Log File View Requested -Seriously Infected Friends Machine

Discussion in 'Malware Help (A Specialist Will Reply)' started by Trebacz, Aug 16, 2007.

  1. Trebacz

    Trebacz Private E-2

    Fixing a friend's computer. I followed all the instructions on the read me and run me first sticky. From that I'm attaching the output logs of the steps that I could run, in the order that I ran them. I was able to run the requested scans in safe mode without a problem. All tools reported that they could remove the infections.

    The machine has 3 administrator accounts on it. One I currently don't have the password for, but can get it if I need it. Please let me know if the procedure for a multi-administrator machine is different. Can I just delete the other user accounts to save some time in the scanning process?

    CounterSpy (wouldn't run -said the administrator wouldn't allow it -or something close to that)
    AVG Antispyware -scan ran -can't find log -many things were found
    BitDefender -log attached
    PandaActiveScan (found 38 viruses, 263 spyware, 8 hacking tools and rootkits) -log attached
    GetRunKey
    ShowNew
    HijackThis
  2. Trebacz

    Trebacz Private E-2

    Here are the other two logs.

  3. abri

    abri MajorGeek

    Hi Trebacz!

    Welcome to Major Geeks! Please read the following through before beginning!

    Some of your logs didn't get attached! Please attach the following three.

    AVG Antispyware
    Panda
    Bitdefender

    While you're in add/remove programs, please remove Java jre1.5.0_03.

    Once you've done the above, reboot

    Then install Java Runtime Environment vs. 6.2.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    * On the page that opens, scroll down to Remote Account Manager
    * then right click the entry, select Properties and press Stop Service.
    * When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    * Click OK until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    * At the lower right, click on the Config button
    * Then click the Misc tools button
    * Select Delete an NT Service
    * Copy/paste ramtsvc into the box that opens, and press OK
    * If you receive any error messages just ignore them and continue.
    * Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items

    Now re-Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Next ...Double click combofix.exe & follow the prompts.
    When finished, it will produce a log for you. Attach this log to your next reply

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt
    Attach the logs for:
    ComboFix
    Avenger
    GetRun
    ShowNew
    HJT
    Thanks!
    abri
    Last edited by a moderator: Aug 16, 2007
  4. Trebacz

    Trebacz Private E-2

    Here are the log files for:

    Panda
    Bitdefender

    Unfortunately:
    AVG Antispyware -scan ran -can't find log -many things were found

  5. Trebacz

    Trebacz Private E-2

    While you're in add/remove programs, please remove Java jre1.5.0_03. Done !

    Once you've done the above, reboot Done !

    Then install Java Runtime Environment vs. 6.2. Done !

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    * On the page that opens, scroll down to Remote Account Manager
    * then right click the entry, select Properties and press Stop Service.
    It wasn't running. But I set it to disabled.
    * When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    * Click OK until you get back to Windows. Done !

    Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    * At the lower right, click on the Config button
    * Then click the Misc tools button
    * Select Delete an NT Service
    * Copy/paste ramtsvc into the box that opens, and press OK
    * If you receive any error messages just ignore them and continue.
    * Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items

    Now re-Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    Quote:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com Done !
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com Done !
    O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\tnsjftqy.dll",forkonce Done !
    O4 - HKLM\..\Run: [j] C:\WINDOWS\system32\j.exe Done !

    Next ...Double click combofix.exe & follow the prompts.
    When finished, it will produce a log for you. Attach this log to your next reply Done ! ComboFixLog.txt

    Now download The Avenger by Swandog469, and save it to your Desktop. Done !

    * Extract avenger.exe from the Zip file and save it to your desktop Done !
    * Run avenger.exe by double-clicking on it. Done !
    * Check the 'Input script manually' box. Done !
    * Click on the magnifying glass icon. Done !
    * Copy everything in the Quote box below, and paste it in the box that opens: Done !

    * Now click the 'Done' button. Done !
    * Click on the traffic light icon and OK the prompt. Done !
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself. Done !
    * A log file from Avenger will be produced at C:\avenger.txt The computer rebooted, but it said no log file could be found.

    Attached are the first three new log files:
    ComboFix
    Avenger (didn't create a log -just opened an empty text box on reboot)
    GetRun
    ShowNew
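As an added example (not part of this thread or of HijackThis, ComboFix or Avenger), here is a small Python triage script that reads HijackThis-style R1 and O4 lines like the ones fixed above and flags the patterns a helper looks for: a Run entry that uses rundll32 to load a randomly named DLL from system32 through an odd export, a single-letter executable in system32, and IE search URLs pointing somewhere other than the expected default hosts. The sample log is constructed from the four entries quoted in this post plus two benign entries, and the list of expected search hosts is an assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the HijackThis lines quoted in the post above, plus two benign Run entries.
SAMPLE_HJT_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\tnsjftqy.dll",forkonce
O4 - HKLM\..\Run: [j] C:\WINDOWS\system32\j.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Assumption: hosts a stock IE 6 search URL is expected to point at; anything else is reported.
EXPECTED_SEARCH_HOSTS = {"search.msn.com", "www.microsoft.com", "go.microsoft.com"}

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
R1_RE = re.compile(r"^R1 - (?P<key>[^=]+?) = (?P<url>\S+)$")
DLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[^"]*system32\\(?P<stem>[^\\"]+)\.dll"?,(?P<export>\w+)', re.I)
EXE_RE = re.compile(r'(?:^|\\)(?P<stem>[^\\"\s]+)\.exe', re.I)

def looks_random(stem):
    """Lowercase, 6+ letters and almost no vowels: typical of generated file names."""
    if not (len(stem) >= 6 and stem.isalpha() and stem.islower()):
        return False
    vowels = sum(c in "aeiou" for c in stem)
    return vowels / len(stem) < 0.15

def triage_hjt(log_text):
    """Return (section, reason, line) for every R1/O4 line that matches a suspicious pattern."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            d = DLL_RE.search(cmd)
            if d and looks_random(d.group("stem")):
                findings.append(("O4", "rundll32 loads random-named system32 DLL via export " + d.group("export"), line))
                continue
            e = EXE_RE.search(cmd)
            if e and len(e.group("stem")) == 1:
                findings.append(("O4", "single-letter executable", line))
            continue
        m = R1_RE.match(line)
        if m:
            host = urlsplit(m.group("url")).hostname or ""
            if host not in EXPECTED_SEARCH_HOSTS:
                findings.append(("R1", "search URL points at " + host, line))
    return findings

if __name__ == "__main__":
    for section, reason, line in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{section}] {reason}: {line}")
```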

  6. Trebacz

    Trebacz Private E-2

    Here is a new hijack this log.

  7. abri

    abri MajorGeek

    I need logs for
    Combofix
    Newfiles
    Runkeys

    Before you redo Shownew (for Newfiles.txt) and GetRunKeys (for Runkeys.txt), if you have not yet done so, please make sure you've uninstalled WildTangent and anything else that's on the Uninstall Malware via Add/Remove Programs list.

    Thanks!
    Abri
  8. Trebacz

    Trebacz Private E-2

    I need logs for
    Combofix Done -see previous reply. #5
    Newfiles Done -see previous reply. #5
    Runkeys Done -see previous reply. #5

    Before you redo Shownew (for Newfiles.txt) and GetRunKeys (for Runkeys.txt), if you have not yet done so, please make sure you've uninstalled WildTangent and anything else that's on the Uninstall Malware via Add/Remove Programs list.

    Done -none were still installed there -including wild tangent. It's likely some of them were removed before I got to the machine. Thanks for the help you're providing.
  9. abri

    abri MajorGeek

    1) If you have not already done so, go to
    Uninstall Malware via Add/Remove Programs
    and look for any programs which have not yet been removed. I see the below program is still on the computer! Please remove it and any others you find on the list including these two!
    2) Did you or someone using this computer give this name to a text? bfawvuqp.txt


    If not, please go to C:\Documents and Settings\bfawvuqp.txt and look at it by double clicking on it. If it's not something you recognize, please delete it.


    3) Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    Again, make sure ALL browser windows are closed when you click FIX.


    4) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    5) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    6) Begin here after rebooting from Step 5!
    Next Reset Web Settings & Default Security Settings

    Note for IE 6 users:
    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK

    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites. For IE 7 users, simply click the "Reset all zones to default level" button.

    Note for IE 7 users:
    Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.


    7) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    8) After you have completed ALL of the above in the correct order, please attach the following logs.
    • HijackThis Log
    • ShowNew Log
    • GetRunKey Log
    • Avenger Log
    • Panda Log
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
    Last edited by a moderator: Aug 19, 2007
  10. Trebacz

    Trebacz Private E-2

    Thanks for all your help. I did all the steps listed -except rerunning the Panda scan. I used the Panda scan to delete many of the .exe's that weren't found when I ran your Avenger script.

    The computer seems to be running very well.

    Here are the log files requested -except for the Panda scan.

    HijackThis Log
    ShowNew Log
    GetRunKey Log
    Avenger Log

  11. Trebacz

    Trebacz Private E-2

    Here is the Avenger Log.

  12. abri

    abri MajorGeek

    Hi Trebacz,
    a very few things left, but I want to make sure about them before I get back to you.
    abri
  13. abri

    abri MajorGeek

    Sorry, this is taking a bit longer than I would like, but I'll get back to you as soon as possible.
    abri
  14. abri

    abri MajorGeek

    Hi Trebacz!

    1) Please go to Add/Remove Programs and uninstall

    - J2SE Runtime Environment 5.0 Update 3

    It's still showing up in your uninstalls list!! It should be there. Please uninstall it!


    2) Unless you use it, please Disable/Remove Windows Messenger
    (It is not the same as MSN Messenger!! It's a Windows internal thing which most people don't use.)

    3) Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    Again, make sure ALL browser windows are closed when you click FIX.

    4) Now, copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme1.reg and then click save. (Make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme1.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    5) Now run Avenger...
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt


    6) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    7) After you have completed ALL of the above in the correct order, please attach the following logs.
    • HijackThis Log
    • ShowNew Log
    • GetRunKey Log
    • Avenger Log
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    abri
    Last edited by a moderator: Aug 21, 2007