Trojan avkiller/adware agent BN virus

Discussion in 'Malware Help (A Specialist Will Reply)' started by MsBehavin64, Jun 7, 2008.

  1. MsBehavin64

    MsBehavin64 Private E-2

    All steps have been taken to remove the viruses from my computer...and although I can follow directions quite nicely...I have no idea how to interpret the results to determine if my system is indeed clean.

    All logs have been attached as requested.

    Thanks...and your step by step instructions are absolutely wonderful.
     


  2. MsBehavin64

    MsBehavin64 Private E-2

    NOTE: MGLogs.zip file attached
     


  3. abri

    abri MajorGeek

    Hi MsBehavin64,
    Welcome to Major Geeks!


    Thanks for the logs. One of us will look at them soon and let you know what still needs to be done. This takes some time, so thanks for being patient. Please use your computer as little as possible until we can get back to you.

    Thanks.
    abri
     
  4. MsBehavin64

    MsBehavin64 Private E-2



    Will do... and thanks for all your help, it is greatly appreciated.
     
  5. abri

    abri MajorGeek

    MsBehavin64,

    Before we start, I want to tell you that I have your instructions set to remove your dating service. I don't know if this is part of the problems you're having. If you want this and know it to be a site that is clean, I need to remove these entries so you don't delete them before you carry out the following instructions.



    1) Please disable your guest account if this hasn't already been done.

    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    R3 - URLSearchHook: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - (no file)
    O2 - BHO: (no name) - {56E42CAB-98D4-4CB2-86D1-B3E473C97C08} - C:\WINDOWS\system32\wvUkHYrS.dll (file missing)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O20 - Winlogon Notify: pmnmkKef - pmnmkKef.dll (file missing)
    O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
    O24 - Desktop Component 0: Privacy Protection - (no file)


    Do the following belong to programs you know or want to keep? If not, please fix them as well.

    R3 - URLSearchHook: datingadvice Toolbar - {b9ff8b6c-cad3-4e19-b28d-4d2bba878442} - C:\Program Files\datingadvice\tbdat1.dll
    O2 - BHO: datingadvice Toolbar - {b9ff8b6c-cad3-4e19-b28d-4d2bba878442} - C:\Program Files\datingadvice\tbdat1.dll

    After you click fix, just close hijackthis.

    4) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):


    Code:
    KILLALL::
    
    DRIVER::
    Winek05
    
    DIRLOOK::
    C:\Documents and Settings\Deborah\Local Settings\Application Data\{6448F0A6-6813-11D6-A77B-00B0D0160060}
    C:\Documents and Settings\Deborah\Application Data\TmpRecentIcons
    
    FILE::
    C:\WINDOWS\system32\Drivers\Winek05.sys
    C:\Documents and Settings\Deborah\Desktop\jre-6u6-windows-i586-p.exe
    C:\LOG000001.txt
    C:\WINDOWS\DUMP1c98.tmp
    C:\WINDOWS\~DFCCCE.tmp
    C:\WINDOWS\system32\REN26.tmp
    C:\WINDOWS\system32\drivers\pctfw2.sys
    C:\WINDOWS\system32\wvUkHYrS.dll
    C:\Program Files\datingadvice\tbdat1.dll
    
    REGISTRY::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{B9FF8B6C-CAD3-4E19-B28D-4D2BBA878442}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{B9FF8B6C-CAD3-4E19-B28D-4D2BBA878442}"=-
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winek05.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xdI27.sys]
    [-HKEY_CLASSES_ROOT\clsid\{b9ff8b6c-cad3-4e19-b28d-4d2bba878442}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56E42CAB-98D4-4CB2-86D1-B3E473C97C08}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnmkKef]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b9ff8b6c-cad3-4e19-b28d-4d2bba878442}]
    
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{B9FF8B6C-CAD3-4E19-B28D-4D2BBA878442}"=-
    
    [-HKEY_CURRENT_USER\Software\Kazaa]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.




    5) Now run CCleaner at the default setting with the Windows tab as the top one.

    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log.


    Let me know how things are running now.

    abri
     
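    An added verification step, not part of abri's instructions or of the MajorGeeks tools: once the HijackThis fixes and the ComboFix script above have run, this read-only PowerShell check walks the same persistence points the post targets (the two Winlogon Notify DLLs, the two BHO CLSIDs, the URLSearchHook CLSIDs, the datingadvice toolbar values, the Winek05 driver and its SafeBoot\Minimal entries, the dropped files, and the logon-script policy values) and reports anything that is still there. Every key, value name, CLSID and path below is copied from the entries listed in the post; the script assumes PowerShell 2.0 or later is installed (it is not on Windows XP by default) and is run from an elevated prompt.

```powershell
# Added example (not from the thread): re-check the persistence points that the
# HijackThis and ComboFix instructions above remove. Read-only; run elevated.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[string]

# Record a registry key that should have been deleted.
function Test-LeftoverKey([string]$Path, [string]$What) {
    if (Test-Path -LiteralPath $Path) { $script:findings.Add("$What still present: $Path") }
}

# Record a registry value (e.g. a toolbar CLSID value) that should have been deleted.
function Test-LeftoverValue([string]$Path, [string]$Name, [string]$What) {
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $script:findings.Add("$What still present: $Path\$Name") }
}

# Record a file that should have been deleted.
function Test-LeftoverFile([string]$Path, [string]$What) {
    if (Test-Path -LiteralPath $Path -PathType Leaf) { $script:findings.Add("$What still present: $Path") }
}

# O20 entries: Winlogon Notify DLLs are loaded into winlogon.exe at every logon.
foreach ($n in 'pmnmkKef', 'WinCtrl32') {
    Test-LeftoverKey "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\$n" "Winlogon Notify '$n'"
}

# O2 entries: Browser Helper Objects are loaded into every Internet Explorer process.
foreach ($clsid in '{56E42CAB-98D4-4CB2-86D1-B3E473C97C08}', '{b9ff8b6c-cad3-4e19-b28d-4d2bba878442}') {
    Test-LeftoverKey "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid" "BHO $clsid"
    Test-LeftoverKey "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" "COM class $clsid"
}

# R3 entries: URLSearchHooks redirect address-bar searches in Internet Explorer.
foreach ($clsid in '{1BB22D38-A411-4B13-A746-C2A4F4EC7344}', '{b9ff8b6c-cad3-4e19-b28d-4d2bba878442}') {
    Test-LeftoverValue 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks' $clsid "URLSearchHook $clsid"
}

# Toolbar registrations of the datingadvice toolbar (same CLSID as its BHO).
Test-LeftoverValue 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser' '{B9FF8B6C-CAD3-4E19-B28D-4D2BBA878442}' 'HKCU toolbar'
Test-LeftoverValue 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar' '{B9FF8B6C-CAD3-4E19-B28D-4D2BBA878442}' 'HKLM toolbar'

# Kernel driver Winek05: its service key, its SafeBoot\Minimal whitelisting, and the file.
Test-LeftoverKey 'HKLM:\SYSTEM\CurrentControlSet\Services\Winek05' 'Driver service Winek05'
foreach ($n in 'Winek05.sys', 'xdI27.sys') {
    Test-LeftoverKey "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\$n" "SafeBoot entry '$n'"
}
Test-LeftoverFile "$env:SystemRoot\system32\Drivers\Winek05.sys" 'Driver file'

# Other files named in the FILE:: section of the ComboFix script.
foreach ($f in "$env:SystemRoot\system32\wvUkHYrS.dll",
               "$env:SystemRoot\system32\drivers\pctfw2.sys",
               "${env:ProgramFiles}\datingadvice\tbdat1.dll") {
    Test-LeftoverFile $f 'File'
}

# Logon/startup-script policy values cleared by the REGISTRY:: section.
foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($v in 'HideLegacyLogonScripts', 'HideLogoffScripts', 'RunLogonScriptSync',
                   'RunStartupScriptSync', 'HideStartupScripts') {
        Test-LeftoverValue "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System" $v 'Policy value'
    }
}

if ($findings.Count -eq 0) {
    'No leftovers from the listed entries were found.'
} else {
    $findings
}
```

    Two of the locations are worth knowing on their own: a key under SafeBoot\Minimal lets a driver load even in Safe Mode, which is why the ComboFix script deletes the Winek05.sys and xdI27.sys entries there, and a Winlogon Notify key loads its DLL into winlogon.exe before any user session exists. The script only reports; if it lists anything, post the output rather than deleting by hand, since some entries (the jusched.exe Run entry, for example) were fixed in HijackThis for cleanliness rather than because the file itself is malicious.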
  6. MsBehavin64

    MsBehavin64 Private E-2

    Hello Abri,

    Instructions carried out...thank you for all your help.

    The system appears to be running great.

    I have attached the fresh MGlogs.zip file, as well as the Combofix.txt file.
     


  7. abri

    abri MajorGeek

    Hi MsBehavin64,

    Everything looks quite good. Did you disable your Guest account and disable the Windows Messenger?

    There's one more entry that is partially removed that needs to be finished. Please run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entry and put a checkmark next to it. After check-marking it, close all your open browser windows and click on FIX:

    R3 - URLSearchHook: (no name) - {b9ff8b6c-cad3-4e19-b28d-4d2bba878442} - (no file)

    After you click fix, just close hijackthis.

    Then run CCleaner.

    Other than that, your logs look clean. If everything is working well, please go ahead with the final cleanup instructions.
    abri
     
  8. MsBehavin64

    MsBehavin64 Private E-2

    Hello Abri,

    Yes, I disabled the Windows Messenger using the download provided.

    I have now disabled the Guest account... my apologies, I could have sworn I did that yesterday. I failed to double check when I performed your given set of tasks.

    Final cleanup is also complete.

    I can't thank you enough for all your help. :)
     
  9. abri

    abri MajorGeek

    You just did. :)
    All the best and enjoy your computer!
    abri
     
