Infected with something - Plz help!

Discussion in 'Malware Help (A Specialist Will Reply)' started by princess_zammy, Jan 1, 2008.

  1. princess_zammy

    princess_zammy Private E-2

    Hi

    Computer started running slow, programs slow to open, firefox and yahoo messenger crashing constantly.

    Did your "read me" and "house cleaning" but came across a few problems.

    1. After running spybot, windows kept hanging - no choice but to reboot. Had to start in last known good config to get it to work.

    2. Ran AVG Spyware, a few things were found, but I had no option to save a report. I double checked the settings again, and they were correct, then the program froze, then windows. Once again had to reboot.

    3. Ran AVG Spyware again, found 1 thing only this time, still no option to save report.

    So, only 2 logs attached - Combofix and MGlogs (I hope as computer froze last time I was trying to attach files!).

    thanks in advance

    p.s. I know I am naughty I should be running SP2 and I will once I get this all sorted. I also want to run Comodo Firewall but this also requires SP2 to run. I would really like your advice on which products to use, as I am still getting these things :(
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi princess_zammy!
    Welcome to Major Geeks!

    Did the problems you've been noticing start recently? Do you remember if you installed any new software around that time?

    Your computer is very vulnerable without Windows Updates. You have a lot of files which are unfamiliar to me, but they were put on quite a long time ago, so I don't want to do anything about them if they preceded the problems you are experiencing now.

    Did you install Norman Antivirus yesterday?

    Please do the following:

    1) Go to add/remove programs and uninstall the below:

    - Java(TM) 6 Update 2

    2) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe
    O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe

    After you click fix, just close hijackthis.


    3) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Make sure you tell me how things are working now!

    4) Run CCleaner in the default setting to remove your temporary files, cookies, history, logs etc. Don't change anything. Simply run it where it opens.

    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.

    Let me know how things are running now?

    abri
     
  3. princess_zammy

    princess_zammy Private E-2

    Hi Abri

    Thank you for your quick reply. Yes problems maybe last 2 weeks or so. I just put it down to holiday internet overload. I was running AntiVir which picked up a few things that I put in quarantine but it kept picking up new things. I was looking at your site with software etc and thought I'd try Avast instead to see if it would fix the problem. It also picked up a few things.

    I was looking through processes to see what was draining my ram and found mmdmm.exe which I googled, deleted and also deleted from registry. Obviously there is more here. :(

    I was on your forums in May with problems but haven't had any since. If you want to run by some programs maybe I can tell you what they are?

    Never heard of Norman Antivirus >.<

    Only other strange thing is I have an Explorer icon on my desktop which wasn't there before I started all this.

    Things seem to be running ok but after I ran the Getlogs avast picked up smscg.exe which I took no action on cause I didn't know what to do rolleyes

    thanks in advance
     

    Attached Files:

  4. abri

    abri MajorGeek

    Hi princess_zammy

    1) Is it an Internet Explorer icon on the desktop that didn't use to be there before? If so, I believe it was installed automatically by the MGTools. If it isn't removed when we do our final clean-up at the end, check to make sure it's a link by right-clicking on it. Then click on Properties and make sure it points you to the normal location for Internet Explorer which is usually in the Internet Explorer folder under C:\Program Files. If it's a link, you can delete it without any problems, but please wait until we are finished.

    2) I'm finding recently installed programs popping up in your logs which look like they may or may not be legitimate. One of them is quransahih. Is this something that is familiar to you? It's a folder located directly under C:\ and looks possibly like something that may have been put in by you?


    3) Go to add/remove programs and uninstall the below:

    - Java(TM) 6 Update 2

    4) I would like for you to remove a service. Please do the following:
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to System Managment Controler
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run C:\MGtools\analyse.exe by double clicking on it. (This is really HijackThis), but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste SMSCGISVC into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Now run HJT/analyse.exe (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Startup: PowerReg Scheduler V3.exe
    O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe

    After clicking Fix, exit HJT.

    5) Next continue as follows:
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    6) Run CCleaner in the default setting to remove your temporary files, cookies, history, logs etc. Don't change anything. Simply run it where it opens.

    7) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    abri
     
  5. princess_zammy

    princess_zammy Private E-2

    Hi Abri

    Continuing this saga:

    After my previous post I got a few more Avast warnings which I tried to do nothing, in the end I had to put it in the chest as they were continuous. I just checked before writing this post, and the only thing in there was the a.exe.

    1. Yes, the Explorer icon was not there previously. When I right click I get Internet Explorer options. Not sure if it is sus though cause the home page is pointing to dbarticles dot com and I'm sure when I looked at it the first time it was freesarticles dot com, both of which are unfamiliar to me. It is still there waiting for instructions from you.

    2. Quransahih was put there by me. I was having problems before I installed that. I did run it by Avast with no problems showing. I can delete it if you need me to.

    3. Java Update 2 was not there as I had removed it with your previous instructions.

    4. Services done. HJT were already removed from your previous instructions except for O4 - Startup: PowerReg Scheduler V3.exe which has now been done.

    Everything else done, logs attached.

    thanks again
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi princess zammy,

    It doesn't look like you reran the GetLogs.bat. The MGlogs.zip that you posted with the Avenger log is the same one you posted before running Avenger. Please do the following:

    Run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip

    Thanks.
    abri
     
  7. princess_zammy

    princess_zammy Private E-2

    Ooppss so sorry. I closed it too early. Hope this one is better.

    kind regards

    princess_zammy
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi princess zammy!

    I hate to tell you this, but I'm not happy with your computer. I suspect there is something creating these files ... the newest one is Offlce.exe, so I would like for you to run several scans to see if we can pick up what's in there. Before you do that I need more information.

    1) Please upload the following files to jotti or VirusTotal and let me know the results. If nothing is found, just tell me. At either of these sites you will see a small window where you can browse to the file on your computer and then have it scanned by hitting submit or send.

    C:\1020239350
    C:\qwji.exe


    2) And now, please run Avenger again as per the instructions in post #4 only use the contents of this box instead:
    CCleaner is not getting enough of your temporary files out, so I would like for you to install and run ATF Cleaner after you finish running Avenger. The instructions are as follows:

    3) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    And now I would like you to do the following:

    4) Go to Alternate Scans and go about halfway down the page where you'll find a list of rootkit scans. Please run the following: RootkitRevealer and BitDefender. Let me know if they find anything. I would also like for you to run a scan called Silent Runners. For this particular scan, choose the short version.

    5) After you do all of the above and post the various information to me, I would like for you to run a more lengthy scan which can only be run with Internet Explorer with Active X turned on. With broadband it takes around an hour or two. There is a specific way to run this particular scan and I will post the instructions to you so you can get the log in the form we need.


    ****NOTE**** DO NOT INSTALL Bitdefender's Antivirus program. Make sure you follow the directions below and run the ONLINE SCANNER only.


    In Bitdefender, agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan:

    Click-on the Detected Problems tab. Then select Click here to export the scan report

    When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt) and then in the File name box change the name to bdscan, then click save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are at so you can find it later). This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.


    6) When you finish the BitDefender scan, please post the log you created and rerun the C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip

    If you have any questions, just ask.
    abri
     
  9. princess_zammy

    princess_zammy Private E-2

    Hi Abri

    Don't like the sound of that :(

    Thank you for your time and patience. Update as follows:

    1. Used jotti. First file nothing found. Second file was malware - results attached.

    2. & 3. Completed as instructed.

    4. RootkitRevealer results attached. BitDefender nothing found. Silent Runner file attached.

    I think you want all these now and I continue with the next longer scan? I will post the rest when completed.

    Only question I have is if Avast finds any trojans etc, do I put in chest or leave or delete?

    thanks again

    princess_zammy
     

    Attached Files:

  10. princess_zammy

    princess_zammy Private E-2

    Hi Abri

    I ran the online BitDefender which did find and delete a few things including the qwji. Unfortunately when I went to save the log file the pc froze and I had to reboot. Rather than do the scan again, I thought to continue with the MGLogs as it may be able to show you some of what the BitDefender deleted.

    Sorry if that was wrong, so if you need me to redo the BitDefender scan just let me know.

    It is getting rather crazy - took me 3 reboots just to post this up.

    kind regards

    princess_zammy
     

    Attached Files:

  11. abri

    abri MajorGeek

    Hi princess zammy :)

    If Avast finds anything it doesn't like, have it put it in the chest. It's possible to delete it later.

    Your most recent MGlogs.zip shows that all the files that should have been deleted with Avenger were not deleted. Did you run Avenger? If so, can you post that log to me as well? If there's an error message, I would like to see it. It may not have been installed or run correctly.

    Thanks.
    abri
     
  12. princess_zammy

    princess_zammy Private E-2

    Hi Abri,

    I am pretty sure I ran Avenger. Sorry for not posting the log. If I did miss it please forgive me, I'm not making your job any easier :eek:

    kind regards

    princess_zammy
     

    Attached Files:

  13. abri

    abri MajorGeek

    Hi princess zammy!

    1) In one of the rootkit scans called Rootkit revealer, you can see three lines at the bottom. Please double click on that file in your post to open it (or you can open it in your computer) and look at the names in those lines. Do you know who this belongs to? Are you running a firewall?

    2) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [OfficeWord Monitors] C:\WINDOWS\System32\Offlce.exe
    O4 - HKCU\..\Run: [OfficeWord Monitors] C:\WINDOWS\System32\Offlce.exe
    O4 - HKUS\S-1-5-18\..\Run: [OfficeWord Monitors] C:\WINDOWS\System32\Offlce.exe (User 'SYSTEM')

    After you click fix, just close hijackthis.


    3) Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    7) Now please run The Avenger
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    4) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things went!

    abri
     
  14. princess_zammy

    princess_zammy Private E-2

    Hi Abri

    1. One email is mine and the other is someone I know who I do have a shared folder with. I have not used MSN for a while. I am not sure if these are actual files or not. If you need me to delete MSN I can.

    I am not running a firewall, I wanted to install Comodo but can't until I upgrade to SP2.

    2. Completed

    3. This was a real struggle. I could not save in Notepad it would crash. I ended up getting someone else to create the file on their pc and sending it to me. Same problem when I went to save it, crashed. They emailed it to me - hotmail would crash. Yahoo mail I was able to do it, but using a download manager rather than browser/windows, save it wherever it landed, and dragged to the desktop. Phew.

    7. LOL 4. 5. All done.

    Sometimes the whole pc just crashes. Only improvement (if you can call it that) is when anything does crash, i can refresh and run it again without rebooting.

    Avast did pick up something, when I put in chest I would get an error saying (appropriate place in pc)mdmm(5) cannot be found.

    Also, there was no "manage attachment" button in the post this time. I had to do an IE tab within FF to upload these.

    Are we getting anywhere????

    thanks so much

    princess_zammy
     

    Attached Files:

  15. abri

    abri MajorGeek

    Hi princess zammy!

    It looks like you're making progress, but the MGlogs.zip you posted most recently has the same time and date as the one before. Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates. The new zip file can be found directly under C:\

    Thanks.
    abri
     
  16. princess_zammy

    princess_zammy Private E-2

    Hi Abri

    How frustrating. I know I did it and funny thing is the size was different on my computer.

    Avast seems to be picking up 2 things continually. The mdmm, which is now up to [10]. When I try to put in the chest, I get an avast error it can't process it (sorry my error previously I thought it couldn't find it). Then I get the warning of trojan again. So, this time I deleted it. The other one is 2k3 which I just got while typing this. I can put that in the chest no problems although I keep getting the same warnings maybe on the next bootup.

    Do you think a reformat might be the only way?

    thanks in advance

    princess_zammy
    p.s. This has taken me 1 hour to upload this. Firefox kept crashing when I go to browse, tried IE tab which worked last time - crashed. Ended up using IE which home page now shows as freesarticles.:banghead

    OK - update..as I was about to post this i got a "mixit" warning from Avast:

    The process cannot access the file because it is being used by another process.

    Cannot process: C:\\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\U1IRKTAF\mixit[5].exe
    :cry
     

    Attached Files:

  17. abri

    abri MajorGeek

    Hi princess_zammy!

    We don't usually ask people to reformat here and I would ask you to postpone that thought. There are a number of different things on your computer so they have to all be addressed. Please continue as follows:

    1) Go to add/remove programs and uninstall the below:

    - Java(TM) SE Runtime Environment 6 Update 1

    2) Next, if you do not use the MS Script Editor, you can disable it as per the instructions here:

    - How to turn off Machine Debug Manager


    3) Next, If the following two entries relate to the same software I had you delete, please delete these as well. Optionally, you can have The Glorious Quran.pdf scanned at jotti or VirusTotal and let me know the results.

    C:\Documents and Settings\user\Desktop\The Glorious Quran.pdf
    C:\Documents and Settings\user\Desktop\The Noble Quran - Saheeh Int. Translation.lnk


    4) Next we need to remove some bad services, please follow the below…
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to HFUCDRQRK
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above steps to Stop and Disable the below two Services (if you do not find them or get any errors, just continue):
      • V
      • ZOAAIR
    • Now Click OK until you get back to Windows.
    • Next, run C:\MGtools\analyse.exe (which is HijackThis), but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste HFUCDRQRK into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below two Services (if you do not find them or get any errors, just continue):
      • V
      • ZOAAIR
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    5) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [Windows Networking Monitoring] C:\WINDOWS\System32\mdm.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [Windows Networking Monitoring] C:\WINDOWS\System32\mdm.exe
    O4 - HKUS\S-1-5-18\..\Run: [Windows Networking Monitoring] C:\WINDOWS\System32\mdm.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Windows Networking Monitoring] C:\WINDOWS\System32\mdm.exe (User 'Default user')
    O23 - Service: HFUCDRQRK - Unknown owner - C:\DOCUME~1\user\LOCALS~1\Temp\HFUCDRQRK.exe (file missing)
    O23 - Service: V - Unknown owner - C:\DOCUME~1\user\LOCALS~1\Temp\V.exe (file missing)
    O23 - Service: ZOAAIR - Unknown owner - C:\DOCUME~1\user\LOCALS~1\Temp\ZOAAIR.exe (file missing)

    After you click fix, just close hijackthis.

    6) Now please run The Avenger
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    7) Please run ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things went!

    abri
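
    Several of the helper's posts in this thread (posts #2, #4, #13 and #17) pick the bad O4 Run entries and O23 services out of a HijackThis log by eye, using a handful of signals: a binary living in a Temp directory, a service whose file is already missing, an "Unknown owner" service, a name that imitates a legitimate one by one character (Offlce.exe), a known utility name running from the wrong directory (mdm.exe in System32), and a Run value registered under the SYSTEM profile. The script below is an added example, not code from the thread or from HijackThis; it encodes those same triage rules over the log lines quoted in the thread plus one constructed benign entry. The regular expressions, the IMITATED_NAMES list, the EXPECTED_DIR table and the one-edit threshold are assumptions of the example, and the output is a starting point for a human review, not a verdict.

```python
import re
from typing import Dict, List, Optional

# Sample HijackThis-style lines. The first nine are copied from the helper's posts
# in this thread; the last one is a constructed benign entry kept for contrast.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"',
    r'O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k',
    r'O4 - HKLM\..\Run: [OfficeWord Monitors] C:\WINDOWS\System32\Offlce.exe',
    r"O4 - HKUS\S-1-5-18\..\Run: [OfficeWord Monitors] C:\WINDOWS\System32\Offlce.exe (User 'SYSTEM')",
    r'O4 - HKLM\..\Run: [Windows Networking Monitoring] C:\WINDOWS\System32\mdm.exe',
    r'O4 - Startup: PowerReg Scheduler V3.exe',
    r'O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe',
    r'O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe',
    r'O23 - Service: HFUCDRQRK - Unknown owner - C:\DOCUME~1\user\LOCALS~1\Temp\HFUCDRQRK.exe (file missing)',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',  # constructed, benign
]

# Line shapes for the two HijackThis sections we triage (assumed formats).
O4_RUN = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O4_STARTUP = re.compile(r'^O4 - Startup: (?P<cmd>.*)$')
O23_SERVICE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$')

# Directory fragments where a persistent executable has no business living.
TEMP_MARKERS = ('\\temp\\', '\\temporary internet files\\')
# Names malware likes to imitate with a one-character change (Offlce vs Office).
IMITATED_NAMES = ('office', 'svchost', 'explorer', 'winlogon', 'services', 'lsass', 'csrss')
# Legitimate binaries with a well-known home; the same name elsewhere is suspicious.
# Machine Debug Manager's mdm.exe is installed under ...\Microsoft Shared\VS7Debug\.
EXPECTED_DIR = {'mdm': 'vs7debug'}


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; used to spot one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_path(cmd: str) -> str:
    """Return the program part of a command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(' ', 1)[0]


def base_name(path: str) -> str:
    name = path.replace('/', '\\').rsplit('\\', 1)[-1].lower()
    return name[:-4] if name.endswith('.exe') else name


def path_reasons(path: str) -> List[str]:
    """Signals that depend only on where the binary is and what it is called."""
    reasons: List[str] = []
    low = path.lower()
    if any(marker in low for marker in TEMP_MARKERS):
        reasons.append('executable lives in a temporary directory')
    if '(file missing)' in low:
        reasons.append('binary no longer on disk (orphaned persistence)')
    name = base_name(executable_path(path))
    for target in IMITATED_NAMES:
        if name != target and edit_distance(name, target) == 1:
            reasons.append(f"name '{name}' is one edit away from '{target}'")
    expected = EXPECTED_DIR.get(name)
    if expected and expected not in low:
        reasons.append(f"'{name}.exe' is outside its expected '{expected}' directory")
    return reasons


def triage_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one O4/O23 line; returns None for lines from other HJT sections."""
    line = line.strip()
    m = O4_RUN.match(line)
    if m:
        reasons = path_reasons(m['cmd'])
        hive = m['hive'].upper()
        if hive.startswith('HKUS\\S-1-5-18') or hive.startswith('HKUS\\.DEFAULT'):
            reasons.append('Run value registered for the SYSTEM/default profile')
        return {'kind': 'run', 'name': m['name'], 'target': executable_path(m['cmd']), 'reasons': reasons}
    m = O4_STARTUP.match(line)
    if m:
        return {'kind': 'startup', 'name': m['cmd'], 'target': m['cmd'], 'reasons': path_reasons(m['cmd'])}
    m = O23_SERVICE.match(line)
    if m:
        reasons = path_reasons(m['path'])
        if m['owner'].strip().lower() == 'unknown owner':
            reasons.append('service binary carries no publisher information')
        return {'kind': 'service', 'name': m['name'], 'target': executable_path(m['path']), 'reasons': reasons}
    return None


def triage(lines) -> List[Dict[str, object]]:
    """Keep only entries with at least one reason, in log order."""
    findings = []
    for line in lines:
        entry = triage_line(line)
        if entry and entry['reasons']:
            entry['line'] = line
            findings.append(entry)
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LINES):
        print(f"[{f['kind']}] {f['name']} -> {f['target']}")
        for reason in f['reasons']:
            print('    -', reason)
```

    Run against the sample, the five entries the helper asked to have fixed are flagged (both Offlce.exe values, mdm.exe in System32, the SMSCGISVC service and the orphaned Temp service), while jusched, dumprep, the Seagate service, the Startup item and the constructed ctfmon entry pass. None of these rules is proof on its own; a lookalike name or a Temp path is a reason to look up the file, not to delete it blind, which is why the thread pairs the HJT fix with scans and log review.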
     
  18. princess_zammy

    princess_zammy Private E-2

    Hi Abri,

    Firstly, I really wanted to go back to using Avira, so i reinstalled and updated that. I ran my pc problems past a friend. They were suggesting a few things with system restore and I actually think I forgot that step :hammer So here is what I did:

    * Turned off system restore. Rebooted in safe mode. Ran avira and avg spyware and ATF Cleaner on both user and admin. Tried to run spybot and ccleaner - wouldn't load. Quarantined everything or deleted if no quarantine option available.

    * Rebooted in normal mode. Turned System Restore back on. Computer running good! I could turn on taskmanager and was only running at 4-11% rather than 88-100%. Firefox and pages loaded quickly. Avira and Avg Spyware picked up a few things (not by a scan) and asked me to reboot. Started running a bit slow again and yahoo crashing - BUT diff now is that if I get a not responding error, if I hit cancel it will take me back to the program, and if I hit end it will end and give me the microsoft "do you want to send" window.

    Then followed on with your instructions:

    1. Deleted Java 6 update 1 and also avast

    2. This was already checked as debugging off in advanced options.

    3. Jotti was busy. Virustotal picked it up on the last scan...Tried to copy and paste the results into notepad...it crashed but was able to end and refresh and continue without having to reboot. I deleted both the files anyway just to be safe.

    4. All done. Only thing they were already stopped in services.msc. I just had to disable them.

    5. All done, although the 023's were not showing.

    6. 7. & 8. All done and completed.

    Once again, manage attachments not showing in Firefox. Had to use an IE tab.

    Thanks for making it this far...I really appreciate your time and advice. I hope I didn't do too much damage with what I did rolleyes Things seem to be going a lot lot better though

    kind regards

    princess_zammy
     

    Attached Files:

  19. abri

    abri MajorGeek

    Hi princess zammy!

    Do you know what this is? TiggersHHunt

    If it's not something you recognize, I will give you instructions for removing the values that belong to it.

    1) I would like for you to remove a service. Please do the following:
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to System Managment Controler
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run C:\MGtools\analyse.exe by double clicking on it. (This is really HijackThis), but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste SMSCGISVC into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Now run HJT/analyse.exe (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe

    After clicking Fix, exit HJT.

    2) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things went!

    abri
     
  20. princess_zammy

    princess_zammy Private E-2

    Hi Abri

    TiggersHHunt is a Disney Pc Game. If you would like me to remove it I can.

    1. Went in to services.msc, the service was already stopped, just changed to disabled.

    Deleted in Remove an NT Service.

    The second analyse this, that particular 023 was not showing.

    2. MGTools.zip attached. There was no instructions for avenger?

    Computer still running a lot better. Keeps alerting to the smscg which hopefully we just fixed, lo.exe and arr which is in the temp internet files - both I just quarantine.

    Should I get a firewall and Real time spy blocker? Or wait until we finish?

    kind regards

    princess_zammy
     

    Attached Files:

  21. abri

    abri MajorGeek

    Hi princess zammy,

    tigger LOL ... didn't think of Winnie the Pooh!

    There's still something infecting your computer which your antivirus is picking up on. The reason I asked about the tigger file is because it was loaded on the 31st of December. I'm not sure if you are downloading things while we work on your computer, but it would be better to wait because I can't tell if the new malware you're getting is coming in from outside of your computer or if it's being generated by something hidden inside of your computer.

    You can download Zone Alarm free and I would recommend it. Once it's installed on your computer, it will ask you if programs can have permission to connect to the internet. Some of these are obvious. MSN Messenger, your browser, your e-mail all need permission to connect to the internet or your computer won't function. Also, some others that are not so obvious. If you are not sure about a program, click on not to allow and if you can't work on the internet, reboot and the next time click on ok. Once you're sure about a program, check the box to always allow or never allow. Windows Explorer does not need to connect to the internet. The download for Zone Alarm free is under firewalls in the thread called How to Protect Yourself from Malware.

    I would like for you to run three more scans, still checking for rootkits and one because the last files you had quarantined belong to a certain virus. Please let me know the results for these:

    FixWareout by LonnieRJones

    Then go here: Alternate Scans

    and go to the rootkit scans again and run GMER (note the link for the instructions) and also the Panda Anti-rootkit

    The logs you posted to me are clean. I will look at the above logs if there is anything that could be malware and after that, I hope it will be time to finish so you can get your Windows Updates. It is not good to get the updates until your computer is clean, but your computer will remain vulnerable until you can do that.

    Please keep deleting your temporary files with CCleaner or ATF Cleaner every time you finish with the internet.

    abri
     
  22. princess_zammy

    princess_zammy Private E-2

    Hi Abri

    Lol @ Tigger..Well you can never be too sure ;) Although I will check with the kids if they played it on that day but I'm pretty sure it has been installed for a while.

    I am not downloading any programs only what you recommend, although I did dl the latest yahoo im to see if that made any difference. Other than that I have dl a few pdfs that I really needed but I am trying to control myself rolleyes

    Avira started picking up mdmm and a.exe right after I posted :cry Quarantine, they come back again. I also think there was msmsgs which I recall came up in one of the scans.

    After installing Zone Alarm things seem to be running a little better, and when I had to load Internet Explorer for the GMER scan, the sus home page is temp suspended - not sure if that was ZoneAlarm or maybe the Spyware police caught up to them. Yay!!

    Only other strange thing that may be unrelated is my firefox bookmarks disappeared. There was a backup which I managed to save and copy somewhere else and import them again - could be a firefox glitch and totally unrelated.

    Results of FixWareout and GMER attached. Panda Rootkit came up clean.

    I will try and do cc and ATF although most of the time I have to reboot after my computer freezes while on the net.

    Thanks again and have a great day :)

    ~princess_zammy~
     

    Attached Files:

  23. abri

    abri MajorGeek

    Hi princess zammy!

    Msmsgs can be gotten rid of with a removal tool:
    Disable/Remove Windows Messenger


    What is Avira / Avast giving you for a description of these files? Does it give you a virus name associated with the file or a link to a description or tell you anything else besides the file pathway? mdm.exe is a valid file. mdmm is also a valid file. I don't know what a.exe is, only that it is exactly the same size as mdm.exe and it is located in the same directory and it comes on the computer together with mdm.exe
    Let me see if I can find out more about these.

    abri
     
  24. princess_zammy

    princess_zammy Private E-2

    Hi Abri,

    Since installing Zone Alarm, the alerts are almost non existent, pretty much everything ok although Pdf viewer crashing when it never has before.

    When I woke this morning there was a file named C:\System Volume Information\...\A0002265.exe which is WORM/IrcBot.53760.8.

    The a.exe is also this, as well as mmdmm[1-4].exe and one of mixit[2].exe. I was getting a and mmdmm together also. Is the mmdmm supposed to have numbers after it and be in the temp internet files?

    Mdm.exe is stated as Worm/IrcBot.49664.5, along with the last batch of mmdmm detections, bin, bingo, and a.exe on 07/01.

    Almost no crashes now, so hopefully we are nearly there!

    ty ty ty :)

    kind regards

    ~princess_zammy~
     
  25. abri

    abri MajorGeek

    Hi princess zammy!

    Well, I'm not ready to give up. Please go to Removing Zlob aka SmitFraud, SpySheriff, Infections and run the removal tool. This is a two-step process. Please attach the first log rapport.txt to your post before you continue with the cleaning part of the instructions, otherwise the 2nd log will overwrite the first one.

    This particular malware is not a new one, but it seems quite determined to stay.

    abri
     
  26. princess_zammy

    princess_zammy Private E-2

    Hi Abri,

    Awwwww. Thank you for hanging in there :)

    Rapport file part 1 attached. Now for some cleaning...

    princess_zammy
     

    Attached Files:

  27. princess_zammy

    princess_zammy Private E-2

    Hi Abri,

    Ok cleaning done - rapport part 2 attached. I did it in Admin. Is that right? Do I need to do it in user also?

    One other thing, I just got a new tab in Firefox for accept.com. The site doesn't exist. I was getting these before but they had stopped.

    thank you again for all your help

    ~princess_zammy~
     

    Attached Files:

  28. abri

    abri MajorGeek

    Hi Princess Zammy!

    You have a file which is not where it belongs and isn't the correct size. It's this one:

    C:\WINDOWS\system32\msmsgs.exe

    Please find this file in Windows Explorer, right-click on it and select rename. Give it the new name msmsgs.exe.zzz

    Your computer is still infected, and the infections are not coming from nowhere. Let's see if the above makes any difference. If your computer runs all right with the file renamed, I will have you then delete it, but try your computer first, rebooting and all. There is a legitimate file by this name, which I've had you remove with the removal tool, but the legitimate file is usually under Program Files and not under system32.

    abri
     
  29. princess_zammy

    princess_zammy Private E-2

    Hi Abri,

    I can't find that file on my pc. The closest thing was msmsgs.cat in c:\WINDOWS\system32\CatRoot\{lots of numbers and letters}.

    When I used CCleaner earlier, I noticed there were some files (about 5) that said would be removed on reboot that were in the IE temp files. They were all .bmp files and all the same size and ones I didn't know. Like kleenex.bmp and airforce3.bmp.

    Computer running ok, I also get some ZoneAlarm pop-ups for winlogin when I don't have IE or msn running...not sure if that is legit or not.

    Any other scans to try?

    kind regards

    ~princess_zammy~
     
  30. abri

    abri MajorGeek

    Hi Princess Zammy,

    Please run Avenger as you have in previous steps, only use the contents of this box this time:
    After running Avenger, check the log to see if it got this file out. If it was deleted, please run ATF Cleaner again.

    I would like a new MGlogs.zip because a lot of discussion has been going on and your logs may not be up to date.

    Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.

    abri
     
  31. princess_zammy

    princess_zammy Private E-2

    Hi Abri,

    It looks like the file wasn't there. Recent logs attached.

    have a great day

    ~princess zammy~


    p.s. would it be ok to install my printer software at this point? I really need to print some things.
     

    Attached Files:

  32. abri

    abri MajorGeek

    Hi princess zammy!

    1) Yes, you can install your printer!

    2) Also, open your Windows Live Messenger, go to Help -> Customer Experience Improvement Program and turn it off. That will stop you getting all those sqm files.

    The false msmsgs is still in your logs. (creepy critter ... look at how the Microsoft office is spelled below!) Let's try the following:

    3) Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    abri
     
  33. princess_zammy

    princess_zammy Private E-2

    Hi Abri,

    Those two steps done. Does this mean we're nearly there? Are there any final logs to be double sure I'm clean? :heli

    ~princess_zammy~
     
  34. abri

    abri MajorGeek

    Hi princess zammy!
    I think your computer gets the award for very unusual infections. I found two files earlier that I forgot to ask you about. Do you know anything about the following two? They should be on your desktop. If you can't see them, see if they are in Windows Explorer under C:\Documents and Settings\user\Desktop\.

    C:\Documents and Settings\user\Desktop\p.avi
    C:\Documents and Settings\user\Desktop\AVALQ___.TTF

    If they are not familiar, please upload them to jotti or VirusTotal and let me know the results.

    My feeling is that we've been having a personal battle with someone who got into your computer. The presence of norman.exe (the name of an antivirus software) and of msmsgs.exe (the name of a regular windows messenger), and offlce (spelled with an l, not an i, also a regular software from Microsoft) and now oftice (this time with a t instead of an f) makes me think that all of these are related. What I am hoping is that we are getting the file out that is leading to these files being created. After you finish the above, would you be so kind as to run the C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates? I'm sorry for the struggle. I would hate to give up when I think we are getting close to the end. I want very much to have you get your Windows updates but your computer needs to be clean when you try to install SP2 and I don't want to have you set a new restore point until it is clean.

    abri
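The reasoning in the post above (a genuine file name sitting under a directory where the real file never lives, and folder names one letter off from a real product such as offlce and oftice) can be turned into a simple check over a list of paths. The script below is an added example, not a tool from the helper or the forum: the expected directory for msmsgs.exe and the sample paths are constructed assumptions, and the edit-distance comparison is our own way of catching the one-letter look-alikes the post describes.

```python
"""Flag near-miss names and misplaced look-alikes of legitimate Windows binaries.

Added example for this thread; not code from the helper or the forum.  The
expected directory for msmsgs.exe and the sample paths below are assumptions
constructed for the demo, not taken from the poster's logs.
"""
import ntpath

# Legitimate names the thread mentions being imitated (office -> offlce/oftice,
# msmsgs.exe appearing under system32).  Stems are compared without extension.
LEGIT_STEMS = {"office", "msmsgs", "mdm"}

# Assumption: on Windows XP the genuine msmsgs.exe lives under Program Files,
# as the helper states; the exact folder name here is our own.
EXPECTED_DIRS = {
    "msmsgs.exe": {r"c:\program files\messenger"},
}


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify(path):
    """Return a list of findings for one path; an empty list means nothing odd."""
    findings = []
    directory, name = ntpath.split(path)
    name_l = name.lower()

    # 1. A genuine name in a directory where the genuine file never lives.
    if name_l in EXPECTED_DIRS and directory.lower() not in EXPECTED_DIRS[name_l]:
        findings.append(f"{name}: legitimate name in unexpected directory {directory}")

    # 2. Any path component one edit away from a legitimate stem (offlce, oftice).
    #    Names two or more edits away (mmdmm vs mdm) are deliberately not flagged.
    for component in path.replace("/", "\\").split("\\"):
        stem = ntpath.splitext(component.lower())[0]
        if not stem:
            continue
        for legit in LEGIT_STEMS:
            if stem != legit and levenshtein(stem, legit) == 1:
                findings.append(f"{component}: one edit away from '{legit}'")
    return findings


def scan(paths):
    """Classify many paths; returns {path: findings} for paths that have findings."""
    report = {p: classify(p) for p in paths}
    return {p: f for p, f in report.items() if f}


# Constructed sample paths modelled on the names discussed in the thread.
SAMPLE_PATHS = [
    r"C:\Program Files\Messenger\msmsgs.exe",    # genuine name, genuine location
    r"C:\WINDOWS\system32\msmsgs.exe",           # genuine name, wrong place
    r"C:\Program Files\offlce\word.exe",         # 'l' instead of 'i'
    r"C:\Program Files\oftice\setup.exe",        # 't' instead of 'f'
    r"C:\Program Files\Microsoft Office\office", # real product, not flagged
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_PATHS).items():
        print(path)
        for finding in findings:
            print("   ", finding)
```

Feed it the file paths from a process list or directory listing and only the misplaced and near-miss entries come back; the exact-name legitimate entries stay silent, which is what makes the odd ones stand out.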
     
  35. princess_zammy

    princess_zammy Private E-2

    Hi Abri,

    Wow that sounds scary. What do I win? Next award I'm going for is the most views...;)

    I know both those files. First one I had already deleted before your post, the second one is a font which I ran on virustotal anyhow and it came up clean.

    MGTools logs attached.

    ~princess_zammy~
     
  36. abri

    abri MajorGeek

    I think for the most views, you have to put in the girly pictures. :D

    Please post me one more set of MGlogs.zip. I await them eagerly.

    abri
     
  37. princess_zammy

    princess_zammy Private E-2

    Hi Abri,

    Oops I thought I did attach the logs >.<.

    So sorry!!

    ~princess_zammy~
    p.s. think I'll pass on the girly pics..lol
     

    Attached Files:

  38. abri

    abri MajorGeek

    Hi princess zammy!
    I'm waiting on an answer to one question I have about your logs and then I'll get back to you.
    abri
     
  39. abri

    abri MajorGeek

    Hi princess zammy!

    I don't see any further signs for malware on your computer. Please follow the instructions below for final cleanup. I would also like to point you at some light reading about Get Your PC Ready for Windows XP SP2
    Refer to this after you finish the below.

    It's important that you set a clean restore point as per the instructions below before you download SP2. If everything goes well with SP2, then allow the rest of the updates to be installed, but do this with some pauses in between so if any problem arises, you'll know when it started.

    Thanks for your patience and perseverance! Let us know if any of these problems start again.

    abri
     
  40. princess_zammy

    princess_zammy Private E-2

    Hi Abri

    Thank you so much for all your patience and assistance. Can't believe we got to the bottom of it!

    I installed SP2, everything running ok. However I am having trouble with the updates. They dl and install but then it comes up failed. I tried to run from Microsoft site, same problem. Only one installed properly, and that was the updated automatic update install tool.

    The one from the web says you must install windows genuine notification tool first. Same thing, failed although it's not showing in my update history on the Microsoft site. Only the auto update tool is.

    Any suggestions?

    Just a few other questions about being secure...AVG antispyware trial will run out soon. I will need to replace that with a real time scanner?

    With the firewall, should I just keep Zone Alarm installed?

    Should I continue to always use both CCleaner and ATF? Do you ever use the registry cleanup in CCleaner or just the normal run?

    Lastly, all those nasties just stay in quarantine? What about the ones in AVG Antispyware? If I ever uninstall it will they reinfect my computer?

    Once again I truly appreciate all your help and this great site. I send all my friends here for safe software and advice. :)

    kind regards

    princess_zammy
     
  41. abri

    abri MajorGeek

    I'm sorry. I must send you to the Software Forum for this question, because I don't know. I'm glad SP2 is working. Please post a new thread about this, because I think you are not the only person to run into this problem.

    The best information is in the How to Protect Yourself from Malware
    Spyware Blaster is important! Spybot S&D is important! It's not resident, but it has an immunization feature that will protect you. The scan you can update and run yourself about once a week. It takes about 15 minutes. If you have these two and run CCleaner faithfully (at the default setting with the windows tab on top), plus one antivirus program and a two way firewall, your computer is quite safe. Adding something like AVG's antispyware is a choice.

    yes!

    Use CCleaner.
    I try to never fix a working system. However, as you'll see in the above link, this registry cleaner is considered quite safe. Be sure to set a restore point before you do any changes.

    They will not reinfect your computer, but they may stay in your computer. After you uninstall AVG Antispyware, do a search for AVG folders and get rid of any that are related to AVG Antispyware. If you are also using AVG antivirus (can't remember), be sure you don't confuse the two and delete the wrong folders. After you delete any leftover folders, run CCleaner to clear the trash.


    I enjoyed the work with you and wish you the best with your computer. There is a lot of information at the Software, Hardware, Networking, etc. forums. Most people end up coming to the Malware Forum first because that's how they find us.

    abri
     
