Some Malware has infected my system?

Welcome to Major Geeks!

You must run ALL steps in the READ ME and they must be run in the order given. Start over and this time do not skip anything. Most notable items not run were ComboFix and AVG Antispyware. Run them this time and attach their logs. Then you will need to attach a new log from MGtools.

 

You are not supposed to be running anything in the C:\MGtools folder unless we ask you to do so. We also do not need you to attach any of the logs that are stored in this folder. All the logs in this folder are automatically put into the C:\MGlogs.zip file which is why the READ ME only requests that log.

Why the below files are on your PC.

Code:

"C:\WINDOWS\system32\"
hpzjrd01.dll  Feb  6 2008      139264  "hpzjrd01.dll"
 
"C:\WINDOWS\system32\"
haspdos.sys   Feb  8 2008         383  "haspdos.sys"
 
"C:\WINDOWS\system32\drivers\"
haspnt.sys    Feb  8 2008       47616  "Haspnt.sys"
          

These appear to be related Hasp Driver for Radar 8 on Virtual PC which is for when Windows is run in emulation mode on a MAC. See: http://www.radar24-shop.de/assets/ow...%20Results.htm

Why are they on your PC? Or is this MAC? If this is not a MAC then those files may be part of your problems.

You said ComboFix does not work. What were you doing on your own trying to use a CFScript.txt file for ComboFix on Feb 14th???

Code:

"C:\Documents and Settings\Cartik The Conjuror\Desktop\"
cfscript.txt  Feb 14 2008        2370  "CFscript.txt"
combofix.exe  Feb 14 2008     1597222  "ComboFix.exe"

You should never use fixes given to another user. All fixes are unique to a particular persons problems and are not meant for other PCs even though there may appear to be some items that look like they are common.


You have a WareOut infection! You should print or save the below steps locally because you will have to be Offline (with ALL browsers closed) while running some of them. Do this NOW!

Please download FixWareout by LonnyRJones from one of the two below links and save it to your desktop.

http://downloads.subratam.org/Fixwareout.exe

http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

• Run Fixwareout.
• Click Next,
• then Install,
• make sure Run fixit is checked
• and click Finish.
• The fix will begin; follow the prompts.
• You will be asked to reboot your computer; please do so.
• Your system may take longer than usual to load; this is normal.

When you run fixwareout, just follow the prompts, you will need to restart when prompted.

After rebooting (restart) back into normal boot mode, make sure you have all web browsers closed. And run the below steps.

• Go into Control Panel -->Network Connections.
• Right click on your connection and click Properties.
• On the Properties page, highlight Internet Protocol(TCP/IP)
• Click Properties. This will bring up another page.
• Select Obtain DNS Server Automatically.
• Click the ok button. The page will close.
• Press ok on the page in front of you.

Uninstall the below old versions of software:
Java(TM) 6 Update 3

• Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
• On the page that opens, scroll down to Windows Media_Player
• then right click the entry, select Properties and press Stop Service.
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
• Click OK until you get back to Windows.

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O17 - HKLM\System\CCS\Services\Tcpip\..\{50CB8E4F-B1E9-4FEA-B8F4-F3EFE9CD9B40}: NameServer = 85.255.116.78,85.255.112.227

After clicking Fix, exit HJT.

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

After reboot look for all of the above files & folders we had Avenger attempt to delete. If you still see them, delete them yourself.

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\Cartik The Conjuror\Local Settings\Temp

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Make sure you tell me how things are working now!

 

Did FixWareOut run? Where is the log I requested?


Let's remove a malware service.

• Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
• On the page that opens, scroll down to Windows Media_Player
• then right click the entry, select Properties and press Stop Service.
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
• Click OK until you get back to Windows.

Now reboot into safe mode and see if you can manually delete the below files if they exist:
C:\WINDOWS\system32\hpzjrd01.dll
C:\Program Files\Common Files\Microsoft Shared\MSINFO\Sever.exe
C:\WINDOWS\system32\mdelk.exe

Also while in safe mode, see if you can delete the below folder:
C:\WINDOWS\system32\drivers\down

I you cannot delete the down folder. Go into the folder and try to delete all the files in the folder. If you cannot delete them in groups, try deleting them one at a time. For any that you cannot delete, try right clicking on them and select rename, change the .exe extension to .XXX

Then no matter what happens above reboot into normal mode.

Then run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created.

Also tell me how the steps above went. Try to make use of the ability to quote pieces of messages. See the quote icon above the message edit box. Also please don't quote the whole procedure as this is unnecessary and clutters up the thread. Only quote whatever is necessary.

 

Okay so we will leave those alone if you are sure they are from Eset.

Probably a good assumption. Leave it.

Don't know. When you attach the new logs, we can have a look. And you should attach a new ComboFix log.

You are probably blocking your browers. You need to allow iexplore.exe or firefox.exe (whichever you use) access.

 

No I'm not sure what you mean by you ran Microsoft Windows. You run Windows everytime you boot your PC so I don't know what you mean? Were you referring to running Microsoft Malicious Software Removal Tool?

Okay so why were you running this? What were you hoping that it would fix? Was it ESET that suggested it would fix your problem with not being able to access the Internet? Why didn't then check to make sure you were not blocking your browsers in their firewall.

You need to stop blocking your browsers from having internet access. If you cannot figure out how to do this then uninstall the program or ask ESET for help; however let's make sure all malware is removed first. Continue reading below.

Let's make sure you are not still having malware problems but you forgot to attach the other log I requested. That is a new MGlogs.zip file.

Was that an old ComboFix log or a new one? Can you get a new one to attach? See the below new instructions for how to run ComboFix most effectively:

Running ComboFix