Nasty and ugly infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by Bad Panda, Nov 20, 2008.

  1. Bad Panda

    Bad Panda Private E-2

This PC had an ugly infection of both viruses and spyware. Super Antispyware alone found 3867 different entries...everything else only found about 500 each.
    Anyway, there is still an infection here that I have been unable to remove. They have McAfee which has been useless except for stopping my attempts to run the tools. I put on Avast and it appears to be unable to correct something in a temp folder. I disabled McAfee for now, but really need someone to look at these logs and see what they can find.
    Thanks!!!
     

    Attached Files:

  2. Bad Panda

    Bad Panda Private E-2

    Had to break the log into 2 parts. Sorry.
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The scans did most of it. :)

    The system could use a bit more ram:
    Code:
    Total Physical Memory    512.00 MB    
    Available Physical Memory    97.96 MB
    
    Let's just do this:

    Now download The Avenger by Swandog469, and save it to your Desktop.

    Please use add/remove programs to uninstall:
    Viewpoint Media Player

    Please disable all anti-virus and anti-spyware programs while we do the following ( be sure to re-enable when we are finished):

    Now :
    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the "Input script here:"
    part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser

    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  4. Bad Panda

    Bad Panda Private E-2

    Avast keeps popping up with the following file it is unable to delete:
    C:\DOCUME~1\Owner\LOCALS~1\Temp\wmedia106.exe
and another one that it doesn't seem to be able to get rid of. Any suggestions?
    I'm still working on the steps provided. Almost done.
     
  5. Bad Panda

    Bad Panda Private E-2

    Oh, by the way, the RAM had already been ordered for this thing. 512mb...sheesh.
    Here are the logs...
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Better.....now please disable the guest account in user accounts.

    You need to uninstall McAfee if you are running Avast.

    Run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Now we need to use ComboFix to remove a bunch of malware files.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\WINDOWS\system32\clusppih.dat  
    C:\WINDOWS\system32\mnmdgveq.dat  
    C:\WINDOWS\system32\mnmdou.dat    
    C:\WINDOWS\system32\mscorye.dat   
    C:\WINDOWS\system32\tapipkrf.dat
    C:\DOCUME~1\Owner\LOCALS~1\Temp\wmedia106.exe
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    You need to tell me exactly what other file avast is reporting.

    Now run CCleaner --> both the cleaner and the issues, making the backup when prompted.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combo.
     
  7. Bad Panda

    Bad Panda Private E-2

    Here are the logs.

    "You need to tell me exactly what other file avast is reporting." Avast was uninstalled. However, the file that Avast was reporting was listed in the previous post:

    C:\DOCUME~1\Owner\LOCALS~1\Temp\wmedia106.exe
    I went and browsed to the folder and deleted it. That problem solved.

    Thanks
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The way you had phrased it made me think it was indicating more than one file.....however we have a few more that have cropped up:

Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Let's try avenger again.....

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\%username%\Local Settings\Temp

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  9. Bad Panda

    Bad Panda Private E-2

     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Arrggg....and once again:

    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\%username%\Local Settings\Temp

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  11. Bad Panda

    Bad Panda Private E-2

    Hope this one is better than the last one!
By the way, yesterday when I attempted to delete the temp files I couldn't...even though they were older than 24 hours. Today all worked fine. Any easy explanation on why, or was it a chair-to-keyboard interface error? :-o
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You did not disable the guest account nor did you run the tool to disable windows messenger.

    Something keeps regenerating the malware, so let's do this:

    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now go to Bitscan link: agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan:

Click on the Detected Problems tab. Then select Click here to export the scan report

When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt) and then in the File name box change the name to bdscan, then click Save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are so you can find it later). This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

    Also attach the avenger log and a new MGLog.zip
     
  13. Bad Panda

    Bad Panda Private E-2

    You did not disable the guest account nor did you run the tool to disable windows messenger. - - The guest account is OFF. If there is another guest account other than the one listed in the USER ACCOUNT section of control panel please direct me to it. Also, I did run the tool to disable Windows Messenger. I selected the option to disable it for all users. I just reran it and deleted it.
    I'll rerun the items and repost as soon as the reboot is finished.
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not meaning to be a prig...it was just that your logs indicated that they had not been done. :)
     
  15. Bad Panda

    Bad Panda Private E-2

    Not meaning to be a prig-- Don't sweat it...I didn't take it that way. I only know troubleshooting via phone...via posts like this must be a pain, especially when people are doing ID-10-T errors.
    Bitdefender keeps failing when it updates and then won't run. I'm on my third try now. I don't know why it is failing...any other suggestions?
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  17. Bad Panda

    Bad Panda Private E-2

    Good morning Tim...sorry about the delay. Went away over the Thanksgiving holiday and didn't touch this thing.
    Housecall came up with one item, a trojan which it deleted, and 5 cookies which I couldn't get any information on. There is no log from Housecall unfortunately.
    Should we be calling this one good or keep plugging?
    Hope you had a nice Thanksgiving!
     
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file and tell me how things are running. :)
     
  19. Bad Panda

    Bad Panda Private E-2

    Things seem to be running well...compared to how it was anyway. I need to defrag it, but I'll wait until you give the all-clear.
    Regards,
    Panda
     

    Attached Files:

  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download Blacklight Beta.

    * Download blbeta.exe and save it to the Desktop.
    * Once saved... double click blbeta.exe to install the program.
    * Click accept agreement and Click scan
    This app too may fire off a warning from antivirus. Let the driver load.
    Wait for it to finish.
    * If it displays any items...don't do anything with them yet. Just hit exit (close)
    * It will drop a log on Desktop that starts with fsbl....big number

    Please post contents of the BlackLight log.
     
  21. Bad Panda

    Bad Panda Private E-2

    If I read the program correct, it was clean. Here is the log...
     

    Attached Files:

  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please put copies of the current files into a ZIP file and have it attached:
    Code:
    "C:\WINDOWS\system32\"
    admparsa.dat  Nov 28 2008         260  "admparsa.dat"
    hlp95elc.dat  Nov 28 2008        1592  "hlp95elc.dat"
    mp43decp.dat  Nov 28 2008         260  "MP43DECP.dat"
    msaudiwe.dat  Nov 25 2008         157  "msaudiwe.dat"
    ulibmhg.dat   Nov 28 2008         260  "ulibmhg.dat"
    
     
  23. Bad Panda

    Bad Panda Private E-2

    Here ya go....
     

    Attached Files:

  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I'd like to see the result of running this:
    Dr.Web CureIt

    We may have to then start looking at your running processes to see what is triggering these files.
     
  25. Bad Panda

    Bad Panda Private E-2

Had a few problems but here is your list. I have not been able to reboot the computer as indicated in the steps because I can't move the incurable yet.
     

    Attached Files:

  26. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You have no delete or move options? You don't have to worry about the files found in the system restore files....nothing will fix them other than toggling system restore.
     
  27. Bad Panda

    Bad Panda Private E-2

    I tried the select all option and it doesn't do anything. Several items have deleted or incurable.moved next to them...but many others don't have any information under the tab Action. Those are the ones I can't do anything with.
     
  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please tell me which ones they are.
     
  29. Bad Panda

    Bad Panda Private E-2

    Several of them deal with a listing of C:\documents and settings\owner\desktop doctor1.5.1.exe. There is also c:\program files\support.com\temp\fullagent.exe.
    Several in the restore directories.
    Is that what you needed?
     
  30. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to toggle system restore to remove the files in your system restore folders.
    Then after doing that, run both SAS and MBAM and get me a new MGLogs.zip.
     
  31. Bad Panda

    Bad Panda Private E-2

    Here is the log. They took quite a while to complete...
     

    Attached Files:

  32. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

I would suggest you find and delete them....uninstall Desktop Doctor.
    And also find and delete:
    Code:
"C:\WINDOWS\system32\"
    admparsa.dat  Dec  8 2008         707  "admparsa.dat"
    hlp95elc.dat  Dec  8 2008        3980  "hlp95elc.dat"
    mp43decp.dat  Dec  8 2008         707  "MP43DECP.dat"
    msaudiwe.dat  Nov 25 2008         157  "msaudiwe.dat"
    perfc009.dat  Nov  3 2008       65044  "perfc009.dat"
    perfh009.dat  Nov  3 2008      410574  "perfh009.dat"
    ulibmhg.dat   Dec  8 2008         707  "ulibmhg.dat"
    
    Now run Dr.Web again and attach the log.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.
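The system32 listings quoted in posts 22 and 32 show the same .dat files growing and picking up a new date between scans, which is what "something keeps regenerating the malware" looks like in the logs. As an added example that is not part of this thread or of any tool used in it, the Python script below parses both listings (copied from the page) and reports which entries were rewritten, which are unchanged, and which are new, so a helper can spot regeneration across successive logs without eyeballing them.

```python
import re
from datetime import datetime
from typing import Dict, List, NamedTuple

# Listing excerpts exactly as quoted in the thread (post 22 and post 32).
SNAPSHOT_NOV28 = r'''"C:\WINDOWS\system32\"
admparsa.dat  Nov 28 2008         260  "admparsa.dat"
hlp95elc.dat  Nov 28 2008        1592  "hlp95elc.dat"
mp43decp.dat  Nov 28 2008         260  "MP43DECP.dat"
msaudiwe.dat  Nov 25 2008         157  "msaudiwe.dat"
ulibmhg.dat   Nov 28 2008         260  "ulibmhg.dat"
'''

SNAPSHOT_DEC8 = r'''"C:\WINDOWS\system32\"
admparsa.dat  Dec  8 2008         707  "admparsa.dat"
hlp95elc.dat  Dec  8 2008        3980  "hlp95elc.dat"
mp43decp.dat  Dec  8 2008         707  "MP43DECP.dat"
msaudiwe.dat  Nov 25 2008         157  "msaudiwe.dat"
perfc009.dat  Nov  3 2008       65044  "perfc009.dat"
perfh009.dat  Nov  3 2008      410574  "perfh009.dat"
ulibmhg.dat   Dec  8 2008         707  "ulibmhg.dat"
'''


class Entry(NamedTuple):
    name: str
    modified: datetime
    size: int


# One listing line: name, "Mon dd yyyy" (day may be padded), size in bytes, quoted on-disk name.
LINE_RE = re.compile(r'^(\S+)\s+([A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})\s+(\d+)\s+"[^"]+"$')


def parse_listing(text: str) -> Dict[str, Entry]:
    """Return entries keyed by lower-cased file name; header/blank lines are skipped."""
    entries: Dict[str, Entry] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        name, date_str, size = m.groups()
        modified = datetime.strptime(" ".join(date_str.split()), "%b %d %Y")
        entries[name.lower()] = Entry(name, modified, int(size))
    return entries


def compare_snapshots(old: Dict[str, Entry], new: Dict[str, Entry]) -> Dict[str, List]:
    """Classify files across two listings; a changed size or date means the file was rewritten."""
    result: Dict[str, List] = {"regenerated": [], "unchanged": [], "new": [], "gone": []}
    for name in sorted(set(old) | set(new)):
        if name in old and name in new:
            o, n = old[name], new[name]
            if o.size != n.size or o.modified != n.modified:
                result["regenerated"].append((name, o.size, n.size, n.modified.date().isoformat()))
            else:
                result["unchanged"].append(name)
        elif name in new:
            result["new"].append(name)
        else:
            result["gone"].append(name)
    return result


if __name__ == "__main__":
    report = compare_snapshots(parse_listing(SNAPSHOT_NOV28), parse_listing(SNAPSHOT_DEC8))
    for name, old_size, new_size, when in report["regenerated"]:
        print(f"REWRITTEN {name}: {old_size} -> {new_size} bytes on {when}")
    for key in ("unchanged", "new", "gone"):
        print(f"{key}: {', '.join(report[key]) or '-'}")
```

Files that keep coming back with a fresh date after they were deleted are the ones worth tracing to a running process or autostart entry, which is the direction the thread takes next.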
     
  33. Bad Panda

    Bad Panda Private E-2

    Getlogs got a "language error" when I ran it. If the log appears incomplete, let me know and I'll go through the uninstall process and restart it.
     

    Attached Files:

  34. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs look clean. But I would like you to do this:

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser

    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.

    Then run CCleaner --> both the cleaner and the issues ( be sure to do the backup when prompted) ....now let me know if you are still having issues.
     
  35. Bad Panda

    Bad Panda Private E-2

CCleaner found 183 registry entries. Other than that, everything is working fine. Thank you very much Tim. I appreciate all the effort in this! Merry Christmas!

    Panda
     
  36. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are quite welcome.....it was a tough one. Safe surfing. :)

    If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work thru the below link:

     
