Removal of Virus Infection I

Hi

We are currently reviewing your logs and will get back to you with a plan of action and a set of instructions as soon as possible.

Thanks for your patience,
Kes13!

 

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [FU] C:\WINDOWS\system32\FUvirus.exe

After clicking Fix, exit HJT.


Now we need to use ComboFix to remove a bunch of malware files.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run Ccleaner!

Now click Start, Run, and copy and paste the below exactly as written into the run box and click OK. It will take a long time to run. Just be patient.

C:\MGtools\VFind.exe -ltf -s 32768 C:\*.exe >C:\EXEDUPE.txt

When the above finishes, it will create a file named C:\EXEDUPE.txt

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\ComboFix.txt
• C:\EXEDUPE.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Okay we will need to run it after opening a command prompt window to get the log to create. But first manually delete the below files.

C:\MGlogs.exe
C:\MGtools.exe

Now click Start, Run, and enter cmd and click OK to open a command prompt. The copy the below string:

C:\MGtools\VFind.exe -ltf -s 32768 C:\*.exe >C:\EXEDUPE.txt

Now to paste it into the command prompt window, bring the command prompt window to the top by clicking in it. Then right click in the black area of the window and select paste. This should paste in the command. Let it run. Attach the log if created this time. Let me know if you get any error messages.


How are things running?

 

Also delete the below hidden folder which I just noticed.
C:\MGlogs

Did you make the above folder or any of the below which are also hidden and system:

Code:

2008-11-27 14:18 . 2008-11-30 10:01 <DIR> d--hs---- C:\MGtools [B][COLOR=purple]  <-- this should be for MGtools but we do not make it hidden or a system folder[/COLOR][/B]
2008-11-24 07:55 . 2008-11-30 10:01 <DIR> d--hs---- C:\New Folder
2008-11-16 12:22 . 2008-11-30 10:01 <DIR> d--hs---- C:\OutputFolder

Are you using FolderGuard to lock these like this?

 

It should have been created. Shutdown or uninstall FolderGuard and then do the below.

Click Start, Run, and enter cmd and click OK. This will open a command prompt window. In the command prompt window copy and paste in the below command and hit enter:

C:\MGtools\VFind.exe -ltf -s 32768 C:\*.exe >C:\EXEDUPE.txt

You can copy the above string by highlighing it and hitting CTRL-C to copy to the clipboard. Then bring the command prompt window to the top and right click in the black area and select Paste. See if the file is created now. If not, did you receive an error messages.

Then delete them.

 

What just closed itself??

Did you open the command prompt window as requested first? You need to have the black command prompt window open. I do not want you to enter that command into the Start, Run box.

 

Okay you just need to empty your Recyle Bin and then do the below.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommed you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /u
     • Notes: The space between the combofix" and the /u, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
   • Delete the C:\combofix folder from combofix (if it exists)
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
9. If you are running Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

This is something you may want to post in the Software Forum since your logs were clean it is not a malware issue. You may have some option set somewhere on your PC to block seeing the folders. I don't know what though. Are you sure there are folders to see. If you plug this flash drive into another PC, can you see the folders on it?


Try using the below and see if it sees the folders.

ExplorerXP

 

You're welcome.