Help... I am back, and not for a good cause

Discussion in 'Malware Help (A Specialist Will Reply)' started by ishani, Dec 24, 2007.

  1. ishani

    ishani Private E-2

    As per the instructions, i post my thread and attach the files.
    1 - I have a virus that keeps popping in the AVG, cannot stop it even if healing the threat
    2 - Explorer windows get stuck
    3 - It took me 5 hours just to run through your simple and well explained steps, had many problems with spybot, and the scan took 2hrs...
    4 - In AVG, though I clicked "Automatically generate report..." etc. When the scan finished and all viruses quarantined, I cannot see any reports. so pls tell me how to solve this problem if you need the avg report
    5 - Please try to reply quick. It is 1:30 am here and I will stay up all night if I need, but I must fix the problem

    Thank you, thank you. Thank you!!!
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should have followed ALL of the instructions from the How to protect yourself link last time you were here. It may have helped you to avoid this VERY VERY BAD infection.

    Start by disabling the Guest user account which is a security risk and opens the door for intruders.

    Uninstall the below old versions of software:
    Java(TM) 6 Update 2


    I'll post the rest of the fix soon.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay here is the rest of the fix. As you will see, your PC is a mess!!!!



    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis. Click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then clicking Kill process. Then click yes. Also, if you see any other similarly named processes beginning with k119 and ending with .exe, then kill them too.

    C:\WINDOWS\system32\k11985026359.exe
    C:\WINDOWS\system32\k11985032589.exe
    C:\WINDOWS\system32\k11985037129.exe
    C:\WINDOWS\system32\k11985042002.exe
    C:\WINDOWS\system32\k11985044139.exe
    C:\WINDOWS\system32\k11985052969.exe
    C:\WINDOWS\system32\k11985057659.exe
    C:\WINDOWS\system32\k11985072169.exe
    C:\WINDOWS\system32\k11985074589.exe
    C:\WINDOWS\system32\k11985081619.exe
    C:\WINDOWS\system32\k11985093389.exe
    C:\WINDOWS\system32\k11985095669.exe
    C:\WINDOWS\system32\k11985098009.exe
    C:\WINDOWS\system32\k11985102609.exe
    C:\WINDOWS\system32\k11985104889.exe
    C:\WINDOWS\system32\k11985117639.exe
    C:\WINDOWS\system32\k11985124369.exe
    C:\WINDOWS\system32\k11985135709.exe
    C:\WINDOWS\system32\k11985138009.exe
    C:\WINDOWS\system32\k119851499916.exe
    C:\WINDOWS\system32\k119851566916.exe
    C:\WINDOWS\system32\k119851588416.exe
    C:\WINDOWS\system32\k119851610516.exe
    C:\WINDOWS\system32\k11985163118.exe
    C:\WINDOWS\system32\k119851631612.exe


    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [SSLDyn] C:\WINDOWS\SSLDyn.exe
    O4 - HKLM\..\Run: [WINSvr32] C:\WINDOWS\WINSvr32.exE
    O4 - HKLM\..\Run: [AVPSrv] C:\WINDOWS\AVPSrv.exE
    O4 - HKLM\..\Run: [upxdnd] C:\WINDOWS\upxdnd.exe
    O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\msccrt.exe
    O4 - HKLM\..\Run: [MsIMMs32] C:\WINDOWS\MsIMMs32.exE
    O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\cmdbcs.exe
    O4 - HKLM\..\Run: [Kvsc3] C:\WINDOWS\Kvsc3.exE
    O4 - HKLM\..\Run: [NAVMon32] C:\WINDOWS\NAVMon32.exE
    O4 - HKLM\..\Run: [MsPrint32D] C:\WINDOWS\MsPrint32D.exe
    O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
    O4 - HKLM\..\Run: [PTSShell] C:\WINDOWS\PTSShell.exe
    O4 - HKLM\..\Run: [NVDispDrv] C:\WINDOWS\NVDispDRV.EXE

    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
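    As an added illustration (not part of the thread and not a MajorGeeks tool), the short Python script below shows the kind of triage a helper is doing by eye when reading HijackThis O4 (Run key) and O23 (service) lines like the ones quoted above: it parses the lines and flags executables sitting directly in the drive root or in C:\WINDOWS instead of a program folder, batch files in Run keys, services with a missing image file or no owner, and process names matching the k119*.exe pattern named in this post. The sample lines and process names are constructed for the example and modelled on entries quoted in the thread; the heuristics are the author's assumptions, not a rule set from HijackThis or AVG.

```python
import re

# Constructed sample input modelled on the HijackThis O4/O23 entries quoted in
# this thread. These are illustrative lines, not a log captured from the poster's PC.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [SSLDyn] C:\WINDOWS\SSLDyn.exe",
    r"O4 - HKLM\..\Run: [NVDispDrv] C:\WINDOWS\NVDispDRV.EXE",
    r"O4 - HKLM\..\Run: [ciyugxee] C:\bslbjkmv.bat",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP",
    r'O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"',
    r"O23 - Service: C0489BF1 - Unknown owner - C:\WINDOWS\system32\1CF1AF35.EXE (file missing)",
    r"O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe",
]

# Constructed process list: one name from the k119 family quoted above plus a normal one.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\system32\k11985026359.exe",
    r"C:\WINDOWS\system32\svchost.exe",
]

O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
K119_RE = re.compile(r"^k119\d+\.exe$", re.I)  # the k119xxxxxxxx.exe family named in the thread
WINDOWS_ROOT = ("c:", "windows")


def image_path(cmd):
    """Return the executable path from a Run-key command line, dropping any arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|bat|cmd|com|scr|dll|pif))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]


def assess(path, owner=None, missing=False):
    """Heuristic reasons (assumptions, not a vendor rule set) an entry deserves a closer look."""
    reasons = []
    parts = path.lower().replace("/", "\\").split("\\")
    directory, base = parts[:-1], parts[-1]
    if len(directory) == 1:                     # e.g. C:\bslbjkmv.bat
        reasons.append("executable placed directly in the drive root")
    elif tuple(directory) == WINDOWS_ROOT:      # e.g. C:\WINDOWS\SSLDyn.exe
        reasons.append("executable placed directly in C:\\WINDOWS rather than a program folder")
    if K119_RE.match(base):
        reasons.append("name matches the k119*.exe pattern")
    if base.endswith((".bat", ".cmd")):
        reasons.append("start-up entry is a batch script")
    if missing:
        reasons.append("service image file is missing (orphaned service entry)")
    if owner and owner.lower() == "unknown owner":
        reasons.append("service has no publisher/owner information")
    return reasons


def triage(lines):
    """Parse O4/O23 lines and return the entries that trip at least one heuristic."""
    findings = []
    for line in lines:
        m = O4_RE.match(line)
        if m:
            reasons = assess(image_path(m.group("cmd")))
        else:
            m = O23_RE.match(line)
            if not m:
                continue  # other HJT sections are ignored in this example
            reasons = assess(m.group("path").strip(),
                             owner=m.group("owner"),
                             missing=bool(m.group("missing")))
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


def flag_processes(process_paths):
    """Return the process image paths whose file name matches the k119*.exe pattern."""
    return [p for p in process_paths if K119_RE.match(p.replace("/", "\\").split("\\")[-1])]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("    -", reason)
    print("processes to review:", flag_processes(SAMPLE_PROCESSES))
```

    The script only narrows down what to look at; entries in C:\Program Files with a known publisher pass through untouched, which is why the two AVG lines produce no finding, while the unsigned-looking names parked in C:\WINDOWS and the orphaned service do.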
     
  4. ishani

    ishani Private E-2

    Hi!
    1 - In the C:\MGtools\analyse.exe process manager: I could not find all the files you mentioned, only some, but when I killed one, a few more popped up, and if I killed more, others disappeared
    2 - In the Avenger, I could not fit all of the list, and had to compromise on 3/4 of it. I didn't want to do it again for the ones that didn't fit, as I didn't know how without damaging the report for you
    3 - I rebooted after that
    4 - I didn't install the new Java as I did not complete the tasks according to your instructions, so I need to know what to do
    5 - I closed the computer and am writing this from another one as AVG keeps prompting and healing more of these k119....exe, but now they seem to be in Avenger (I mean their path comes from c:Avenger/....k119...exe, something like that)
    Waiting for further instructions
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you don't get all of the files into the Avenger fix at one time, the fix will not work.

    Let's just try something different.

    • Boot into safe mode and run Windows Explorer.
    • Go to the C:\WINDOWS\system32\ folder and delete all of the files beginning with k119 and ending with .exe yourself.
    • If any of them say they are running, use the process manager of analyse.exe (HijackThis) like in my last message to kill them all. Try selecting all k119 type processes at one time and killing them.
    • Also delete the below files while in safe mode:
      • C:\WINDOWS\system32\LotusHlp.dll
      • C:\WINDOWS\system32\drivers\daefalat.sys
      • C:\WINDOWS\system32\drivers\ivwrujbt.sys
      • C:\WINDOWS\bcfomu.exe
      • C:\WINDOWS\cnslpb.exe
      • C:\WINDOWS\fzdmlq.exe
      • C:\WINDOWS\jotgpr.exe
      • C:\WINDOWS\jqeqwz.exe
      • C:\WINDOWS\LotusHlp.exe
      • C:\WINDOWS\orjchj.exe
      • C:\WINDOWS\pinvyf.exe
      • C:\WINDOWS\tlugdt.exe
      • C:\WINDOWS\vtbbqa.exe
    Then boot into normal mode and tell me what happened. Also attach a new MGlogs.zip file from running GetLogs.bat again.
     
  6. ishani

    ishani Private E-2

    OK, done your last post instructions.
    When in Safe mode, I don't have the problem of the trojan jumping up every time in AVG. Actually, now in normal mode the threat window is stuck as well; usually it counts down 30 seconds before it heals and prompts for another one.
    Tell me how to proceed, I leave the computer on this time.

    Thanks
    Ishay
     

    Attached Files:

  7. ishani

    ishani Private E-2

    Let me know how to proceed please, thank you!
     
  8. ishani

    ishani Private E-2

    Hi, please let me know how to proceed
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to read the stickies, especially this one: Don't Bump! It Only Hurts You!!!

    These unnecessary messages cost you 16 hours of additional waiting time.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now let's remove a rogue service.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to C0489BF1
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [ciyugxee] C:\bslbjkmv.bat
    O4 - HKLM\..\Run: [uahlgbhv] C:\ffowcmsp.bat
    O23 - Service: C0489BF1 - Unknown owner - C:\WINDOWS\system32\1CF1AF35.EXE (file missing)

    After clicking Fix, exit HJT.


    Now delete the below files if found:
    C:\Documents and Settings\meital shani\My Documents\$ap3c.tmp
    C:\Documents and Settings\meital shani\Local Settings\Temp\is-2LO8R.tmp
    C:\bslbjkmv.bat
    C:\ffowcmsp.bat
    C:\WINDOWS\system32\1CF1AF35.EXE
    C:\WINDOWS\LotusHlp.exe
    C:\avenger.txt
    C:\ComboFix.txt

    What is the below file? If unknown, then delete it too.
    C:\Documents and Settings\meital shani\Desktop\m.xls

    Now delete the below folders:
    C:\Documents and Settings\meital shani\Desktop\AVENGER
    C:\Avenger
    C:\ComboFix
    C:\qoobox

    Now reboot.

    After reboot, run Ccleaner!

    NOW run MSconfig and put your system into Normal Startup mode as requested in the READ ME.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created.

    Make sure you tell me how things are working now!
     
  11. ishani

    ishani Private E-2

    Ok , done.
    1 - In C0489BF1, it was already disabled, so I just stopped it
    2 - I didn't find O23 - Service: C0489BF1 - Unknown owner - C:\WINDOWS\system32\1CF1AF35.EXE (file missing)
    Maybe it has something to do with me running AVG prior to receiving your instructions
    3 - I don't see any prompts from AVG in the past few hours as before

    Thanks and sorry for the reposts... Will not happen again
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean.


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  13. ishani

    ishani Private E-2

    Thank you very much!
    * Could you tell me if you can see for sure whether drives D and E were also cleaned?

    * When the problem started 2 days ago, I immediately backed up the files and disconnected an external hard drive which I had connected. Later I connected the ext HD to another computer and while trying to access it I ran into the virus again...!!!! It seemed not as bad as on the other computer and I think it was cleaned; I attach a log for you to tell me please if I am ok here. (Again, these attachments are for the second computer connected to an external HDD which was in the 1st computer which you were helping me with the past 2 days)

    I have some questions about which software you recommend me to buy and if it is better to buy than use the free ones, but let me first make sure that I am clean..

    Thanks
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Those logs are not going to tell me anything about drives D and E. They are primarily scans of drive C only.

    If you backed up your PC while it was infected, then whatever you backed up may well be infected. This is no different than why we toggle System Restore after cleaning. We do this to remove possibly infected restore points so that you cannot restore malware by using an infected restore point. Since your backups may contain infections, they cannot be trusted.

    Are the logs you attached from the same PC we just cleaned? Or are they from another computer? I was not sure from your message but it looks like this is another PC? If so you should have begun a new thread for the new PC and you should have run ALL of the READ & RUN ME. You are running MSconfig to control startups so I cannot properly evaluate your logs. You must do all of the READ ME and start a new thread and attach all of the requested logs. Note: I do see a Lovegate Trojan.
     
  15. ishani

    ishani Private E-2

    Ok, thanks.
    So lets concentrate on the original computer.
    If I need to, I will contact you regarding the other computer through a new thread.

    Do you recommend me to buy the AVG Anti-Spyware which I installed as a trial?

    I never installed the new Java software, should I do it now?

    Thanks

    Ishay
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you like it, yes you can purchase it. It is a good program. Or you can just use free tools.

    Yes.



    Remember your other PC does appear to be infected, and also on this other PC you need to uninstall AVG Anti-Spyware and get it installed properly. You must install programs in their proper default folders, which is normally under C:\Program Files. You currently have it installed like this:

    C:\Documents and Settings\Administrator\My Documents\AVG Anti-Spyware 7.5\avgas.exe

    This is a very bad idea. It is a program, not a document, and installing it this way makes it look suspiciously like malware trying to pose as the real application. In addition, no one else on the PC can properly access the program because it is installed only where the Administrator user account can access it.
     
