Still Having Problems

Welcome to Major Geeks!

You still have Vundo related files which is why you keep getting infected. We will remove them.

This C:\Documents and Settings\Woo Child.DA_DUNGEON\Desktop\simplyright.exe is not what we asked you to name ComboFix.exe. Please rename it to cf.exe as requested so that any other further instructions will be correct. Making up your own names would normally lead to a file like this being deleted as malware.

Now lets remove a stuck service from Kaspersky.

• Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
• On the page that opens, scroll down to setup_7.0.0.180_19.12.2007_13-35
• then right click the entry, select Properties and press Stop Service.
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
• Click OK until you get back to Windows.

Is Ad Master something you knowingly installed?

Uninstall the below old versions of software:
Ask Toolbar
Java(TM) 6 Update 3

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O24 - Desktop Component MRI_DISABLED: (no name) - (no file)

After clicking Fix, exit HJT.

Now we need to use ComboFix to remove a bunch of malware files.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Did you skip uninstalling Ask Toolbar or is it not showing in Add/Remove programs? I still see it in your logs.

Did you forget to fix the below with HijackThis or did it come back/not get fixed?
O24 - Desktop Component MRI_DISABLED: (no name) - (no file)


Did you create the below Policies yourself?

While unexpected reboots can be due to malware, they are often not malware related. Let's check for rootkits just to be on the safe side. Run the below and attach the requested log:

Using Sophos Anti-Rootkit

 

The below should remove it and this should also remove the polices you said you did not create.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Perhaps Desktop Maestro that you have installed is somehow interferring with this change. Do you know what the below is for?

O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')

How do you know it is not hardware? I know at this point that it is not a malware issue based on what we have seen in logs. You will have to disable automatic reboots on crashes and then look at Event Logs to see what is going on. This however is a topic for the Software Forum.

 

Then try fixing this line as well as the O24 line and see what happens. Also try the below:

Fixing Locked Desktop

• Right click on your Desktop and select Properties.
• Then click the Desktop tab
• then click the Customize Desktop button.
• Now in the next window that comes up click the Web tab.
  • Make sure at the bottom that Lock desktop items is unchecked.
• Then in the Web pages: box delete all items but My Current Home Page and make sure it is unchecked too.
• Then click OK.
• Click Apply. And click OK.

Did any of that help remove the O24 line? Don't worry if it does not as this is not a major issue.

Okay that's good. But if anymore reboots occur, you will have to make sure that you are not having conflicts with drivers for your hardware.


If you are not having any other malware problems, it is time to do our final steps:

2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN
   • Now type combofix /u in the runbox and click OK.
   • Note: The space between the X and the /U, it must be there.
3. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
5. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
6. If you are running Windows XP or Windows ME, do the below:
   • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
7. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!