Malware Removal - Help!

Discussion in 'Malware Help (A Specialist Will Reply)' started by ncaione1, Feb 5, 2009.

  1. ncaione1

    ncaione1 Private E-2

    I have had my computer for four years and never ever had a problem - I perform regular maintenance and I am careful when surfing.

    However, yesterday I was surfing several sites using tab browsing and I believe it was a guitar tab site that I clicked on by accident that downloaded a virus to my system before I could close it.

    Suddenly some sort of rogue program popped up on my screen and began scanning all my files and my system went crazy so I shut it down manually. Next thing I knew I had the blue screen of death on restart.

    I rebooted the computer in safe mode and looked around and found at least one system file called "ndisio.exe" that looked to be causing problems.

    I performed the "Read & run Me First" malware removal guide and then proceeded to the Windows Cleaning for XP.

    I had a few issues with my internet after running SUPERAntispyware but I reset winsock and repeated this after each program and it is fine.

    My system seems to be running almost normal, but I am concerned that I may have missed something since I am a complete amateur in this area.

    I am posting the logs from each of the four programs. I hope I did everything right.

    Also, I could not locate my "folder Options" in my control settings to change my viewing of hidden files which is odd because I have changed them before. Not sure why this is.

    I also ran Malwarebytes twice because the first time it said not all files could be removed and then the computer restarted.

    When it did, a program I did not recognize kicked in and began scanning my system again (looked like the virus?) so I shut it down and did a reboot, then re-ran Malwarebytes. I attached both logs below so I will have five total rather than four.

    Any help appreciated!!!! Thanks!
     


  2. ncaione1

    ncaione1 Private E-2

    Here are the last two logs from Combofix and MGtools...
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Your PC is very, very badly infected!!!! And no wonder it is! You have no protection software at all installed. You will have to get protected when we finish removing all this malware.

    Uninstall the below software:
    Ad-Aware SE Personal <--- very out of date and not useful. SUPERAntiSpyware and Malwarebytes are what you need to keep using. <-- should have been uninstalled in step 1 of the READ ME

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,C:\Documents and Settings\Stinky\jrnu.exe \s
    O4 - HKUS\S-1-5-18\..\Run: [dbuptnky.exe] C:\WINDOWS\dbuptnky.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [dbuptnky.exe] C:\WINDOWS\dbuptnky.exe (User 'Default user')

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry. Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner!

    Now go to this link Using MGtools and download the new version of MGtools.exe from the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  4. ncaione1

    ncaione1 Private E-2

    Thank you for the Welcome!

    Ok, I followed all steps listed in your post. The only exception was after running CCleaner and attempting to access the internet to download MGtools, I had to reboot winsock. Here is the exact procedure I followed:

    Clicked "start" then "run"
    typed "cmd" and clicked "enter"
    typed in "netsh winsock reset"
    clicked "enter"
    restarted computer

    After restart repeated process except
    typed "netsh int ip reset c:\resetlog.txt"
    and restarted computer at
    which point I was reconnected


    I downloaded MGtools again and ran it and I have attached the requested logs below.

    You also mentioned software protection. If you can recommend the best program (I have no issue with paying for it) that is efficient and effective, I would greatly appreciate it. I have used Norton and McAfee before and was scarred by the experiences.

    So far my computer seems to be functioning well but then again it seemed well when I still had the virus so I guess the best indicator is the logs.
    I cannot thank you enough for your help. Really, you are amazing & so is MajorGeeks.com. I will be watching for your reply.

    Sincere Regards,

    Nikki

     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We will get to this but right now you may be in such bad shape that there may be no choice but to reinstall. You have Windows operating system files that have been corrupted and all backups/replacements for these files on your hard disk have also been corrupted. In addition there could be other system files that we are not looking at that are infected.

    Do you have a bootable copy of your Windows XP CD?

    You are still far from clean. The infection of your operating system files is still there, and many other files we were removing have caused the infection to spread. Some items from last time were not removed or they respawned.

    Let's try again. What we will be doing is trying to get rid of all non-windows related files that are infected in this fix.



    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
    O4 - HKUS\S-1-5-18\..\Run: [hdleentz.exe] C:\WINDOWS\hdleentz.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [xlsqvsvz.exe] C:\WINDOWS\xlsqvsvz.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [hdleentz.exe] C:\WINDOWS\hdleentz.exe (User 'Default user')

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop (yes, overwrite the previous file of the same name). Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry. Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now double click the fixME.reg patch on your Desktop and allow it to be added to your registry one more time.

    Now run Ccleaner!

    Now go to this link Using MGtools and download the new version of MGtools.exe from the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.


    Run MGtools.exe then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!

    After attaching the above new logs, DO NOT power down or reboot your PC. You must keep it running until I get back to you on the status of your logs.
     
    Last edited: Feb 10, 2009
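The two HijackThis fixes above (post 3 and post 5) both target the same pair of persistence mechanisms: a program chained into the Winlogon UserInit value so it runs at every logon before the shell, and Run-key entries under the SYSTEM (S-1-5-18) and Default user hives that launch a randomly named executable dropped straight into C:\WINDOWS. The script below is an added example, not code from the thread, from HijackThis or from MGtools: it reads lines in the format HijackThis prints and flags exactly those deviations from a clean XP install. The sample log is constructed from the entries quoted in the thread plus one benign HKLM line, the Windows directory is assumed to be C:\WINDOWS, and the function names are my own.

```python
r"""Triage HijackThis F2 (UserInit) and O4 (Run key) lines for the persistence
tricks seen in this thread.

Added example; not code from the thread, HijackThis or MGtools. The log text
below is constructed from the lines quoted in the thread plus one benign entry.
"""
import ntpath
import re

WINDIR = r"C:\WINDOWS"  # assumption: XP default; read %SystemRoot% on a live box
EXPECTED_USERINIT = ntpath.join(WINDIR, "system32", "userinit.exe").lower()

# Constructed sample log: the entries chaslang asked to be fixed + a benign line.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,C:\Documents and Settings\Stinky\jrnu.exe \s
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [dbuptnky.exe] C:\WINDOWS\dbuptnky.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [dbuptnky.exe] C:\WINDOWS\dbuptnky.exe (User 'Default user')
"""

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
O4_RE = re.compile(
    r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
# First token that ends in an executable extension, quoted or not.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|scr|com|dll|bat|cmd))"?(?:\s|$)', re.I)


def executable_of(command):
    """Return the executable path from a command line (arguments dropped)."""
    m = EXE_RE.match(command.strip())
    return m.group("exe") if m else command.strip()


def check_userinit(value):
    """Every comma-separated UserInit entry must be system32/userinit.exe.

    Anything else (explorer.exe here, plus a dropper in the user's profile)
    runs with the user's token at every logon, before the shell starts.
    """
    reasons = []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue  # the trailing comma of the default value
        if executable_of(entry).lower() != EXPECTED_USERINIT:
            reasons.append("UserInit entry is not system32\\userinit.exe: " + entry)
    return reasons


def check_run_entry(key, cmd, user):
    """Flag Run-key entries that launch a file dropped straight into %SystemRoot%."""
    exe = executable_of(cmd)
    reasons = []
    if ntpath.dirname(exe).lower() == WINDIR.lower():
        reasons.append("autostart executable sits directly in " + WINDIR
                       + ", where legitimate Run entries are rare: " + exe)
        if user in ("SYSTEM", "Default user"):
            reasons.append("registered under the " + key.split("\\")[0]
                           + " hive for '" + user
                           + "', so it runs without any interactive user")
    return reasons


def triage(log_text):
    """Return [{'line': ..., 'reasons': [...]}] for every suspicious F2/O4 line."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        if (m := F2_RE.match(line)):
            reasons = check_userinit(m.group("value"))
        elif (m := O4_RE.match(line)):
            reasons = check_run_entry(m.group("key"), m.group("cmd"), m.group("user"))
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("   ->", r)
```

The benign ctfmon.exe entry passes because it lives in system32; the two dbuptnky.exe lines fail on location alone, and the UserInit line fails twice because neither explorer.exe nor jrnu.exe is the one value Windows XP expects there (C:\WINDOWS\system32\userinit.exe, with its trailing comma). Note that HijackThis labels the UserInit value "REG:system.ini" for historical reasons; the live value is under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.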
  6. ncaione1

    ncaione1 Private E-2

    I do have a bootable version of Windows XP on CD. I will follow your steps and post the logs on here today.
     
  7. ncaione1

    ncaione1 Private E-2

    G'day!

    I ran through all the steps you listed and here are the requested logs.

    I did receive a message advising the fixme.reg was successfully added to the registry after both additions throughout the process.

    Just a sidenote: I always allow a backup of the registry to be completed when running CCleaner - this is out of habit. Should I be doing this when running CCleaner during the steps you list?


    Best Regards

    Nikki
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I want to warn you up front that the infection you have is a real nasty one and that it has infected many of your Windows system files. I will try to help guide you through fixing this, but I do have to say that even if we wind up appearing to have fixed it, your system may still be unreliable and untrustworthy in the end. If you wish to continue pursuing fixing rather than doing a total clean reinstall then continue on with the below.


    First I want you to put copies of the below two files into a ZIP file and attach the ZIP file to your next message:
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe


    Now please download the following & save to your Desktop ( you must save it to your Desktop )


    GMER's MBR.exe
    • Double click on the MBR.exe file to run it.
    • A log will be produced & saved to the desktop, called MBR.log.
    • Then immediately attach this log here before doing the next step because we will be overwriting it.

    Now delete the current mbr.log file and then run the below instructions.
    Click Start > Run and copy & paste the following text in the code box into the Run box and then click OK:
    Code:
    "%userprofile%\desktop\mbr.exe" -f
    Now double click on the mbr.exe file and attach the new mbr.log
     
  9. ncaione1

    ncaione1 Private E-2

    I want to ensure that this virus is completely gone. If I perform a complete clean re-install would my system be reliable or is there any way for the virus to remain? Would you be able to guide me through that process? If I backup all my data, music files etc. - is there a chance any corruption could occur within the backup files?
     
  10. ncaione1

    ncaione1 Private E-2

    Also here are the requested files - just in case a re-install is not the best decision.

    Thanks!
     


  11. ncaione1

    ncaione1 Private E-2

    I tried posting the last mbr.log file requested after the run command but I keep receiving an error message advising that I already posted this file however I do not see where I posted it - I tried renaming it but to no avail.
     
    Last edited: Feb 13, 2009
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't worry about the other mbr.log file. We don't need it now since the first revealed that your Master Boot Record is okay.

    Thanks for attaching those files. As I suspected, you have a Virut and/or Sality infection that attaches itself to all executable files.

    Yes if you did a total reinstall it would be gone.

    The Software Forum is more appropriate for this. In addition there are sites on the internet with reinstall instructions. Like the below for example:

    http://rcc.bgsu.edu/info/Windows_Installation

    http://www.michaelstevenstech.com/cleanxpinstall.html

    http://support.microsoft.com/?kbid=316941

    Avoid backing up anything that has a .exe extension as they may all be infected. It would be a good idea to do a backup right now even if you decide that you would like to attempt to clean your PC. We could attempt to remove the infection, but the act of doing so could potentially make your PC unbootable since files required by Windows are infected. And if the scanners cannot clean the infection, files could be deleted.

    So after backing up your own personal data, let me know if you would like to attempt cleaning the infection instead of doing a reinstall and we can try to do so.
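The backup advice above is worth making mechanical. Virut and Sality are file infectors that append themselves to Windows PE executables, so a copy of an infected program carries the infection into the backup no matter what the file is called; filtering on the .exe extension misses screen savers, DLLs and anything the user renamed. The script below is an added example, not code from the thread or from any tool named in it: it walks a backup source and excludes files by content, recognising the MZ header and the PE signature it points to. The sample tree is constructed in a temporary directory, the "executables" in it are minimal headers rather than real programs, and the function names are my own.

```python
r"""Select files for a pre-reinstall backup, skipping Windows executables by
content (MZ header + PE signature) rather than by file extension.

Added example for the backup step in this thread; not code from the thread or
from any tool it names. The sample tree is constructed and the PE bodies are
minimal headers, not real programs.
"""
import os
import struct
import tempfile

PE_SIGNATURE = b"PE\0\0"


def is_pe(path):
    """True if the file starts with 'MZ' and e_lfanew (offset 60) points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            dos = f.read(64)
            if len(dos) < 64 or dos[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", dos, 60)[0]
            f.seek(e_lfanew)
            return f.read(4) == PE_SIGNATURE
    except OSError:
        return False


def select_backup(root):
    """Walk root; return (keep, skipped) as sorted lists of relative paths."""
    keep, skipped = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            (skipped if is_pe(full) else keep).append(rel)
    return sorted(keep), sorted(skipped)


def fake_pe():
    """Constructed minimal PE stub: MZ header with e_lfanew=64, then the PE signature."""
    hdr = bytearray(64)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 60, 64)
    return bytes(hdr) + PE_SIGNATURE


def build_sample_tree():
    """Create a constructed user-data tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="backup-demo-")
    os.makedirs(os.path.join(root, "My Music"))
    samples = {
        "My Music/track.mp3": b"ID3\x03\x00" + b"\x00" * 100,  # real media, keep
        "notes.txt": b"just text\r\n",                          # keep
        "setup.exe": fake_pe(),                                 # executable, skip
        "song.mp3": fake_pe(),      # executable renamed to look like media: skip
        "saver.scr": fake_pe(),     # screen savers are PE files too: skip
        "empty.exe": b"",           # .exe extension but no PE content: keep
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(body)
    return root


def run_demo():
    """Build the sample tree and return (keep, skipped)."""
    return select_backup(build_sample_tree())


if __name__ == "__main__":
    keep, skipped = run_demo()
    print("keep:   ", keep)
    print("skipped:", skipped)
```

On a real disk the same walk would run over the user's profile (My Documents, My Music and so on), and the skipped list is what gets reinstalled from original media rather than restored. The check is deliberately narrow: it identifies PE files, it does not detect infection, so a clean .exe is skipped as well, which is the conservative choice chaslang recommends.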
     
  13. ncaione1

    ncaione1 Private E-2

    Hello!

    Thank you for all the help - I really,really appreciate it!

    I ended up performing a total reinstall - everything is up and running great now but I need to install protection asap.

    Do you have any recommendations for a program, or programs, that provide the best protection and still allow my computer to perform efficiently?

    I am going to look around on the majorgeeks site to see what I can find but it is a bit overwhelming sometimes.

    Again, Thank you!!!!

    Best Regards,

    Nikki
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome Nikki.

    Okay herein lies the problem. You have only about half the minimum amount of memory on your PC that I recommend to currently run Windows XP SP2 and above with all applications that you will need to run on your PC for protection. You definitely need to add protection, but they will all have an impact on performance and with only 512 MB like you have, it can be quite dramatic.

    Everything we recommend is in the below link. You need one antivirus, one realtime antispyware blocking tool, and a better firewall than the Windows firewall, but you can use the Windows firewall for a short time until you get more memory.

    How to Protect yourself from malware!
     
