not sure if infection is gone

Please do not post anymore logs inline. It should not be necessary. If you can upload to filedropper then you should be able to upload here.


While I read thru some of this thread and look at your most recent logs, please download the following & save to your Desktop


GMER's MBR.exe

• Double click on the MBR.exe file to run it.
• A log will be produced & saved to the desktop, called MBR.log.
• Attach this log to your next message.

 

Also please run this Running GMER to detect rootkits and attach the log.

 

You need to stop doing this! We want all logs attached.

 

No! You need to attach it here at MGs. If you can upload it there, you can upload it here.

 

I'm not so sure how much of your problems are a corrupted Windows OS and how much is malware. You have a lot of system files which are the wrong size. When you were doing your Windows Updates, did you have problems?

Does ComboFix run properly for you? We are going to need to use it and Avenger.

 

Ah!!!! This may be what I'm noticing. Does it say anything about a Virut infection? If you don't remember, try dowloading the current version of ComboFix right now to your Desktop and then double click on it. Tell me exactly what it says.

combofix.exe

I have more to give you but it will be a waste of time to post it until I know the answer to the above.

However on the outside chance that it is not a Virut infection, I want you to do the below to get prepared for what my next steps may be.

Now download and save this XPsp3bu.exe to your C:\ root folder. You must do this properly. Now run the XPsp3bu.exe program by double clicking on it. You may or may not notice a quick flash of a black window. This is normal. The program runs quickly and just extracts some files we need.

Now uninstall AVG9 and reboot. Then continue with the below.

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Now download and install Mozilla FireFox and use it for your browser instead of Internet Explorer which may have some corrupted files associated with it.

 

Okay then just do what the rest of my message gave you as long as it did not say anything about a Virut infection.

 

Good! Hopefully it will work better.

Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then double click on it to run it.

FileCopy.bat


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\MGlogs.zip

After getting this log, I will be able to complete a procedure that I'm working on. DO NOT SHUTDOWN OR REBOOT YOUR PC. You need to keep it running until you start this next fix and it reboots your PC itself.

 

Try it now. I just fixed the link.

 

Yes that's the stupid default of FireFox but it should be defaulting to the Desktop. Give it a shot and let me know. If it does not goto the Desktop, I will tell you have to change FireFox to prompt you.

 

In fact, here is what the READ & RUN ME gave you (in the downloading of MGtools area) about setting FireFox up properly.

 

What internet error?

You need to just move on to running GetLogs.bat as requested and attach the new MGlogs.zip file.

 

GetLogs.bat ran properly but it shows that FileCopy.bat did not. Where do you have FileCopy.bat? Is it on your Desktop?

 

Okay I see why FileCopy.bat did not work. Download the below new version and overwrite the old version with it:


FileCopy.bat


Now run it. Then rerun C:\MGtools\GetLogs.bat and attach the new MGlogs.zip file again. Hopefully this is more successful so we can move on to the next steps. Don't worry about any internet errors if you get any of them.

 

It is still not copying the files we want to copy. Let's do something else and then move on to my next fix which is all below.



Please download and run Win32kDiag per the below instructions:

• Download this Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
• Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log

C:\win32kdiag.exe -f -r


Now download The Avenger by Swandog46, and

save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Also delete all files in the below folders except ones from the current date (Windows will not let you
delete the files from the current day).
C:\WINDOWS\temp
C:\Documents and Settings\Lorraine\Local Settings\Temp

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note:
if using Vista, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• the Win32kDiag log
• C:\avenger.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Okay somethings worked and some did not. We may have to boot to the Recovery Console to fix some files since Avenger will not do it and you cannot get ComboFix to run.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

After clicking Fix, exit HJT.


Now download and run the new FileCopy.bat program below. Overwrite the old version with it:


FileCopy.bat


Now run it. Then rerun C:\MGtools\GetLogs.bat and attach the new MGlogs.zip file again.

 

Make sure you read and understand this sticky: Don't Bump! It Only Hurts You!!!

Yes we need to see this log from ComboFix. The FileCopy finally did what I wanted it to do but we have more to do. You need to attach the ComboFix log first though before we can continue.

Also tell me how your PC is currently operating.

 

This was not what I asked you to do. Did you read the below at the very beginning of the READ & RUN ME? See the last bullet item.

You will now have to attempt working in the Software Forum to see if you can make your PC bootable. If you cannot do that, you will possibly be reinstalling which may have been a good idea anyway since many of your problems appeared to be Windows related and not malware.

 

I suggest that you post in the Software Forum to get help. This is not a malware problem. It is a problem with your reinstall and getting the proper drivers for your hardware installed.