Ultimate Cleaner Malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by dalan, Feb 24, 2008.

  1. dalan

    dalan Private E-2

    Hello,

    A couple of days ago I got infected with the malware "Ultimate Defender". I kept getting a ton of popups telling me I had a virus, trojan, etc. I knew it was a phony virus but that didn't help me much in fixing the problem. The malware even shut down Task Manager so I was unable to stop several of the processes the malware was causing to run.

    After messing with my computer for several hours (and I mean several), I found three files in the C:\Windows directory that shouldn't be there:
    1. fsxloqf.exe
    2. admgcx.dll
    3. bdmanager.dll

    Instead of deleting the files I renamed them. After renaming them and running gpedit.msc to get Task Manager working again my computer seemed to be OK. I ran HijackThis and "fixed" two entries that had to do with the .dll files (admgcx.dll and bdmanager.dll) - both 021. Since I'm not real familiar with HijackThis I probably should have left things alone.

    The next day I realized my audio drivers weren't working. After spending another several hours messing with that (and posting it here), I found that I had a system restore point two days before I encountered the Ultimate Cleaner malware and restored my computer to that time. Then my audio worked fine.

    Anyway, the reason I'm posting this is that I was hoping someone could look at my MGlogs.zip log and see if I have any traces of this "Ultimate Cleaner" malware left on my computer.

    BTW, I also sent the "infected" files to McAfee's Avert for evaluation. Not sure if that will help any, but I guess it can't hurt.

    Regards,
    dalan
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Next time you have any issues with malware, please run the complete READ & RUN ME procedure and attach all of the requested logs. While MGtools is very useful to us it is not a comprehensive malware scanning tool. That is why the READ & RUN ME runs several procedures.

    You are using MSconfig to control startups and you should not be doing that. See the below:

    Dealing with Startup Processes


    Do you know what the below files are for?
    Code:
    "C:\Program Files\"
    sss.dat       Feb 22 2008         120  "sss.dat"
    "C:\"
    pth.bat       Jan 15 2008         263  "pth.bat"
    pth1.bat      Jan 15 2008         226  "pth1.bat"
    Did you add the below info to your hosts file?

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) SE Runtime Environment 6 Update 1
    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    After clicking Fix, exit HJT.

    Now delete the below files:
    C:\WINDOWS\admgcx.dxx
    C:\WINDOWS\bdmanager.dxx
    C:\WINDOWS\fsxloqf.xxx

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp


    As requested in the READ ME, please download and install CCleaner
    • Now run Ccleaner with the default options (that means don’t change anything) to clean out temporary files.
    • Only use the default settings on the Windows Tab and select Run Cleaner. Do not run any other options from other tabs.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created.

    Make sure you tell me how things are working now!
     
  3. dalan

    dalan Private E-2

    Can you please point me to the READ & RUN ME page? Thanks! Also, thanks for the info on MSconfig. I rarely use it but I did use it a while back since I didn't know any other way to stop programs from loading or running on startup.

    I know what the two batch files are. I use them to modify my path if I go to the command line. However, I don't know what the "sss.dat" file is. Windows Explorer reports that it is a Nero file but I removed Nero over a month ago. The date looks very suspicious. For now I have renamed the file.

    No, I did not add this info to my hosts file. I suspect it's from an Apple utility called "iDisk". My brother is a Mac freak and he has what's called an "iDisk". You need a program from Apple to access an iDisk with a Windows machine. You can read more about it at this link: http://www.mac.com/1/idiskutility_download.html. I see there's a new iDisk utility out for Windows XP. Their old iDisk utility never worked very well - maybe the newer one will. Anyway, what should I do with these entries? Can I let analyse.exe delete them?

    Done....

    I was unable to install or download Sun Java Runtime Environment 6 Update 4 from the link you posted. I had to settle for Java 6 Update 3. As for Firefox, I prefer to stay with IE7 for now. I had a bad experience with Firefox in the past.

    Done.....except I think I "fixed" one too many things. I had four items checked and "fixed" them. After "fixing" them, I did another system scan and found "O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)" was still there. Then I "fixed" it by itself. Not sure what I accidentally "fixed" the first time but everything seems to be working fine.

    I'm keeping these files for now. I sent them to McAfee's company called "Avert" for analysis. I have kept them renamed and moved them to a temporary holding folder for now.

    Done....

    Done...attached is my MGlogs.zip after running GetLogs.bat. Thanks for your help so far!

    dalan
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Every time you come into this forum and no matter what page in the forum you are on, all of the sticky (also called pinned) threads are right at the top of the page. You should have looked at them before posting. The READ & RUN ME is one of them. Look to see what I mean but I will also give you a direct link.

    READ & RUN ME FIRST. Malware Removal Guide

    That is all of what you should have completed before posting.


    Okay leave it that way and if you don't notice any problems running anything on your PC over a period of time, then delete it.


    You can do this with analyse.exe and if you find out you need them, there is a backup mechanism on a Misc Tools page of HijackThis that you can restore from.

    Why? What problem did you have?

    The fix of the BHO line may have failed the first time. This happens quite often and is also one of the many reasons why the procedure states to make sure you exit all browsers before clicking fix. If even 1 IE browser is open it can block fixes. It looks like you missed fixing the below too:


    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


    If McAfee does not know about Zlob/SmitFraud infections by now then they never will. These are old news. But it does not hurt to send to them, however you should rename them back to the proper filenames before sending them.

    Your logs are clean other than the files you are saving for McAfee.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note: The space between the X and the /U, it must be there.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work thru the below link:
     
  5. dalan

    dalan Private E-2

    Yeah, I know what a "sticky" is. I missed it somehow. Sorry about that.
    Every time I picked my OS (Windows), I got some kind of error - I don't remember what it was now. Anyway, I was able to install Java 6 Update 4 this time. When I installed it, I also ended up with SE Development Kit 6 Update 4. Do I really need this?

    Yeah, my thoughts exactly! However, I thought I would give them the benefit of the doubt and send them the files.

    This keeps coming back:
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    Any idea why?

    I think I have everything else cleaned up now so I will do the final steps. Thanks for your help. I really appreciate it.

    dalan
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No you don't need the Dev Kit. This means you did not download and install from the link I gave you because you would only have gotten the Runtime Environment if you used the link I gave.


    Either some component of your protection software is blocking the change, or the registry key has had its permissions changed so that you cannot remove it. It is not malware, it is just a totally unnecessary startup which is a waste of System Resources.

    If you still have ComboFix, you could try the below which may work.

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "TkBellExe"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Did that work?
     
  7. dalan

    dalan Private E-2

    When I tried to run ComboFix as you suggested, I got this error message from McAfee:

    McAfee has automatically blocked a potentially unwanted program from running on your computer.

    Details
    Name: RemAdm-Proc-Launch!171

    More Info
    Potentially unwanted programs include spyware, adware, and other programs that might create additional security or privacy risks to your computer data and personal information. They are often downloaded in conjunction with a program that you want.

    Process: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
    Process Name:
    File Path: C:\32788R2FWJF\psexec.cfexe

    If you do not recognize this potentially unwanted program, McAfee recommends that you remove it. If you recognize this potentially unwanted program, trust it, then rerun the program that triggered this alert.

    Options:
    Remove this program
    Trust this program
    Close this alert


    I let it continue to run the first time (I did not select any option) but apparently McAfee blocked or quarantined the log. I tried it again after making sure I had the correct ComboFix program and got the same error message from McAfee. This time I did NOT let it continue to run and selected "Remove this program". McAfee removed ComboFix.exe from my desktop the second time. I don't need any more problems and I'm very leery about running ComboFix!

    Well, I went back and looked for anything ComboFix had left behind since it did display a log when it finished the first time and I found a log in the C:\QooBox folder named ComboFix2.txt. I am attaching that file.

    BTW, just what is ComboFix supposed to accomplish? I went to their website ( http://www.bleepingcomputer.com/combofix/how-to-use-combofix ) and I'm still at a loss as to why I would want to use this program to get rid of the entry in my registry. I know this darn entry is a Real Player entry. Can't I just edit the registry manually? If so, how do I do it manually?
     
  8. dalan

    dalan Private E-2

    I couldn't attach the log when I edited my previous post so here it is (attached)

    Dalan
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    ComboFix is okay to run. The READ & RUN ME procedure even explained to you that you may notice things from your antivirus. It stated the below:

    McAfee is a bigger problem than ComboFix. ;)


    Yes that is the quarantine folder where ComboFix saves copies of everything it removes.

    In this last case I was attempting to have it remove the registry key that you could not remove with HijackThis. ComboFix has more power to do things like this. McAfee may be the reason why you could not fix that registry key. In general ComboFix is a tool that removes hundreds of different malware issues from a PC automatically and it has the power to take a script file that we create to do things we want it to do.

    If you shut down McAfee and run ComboFix with the CFScript.txt file, it should remove the item from RealPlayer. Manual steps will require other tools and will be more complicated for you since you will have to be doing manual registry editing. However you can try doing the below with McAfee disabled and perhaps this will work.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
     
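As an added example (not from this thread, and not one of the MajorGeeks tools), the same cleanup of the leftover TkBellExe startup value done from an elevated PowerShell prompt: it lists what autostarts from the HKLM and HKCU Run keys, removes the named value, and, if the removal is denied, prints the key's ACL so the "permissions changed" cause mentioned above can be seen. The key paths and the value name TkBellExe come from the HijackThis O4 line earlier in the thread; everything else is assumed.

```powershell
# Added example, not from the thread: review Run keys and remove one
# stale startup value, showing the key ACL if the removal is refused.
param(
    [string]$ValueName = 'TkBellExe'   # startup value from the O4 line above
)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    Write-Host "== $key"

    # List every autostart entry so the operator can review them first
    $props = Get-ItemProperty -Path $key
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Write-Host ("  {0,-20} {1}" -f $_.Name, $_.Value) }

    if ($null -eq $props.$ValueName) { continue }

    try {
        Remove-ItemProperty -Path $key -Name $ValueName -ErrorAction Stop
        Write-Host "Removed '$ValueName' from $key"
    }
    catch {
        # Removal refused: show who holds which rights on the key. A rule
        # denying the administrator is the 'permissions changed' case.
        Write-Warning "Could not remove '$ValueName': $($_.Exception.Message)"
        (Get-Acl -Path $key).Access |
            Select-Object IdentityReference, RegistryRights,
                          AccessControlType, IsInherited |
            Format-Table -AutoSize
    }
}

# Verify the value is gone; a program that re-registers itself at start
# (the thread's 'it keeps coming back') will show up here after a reboot.
foreach ($key in $runKeys) {
    $left = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
    if ($left) { Write-Warning "'$ValueName' still present in $key" }
}
```

Run it once, reboot, and run it again: if the value is back, the owning program is re-creating it and disabling the option inside that program (or uninstalling it) is the fix, as the last reply in the thread says.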
  10. dalan

    dalan Private E-2

    I thought it worked but after rebooting it came back. Maybe I'll just leave it for now. Thanks for all your help.

    dalan
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay it is not a major problem anyway. It is just a waste of resources. You could check within the program for an option to disable it from loading at startup. The other option is to just uninstall RealPlayer if you don't use it. I don't have it installed and never miss it.
     
