1. Markuk86

    Markuk86 Private E-2

    Hey guys and girls!

2 days ago I got screwed. Some crap was installed on my PC: Braviax and a load of other DLLs. I couldn't run Spybot or HijackThis unless I renamed them. And no matter what I deleted, when I rebooted the spyware crap came back! I have managed to delete quite a few things and it doesn't seem as bad now, but I still have this Braviax rubbish and probably other rubbish too! I also have a red circle with a white X in my tray. And I can't remove it at all; MalwareAlarm keeps installing itself, even though I have removed it several times!

    When I managed to get Spybot working it did find a lot of things, and I clicked remove. And they just keep coming back! Also I went on HouseCall, and that found a load of rubbish too! It removed most things apart from Braviax!
    When I click on websites, I usually get redirected to other sites with more popups. I cannot get on certain websites, as it just sends me elsewhere!

    Could someone please have a look at my log file and give me some help in removing all this crap from my PC.

    Thanks in advance!
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. Markuk86

    Markuk86 Private E-2

    Hello, I have done the things listed there. Here is a new scan log.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm sorry but you need to attach ALL of the logs requested in the procedure after you have run all of the steps in the order they are written. You have not attached the logs from SUPERAntispyware and ComboFix, and that is because you have not even run them or even downloaded them. In addition, another sign that you are not following the steps in the READ ME is that you have Spybot - Search & Destroy 1.3 installed, which is 4 years out of date and is not what we asked you to download, install and run in the READ ME. You must complete ALL of the steps or we cannot help you remove your malware. And you have a lot to remove, which is why all the steps are important.

    So this time start at the beginning and do not skip any steps. Then attach all of the logs requested when you finish. The logs are listed in the READ ME under the procedure for your Windows version which is Windows XP.
     
  5. Markuk86

    Markuk86 Private E-2

    Hello again. Sorry about before. I got a bit confused with the last part!

    Anyway! All done now... I hope.

    I did have to rename those programs to use them.

    The rubbish has disappeared, so hopefully it's gone.

    Could someone have a look at my log files and let me know if anything is still hanging around.

    Thanks again, and sorry about before!
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still skipped an important part of step 1 in the READ ME. You ignored the instructions about not using MSconfig. You must put your system into Normal Startup mode as requested and you must remain in this mode. You have malware trapped in MSconfig.

    Also note that ComboFix has detected that the below are infected:
    Since an infected antivirus program really cannot be trusted to properly protect you and the other programs cannot be cleaned, we will have to delete some of these but first it would be better if you would just uninstall some of these and when we finish your malware removal, you can then reinstall what you need. Thus uninstall the below now:

    ATI Catalyst Control Center
    BT Yahoo! Applications
    DAEMON Tools
    Google Toolbar
    McAfee
    MSN Messenger
    Pinnacle InstantCD/DVD Suite
    OneTouch Version 3.0 <--- for the Visioneer stuff

    And then we will just manually delete the below file that you don't need anyway:
    C:\WINDOWS\system32\NeroCheck.exe
    C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe


    After doing the above (don't forget to get in Normal Startup mode with MSconfig) do the below.


    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    File::
    C:\wpohl.exe
    C:\WINDOWS\BM1fcc499e.txt
    C:\WINDOWS\BM1fcc499e.xml
    C:\WINDOWS\cefiwumec.dll
    C:\WINDOWS\daxemezudo.exe
    C:\WINDOWS\hyle.scr
    C:\WINDOWS\kytanero.db
    C:\WINDOWS\oqytonu.dl
    C:\WINDOWS\pazujowes.vbs
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\udadoh.com
    C:\WINDOWS\yraxi.dll
    C:\Program Files\Common Files\ciwyv.bat
    C:\Program Files\Common Files\divylugy.reg
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  7. Markuk86

    Markuk86 Private E-2

    Hello again. Once again I am sorry about Normal Startup mode. I did set it and it set itself back. I have tried to do it again but it just goes back.

    Here are the logs you requested.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In your last MGlogs.zip file the HijackThis log was not new. Did you do something to block analyse.exe from running? Please delete the current C:\MGlogs.zip file. We will get a new one at the end of this procedure.

    It may be okay now, but we have some cleanup to do because of using MSconfig. We will do it the easy way to remove a whole bunch of orphaned entries using a registry patch.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Look for the below file and delete it if found:
    C:\WINDOWS\system32\encarwem.dll


    Is the below link on your Desktop something you put there? If not then delete it.
    Code:
    "C:\Documents and Settings\All Users\Desktop\"
    yjh.lnk        1 Mar 2008         792  "yjh.lnk"
    Did you disable notification of Microsoft Update being turned off?

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  9. Markuk86

    Markuk86 Private E-2

    Hello.

    C:\WINDOWS\system32\encarwem.dll This file was not there.

    "C:\Documents and Settings\All Users\Desktop\"
    yjh.lnk 1 Mar 2008 792 "yjh.lnk"

    That is the super antivirus program; I had to rename it to run it.

    Did you disable notification of Microsoft Update being turned off?

    Didn't know about this.

    Here's a new log, thank you for helping me!
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    How did you miss the very large bold print saying don't forget to tell me how things are working? ;) We'll try again this time!


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)


    After clicking Fix, exit HJT.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
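As an added example (not from this thread, HijackThis or the MGtools package), a small Python parser for the HijackThis O2/O3/O4/R3 line formats quoted above that flags orphaned entries: those whose target reads "(no file)" or whose file is absent from a constructed list of files present on disk. SAMPLE_LINES and PRESENT_FILES are constructed from the lines in this thread; on a real machine the presence check would use os.path.exists.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
# Constructed sample: the HijackThis lines quoted earlier in this thread.
SAMPLE_LINES = r"""O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)""".splitlines()

# Constructed stand-in for a directory listing; a real run would use os.path.exists.
PRESENT_FILES = {
    r"C:\WINDOWS\system32\NeroCheck.exe",
    r"C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe",
}
@dataclass
class HjtEntry:
    section: str           # O2, O3, O4, R3, ...
    location: str          # registry key (O4) or hook type (BHO, Toolbar, URLSearchHook)
    name: str              # bracketed value name (O4) or display name
    clsid: Optional[str]   # GUID for BHO/toolbar/search-hook entries, else None
    target: str            # executable path, or "(no file)" for an orphan

# O4 lines: "<registry key>: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<target>.+)$")
# O2/O3/R3 lines: "<type>: <display name> - {<CLSID>} - <file or (no file)>"
CLSID_RE = re.compile(r"^(?P<loc>[^:]+): (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$")

def _exe_path(command: str) -> str:
    # Strip surrounding quotes and any arguments so only the executable path remains.
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command

def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    section, sep, rest = line.strip().partition(" - ")
    if not sep:
        return None
    m = O4_RE.match(rest) if section == "O4" else CLSID_RE.match(rest)
    if not m:
        return None
    return HjtEntry(section, m.group("loc"), m.group("name"), m.groupdict().get("clsid"), _exe_path(m.group("target")))

def find_orphans(lines: Iterable[str], present_files: Iterable[str]) -> List[HjtEntry]:
    # Orphan: the target is "(no file)" or the file is absent from the supplied listing.
    present = {p.lower() for p in present_files}
    entries = filter(None, map(parse_hjt_line, lines))
    return [e for e in entries if e.target == "(no file)" or e.target.lower() not in present]
```

With the constructed listing, only the three CLSID entries come back as orphans; the two O4 entries are valid autostarts that the thread removes for a different reason (unneeded software).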
  11. Markuk86

    Markuk86 Private E-2

    All done!

    Thank you so much for all your help! :)
    Everything is working fine now!

    thanks again!!!
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note: The space between the X and the /U, it must be there.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work through the below link:

    Then you can reinstall any software that we uninstalled if you need them. Except do not reinstall McAfee since you have AVG7 installed.
     
