HELP! Malware problem!

Welcome to Majorgeeks


Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

READ & RUN ME FIRST. Malware Removal Guide

After these are attached our malware experts will review these to see if your free of this malware, at times you may still be infected after running the guide this is normal as malware can mutate and have random file names, hence why the logs are needed to produce a manual set of instructions for you to remove the infection, So logs that you will get to attach are:

MGlogs.zip (which has 5 logs inside it, including Hijackthis, just attach the whole Zip )
MalwareBytes log
Superantispyware log

plus a guide on how to attach the logs HOW TO: Attach Items To Your Post

 

Welcome to Major Geeks!

Is the below from something you installed?
O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe

I strongly recommend that you uninstall Kazaa Lite K++ v2.4.3 as requested in the READ ME.

I also strongly advise you to stop downloading and saving files like below. This folder should just contain installed programs. If you want these files, move them somewhere elese that is safe. Storing them here can making them appear like malware.

Code:

"C:\Programas\"
3ivx_m~1.exe   5 Feb 2008      898872  "3ivx_MPEG-4_502_trial_win-codec.exe"
a2anti~1.exe  29 Mar 2008    27448192  "a2AntiMalwareSetup-a-square.exe"
antiro~1.zip  29 Mar 2008      310641  "AntiRootkit-tirar trusted.zip"
ccsetu~1.exe  28 Mar 2008     2733520  "ccsetup205-programa de limpeza.exe"
combofix.exe  29 Mar 2008     1603084  "ComboFix.exe"
direct~1.exe   4 Feb 2008    67196968  "directx_nov2007_redist.exe"
divxin~1.exe   5 Feb 2008    17021984  "DivXInstaller.exe"
dxwebs~1.exe   4 Feb 2008      315624  "dxwebsetup.exe"
free-s~1.exe  27 Mar 2008     7512584  "[COLOR=red][B]Free-SpyHunter-Scanner-Install.exe"  [COLOR=purple] <-- this one we will be deleting as you should not use it.[/COLOR][/B][/COLOR]
hjtins~1.exe  29 Mar 2008      806912  "HJTInstall.exe"
mbam-s~1.exe  29 Mar 2008     1505568  "mbam-setup.exe-malwarebytes.exe"
requir~1.rar   8 Feb 2008      793571  "REQUIRED_WM9Codecs.rar"
rr-pro~1.com  29 Mar 2008      870904  "rr-pro-setup-rogue remover da majorgeeks.com"
sdfix-~1.exe  29 Mar 2008     1414896  "SDFix-para o trusted ant..exe"
sdsetu~1.com  28 Mar 2008    17646136  "sdsetup-remover trusted antivirus da spyware.com"
smitfr~1.exe  30 Mar 2008     1306941  "SmitfraudFix.exe"
spybot~1.exe  28 Mar 2008     9722720  "spybotsd152-detectar malware.exe"
spybot~2.exe  29 Mar 2008     9722720  "spybotsd152.exe"
supera~1.exe  28 Mar 2008     6291992  "SUPERAntiSpywarePro-retirar spyware.exe"
vundof~1.exe  29 Mar 2008      147456  "VundoFix-para tirar o trusted antivirus.exe"

Did you create the below Policies yourself?

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O3 - Toolbar: Barra do SAPO - {D02BA59A-9A8E-4B25-8145-E068B7A7A715} - C:\DOCUME~1\JOSGOM~1\OSMEUS~1\SAPOBR~1.DLL (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bhpzgmaqi] C:\WINDOWS\System32\lkjmbfox.exe
O4 - HKLM\..\Run: [oglqkm] c:\windows\system32\boezhm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [oipwxofi] C:\WINDOWS\system32\jizabgfe.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?

After clicking Fix, exit HJT.


Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Make sure you tell me how things are working now!

 

You're welcome. Your logs are clean other than the items I was questioning.

Okay then let's remove the registry settings.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

And now let's see if we can get more info about the supervisor.exe file before we delete something that you may need.

I would like to get some more info on the C:\WINDOWS\supervisor.exe file. Locate it using Windows Explorer and then right click on it and select Properties. Now see if there is a Version tab in the window. If so, select the Version tab and on the next window select each of the listed Item names (one at a time) to get more info about the file. The most important Item is the company name. If there is no Version tab, tell me that too. Also if the file does not exist, tell me that too.

 

Then are you getting an error message about not being able to find it when you boot your PC?

 

That does not mean that it is not there. Malware (if it is malware) can hide from viewing with Windows Explorer.

Let's just remove the registry entry and try using Avenger to find and delete the file (if may or may not exist).


Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe

After clicking Fix, exit HJT.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Make sure you tell me how things are working now!

 

This means that you are not including the Files to delete: line when you follow the instructions.

You did not attach the MGlogs.zip file I requested. I did not ask for any individual logs from the MGtools folder to be attached.

 

Your logs are clean.

If you are not having any other malware problems, it is time to do our final steps:

1. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\cf" /u
     • Notes: The space between the cf" and the /u, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
   • Delete the C:\cf folder from combofix.
2. If we had you run Avenger, you can delete all files related to Avenger now.
3. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
5. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
6. If you are running Windows XP or Windows ME, do the below:
   • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
7. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!

 

You're welcome. Surf safely!