bolenja and more infection

If you ran MGtools and followed the instructions, you should be attaching the C:\MGlogs.zip file not a HijackThis log from the MGtools folder.

Did you try to run ComboFix in safe mode?

I'll will give you something to run below, but you will have to run these steps in normal boot mode because Avenger will not run in safe mode.

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bolenja] bolenja.exe
O4 - HKLM\..\Run: [bolenjx] bolenjx.exe
O4 - Global Startup: bddm.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O20 - AppInit_DLLs: kus109.dat

NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

After clicking Fix, exit HJT.


Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Make sure you tell me how things are working now!

 

You are still infected. It is possible that your protection software is getting in the way of our removal.

First uninstall AVG Antispyware now. Then shut down any other protection software you have running (like Symantec or anything else). Then continue onto the below instructions.

Have you tried running ComboFix again? Have you tried running it in safe mode as requested if it would not run in normal mode?

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 5

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the
following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are
reading in right now:

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: kus109.dat

NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

After clicking Fix, exit HJT.

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Make sure you tell me how things are working now!

 

It is not a good idea to just delete things if they cannot be uninstalled. It will now not be possible to properly uninstall the programs so that all registry entries and other info can be properly cleaned up.

Sounds like you chose safe mode with command prompt? Is that what you chose?

Well not successfully. Avenger did not run properly. Try the Avenger fix again after making sure all protection software is shutdown. Then attach the same new logs that I requested.

 

I did not realize it until just now but you have not been using the current version of MGtools. Please follow the instructions in this link Using MGtools and download the new version of MGtools.exe from the link provided in those instructions. Then attach a new MGlogs.zip file.

Now I have another very important question to ask and I need you to answer this honestly. Had you been working on fixing malware problems in another forum at anytime? It is not a problem if you had but I need to know for sure because there are issues showing in your ComboFix log that seem to point towards an incorrect procedure being used to fix problems at one time and it is critical that I know if you had tried to fix problems elsewhere. If you did, can you point me to the thread where you were working on the problems. This may help us to get you properly fixed this time and it may serve to help others that show similar problems. Some of the valid programs installed on your PC may be infected. The below are indicated by ComboFix:

If these really are infected, you will have to uninstall these program and delete their folders. Then you will have to reboot, and reinstall any of these that you still need.

 

Okay thanks for the info.

Okay we will try to correct these issues although the printer issue may not be due to malware.

Please perform all the below steps in the order written.

• Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
• On the page that opens, scroll down to Print Spooler
• then right click the entry, select Properties
• On the next form make sure the Start-up Type is set to Automatic
• And then make sure the Service status says Started. If it is Stopped, click the Start button.
• Click OK until you get back to Windows.

Let me know if the above fixes your printer issues.


Unless you know what the below shortcut link is then you should delete it as it looks like malware

Code:

"C:\Documents and Settings\All Users\Desktop\"
76mpo0~1.lnk  Sep 20 2007        1844  "76mpo0jhluo9nrik8ujtyfk98hu6.lnk"

Do you know what the below are? Possibly screen savers? If unknown then delete them.

Code:

"C:\WINDOWS\"
beach_kc.scr  Nov 23 2007     5627184  "beach_kc.scr"
beauty_k.scr  Nov 23 2007     5684212  "beauty_k.scr"
bonefish.scr  Nov 17 2007     5221944  "bonefish.scr"
uninst~1.exe  Nov 17 2007      231330  "uninstall bonefish.exe"
uninst~2.exe  Nov 23 2007      231330  "uninstall beach_kc.exe"
uninst~3.exe  Nov 23 2007      231330  "uninstall beauty_k.exe"

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe nogui
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

After clicking Fix, exit HJT.


NOTE: Remember that we are now uninstalling the below because they are infected. Some of these are software items that came installed on your HP computer or are related to other hardware like your HP printer or camera. There are a few items that I have no idea what to uninstall inorder to remove the files. HP has about 25 or so different items installed on your PC and I don't know which particular software component caused certain files to be created. Thus we will just delete the infected files in those cases. We removed ceratin registry keys related to these startup programs above so that you do not receive errors when you boot up. You may have issues later on using certain software that these could effect. You will have to deal with those when the time comes and possibly reinstall other programs.

Uninstall all of the below. Do not attempt to reinstall any of these until I say you should. If you still cannot uninstall programs then STOPright here and come back and tell me. This also may not be a malware issue.
J2SE Runtime Environment 5.0 Update 5
Java(TM) 6 Update 3
Norton Internet Security
LiveUpdate 2.7 (Symantec Corporation)
Google Toolbar for Internet Explorer
HP Boot Optimizer
MSN Messenger 7.0
PC-Doctor 5 for Windows
RealPlayer



Run avenger.exe by double-clicking on it.

• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

Now run Ccleaner!

Now run ComboFix again. Use Safe Boot mode if necessary.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

Then attach the below new logs:

• c:\avenger.txt
• c:\combofix.txt
• c:\MGlogs.zip

Make sure you tell me how things are working now!

 

Try using this Norton Removal Tool (SymNRT) If it runs, make sure you reboot and then run it a second time and then reboot again.


Does the below file still exist? If yes, please delete it:
C:\WINDOWS\system32\drivers\^foerhjk.sys

Also delete the below folder:
C:\Program Files\DISC


Let me know the results of all the above. If you got Norton uninstall using the removal tool, then attach a new MGlogs.zip file.