Had multiple Trogans/Malware, want to make sure I'm clean

[outdoorlady79]

Last night my Zone Alarm and AVG Antivirus both started throwing warnings left and right at the saem time. I remember seeing Generic11.gdc, Pakes.O, and dialer.sap. Some of the zone alarm alerts refered to beauty.exe, a.exe, and c.exe trying to run.

So this morning I booted the machine and attempted to restore to my last restore point thinking I had only gone to two websites that were out of the ordinary to me yesterday (both of which I wouldn't have expected would be contaminated but wouldn't rule it out). After restoring to that point I did full scan with AVG and it again found the Generic11 again. From there I did a quick google search and found this forum and a couple other posts in recent days referring to these trogans, both of which refered the users to the Read & Run Me First Malware Removal Guide. So I went ahead and followed the guide as a starting point. The system seems to be running better now but I'd still like someone to take a look at the logs if you don't mind before stoping and restarting the restore program.

Edit to add.........after all the alerts last night my wifi monitor in the tray started showing my linksys network had assigned an unusual IP address (don't remember what it was and didn't think to write it down at the time) while other computers using the router still showed the proper address. I wasn't able to resolve this until doing the restore this morning.

Thanks,
OL79

[outdoorlady79]

Just adding the last log attachment

[chaslang]

Welcome to Major Geeks!

You are in pretty good shape. We just have some minor finishing touches to do.


Did you copy tasklist.exe here like this or is this malware? It does not belong here!

Code:

2008-08-02 17:51 . 2008-08-02 17:51 72,192 --a------ C:\Documents and Settings\Sara\tasklist.exe

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Uninstall the below software:
Viewpoint Media Player <-- should have been uninstalled in step 1 of the READ ME

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Quote:

REGEDIT4

[-HKEY_CURRENT_USER\Software\Kazaa]
[-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below log:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

[outdoorlady79]

Ok I've followed all the instructions in the last post and was successfull with the fixme.reg changes. I did not put that tasklist.exe there that I remember, I have deleted it. Attached is the new log as requested.

I'd also like to add that AVG has alerted me today to two different generic viruses, one was generic7.**** (if I recall the **** were abfx but I won't swear to it) and the other was another variant of Generic11. Both of these appeared to be in the system restore files (which if I read correctly will be wiped out once I'm clean of the other stuff and reset the system restore program). Or should I go ahead and reset it now and see if they quit appearing?

Thanks,
OL79

[chaslang]

You're welcome.

Quote:

Originally Posted by outdoorlady79

Both of these appeared to be in the system restore files (which if I read correctly will be wiped out once I'm clean of the other stuff and reset the system restore program). Or should I go ahead and reset it now and see if they quit appearing?

Since your logs are clean, you can just follow my instructions below and see what happens afterwards.

If you are not having any other malware problems, it is time to do our final steps:

1. You can uninstall SUPERAntiSpyware now.
2. We recommed you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /u
     • Notes: The space between the combofix" and the /u, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
   • Delete the C:\combofix folder from combofix.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
9. If you are running Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

[outdoorlady79]

All seems to be ok so far. Thanks for all your help! I'll be back if any more issues pop up in the next few days.

[chaslang]

You're welcome. Surf safely!