trojan problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by noviceseeking.lol, Jun 24, 2008.

  1. noviceseeking.lol

    noviceseeking.lol Private E-2

    Hi guys,

    Was called by a friend to help with his PC today; the problem is it's a black screen.

    Managed to get it into safe mode (but still black screen) and run a HouseCall scan, which detected troj-zeroml.fv and troj-dloader.dtk.

    Can't find anything on the net (or this site) about those 2, and I am unable to run your normal cleaning procedures without your advice as it's still black-screened.

    I can get Ctrl+Alt+Del to work, but if I save programs to the desktop obviously I can't see them (but I can see program folders on drive C).

    The problem is when you try to run a program it comes up with a Windows error and won't run. HouseCall detected a lot of vulnerabilities as well as those 2 trojans but failed to clean or resolve them.

    Can you tell me how (or should I) turn off System Restore?
    How can I run your standard clean?
    He has no backup disks (partition on drive); would it be better to just wipe it all, and if so how, given the black screen problems?

    All I know is that he is running Windows XP, as he hasn't got a clue regarding his specs except for that.

    I cannot open a lot of the stuff from Ctrl+Alt+Del; it just says error, so I can't get to restore that way or through "My Computer" to try a restore, and I am not sure when he last made a safe point anyway or if that would resolve the issue.

    Any advice would be appreciated, especially regarding just getting your basic clean done so I can provide you with any more information you may need.

    Many thanks
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you run explorer.exe from Task Manager, does the Desktop appear?

    Don't save them to the Desktop. Save them to the root folder like C:\ which is where you should attempt to put MGtools.exe from the READ & RUN ME and then run it from Task Manager by simply entering C:\MGtools.exe into the New Task (Run...) box. If that runs, you need to get the C:\MGlogs.zip file from this PC somehow and attach it here.

    We need to know exact word for word error messages and error numbers.

    What exactly did it detect and where?

    No!!!!! You may need to use it to get the PC more functional. In fact, if you cannot get us any logs, you may as well just try running System Restore to go back to a restore point before all this happened.

    Does he actually have a Windows XP bootable CD that you can reinstall from?
     
  3. noviceseeking.lol

    noviceseeking.lol Private E-2

    Thanks for your responses.

    1) The desktop never reappears. I can access Task Manager, which comes up alone; the rest of the screen is black.

    2) There is no backup / reload CD; his copy of Windows is on a hard drive partition on the PC.

    3) I can't access System Restore or I would have attempted a restore to an earlier time.

    4) The error message displayed is a lot of 0's ending with a 5, something like 0x00000005, but definitely all 0's then a 5.

    5) Right clicking or attempting to run/access ANY program results in this error code.

    6) HouseCall detected system vulnerabilities too numerous to list (approx 100+) and the 2 trojans stated.

    7) I don't have easy access to this friend's PC as he lives a distance away, so when I get there I have no access to another PC, and he is partially disabled so he relies on his PC for a lot of things.

    The problem therefore is that anything I take to fix this must go with me; I can't just go backwards and forwards.

    I was considering creating a system rescue disk on my own PC, but I use Vista and he is on XP. Would that help or work? I have Kaspersky Internet Security.

    8) I will attempt to run MGtools.exe as suggested, but all other programs on the PC I have attempted result in the error code.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And how did you attempt to run System Restore? Did you try accessing it from Task Manager? Did you try running C:\WINDOWS\SYSTEM32\Restore\rstrui.exe?

    I said I need exact word for word messages with error numbers. Guesses or "something like" do not help. If you want help, you have to be specific. Otherwise the help you get will be non-specific.

    I only asked about the 2 trojans.

     
  5. noviceseeking.lol

    noviceseeking.lol Private E-2

    Please see attached logs.

    Scans indicated Virtumonde.

    Problems persist.

    Many thanks for your help so far.

  6. noviceseeking.lol

    noviceseeking.lol Private E-2

    Combo scan log

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to start by disabling Spybot's Teatimer as requested in the READ & RUN ME.

    In the future, please download MGtools.exe where requested. You put it here: C:\Program Files\adam fix\MGtools.exe which is not where specified. In some instances, tools will not run properly when instructions are not followed. ;)

    What are the two below startups? If unknown, add them to the HijackThis fix below.
    O4 - Startup: Flying Fingers.lnk = C:\FINGERS\FLYING.EXE
    O4 - Startup: Mopy Points Collector.lnk = C:\MOPYFISH\GETPOINT.EXE

    What are the below files and why are they in this folder? If they are needed, move them somewhere else into a folder that indicates what they are.
    Code:
    2002-01-22 16:40 9,390,361 ----a-w C:\Documents and Settings\Syd\unpack.exe
    2002-01-22 16:33 41,806 ----a-w C:\Documents and Settings\Syd\RegSetup.exe
    2001-12-19 20:09 974,848 ----a-w C:\Documents and Settings\Syd\golf.exe
    2001-12-19 18:25 393,216 ------w C:\Documents and Settings\Syd\jgl.dll
    2001-12-19 15:23 1,273,898 ------w C:\Documents and Settings\Syd\jgld.dll
    2001-12-18 14:52 458,752 ------w C:\Documents and Settings\Syd\sound.dll
    2001-12-17 13:25 290,816 ------w C:\Documents and Settings\Syd\autorun.exe
    2001-12-14 15:12 454,719 ------w C:\Documents and Settings\Syd\Terrain.dll
    2001-11-27 10:17 291,328 ------w C:\Documents and Settings\Syd\binkw32.dll
    2001-08-20 16:54 65,536 ---h--w C:\Documents and Settings\Syd\go_ez.exe
    2001-08-20 16:53 577,536 ---h--w C:\Documents and Settings\Syd\Sid Meier's SimGolf_EZ.exe

    Uninstall the below software:
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    SurfingAdvisor

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {44106788-c419-4638-a111-e750b768df27} - (no file)
    O2 - BHO: (no name) - {9C23039D-6862-4149-A1C4-859DCB5B10F5} - (no file)
    O2 - BHO: (no name) - {A8A52F72-A465-55DC-8314-0845523C9DA5} - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O20 - AppInit_DLLs: wqkvtepl.dll yxymstvr.dll

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.
    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
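    One way to triage HijackThis lines like the ones chaslang lists above, as an added example (this is not part of the thread and not HijackThis's own code): parse the O2/O3/O4/O20 entries and flag orphaned CLSID entries and AppInit_DLLs loads. The sample log is constructed from the quoted entries, and the "8 random lowercase letters" rule is a heuristic assumption, not a rule from the thread.

```python
import re

# Constructed sample in HijackThis log format, built from the entries quoted
# in the thread above; it is not an actual log file from the affected PC.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {44106788-c419-4638-a111-e750b768df27} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - AppInit_DLLs: wqkvtepl.dll yxymstvr.dll
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Heuristic assumption: Vundo/Virtumonde-era droppers used 8 random lowercase letters.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.dll$")


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Return (section, severity, detail) findings for entries worth a look."""
    findings = []
    for section, body in entries:
        if section in ("O2", "O3") and body.endswith("(no file)"):
            # Registry still references a BHO/toolbar whose DLL is gone: dead entry.
            clsid = CLSID_RE.search(body)
            label = clsid.group(0) if clsid else body
            findings.append((section, "low", f"orphaned {label}: no backing file, safe to fix"))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs are injected into every user-mode process that loads user32.dll.
            for dll in body.split(":", 1)[1].split():
                sev = "high" if RANDOM_NAME_RE.match(dll) else "medium"
                note = " (random-looking name)" if sev == "high" else ""
                findings.append((section, sev, f"{dll} loads into every user-mode process{note}"))
    return findings


if __name__ == "__main__":
    for section, sev, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section:4} {sev:6} {detail}")
```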
     
  8. noviceseeking.lol

    noviceseeking.lol Private E-2

    Hi Chas

    I didn't install TeaTimer; he had it installed before these problems started. Removed it now, but didn't see it at first. Apologies.

    Followed your instructions; all appeared successful. Reg edit was successful.

    System is immensely improved (not sure it's 100%; still seems a little sluggish to me?).

    Logs requested attached.

    Many thanks for your help so far.

    novice

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then have HijackThis fix items like the below which are unnecessary and waste system resources. A PC with only 512 MB of RAM cannot have all this stuff loading. Windows XP runs much better with a minimum of 1 GB.

    Not according to your logs! You needed to disable it before running the procedure. Please see the below and make sure you get it disabled now:

    How to disable Spybot's TeaTimer

    Now we need to use ComboFix.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    After reboot, look for the above files and folders and if they still exist, delete them yourself.

    Now run the fixme.reg patch again by double clicking on the file you saved to your Desktop in the previous fix.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Jul 4, 2008
  10. noviceseeking.lol

    noviceseeking.lol Private E-2

    Hi Chas, attached are the logs you requested.

    System is very improved indeed (maybe clear?)

    BUT

    There is 1 issue: when I run the CCleaner in your instructions, it runs but I get an error saying

    error in InetCpl.cpl
    Missing Entry:ClearMyTracksByProcess

    I don't know if this is something to worry about; obviously no error is good.

    The reg edit said it was successful.

    Many thanks

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What tab or procedure did you run in CCleaner? We only ask you to run the CCleaner. We specifically state do not run the Scan for Issues selection under the Registry tool.

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combo-fix" /u
        • Note: the space between the cf" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    4. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  12. noviceseeking.lol

    noviceseeking.lol Private E-2

    Hi Chas

    Thank you so much for all your help. Final steps completed.

    System running normally.

    Keep up the sterling work. A great many of us would be lost without the Geeks!
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
