Ran Malware and still having problem!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by emanpa, Oct 11, 2011.

  1. emanpa

    emanpa Private E-2

My email will not send or receive. When I start the computer I get the following: c\windows\certshta.dll module could not be found. When I ran malware, combofix would not finish, ran for hours and then the computer shut down. I have attached the logs for sas, mbgm and mgtools. Pages also load automatically in explorer. Any assistance would be greatly appreciated!
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a Zero Access infection.


    • Go to the below link and follow the instructions for running TDSSKiller from Kaspersky
    • Be sure to attach your log from TDSSKiller

    Now please also download MBRCheck to your desktop.

    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
    Uninstall the below software:
    Ask Toolbar
    Best Buy Software Installer
    Java(TM) 6 Update 23

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
    O3 - Toolbar: Avery Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
    O4 - HKCU\..\Run: [charkmgr] "rundll32" "C:\Windows\certshta.dll",CreateProcessNotify
    O4 - .DEFAULT User Startup: Best Buy Software Installer.lnk = C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (User 'Default user')
    O23 - Service: PEVSystemStart - Unknown owner - C:\ComboFix\pev.3XE

    After clicking Fix, exit HJT.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the log from TDSSKiller
    • the log from MBRcheck
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
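The HijackThis lines chaslang selected above are a good illustration of what to look for in such a log. The script below is an added example, not part of the thread or of the MGtools/HijackThis tooling: it runs a few triage rules over a constructed copy of those lines (plus one benign Java Run entry as a control) and flags the rundll32 persistence, the bundled toolbar entries and the unknown-owner service. The vendor list and the rule thresholds are assumptions for illustration.

```python
import re

# Constructed sample: the HijackThis lines quoted in the thread above, plus one
# benign HKLM Run entry (constructed) as a control that must not be flagged.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Avery Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
O4 - HKCU\..\Run: [charkmgr] "rundll32" "C:\Windows\certshta.dll",CreateProcessNotify
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O23 - Service: PEVSystemStart - Unknown owner - C:\ComboFix\pev.3XE
"""

# Assumption: directory names of vendors whose BHOs/toolbars we treat as bundled PUPs.
PUP_VENDOR_DIRS = ("ask.com",)

# rundll32 launching a DLL that sits directly in \Windows\ (not System32/SysWOW64),
# the certshta.dll persistence pattern seen in this thread.
RUNDLL_WINROOT = re.compile(r'rundll32"?\s+"?([a-z]:\\windows\\[^\\"]+\.dll)', re.I)


def triage_line(line: str):
    """Return a (tag, reason) pair when the line merits review, else None."""
    kind = line.split(" - ", 1)[0].strip()  # e.g. "O4"
    low = line.lower()
    if kind in ("O2", "O3") and any(v in low for v in PUP_VENDOR_DIRS):
        return ("pup-toolbar", "BHO/toolbar from a bundled-software vendor directory")
    if kind == "O4":
        m = RUNDLL_WINROOT.search(line)
        if m:
            return ("suspicious-run-key",
                    f"rundll32 loads {m.group(1)} from the Windows root directory")
    if kind == "O23" and "unknown owner" in low:
        image = line.rsplit(" - ", 1)[-1].strip()
        # pev.3XE here belongs to ComboFix; it is surfaced only because an
        # unknown-owner service with a non-.exe image path is worth a look.
        if not image.lower().endswith(".exe"):
            return ("odd-service-image", f"service image {image} has an unusual extension")
    return None


def triage_hjt(log: str):
    """Triage every non-empty line; returns a list of (tag, reason, line)."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], hit[1], line))
    return findings


if __name__ == "__main__":
    for tag, reason, line in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{tag}] {reason}\n    {line}")
```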
     
  3. emanpa

    emanpa Private E-2

    My email is still not working, can not send or receive from Outlook. I did not have an avenger.txt log, but had the other 3 logs. Any more suggestions would be greatly appreciated. Thanks!
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not extract avenger.exe from the ZIP file. You cannot run the procedure with the executable program still inside of the ZIP. You need to have avenger.exe directly on your Desktop and not inside the Avenger.zip file which is on your Desktop. Try again from the Avenger procedure thru to the end (but I don't need new logs from MBRcheck or TDSSkiller. Just the Avenger log and the new MGlogs.zip.).
     
  5. emanpa

    emanpa Private E-2

    I did extract the zip file for avenger and placed avenger.exe on the desktop. When the computer reboots, I do not get a popup and do not have a log. I ran the remaining instructions and have attached the MGlogs.zip file. The internet is still randomly going to sites and I can not send or receive in emails in Outlook. Any further assistance would be greatly appreciated!
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now avenger.exe is on your Desktop. It was not at the time you posted your previous logs. Last time, only Avenger.zip was on your Desktop.

    Yes and it will continue to be this way until the fixes we are trying to make with Avenger get applied. Since Avenger does not seem to be working, let's try it a different way.


    Download OTL by Old Timer and save it to your Desktop.

    See the download links under this icon http://www.majorgeeks.com/images/dll.gif


    • Double-click OTL.exe to start the program.
    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code
      Code:
      :processes
      :files
      C:\Windows\assembly\GAC_32\Desktop.ini
      C:\Windows\assembly\GAC_64\Desktop.ini
      C:\Windows\assembly\tmp\click.tlb
      C:\Windows\assembly\tmp\loader.tlb
      C:\Windows\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
      C:\Windows\assembly\tmp\U\000000c0.@
      C:\Windows\assembly\tmp\U\000000cb.@
      C:\Windows\assembly\tmp\U\000000cf.@
      C:\Windows\assembly\tmp\U\80000000.@
      C:\Windows\assembly\tmp\U\800000c0.@
      C:\Windows\assembly\tmp\U\800000cb.@
      C:\Windows\assembly\tmp\U\800000cf.@
      C:\Windows\assembly\tmp\U
      C:\Users\Josie\AppData\Local\4faa92a4
      C:\Windows\TEMP\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb
      C:\Windows\TEMP\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D12}.tlb
      C:\Users\Josie\Local Settings\TEMP\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb
      C:\Users\Josie\Local Settings\TEMP\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D12}.tlb 
      C:\Windows\System32\drivers\auurwg.sys
      C:\Windows\System32\drivers\mbgdvlj.sys
      C:\Windows\System32\drivers\vfntgyyt.sys
      C:\Windows\System32\drivers\vjpltfrk.sys
      C:\Windows\System32\drivers\yqkdofm.sys
      C:\Windows\SysWOW64\drivers\auurwg.sys
      C:\Windows\SysWOW64\drivers\mbgdvlj.sys
      C:\Windows\SysWOW64\drivers\vfntgyyt.sys
      C:\Windows\SysWOW64\drivers\vjpltfrk.sys
      C:\Windows\SysWOW64\drivers\yqkdofm.sys
      :commands
      [PURITY]
      [EMPTYTEMP]
      [RESETHOSTS]
      [CREATERESTOREPOINT]
      [CLEARALLRESTOREPOINTS]
      [REBOOT]
      
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close Notepad and attach this log from OTL to your next message.
     
    Last edited: Oct 13, 2011
  7. emanpa

    emanpa Private E-2

    Well, I ran OTL and my email now works! Everything seems fine so far! Any other steps I need to take? I have attached the OTL log. Thanks so very much!
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    See if ComboFix can be run now.


    Also now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\combofix.txt log if it runs now
    • C:\MGlogs.zip
     
  9. emanpa

    emanpa Private E-2

    Well, I attempted to run Combo Fix, it ran through stage 48 and got hung up for over 24 hours and did not complete; therefore, I have no log for combofix. I then ran MGtools\getlogs.bat and have attached the log. Anything further I should do? Thanks again for all your help!
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now please save Win32kDiag file to your desktop.
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log
    "%userprofile%\desktop\win32kdiag.exe" -f -r


    Now we need to scan the system with a Microsoft/SysInternals program named Junction.
    • Please download Junction.zip and save it to your root folder (C:\Junction.zip)
    • Unzip it and put junction.exe in the root folder (C:\junction.exe). Make sure that you get the exe file in the root folder. The default may be to put the exe into a folder named junction. If you don't do this correctly, the below will not work.
    • Now click Start => Run... => Copy and paste the following command in the run box and click OK:
      cmd /c junction -s c:\ >C:\log.txt
    • A command prompt window opens and also a license agreement from SysInternals will appear.
    • Accept the license agreement and the scan will begin.
    • Wait until a log file opens. Attach this C:\log.txt when it finishes (the command prompt window will close when it finishes). (How to attach items to your post)
    • NOTE: It scans your whole hard disk so it can take a long time. Be patient and don't do anything else while it is scanning.
     
  11. emanpa

    emanpa Private E-2

    Ok, I have attached the 2 requested logs. When the junction.exe command line ran, a dialog box popped up for a second and then the log.txt file appeared. When I attempt to upload the log.txt, it will not upload; upload failed. Thanks!
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What is the size of the log.txt file from Junction? If it is very large, that is why it cannot be uploaded. Put it into a ZIP file and attach that.
     
  13. emanpa

    emanpa Private E-2

    Actually, the log file is 0 KB. I downloaded everything to the root drive and followed your directions. Did I do something incorrectly? When the junction ran the window popped up for a second and then nothing happened. When I checked the c: I found the log.txt. Thanks, again.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Press and hold the Windows key ( to the left of your space bar ) and hit the 'r' key at the same time. This should bring up the run box.

    In the run box enter cmd and click OK. This should open a command prompt window.

    If you just simply enter the below, tell me what happens (note there are no spaces in this, and do not leave out the colon or the \).

    C:\junction.exe
     
  15. emanpa

    emanpa Private E-2

    When I did the cmd and then c:\junction.exe, I received a message dialog box which asked me if I agree. I accepted, then got the following message and prompt which is displayed in the pdf attachment.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that's good. Now do the below.




    Now we need to reset the permissions altered by the malware on some files.
    • Download and save inherit.exe to your Desktop: Inherit.exe
    • It must be in your Desktop or the below fix will not work!
    Now run the C:\MGtools\FixPerm.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).
    • A command prompt window opens and also a license agreement from SysInternals will appear for Junction.
    • Accept the license agreement and the scan will begin.
    • Wait until it finishes. It can take a while to run since it scans your whole hard disk. Be patient and don't do anything else while it is scanning.
    • The command prompt window should close when it finishes.
    • While this is running, you will get several/many popups that have a title Finish and say OK. Just click the OK button each time. This is an indication that it has found a file and has attempted to fix permissions. Depending on how many files that need to be fixed, you could get only a few or many of these popups.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\MGlogs.zip
     
  17. emanpa

    emanpa Private E-2

    Boy, I am certainly glad you know what you are doing because I am totally out of my league! I followed your directions and have attached the new MGlogs.zip. Thanks again!
     

    Attached Files:

  18. thisisu

    thisisu Malware Consultant

    Hi,

    chaslang has asked me to help you while he is busy with other projects at the moment.

    http://img32.imageshack.us/img32/3342/grantperms.gif Please download GrantPerms by Farbar to your desktop.
    • Open GrantPerms.zip and extract GrantPerms.exe to your desktop.
    • Run GrantPerms.exe by double-clicking on it. (Vista and Win7 right-click and select Run as administrator)
    • Copy the text in the below code box and paste it into the text-field available in GrantPerms.
      Code:
      C:\Windows\Microsoft.NET\assembly\GAC_32
      C:\Windows\System32\LogFiles\WMI
      C:\Users\All Users\Microsoft\Crypto
      C:\ProgramData\Microsoft\Crypto
      
    • Now click the Unlock button.
    • Click the OK button when you see Unlock operation completed.
    • Now click the List Permissions button.
      Note: Notepad will open afterwards. DO NOT EDIT THE INFORMATION INSIDE!
    • This Perms.txt log file is on your desktop.
    • Attach Perms.txt to your next message. (How to attach items to your post)

    http://img225.imageshack.us/img225/2641/win32diag.gif Please rerun Win32kDiag.exe as was described in post #10. Attach its latest log (How to attach items to your post)

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
     
  19. emanpa

    emanpa Private E-2

    Well, thank you for also helping me! I have followed your instructions for the GrantPerms and attached the log file. Please let me know what to do next. Thanks again for all your assistance!:)
     

    Attached Files:

  20. thisisu

    thisisu Malware Consultant

  21. emanpa

    emanpa Private E-2

    Oops! Sorry, I completed the win32kDiag.exe now and have attached the log. Thanks, again!
     

    Attached Files:

  22. thisisu

    thisisu Malware Consultant

    Your logs look good. Are you having any problems?
     
  23. emanpa

    emanpa Private E-2

    Everything seems to be working fine at the moment! Thanks for all your assistance! Is there any thing else I should do?:)
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  25. emanpa

    emanpa Private E-2

    Thank you so much for all your time and assistance!:)
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
