Help! recurring infection!

Discussion in 'Malware Help (A Specialist Will Reply)' started by escher, Apr 16, 2008.

  1. escher

    escher Private E-2

    Hello. I am running windows xp and I am running
    spybot
    norton systemworks (15 day trial because I am broke)
    Zone Alarm
    Comodo BOClean
    Ad-Aware 2007
    hijackthis

    Below is my hijackthis log (I tried to attach a file but the browse window wouldn't come up). I appreciate any help; I have read many of these threads and followed the directions, but I realize that to get rid of whatever is wrong I need personalized attention. Thanks a million in advance.:)
     
    Last edited by a moderator: Apr 16, 2008
  2. abri

    abri MajorGeek

    Hi escher,
    Welcome to Major Geeks!

    Did you have trouble posting which led you to create several threads?
    I can see from your hijackthis log that you have several things which need fixing. Please go through the instructions in the READ & RUN ME FIRST and attach the requested logs. You will get some relief from the symptoms as you work through the instructions and when you attach your logs, we can look at them to see what is left that still needs to be done.

    I'm attaching your HJT log here with my post and will delete it from yours. We ask that you attach any logs you want to have looked at.

    abri
     


  3. escher

    escher Private E-2

    Yeah, I kept getting messages about an invalid link or something. I followed the very comprehensive, might I add, instructions and it worked beautifully I believe. It has been a few hours and my desktop hasn't become a giant ad-link and added link icons on my desktop, so that's good.

    Only one thing though, when combo fix was finished doing its thing I came to the computer and found that it rebooted, so I logged in, and it produced a log I will attempt to attach (last time the browse window never came up). No error messages came up but my computer clock is still in 24 hour mode. Do you think you can help?
     


  4. abri

    abri MajorGeek

    Hi escher,
    You're not out of the woods yet. Your Combofix log was helpful. It shows that you still have a number of files that will get all of the same symptoms going again. Please complete the READ & RUN ME instructions and attach the logs here. Or if you've already run all the scans, just find the rest of the logs and attach them. Then I can see what's left and give you a complete fix. A partial fix won't work.
    abri
     
  5. escher

    escher Private E-2

    Wow, shows how smart I am. Thanks for the help abri, and I will attach my logs.

    Checks is from Spybot
    mbam is malware bytes
     


  6. escher

    escher Private E-2

    One last log for you. Thanks again
     


  7. abri

    abri MajorGeek

    Hi escher,

    Your computer's been infected for awhile.


    1) What is in the following folder? (You can look in the folder, but do not open any files if you don't know what they are.)

    C:\Documents and Settings\All Users.WINDOWS\Application Data\xufolari


    Also, please tell me the names of the files in the following folder:

    C:\WINDOWS\system32\AppCert


    2) Please disable your guest account if this hasn't already been done.


    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {26597F9A-4E9F-4320-9DD2-180E004549E5} - c:\windows\system32\fontextc.dll (file missing)
    O2 - BHO: (no name) - {D54B6166-E209-4C59-93AB-6FA3DCF8774C} - C:\WINDOWS\system32\deviln.dll (file missing)
    O20 - Winlogon Notify: gebxwts - gebxwts.dll (file missing)
    O20 - Winlogon Notify: sfuikrtd - fontextc.dll (file missing)

    After you click fix, just close hijackthis.


    4) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    5) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    6) Finally I would like for you to run C:\MGtools\GetLogs.bat and attach the fresh C:\MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now?

    abri
     
  8. escher

    escher Private E-2

    Ok, thank you so much for the help abri!

    1) There are no contents in
    C:\Documents and Settings\All Users.WINDOWS\Application Data\xufolari

    that I could find.

    C:\WINDOWS\system32\AppCert I could not find this folder at all. Should I be worried?
     


  9. escher

    escher Private E-2

    Sorry, forgot to mention after your steps how everything was running. Things seemed fine, which is why I thought it was gone, but thanks to you I know there is still work to be done. The only visible thing for me is the military style clock that combofix put up but never removed. Anyway, I will be waiting intently for your reply
     
  10. abri

    abri MajorGeek

    Hi escher,

    You can set your clock back by going to Start / Control Settings and click on Regional and Language. Look at the tab Regional Settings and reset it the way you want it. Some versions of Combofix set it back; with other versions that step gets missed, don't know why.

    Now, please continue as follows:

    Download and install Erunt. Use it to create a backup of your registry.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe (or cf.exe if it has been renamed) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text inside the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
     
    Driver::
    lqgcpjid
     
    File::
    C:\WINDOWS\system32\drivers\qyhzmenc.dat
    C:\WINDOWS\system32\AppCert\wsil32.dll
     
    Folder::
    C:\WINDOWS\system32\AppCert
     
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppCert] 
    "Path"=- 
    "CurrentState"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls] 
    "AppSecDll"=- 
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls] 
    "AppSecDll"=- 
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls] 
    [-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxwts]
    "gebxwts.dll"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxwts]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sfuikrtd]
    "fontextc.dll"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sfuikrtd]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{26597F9A-4E9F-4320-9DD2-180E004549E5}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D54B6166-E209-4C59-93AB-6FA3DCF8774C}]
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now delete any files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Administrator\Local Settings\Temp


    Now run Ccleaner!


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.


    When you've completed the above, please attach the new MGlogs.zip (browse to C:\ ) and the Combofix log.

    Let me know how this goes?

    abri
     
    Last edited by a moderator: Apr 19, 2008
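    An added audit script, not from abri or this thread, that reads the three persistence locations the CFScript above removes (AppCertDlls, Winlogon Notify subkeys, and BHO CLSIDs) and flags entries whose DLL no longer exists on disk, the same "(file missing)" pattern HijackThis reported. It assumes PowerShell 2.0 or later with read access to HKLM, and it changes nothing.

```powershell
# Audit script (added example, not from the thread): report DLLs registered in
# AppCertDlls, Winlogon Notify and Browser Helper Objects, and whether each file exists.
function Test-DllPath {
    param([string]$Path)
    if (-not $Path) { return 'no path' }
    # Strip surrounding quotes and expand %SystemRoot%-style variables before testing
    $p = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    if (Test-Path -LiteralPath $p) { 'present' } else { 'FILE MISSING' }
}

$results = @()

# 1) AppCertDlls: every value under this key names a DLL loaded into new processes
$appCert = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
if (Test-Path $appCert) {
    $item = Get-Item $appCert
    foreach ($name in $item.GetValueNames()) {
        $dll = $item.GetValue($name)
        $results += New-Object PSObject -Property @{
            Location = 'AppCertDlls'; Name = $name; Dll = $dll; State = (Test-DllPath $dll) }
    }
}

# 2) Winlogon Notify: each subkey's DLLName is loaded by winlogon.exe at logon;
#    a bare file name (like gebxwts.dll in the thread) resolves from system32
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
Get-ChildItem $notify -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = $_.GetValue('DLLName')
    if ($dll -and -not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $env:SystemRoot "system32\$dll" }
    $results += New-Object PSObject -Property @{
        Location = 'Winlogon Notify'; Name = $_.PSChildName; Dll = $dll; State = (Test-DllPath $dll) }
}

# 3) BHOs: the CLSID subkey points at its DLL through HKCR\CLSID\{id}\InprocServer32
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem $bho -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid = $_.PSChildName
    $srv = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
    $dll = $null
    if ($srv) { $dll = $srv.'(default)' }
    $results += New-Object PSObject -Property @{
        Location = 'BHO'; Name = $clsid; Dll = $dll; State = (Test-DllPath $dll) }
}

# Missing files sort first; an AppCertDlls entry or Notify DLL you do not recognise is worth a second look
$results | Sort-Object State | Format-Table Location, Name, Dll, State -AutoSize
```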
  11. escher

    escher Private E-2

    Done and thank you as always. The only thing I see is the clock in 24 hour time. Though I have been seeing less and less firewall blocked notices, which means either the firewall is slacking, or your steps are working (I am much inclined to believe the last). Awaiting your reply gratefully, escher
     


  12. abri

    abri MajorGeek

    Did you try changing it back manually as I outlined in the first comment of my last post?
     
  13. escher

    escher Private E-2

    I did, but I think I changed it to a capital H instead of a little h. Whatever I did incorrectly previously, it is now corrected, thank you. Is there anything wrong with the logs?

    I guess my real question is, am I out of the woods yet?
     
  14. abri

    abri MajorGeek

    Hi escher,

    Almost. The meadow is in sight.

    Please run Combofix again using the same instructions you had in Post 10, only this time use the contents of this box:

    Code:
    KILLALL::
    
    NetSvc::
    mamplzcc
    
    File::
    C:\DOCUME~1\Chris\LOCALS~1\Temp\nya.exe
    
    Folder::
    C:\Documents and Settings\All Users.WINDOWS\Application Data\xufolari
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{036309A2-B046-F842-0406-040204020301}]
    After you complete the Combofix instructions, run CCleaner.

    Attach the Combofix log with your next post and let me know how this went. If everything is gone after that, then I should be able to give you the final cleanup instructions.

    abri
     
  15. escher

    escher Private E-2

    Well that is good news:)

    All right, below is the combofix log, and thanks for the quick replies. I share this computer with my brother so it's hard to kick him off to do the cleaning programs, but you come back every day, which is appreciated.
     


  16. abri

    abri MajorGeek

    Okay, that seems to have worked.

    Now please follow the final cleanup instructions which will remove all the logs and tools we had you put on your computer and you will then set a clean restore point:
    abri
     
  17. escher

    escher Private E-2

    I cannot thank you enough abri, I really owe you one. I followed all the prevention steps and will continue to do so. Thank you again, king among men!
     
  18. abri

    abri MajorGeek

    Thanks escher.

    All the best to you and enjoy your computer!

    abri
     
