Malware Removal Help Required

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Stevejj, Mar 27, 2012.

  1. Stevejj

    Stevejj Private E-2

    Hi,

    I'd be grateful if someone could help me with the following:

    Issue: Two and a half weeks ago (12th March) we started getting new tabs and redirections when we accessed the internet (using Firefox). I ran ESET Security Scan and it picked up the following 3 Trojans.

    Operating Memory - Win32/Olmarik.TDL4.Trojan
    Operating Memory - a variant of Win32/Spy.Zbot.YW trojan
    Operating Memory - a variant of Win32/Olmarik.AWO trojan

    I've managed to remove these with guidance (or at least they aren't coming up on ESET Scan anymore)

    I've run TDSSKiller and it keeps coming up with the following:

    Backdoor.Multi.ZAccess.gen

    It does delete this on reboot but will always come back during the next session. The actual file itself differs on each session. Current one is shown as:

    Service: dmadmin
    Malware object. High Risk
    Service Start: Auto (0x2)
    File: C:\Windows\system32\avfilter.dll
    MD5: 5f22132c9153639762708909f156b33d

    Malwarebytes also comes up with a number of infections when run. I will attach the malware bytes log and the goored.exe log as suggested.

    We are still getting pop-ups and redirections. I'm also getting my homepage opening as HSBC (a bank) despite changing this repeatedly in the Firefox Options menu. I've never used this site.

    I've been following your Malware removal instructions and have done the general cleanup, disabled CD emulation with Defogger, cleared quarantine folders etc. I've gone to follow the instruction to move the UAC slider to the bottom and rebooted. When I rebooted and logged back on I seemed to get what I think is the PCEU virus, where a window purporting to be from the Police suggests that illegal activity has been carried out on the computer and you have to pay a £100 fine to get your computer unlocked.

    I rebooted in safe mode and then changed the UAC level back to what it was before.

    I have downloaded all the other files in preparation for running them after the UAC was disabled, but I wasn't able to continue due to the PCEU thing.

    Please could you advise on what I should do?

    Apologies if I've missed any vital info. Please ask for what I've missed.

    I'm running on a Windows 7 machine.

    Thanks for your help.

    Steve
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Your Malwarebytes log shows that you took no action. Did you fix what it found?


    Please do the below so that we can boot to System Recovery Options to run a scan.

    For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.


    Enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
     
  3. Stevejj

    Stevejj Private E-2

    Hi,

    Thanks for the welcome.

    Yes, the issues from the Malwarebytes log were sorted. The issue it flagged was deleted on reboot (although I think it does keep coming back). I will attach an updated version of that log, along with the FRST log that you've asked for.

    Thank you so much for your time and help.

    Steve
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Download this >> View attachment fixlist.txt

    Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.
    Now reboot back into the System Recovery Options as you did previously.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (See how to attach)

    Now boot into normal Windows and continue with the below.


    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


     
  5. Stevejj

    Stevejj Private E-2

    Hi,

    Please find all attachments as requested.

    I didn't run RootRepeal as I have a 64 bit system.

    I will attach the MGTools zip file to the next message.
     

    Attached Files:

  6. Stevejj

    Stevejj Private E-2

    Following on from last post:

    Thus far since doing all the above, I haven't yet been redirected to any sites. So that's a good start.

    I'd be grateful if you could have a look at these to see if you think anything else needs doing.

    Thanks again

    Steve
     

    Attached Files:

  7. Stevejj

    Stevejj Private E-2

    Hi,

    I spoke too soon! Still getting redirections in new tabs. Firefox is still changing my homepage to that of a bank, even when this is reset in Firefox Options.

    TDSSKiller/Malwarebytes are still picking up Backdoor.Multi.ZAccess.gen when run.

    Thanks for your help!

    Regards
    Steve
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to remove the illegal copy and activator of Office Pro
    re:
    2012-03-30 c:\windows\Tasks\AutoKMS.job
    - c:\windows\AutoKMS\AutoKMS.exe [2012-01-27 22:07]


    See the below link:
    Warning about Porn, Keygens, Cracks, and other Illegal Software


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  9. Stevejj

    Stevejj Private E-2

    Hi,

    I've deleted the activator. I'll ask the owner of the computer before deleting the copy, as I didn't install it personally and I don't think it's my right to delete things (albeit illegal copies) without his knowledge.

    Please find files as requested. I will keep an eye on the computer over the next day or so to see how it performs.

    Thanks again for your help.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The activator job ( task ) file was not deleted.

    We still have some more to do. A fix will be posted in a little while.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below old versions of software:
    Java(TM) 6 Update 23

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Policies\Explorer\Run: [34412] C:\PROGRA~3\LOCALS~1\Temp\msaaxiyo.pif
    O4 - HKUS\S-1-5-18\..\Run: [dplaysvr] C:\Windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe (User 'SYSTEM')
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Users\Steve\Documents\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: MS&N Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Users\Steve\Documents\msmsgs.exe (file missing)
    O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)

    After clicking Fix, exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  12. Stevejj

    Stevejj Private E-2

    Hi,

    Please find new files attached.

    Prior to these being run, the redirections seemed to have stopped coming up on my user account, although malwarebytes was blocking access to potentially malicious sites every few seconds.

    Other users of this computer are still getting the redirections. Should I have disabled their UAC as well as my own to get the other accounts to the same state as mine seems to be in?

    Also, prior to the running of the attached files, TDSSKiller was still bringing up the Backdoor.Multi.ZAccess.gen thing.

    Since running combofix/mgtools again, I'm not receiving so many Malwarebytes notifications about malicious sites (in fact I don't think I've seen one, although it's only been about 15mins since I finished running them)

    Thank you again for your help
    Steve
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run the below on your user account.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (file missing)
    O4 - HKLM\..\Policies\Explorer\Run: [34412] C:\PROGRA~3\LOCALS~1\Temp\msaaxiyo.pif

    After clicking Fix, exit HJT.


    Download this >> View attachment fixlist.txt


    Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.
    Now reboot back into the System Recovery Options as you did previously.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (See how to attach)

    Now boot into normal Windows and continue with the below.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the new fixlog.txt
    • C:\MGlogs.zip
    You will need to run cleaning procedures on each user account that is having problems. This could be the reason I see some common files returning after deleting them.

    And by the way, you should not have 4 users set up as administrators. Only one user account should have administrator privileges.


    Pick one other user account now that is having redirections and run the below after logging into that account. Make sure you logout of any other user accounts first ( that is do not use switch account ).
    • SUPERAntiSpyware
    • Malwarebytes
    • ComboFix
    • MGtools.
     
    Last edited: Apr 2, 2012
  14. Stevejj

    Stevejj Private E-2

    Hi,

    Please find files as attached.

    I'm now having fairly frequent boot problems when I turn on the computer. Windows doesn't load and it goes into the repairing the computer option, which it then can't do automatically. I've either had to use frst64.exe to get it to work or do a system restore.

    I've been running the 4 processes on the other accounts, although this isn't quite complete due to the time taken on sorting out the boot issues when the programs have needed to reboot.

    Still getting Malwarebytes blocking malicious website notifications. Redirection issue seems to be fine now.

    Thanks for your help
    Steve
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What exactly are you doing with frst64.exe?

    Also when you are using System Restore, you have been restoring all the malware that we have already removed. Everything we fixed and more has been undone. It's all back again. Thus all logs may now be out of sync with what your real system state is.

    The MGlogs.zip file you just attached is for the Alan account. What about the SUPERAntiSpyware, Malwarebytes, and ComboFix logs for this account? They should have been run before MGtools.
     
    Last edited: Apr 5, 2012
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is Eset NOD32 still installed?

    Redownload TDSSkiller to make sure you have the current version and then run a new scan and fix any malware it finds. Attach the new log.

    Now delete the current copy of ComboFix.exe that you have. Then download and save a new version to your Desktop. Download it here: BleepingComputer.com


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Apr 5, 2012
  17. Stevejj

    Stevejj Private E-2

    Hi,

    I checked and we didn't have ESET NOD32 set up with maximum activation. I've now updated this.

    Here are the new files requested, run after the above was changed.

    Thanks for your continued help.

    Steve
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. You forgot to tell me how things are working.

    This is not what I asked you to do. I just asked was it still installed because it looked to be semi broken.

    We have a few more things to remove.


    Now download The Avenger by Swandog46, and save it to your Desktop.

    See the download links under this icon http://www.majorgeeks.com/images/dll.gif
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now rerun TDSSKiller and attach the new log.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  19. Stevejj

    Stevejj Private E-2

    Hi,

    ESET is picking up a variant of Win32/Sirefef.EU trojan every time the computer is rebooted. Even though it says it will clean on reboot. Usually relates to a file in C:\windows\assembly\temp\U\

    When running GetLogs.bat, on the black screen where it says 'Checking testing DNS servers with nslookup' I get a pop-up saying 'The ordinal 1108 could not be located in the dynamic link library WSOCK32.dll.' I click OK and the process continues.

    I have run The Avenger, TDSSKiller and GetLogs.bat.

    The Avenger seemed to run fine and rebooted fine but it doesn't seem to have created a log txt file as suggested. Nothing popped up on reboot and there's no avenger.txt file anywhere on my c:\ drive, having performed a search on that drive.

    I've attached the other two logs as requested.

    Regards
    Steve
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes because the Avenger fix did not work and as you can see from TDSSkiller, you still have the ZeroAccess infection. Don't worry about what ESET is reporting since we already know all of this and ESET is basically ineffective at resolving this like just all other protection programs. Once I tell you all your logs are clean and give you final cleanup instructions and you have finished those instructions, then you can look at ESET info again.

    Since Avenger and ComboFix are failing to remove this, there are other items hiding that need to be found and removed. And again, as you can see from TDSSKiller, the infection keeps spreading to more system files. Let's try several different scanning tools to see if we can locate what else is hiding that we don't already know about.


    Now download Yorkyt.exe Disinfection Tool See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Save the file to your hard disk; to your Desktop
    • Double click the yorkyt.exe file to run it (if running Vista or Win 7 right-click and select Run as Administrator)
    • A reboot will be requested to install a driver. Immediately allow it to reboot. You can close anything you have open first.
    • After reboot, you will notice a Panda icon in your tray and the scan will start to run. Do not do anything. Just allow the scan to run.
    • When it finishes, another reboot will be requested to complete the disinfection. Allow it to reboot again.
    • When the disinfection is completed, accept the message that will be displayed.
    • The log will be saved to your Desktop as yorkyt.exe.log. Attach this log to your next message.
    • Now continue on with the below.
    Please download aswMBR to your desktop.
    • Double-click aswMBR.exe to run (if running Vista or Win 7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (See: How to attach)
    Now please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (If running Vista or Win7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Customs Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      lsass.exe
      nsiproxy.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      tdx.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\tdx
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\nsiproxy
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (See how to attach)

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the yorkyt.exe.log file
    • the log from aswMBR
    • both OTL.txt and Extras.txt
    • C:\MGlogs.zip << you will have to attach this to a second message since you can only attach 4 logs in a single message.
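
    Added example, not part of the thread and not one of the tools it uses: a Python scan for the ZeroAccess (Sirefef / Backdoor.Multi.ZAccess) file artifacts that the OTL custom scan above targets under %windir%\assembly, namely the temp\U payload store of files named as 8 hex digits plus ".@", the small marker files in temp, anything left in tmp, and a Desktop.ini planted in GAC_64. The sample directory tree is constructed inside the script. Two things are my assumptions rather than the page's: that assembly\tmp is normally empty, and that the .NET GAC never places its own Desktop.ini inside GAC_32 or GAC_64.

```python
"""Scan a Windows directory tree for the ZeroAccess file artifacts seen in
this thread under %windir%\\assembly. The sample tree is constructed below;
the IOC shapes mirror the paths in the OTL scan and fixes in the thread."""
import os
import re
import tempfile

# Payload store: %windir%\assembly\temp\U\<8 hex digits>.@
PAYLOAD_NAME = re.compile(r"^[0-9a-f]{8}\.@$", re.IGNORECASE)
# Small marker files the thread's fix removes from %windir%\assembly\temp
MARKER_FILES = {"@", "cfg.ini", "oemid", "version"}
# Desktop.ini inside GAC_32 / GAC_64: the GAC does not create one there
# (assumption, drawn from the fix in this thread deleting GAC_64\Desktop.ini)
GAC_PAYLOADS = {os.path.join("gac_32", "desktop.ini"),
                os.path.join("gac_64", "desktop.ini")}


def scan_assembly_dir(windir):
    """Return sorted paths, relative to <windir>\\assembly, matching the IOCs."""
    hits = []
    assembly = os.path.join(windir, "assembly")
    if not os.path.isdir(assembly):
        return hits
    for dirpath, _dirs, filenames in os.walk(assembly):
        for name in filenames:
            rel = os.path.normpath(
                os.path.relpath(os.path.join(dirpath, name), assembly))
            parts = rel.split(os.sep)
            top = parts[0].lower()
            if (top == "temp" and len(parts) == 3 and parts[1].lower() == "u"
                    and PAYLOAD_NAME.match(name)):
                hits.append(rel)        # temp\U\00000001.@ style payload
            elif top == "temp" and len(parts) == 2 and name.lower() in MARKER_FILES:
                hits.append(rel)        # temp\@, temp\cfg.ini, temp\oemid ...
            elif top == "tmp" and len(parts) == 2:
                hits.append(rel)        # assembly\tmp is normally empty (assumption)
            elif rel.lower() in GAC_PAYLOADS:
                hits.append(rel)        # GAC_64\Desktop.ini
    return sorted(hits)


def build_sample_tree():
    """Constructed layout (not a real capture) mirroring the thread's paths,
    plus two benign files that must NOT be flagged."""
    root = tempfile.mkdtemp()
    layout = [
        ("assembly", "GAC_64", "Desktop.ini"),
        ("assembly", "temp", "@"),
        ("assembly", "temp", "cfg.ini"),
        ("assembly", "temp", "U", "00000001.@"),
        ("assembly", "temp", "U", "80000032.@"),
        ("assembly", "tmp", "C7EJ51EE"),
        ("assembly", "GAC_MSIL", "System", "2.0.0.0__b77a5c561934e089", "System.dll"),
        ("assembly", "temp", "U", "readme.txt"),
    ]
    for parts in layout:
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\x00")
    return root


def demo():
    """Build the constructed tree, scan it and return the hit list."""
    return scan_assembly_dir(build_sample_tree())


if __name__ == "__main__":
    for hit in demo():
        print("suspicious:", hit)
```

    Against a real machine call scan_assembly_dir(r"C:\Windows") from an elevated prompt: ZeroAccess marks its files hidden and system and some variants restrict permissions on the folder, so an empty result from a non-elevated run proves nothing.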
     
  21. Stevejj

    Stevejj Private E-2

    Hi,

    Here are the new log files.
     

    Attached Files:

  22. Stevejj

    Stevejj Private E-2

    And finally MGlogs.zip.

    Regards
    Steve
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts.
    Code:
    :OTL
    SRV:64bit: - [2009/07/14 02:39:46 | 000,006,656 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\Windows\SysNative\bthmodem.dll -- (spbbcdrv)
    DRV - [2012/04/07 14:49:57 | 000,061,440 | ---- | M] () [Kernel | Boot | Stopped] -- C:\Windows\SysWOW64\drivers\kwpci.sys -- (iajcpo)
    IE - HKU\S-1-5-21-3627112931-1370171150-2433351369-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://www.hsbc.co.uk
    IE - HKU\S-1-5-21-3627112931-1370171150-2433351369-1003\..\SearchScopes,DefaultScope = {1DB8E6F7-1FB3-4ECB-AC40-D417DA74FAF8}
    O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 34412 = C:\PROGRA~3\LOCALS~1\Temp\msaaxiyo.pif
    [2012/04/07 14:49:57 | 000,061,440 | ---- | C] () -- C:\Windows\SysWow64\drivers\kwpci.sys
    [2012/04/07 00:49:44 | 000,000,000 | -HS- | C] () -- C:\Windows\SysNative\dds_trash_log.cmd
    @Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:DFC5A2B2
    :Files
    C:\Windows\system32\consrv.dll
    C:\PROGRA~3\LOCALS~1\Temp\msaaxiyo.pif
    :Reg
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\subsystems]
    "Windows"=hex(2):25,53,79,73,74,65,6D,52,6F,6F,74,25,5C,73,\
    79,73,74,65,6D,33,32,5C,63,73,72,73,73,2E,65,78,65,20,4F,62,6A,65,63,\
    74,44,69,72,65,63,74,6F,72,79,3D,5C,57,69,6E,64,6F,77,73,20,53,68,61,\
    72,65,64,53,65,63,74,69,6F,6E,3D,31,30,32,34,2C,32,30,34,38,30,2C,37,\
    36,38,20,57,69,6E,64,6F,77,73,3D,4F,6E,20,53,75,62,53,79,73,74,65,6D,\
    54,79,70,65,3D,57,69,6E,64,6F,77,73,20,53,65,72,76,65,72,44,6C,6C,3D,\
    62,61,73,65,73,72,76,2C,31,20,53,65,72,76,65,72,44,6C,6C,3D,77,69,6E,\
    73,72,76,3A,55,73,65,72,53,65,72,76,65,72,44,6C,6C,49,6E,69,74,69,61,\
    6C,69,7A,61,74,69,6F,6E,2C,33,20,53,65,72,76,65,72,44,6C,6C,3D,77,69,\
    6E,73,72,76,3A,43,6F,6E,53,65,72,76,65,72,44,6C,6C,49,6E,69,74,69,61,\
    6C,69,7A,61,74,69,6F,6E,2C,32,20,53,65,72,76,65,72,44,6C,6C,3D,73,78,\
    73,73,72,76,2C,34,20,50,72,6F,66,69,6C,65,43,6F,6E,74,72,6F,6C,3D,4F,\
    66,66,20,4D,61,78,52,65,71,75,65,73,74,54,68,72,65,61,64,73,3D,31,36,\
    00
    [HKEY_LOCAL_MACHINE\system\controlset001\control\session manager\subsystems]
    "Windows"=hex(2):25,53,79,73,74,65,6D,52,6F,6F,74,25,5C,73,\
    79,73,74,65,6D,33,32,5C,63,73,72,73,73,2E,65,78,65,20,4F,62,6A,65,63,\
    74,44,69,72,65,63,74,6F,72,79,3D,5C,57,69,6E,64,6F,77,73,20,53,68,61,\
    72,65,64,53,65,63,74,69,6F,6E,3D,31,30,32,34,2C,32,30,34,38,30,2C,37,\
    36,38,20,57,69,6E,64,6F,77,73,3D,4F,6E,20,53,75,62,53,79,73,74,65,6D,\
    54,79,70,65,3D,57,69,6E,64,6F,77,73,20,53,65,72,76,65,72,44,6C,6C,3D,\
    62,61,73,65,73,72,76,2C,31,20,53,65,72,76,65,72,44,6C,6C,3D,77,69,6E,\
    73,72,76,3A,55,73,65,72,53,65,72,76,65,72,44,6C,6C,49,6E,69,74,69,61,\
    6C,69,7A,61,74,69,6F,6E,2C,33,20,53,65,72,76,65,72,44,6C,6C,3D,77,69,\
    6E,73,72,76,3A,43,6F,6E,53,65,72,76,65,72,44,6C,6C,49,6E,69,74,69,61,\
    6C,69,7A,61,74,69,6F,6E,2C,32,20,53,65,72,76,65,72,44,6C,6C,3D,73,78,\
    73,73,72,76,2C,34,20,50,72,6F,66,69,6C,65,43,6F,6E,74,72,6F,6C,3D,4F,\
    66,66,20,4D,61,78,52,65,71,75,65,73,74,54,68,72,65,61,64,73,3D,31,36,\
    00
    [HKEY_LOCAL_MACHINE\system\controlset002\control\session manager\subsystems]
    "Windows"=hex(2):25,53,79,73,74,65,6D,52,6F,6F,74,25,5C,73,\
    79,73,74,65,6D,33,32,5C,63,73,72,73,73,2E,65,78,65,20,4F,62,6A,65,63,\
    74,44,69,72,65,63,74,6F,72,79,3D,5C,57,69,6E,64,6F,77,73,20,53,68,61,\
    72,65,64,53,65,63,74,69,6F,6E,3D,31,30,32,34,2C,32,30,34,38,30,2C,37,\
    36,38,20,57,69,6E,64,6F,77,73,3D,4F,6E,20,53,75,62,53,79,73,74,65,6D,\
    54,79,70,65,3D,57,69,6E,64,6F,77,73,20,53,65,72,76,65,72,44,6C,6C,3D,\
    62,61,73,65,73,72,76,2C,31,20,53,65,72,76,65,72,44,6C,6C,3D,77,69,6E,\
    73,72,76,3A,55,73,65,72,53,65,72,76,65,72,44,6C,6C,49,6E,69,74,69,61,\
    6C,69,7A,61,74,69,6F,6E,2C,33,20,53,65,72,76,65,72,44,6C,6C,3D,77,69,\
    6E,73,72,76,3A,43,6F,6E,53,65,72,76,65,72,44,6C,6C,49,6E,69,74,69,61,\
    6C,69,7A,61,74,69,6F,6E,2C,32,20,53,65,72,76,65,72,44,6C,6C,3D,73,78,\
    73,73,72,76,2C,34,20,50,72,6F,66,69,6C,65,43,6F,6E,74,72,6F,6C,3D,4F,\
    66,66,20,4D,61,78,52,65,71,75,65,73,74,54,68,72,65,61,64,73,3D,31,36,\
    00 
    :Commands
    [PURITY]
    [EMPTYTEMP] 
    [EMPTYFLASH]
    
    [REBOOT]
    • Now click the Run Fix button.
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)
    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Then attach the below logs:
    • the log from OTL
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
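
    Added example, not code from the thread: the OTL fix above resets the 'Windows' value under HKLM\SYSTEM\...\Control\Session Manager\SubSystems and deletes C:\Windows\system32\consrv.dll. The Python below decodes that hex(2) REG_EXPAND_SZ payload (copied from the fix) back into the csrss.exe command line, lists the ServerDll modules it loads, and flags any module that is not one of the three Windows 7 registers itself (basesrv, winsrv, sxssrv; that known-module set is my assumption for Windows 7 x64). A hijacked variant that points the console server at consrv is constructed inside the script for comparison; it mirrors how the 64-bit ZeroAccess variant got its DLL loaded into csrss.exe.

```python
"""Decode a .reg-style hex(2) REG_EXPAND_SZ value and check which ServerDll
modules csrss.exe is told to load. CLEAN_VALUE is the payload from the OTL
fix in this thread; HIJACKED_VALUE is constructed here, not captured."""
import re

# Modules Windows 7 itself registers for the Win32 subsystem (assumption).
KNOWN_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

CLEAN_VALUE = r"""hex(2):25,53,79,73,74,65,6D,52,6F,6F,74,25,5C,73,\
79,73,74,65,6D,33,32,5C,63,73,72,73,73,2E,65,78,65,20,4F,62,6A,65,63,\
74,44,69,72,65,63,74,6F,72,79,3D,5C,57,69,6E,64,6F,77,73,20,53,68,61,\
72,65,64,53,65,63,74,69,6F,6E,3D,31,30,32,34,2C,32,30,34,38,30,2C,37,\
36,38,20,57,69,6E,64,6F,77,73,3D,4F,6E,20,53,75,62,53,79,73,74,65,6D,\
54,79,70,65,3D,57,69,6E,64,6F,77,73,20,53,65,72,76,65,72,44,6C,6C,3D,\
62,61,73,65,73,72,76,2C,31,20,53,65,72,76,65,72,44,6C,6C,3D,77,69,6E,\
73,72,76,3A,55,73,65,72,53,65,72,76,65,72,44,6C,6C,49,6E,69,74,69,61,\
6C,69,7A,61,74,69,6F,6E,2C,33,20,53,65,72,76,65,72,44,6C,6C,3D,77,69,\
6E,73,72,76,3A,43,6F,6E,53,65,72,76,65,72,44,6C,6C,49,6E,69,74,69,61,\
6C,69,7A,61,74,69,6F,6E,2C,32,20,53,65,72,76,65,72,44,6C,6C,3D,73,78,\
73,73,72,76,2C,34,20,50,72,6F,66,69,6C,65,43,6F,6E,74,72,6F,6C,3D,4F,\
66,66,20,4D,61,78,52,65,71,75,65,73,74,54,68,72,65,61,64,73,3D,31,36,\
00"""


def reg_hex_bytes(value):
    """Strip a 'hex(2):' prefix and .reg line continuations; return raw bytes."""
    body = value.split(":", 1)[1] if value.lstrip().lower().startswith("hex") else value
    body = re.sub(r"\\\s*\r?\n\s*", "", body)
    return bytes(int(tok, 16) for tok in body.split(",") if tok.strip())


def decode_reg_hex(value):
    """Decode to str. 'reg export' writes UTF-16LE; OTL-style scripts (as in
    this thread) use one byte per character, so both layouts are accepted."""
    raw = reg_hex_bytes(value)
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    return text.rstrip("\x00")


def encode_reg_hex(text, wide=False):
    """Inverse of decode_reg_hex; wide=True yields the 'reg export' layout."""
    raw = (text.encode("utf-16-le") + b"\x00\x00") if wide else (text.encode("latin-1") + b"\x00")
    return "hex(2):" + ",".join(f"{b:02X}" for b in raw)


def server_dlls(subsystem_cmdline):
    """Module names from each 'ServerDll=module[:entrypoint],index' token."""
    return [m.group(1).lower()
            for m in re.finditer(r"ServerDll=([^:,\s]+)", subsystem_cmdline)]


def check_subsystem_value(value):
    """Return ServerDll modules not on the known list (empty means clean)."""
    return [d for d in server_dlls(decode_reg_hex(value)) if d not in KNOWN_SERVER_DLLS]


# Constructed: swap the console server entry so csrss.exe loads consrv.dll
# (the file the fix above deletes) instead of winsrv.
HIJACKED_VALUE = encode_reg_hex(decode_reg_hex(CLEAN_VALUE).replace(
    "winsrv:ConServerDllInitialization", "consrv:ConServerDllInitialization"))


if __name__ == "__main__":
    print(decode_reg_hex(CLEAN_VALUE))
    print("clean    ->", check_subsystem_value(CLEAN_VALUE))
    print("hijacked ->", check_subsystem_value(HIJACKED_VALUE))
```

    To check a live machine, export the key with reg export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems" subsys.reg and pass the "Windows"= value's hex(2) payload to check_subsystem_value; reg export writes UTF-16LE, which the decoder recognises. A non-empty result names the DLL csrss.exe is being told to load, which is the file to go after alongside the registry value.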
     
  24. Stevejj

    Stevejj Private E-2

    Hey,

    Please find logs as requested.

    Since running these, we've had no redirections on any user account, the Malwarebytes/ESET messages have decreased and TDSSKiller is reporting no threats when run.

    There doesn't seem to be any visible problems at the moment, although the logs may say otherwise!

    Thanks

    Steve
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes they do. ;) While looking better, we still need to get rid of a few things that we tried to remove earlier, but they kept coming back. The last fix with OTL will hopefully have removed the reason they kept coming back.

    Uninstall the below old versions of software:
    Java(TM) 6 Update 23


    Now shut down your protection software (antivirus, antispyware, etc.) to avoid possible conflicts.
    Code:
    :Files
    C:\Windows\assembly\GAC_64\Desktop.ini
    C:\Windows\assembly\temp\@
    C:\Windows\assembly\temp\cfg.ini
    C:\Windows\assembly\temp\oemid
    C:\Windows\assembly\temp\version
    C:\Windows\assembly\temp\U\00000001.@
    C:\Windows\assembly\temp\U\00000002.@
    C:\Windows\assembly\temp\U\00000004.@
    C:\Windows\assembly\temp\U\000000c0.@
    C:\Windows\assembly\temp\U\000000cb.@
    C:\Windows\assembly\temp\U\000000cf.@
    C:\Windows\assembly\temp\U\80000000.@
    C:\Windows\assembly\temp\U\80000004.@
    C:\Windows\assembly\temp\U\80000032.@
    C:\Windows\assembly\temp\U\80000064.@
    C:\Windows\assembly\temp\U\800000c0.@
    C:\Windows\assembly\temp\U\800000cb.@
    C:\Windows\assembly\temp\U\800000cf.@
    C:\Windows\assembly\temp\U
    C:\Windows\assembly\tmp\C7EJ51EE
    C:\Users\Steve\AppData\Local\Temp\6F2.tmp
    :Commands
    [PURITY]
    [EMPTYTEMP] 
    [EMPTYFLASH]
    [REBOOT]
    • Now click the Run Fix button.
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the log from OTL
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  26. Stevejj

    Stevejj Private E-2

    Hi,

    The computer has seemed fine over the last few days. No redirections/boot trouble etc. TDSSKiller not bringing up any problems.

    Here are the logs.

    Thanks

    Steve
     

    Attached Files:

  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your logs are clean.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (this uninstall will only work as written if you installed ComboFix on your Desktop like we requested).
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
