Antispyware 2008 (yes, another victim)

Discussion in 'Malware Help (A Specialist Will Reply)' started by Merbeast, Aug 21, 2008.

  1. Merbeast

    Merbeast Private E-2

    Friend's mom's computer. I directed him to your site to run through the malware removal thread, but he was stymied. I have been playing on it all day today and have issues. I managed to run Spybot (although I had to run it in safe mode to get the final 56 items immunized). I ran Malwarebytes Anti-Malware and have a log. Ran ComboFix, got a log. Ran MGtools, got a log. They are attached.
    the problems:
    1) I can't uninstall or install with windows installer (that is why there is no superantispyware). I ran thru all of MS's solutions to no avail to get the installer started/updated/fixed.
    2) The machine runs like crap... well, when I run it in normal mode it runs like crap. IE is slow, the task bar (and everything on the taskbar) is almost always locked up, and even opening "my computer" is a slow and painful process. The desktop takes 10 minutes or so to show but is less buggy than the task bar. The task manager runs SWELL and I can run programs from it without issue. When I boot in safe mode with network support everything runs smoothly and normally.

    I appreciate any help or advice with this. Thanks!
     


  2. Merbeast

    Merbeast Private E-2

    Also, I did run CCleaner, both the cleanup mode and then when I realized there was a problem with the registry, I ran that part as well.
     
  3. Merbeast

    Merbeast Private E-2

    One more note. I've been googling around looking for other sources for answers, and there is still something installed that occasionally redirects a googled link. No real rhyme or reason for where it gets redirected... maybe 1 in 4 clicks on google links will result in a redirect.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Why are you running this PC with no protection software?

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Policies\Explorer\Run: [I7yKztGsWb] C:\Documents and Settings\All Users\Application Data\cnqhylcl\mlkvezwv.exe
    O9 - Extra button: (no name) - cmdmapping - (no file) (HKCU)
    O21 - SSODL: ActCfgSys - {3BFFC12A-F788-60D9-EB1A-08EA79FB9241} - C:\Program Files\hjdavqc\ActCfgSys.dll
    O21 - SSODL: tkJWNIzLA - {D8D0A5E6-727A-0F4C-4737-E2ACB5FE55C5} - C:\WINDOWS\system32\dkpl.dll
    O21 - SSODL: uidsc - {3A42CD4B-21FE-0D86-0C00-0972F86A9D26} - C:\Program Files\dezrqwe\uidsc.dll

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "All files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  5. Merbeast

    Merbeast Private E-2

    The machine is still buggy and slow. I've not tested the google redirection yet, until I can install some Anti-spyware I am hesitant to play around online. Windows Installer is still not functional. I got an error the first time I ran the getlogs.bat, and I have attached it for your convenience. I rebooted and re-ran the getlogs.bat and it was successful. I appreciate the help. Thanks!
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on your logs, it is not due to malware and neither are your problems with Windows Installer.

    We do however have one more item to remove, but after this, you will have to post in the Software Forum since your problems are most likely within Windows itself.



    Now we need to use ComboFix again.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now double click the fixme.reg saved to your desktop in the last fix and allow it to be added to your registry again.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  7. Merbeast

    Merbeast Private E-2

    I will check the software forums for the other fixes I need. Attached are the logs. I'll check back to make sure they are all clean. Thanks again for your help.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No, your logs are not clean. Part of the infection did not get removed and another item showed up. Due to this I dug a little deeper into your logs and I noticed something else. Several of your Windows system files appear to be infected. They do not show as infected in the scans and their dates and times seem correct; however, their file sizes are not correct, which means something modified them and reset the date & time back to normal to keep it from being detected. The files that I can see that are infected are:

    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\spoolsv.exe

    These are the ones that I can see. No telling if there may be others.

    Let's see if we can fix any of these the easy way. Click Start, Run, and enter sfc /scannow into the Run box and click OK. There is a space after the sfc.

    Now see if you can find the below file and delete it:
    C:\WINDOWS\system32\yayyhqhh.tmp


    After sfc finishes running, download this zip file View attachment ShowNew.zip and save it to the C:\MGtools folder. Then extract the ShowNew.bat file from this ZIP file into the C:\MGtools folder. Now run the C:\MGtools\ShowNew.bat file by double clicking on it and allow it to finish running. Be patient while it scans and collects a lot of information. A Notepad window will pop up when it finishes. Just close the Notepad window. Now attach the C:\MGlogs.zip file, which will have a new log added to it from ShowNew.bat.


    If the above does not fix all the infected system files, you may need to either install the Recovery Console, as was requested in the procedure for running ComboFix in the READ & RUN ME, or have your Windows XP bootable CD so we can boot to the Recovery Console.
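The reasoning in the post above (timestamps look untouched, sizes do not, so the file was modified and its date/time put back) is the kind of check that is easy to automate against a known-good baseline. The script below is an added example for this thread, not a MajorGeeks or chaslang tool, and the baseline and "current" listings it ships with are constructed sample data, not real Windows XP file metadata. It records size, mtime and SHA-256 for each file, then reports three cases: content changed with the timestamp restored (the timestomping pattern described above), content changed with the timestamp moved, and a file that has gone missing. Hashing is included because a replacement padded to the original size would slip past a size-only comparison.

```python
"""Compare Windows system binaries against a known-good baseline and flag
files whose content changed while their modification time did not.

Added example for this thread; not a MajorGeeks tool.  The sample baseline
and sample 'current' listing are constructed data, not real XP metadata.
"""

from dataclasses import dataclass
import hashlib
import os
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class FileRecord:
    path: str
    size: int
    mtime: int      # modification time, Unix epoch seconds
    sha256: str     # hex digest of file content


def _sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(paths: Iterable[str]) -> Dict[str, FileRecord]:
    """Build a listing from real files on disk (run once on a clean machine
    to create the baseline, again on the suspect machine to compare)."""
    out: Dict[str, FileRecord] = {}
    for p in paths:
        st = os.stat(p)
        h = hashlib.sha256()
        with open(p, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        out[p] = FileRecord(p, st.st_size, int(st.st_mtime), h.hexdigest())
    return out


def compare(baseline: Dict[str, FileRecord],
            current: Dict[str, FileRecord]) -> List[Tuple[str, str]]:
    """Return (path, finding) pairs for every baseline file that no longer
    matches.  A file whose hash and size match is never reported, even if
    its mtime moved, since touching a timestamp does not alter content."""
    findings: List[Tuple[str, str]] = []
    for path, good in baseline.items():
        cur = current.get(path)
        if cur is None:
            findings.append((path, "missing"))
            continue
        if cur.sha256 == good.sha256 and cur.size == good.size:
            continue
        if cur.mtime == good.mtime:
            # Content differs but the timestamp is unchanged: the pattern
            # described in the post (modified, then date/time reset).
            findings.append((path, "timestomped"))
        else:
            findings.append((path, "modified"))
    return findings


def sample_data() -> Tuple[Dict[str, FileRecord], Dict[str, FileRecord]]:
    """Constructed sample listings (sizes and times are invented)."""
    t0 = 1123556000  # hypothetical install-time timestamp
    svchost = r"C:\WINDOWS\system32\svchost.exe"
    explorer = r"C:\WINDOWS\explorer.exe"
    spoolsv = r"C:\WINDOWS\system32\spoolsv.exe"
    lsass = r"C:\WINDOWS\system32\lsass.exe"
    baseline = {
        svchost: FileRecord(svchost, 14336, t0, _sha256_bytes(b"svchost-good")),
        explorer: FileRecord(explorer, 1033728, t0, _sha256_bytes(b"explorer-good")),
        spoolsv: FileRecord(spoolsv, 57856, t0, _sha256_bytes(b"spoolsv-good")),
        lsass: FileRecord(lsass, 13312, t0, _sha256_bytes(b"lsass-good")),
    }
    current = {
        # size and hash differ, mtime identical -> timestomped
        svchost: FileRecord(svchost, 15872, t0, _sha256_bytes(b"svchost-patched")),
        # same size, different hash, mtime moved -> modified (size alone misses it)
        explorer: FileRecord(explorer, 1033728, t0 + 86400 * 900,
                             _sha256_bytes(b"explorer-patched")),
        # untouched
        spoolsv: baseline[spoolsv],
        # lsass.exe absent from the current listing -> missing
    }
    return baseline, current


def demo() -> Dict[str, str]:
    baseline, current = sample_data()
    return dict(compare(baseline, current))


if __name__ == "__main__":
    for path, finding in demo().items():
        print(f"{finding:12s} {path}")
```

On a live system you would run scan() over the list of system binaries on a known-clean install of the same service pack, save the result, and run scan() again on the suspect box; compare() then does the rest. The baseline has to come from the same Windows version and patch level, otherwise every legitimately updated file shows up as "modified".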
     
  9. Merbeast

    Merbeast Private E-2

    I appreciate your help, but time pressures dictated that I format and re-install. Again, thank you very much for your time and patience.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  11. Merbeast

    Merbeast Private E-2

    Yes, indeedy. It was not my computer, but before I gave it back I did install plenty of protection on it. Hopefully she will not click suspect emails again.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
