is it a rootkit or is my pc down?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by lazarro, Mar 24, 2012.

  1. lazarro

    lazarro Private E-2

    Hello, this morning I was working on my computer and suddenly Windows Live Messenger just closed for no apparent reason. So I downloaded XueTr to help me find out if it's a rootkit, but I can't read the logs. The computer lags a little but nothing serious. I've had trojan and MBR infections in the past but someone cleaned them for me. Maybe that person did not clean everything and the infections are back, I have no idea. I don't know if you consider that an infection, but when I use the mouse pad on my laptop to get the page up and down like using a mouse wheel it cannot get all the way down anymore. I scanned with SUPERAntiSpyware and it found something, but I don't think it was really an infection. Malwarebytes picked up only files from a software I am using to watch movies. I can't understand what the Combofix and MGTools logs are. RootRepeal could not run so I did a GMER log instead.
     

    Attached Files:

  2. lazarro

    lazarro Private E-2

    GMER log. I know it wasn't in the Read and Run but RootRepeal doesn't want to run on my system
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run


    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
     
  4. lazarro

    lazarro Private E-2

    Hi, here are the logs you asked for.
     

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Did you indeed fix what Malware Bytes found? It says you took no action...


    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    After clicking Fix exit HJT.


    Now we need to use ComboFix by sUBs

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    C:\Users\HP\AppData\Local\{027A26C9-9BE5-4764-831D-A9817C67A1D7}
    C:\Users\HP\AppData\Local\{032B643E-5E4A-4EF8-B48E-7FC3AA07A57F}
    C:\Users\HP\AppData\Local\{08A6F37D-4F39-4AB8-AD2C-5C0D0E619455}
    C:\Users\HP\AppData\Local\{0C81A362-6E33-41E2-ABA9-4592C3936E63}
    C:\Users\HP\AppData\Local\{0C8F89AC-E1D1-4AAB-A48C-F0DE74C4C706}
    C:\Users\HP\AppData\Local\{0F0C82CC-2767-4527-BC53-8A93F96C6100}
    C:\Users\HP\AppData\Local\{10CBC133-27A0-4C2B-9312-3D01459A1C71}
    C:\Users\HP\AppData\Local\{112F2525-570C-4ED2-A241-815FFCEF4F2D}
    C:\Users\HP\AppData\Local\{15C7B48A-538A-4721-AA73-37F30269D3A6}
    C:\Users\HP\AppData\Local\{166753E6-33BF-4211-91A4-30DBAAE08399}
    C:\Users\HP\AppData\Local\{18FD3D2C-ECA8-4DA9-B35C-DD67A9E4A946}
    C:\Users\HP\AppData\Local\{197647EE-AF65-4642-85FD-444494733387}
    C:\Users\HP\AppData\Local\{19E092B8-C665-430D-9810-7BDDAD3EDAAC}
    C:\Users\HP\AppData\Local\{1A5CC70A-AFD5-4291-BAA4-CA65CEC64F79}
    C:\Users\HP\AppData\Local\{1ACEBC02-8195-4727-B8FB-140F5ACB6B4C}
    C:\Users\HP\AppData\Local\{277DEACA-D437-4E6A-95FD-613373BBDBDD}
    C:\Users\HP\AppData\Local\{286D62AD-D5CB-4700-9D62-9279EDBEEB5F}
    C:\Users\HP\AppData\Local\{2911E378-626A-42B9-A77E-DBF769567315}
    C:\Users\HP\AppData\Local\{2961E63A-C184-4D50-9444-C2E0D0D6F9A2}
    C:\Users\HP\AppData\Local\{2A024703-4C8E-4628-9041-A06A34AE8468}
    C:\Users\HP\AppData\Local\{2A0E76BF-E50F-4F30-91A6-0657996D12A8}
    C:\Users\HP\AppData\Local\{2E1D123C-AA76-45A5-9BCC-E153EA03D85A}
    C:\Users\HP\AppData\Local\{2EE69B38-65A1-4B8E-9D21-EB361AAD1326}
    C:\Users\HP\AppData\Local\{339DFBCD-F740-4607-B8C9-EF98133FAB8C}
    C:\Users\HP\AppData\Local\{370C60B9-D41D-4EED-B98E-793FB6DFEAC8}
    C:\Users\HP\AppData\Local\{3A9E7A46-E87B-4120-B388-4FE25EE3F620}
    C:\Users\HP\AppData\Local\{3B02161A-2F0A-4BB3-9A20-C77557DA1A0C}
    C:\Users\HP\AppData\Local\{3C3E82F8-0E05-4182-84A4-518963F8AA49}
    C:\Users\HP\AppData\Local\{3D1452C5-B33F-42AC-A1EC-FA077ED51D70}
    C:\Users\HP\AppData\Local\{45A3381C-7D92-4D78-9091-36E0A6071AC4}
    C:\Users\HP\AppData\Local\{4A2538A5-E029-4552-9D80-AD64199435FF}
    C:\Users\HP\AppData\Local\{5036582B-F019-4B9E-8627-AF796F70D582}
    C:\Users\HP\AppData\Local\{5067C80A-C355-4E58-9048-57FEF05A0F43}
    C:\Users\HP\AppData\Local\{50954320-44C5-4DF9-9E01-F97EB20928F0}
    C:\Users\HP\AppData\Local\{588E4883-8123-4CCC-A3DC-8C386A594BA0}
    C:\Users\HP\AppData\Local\{5AA4B409-D43B-4C80-9B81-94E851822FB3}
    C:\Users\HP\AppData\Local\{5D185CD6-9541-4CC3-BFFA-37D1910A76E4}
    C:\Users\HP\AppData\Local\{5D4B8373-88DF-43B5-A14F-63CE434E6EAD}
    C:\Users\HP\AppData\Local\{5D56CA6C-520B-419E-B782-F1776B3F7486}
    C:\Users\HP\AppData\Local\{5D69A275-566F-4560-B173-8D4A857DC88E}
    C:\Users\HP\AppData\Local\{5E60C3A6-24E9-4DA0-9F33-27EAD141CCAE}
    C:\Users\HP\AppData\Local\{5ECA3EA3-4BF5-440F-8F12-DCB3DA4DA769}
    C:\Users\HP\AppData\Local\{6361BBC7-11FB-4160-92EA-89B00B80A4B4}
    C:\Users\HP\AppData\Local\{636EECE3-9CA0-47A0-BA58-D90A4796DF53}
    C:\Users\HP\AppData\Local\{6AEE963E-FDD3-40F4-8A74-04C6492B6C5C}
    C:\Users\HP\AppData\Local\{72DAAF8A-E744-4AB7-9D7E-79D50CF093FC}
    C:\Users\HP\AppData\Local\{7483DD95-FE5E-403E-9691-2D9570A67F9E}
    C:\Users\HP\AppData\Local\{77B8B5E2-8826-4755-83E6-5B90ECF43210}
    C:\Users\HP\AppData\Local\{7AD5CB97-3DA0-4878-AD4A-2D611BB68751}
    C:\Users\HP\AppData\Local\{7FBEC8D6-E3D2-4C61-B79F-F104CCC71F49}
    C:\Users\HP\AppData\Local\{824FD255-EAE1-466D-9F35-3228D1D56662}
    C:\Users\HP\AppData\Local\{8AA9C0BF-3529-4516-B204-3696BF62C5E8}
    C:\Users\HP\AppData\Local\{8C6E5237-69B7-4691-A933-395C94DA06C6}
    C:\Users\HP\AppData\Local\{8CCE098F-48DF-42DB-B217-833EE79A7F75}
    C:\Users\HP\AppData\Local\{8E665CE2-3CB3-402D-B330-99404C37368E}
    C:\Users\HP\AppData\Local\{91ECDC8A-866F-4A6E-861D-904F83140EB6}
    C:\Users\HP\AppData\Local\{9441DC85-99ED-4B16-97A0-198363595598}
    C:\Users\HP\AppData\Local\{97BB8B90-39B0-4BFE-B39E-A88236D3DB42}
    C:\Users\HP\AppData\Local\{9BBF8255-3A29-4373-A6E4-49389F58D96A}
    C:\Users\HP\AppData\Local\{9CE0CC8D-853E-41EE-AEB9-95A9F9B3F3D0}
    C:\Users\HP\AppData\Local\{9F2B43D0-B65E-408A-9CD3-12C7D890896C}
    C:\Users\HP\AppData\Local\{A1AFD9BF-4CC2-4555-8008-CC86AF0787EF}
    C:\Users\HP\AppData\Local\{A268B29C-E3B2-4A83-8BA2-8BB8B062B0E1}
    C:\Users\HP\AppData\Local\{A4BEB3FC-C4B8-41C9-8350-09855C5ADF67}
    C:\Users\HP\AppData\Local\{A51E2538-0D60-440E-A7B6-9118E91EF682}
    C:\Users\HP\AppData\Local\{A943B15B-DD33-48ED-B8A5-00194698A974}
    C:\Users\HP\AppData\Local\{AA44F6E6-20C2-4A60-8215-BEEBF14FE673}
    C:\Users\HP\AppData\Local\{AABDD0F3-287A-4C93-9A8C-B7528560DD0E}
    C:\Users\HP\AppData\Local\{AAFD40DE-528C-4182-B207-5B1C3D031265}
    C:\Users\HP\AppData\Local\{AE3B2329-1889-44FB-AE5B-1EA8CA548852}
    C:\Users\HP\AppData\Local\{B6A3712A-E5D8-4395-8A25-8C36A5EF53A8}
    C:\Users\HP\AppData\Local\{B88FAED5-F3E2-470D-8D26-E0A69B6CF493}
    C:\Users\HP\AppData\Local\{B890A72B-DCCE-4081-A7C6-7DDEB0FFEE08}
    C:\Users\HP\AppData\Local\{B91907E3-A57C-4256-9E00-728EB40CB926}
    C:\Users\HP\AppData\Local\{B9CA44BB-9588-4BD6-866B-3AA473DCBA3C}
    C:\Users\HP\AppData\Local\{BB356A6F-77CB-45C7-83C3-20771800D512}
    C:\Users\HP\AppData\Local\{BC7B5FE2-A10A-43F9-9536-C05C976970ED}
    C:\Users\HP\AppData\Local\{BCB8403E-E125-45DA-B70E-D0E5AB229616}
    C:\Users\HP\AppData\Local\{BE2FE5D9-6C15-478F-8376-453085B91977}
    C:\Users\HP\AppData\Local\{BE44F931-B076-42F4-9B55-83227F71966B}
    C:\Users\HP\AppData\Local\{C8DA2A6C-A835-46B4-986B-C61EA78EA205}
    C:\Users\HP\AppData\Local\{C8DA8466-3278-4CF8-99CE-AF416C59E087}
    C:\Users\HP\AppData\Local\{D3FFEBD7-8D84-41CA-B7CA-24AF3B8393A5}
    C:\Users\HP\AppData\Local\{D46F9ED6-8357-489A-963F-F2D829AAA67A}
    C:\Users\HP\AppData\Local\{D4F67F1F-B291-4EE9-9A45-8441B7F02763}
    C:\Users\HP\AppData\Local\{D598CDAC-AB79-4AD6-9EF9-E731044BFC1A}
    C:\Users\HP\AppData\Local\{D7DC15C6-1CC9-4150-BAC3-ED772F2E8382}
    C:\Users\HP\AppData\Local\{D9563FA2-A2FA-4C29-93DD-F9BD9E7FDAB9}
    C:\Users\HP\AppData\Local\{DC994BF3-AB3A-4344-AF3A-E8DCF0842FD5}
    C:\Users\HP\AppData\Local\{DDE3B909-7114-40CF-9FE9-E77981621E32}
    C:\Users\HP\AppData\Local\{DF06865C-5733-4C3B-8048-FB7DA5596870}
    C:\Users\HP\AppData\Local\{E0A1CD9E-A25B-4AAD-9A6B-EA30D27E8C73}
    C:\Users\HP\AppData\Local\{E222B164-F8B9-4EEA-BA7D-3BF791E65C14}
    C:\Users\HP\AppData\Local\{E61AAC1C-0A9C-4AFD-84BD-E1811919BBB7}
    C:\Users\HP\AppData\Local\{EA47F593-E1D7-4500-9726-8F15E1B6070B}
    C:\Users\HP\AppData\Local\{EE4D62AD-BDE8-4863-880C-800E290DE8B5}
    C:\Users\HP\AppData\Local\{EEDCA06E-2711-45CA-B9D1-45693BDF5C35}
    C:\Users\HP\AppData\Local\{F6676FCB-2B23-4B28-996F-3D5046474511}
    C:\Users\HP\AppData\Local\{FD526730-85B9-47AA-9250-27B43CF1DA81}
    C:\Users\HP\AppData\Local\{FEFD884C-82EB-42EF-A14D-CAFA7CF46CD4}
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  6. lazarro

    lazarro Private E-2

    Hello, I did not delete anything that Malwarebytes found because all the files are from the Funshion program, a program I use to watch movies. I did the HijackThis fix and the ComboFix also. The log of the MGTools is attached.
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now we need to use ComboFix by sUBs

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Folder::
    C:\Users\HP\AppData\Local\{027A26C9-9BE5-4764-831D-A9817C67A1D7}
    C:\Users\HP\AppData\Local\{032B643E-5E4A-4EF8-B48E-7FC3AA07A57F}
    C:\Users\HP\AppData\Local\{08A6F37D-4F39-4AB8-AD2C-5C0D0E619455}
    C:\Users\HP\AppData\Local\{0C81A362-6E33-41E2-ABA9-4592C3936E63}
    C:\Users\HP\AppData\Local\{0C8F89AC-E1D1-4AAB-A48C-F0DE74C4C706}
    C:\Users\HP\AppData\Local\{0F0C82CC-2767-4527-BC53-8A93F96C6100}
    C:\Users\HP\AppData\Local\{10CBC133-27A0-4C2B-9312-3D01459A1C71}
    C:\Users\HP\AppData\Local\{112F2525-570C-4ED2-A241-815FFCEF4F2D}
    C:\Users\HP\AppData\Local\{15C7B48A-538A-4721-AA73-37F30269D3A6}
    C:\Users\HP\AppData\Local\{166753E6-33BF-4211-91A4-30DBAAE08399}
    C:\Users\HP\AppData\Local\{18FD3D2C-ECA8-4DA9-B35C-DD67A9E4A946}
    C:\Users\HP\AppData\Local\{197647EE-AF65-4642-85FD-444494733387}
    C:\Users\HP\AppData\Local\{19E092B8-C665-430D-9810-7BDDAD3EDAAC}
    C:\Users\HP\AppData\Local\{1A5CC70A-AFD5-4291-BAA4-CA65CEC64F79}
    C:\Users\HP\AppData\Local\{1ACEBC02-8195-4727-B8FB-140F5ACB6B4C}
    C:\Users\HP\AppData\Local\{277DEACA-D437-4E6A-95FD-613373BBDBDD}
    C:\Users\HP\AppData\Local\{286D62AD-D5CB-4700-9D62-9279EDBEEB5F}
    C:\Users\HP\AppData\Local\{2911E378-626A-42B9-A77E-DBF769567315}
    C:\Users\HP\AppData\Local\{2961E63A-C184-4D50-9444-C2E0D0D6F9A2}
    C:\Users\HP\AppData\Local\{2A024703-4C8E-4628-9041-A06A34AE8468}
    C:\Users\HP\AppData\Local\{2A0E76BF-E50F-4F30-91A6-0657996D12A8}
    C:\Users\HP\AppData\Local\{2E1D123C-AA76-45A5-9BCC-E153EA03D85A}
    C:\Users\HP\AppData\Local\{2EE69B38-65A1-4B8E-9D21-EB361AAD1326}
    C:\Users\HP\AppData\Local\{339DFBCD-F740-4607-B8C9-EF98133FAB8C}
    C:\Users\HP\AppData\Local\{370C60B9-D41D-4EED-B98E-793FB6DFEAC8}
    C:\Users\HP\AppData\Local\{3A9E7A46-E87B-4120-B388-4FE25EE3F620}
    C:\Users\HP\AppData\Local\{3B02161A-2F0A-4BB3-9A20-C77557DA1A0C}
    C:\Users\HP\AppData\Local\{3C3E82F8-0E05-4182-84A4-518963F8AA49}
    C:\Users\HP\AppData\Local\{3D1452C5-B33F-42AC-A1EC-FA077ED51D70}
    C:\Users\HP\AppData\Local\{45A3381C-7D92-4D78-9091-36E0A6071AC4}
    C:\Users\HP\AppData\Local\{4A2538A5-E029-4552-9D80-AD64199435FF}
    C:\Users\HP\AppData\Local\{5036582B-F019-4B9E-8627-AF796F70D582}
    C:\Users\HP\AppData\Local\{5067C80A-C355-4E58-9048-57FEF05A0F43}
    C:\Users\HP\AppData\Local\{50954320-44C5-4DF9-9E01-F97EB20928F0}
    C:\Users\HP\AppData\Local\{588E4883-8123-4CCC-A3DC-8C386A594BA0}
    C:\Users\HP\AppData\Local\{5AA4B409-D43B-4C80-9B81-94E851822FB3}
    C:\Users\HP\AppData\Local\{5D185CD6-9541-4CC3-BFFA-37D1910A76E4}
    C:\Users\HP\AppData\Local\{5D4B8373-88DF-43B5-A14F-63CE434E6EAD}
    C:\Users\HP\AppData\Local\{5D56CA6C-520B-419E-B782-F1776B3F7486}
    C:\Users\HP\AppData\Local\{5D69A275-566F-4560-B173-8D4A857DC88E}
    C:\Users\HP\AppData\Local\{5E60C3A6-24E9-4DA0-9F33-27EAD141CCAE}
    C:\Users\HP\AppData\Local\{5ECA3EA3-4BF5-440F-8F12-DCB3DA4DA769}
    C:\Users\HP\AppData\Local\{6361BBC7-11FB-4160-92EA-89B00B80A4B4}
    C:\Users\HP\AppData\Local\{636EECE3-9CA0-47A0-BA58-D90A4796DF53}
    C:\Users\HP\AppData\Local\{6AEE963E-FDD3-40F4-8A74-04C6492B6C5C}
    C:\Users\HP\AppData\Local\{72DAAF8A-E744-4AB7-9D7E-79D50CF093FC}
    C:\Users\HP\AppData\Local\{7483DD95-FE5E-403E-9691-2D9570A67F9E}
    C:\Users\HP\AppData\Local\{77B8B5E2-8826-4755-83E6-5B90ECF43210}
    C:\Users\HP\AppData\Local\{7AD5CB97-3DA0-4878-AD4A-2D611BB68751}
    C:\Users\HP\AppData\Local\{7FBEC8D6-E3D2-4C61-B79F-F104CCC71F49}
    C:\Users\HP\AppData\Local\{824FD255-EAE1-466D-9F35-3228D1D56662}
    C:\Users\HP\AppData\Local\{8AA9C0BF-3529-4516-B204-3696BF62C5E8}
    C:\Users\HP\AppData\Local\{8C6E5237-69B7-4691-A933-395C94DA06C6}
    C:\Users\HP\AppData\Local\{8CCE098F-48DF-42DB-B217-833EE79A7F75}
    C:\Users\HP\AppData\Local\{8E665CE2-3CB3-402D-B330-99404C37368E}
    C:\Users\HP\AppData\Local\{91ECDC8A-866F-4A6E-861D-904F83140EB6}
    C:\Users\HP\AppData\Local\{9441DC85-99ED-4B16-97A0-198363595598}
    C:\Users\HP\AppData\Local\{97BB8B90-39B0-4BFE-B39E-A88236D3DB42}
    C:\Users\HP\AppData\Local\{9BBF8255-3A29-4373-A6E4-49389F58D96A}
    C:\Users\HP\AppData\Local\{9CE0CC8D-853E-41EE-AEB9-95A9F9B3F3D0}
    C:\Users\HP\AppData\Local\{9F2B43D0-B65E-408A-9CD3-12C7D890896C}
    C:\Users\HP\AppData\Local\{A1AFD9BF-4CC2-4555-8008-CC86AF0787EF}
    C:\Users\HP\AppData\Local\{A268B29C-E3B2-4A83-8BA2-8BB8B062B0E1}
    C:\Users\HP\AppData\Local\{A4BEB3FC-C4B8-41C9-8350-09855C5ADF67}
    C:\Users\HP\AppData\Local\{A51E2538-0D60-440E-A7B6-9118E91EF682}
    C:\Users\HP\AppData\Local\{A943B15B-DD33-48ED-B8A5-00194698A974}
    C:\Users\HP\AppData\Local\{AA44F6E6-20C2-4A60-8215-BEEBF14FE673}
    C:\Users\HP\AppData\Local\{AABDD0F3-287A-4C93-9A8C-B7528560DD0E}
    C:\Users\HP\AppData\Local\{AAFD40DE-528C-4182-B207-5B1C3D031265}
    C:\Users\HP\AppData\Local\{AE3B2329-1889-44FB-AE5B-1EA8CA548852}
    C:\Users\HP\AppData\Local\{B6A3712A-E5D8-4395-8A25-8C36A5EF53A8}
    C:\Users\HP\AppData\Local\{B88FAED5-F3E2-470D-8D26-E0A69B6CF493}
    C:\Users\HP\AppData\Local\{B890A72B-DCCE-4081-A7C6-7DDEB0FFEE08}
    C:\Users\HP\AppData\Local\{B91907E3-A57C-4256-9E00-728EB40CB926}
    C:\Users\HP\AppData\Local\{B9CA44BB-9588-4BD6-866B-3AA473DCBA3C}
    C:\Users\HP\AppData\Local\{BB356A6F-77CB-45C7-83C3-20771800D512}
    C:\Users\HP\AppData\Local\{BC7B5FE2-A10A-43F9-9536-C05C976970ED}
    C:\Users\HP\AppData\Local\{BCB8403E-E125-45DA-B70E-D0E5AB229616}
    C:\Users\HP\AppData\Local\{BE2FE5D9-6C15-478F-8376-453085B91977}
    C:\Users\HP\AppData\Local\{BE44F931-B076-42F4-9B55-83227F71966B}
    C:\Users\HP\AppData\Local\{C8DA2A6C-A835-46B4-986B-C61EA78EA205}
    C:\Users\HP\AppData\Local\{C8DA8466-3278-4CF8-99CE-AF416C59E087}
    C:\Users\HP\AppData\Local\{D3FFEBD7-8D84-41CA-B7CA-24AF3B8393A5}
    C:\Users\HP\AppData\Local\{D46F9ED6-8357-489A-963F-F2D829AAA67A}
    C:\Users\HP\AppData\Local\{D4F67F1F-B291-4EE9-9A45-8441B7F02763}
    C:\Users\HP\AppData\Local\{D598CDAC-AB79-4AD6-9EF9-E731044BFC1A}
    C:\Users\HP\AppData\Local\{D7DC15C6-1CC9-4150-BAC3-ED772F2E8382}
    C:\Users\HP\AppData\Local\{D9563FA2-A2FA-4C29-93DD-F9BD9E7FDAB9}
    C:\Users\HP\AppData\Local\{DC994BF3-AB3A-4344-AF3A-E8DCF0842FD5}
    C:\Users\HP\AppData\Local\{DDE3B909-7114-40CF-9FE9-E77981621E32}
    C:\Users\HP\AppData\Local\{DF06865C-5733-4C3B-8048-FB7DA5596870}
    C:\Users\HP\AppData\Local\{E0A1CD9E-A25B-4AAD-9A6B-EA30D27E8C73}
    C:\Users\HP\AppData\Local\{E222B164-F8B9-4EEA-BA7D-3BF791E65C14}
    C:\Users\HP\AppData\Local\{E61AAC1C-0A9C-4AFD-84BD-E1811919BBB7}
    C:\Users\HP\AppData\Local\{EA47F593-E1D7-4500-9726-8F15E1B6070B}
    C:\Users\HP\AppData\Local\{EE4D62AD-BDE8-4863-880C-800E290DE8B5}
    C:\Users\HP\AppData\Local\{EEDCA06E-2711-45CA-B9D1-45693BDF5C35}
    C:\Users\HP\AppData\Local\{F6676FCB-2B23-4B28-996F-3D5046474511}
    C:\Users\HP\AppData\Local\{FD526730-85B9-47AA-9250-27B43CF1DA81}
    C:\Users\HP\AppData\Local\{FEFD884C-82EB-42EF-A14D-CAFA7CF46CD4}
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  8. lazarro

    lazarro Private E-2

    I did that step already, it seems like you double posted. Please read again all your posts. You had me do the ComboFix /CFscript along with the HijackThis fix.
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No, no, no. First time round, I was LOOKING inside those folders, now we are DELETING them... continue on please.
     
  10. lazarro

    lazarro Private E-2

    Ok I understand. I tried to do what you asked but I received a message that said that ComboFix has expired, that I should click yes to continue in reduced functionality or click no to exit. I don't remember the exact words but I exited the program. What should I do?
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download combofix again and let it overwrite the old version. Then continue on with my instructions.
     
  12. lazarro

    lazarro Private E-2

    Ok here is the log that you requested. I am also attaching the ComboFix log cause I saw it found some kind of infection.
     

    Attached Files:

  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now we need to use ComboFix by sUBs

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Folder::
    c:\program files\Common Files\Tencent
    c:\program files\Tencent
    c:\programdata\Tencent
    c:\users\HP\AppData\Roaming\Tencent
    C:\Users\HP\AppData\Local\{09609C4A-3EEC-4A19-8992-987660BC549A}
    C:\Users\HP\AppData\Local\{0EE32A1E-26CC-497D-B50D-F829430829EC}
    C:\Users\HP\AppData\Local\{20BCADA4-E032-46F8-BFD5-5D793AAE66A0}
    C:\Users\HP\AppData\Local\{22FBC213-51BE-4646-A8E1-4FB9048951FF}
    C:\Users\HP\AppData\Local\{527886ED-E087-44FA-A870-8ADB26CFB8DC}
    C:\Users\HP\AppData\Local\{59269500-16A8-43DF-A5EA-68A872921554}
    C:\Users\HP\AppData\Local\{5E41D68F-E608-4525-AC1E-A711EADEA9EA}
    C:\Users\HP\AppData\Local\{68B53A6B-9C66-4F3A-A26C-47ADA7F1E8B0}
    C:\Users\HP\AppData\Local\{756FDE4B-DE41-4C5A-9C30-6492BE9A5760}
    C:\Users\HP\AppData\Local\{7EACDA34-F0C7-45C1-80FE-4CC12E05716F}
    C:\Users\HP\AppData\Local\{93D179DC-FB2D-4564-AC4B-F3A12AD5CE75}
    C:\Users\HP\AppData\Local\{96E5100D-5553-4992-8F78-3DB3685B2112}
    C:\Users\HP\AppData\Local\{ACBB49CB-7CDA-417F-9E13-DF757528432F}
    C:\Users\HP\AppData\Local\{BFD7678F-0B09-4486-81C4-727309AA8962}
    C:\Users\HP\AppData\Local\{E57532CC-D6E3-41B6-940C-608B626090B8}
    C:\Users\HP\AppData\Local\{EA95F1A8-8872-457E-B83A-7A9F9F467371}
    C:\Users\HP\AppData\Local\{F02E098C-9D63-4B35-9040-8C71965161F4}
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
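    The CFScript handed over in posts 5, 7 and 13 has a simple shape: a directive such as KILLALL:: on its own, then a section header (DirLook:: to list a folder's contents, Folder:: to delete it) followed by one path per line. The helper below is an added example, not a ComboFix or MajorGeeks tool: it parses those sections and, against a constructed copy of the folders, reports which listed folders are empty, hold ordinary files, or hold a file with a PE (MZ) header, so a Folder:: list can be reviewed before anything is deleted. The GUID names, file contents and the Windows-prefix-to-local-directory mapping are constructed assumptions so it runs offline.

```python
"""Triage a ComboFix-style CFScript before running it (added example)."""
import os
import re
import tempfile
from pathlib import Path

# Folder names like {027A26C9-9BE5-4764-831D-A9817C67A1D7} in the thread.
GUID_DIR = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
# Every Windows PE image (exe/dll/sys) begins with the DOS header magic "MZ".
PE_MAGIC = b"MZ"


def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}; KILLALL:: has no entries."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
        else:
            raise ValueError(f"entry before any section header: {line!r}")
    return sections


def classify_folder(path):
    """Return 'missing', 'empty', 'has_pe' or 'has_files' for a local folder."""
    p = Path(path)
    if not p.is_dir():
        return "missing"
    files = [f for f in p.rglob("*") if f.is_file()]
    if not files:
        return "empty"
    for f in files:
        with open(f, "rb") as fh:
            if fh.read(2) == PE_MAGIC:
                return "has_pe"
    return "has_files"


def triage(script_text, root_map):
    """Classify each DirLook::/Folder:: path.

    root_map maps a Windows prefix (e.g. 'C:\\Users\\HP\\AppData\\Local') to a
    local directory holding a copy or offline mount of that tree (assumption).
    """
    sections = parse_cfscript(script_text)
    report = {}
    for name, action in (("DirLook", "list"), ("Folder", "delete")):
        for entry in sections.get(name, []):
            local = entry
            for win_prefix, local_root in root_map.items():
                if entry.lower().startswith(win_prefix.lower()):
                    rest = entry[len(win_prefix):].lstrip("\\")
                    local = os.path.join(local_root, *rest.split("\\"))
                    break
            leaf = entry.rsplit("\\", 1)[-1]
            report[entry] = {"action": action,
                             "verdict": classify_folder(local),
                             "guid_name": bool(GUID_DIR.match(leaf))}
    return report


def summarize(report):
    """Count verdicts, e.g. {'empty': 3, 'has_pe': 1}."""
    counts = {}
    for info in report.values():
        counts[info["verdict"]] = counts.get(info["verdict"], 0) + 1
    return counts


def build_demo():
    """Constructed sample: four GUID folders, one per verdict (names invented)."""
    root = tempfile.mkdtemp(prefix="cfscript_demo_")
    names = ["{00000000-0000-0000-0000-000000000001}",   # empty leftover
             "{00000000-0000-0000-0000-000000000002}",   # plain log file
             "{00000000-0000-0000-0000-000000000003}",   # PE-headered file
             "{00000000-0000-0000-0000-000000000004}"]   # never existed
    os.mkdir(os.path.join(root, names[0]))
    os.mkdir(os.path.join(root, names[1]))
    Path(root, names[1], "install.log").write_text("setup finished\n")
    os.mkdir(os.path.join(root, names[2]))
    Path(root, names[2], "helper.exe").write_bytes(PE_MAGIC + b"\x90" * 62)
    script = "KILLALL::\n\nFolder::\n" + "".join(
        f"C:\\Users\\HP\\AppData\\Local\\{n}\n" for n in names)
    return root, script


if __name__ == "__main__":
    demo_root, demo_script = build_demo()
    for path, info in triage(demo_script, {"C:\\Users\\HP\\AppData\\Local": demo_root}).items():
        print(f"{info['action']:6} {info['verdict']:9} {path}")
```

A Folder:: entry that comes back as has_pe is the one worth opening in DirLook:: first; empty GUID folders are the "junk and empty folders" the helper in this thread describes.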
  14. lazarro

    lazarro Private E-2

    Here are the scans. I am also sending you a picture from my Internet Explorer: when I go to google.com the internet page icon changes to yours. Please have a look. Is that the doing of a malware? Thanks
     

    Attached Files:

  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Delete these folders.

    C:\Users\HP\AppData\Local\{6A0D51B4-4098-4CBC-AC7B-55D86E52CDA4}
    C:\Users\HP\AppData\Local\{6E401301-2AA8-484D-BD26-E1D65E3B30BA}

    Why have you two executables for combofix??
    • C:\Users\HP\Desktop\ComboFix.exe <--- Delete this one please.
    • C:\Users\HP\Desktop\ComboFix1.exe

    What is this?

    C:\Users\HP\Desktop\t5q93v96.exe

    Try the below.

    Reset Internet Explorer Settings to Defaults


    1. Open Internet Explorer
    2. Click on Tools
    3. Click Internet Options
    4. Click the Advanced tab
    5. Locate the Reset Internet Explorer Settings heading
    6. Click the Reset button
    7. Click Ok
    8. Restart Internet Explorer

    Has that worked?
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See the log in message # 2. It's GMER with random name. ;)
     
  17. lazarro

    lazarro Private E-2

    Yes, Internet Explorer is back to normal. Do I have some kind of malware/spyware on the laptop that I should be aware of? I had two ComboFix on my desktop because the other one expired so I downloaded another one like you told me to.
     
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Thanks Chas!

    @lazarro ...Good. So all is well again. With Combofix, I had wanted you to overwrite the previous copy. No, I was not really seeing any malware, just a load of junk and empty folders.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required (If we renamed it, please rename it back to Combofix.exe.)
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  19. lazarro

    lazarro Private E-2

    Hello, thanks for helping me. I did all the necessary steps. But I have a problem. This morning, I turned my computer on, and after entering my password, I noticed that it took a lot of time to load. When it finished loading, there was no desktop; it looked like a Windows 98 interface and I got the following message:
    Location is not available
    C:\windows\system32\config\systemprofile\desktop refers to a location that is unavailable. It could be on a hard drive on this computer or on a network. Check to make sure that the disk is properly inserted, or that you are connected to the internet or your network, and the try again. If it still cannot be located, the information might have been moved to a different location.


    I could not restart or turn off so I manually shut it down. Upon restart, I got the Windows 7 interface back but I received a pop-up:
    Failed to connect to a windows service
    Windows could not connect to the System Event Notification Service service. This problem prevent standard users from logging to the system. As an administrator user, you can review the System Event Log for details about why the service didn't respond.


    I did not know what to do. So I restarted and I did not receive any messages again. Can you please tell me what it can be? I don't understand. Thank you
     
  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    This is not a topic for the malware forum I'm afraid. You can further discuss this in the software forum if you wish. :)
     
  21. lazarro

    lazarro Private E-2

    All right. Thanks man!
     
  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're most welcome. :) Safe surfing!
     
