AVSystemCare and HiJack Logfile

Discussion in 'Malware Help (A Specialist Will Reply)' started by sMethod, Jan 28, 2008.

  1. sMethod

    sMethod Private E-2

    I don't know where to go next with the removal of this malware. Your stickies were very helpful for understanding what was happening, but I can't seem to get rid of them on my own. Any help would be greatly appreciated.
     
  2. abri

    abri MajorGeek

    Hi sMethod!
    Welcome to MajorGeeks!

    We need to see the logs we request in the READ & RUN ME FIRST, which include Combofix, AVG Antispyware (if it produces a log) and the logs for the MGTools. There are other instructions prior to making these logs that are important for getting us the best information to work with. Please go through the READ & RUN ME and then attach the logs with your next post. Then we'll be able to see better what's going on with your computer.

    abri
     
  3. sMethod

    sMethod Private E-2

    Abri, I'm sorry, I was impatient and reposted my log instead of bumping my original post. I will bump the first post with the log in it; sorry for my incompetence.
     
  4. abri

    abri MajorGeek

    sMethod,
    Your first post didn't have any log attached to it. If you followed the instructions in the READ & RUN ME, there will be either two or three logs, one for Combofix, possibly one for AVG Antispyware and one for MGlogs.zip. Bumping posts here has the effect of putting you at the bottom of the list, so only bump if you have noticed several days go by with no response.
    abri
     
  5. sMethod

    sMethod Private E-2

    Abri, when I said first post I meant an entirely different thread; it did have a log, but it was only one from HijackThis.

    Also when I attempt to install zone alarm or pc tools the programs are immediately shut down.
     
  6. abri

    abri MajorGeek

    Hi sMethod,
    Can you follow any of the instructions in the link in post 2 of this thread? If necessary, do Combofix first. To get to Combofix, go to the link in post 2 of this thread and scroll down that page that opens until you get to the instructions for the different operating systems at the bottom. Click on the one that's relevant for your operating system. Then look for the Combofix instructions. If you are able to run Combofix, then go back and do the rest of the instructions in the READ & RUN ME. If you get any of the logs, please attach them here. If you can't do any of the instructions, please tell me what error messages you are getting.
    Thanks.
    abri
     
  7. sMethod

    sMethod Private E-2

    Avg Anti-Spyware would not produce a log.
     

  8. abri

    abri MajorGeek

    Hi sMethod,

    Before you begin, close all browser windows and run CCleaner in the default setting with the Windows tab as the one on top.

    Then delete the C:\Temp folder completely.

    When you've finished these two things, come back and continue with the following instructions:

    1) Rename the following file C:\WINDOWS\system32\nvModes.dat to nvModes.dat.zzz

    2) Next we need to remove a bad service, please follow the below…
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Security Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste YUNB into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    3) Click back until you get back to the start page of HijackThis, then select Do a system scan only and select the following lines, but DO NOT CLICK FIX until you exit all browser sessions, including the one you are reading in right now:

    O2 - BHO: (no name) - {5A30F2EA-839E-4A23-8834-0E6ED47099CA} - C:\Program Files\ComPlus Applications\hokero83122.dll (file missing)
    O2 - BHO: 0 - {92DCDCAD-3CB1-40A1-6787-37BA9D99C862} - C:\Program Files\Online Services\lavulaxa151.dll (file missing)
    O2 - BHO: (no name) - {9B424285-0761-48DD-962A-367F1E898A6E} - C:\Program Files\ComPlus Applications\hokero4444.dll (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\RunOnce: [SpybotDeletingA429] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC7349] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
    O4 - HKCU\..\Run: [Bov] C:\WINDOWS\system32\a?sembly\?poolsv.exe
    O4 - HKCU\..\RunOnce: [SpybotDeletingB8638] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD9936] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
    O20 - Winlogon Notify: mljihfe - mljihfe.dll (file missing)
    O23 - Service: Security Service (YUNB) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)

    After you click fix, just close hijackthis.

    4) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    5) Download and install Erunt. Use it to create a backup of your registry.

    6) Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    7) Go to add/remove programs and uninstall the below:

    - Java(TM) 6 Update 2
    - AVSystemCare 2.2.362.2 (if you get any warning about uninstalling this, just cancel the uninstall)



    8) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    9) Install the current version of Sun Java from: Sun Java Runtime Environment

    10) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    11) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip (located directly under C) it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
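As an added example (not part of this thread or of any tool it names), the Python below runs the kind of checks abri applied by eye over the HijackThis lines quoted in post 8: it flags "(file missing)" entries, an unprintable character in a path, a system-binary name outside its normal directory, and a service with no recorded owner. The sample log lines are constructed from the post, and the EXPECTED_DIR table is an assumption about a Windows 2000/XP layout.

```python
import re

# Constructed sample input: HijackThis lines quoted in post 8. HijackThis prints
# characters it cannot render as "?", so the "?" in the [Bov] path is itself a
# tell: the folder and file names imitate "assembly" and "spoolsv.exe".
HJT_SAMPLE = """\
O2 - BHO: (no name) - {5A30F2EA-839E-4A23-8834-0E6ED47099CA} - C:\\Program Files\\ComPlus Applications\\hokero83122.dll (file missing)
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKCU\\..\\Run: [Bov] C:\\WINDOWS\\system32\\a?sembly\\?poolsv.exe
O20 - Winlogon Notify: mljihfe - mljihfe.dll (file missing)
O23 - Service: Security Service (YUNB) - Unknown owner - C:\\WINDOWS\\system32\\svcd\\svchost.exe (file missing)
"""

# Assumed Windows 2000/XP layout: binaries that malware likes to name itself
# after, with the one directory each legitimately lives in.
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
}
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|sys))', re.IGNORECASE)


def review_hjt_line(line):
    """Parse one HijackThis line into {'section', 'path', 'flags'}; None if not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    path_m = PATH_RE.search(body)
    path = path_m.group(1) if path_m else None
    flags = []
    if "(file missing)" in body:
        flags.append("file missing: orphaned entry, target hidden or already removed")
    if path and "?" in path:
        flags.append("unprintable character in path: lookalike folder or file name")
    if path:
        folder, _, name = path.lower().rpartition("\\")
        if name in EXPECTED_DIR and folder != EXPECTED_DIR[name]:
            flags.append(f"{name} outside its normal location {EXPECTED_DIR[name]}")
    if section == "O23" and "Unknown owner" in body:
        flags.append("service with no recorded owner")
    return {"section": section, "path": path, "flags": flags}


def suspicious_entries(log_text):
    """Every parsed line that raised at least one flag, in log order."""
    rows = (review_hjt_line(l) for l in log_text.splitlines())
    return [r for r in rows if r and r["flags"]]
```

Calling suspicious_entries(HJT_SAMPLE) returns the four flagged lines and leaves the legitimate QuickTime entry out.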
  9. sMethod

    sMethod Private E-2

    I don't know if this matters but these didn't show up on the HJT scan.

    O4 - HKLM\..\RunOnce: [SpybotDeletingA429] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC7349] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB8638] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD9936] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
    O23 - Service: Security Service (YUNB) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)

    I moved past that and got to The Avenger but nothing showed up in the quote box.
     
  10. abri

    abri MajorGeek

    Hi sMethod!

    That is all okay. Just post the logs when you get done and tell me if you get a success message for the REGEDIT4 patch.

    Thanks.
    abri
     
  11. abri

    abri MajorGeek

    sMethod,

    When you finish with the instructions in post 8, please add the following registry patch and let me know if you get a success message:


    Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.


    abri
     
  12. sMethod

    sMethod Private E-2

    Ran the fixme and got this.

    Cannot import C:documents and settings\***\fixME.reg: The specific file is not a registry script. You can only import binary registry files within the registry editor.
     
  13. sMethod

    sMethod Private E-2

    There was another fixME.reg on my desktop I double clicked that one and it ran successfully.
     
  14. abri

    abri MajorGeek

    Hi sMethod,

    Go ahead and do the following and I'll check what happened with the registry patch. It may be necessary to delete the old one before creating the new one.

    Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip (located directly under C) it generates along with the Avenger log. <------ this should be left from the post where you used Avenger.

    abri
     
  15. sMethod

    sMethod Private E-2

    Avenger failed to produce a log the first time and I'm sure I followed the directions correctly. After running MGtools I tried Avenger again and got an error message: could not oper script file.
     
  16. abri

    abri MajorGeek

    Hi sMethod,
    It's okay that the hijackthis entries aren't there. The Avenger entries are more of a problem. We can try the Avenger deletions using Combofix instead. Please do the following:
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have the below icons on your Desktop (double click the thumbnail to expand it)
    http://forums.majorgeeks.com/attachment.php?attachmentid=78961&thumb=1&d=1198874840
    • Use your mouse to drag CFscript.txt on top of ComboFix.exe (refer to the above picture for an example)
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Attach the new log from ComboFix
    • Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created.
     
