WiniGuard malware problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by funglu, Feb 27, 2009.

  1. funglu

    funglu Private E-2

    I too am getting the pop-ups that others have posted about, and I have gone through the "Read & RUN ME FIRST before asking for support" malware removal.

    History: I started getting the pop-ups two days ago when I foolishly pushed yes on a WiniGuard pop-up. After going through the removal on my own through the control panel, I still got the pop-ups with a five or so second loud annoying sound every five to ten minutes (it would go off whether I had the volume on or off). After the first couple of tasks of your removal procedure the loud noise stopped. The pop-ups were still going strong. Now I have finished going through the Vista cleaning procedure and I still get the pop-ups. Therefore, per instructions, I am going to attach my logs.
     

    Attached Files:

  2. funglu

    funglu Private E-2

    next attachment
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    c:\windows\59bzst9al663.exe
    c:\windows\System32\32ezpyw9r51435.dll
    c:\windows\1d13ba9kdooz2351.bin
    c:\windows\2393spar5e1470z.exe
    c:\windows\System32\4zc4addw5re3599.exe
    c:\windows\25189vi9zs48d.bin
    c:\windows\20891troz795.dll
    c:\windows\System32\54zad9ware342.exe
    c:\windows\System32\5b6ds9zal2325.bin
    c:\windows\System32\27771w9rm175z.dll
    c:\windows\21651n9t-a-5irzs151.bin
    c:\windows\7724wo5911z.dll
    c:\windows\System32\z593spa9bot5bf.dll
    c:\windows\1ec0baczdoo52339.exe
    c:\windows\6571spyzare2912.dll
    c:\windows\621spam9oz553.exe
    c:\windows\7531v9r963z.exe
    c:\windows\1552zspambot5fd9.dll
    c:\windows\System32\70fczpar5e9572.bin
    c:\windows\System32\255z69acktoolb9.bin
    c:\windows\6b5e9ownlo5der10z8.bin
    c:\windows\41z9downloader3125.dll
    c:\windows\7z59ha5ktool5629.dll
    c:\windows\193zb9ckdoor1665.exe
    c:\windows\System32\4982s5yz9c.exe
    c:\windows\System32\9651hacktool95cz.dll
    c:\windows\26556worm7z9.exe
    c:\windows\583vi919z9.exe
    c:\windows\1z59vir1489.dll
    c:\windows\35z57s9y73d.exe
    c:\windows\System32\6865adzware7559.bin
    c:\windows\System32\54e2b9ckdzor3074.exe
    c:\windows\System32\7f95vir65z.exe
    c:\windows\5dz59ackdo5r2464.bin
    c:\windows\System32\1c49addzare8155.dll
    c:\windows\4b5hzef1779.exe
    c:\windows\3502no5-a-virus93z.bin
    c:\windows\System32\2dz9backdo9r18795.bin
    c:\windows\System32\555d9ownzoader31085.exe
    c:\windows\2988addzare425.ocx
    c:\windows\z641th5ef1919.dll
    c:\windows\6ddev9r99z5.bin
    c:\windows\z9755virus6f4.exe
    c:\windows\z2f4spy9are10245.cpl
    c:\windows\System32\7640addwa9e1z915.cpl
    c:\windows\92255zrus514.dll
    c:\windows\59a9downlozder995.dll
    c:\windows\1za6thief9594.exe
    c:\windows\35185hrza96309.ocx
    c:\windows\System32\54f6add9arez060.bin
    c:\windows\431as5e9lz496.ocx
    c:\windows\4f91addwz9e5297.exe
    c:\windows\System32\6c6zt9reat275275.dll
    c:\windows\System32\26z55spam9ot7d9.cpl
    c:\windows\System32\34da5tealz391.dll
    c:\windows\93eddownloa5zr69.ocx
    c:\windows\System32\996245roj395z.dll
    c:\windows\26398not-5zvirus99c.dll
    c:\windows\23590h5cktzol62e.dll
    c:\windows\System32\6ez5hief9907.dll
    c:\windows\System32\52294not-a-viruz299.cpl
    c:\windows\5852d5wnloadzr2296.cpl
    c:\windows\System32\2156downl9adzr2927.ocx
    c:\windows\4588trzj42d9.dll
    c:\windows\12053zpy30e9.exe
    c:\windows\System32\2d17thi5f2z509.ocx
    c:\windows\31z5hief9877.ocx
    c:\windows\15915zot-a-vi59s481.dll
    c:\windows\System32\14541h9cz5ool417.cpl
    c:\windows\153zaddware9749.cpl
    c:\windows\5654spz498.cpl
    c:\windows\14150hackt9oz3e5.bin
    c:\windows\4254s9yz33.ocx
    c:\windows\System32\4f6dbazkdoor9555.bin
    c:\windows\System32\3519t5oz559.exe
    c:\windows\593ddownloaderz735.cpl
    c:\windows\4759backzoor5636.dll
    c:\windows\15129hacktoolz56.cpl
    c:\windows\System32\135529zrus2bb5.ocx
    c:\windows\System32\19z1s9y455.exe
    c:\windows\System32\65f4zteal429.ocx
    c:\windows\System32\9157adzware5761.cpl
    c:\windows\5e95szarse1799.bin
    c:\windows\System32\4b95s5ezl9145.exe
    c:\windows\17998troz5459.bin
    c:\windows\System32\7c4bth5efz0519.bin
    c:\windows\System32\51cspywa9e13z5.ocx
    c:\windows\7f959hreat2369z.dll
    c:\windows\95891ha5ktzol6b5.exe
    c:\windows\System32\57f9spywzre852.dll
    c:\windows\177z2vir9s5a5.dll
    c:\windows\1z2ft9ie5652.cpl
    c:\windows\459fvir24z15.exe
    c:\windows\System32\5cbaaddwarz59.dll
    c:\windows\11854zo596af.bin
    c:\windows\System32\2699tzoj45f5.dll
    c:\windows\System32\458f9ddzare1569.dll
    c:\windows\5626viru93zf.cpl
    c:\windows\3z789w5rm712.bin
    c:\windows\System32\29085h9cktozl5c8.ocx
    c:\windows\System32\29686spamzo51b7.exe
    c:\windows\System32\19035no9-azvirus6f1.ocx
    c:\windows\System32\5a79dzw9loade5568.ocx
    c:\windows\77baadd5are48z9.ocx
    c:\windows\7195spz7a5.cpl
    c:\windows\System32\27975sz5592.exe
    c:\windows\1z595spambot5c7.cpl
    c:\windows\z6261tr9j159.cpl
    c:\windows\6z0f9p5rse2236.cpl
    c:\windows\System32\25258wzrm91.exe
    c:\windows\2e0eth5ea915369z.ocx
    c:\windows\46z2downlo5der79.bin
    c:\windows\System32\9925h5zktool9b.cpl
    c:\windows\c7bs5azse3992.ocx
    c:\windows\System32\4ab8ba9kdo5z593.exe
    c:\windows\29a4stezl652.bin
    c:\windows\System32\225159irzs579.cpl
    c:\windows\System32\4b2czhief9508.ocx
    c:\windows\259805zru9682.bin
    c:\windows\5159virz676.ocx
    c:\windows\System32\8240wor5z179.cpl
    c:\windows\System32\145z5ackdoor2895.cpl
    c:\windows\1cd7backzoo92405.exe
    c:\windows\5d28thr9at19096z.dll
    c:\windows\z519ddwa5e1226.ocx
    c:\windows\System32\590z3hacktool4aa.ocx
    c:\windows\1z909spy559.dll
    c:\windows\11a0z5dwa9e2136.exe
    c:\windows\System32\5c2zsteal94265.ocx
    c:\windows\z4275spy49.cpl
    c:\windows\z7515o9m8d.cpl
    c:\windows\54523trzj2d99.exe
    c:\windows\System32\57425s9yz1f.cpl
    c:\windows\9768thi5fz611.exe
    c:\windows\System32\5f959ackdozr1957.dll
    c:\windows\7177spar59255z.cpl
    c:\windows\System32\871backdoorz5149.cpl
    c:\windows\419fspyware2z095.dll
    c:\windows\System32\6196addwaze959.dll
    c:\windows\58zthre9t23453.bin
    c:\windows\System32\15dzthief1629.dll
    c:\windows\System32\795dvzr55.bin
    c:\windows\System32\z861spar5e941.ocx
    c:\windows\System32\2510sp9zare2045.ocx
    c:\windows\System32\5azadown5oader7539.dll
    c:\windows\zb7595ckdoor918.bin
    c:\windows\System32\19929hac9tooz553.dll
    c:\windows\13920not-a95irus1a3z.ocx
    c:\windows\5bz5v59861.dll
    c:\windows\System32\383fthz5at26569.exe
    c:\windows\System32\55zds9arse901.cpl
    c:\windows\fd2zddw5re9410.bin
    c:\windows\28886tro57fz9.exe
    c:\windows\System32\31258ziru96df.dll
    c:\windows\System32\7b9vi959z.exe
    c:\windows\System32\115749pambot4e1z.exe
    c:\windows\System32\59t59j5z2.cpl
    c:\windows\3593threa525z13.bin
    c:\windows\202569pamzot45c.dll
    c:\windows\5ce5t9al257z.ocx
    c:\windows\25z50v9rus5a5.dll
    c:\windows\System32\434zhack59ol382.cpl
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run CCleaner.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combo.
     
    Last edited: Feb 28, 2009
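    The CFScript posted above (and the three that follow it) all have the same shape: a KILLALL:: directive, then a File:: list of paths under C:\Windows and C:\Windows\System32 whose names are a random digit/hex prefix wrapped around a mangled malware-family word (st9al, ba9kdooz, n9t-a-5irzs, and so on), with a Registry:: block added in post 15 to drop a Run value. As an added example that is not part of this thread and is not ComboFix's own code, the Python below picks such decoy names out of a directory listing and renders a script in that layout. The family-word list, the assumption that only digits and the letter z were substituted for letters, the function names, and the sample listing (five names copied from this thread, promo.exe from post 15, and a few genuine system files) are all this example's own.

```python
"""Flag rogue-AV decoy files by their mangled family-name stems and
render a ComboFix-style CFScript for them.

Added example for this thread; not the thread's or ComboFix's own code.
"""
import ntpath
from typing import Dict, Iterable, List, Optional

# Family words the decoys imitate, longest first so that "spyware" is
# reported rather than "spy" when both fit.
FAMILY_WORDS = (
    "not-a-virus", "downloader", "backdoor", "hacktool", "spyware",
    "addware", "spambot", "sparse", "threat", "thief", "steal",
    "virus", "worm", "troj", "spy", "vir",
)
# Assumption: the generator only ever swapped a letter for a digit or a
# 'z' (every name in the thread's listings fits that), so these act as
# wildcards when a stem is compared against a family word.
WILDCARDS = frozenset("0123456789z")
DECOY_EXTS = frozenset({".exe", ".dll", ".bin", ".ocx", ".cpl"})
DECOY_DIRS = frozenset({r"c:\windows", r"c:\windows\system32"})


def matched_family(stem: str) -> Optional[str]:
    """Return the family word STEM imitates, or None.

    A window of the stem matches a word when every position is the same
    letter or a wildcard, with at most (len(word) + 1) // 3 wildcards:
    "vi9zs" counts as "virus", but "v59" does not count as "vir".
    """
    s = stem.lower()
    for word in FAMILY_WORDS:
        n, budget = len(word), (len(word) + 1) // 3
        for i in range(len(s) - n + 1):
            wild = 0
            for got, want in zip(s[i:i + n], word):
                if got == want:
                    continue
                if got not in WILDCARDS:
                    break
                wild += 1
                if wild > budget:
                    break
            else:
                return word
    return None


def find_decoys(paths: Iterable[str]) -> Dict[str, str]:
    """Map each decoy-looking path directly under C:\\Windows or System32
    to the family word its name imitates; other directories are ignored."""
    hits: Dict[str, str] = {}
    for path in paths:
        directory, name = ntpath.split(path)
        stem, ext = ntpath.splitext(name)
        if directory.lower() not in DECOY_DIRS or ext.lower() not in DECOY_EXTS:
            continue
        word = matched_family(stem)
        if word is not None:
            hits[path] = word
    return hits


def build_cfscript(files: Iterable[str], run_values: Iterable[str] = ()) -> str:
    """Render the CFScript layout used in this thread: KILLALL::, a File::
    list and, when RUN_VALUES is given, a Registry:: block that deletes
    those values from HKLM\\...\\Run with the  "name"=-  syntax."""
    lines: List[str] = ["KILLALL::", "", "File::", *files]
    run_values = list(run_values)
    if run_values:
        lines += ["", "Registry::",
                  r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"]
        lines += ['"%s"=-' % v for v in run_values]
    return "\n".join(lines) + "\n"


# Constructed listing: five decoy names copied from the thread, the
# plainly named promo.exe from post 15, and a few genuine system files.
SAMPLE_LISTING = [
    r"c:\windows\59bzst9al663.exe",
    r"c:\windows\System32\32ezpyw9r51435.dll",
    r"c:\windows\1d13ba9kdooz2351.bin",
    r"c:\windows\System32\54zad9ware342.exe",
    r"c:\windows\21651n9t-a-5irzs151.bin",
    r"c:\windows\System32\promo.exe",
    r"c:\windows\explorer.exe",
    r"c:\windows\notepad.exe",
    r"c:\windows\System32\kernel32.dll",
    r"c:\windows\System32\user32.dll",
    r"c:\program files\avg\avgrsx.exe",
]

if __name__ == "__main__":
    found = find_decoys(SAMPLE_LISTING)
    for path, word in sorted(found.items()):
        print("%-45s  looks like %s" % (path, word))
    # promo.exe has an ordinary name, so it is added by hand, as the
    # helper did from the logs, together with its Run value.
    print(build_cfscript(sorted(found) + [r"c:\windows\System32\promo.exe"],
                         run_values=["promo.exe"]))
```

    Two caveats a practitioner should keep in mind. The heuristic only catches the naming pattern: the real loader in post 15, promo.exe, has an ordinary name and was identified from the logs, so the output is a starting point for the helper's review, not a script to run unreviewed. And 8.3 short names such as those in post 13 (10814h~1.cpl) carry too little of the stem to match, so a listing in that form needs the long names resolved first.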
  4. funglu

    funglu Private E-2

    following instructions.
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did you have a problem dragging the txt file over Combo? Nothing was removed? Please do it again and make sure you Save the above as CFscript.txt.
     
  6. funglu

    funglu Private E-2

    maybe I attached the old log
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Nope.....download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger and re-run Combo.
     
  8. funglu

    funglu Private E-2

    here it is
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  10. funglu

    funglu Private E-2

    I can't get it to save to text so I copied it to the notebook and am sending you that text file. I forgot to call it bdscan and called it bdcode. I get dumber every day.
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It found a few things but did not recognize the rest. Please run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.

    Were you able to remove the items manually?
     
  12. funglu

    funglu Private E-2

    The only thing that I have been able to remove was a program I deleted from the control panel. If there are other items to look for and remove, let me know.

    One thing that I have found is that when my computer is left on over 8 hours, the pop-ups stop.

    Other than that, I know nothing.
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\Windows\10814h~1.cpl  
    C:\Windows\108295~1.ocx  
    C:\Windows\111359~1.dll 
    C:\Windows\11fzth~1.ocx  
    C:\Windows\124769~1.dll 
    C:\Windows\138bsz~1.exe 
    C:\Windows\146ezh~1.cpl 
    C:\Windows\15299s~1.exe
    C:\Windows\1559vz~1.bin 
    C:\Windows\15792s~1.ocx
    C:\Windows\158dst~1.bin  
    C:\Windows\159619~1.cpl
    C:\Windows\1603z5~1.ocx
    C:\Windows\169995~1.ocx
    C:\Windows\17245w~1.cpl
    C:\Windows\17376s~1.ocx
    C:\Windows\17533s~1.exe
    C:\Windows\17596w~1.dll
    C:\Windows\1768nz~1.bin 
    C:\Windows\17839v~1.bin
    C:\Windows\18447s~1.bin 
    C:\Windows\19254t~1.cpl 
    C:\Windows\19566v~1.ocx
    C:\Windows\19926s~1.bin 
    C:\Windows\1996vi~1.ocx 
    C:\Windows\19z82v~1.dll  
    C:\Windows\1e51sp~1.ocx
    C:\Windows\1e98zd~1.exe
    C:\Windows\1z611s~1.bin 
    C:\Windows\1z795s~1.cpl 
    C:\Windows\1z9bba~1.exe
    C:\Windows\1zd4sp~1.exe 
    C:\Windows\20409t~1.ocx 
    C:\Windows\20473t~1.cpl 
    C:\Windows\20z31w~1.cpl
    C:\Windows\21499z~1.dll  
    C:\Windows\21817n~1.cpl
    C:\Windows\22352v~1.ocx
    C:\Windows\2245zs~1.cpl 
    C:\Windows\23675z~1.bin 
    C:\Windows\23z69s~1.bin 
    C:\Windows\24798s~1.dll  
    C:\Windows\25431w~1.exe
    C:\Windows\25491w~1.cpl
    C:\Windows\25535w~1.dll
    C:\Windows\257csp~1.bin 
    C:\Windows\25fado~1.cpl 
    C:\Windows\25z20n~1.cpl 
    C:\Windows\25z365~1.ocx
    C:\Windows\262399~1.bin
    C:\Windows\263939~1.cpl
    C:\Windows\26497s~1.dll 
    C:\Windows\26e59o~1.dll 
    C:\Windows\27899t~1.ocx
    C:\Windows\27z5sp~1.exe
    C:\Windows\28089r~1.cpl 
    C:\Windows\28922n~1.cpl
    C:\Windows\29255s~1.exe
    C:\Windows\2937ha~1.bin
    C:\Windows\29447t~1.dll  
    C:\Windows\29516n~1.dll 
    C:\Windows\29951h~1.ocx
    C:\Windows\29a4a5~1.dll 
    C:\Windows\2a4cv5~1.cpl 
    C:\Windows\2a52do~1.exe
    C:\Windows\2a58do~1.exe
    C:\Windows\300z3v~1.dll 
    C:\Windows\30718n~1.ocx
    C:\Windows\31255v~1.cpl
    C:\Windows\35z59a~1.bin 
    C:\Windows\3665do~1.cpl
    C:\Windows\3c59sp~1.bin 
    C:\Windows\3cz8sp~1.bin 
    C:\Windows\3e40zp~1.bin
    C:\Windows\3z553v~1.ocx
    C:\Windows\3z92sp~1.dll 
    C:\Windows\3z99s9~1.cpl 
    C:\Windows\40caza~1.cpl 
    C:\Windows\435bad~1.dll 
    C:\Windows\4485h5~1.ocx  
    C:\Windows\4558th~1.cpl  
    C:\Windows\46d0sp~1.exe  
    C:\Windows\485csp~1.cpl  
    C:\Windows\48fcb9~1.exe  
    C:\Windows\49b4vz~1.cpl  
    C:\Windows\49d3s5~1.ocx  
    C:\Windows\4a1fv9~1.cpl  
    C:\Windows\4b03ba~1.dll  
    C:\Windows\4c88st~1.cpl  
    C:\Windows\4d11vi~1.bin  
    C:\Windows\4d7fba~1.bin  
    C:\Windows\4fc5sp~1.cpl  
    C:\Windows\5050vi~1.ocx  
    C:\Windows\5081zo~1.exe  
    C:\Windows\51632s~1.cpl 
    C:\Windows\519bac~1.ocx  
    C:\Windows\521f9a~1.ocx  
    C:\Windows\52485d~1.bin  
    C:\Windows\533z9o~1.ocx  
    C:\Windows\53z75p~1.ocx  
    C:\Windows\54829o~1.cpl  
    C:\Windows\5499vi~1.exe  
    C:\Windows\559bvz~1.cpl  
    C:\Windows\55ezba~1.cpl  
    C:\Windows\56b1st~1.exe  
    C:\Windows\5746v5~1.cpl  
    C:\Windows\5757v9~1.dll  
    C:\Windows\5795th~1.exe  
    C:\Windows\57f35h~1.exe  
    C:\Windows\590st5~1.dll  
    C:\Windows\59425s~1.ocx  
    C:\Windows\599esp~1.bin  
    C:\Windows\5e9spa~1.dll  
    C:\Windows\5f9b5p~1.bin  
    C:\Windows\5z879p~1.ocx  
    C:\Windows\6109p5~1.ocx  
    C:\Windows\622zvi~1.cpl  
    C:\Windows\6233th~1.cpl 
    C:\Windows\6545zt~1.ocx  
    C:\Windows\6575ad~1.exe  
    C:\Windows\658bdo~1.cpl  
    C:\Windows\65e4b5~1.exe  
    C:\Windows\65f6ad~1.ocx  
    C:\Windows\65zfst~1.cpl  
    C:\Windows\663zir~1.ocx  
    C:\Windows\6924zt~1.exe  
    C:\Windows\6979ha~1.exe  
    C:\Windows\6b77z5~1.ocx  
    C:\Windows\6etzre~1.exe  
    C:\Windows\6f7bad~1.bin  
    C:\Windows\6z57ad~1.dll  
    C:\Windows\705bad~1.dll  
    C:\Windows\70b559~1.exe  
    C:\Windows\718bdo~1.exe  
    C:\Windows\72zc5a~1.exe  
    C:\Windows\7354tr~1.bin  
    C:\Windows\7575do~1.cpl  
    C:\Windows\7590ad~1.bin  
    C:\Windows\75e9th~1.bin  
    C:\Windows\7695ha~1.cpl  
    C:\Windows\79695r~1.exe  
    C:\Windows\797zs9~1.ocx  
    C:\Windows\7996ad~1.ocx  
    C:\Windows\7b57st~1.exe  
    C:\Windows\835zv9~1.exe  
    C:\Windows\8494no~1.bin  
    C:\Windows\9059ha~1.exe  
    C:\Windows\92153h~1.ocx  
    C:\Windows\9249v5~1.bin  
    C:\Windows\93185s~1.cpl  
    C:\Windows\9538sz~1.dll  
    C:\Windows\9735tr~1.dll  
    C:\Windows\975zsp~1.cpl  
    C:\Windows\97z55h~1.cpl  
    C:\Windows\9813do~1.cpl  
    C:\Windows\98ecsp~1.exe  
    C:\Windows\993a5d~1.dll  
    C:\Windows\99c5do~1.dll  
    C:\Windows\9a55te~1.exe  
    C:\Windows\9z515w~1.cpl 
    C:\Windows\9z585t~1.dll  
    C:\Windows\a98zpa~1.cpl  
    C:\Windows\bdzthr~1.ocx    
    C:\Windows\d295h9~1.ocx  
    C:\Windows\z0465n~1.dll  
    C:\Windows\z1805s~1.bin  
    C:\Windows\z1b1vi~1.ocx  
    C:\Windows\z2556v~1.dll  
    C:\Windows\z2908s~1.cpl  
    C:\Windows\z3249h~1.cpl  
    C:\Windows\z4925t~1.exe  
    C:\Windows\z5199t~1.bin  
    C:\Windows\z7835t~1.exe  
    C:\Windows\z7d3st~1.cpl  
    C:\Windows\z818tr~1.dll  
    C:\Windows\z98spa~1.bin  
    C:\Windows\zc765i~1.dll  
    C:\Windows\System32\13069h~1.exe  
    C:\Windows\System32\139ead~1.exe  
    C:\Windows\System32\19999w~1.exe 
    C:\Windows\System32\2493sp~1.exe  
    C:\Windows\System32\2625zt~1.exe  
    C:\Windows\System32\27cesp~1.exe  
    C:\Windows\System32\2bc3sp~1.exe 
    C:\Windows\System32\31968v~1.exe  
    C:\Windows\System32\3d98ba~1.exe  
    C:\Windows\System32\3z29sp~1.exe  
    C:\Windows\System32\3z9bth~1.exe  
    C:\Windows\System32\459edo~1.exe  
    C:\Windows\System32\4e3zst~1.exe  
    C:\Windows\System32\59zspy~1.exe  
    C:\Windows\System32\6062th~1.exe  
    C:\Windows\System32\6492zp~1.exe  
    C:\Windows\System32\6daast~1.exe  
    C:\Windows\System32\753dt9~1.exe  
    C:\Windows\System32\7993do~1.exe  
    C:\Windows\System32\7b5e9i~1.exe  
    C:\Windows\System32\8518ha~1.exe  
    C:\Windows\System32\8978za~1.exe  
    C:\Windows\System32\90754w~1.exe 
    C:\Windows\System32\95362s~1.exe  
    C:\Windows\System32\9564az~1.exe  
    C:\Windows\System32\95z8sp~1.exe  
    C:\Windows\System32\9679hz~1.exe  
    C:\Windows\System32\e1down~1.exe  
    C:\Windows\System32\145th9~1.dll  
    C:\Windows\System32\15446n~1.dll  
    C:\Windows\System32\15459s~1.dll  
    C:\Windows\System32\157fst~1.dll  
    C:\Windows\System32\1715z9~1.dll  
    C:\Windows\System32\1963do~1.dll  
    C:\Windows\System32\1zfcba~1.dll  
    C:\Windows\System32\22b4ba~1.dll  
    C:\Windows\System32\28735v~1.dll  
    C:\Windows\System32\2991no~1.dll  
    C:\Windows\System32\31z32s~1.dll  
    C:\Windows\System32\323ezo~1.dll  
    C:\Windows\System32\32695h~1.dll  
    C:\Windows\System32\35bzst~1.dll  
    C:\Windows\System32\3722do~1.dll  
    C:\Windows\System32\3c9eth~1.dll  
    C:\Windows\System32\3ezavi~1.dll  
    C:\Windows\System32\5567vi~1.dll  
    C:\Windows\System32\5789st~1.dll 
    C:\Windows\System32\5820sp~1.dll  
    C:\Windows\System32\5946ba~1.dll  
    C:\Windows\System32\5ac6sp~1.dll  
    C:\Windows\System32\5e7esz~1.dll  
    C:\Windows\System32\62529p~1.dll 
    C:\Windows\System32\6517no~1.dll  
    C:\Windows\System32\6645ad~1.dll  
    C:\Windows\System32\6b46s5~1.dll  
    C:\Windows\System32\6d569t~1.dll  
    C:\Windows\System32\75c6ba~1.dll  
    C:\Windows\System32\7969s5~1.dll  
    C:\Windows\System32\940fth~1.dll  
    C:\Windows\System32\957z6t~1.dll  
    C:\Windows\System32\9996ba~1.dll  
    C:\Windows\System32\fa49ir~1.dll  
    C:\Windows\System32\z48csp~1.dll  
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combo.
     
  14. funglu

    funglu Private E-2

    here are the logs
     

    Attached Files:

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Shall we have another go at it?

    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    
    File::
    c:\windows\System32\15a1th9eat709z.cpl
    c:\windows\System32\1dzethre5t95974.bin
    c:\windows\System32\23067vizu95a95.ocx
    c:\windows\System32\7615t9reatz6268.bin
    c:\windows\System32\405dviz2938.cpl
    c:\windows\System32\7c32addw9r5312z.cpl
    c:\windows\System32\4b61sp5rse29z2.ocx
    c:\windows\System32\211849pamboz225.bin
    c:\windows\System32\33dzdow9loader2325.cpl
    c:\windows\System32\16536not-z-vir9s4f3.ocx
    c:\windows\System32\2322zownl9ader5393.cpl
    c:\windows\System32\7a9zbackd9or1155.cpl
    c:\windows\System32\79b5thizf2766.ocx
    c:\windows\System32\2739sp5zse89.cpl
    c:\windows\System32\55952zpambot69b.ocx
    c:\windows\System32\19755hacktzol352.bin
    c:\windows\System32\579bthre9t275z3.cpl
    c:\windows\System32\8598spz495.cpl
    c:\windows\System32\zb68thr9at185265.bin
    c:\windows\System32\20057zro94bc5.bin
    c:\windows\System32\7a9aszyware2075.cpl
    c:\windows\System32\1227sp59boz273.cpl
    c:\windows\System32\9941wzrm500.ocx
    c:\windows\System32\3888backdoorz95.bin
    c:\windows\System32\7697zhief28885.ocx
    c:\windows\System32\z13ado5nloade9618.ocx
    c:\windows\System32\515bs9eal1490z.ocx
    c:\windows\System32\19z39troj425.ocx
    c:\windows\System32\69dbszywa5e2176.cpl
    c:\windows\System32\1493spz5se3178.cpl
    c:\windows\System32\295zback9oor2817.cpl
    c:\windows\System32\19z5spy789.ocx
    c:\windows\System32\615baddwar9568z.bin
    c:\windows\System32\169969o5mze0.cpl
    c:\windows\System32\5d32downloadz92740.ocx
    c:\windows\System32\z547th9eat557.bin
    c:\windows\System32\25995szambot753.bin
    c:\windows\System32\7bdc5pyware9440z.ocx
    c:\windows\System32\zc98vir1572.cpl
    c:\windows\System32\4a73thr9az855.bin
    c:\windows\System32\23730zo5933c.ocx
    c:\windows\System32\promo.exe
    c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    C:\ProgramData\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    c:\windows\System32\99aszywar5509.cpl
    c:\windows\System32\2395vi9zs7a0.bin
    c:\windows\System32\379dspyzare94575.ocx
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "promo.exe"=-
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combo.
     
  16. funglu

    funglu Private E-2

    here we go
     

    Attached Files:

  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Why am I not seeing any anti-virus software on your machine??? Apparently we will continue this forever unless you get some protection!!

    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\Windows\System32\z744s9y759.exe
    C:\Windows\System32\z9070spamb5t5b5.exe 
    C:\Windows\1053ztroj795.dll
    C:\Windows\153299orm26dz.dll
    C:\Windows\1626sp9zare2545.dll
    C:\Windows\25879tzoj598.dll
    C:\Windows\293zth9ef2245.dll
    C:\Windows\3z805hi9f2138.dll
    C:\Windows\491b9zckdoo52889.dll
    C:\Windows\53dba9dw5re2z02.dll
    C:\Windows\53z9virus705.dll
    C:\Windows\56549py5zre1391.dll
    C:\Windows\5z7evir694.dll
    C:\Windows\6f0dvi518z99.dll
    C:\Windows\77z5spar9e5692.dll
    C:\Windows\7bz9stea51039.dll
    C:\Windows\z273spyware5098.dll
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combo.
     
  18. funglu

    funglu Private E-2

    Problem solved -- winiguard gone. thank you.

    I do have anti-virus (AVG). the best protection out there won't stop the suckers like me who click a link thinking they are securing a machine instead of seeing that they are clicking on a land mine. In other words, anti-virus, -spyware, -malware don't stop stupid.

    Thanks for all your help.
     
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I would still like to see the logs, to be sure all is good.
     
  20. funglu

    funglu Private E-2

    many thanks
     

    Attached Files:

  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Only one item left to remove:

    Use windows explorer to find and delete:
    c:\windows\System32\16z975acktool3b9.bin

    If you have no problems removing that.....If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work thru the below link:

     
