Windows XP Antivirus

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by pacodelucia, Feb 3, 2012.

  1. pacodelucia

    pacodelucia Private E-2

    Hello,

    I went through the read-me and followed all the steps. Here are the logs.

    I was infected with the Windows XP Antivirus a while ago. My computer sometimes will not boot up, but things seem to be better after going through the read-me. However, since I've been infected any web browser I try and start will often take 20 minutes to initially launch, even if the rest of the computer is working properly. I still have this problem after going through the read-me so I'm assuming that there is still malware on the computer.

    Thank you for the help, in advance, and for an awesome website.
     

    Attached Files:

  2. pacodelucia

    pacodelucia Private E-2

    Sas.log attached
     

    Attached Files:

    • Sas.log (618 bytes, 2 views)
  3. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, pacodelucia!

    I want you to read and follow these instructions: TDSSKiller - How to run

    Please download aswMBR to your desktop.
    • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)

    Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    DDS::
    uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;
    DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} - hxxps://antivirus.uwlax.edu/WebInst/WebInst.cab
    Driver::
    MpKsl12ea0993
    FireFox::
    FF - ProfilePath - c:\documents and settings\Jayrod\Application Data\Mozilla\Firefox\Profiles\r2bcag6u.default\
    FF - prefs.js: network.proxy.http_port - 50370
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: network.proxy.type - 0
    FF - user.js: network.proxy.http - user_pref(network.proxy.http_port,);
    FF - user.js: network.proxy.no_proxies_on -
    File::
    C:\Documents and Settings\Jayrod\Local Settings\Application Data\0k6wg7yi8bi1155w717h311gb6sh301kc1x6rfl
    C:\Documents and Settings\Jayrod\Templates\0k6wg7yi8bi1155w717h311gb6sh301kc1x6rfl
    C:\WINDOWS\pchealth\helpctr\binaries\SET584.tmp
    C:\WINDOWS\pchealth\helpctr\binaries\SET688.tmp
    C:\WINDOWS\pchealth\helpctr\binaries\SET754.tmp
    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D5229F40-6C1B-41F7-8EE3-B909C66620F3}\MpKsl12ea0993.sys
    Folder::
    C:\Program Files\Common Files\Viewpoint
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Viewpoint
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Now install the current version of Sun Java from: jre-7u2-windows-i586.exe

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know how the system is running after you have completed these steps.
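    The CFScript above strips leftover network.proxy.* entries from the Firefox prefs.js and user.js files that the DDS log flagged. The following script is an added illustration, not part of thisisu's instructions or of any of the tools named in this thread: it parses Firefox preference lines, reports entries that do not parse (the malformed user.js value in the log is the kind of thing it catches), and classifies the proxy state so a reader can see why port 50370 with proxy type 0 is a dormant leftover rather than an active proxy. The sample preferences and the function names are constructed for this example; the meaning of the network.proxy.type values is taken from Firefox's own preference semantics.

```python
import re

# Firefox stores preferences as lines of the form: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')

# Meaning of network.proxy.type in Firefox: 0 none, 1 manual, 2 PAC URL,
# 4 auto-detect (WPAD), 5 use system settings (the default).
PROXY_TYPES = {0: "no proxy", 1: "manual", 2: "PAC URL", 4: "auto-detect", 5: "system"}

# Constructed sample prefs, modelled on the network.proxy.* entries in the DDS log above.
# The last line is deliberately malformed, like the user.js value the log showed.
SAMPLE_PREFS = """\
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.type", 0);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 50370);
user_pref("network.proxy.no_proxies_on", "");
user_pref("network.proxy.http", user_pref(network.proxy.http_port,););
"""


def parse_value(raw):
    """Convert a prefs.js literal (string, bool or int) to a Python value.

    Anything else raises ValueError so the caller can record the line as malformed.
    """
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    return int(raw)


def parse_prefs(text):
    """Return (prefs dict, list of lines that did not parse)."""
    prefs, malformed = {}, []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("//", "#", "/*")):
            continue
        m = PREF_RE.match(line)
        if not m:
            malformed.append(line)
            continue
        name, raw = m.groups()
        try:
            prefs[name] = parse_value(raw)
        except ValueError:
            malformed.append(line)
    return prefs, malformed


def audit_proxy(prefs):
    """Return a list of (severity, message) findings about the proxy configuration."""
    findings = []
    ptype = prefs.get("network.proxy.type", 5)  # Firefox default: system settings
    host = prefs.get("network.proxy.http")
    port = prefs.get("network.proxy.http_port")
    if ptype == 1:
        findings.append(("high", f"manual HTTP proxy active: {host}:{port}"))
    elif ptype == 2:
        findings.append(("high", f"PAC script configured: {prefs.get('network.proxy.autoconfig_url')}"))
    # Host/port set while type is 0: nothing is proxied, but the values are a leftover worth removing.
    if ptype == 0 and (host or port):
        findings.append(("medium", f"dormant manual proxy settings left behind: {host}:{port} (type 0)"))
    # A loopback proxy that is actually in use means some local process sits in the browser's path.
    if host in ("127.0.0.1", "localhost") and ptype != 0:
        findings.append(("medium", "traffic routed through a local listener; identify the owning process"))
    findings.append(("info", f"proxy type: {PROXY_TYPES.get(ptype, ptype)}"))
    return findings


if __name__ == "__main__":
    prefs, bad = parse_prefs(SAMPLE_PREFS)
    for sev, msg in audit_proxy(prefs):
        print(f"[{sev}] {msg}")
    for line in bad:
        print("[malformed]", line)
```

    To use it on a real profile, read prefs.js and user.js from the profile directory (the ProfilePath line in the DDS log) and pass their contents to parse_prefs; user.js overrides prefs.js, so parse user.js second and merge on top.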
     
  4. pacodelucia

    pacodelucia Private E-2

    Here are the logs. Let me know what I need to do next. Thanks!
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    DDS::
    uInternet Settings,ProxyOverride = 127.0.0.1:9421
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know how things are running afterwards.
     
  6. pacodelucia

    pacodelucia Private E-2

    Here are the logs again. Thank you!
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

    How is the computer running now?
     
  8. pacodelucia

    pacodelucia Private E-2

    It looks like I'm still having the same problems as before. I had trouble getting the computer to start again today, but I was eventually able to get it running.

    I am also still experiencing the same issue once I log on to Windows--everything loads within a minute, but if I try and click on a web browser, it will take at least ten minutes before anything pops up. However, I am still able to run other programs during this time without anything seeming to be wrong.

    Let me know if you need any other information or what else I need to do.

    Thank you again; I appreciate the help.
     
  9. thisisu

    thisisu Malware Consultant

    Let's run a couple more scans.

    Please download RogueKiller to your desktop.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    When it is finished, there will be a log on your desktop called: RKreport[1].txt
    Attach RKreport[1].txt to your next message. (How to attach)

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      ipsec.sys
      lsass.exe
      netbt.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemroot%\system32\drivers\*.sys /lockedfiles
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach)
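    The /md5start ... /md5stop block in the OTL script above hashes a fixed list of system binaries so their digests can be compared with known-good values (a patched tcpip.sys, atapi.sys or userinit.exe is a classic sign of a rootkit). The script below is an added example of that integrity check, written for this thread and not taken from OTL or from thisisu: it hashes the same file names, compares them with a baseline, and reports modified and missing files. The demo builds the files in a temporary directory and takes the baseline from clean copies; on a real system the baseline must come from vendor catalogues or clean install media, never from a machine that may already be infected.

```python
import hashlib
import os
import tempfile

# The file names OTL's /md5start ... /md5stop block checks
CRITICAL_FILES = [
    "afd.sys", "atapi.sys", "csrss.exe", "dhcpcsvc.dll", "explorer.exe",
    "ipsec.sys", "lsass.exe", "netbt.sys", "regedit.exe", "services.exe",
    "svchost.exe", "tcpip.sys", "userinit.exe", "winlogon.exe",
]


def file_digest(path, algo="md5"):
    """Hash a file in chunks. md5 matches what OTL prints; use sha256 for any new baseline."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(root, baseline, algo="md5"):
    """Compare files under root with baseline {name: hex digest}.

    Returns {"ok": [...], "modified": [...], "missing": [...]}, each sorted by name.
    """
    result = {"ok": [], "modified": [], "missing": []}
    for name, expected in sorted(baseline.items()):
        path = os.path.join(root, name)
        if not os.path.exists(path):
            result["missing"].append(name)
        elif file_digest(path, algo) == expected:
            result["ok"].append(name)
        else:
            result["modified"].append(name)
    return result


def demo():
    """Constructed scenario: clean copies, then one patched driver and one deleted file."""
    with tempfile.TemporaryDirectory() as root:
        for name in CRITICAL_FILES:
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"known-good contents of " + name.encode())
        # Baseline from the clean copies (stand-in for vendor hashes / clean media)
        baseline = {n: file_digest(os.path.join(root, n)) for n in CRITICAL_FILES}
        with open(os.path.join(root, "tcpip.sys"), "ab") as f:
            f.write(b"\x90\x90 appended bytes")  # simulated tampering
        os.remove(os.path.join(root, "userinit.exe"))  # simulated deleted file
        return verify(root, baseline)


if __name__ == "__main__":
    report = demo()
    for status in ("modified", "missing", "ok"):
        print(f"{status:8s} {', '.join(report[status]) or '-'}")
```

    Against a live Windows XP system you would point verify at C:\WINDOWS\system32 (and system32\drivers for the .sys files) and supply a baseline dictionary of trusted digests; a file that is "ok" by hash but still behaves oddly is a reason to look at the MBR and drivers, which is where this thread goes next.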
     
  10. pacodelucia

    pacodelucia Private E-2

    Hello again,

    Here are the logs. Let me know what's next. Thank you.
     

    Attached Files:

  11. thisisu

    thisisu Malware Consultant

    There is not much malware in these logs. I would like to restore a Windows XP MBR to your system first. To be safe, I recommend backing up your data to another source at least temporarily. Usually this process goes without any problems but malware is constantly improving. Better safe than sorry ;)

    When you have done so, I would like you to click the FixMBR button while in aswMBR.

    Then scan with aswMBR again and attach the newest log for review. Once it's clean, I will help you remove the final traces of malware.
     
  12. thisisu

    thisisu Malware Consultant

    Note: I've tried removing this proxy a couple of times now: 127.0.0.1:9421

    It seems rather stubborn. I am thinking an infected MBR is preventing its deletion.
     
  13. pacodelucia

    pacodelucia Private E-2

    Here is the log. Thanks again :)
     

    Attached Files:

  14. thisisu

    thisisu Malware Consultant

    Ok that looks good. Now to attempt to remove the remaining traces:

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :otl
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421
    IE - HKU\S-1-5-21-1492226861-1675625526-1261393137-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421
    O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab (Java Plug-in 1.4.0)
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [18 C:\WINDOWS\Fonts\*.tmp files -> C:\WINDOWS\Fonts\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [2011/05/14 08:51:02 | 000,012,532 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\0k6wg7yi8bi1155w717h311gb6sh301kc1x6rfl
    [2006/03/12 14:18:49 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Jayrod\Application Data\PFP120JPR.{PB
    [2006/03/12 14:18:49 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Jayrod\Application Data\PFP120JCM.{PB
    @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Jayrod\My Documents\list.rtf:SummaryInformation
    :files
    C:\Program Files\Common Files\Viewpoint
    ipconfig /flushdns /c
    dir /s "C:\WINDOWS\Fonts\" /c
    :commands
    [purity]
    [emptytemp]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
    Last edited: Feb 7, 2012
  15. pacodelucia

    pacodelucia Private E-2

    Here are the two logs.
     

    Attached Files:

  16. thisisu

    thisisu Malware Consultant

    C:\Documents and Settings\Jayrod\Local Settings\Application Data\ggbrepgka <-- Delete this folder

    127.0.0.1:9421 apparently is not bad. It's being recreated by the Akamai software you have installed. ;) If you're interested, read this.
    If you are still experiencing issues with your browser, you may want to temporarily uninstall "Akamai NetSession Interface Service" to see if this resolves them. The rest of your logs are clean and this is no longer a malware issue.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
    Last edited: Feb 8, 2012
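    The resolution above turns on what the ProxyOverride value actually is: it is the proxy bypass list (addresses that should not go through the configured proxy), not a proxy server, and with ProxyEnable set to 0 it has no effect on traffic at all, which is why a loopback entry written by a local helper such as Akamai NetSession kept coming back and was harmless. The script below is an added example for this thread, not something thisisu or the tools here ship: it parses a Windows .reg export of the Internet Settings keys for each user hive, reads ProxyEnable, ProxyServer and ProxyOverride, and classifies each bypass entry so the reader can tell an inert loopback bypass from an enabled proxy server. The .reg text is constructed for the example; the hive names and the 127.0.0.1:9421 value mirror the OTL lines earlier in the thread, while the third hive's enabled proxy is invented to show the contrasting case.

```python
import re

# Constructed .reg export shaped like the three Internet Settings keys OTL listed above.
# Only the third hive has a proxy actually enabled (invented for contrast).
SAMPLE_REG = """\
Windows Registry Editor Version 5.00

[HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings]
"ProxyEnable"=dword:00000000
"ProxyOverride"="127.0.0.1:9421"

[HKEY_USERS\\S-1-5-18\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings]
"ProxyEnable"=dword:00000000
"ProxyOverride"="127.0.0.1:9421"

[HKEY_USERS\\S-1-5-21-1492226861-1675625526-1261393137-1005\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="10.9.8.7:3128"
"ProxyOverride"="<local>;127.0.0.1:9421;*.example.test"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key path: {value name: value}} for string and dword values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys[current] = {}
            continue
        vm = VAL_RE.match(line)
        if vm and current is not None:
            name, raw = vm.groups()
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[len("dword:"):], 16)
            elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
                # .reg files escape backslashes and quotes inside strings
                keys[current][name] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys


def classify_override(entry):
    """Label one ProxyOverride entry: <local> token, loopback host, or anything else."""
    entry = entry.strip()
    if entry == "<local>":
        return "local-intranet"
    host = entry.split(":")[0]
    if host in ("127.0.0.1", "localhost", "::1"):
        return "loopback"
    return "other"


def audit_proxy_settings(reg):
    """One report per Internet Settings key: hive, whether a proxy is enabled, and the bypass list."""
    reports = []
    for key, values in reg.items():
        if not key.lower().endswith("\\internet settings"):
            continue
        hive = key.split("\\")[1]  # '.DEFAULT' or a user SID under HKEY_USERS
        entries = [e for e in values.get("ProxyOverride", "").split(";") if e.strip()]
        reports.append({
            "hive": hive,
            "proxy_enabled": bool(values.get("ProxyEnable", 0)),
            "proxy_server": values.get("ProxyServer"),
            "bypass": {e.strip(): classify_override(e) for e in entries},
        })
    return reports


if __name__ == "__main__":
    for r in audit_proxy_settings(parse_reg(SAMPLE_REG)):
        state = f"proxy ON via {r['proxy_server']}" if r["proxy_enabled"] else "proxy OFF (bypass list inert)"
        print(f"{r['hive']}: {state}; bypass = {r['bypass']}")
```

    In practice the export comes from `reg export HKU proxy.reg` run as an administrator; entries classified "loopback" with the proxy disabled are the Akamai-style case from this thread, whereas an enabled ProxyServer pointing somewhere the user did not configure is the finding that actually deserves attention.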
  17. pacodelucia

    pacodelucia Private E-2

    Thank you so much for the help.

    I am still having the same issues but it is good to know that at least all the malware is off the computer and I can safely use it to browse the web.

    Thanks again!
     
  18. thisisu

    thisisu Malware Consultant

    No problem. Surf safely!
     
