Please Help ! Hijack log posted here

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by garyjwilson, Jun 2, 2011.

  1. garyjwilson

    garyjwilson Private E-2

    Hi,

    Can anyone please help? My system was infected a couple of days ago with what I believe AVG identified as "Zlob.n". I managed, using Malwarebytes, AVG and ComboFix, to get rid of the majority of the virus, but my system is still far from OK.
    The main issue I have is no internet (wireless dongle system). However, in safe mode with networking the internet is fine, hence my ability to post on here. I have tried every reset advice and fix utility on the net but still no joy. I think the virus may have attacked some of my user permissions etc. in the registry, as I had to use a permission reset tool to get AVG back on. Firefox won't even start up, and I have just uninstalled Internet Explorer and it will not let me reinstall it.

    Internet Explorer network diagnostics was saying my winsock was corrupt, but I have used several utilities to replace and check it and they are now saying it is fine. Internet Explorer did not, so I uninstalled it and now cannot get it to install again.

    Anyway, I have downloaded HijackThis and enclosed the log as an attachment. Any advice is greatly appreciated.

    Kind Regards

    Gary
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Welcome to Major Geeks!

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. garyjwilson

    garyjwilson Private E-2

    Root repeal and malwarebytes logs attached

    Internet Explorer, Outlook Express and a large number of programs do not now show in the Start / Programs list. They show fine in safe mode though?

    Can someone please point me in the right direction here.
    By the way, I am running XP Pro, which has an event log; could this be useful? If so, can I access it and post the log here?

    thanks

    Gary
     

    Attached Files:

  4. garyjwilson

    garyjwilson Private E-2

    Here are my PsList logs for Safe Mode and Normal Mode also.
    I disabled everything in normal mode in MSCONFIG so that the running processes were identical and it still never worked?
     

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I need to see logs from running SUPERAntiSpyware, ComboFix and MGtools please. Do not run things twice in both normal and safe modes; just normal mode will suffice. We only have people scan in safe mode when normal mode is problematic or not accessible. ;)
     
  6. garyjwilson

    garyjwilson Private E-2

    Ok here are the logs
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I had a very busy weekend, only just got round to this now.

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode.

    Fair warning, screensavers are a great way to get infected ;) Watch where you download these from.
    • Messenger Plus! 5 <--- Also another way to get infected...this invites in lop amongst other things. Uninstall it.
    • Java(TM) 6 Update 24 <--- Outdated, uninstall.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    C:\windows\system32\Data
    C:\windows\system32\Defaults
    C:\windows\system32\Win9X
    File::
    C:\Documents and Settings\Gary\Local Settings\Application Data\{01724771-1F1A-4837-99AF-F989F81B84DF}
    C:\Documents and Settings\Gary\Local Settings\Application Data\{029D6900-4323-4610-A494-A74FD79DB55F}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{04CECC55-7033-4A21-8184-5CFCC419E04A}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{0ADB64FF-B2B1-40E9-94C6-D4B4FB928BB7}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{1901E9EF-14B8-4BC8-BBB4-24680B3EB4F5}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{1FE952EE-6B5E-486F-B084-85CE713D77B0}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{21911D8F-264D-4853-8931-23DB1CE4B6B7}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{27B5F4EC-88D9-47EB-8B77-9F3439A1C930}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{34C3A9C9-51D5-4B5C-9BE8-760018B5F2AC}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{4A1ACB12-E83F-4EC8-B493-4E9D09ADE650}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{5072882B-900D-49AC-9601-7AA30E8F5F9B}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{515D3F8E-DE77-42D5-A135-720723C5545F}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{51E36073-7ACD-4504-9EA5-5630DA8BAE5A}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{54739D40-591C-4225-BDE8-AA9B804D65FF}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{6087F9D9-F645-427F-BE25-533701970285}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{68889F3C-D9ED-461E-A28A-1D8CDF33B0DE}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{6F1A6F41-32E7-472E-8D01-32099943BCAD}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{73790BA8-4D4A-4266-BE34-AD64D68EDF46}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{77A81914-F27C-4C70-8386-5D2C95FBF82A}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{7D31C265-038A-4057-B2F3-BA80DEE36CDC}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{860D18EC-C0C9-4A4D-902C-57E0EB74132A}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{8E82A016-7C25-4A20-906E-CA496400E4F6}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{904465DD-818F-4FD6-844D-484844612805}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{91DB8355-DA85-4E45-A432-82C02A429443}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{9593B3A8-E57D-4D8A-BF9C-F07787403F49}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{9B2E9BFE-04BA-4134-B7BF-3C849BA7F78D}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{9F630CE3-329B-4653-938F-0B8903626E19}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{A0332676-CE3F-458D-9B03-5DE12FFDE4A9}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{A1F6EF39-6DAA-4DCA-8317-002405A3F6BD}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{A36D66E4-B001-4385-94DE-FAA17A29C6CF}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{A3C7EA96-9AD8-4E29-B02F-B017FFEE9A53}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{AA5B17D8-AEAE-462A-B60C-75F3CBA99B0A}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{AC12AA5D-8346-4879-B066-18DEB1802546}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{ADB508B8-C769-406D-B35A-45E7C1496026}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{B671274C-C6F9-4DB0-8F33-3E4EC8E4FA99}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{BCB4FDD0-5667-4158-9697-E1CE85D0B92E}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{C04A9ADC-4DB5-436F-9934-7E76ECB1D579}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{C4D802C4-0B30-4C30-94EA-9195C059CA1C}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{C96C4ABF-6147-4A64-BDE2-B410A3F131E2}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{CE7E77FE-E835-4744-82B7-003F446C7512}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{D1483524-B04E-425F-A3EB-AE728FF0C4C3}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{DBEE8E5D-48B2-4E6B-9A14-F7C40ADE1488}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{DF9F396D-611C-411F-A463-4752A8B598DD}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{ED3AD4C2-74A5-4E12-B67F-93FB5A647B82}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{EE803DA2-E6DA-42B3-8C2B-2DB39BC2A563}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{EFBBEA18-6F49-4553-AE34-8B72B4FE35E3}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{F434248E-D2CD-43A1-8C4F-5684A74A1DA1}"
    C:\Documents and Settings\Gary\Local Settings\Application Data\{F472BE09-6F73-4307-8209-960439EE2CDF}"
    c:\documents and settings\All Users\Application Data\xml3AB.tmp
    c:\documents and settings\All Users\Application Data\xml3AA.tmp
    Registry::
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{043C5167-00BB-4324-AF7E-62013FAEDACF}]
    Folder::
    C:\WINDOWS\system32\drivers\Avg(2)
    c:\RECYCLER(2)
    C:\windows\E
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run

    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
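A small validator for the CFScript format used above, added here as an example (it is not ComboFix's own code and is not from the thread). It assumes the conventions visible in the posted script: a word followed by `::` starts a section, entries under File::, Folder:: and DirLook:: are Windows paths, and `[-HKEY...]` under Registry:: asks for that key to be deleted; the input is a constructed, shortened script. Checking a pasted script this way before dragging it onto ComboFix catches the stray quote characters that otherwise make an entry miss its target.

```python
"""Validator for the ComboFix CFScript format shown in this thread.

Added example; not ComboFix's own code, and it does not run ComboFix.
Assumptions (taken from the script format as posted): a section header is a
word followed by '::' (KILLALL::, DirLook::, File::, Registry::, Folder::);
entries under File::, Folder:: and DirLook:: are Windows paths; a
'[-HKEY...]' line under Registry:: requests deletion of that key, while a
'[HKEY...]' line opens a key whose value lines follow.
"""
import re
from collections import OrderedDict

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
# A drive-letter path containing none of the characters Windows forbids.
WIN_PATH_RE = re.compile(r'^[A-Za-z]:\\[^"<>|?*]*$')
REG_KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+\\[^\]]+)\]$")
PATH_SECTIONS = ("File", "Folder", "DirLook")

# Constructed sample: a shortened script in the same shape as the one above,
# including one path with the trailing quote that slipped into the original.
SAMPLE_SCRIPT = r"""KILLALL::

DirLook::
C:\windows\system32\Data
File::
C:\Documents and Settings\Gary\Local Settings\Application Data\{01724771-1F1A-4837-99AF-F989F81B84DF}
C:\Documents and Settings\Gary\Local Settings\Application Data\{029D6900-4323-4610-A494-A74FD79DB55F}"
Registry::
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{043C5167-00BB-4324-AF7E-62013FAEDACF}]
Folder::
C:\WINDOWS\system32\drivers\Avg(2)
C:\windows\E
"""


def parse_cfscript(text):
    """Split a CFScript into sections and collect problems.

    Returns (sections, issues): sections maps header name -> entry lines in
    order; issues is a list of (line_number, message).
    """
    sections = OrderedDict()
    issues = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue                      # blank lines only separate sections
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            issues.append((lineno, "entry before any section header"))
            continue
        sections[current].append(line)
        if current in PATH_SECTIONS:
            # Most common paste error: a quote glued onto the path, so the
            # name never matches the real file or folder.
            if line.startswith('"') or line.endswith('"'):
                issues.append((lineno, "stray quote on path"))
            elif not WIN_PATH_RE.match(line):
                issues.append((lineno, "not a Windows path"))
        elif current == "Registry" and line.startswith("["):
            if not REG_KEY_RE.match(line):
                issues.append((lineno, "malformed registry key line"))
    return sections, issues


def registry_actions(sections):
    """List (action, key) pairs requested under Registry::."""
    actions = []
    for line in sections.get("Registry", []):
        m = REG_KEY_RE.match(line)
        if m:
            actions.append(("delete" if m.group(1) else "open", m.group(2)))
    return actions


def strip_stray_quotes(text):
    """Return the script with quotes removed from File/Folder/DirLook entries."""
    out = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
        elif current in PATH_SECTIONS and line:
            line = line.strip('"')
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    sections, issues = parse_cfscript(SAMPLE_SCRIPT)
    for name, entries in sections.items():
        print(f"{name}: {len(entries)} entries")
    for lineno, msg in issues:
        print(f"line {lineno}: {msg}")
    for action, key in registry_actions(sections):
        print(f"registry {action}: {key}")
```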
     
  8. garyjwilson

    garyjwilson Private E-2

    Hi,

    Followed your instructions. Re enabled all start up items in MSCONFIG, Disabled Malwarebytes and SAS and uninstalled AVG so that combo fix would run.
    ComboFix ran at the second attempt (froze at first attempting to create a restore point).
    After reboot I ran TDS killer and it ran clean except for the following
    (this file was locked )

    suspicious object
    local file
    service
    service name: sptd
    service type: kernel driver (0x1)
    service start:Boot (0x0)
    file c:windows/system3/drivers/sptd.sys
    MD5: d390675b8ce45e5fb359338e5e649329

    I then rebooted and installed the new java and ran MGtool log (attached.)

    My system seems a lot more stable now in normal mode. It was previously freezing all the time since the virus and wouldn't let me click anything on the task bar most of the time too.

    However I am still only able to connect to the internet in safe mode.
    Internet Explorer starts up now but Mozilla won't even load. Double clicking on the icon starts the timer for a few seconds but no load.
    When I shut the system down I get a blue close box stating do you wish to shut down firefox.
    My internet in normal mode is connecting to my router (showing excellent connection) but wont connect to the network....

    I have attached the MG log as advised.

    Thanks for your help so far

    Regards

    Gary
     

    Attached Files:

  9. garyjwilson

    garyjwilson Private E-2

    Hi Kestrel,

    Just to let you know.
    On second and third reboot into normal mode I am back to square one.
    Computer keeps freezing and locking and can not access the task bar at all sometimes. Simply shows the sand timer when you hover over anywhere on it.

    thanks

    Gary
     
  10. garyjwilson

    garyjwilson Private E-2

    Hi Kestrel,

    One more thing. When I first rebooted, the internet connection icon on my taskbar started flashing away as though I had a full connection as the computer was loading up. By the time it was fully loaded it had stopped flashing. Is it possible that my computer connected to a rogue site and downloaded something to counteract your fix?

    thanks

    Gary
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Just a thought...you have Internet Lock 5.3 installed. This is nothing to do with your internet problems is it?? Do you still have issues if you uninstall it?

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    Code:
    
    :files
    C:\Documents and Settings\Gary\Local Settings\Application Data\{264C288B-D882-4DC4-A727-B3004B3019CA}
    C:\Documents and Settings\Gary\Local Settings\Application Data\{CFAEB261-C1C7-49B0-B380-BEC1FB85C591}
    C:\Documents and Settings\Gary\Local Settings\Application Data\{D7819602-A159-48C3-B2EE-39E48CA28E1C}
    C:\windows\E
    
    :Commands
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  12. garyjwilson

    garyjwilson Private E-2

    Hi Kestrel.

    Fantastic. Uninstalled Internet Lock and Skype and it's working.
    You are a star. Do I need to bother with the OTM stuff now?

    Once again thanks a million

    Gary
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yep. You still need to do OTM. :)
     
  14. garyjwilson

    garyjwilson Private E-2

    Hi Kestrel.

    Ran OTM as per instructions. System asked to reboot.
    Logs attached.
    Also not sure if it's related, but I got a Malwarebytes notification blocking an outgoing request from my PC to malicious site 212.113.37.236. (Looked it up and it's in Ukraine. Don't know where it was from on my PC though.)

    thanks again

    Gary
     

    Attached Files:

  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Delete these files:

    C:\Documents and Settings\Gary\Local Settings\Application Data\{86732824-AF40-45B4-A081-6534EC2DCC2E}
    C:\Documents and Settings\Gary\Local Settings\Application Data\{C4AE01BD-1E22-4793-A6BD-84C112CC4803}

    Tell me what problems remain.
     
  16. garyjwilson

    garyjwilson Private E-2

    Hi Kestrel,

    Deleted the two files as instructed.
    Only problems now are that I am still getting random Malwarebytes notifications of system outgoing blocks to malicious sites. Seems to stop after reboot and then start again after the next reboot.
    Also now have a very very slow boot up.
    Used to take about 30 seconds to get to desktop. Timed it last boot and it took 4 and a half minutes to get to desktop. My load up screen for my Asus Rock used to last 3 or 4 seconds this is now well over a minute. It was so long I thought the system had locked up.
    Not sure if this is related to anything but look forward to your advice.

    Regards

    Gary
     
  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, MBAM is just doing its job; it will block IP addresses in its database of malware-serving websites.

    What is this file? C:\windows\E

    Could you please get it into a zipped file and attach it for me in your next post? To do this, see the below:

    Please go to start > Run and paste in the following:

    log retrievable @ C:\collect.zip
    Something to further discuss in another section of the forum because it is not malware related. 30 seconds to desktop? Wow you were lucky!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  18. garyjwilson

    garyjwilson Private E-2

    Hi Kestrel.

    Ran the collect zip script but could not locate a C:\collect.zip file.
    So I zipped it myself and attached.

    Re. Slow boot.
    The reason I mentioned it was because it has only occurred since the fixes were started. I didn't know if this was due to MGlogs, TDSSKiller etc.
    I do have a powerful system, AMD Phenom 9650 quad core with 4 GB RAM running XP Pro, and it was honestly only 30 seconds or so to desktop display and start items beginning to load.

    Thanks for your continued assistance

    Regards

    Gary
     

    Attached Files:

  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    What we have done and the scans we have run cannot cause a slow down, perhaps you can review what is running at start up, and trim that down by using third party software such as StartupCPL for instance. AVG is also a known resource hog. You have a-squared installed which I do not rate these days, you could uninstall that and rely on MBAM and SAS instead.
    You are most welcome!

    vShare Plugin <--- Is this something you knowingly installed? If you do not use it be rid of it, uninstall it.


    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.


    What is this file? If you do not know, attach it or have it scanned like the files further down my post.
    • C:\windows\system32\c_71311.nl


    Remnants from Internet Lock below, you can delete it.

    • C:\WINDOWS\system32\drivers\InetLock.sys


    Try and zip this using the method previously described, otherwise zip it yourself.

    C:\WINDOWS\system32\drivers\nebkrp.sys


    Please go to virustotal and upload the following files for analysis, and let me know the results.
    • C:\WINDOWS\system32\drivers\nebkrp.sys
    • C:\WINDOWS\system32\drivers\update.sys

    Also delete all files in the folders below except ones from the current date (Windows will not let you delete the files from the current day).
    • C:\Documents and Settings\Gary\Local Settings\temp
    • C:\WINDOWS\temp

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, while it is true that the scans themselves are not the problem, it is due to MSConfig not being used anymore. Remember in message 7 the below was requested as part of our normal process:
    28 startup processes were being disabled with MSconfig and now need to be controlled via some other method since MSconfig should not be used to do this. This is the reason for your startup time change. It was not due to the scans.

    Thus Kestrel13! is on the right track telling you that if you want to reduce startup time, you need to reduce your startup processes. Just don't use MSConfig. The READ & RUN ME gave you the below link:

    Dealing with Startup Process
     
  21. garyjwilson

    garyjwilson Private E-2

    Hi Kestrel...

    Re instructions provided.

    uninstalled vshare plugin
    disabled anti spyware and avg (best I could) and ran mgtools analyse
    fixed
    O2 and O9 entries as listed
    but O18 entry protocol vsharecrome was not listed

    File C:\windows\system32\c_71311.nl was zipped and is attached.

    File InetLock.sys was deleted.

    C:\WINDOWS\system32\drivers\nebkrp.sys is attached

    selected all files in folder
    C:\Documents and Settings\Gary\Local Settings\temp
    and then pressed delete. It deleted everything (quite a lot) except for files it said were in use
    WCES log
    WCES com
    LVCOMSX com
    DF138C.tmp
    DFFD98.tmp
    DFFD93.tmp
    DFFE7d.tmp
    DFFE88.tmp
    DFFF8a.tmp
    DFFF95.tmp
    Wcesviewlog
    DF260E.tmp
    DF6f87.tmp

    were all that were left.


    Deleted all files in C:\WINDOWS\temp
    Again message stated files in use could not be deleted. Files left were

    Perflib_Perfdata_dat (17 of them with different number / codes )
    plus...... terdo.txt and WGAErrLog.txt

    Uploaded the two files to virus total

    First one C:\WINDOWS\system32\drivers\update.sys
    came back 0% out of 43


    Second one C:\WINDOWS\system32\drivers\nebkrp.sys.
    came back
    File name: nebkrp.sys
    Submission date: 2011-06-08 04:46:31 (UTC)
    Current status: finished


    Result: 2/ 42 (4.8%)
    VT Community

    goodware
    Safety score: 75.5%
    Antivirus Version Last Update Result
    AhnLab-V3 2011.06.08.01 2011.06.08 -
    AntiVir 7.11.9.94 2011.06.08 -
    Antiy-AVL None 2011.06.07 -
    Avast 4.8.1351.0 2011.06.07 -
    Avast5 5.0.677.0 2011.06.07 -
    AVG 10.0.0.1190 2011.06.07 -
    BitDefender 7.2 2011.06.08 -
    CAT-QuickHeal 11.00 2011.06.08 -
    ClamAV 0.97.0.0 2011.06.08 BC.Heuristics.Rootkit.B-11.MV
    Commtouch 5.3.2.6 2011.06.08 -
    Comodo 8990 2011.06.08 -
    DrWeb 5.0.2.03300 2011.06.08 -
    eSafe 7.0.17.0 2011.06.06 Win32.TrojanHorse
    eTrust-Vet 36.1.8372 2011.06.07 -
    F-Prot 4.6.2.117 2011.06.08 -
    F-Secure 9.0.16440.0 2011.06.08 -
    Fortinet 4.2.257.0 2011.06.08 -
    GData 22 2011.06.08 -
    Ikarus T3.1.1.104.0 2011.06.08 -
    Jiangmin None 2011.06.07 -
    K7AntiVirus 9.105.4781 2011.06.07 -
    Kaspersky 9.0.0.837 2011.06.08 -
    McAfee 5.400.0.1158 2011.06.08 -
    McAfee-GW-Edition 2010.1D 2011.06.08 -
    Microsoft 1.6903 2011.06.07 -
    NOD32 6188 2011.06.08 -
    Norman 6.07.10 2011.06.07 -
    nProtect 2011-06-08.01 2011.06.08 -
    Panda 10.0.3.5 2011.06.07 -
    PCTools 7.0.3.5 2011.06.08 -
    Prevx 3.0 2011.06.08 -
    Rising 23.61.01.03 2011.06.07 -
    Sophos 4.66.0 2011.06.08 -
    SUPERAntiSpyware 4.40.0.1006 2011.06.08 -
    Symantec 20111.1.0.186 2011.06.08 -
    TheHacker 6.7.0.1.225 2011.06.08 -
    TrendMicro 9.200.0.1012 2011.06.08 -
    TrendMicro-HouseCall 9.200.0.1012 2011.06.08 -
    VBA32 3.12.16.0 2011.06.07 -
    VIPRE 9519 2011.06.08 -
    ViRobot 2011.6.8.4499 2011.06.08 -
    VirusBuster 14.0.71.0 2011.06.07 -
    Additional information
    MD5 : e6d35f3aa51a65eb35c1f2340154a25e
    SHA1 : aabbd57e20d2e7041f9e7abce6cfd8a53c366537
    SHA256: 3da4f51682e7d42c5569f1fb1adc6295182962e36f748219e1d0c8f2389ba516
    ssdeep: 768:Bosx0q2ph6P2Jpz8ftoSUiJP7hYTCMrhwYKUzY4q:j076P2Jpz8ftBUMPaCMrhwY
    File size : 54016 bytes
    First seen: 2009-09-18 00:44:25
    Last seen : 2011-06-08 04:46:31
    TrID:
    Clipper DOS Executable (33.3%)
    Generic Win/DOS Executable (33.0%)
    DOS Executable Generic (33.0%)
    VXD Driver (0.5%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
    sigcheck:
    publisher....: n/a
    copyright....: n/a
    product......: n/a
    description..: n/a
    original name: n/a
    internal name: n/a
    file version.: n/a
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned

    PEInfo: PE structure information

    [[ basic data ]]
    entrypointaddress: 0xC505
    timedatestamp....: 0x4A9EE5B5 (Wed Sep 02 21:37:57 2009)
    machinetype......: 0x14c (I386)

    [[ 5 section(s) ]]
    name, viradd, virsiz, rawdsiz, ntropy, md5
    .text, 0x480, 0xBD9F, 0xBE00, 5.83, 9474f39576a0e15bdbaa2ea3355f0a4a
    .rdata, 0xC280, 0x126, 0x180, 3.78, 375b710d9f213cfced30e9fdb29567e1
    .data, 0xC400, 0xC0, 0x100, 0.33, 786971ca2b109729eda604b44d6c72ad
    INIT, 0xC500, 0x3C8, 0x400, 5.20, eea49a93a73afb6afc178455582133c6
    .reloc, 0xC900, 0x9EC, 0xA00, 6.62, bddd5a40c508bfc84ec87de5f8e6a5d3

    [[ 1 import(s) ]]
    ntoskrnl.exe: ZwWriteFile, RtlUpcaseUnicodeChar, ZwClose, ZwCreateFile, RtlInitUnicodeString, _wcsicmp, ZwQueryValueKey, ZwOpenKey, ZwDeleteKey, swprintf, ZwEnumerateKey, ExFreePoolWithTag, DbgPrint, ExAllocatePool, RtlPrefixUnicodeString, memcpy, RtlDeleteRegistryValue, ZwSetValueKey, RtlWriteRegistryValue, ZwEnumerateValueKey, ZwSetInformationFile, ZwQueryInformationFile, ZwQueryDirectoryFile, ZwOpenFile, KeTickCount, KeBugCheck, MmGetSystemRoutineAddress, ZwFlushKey, PsTerminateSystemThread, KeSetPriorityThread, KeGetCurrentThread, RtlCheckRegistryKey, KeDelayExecutionThread, ZwReadFile, PsCreateSystemThread, PsGetVersion, KeBugCheckEx

    Symantec reputation:Suspicious.Insight


    VT Community

    13
    User:LT1

    Reputation:3318 credits

    Comment date:2010-09-29 17:53:30 (UTC)
    Tags: Malware,


    Thanks again

    Gary
     

    Attached Files:

  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Have you ever used Avenger? Software similar to Combofix where bad files are compiled into a script and then run as a fix. That's what I think this file relates to so just delete it as it is not needed anyway.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  23. garyjwilson

    garyjwilson Private E-2

    Thanks for all your help Kestrel.

    All uninstall instructions carried out. (Never knowingly used Avenger so don't know what that was about.)

    Don't know why, but today AVG asked for a reboot out of the blue and the slow start up is gone!
    Only issue I have is malwarebytes telling me that it is stopping my system making outgoing attempts to contact rogue sites but I can live with that.

    Once again thanks for all your help

    Gary
     
  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Well, it just sounds to me like MBAM is doing its job. Do you have the paid-for version?
     
  25. garyjwilson

    garyjwilson Private E-2

    Hi Kestrel,

    I am using the Malwarebytes Pro with real time protection.
    Prior to the virus I used to get the odd notification of inbound blocks from Malwarebytes, which I assumed was Malwarebytes doing its job.
    Outgoing blocks would seem to indicate that something on my PC is trying to contact rogue sites, with the obvious inference that it may then download something malicious back onto my PC.
    I have enclosed the Malwarebytes log for 09/06/11 to show you just how many blocks it is making and the IPs concerned. Ukraine, Netherlands etc. are listed on some of the early ones I tracked.

    Regards

    Gary
     

    Attached Files:

  26. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I will ask Chaslang to take a look at the log and see what he thinks.
     
  27. garyjwilson

    garyjwilson Private E-2

    Hi Kestrel,

    Re malwarebytes outgoing block issues.
    Through a process of elimination I have discovered the problem is caused by uTorrent. I have uninstalled using "Total Uninstall" and reinstalled a fresh copy, as I do use it.
    The alerts started again upon reinstalling even though I was not downloading or uploading anything. Would you know if this is an error or dangerous for my computer, apart from the obvious of ensuring that any downloaded files are scanned first before use.

    thanks

    Gary
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That was going to be my first suggestion. ;) I saw utorrent in your logs.

    When you complete the final instructions that Kestrel13! posted, you will see that P2P and torrent programs are frowned upon. They are dangerous as they open up the door to your PC to let all kinds of problems in from anywhere in the world. You are allowing ANYONE to connect to you. You don't have to be actively downloading. All you have to do is allow the utorrent program or other P2P program to run. And you run yours immediately upon startup. i.e, you load the below:

    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"


    If you must use it then do not allow it to run at startup and only use when you are using it and then shut it down immediately when you finish. Leaving it running is like leaving the keys in your running car in the Bronx, New York.
     
    Last edited: Jun 10, 2011
