Vista machine keeps rebooting after malware removal

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix, exit HJT.

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

Files::
C:\Windows\TEMP\wwwodmrvf\snfmrhflajb.exe
C:\Windows\TEMP\ckf4ud.exe

DirLook::
C:\Windows\System32\6.0.6002.18005

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MqmPab"=-
"jaryxnfl"=-

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe

* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall

Now see if you can boot into normal mode and run the scans.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept ( yes twice ).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [combofix] "C:\ComboFix\CF5956.cfxxe" /c "C:\ComboFix\C.bat"
O4 - HKLM\..\RunOnce: [combofix] "C:\ComboFix\CF5956.cfxxe" /c "C:\ComboFix\C.bat"
O4 - HKUS\S-1-5-18\..\Run: [MqmPab] C:\Windows\TEMP\ckf4ud.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [jaryxnfl] C:\Windows\TEMP\wwwodmrvf\snfmrhflajb.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MqmPab] C:\Windows\TEMP\ckf4ud.exe (User 'Default user')

After clicking Fix, exit HJT.



Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\avenger.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Okay please attach the follow up MGlogs.zip file anyway so we can see your current status.

 

None of these lines I asked you to fix are in the last MGlog.zip file you attached.

So what problems are you actually still having. Is it still not possible to boot in normal mode and run an MGtools scan?

Why did you run ComboFix again on April 4th? We did not ask you to do this.

 

The HijackThis log in your MGlogs.zip file was not updated for some reason. Can you boot up in normal boot mode and run a new scan with C:\MGtools\GetLogs.bat and attach the C:\MGlogs.zip fle obtained in normal boot mode?


Also please run the below and attach the log from GMER:

GMER - running with a random name

 

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [combofix] "C:\ComboFix\CF5956.cfxxe" /c "C:\ComboFix\C.bat"
O4 - HKLM\..\RunOnce: [combofix] "C:\ComboFix\CF5956.cfxxe" /c "C:\ComboFix\C.bat"
O4 - HKUS\S-1-5-18\..\Run: [MqmPab] C:\Windows\TEMP\ckf4ud.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [jaryxnfl] C:\Windows\TEMP\wwwodmrvf\snfmrhflajb.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MqmPab] C:\Windows\TEMP\ckf4ud.exe (User 'Default user')

After clicking Fix, exit HJT.

Please download OTM by Old Timer and save it to your Desktop.

• Right-click OTM.exe and select Run as administrator to run it.
• Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
  (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
  the code box

Code:

:Processes
explorer.exe
 
:Files
C:\Windows\TEMP\ckf4ud.exe
C:\Windows\TEMP\wwwodmrvf\snfmrhflajb.exe
C:\Windows\TEMP\ckf4ud.exe
C:\Windows\TEMP\wwwodmrvf
C:\ComboFix
C:\Windows\System32\lsseagf.txt
 
:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"combofix"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunOnce]
"combofix"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MqmPab"=-
"jaryxnfl"=-

:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
  ) and choose Paste.
• Now click the large button.
• If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
• Close OTM.

Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
this log file to your next message.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• the C:\_OTM\MovedFiles log
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Your logs are not making any sense at all. The log from OTM is stating that the items are not being found but the current logs you attach are showing the same old stuff which just does not agree nor make sense. Are you performing a System Restore or is your system automatically reconfiguring itself back to a previous setting after you run my fixes? That is what it looks like the only answer would be as to why things keep reappearing.

 

No. OTM said they do not exist. The below is what OTM stated.

Please run MSconfig and look in the Startup tab for each of the items we have been trying to remove with analyse.exe. Disable any that you find. Once you have disabled them. Immediately run C:\MGtools\GetLogs.bat and then attach the new C:\MGlogs.zip file.

Then reboot your PC and see if it will run in Normal Boot Mode.

 

Also note that it appears that you have your Virtual Memory settings too low as I see the below file being created which normally should not be created:

Code:

"C:\Windows\System32\"
temppf.sys    Apr 10 2011   268435456  "temppf.sys"

You should fix this as stated in the below:

http://support.microsoft.com/?kbid=257758

 

So you do not see the other ones listed below

 

Okay then do the below:

Uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

• Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
• "%userprofile%\Desktop\combofix" /uninstall
  • Notes: The space between the combofix" and the /uninstall, it must be there.

Now if you have not fix the Virtual Memory, do that now and then reboot. See if normal mode works.

Get a new MGlogs.zip file and attach it ( from whatever mode you can run in ).

 

Download and save combofix.exe to your Desktop. Then run the uninstall with my instructions.

 

You should not bet setting them. You should allow Windows to control them for best performance.

 

Please uninstall Avira and then do the below.

Click Start, Run, and enter sfc /scannow and click OK. There is a space after the sfc. This runs System File Checker which looks for missing or corrupted system files and attempts to replace/repair them from files on your hard disk or from the CD if necessary. So it will ask for the Windows CD if it needs it.

• Right-click OTM.exe and select Run as administrator to run it.
• Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
  (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
  the code box

Code:

:Processes
explorer.exe
 
:Files
C:\Users\Morton\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs
C:\Users\Morton\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine
C:\Users\Morton\Desktop\CFScrip2t.txt
C:\cleanup.bat
C:\ComboFix.txt
C:\mbam-log-2010-09-02 (06-17-25).txt
C:\rkill.log
C:\TDSSKiller.2.4.21.0_01.04.2011_21.33.05_log.txt
 
:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"HP Software Update"=-
"combofix"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunOnce]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
  ) and choose Paste.
• Now click the large button.
• If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
• Close OTM.

Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
this log file to your next message.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• the C:\_OTM\MovedFiles log
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Seem you are having lingering Windows problems not malware problems. Items in your registry that we are removing just keep reappearing because Windows just keeps putting them back due to problems within Windows.

You may need to try doing a System Restore to a point before your problems began. Next step may be to reinstall. But you can try the instructions in message # 29 first.

 

Actually I would suggest a clean install of Windows 7! Not an upgrade from Vista if that is possible. I full install disk may be more expensive though but at least he would then have a disk to perform any possibly future repairs that may become necessary due to malware infections or just do to problems within Windows itself.


The logs still show the items were not removed even though OTM thinks they were. It looks to me like the registry is just locked ( permissions issues of some type within Windows ). And this may even be the cause of the inability to boot into normal mode and run properly. I think that the choice of either repairing Vista, reinstalling Vista, or starting from scratch with Windows 7 are the best next steps. Obvsiously to repair Vista, you would need the boot CD. But you could do a quick reimage from the Factory Recovery Partition on drive D just to quickly get Vista up and running again. Make sure that all necessary backups are performed first since restoring to a factory image does mean the PC will be back to the same state it was when it came out of the box.

 

Absolutely not.

You need to backup everything that he needs from anywhere he as saved it. I cannot tell you where that may be but it does not have to be in the C:\users folder. And you would not be able to backup everything in that folder anyway since windows would stop you from copying certain system files. And no you should not install "on top of Vista". You should format the drive and reinstall from scratch. And NO!!!! You cannot copy the C:\Users folder back. You would totally break the Windows 7 installation if you tried that. You need to reinstall all programs that are wanted from scratch. What you can copy back from the backups are things like personal documents, pictures, videos, and other personal files.

 

You're welcome. Surf safely and be sure to work thru the below after the reinstall.

How to Protect yourself from malware!