Are my logs clean?

Discussion in 'Malware Help (A Specialist Will Reply)' started by mikesjr_19, May 26, 2008.

  1. mikesjr_19

    mikesjr_19 Private E-2

    I just finished the malware guide (very helpful!) and was going to proceed to the toggle system restore step. I wanted to make sure that my logs were clean before I move onto that step, just so I don't get a problem along the way.

    Everything seems clear and clean, but just to be on the safe side. Thanks a lot in advance.

    P.S. After finishing the malware guide, are there any programs or files that I should remove?


    Thanks!
     

    Attached Files:

  2. mikesjr_19

    mikesjr_19 Private E-2

    Here's my fourth log.
     

    Attached Files:

  3. mikesjr_19

    mikesjr_19 Private E-2

    Oops...triple post.
     
  4. abri

    abri MajorGeek

    Hi Mikesjr_19,

    The scans removed a lot of malware and there is still malware on your computer that we'll now work on removing manually. Please don't use your computer any more than necessary and don't reboot it unnecessarily until one of us can post a set of instructions to you. Rebooting causes some forms of malware to get going again.

    abri
     
  5. abri

    abri MajorGeek

    Hi Mikesjr_19,

    Please don't bump unless someone hasn't answered for at least 36 hours. It has the effect of putting you at the bottom of the list. It does occur that one of us overlooks a post, but not very often.

    1) To begin with, please disable Spybot's TeaTimer. This can be done two ways.
    First:
    • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
    • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
    • If you have Version 1.4, Click on Exit Spybot S&D Resident
    or Second, For Either Version :
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go To the bottom of the Vertical Panel on the Left, Click Tools
    • then, also in the left panel, click Resident (shows a red/white shield).
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot


    2) Go to add/remove programs and uninstall the below:

    Nielsen//NetRatings


    3) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: (no name) - {77201374-C2C3-4BBB-ABC2-085D2F2CEE31} - C:\WINDOWS\system32\jkkIYsRH.dll (file missing)
    O4 - HKLM\..\Run: [NielsenOnline] C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\APPLIC~1\YMBOLS~1\arpa.exe" -vt ndrv
    O4 - HKCU\..\Run: [Toecbk] C:\DOCUME~1\Owner\MYDOCU~1\WNSXS~1\MDTC~1.EXE
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

    Do the following belong to programs you know or want to keep? If not, please fix them as well.

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

    After you click fix, just close hijackthis.


    5) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):


    Code:
    KILLALL::
    
    DRIVER::
    a3066
    nnrnstdi
    
    DIRLOOK::
    C:\Documents and Settings\Owner\!
    
    FILE::
    C:\WINDOWS\system32\drivers\a3066.sys
    C:\Documents and Settings\Owner\Local Settings\temp\okal010p.exe
    C:\WINDOWS\BM27d0048e.txt
    C:\WINDOWS\system32\g46.exe
    C:\WINDOWS\system32\taskkill.exe
    C:\WINDOWS\system32\jkkIYsRH.dll
    C:\WINDOWS\system32\nlqtdywx.dll
    C:\WINDOWS\astctl32.ocx
    C:\WINDOWS\rundll32.vbe
    C:\WINDOWS\system32\g46.exe
    C:\WINDOWS\system32\hljwugsf.bin
    
    FOLDER::
    C:\WINDOWS\system32\vntiho05
    C:\WINDOWS\system32\igv
    C:\WINDOWS\system32\hI2
    C:\WINDOWS\system32\dvd2
    C:\WINDOWS\system32\at1
    C:\WINDOWS\system32\1064a
    C:\Documents and Settings\Owner\!
    C:\Temp\vtmp2
    
    REGISTRY::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77201374-C2C3-4BBB-ABC2-085D2F2CEE31}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF95F1FE-88E6-42B1-AC6E-A5D348C41532}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Notn"=-
    "Toecbk"=-
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    6) Now run CCleaner at the default setting with the Windows tab as the top one.

    7) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log.


    Let me know how things are running now?

    abri
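    As an added example (not code from this thread, and not HijackThis's or ComboFix's own code), the script below parses the HijackThis lines abri lists in step 4 and the CFScript from step 5, marks the structural warning signs visible in those entries (a file that is missing, a BHO with no name, an autostart that runs from the user profile), and then reports which flagged findings the CFScript actually covers. The CFScript section names and the `"name"=-` / `[-key]` removal syntax are used only as they appear in the posted script; the sample input is copied from the posts above. The judgment calls abri also made (Nielsen//NetRatings as unwanted, the RealPlayer/QuickTime/Java updaters as unnecessary startup items) are not modelled, and WeatherBug shows up as "not in script" because, as in the thread, it is handled through the HijackThis fix rather than ComboFix.

```python
"""Added example (not the forum's or the tools' own code): parse the
HijackThis lines quoted in step 4 and the CFScript from step 5, flag the
structural warning signs, and check which flagged findings the script
covers. Sample input is copied from the thread above."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# HijackThis lines from the thread (constructed input for this example).
HJT_LINES = [
    r'O2 - BHO: (no name) - {77201374-C2C3-4BBB-ABC2-085D2F2CEE31} - C:\WINDOWS\system32\jkkIYsRH.dll (file missing)',
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    r'O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\APPLIC~1\YMBOLS~1\arpa.exe" -vt ndrv',
    r'O4 - HKCU\..\Run: [Toecbk] C:\DOCUME~1\Owner\MYDOCU~1\WNSXS~1\MDTC~1.EXE',
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r'O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)',
]

# Abridged copy of the CFScript from the thread (constructed input).
CFSCRIPT = r"""
KILLALL::

FILE::
C:\WINDOWS\system32\jkkIYsRH.dll
C:\WINDOWS\system32\g46.exe

REGISTRY::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77201374-C2C3-4BBB-ABC2-085D2F2CEE31}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Notn"=-
"Toecbk"=-
"""


@dataclass
class Finding:
    section: str                 # O2, O4 or O9
    name: str                    # Run value name, BHO name or button caption
    path: str                    # executable/DLL path with annotations stripped
    where: str                   # O4: registry location; O2/O9: the CLSID
    flags: List[str] = field(default_factory=list)


RE_O4 = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
RE_CLSID = re.compile(r'^O(?P<sec>2|9) - (?:BHO|Extra button): (?P<name>.*?) - '
                      r'(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<rest>.*)$')
RE_EXE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|com|scr|bat|cmd|vbe|vbs))"?(?:\s+.*)?$', re.IGNORECASE)
RE_ANNOT = re.compile(r'(\s+\([^)]*\))+$')           # trailing "(file missing) (HKCU)"
RE_PROFILE = re.compile(r'\\(?:DOCUME~1|Documents and Settings)\\', re.IGNORECASE)


def parse_hjt(line: str) -> Optional[Finding]:
    """Turn one O2/O4/O9 line into a Finding with structural warning flags."""
    line = line.strip()
    m = RE_O4.match(line)
    if m:
        exe = RE_EXE.match(m['cmd'])
        path = exe['path'] if exe else m['cmd']
        f = Finding('O4', m['name'], path, f"{m['hive']}\\..\\{m['key']}")
    else:
        m = RE_CLSID.match(line)
        if not m:
            return None
        f = Finding('O' + m['sec'], m['name'], RE_ANNOT.sub('', m['rest']), m['clsid'])
    # Structural signs an analyst looks at first; judgment calls such as
    # known-unwanted programs or redundant updaters are not modelled here.
    if '(file missing)' in line:
        f.flags.append('file missing')
    if f.name.strip().lower() in ('', '(no name)'):
        f.flags.append('no name')
    if RE_PROFILE.search(f.path):
        f.flags.append('runs from user profile')
    return f


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its 'NAME::' sections, each a list of non-empty lines."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith('::'):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def covered_by(script: Dict[str, List[str]], f: Finding) -> List[str]:
    """Return which CFScript directives address the finding ([] = not covered)."""
    hits: List[str] = []
    if f.path.lower() in {p.lower() for p in script.get('FILE', [])}:
        hits.append('FILE')
    reg = script.get('REGISTRY', [])
    if f.section == 'O4':
        if f'"{f.name}"=-' in reg:            # value removed under a [key] header
            hits.append('REGISTRY value deleted')
    elif any(r.startswith('[-') and f.where.lower() in r.lower() for r in reg):
        hits.append('REGISTRY key deleted')   # whole CLSID key removed
    return hits


def coverage_report(lines: List[str], script_text: str):
    """Map each flagged finding's name to (flags, directives that cover it)."""
    script = parse_cfscript(script_text)
    report = {}
    for line in lines:
        f = parse_hjt(line)
        if f and f.flags:
            report[f.name] = (f.flags, covered_by(script, f))
    return report


if __name__ == '__main__':
    for name, (flags, hits) in coverage_report(HJT_LINES, CFSCRIPT).items():
        print(f'{name:12} flags={flags} covered_by={hits or "NOT IN SCRIPT"}')
```

    Run it as-is and it prints one line per flagged entry; the useful output is the "NOT IN SCRIPT" case, which tells a reviewer that a flagged autostart still needs to be handled by another step (here, the HijackThis fix) before declaring the machine clean.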
     
  6. mikesjr_19

    mikesjr_19 Private E-2

    Alright, thanks abri. I ran everything and it seems to be clean (then again, it seemed that way before I posted this topic). Here are my logs from the new scan.

    Thanks a ton for helping me out.

    [UPDATE] The file size for Combofix.txt exceeds the forum attachment limit. How else would you like me to get them to you?
     

    Attached Files:

  7. abri

    abri MajorGeek

    Hi mikesjr_19,
    Zip the combofix log please. I expect the reason it's so large is because it couldn't read the ! and gave me a listing of your entire owner directory. I'd rather not have you redo it though, because then it will write over this log and we'll lose the information we need.
    abri
     
  8. abri

    abri MajorGeek

    Hi mikesjr_19,
    Because I didn't know the end result of what happened when I asked for the search of and the deletion of the folder called ! under the folder Owner, I wanted to ask if you could post back and let me know what happened after this last combofix run? The information from this log would be useful to understand what combofix does with a search for a character that it may or may not recognize, but more importantly, I would like to know how your computer is doing.
    Thanks for taking a moment to get back to us.
    abri
     
  9. mikesjr_19

    mikesjr_19 Private E-2

    Back from the hiatus...sorry for the absence.

    I have the combofix.txt file now (hopefully) compressed, so I attached it onto this post. As to how my computer is running, it's great. I really wouldn't have noticed anything wrong with it if you hadn't asked me to manually fix some things.

    Here you go, and thank you for everything (especially being patient in my absence).
     

    Attached Files:

  10. abri

    abri MajorGeek

    Hi mikesjr_19,

    Did you happen to open the file you posted to me and look at it? I meant to look at the contents of the folder called ! but left it to be deleted at the same time, so what's in your log is a list of everything that was in that folder and since all those files were deleted, there will additionally be a backup of all of them as well. Please open the log file (it's a text file) and look at the contents. You can open it directly here at the site by clicking on the zip file you attached and then selecting open rather than save to disk. Then just click on the .txt file inside. They are very um ... entertaining. ;)

    Please see if you can get the following folder out of your computer:

    C:\Documents and Settings\Owner\Local Settings\Application Data\Wildtangent

    It may complain when you try to delete it. If so, delete the contents of the folder first and then the folder.


    abri
     
    Last edited: Jun 3, 2008
  11. mikesjr_19

    mikesjr_19 Private E-2

    Yes, yes...I've been working on building my video collection for the past five years.

    Not at all.

    I thought that list was a database of all the bad movie files that the program used to search with...apparently it was a list of all the files on my computer? I don't think they were complete movie files, because I couldn't store them all. Always good for a laugh, though.

    Other than that list, am I all clear?

    (I was able to delete the folder and all of its contents)
     
  12. abri

    abri MajorGeek

    Hi mikesjr_19,

    They're a marketing device used by companies that want to sell you the more complete version. They offer a small sample to try and get you interested in paying. (and paying. and paying)

    Now I will give you a set of instructions to remove all the tools and logs we had you install and for clearing your previous restore points and setting a new one. There's also a good and easy read on How to protect yourself from malware, which I recommend. If you want to keep HijackThis (analyse.exe), then please skip the step which asks you to remove HijackThis via add/remove programs and see the extra instructions in brown at the bottom of the box.
    abri
     
    Last edited: Jun 5, 2008
