Trojan and Adware: AVG detected

Exactly where is it finding the problems?

 

That is System Restore. Nothing can be cleaned from System Restore. You have to toggle System Restore. But first you have some other things to do.

Uninstall the below old versions of software:
Java(TM) 6 Update 2

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - Startup: PowerReg Scheduler.exe
After clicking Fix, exit HJT.


Now we need to use ComboFix to remove a bunch of malware files.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it.


Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

You are susceptible to security holes. Older versions of Java have been thought to also leave the door open for Vundo infections.

No! We have not toggle System Restore yet so it would still find the same thing.

You should keep all of your software current but it is not a major issue for us if it was not updated.

Are you using Spybot or some other program to control startups? I'm referring to the below which are being blocked from loading and I tried to clean them up in the last fix but they did not get fixed and you said the fixME.reg patch was successfull.

 

That is where you would check Spybot.

Then you contradict your earlier statement that you are not controlliong startups.

Undo whatever you did. We already tried manual removal so it looks like something you are running is just putting them back into those registry keys.

 

Are you familar with using the Windows Registry Editor?

 

What I want you to do with the registry editor is to navigate to the below keys and select them (one at a time)

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-

And once you have it selected (it should be highlighted) right click on it and select Delete. Make sure that you have selected the key that end with a minus sign. It is run- DO NOT delete the one that says run

You will have to say yes to the prompt Are you sure.....

After you do this for both keys, download and run the current version of MGtools (recently updated) and attach a new MGlogs.zip file.

 

That's better. How are things working?

 

You're welcome.

You can do that if you wish but do not do a rescan until after you have done all of the below.

If you are not having any other malware problems, it is time to do our final steps:

1. You can uninstall SUPERAntiSpyware now.
2. We recommed you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
4. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\cf" /u
     • Notes: The space between the cf" and the /u, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
   • Delete the C:\cf folder from combofix.
5. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
6. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
7. If we had you run Avenger, you can delete all files related to Avenger now.
8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
9. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
10. Go to add/remove programs and uninstall HijackThis.
11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
12. If you are running Vista, Windows XP or Windows ME, do the below:
    • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
13. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

If the cf.exe file is still on your Desktop, then step 3 of the instructions I gave you should work.

 

Try renaming the cf.exe file to combo-fix.exe and then try using the below to uninstall.

Start, select Run.. and Copy and Paste the below exactly as written into the Run box and then click the OK button

"%userprofile%\desktop\combo-fix.exe" /killall

 

Sorry about that! I gave you the command to get a new log. Here is what I wanted you to run to see if it would uninstall.

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required


"%userprofile%\Desktop\combo-fix" /u

• Notes: The space between the combo-fix" and the /u, it must be there.

 

Yes!

As far as I know it does not. When running a scan it actually disconncects you from the internet. What were you seeing and are you referring to during the scan or during the uninstall? The uninstall may be accessing the internet to send bug reports...etc but I never checked.

Yes!

 

All but bug.txt are shortcuts to run programs that you or someone else put there. There is no need to have shortcuts in this folder. You can delete them if you don't use the shortcuts from this folder. The bug.txt file can be viewed with notepad to see what it is. It is probably nothing you need.

 

You should complete all of my final instructions.

 

The log is not useful since it does not show exactly what is being found. Logs with just names of malware are not helpful at all especially since every program uses their own naming convention. No you don't need to worry. It may have just been the below registry key which is added by mistake due to a bug in ComboFix that is adding the key rather than deleting it.

HKEY_CURRENT_USER\Software\Kazaa

There is another key improperly added by ComboFix. You can use the below patch to remove both keys.


Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

 

You're welcome!

Yes!

 

You're welcome. Surf safely!