Another infected pc

After you do the following, please delete the MGTools.exe and all the associated folders (C:\MGLogs.zip C:\MGTool, etc.) and then download the latest version from the Read and Run First instructions. I will ask for the new logs later.

1) If you haven't already, please disable the Guest account in User accounts.

2) Please go to Add and Remove programs and uninstall the following software:

Java(TM) 6 Update 7

3) Now we need to use ComboFix to remove a bunch of malware files.

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
o If it is not on your Desktop, the below will not work.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::



File::
C:\WINDOWS\SxsCaPendDel
C:\Program Files\Common Files\raby.sys
C:\Documents and Settings\All Users\Application Data\iwokevuqy.sys
C:\Documents and Settings\Administrator.METROCELL1\Application Data\vurydevo.pif
C:\WINDOWS\system32\geniquje.scr
C:\WINDOWS\system32\hoxeje.exe
C:\WINDOWS\cavydu.bat
C:\WINDOWS\system32\byhyfegoz.exe
C:\Documents and Settings\Administrator.METROCELL1\Application Data\bapykanunu.vbs
C:\WINDOWS\system32\zyxirorun.pif
C:\WINDOWS\system32\gavidoja.dat
C:\Documents and Settings\All Users\Application Data\lepyzy.exe
C:\WINDOWS\zyqy.bin
C:\WINDOWS\unudymeze.vbs
C:\Documents and Settings\All Users\Application Data\koxymawu.sys
C:\WINDOWS\system32\tupi.vbs
C:\WINDOWS\system32\jedikino.dat
C:\WINDOWS\pyro.dl
C:\WINDOWS\system32\hyzocenili.bat
C:\WINDOWS\yjatew.ban
C:\Program Files\Common Files\xeteliqyw.exe
C:\WINDOWS\system32\isihew.db
C:\WINDOWS\system32\afuq.dl
C:\Documents and Settings\All Users\Application Data\sykak.pif
C:\WINDOWS\zuwoj.com
C:\WINDOWS\sypig.ban
C:\WINDOWS\utibuciguc._sy
C:\Documents and Settings\metrocell\Application Data\ifamat.pif
C:\WINDOWS\ydih.reg
C:\WINDOWS\YVAJ3BDH.ocx
C:\WINDOWS\system32\SBE48W62.ocx
C:\WINDOWS\system32\ucucihuzyw.reg
C:\WINDOWS\cylax.lib
C:\WINDOWS\ypeda.dl
C:\WINDOWS\keteroga.com
C:\WINDOWS\system32\ecisyfyd.dl
C:\WINDOWS\system32\ijyb.lib
C:\Documents and Settings\All Users\Application Data\nikuguc.exe
C:\WINDOWS\system32\uxatic.bat
C:\Program Files\Common Files\zirohexev.sys
C:\WINDOWS\imepu.dat
C:\WINDOWS\lomxeqsn.exe
C:\WINDOWS\st_affiliate.ini
C:\WINDOWS\system32\emufehe.dl
C:\WINDOWS\otykizisus.dl
C:\WINDOWS\system32\yvydobazap._dl
C:\WINDOWS\system32\usafugu.dl
C:\Documents and Settings\All Users\Application Data\siluvytaj.vbs
C:\WINDOWS\yfasifypy._dl
C:\WINDOWS\ciput.dl
C:\WINDOWS\ikuxi.sys
C:\Program Files\Common Files\zazy.exe
C:\WINDOWS\system32\detydomuw.scr
C:\WINDOWS\system32\epysa.db
C:\WINDOWS\qahubijic.scr
C:\WINDOWS\maruki.db
C:\WINDOWS\system32\TDSSfxwp.dll
C:\Program Files\Common Files\usuneweco.lib
C:\Program Files\Common Files\usuneweco.lib
C:\Program Files\Common Files\ohijexo.ban
C:\Program Files\Common Files\ycituzoba.ban

Folder::
C:\Documents and Settings\metrocell\Application Data\VirusRemover2008
C:\Documents and Settings\All Users\Application Data\mbghgfip

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\a8a57186]

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


4) Now Run Ccleaner!

5) Now run the new C:\MGtools.exe file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from combofix.

 

It appears as though you did not install the latest version of MGTools. And your NewFiles log is virtually empty. Did you get an error message when you ran the scan?

You also have two Anti-virus programs installed...you need to choose one and uninstall the other:
Avast! Antivirus
Norton AntiVirus

Your system is lacking in ram:
Total Physical Memory 384.00 MB
Available Physical Memory 68.36 MB

Open notepad and copy and paste the following text in the quote box into the window:

Save this as fix.bat
Choose to save as all files.
Doubleclick fix.bat and let the program run.
A small black dos window will flash, this is normal.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Combo has cleaned most of it out...but I can not tell without a proper NewFiles log. You need to tell me what errors you get when you run the C:\MGtools\GetLogs.bat file.

 

Yes....please delete all the MG folders and then run CCleaner and re-download MGTools.exe....it has changed since you last downloaded it. Attach the new zip file.

 

Still empty...try doing this:
XPHomeFix

Then run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.

 

It ran and got the logs.

Now back to work.

You are still showing both anti-virus programs...I suggest you kill NOrton as it is a system hog and you already have little resources to run it.

You can use Norton Removal Tool.

What is this:
C:\Program Files\There

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
o If it is not on your Desktop, the below will not work.
* Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

RenV::
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray .exe
C:\Program Files\QuickTime\qttask .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\igfxpers .exe
C:\WINDOWS\system32\igfxtray .exe

KILLALL::

File::
C:\Documents and Settings\metrocell\Application Data\cojugesi.inf
C:\Documents and Settings\metrocell\Application Data\ekagac~1.ban  
C:\Documents and Settings\metrocell\Application Data\recu.dat
C:\Documents and Settings\metrocell\Application Data\yfit._sy
C:\Documents and Settings\metrocell\Local Settings\Application Data\izamepyjil.inf
C:\Documents and Settings\metrocell\Local Settings\Application Data\nalyqa.inf    
C:\Documents and Settings\metrocell\Local Settings\Application Data\vanocy~1.bin  
C:\Documents and Settings\metrocell\Local Settings\Application Data\wygo.scr      
C:\Documents and Settings\All Users\Application Data\abahe.bat
C:\Documents and Settings\All Users\Application Data\dygepe.ban
C:\Documents and Settings\All Users\Application Data\ivypepi.db
C:\Documents and Settings\All Users\Application Data\kexaza.inf    
C:\Documents and Settings\All Users\Application Data\legil.db      
C:\Documents and Settings\All Users\Application Data\sypi.ban"
C:\Documents and Settings\All Users\Application Data\ulowiv~1.db   
C:\Documents and Settings\All Users\Application Data\zahubu~1.db   
C:\Program Files\Common Files\axez.lib      
C:\Program Files\Common Files\coholy.db    
C:\Program Files\Common Files\idabo.db

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the prvevious file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combo.

 

* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::


DirLook::
C:\Program Files\There

File::
C:\WINDOWS\facov.com

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now download and install:
Java Runtime 6

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combo.

 

Your logs look clean.

You can delete:
C:\Program Files\There as it appears to be empty anyway.

If you are not having any other malware issues, it is time for the final cleanup:

 

You are most welcome...safe surfing.