AACCKK!! Trojaned/Malwared out the yingyang

Discussion in 'Malware Help (A Specialist Will Reply)' started by lajmd, Mar 5, 2009.

  1. lajmd

    lajmd Private E-2

    Newbie to the post, but hopefully I have done my homework before I posted here. So here goes -- All of this CRAP started on Monday evening. I was downloading a file that must've been infected. A bit torrent file. Am I stupid or what? The screen went to blue and then all hell broke loose. The upshot was that I kept getting error messages (DOZENS of them) that sovupuda.dll was not a valid Windows image.

    Being the naive idiot that I was I thought it was a .dll problem so I used a registry cleaner to "fix" things. HAH! said God! And so then all my desktop icons became .lnk icons. Then I realized I had a major problem. Duh!

    At that point I realized it was a far bigger problem and only then started doing my homework. I was able to download and get Combofix to run, Spybot Search and Destroy, AVZ and Malwarebytes Anti-Malware. As you can imagine I was able to catch QUITE a few problems and destroy a fairly hefty amount of malware, spyware and trojans. Strangely I was NOT able to get SAS to run. Every time I tried to run that it would say I had an error with the "H" drive and would abort. I tried renaming it to no avail. I did run a tweak for the desktop icons, but the weird thing is when I reboot they are okay and then about 1/2 hour later they revert back to not working. Not that they go back to the .lnk but they just won't allow me to open programs OR the computer from the desktop and when I right click the menu I get is incorrect - I can only cut, paste, and check properties rather than run the program as a choice. I am going to attach the logs I have from my various runs. The order I ran them was Combofix first, then AVZ, then Spybot, then Malwarebytes, then Combofix again. I did the Spybot, Malwarebytes, and Combofix based on the sticky about how to clean an XP system and YES I followed all the rules laid out. I still am not sure that I am clean. When I reboot I am still getting some errors and I think I might still be infected with mofayade.dll and tobirugo.dll problems. I also get some error messages when I reboot that are not allowing my ATI Catalyst Control Center to work nor can the Amazon Unbox player work either. Also I am getting a rundll error.

    Please help!! Thanks in advance for reading this tale of woe!! I am sending a total of five logs. Three with this post and two with the next post. These are attached in order of how I ran the different programs. Check for the next post where I will put the logs for Mbam and Combofix 3. I haven't run SAS because of the problem I had loading it and I haven't run MGTools yet either.
     


  2. lajmd

    lajmd Private E-2

    Second post with two more logs - AACCCKK!!

    SEE FIRST THREAD ENTITLED AAACCCKK!! Trojan/Malwared out the Yingyang

    Here is the second post with the last two logs. Any and all help will be GREATLY appreciated! Should I run the MG Tools at this point or what?
     


  3. lajmd

    lajmd Private E-2

    AACKK- Last post with MG Tools log attached

    I finished the rest of the things needed to help me by running the MG Tools from the c: root. The log for that is attached. I hope this helps you all figure out my myriad of issues. Again, THANKS SO MUCH!!!
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    First we need to take care of some issues that you missed while running the READ & RUN ME.
    1. You must disable Spybot's Teatimer as requested in the READ & RUN ME. See this: How to disable Spybot's TeaTimer
    2. You have multiple antivirus programs installed. You need to either uninstall McAfee or Verizon Internet Security Suite immediately and then you MUST reboot. We may have to take additional steps later to finish fixing things due to installing multiple security programs as they may not remove properly now.
    I strongly advise you to cleanup your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here like you are doing.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below software:
    J2SE Runtime Environment 5.0 Update 10
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 11
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1
    Viewpoint Media Player <-- should have been uninstalled in step 1 of the READ ME

    Did you purchase the below? If not, I suggest uninstalling these immediately.
    Uniblue DriverScanner 2009
    Uniblue SpeedUpMyPC 2009
    Uniblue System Tweaker

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O15 - Trusted Zone: http://*.cinemanow.com
    O15 - Trusted Zone: http://*.mcafee.com
    O15 - Trusted Zone: cms.nasa.gov
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
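    As an added illustration, not part of chaslang's instructions and not code from MajorGeeks or HijackThis, the script below shows how the O2/O15/O16 lines selected above can be triaged automatically: a BHO whose file is "(no file)" and an O16 ActiveX (DPF) entry with no source URL are orphaned registrations that can be cleaned, while an O15 Trusted Zone entry is flagged for human review because it lowers Internet Explorer's security for that site (the cms.nasa.gov decision in this thread is exactly such a judgement call). The sample input embeds the thread's lines plus two constructed benign lines; the CLSIDs and paths in those two lines are placeholders, not real components.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the thread's O2/O15/O16 lines plus two made-up
# benign entries (placeholder CLSIDs/paths) so the parser has negatives too.
SAMPLE_LINES = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Example Helper - {AAAA0000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O15 - Trusted Zone: http://*.cinemanow.com
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: cms.nasa.gov
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {BBBB0000-0000-0000-0000-000000000002} (Example Control) - http://example.invalid/control.cab
"""

CLSID = r"\{[0-9A-Fa-f-]{36}\}"
O2_RE = re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>\S+)$")
O16_RE = re.compile(rf"^O16 - DPF: (?P<clsid>{CLSID})(?: \((?P<name>[^)]*)\))? -\s*(?P<url>.*)$")


@dataclass
class Finding:
    line: str
    kind: str    # "orphaned" (registration with no backing file/URL) or "review"
    reason: str


def triage_hjt(text: str) -> List[Finding]:
    """Classify HijackThis O2/O15/O16 lines; other line types are ignored."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = O2_RE.match(line)
        if m:
            # A BHO whose DLL is gone is a leftover registry entry: it loads
            # nothing, but it is noise that hides real entries, so remove it.
            if m.group("path").strip().lower() == "(no file)":
                findings.append(Finding(line, "orphaned",
                                        "BHO registered but its DLL is missing"))
            continue

        m = O15_RE.match(line)
        if m:
            # Trusted Zone entries relax IE's security settings for the site;
            # wildcards widen that to every host in the domain. Always review.
            site = m.group("site")
            note = " (wildcard)" if "*" in site else ""
            findings.append(Finding(line, "review",
                                    f"Trusted Zone grants relaxed security to {site}{note}"))
            continue

        m = O16_RE.match(line)
        if m:
            # A DPF entry with no URL can never re-download its control; it is
            # an orphaned ActiveX registration and safe to clear.
            if not m.group("url").strip():
                findings.append(Finding(line, "orphaned",
                                        "ActiveX (DPF) entry with no source URL"))
            continue
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per kind, e.g. {'orphaned': 3, 'review': 3}."""
    counts: dict = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage_hjt(SAMPLE_LINES)
    for f in results:
        print(f"[{f.kind:8}] {f.reason}\n           {f.line}")
    print(summarize(results))
```

Run it against a pasted HijackThis log and act only on the "orphaned" lines automatically; the "review" lines need a person to decide, as lajmd did for the work CMS entry.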
     
  5. lajmd

    lajmd Private E-2

    Hi chaslang,

    Couple of hiccups occurred as I went down the list of directions you sent:

    First of all, I am unable to uninstall the Verizon Internet Security Suite which I would prefer to uninstall rather than McAfee. This was installed when I got Fios and without my knowledge. When I try to uninstall it I am told that I have to reboot before I can. I reboot and I try again and get the exact same message. Any tricks to getting it uninstalled? If push comes to shove, I'll uninstall McAfee but I figured I'd ask. I don't like having a program on my computer that I can't get rid of!

    Secondly, I am able to uninstall all JAVA updates except the following:

    J2SE Runtime Environment 5.0 Update 10
    Java 2 Runtime Environment, SE v.1.4.2_03

    when I try to get rid of these I get this error: "Error 1327. Invalid Drive H:\"

    Based on these two problems I didn't know whether or not to continue the fixes.

    This is what I've done so far:

    I have disabled Teatimer (which I had clicked NOT to install, but I guess it installed anyway).

    I am in the process of cleaning up my desktop as well. My bad.

    I removed Windows Messenger and all other Java updates and also removed Viewpoint Media Player.

    I also removed all the Uniblue products.

    This is where I stopped until I hear back from you on the two troublespots I listed above.

    THANK YOU SO MUCH for all your help! I'll await your reply!

    LAJMD
     
  6. lajmd

    lajmd Private E-2

    And more...

    I decided to continue to do as much as I could.

    I cleaned up the desktop leaving only those icons that go directly to a program execute.

    I retried deleting the Java again and was successful. I still could not delete the Verizon Internet Security Suite.

    I ran MG Tools analyse.exe. I checked all BUT the line 015 Trusted Zone: cms.nasa.gov because this is a Content Management System I use for work. If I need to go back and "check" that and rerun that step I will, but I thought I should check first because I do need to be able to run that CMS for my job.

    I opened notepad and copied the info and then ran it with Combofix.exe (file attached).

    I rebooted and then downloaded the updated Java.

    I ran Ccleaner.

    I ran MG Tools\GetLogs.bat (file attached).

    It seems to be running much better but I guess I still need the attached files analyzed to make sure that all the malware is gone now.

    THANKS AGAIN!!

    LAJMD
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    You also have a 3rd item with antivirus which is Fix-It Utilities 7 Professional. You need to uninstall this now since it has installed Authentium AntiVirus.


    Then try to uninstall the below again:
    Verizon Internet Security Suite
    Verizon PC Security Checkup

    If they do not uninstall, try using the below software to uninstall them:
    Your Uninstaller! 2008


    Your MGlogs.zip file shows that one application is not getting a proper log. Please refer to Error Message Type 1 in this link Using MGtools and apply that fix.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  8. lajmd

    lajmd Private E-2

    THANKS ONCE AGAIN! You are a MIRACLE WORKER! I have uninstalled both the Fix-It Utilities and the Verizon mess! I found a fix on the Verizon forum on how to uninstall their virus stuff so I finally got rid of that!

    I applied the Fix on Error Message 1 and I have attached my log from the GetLogs.bat.

    Strangely, though, at the end of this I did get an error message "Process DLL.exe" error followed by "Registered JIT debugger not available." Not sure what this is or means, but it happened at the end of the GetLogs.bat application.

    Sorry it took me so long to get back to you. VERY BUSY WEEKEND out with the cub scouts.

    Things seem to be working fine now. I can't thank you enough for all your help!:clap

    lajmd
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Something is still preventing it from working properly and I would like to try and figure out what.

    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.


    Not a major issue since we don't need the log from Processdll.exe right now. It could be a problem with your .NET installation or it could be due to a software conflict. I have heard of some people with DELL PCs having this problem until they uninstalled the Dell Support software, but I don't know if this is your problem or not. Some people also said repairing their .NET Framework installation helped. See: http://support.microsoft.com/?id=824643 Seems that many people have seen error messages like you got but no one really has the exact fix.
     
    Last edited: Mar 18, 2009
  10. lajmd

    lajmd Private E-2

    I copied the output from running showme to a notepad file and have attached it.

    I've also attached the MGlogs.zip

    Hope this helps! Thanks for everything!!

    lajmd
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmmm! That's a new one.


    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    locate *.exe /NR <-- this will try to run the locate command which is part of MGtools. There is a space before the * and before the /. If it works, the output should look like the below
    Code:
    C:\MGtools>locate *.exe /NR
    C:\MGtools\
       analyse.exe    Thu Jul 12 2007  10:56:14p  A....        401,720   392.30 K
       catchme.exe    Fri Jun 13 2008   5:09:08p  A....         28,672    28.00 K
       driver~1.exe   Tue Oct  7 2008   2:22:08a  A....         30,720    30.00 K
       getdet~1.exe   Mon Oct 30 2006  11:17:58a  A....        245,760   240.00 K
       grep.exe       Mon Apr 14 2003  12:00:00a  A....         80,412    78.53 K
       ltime.exe      Tue Oct 28 1986  11:51:06a  A....         13,184    12.88 K
       process.exe    Thu Jun  5 2003   8:13:46p  A....         53,248    52.00 K
       proces~1.exe   Tue Aug  1 2006   8:14:52a  A....          6,656     6.50 K
       sed.exe        Thu Aug 31 2000   8:00:00a  A....         98,816    96.50 K
       swreg.exe      Sun Dec 16 2007   5:36:08p  A....        156,160   152.50 K
       swwhoami.exe   Sun Dec 16 2007   5:47:26p  A....         66,048    64.50 K
       vfind.exe      Fri Dec 28 2007   2:42:12p  A....         49,152    48.00 K
       zip.exe        Thu Jan 13 2005   9:41:50p  A....        126,976   124.00 K
    13 items found:  13 files, 0 directories.
       Total of file sizes:  1,357,524 bytes      1.29 M
    Do you see this output or did you get another error message like you had before? Like below:

    The process cannot access the file because it is being used by another process.


    SN64.bat <-- this will try to run another command which is part of MGtools which is a 64 bit compatible version of ShowNew.bat. Let me know if this gets any error messages. Attach the C:\MGlogs.zip file which will be updated by this.
     
    Last edited: Mar 20, 2009
  12. lajmd

    lajmd Private E-2

    When I run the script exactly as you have outlined, the only thing that happens is that the command goes right back to:

    C:\MGtools>

    Nothing else.

    lajmd
     
  13. lajmd

    lajmd Private E-2

    Just realized about the last part. I ran the SN64 and did not get errors with that. I have attached the MGlogs.zip

    THANKS!

    lajmd
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your new log is clean so at this point it appears all your malware has been fixed. But you should do the below.

    Delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\TEMP
    C:\Documents and Settings\Lynn\Local Settings\TEMP


    I'm still just curious about why the locate command will not run.

    Strange. It seems like you cannot run a .com file.

    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    mode <-- this will try to run the mode.com command which is part of Windows. If it works, the output should look something like the below for your user account.

    Code:
    C:\Documents and Settings\Lynn>mode
    Status for device LPT1:
    -----------------------
        Printer output is not being rerouted.
     
    Status for device COM2:
    -----------------------
        Baud:            1200
        Parity:          None
        Data Bits:       7
        Stop Bits:       1
        Timeout:         OFF
        XON/XOFF:        OFF
        CTS handshaking: OFF
        DSR handshaking: OFF
        DSR sensitivity: OFF
        DTR circuit:     ON
        RTS circuit:     ON
     
    Status for device COM1:
    -----------------------
        Baud:            1200
        Parity:          None
        Data Bits:       7
        Stop Bits:       1
        Timeout:         OFF
        XON/XOFF:        OFF
        CTS handshaking: OFF
        DSR handshaking: OFF
        DSR sensitivity: OFF
        DTR circuit:     ON
        RTS circuit:     ON
     
    Status for device CON:
    ----------------------
        Lines:          2010
        Columns:        80
        Keyboard rate:  31
        Keyboard delay: 1
        Code page:      437
     
    C:\Documents and Settings\Lynn>
    
     
    Last edited: Mar 27, 2009
  15. lajmd

    lajmd Private E-2

    Sorry it took me so long to get back to you! I've been hammered at work. Anyway, I was able to get the mode to work on the command line and have attached the output. THANK YOU SO MUCH FOR EVERYTHING!!

    lajmd
     

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Well that did not show me anything to help figure out why the locate program would not run. :( Anyway your logs were clean and you should do the below now.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
