Can't get rid of malware (I think)

Discussion in 'Malware Help (A Specialist Will Reply)' started by cc117, Nov 4, 2010.

  1. cc117

    cc117 Private E-2

    Ok, I will start off like most by saying I am completely new to all this. Usually I am able to fix things with a little research and loading some removal tool. I have tried all things such as starting in safe mode and running a scan. Anyway I have a log which I hope you can help me with. I am not technically minded so please spell it out.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 22:21:42, on 04/11/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17091)
    Boot mode: Normal

    Edit by chaslang: Inline HJT log removed. READ & RUN ME FIRST. Malware Removal Guide sticky not followed.



    Thanks again in advance, any help at all is appreciated :)
     
    Last edited by a moderator: Nov 4, 2010
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please read ALL of this message including the notes before doing anything.


    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. cc117

    cc117 Private E-2

    Ok, sorry about that. I did as much of the procedure as I could but could not do the ComboFix. I will try to attach the logs. Please help, I have lost days on this. :) Just let me know if I need to get a professional cos I am failing miserably here. I am having trouble even following your instructions even though they are clear.
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to attach the log from running C:\MGTools.exe --> C:\MGLogs.zip.
     
  5. cc117

    cc117 Private E-2

    Hiya I think this is it
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download and put ComboFix directly on your desktop. Do not run it yet.

    Please use add/remove programs to uninstall:
    J2SE Runtime Environment 5.0 Update 2


    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now download and install:
    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  7. cc117

    cc117 Private E-2

    Hiya, did everything that you told me. Thanks so much for all your help. I think all is well, I didn't really check as I was busy doing this and wanted to get back to you before bed. Anyway I really appreciate you taking the time and energy. Cheers :)
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. We have one more little fix to do.



    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O20 - Winlogon Notify: cryptnet32 - Invalid registry found

    After clicking Fix, exit HJT.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
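The HJT lines quoted above are the kind of thing a helper reads by eye. As an added example (not part of this thread and not code from HijackThis or MajorGeeks), here is a small Python parser for that log format: it pulls apart O2/O3/O4/O20 entries, flags the orphaned ones ("(no file)", "Invalid registry found") that only need removing, and lists every O4 autorun with its executable and arguments for review. The sample log is constructed from the lines in the post above plus a log header and one ordinary ctfmon.exe autorun; the field names and triage rules are my own, not HijackThis conventions.

```python
"""
Parse HijackThis (HJT) log lines and flag the entry types fixed in this thread:
orphaned BHO/toolbar entries ("(no file)"), broken Winlogon Notify entries
("Invalid registry found") and O4 autorun entries, which are listed for review.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Every HJT finding looks like "Oxx - <body>"; O4 bodies look like
# HKLM\..\Run: [ValueName] "C:\path\prog.exe" /args
HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
O4_BODY = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
ORPHAN_MARKERS = ("(no file)", "Invalid registry found")


@dataclass
class Entry:
    section: str                 # "O2", "O3", "O4", "O20", ...
    raw: str                     # text after "Oxx - "
    name: Optional[str] = None   # value name, BHO/toolbar label or Notify subkey
    clsid: Optional[str] = None  # O2/O3 only
    hive: Optional[str] = None   # O4 only: HKLM / HKCU
    key: Optional[str] = None    # O4 only: Run / RunOnce ...
    path: Optional[str] = None   # O4 only: executable launched
    args: str = ""               # O4 only: command-line arguments
    orphaned: bool = False       # registry entry points at nothing on disk


def split_command(cmd: str) -> Tuple[str, str]:
    """Split an autorun command into (executable, arguments); handles quoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an 'Oxx - ...' line, or None for headers and other text."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    e = Entry(section=section, raw=body)
    e.orphaned = any(marker in body for marker in ORPHAN_MARKERS)
    if section == "O4":
        m4 = O4_BODY.match(body)
        if m4:
            e.hive, e.key, e.name, cmd = m4.groups()
            e.path, e.args = split_command(cmd)
    elif section in ("O2", "O3"):
        # "BHO: <label> - {CLSID} - <dll path or (no file)>"
        parts = body.split(" - ")
        e.name = parts[0].split(": ", 1)[-1]
        if len(parts) > 1:
            e.clsid = parts[1]
    elif section == "O20":
        # "Winlogon Notify: <subkey> - <dll path or status>"
        e.name = body.split(": ", 1)[-1].split(" - ")[0]
    return e


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (section, name, reason) for every entry worth a second look."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e.orphaned:
            findings.append((e.section, e.name or e.raw,
                             "orphaned: registry entry references a file that is gone"))
        elif e.section == "O4":
            findings.append((e.section, e.name or e.raw,
                             f"autorun ({e.hive} {e.key}): {e.path} {e.args}".rstrip()))
    return findings


# Constructed sample: the lines quoted in post #8 of the thread, plus a log header
# and one ordinary XP autorun (ctfmon.exe) to show an unquoted, argument-free command.
SAMPLE_LOG = [
    "Logfile of Trend Micro HijackThis v2.0.4",
    "O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)",
    "O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)",
    "O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)",
    r'O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP',
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    "O20 - Winlogon Notify: cryptnet32 - Invalid registry found",
]

if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {name:32} {reason}")
```

Orphaned entries are reported as safe cleanup, while autoruns are only listed: whether an O4 entry is legitimate (the AVG tray program) or unwanted (the Messenger autorun removed above) is a judgement the parser leaves to the reader.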
     
  9. cc117

    cc117 Private E-2

    Hiya did that, am I fixed yet :)
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, your logs are clean.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  11. cc117

    cc117 Private E-2

    Hiya, sorry, me again. The laptop is starting up fine with no error message but I still have a random window opening up with various search pages. Can you help? It closes down when I click it but I am just wondering if I could get rid of it. Thanks
     
  12. cc117

    cc117 Private E-2

    Ok lads, I am so sorry but I need your help again. I was making sure everything was ok and ran my free AVG and it has picked up a load of viruses (sp?) which it says cannot be moved as they are in a critical location. Also the AVG resident shield keeps popping up. Can you help pleeaasse? :)
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you complete all of my final instructions including the toggling of System Restore in step # 9? If not then this is likely why.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Random window?
    What does it say and when do you get it?
    Is it only when on certain websites?
    What browser are you using when it appears?
     
  15. cc117

    cc117 Private E-2

    Ok, sorry about this. I did all of the steps that you said. The window that pops up is gameo or something like that. Another thing is I can't do my Windows update. It comes up that the internet can't connect.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to be exact or instructions cannot be exact and you need to answer the rest of the questions I asked.
     
  17. cc117

    cc117 Private E-2

    Ok, it seems to happen when I update AVG. It is coming up multiple threat detection and then some of the viruses identified are win32/patch.....
    It is getting worse now
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you toggle System Restore? Did you uninstall Combofix? If not, you must make sure you do both of these steps.

    Attach a log from a full scan with AVG.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also download TDSSKiller from Kaspersky directly onto your Desktop
    • Now double click the TDSSkiller.exe file to run it ( if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrator. )
    • Allow the application to run if prompted by Windows or any security programs you have installed
    • It will start the scan and run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    • Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )
     
  20. cc117

    cc117 Private E-2

    Yes I did system restore, I think I did it right but not sure. It's even hard to get into Internet Explorer. The threats just keep popping up, need help quick
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do what I asked in my last two messages. That is, run a full scan with AVG and attach the log. Then run a scan with TDSSkiller and attach the log.

    We may need to have you download and run ComboFix. We will tell you if/when this is needed, but you will have to uninstall AVG before trying to download and run ComboFix since AVG is problematic for some specialty tools including ComboFix. ComboFix will not run properly with AVG installed.
     
  22. cc117

    cc117 Private E-2

    Where do I get my AVG scan results? Every time I try to attach the file it is invalid
     

    Attached Files:

  23. cc117

    cc117 Private E-2

    Hiya, I think this is the AVG log. Could be wrong. The multiple threat detection window is popping up constantly now, making it very hard even to post
     

    Attached Files:

  24. cc117

    cc117 Private E-2

    Help needed really badly here.
     
  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Do you have your operating system CD?
     
  26. cc117

    cc117 Private E-2

    No, I have Microsoft Works 8. That's not it, is it?
     
  27. cc117

    cc117 Private E-2

    Hiya, just wondering, should I begin again at the malware removal? Would this help?
     
  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No, we need to replace two system files. So we need the XP CD to do this. We can try having you create a recovery console disc, which you could then boot to. You will need to use another computer to create the disc and then change your boot record file in the bios so that the cd drive is the first boot device.

    Here is the link for creating an xp recovery console disc:
    This is a download of an .iso file of just the Recovery Console for XP.
    Burn to CD with Nero or other 'disc image' capable tool and boot.

    XP Recovery Console.

    Tell me if you are able to do this.
     
  29. cc117

    cc117 Private E-2

    Hiya, I found a Toshiba product recovery CD. Is this the one I need?
     
  30. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That may or may not work. Can you use it to boot into the recovery console?
     
  31. cc117

    cc117 Private E-2

    Sorry about this, but what do you mean? Will I put it in the computer and go from there? Excuse my ignorance.
     
  32. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No, you have to get into the BIOS before you can run it. That means on startup, you should see a message telling you what to hit to access the BIOS, possibly F12. Once in the BIOS, you need to click on the boot order tab and change the first boot device to the CD drive. Make the hard drive the second device. Then put the disc in the computer and reboot. It will ask you if you want to boot from the CD and you will just hit the enter key. Then see what options you have with that disc. It may only give you the choice to put it all back to factory settings, meaning you will lose everything. But we need to know if it will give you the option to get into the recovery console.
     
  33. cc117

    cc117 Private E-2

    Hiya, it gives me three options and one is expert recovery mode. What will I do now?
     
  34. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you can get into the Recovery console, do this:
    This assumes that D: is your cd drive letter. The last command should reboot your PC. Remove the CD and see if Windows will boot.
     
  35. cc117

    cc117 Private E-2

    I changed the boot order. It gives me the 3 options, 2 being expert recovery mode. When I hit 2 it comes up press any key to continue, then the prompt is local options or quit. Press local disk partition check are the next options. If I press disk from image comes up. Anyway I don't see a C:\Windows prompt. What am I doing wrong?
     
  36. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It sounds as though the Recovery Disc will only allow you to re-image your computer ( though one may allow for a re-image that keeps your files and settings, but I don't know if that is the case). I would suggest you create the Recovery CD that I linked you to before and try booting to that. Then we can try replacing the two system files.
     
  37. cc117

    cc117 Private E-2

    Cheers, will try to do that tomorrow. Cheers
     
  38. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you are able to create that disc, then run what I posted in message #34. I will be back to check on you tomorrow. ;)
     
  39. cc117

    cc117 Private E-2

    Hiya, I am on my brother's laptop trying to load that link to the Windows recovery disk and it keeps coming up "the feature you are trying to use is on a network source that is unavailable". What do I do now?
     
  40. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That link should just open a download file. Is your brother's machine also an XP system? Does he have an XP CD of the same version as what you have?
     
  41. cc117

    cc117 Private E-2

    No, he has no CD either. I can't seem to download it. The message comes up when it has downloaded.
     
  42. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  43. cc117

    cc117 Private E-2

    No, that's not working either. It says an installation package for Sonic Record cannot be found.
     
  44. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are going to have to find an XP CD of the same version as what you have installed. Ask around. See if you can borrow one from someone, otherwise you will be stuck with having to re-image your system with the recovery disc. That will wipe out everything and put you back to when you first got the machine.
     
  45. cc117

    cc117 Private E-2

    Thanks I will try to get one :)
     
  46. cc117

    cc117 Private E-2

    Ok, I got an XP disc and put it in. I changed the laptop to boot from CD. I picked to go into recovery mode but when I got to the C:\ prompt bit I typed in the copy d.................. and it comes up the parameters are not valid.
     
  47. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Is your CD drive letter D:\ ?
    It should first come up as:
    C:\Windows and you would just type:
    copy D:\i386\explorer.ex_ explorer.exe
    cd system32
    copy D:\i386\winlogon.ex_ winlogon.exe
    exit
     
  48. cc117

    cc117 Private E-2

    ok it comes up microsoft windows xp recovery console
    the recovery console provides system repair and recovery functionality
    Type exit to quit the recovery console and restart the computer

    1: C:\WINDOWS

    Which windows installation would you like to log onto
    <to cancel, press ENTER>? (I pressed 1)

    Type the administrator password:
    (I just pressed Enter as I don't know it)

    C:\WINDOWS (I pressed copy D:\i386\explorer.ex_explorer.exe
    it comes up
    The system cannot find the file specified

    So should I just go for the whole thing to be recovered?
     
  49. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If this is the same version of windows as what you have installed and you have your installation key somewhere on the computer ( usually the bottom of a laptop or the back of a desktop ) then you can try doing a repair install. That means you don't hit R the first time, but do the second time.
     
  50. cc117

    cc117 Private E-2

    What do you mean, on the first window?

    To set up windows xp now press enter

    to repair a windows xp installation using recovery console, press R

    to quit setup without installing windows xp, press F3

    Do you mean don't press R here?

    or where it says

    1:C:\WINDOWS

    which windows installation would you like to log onto (to cancel, press ENTER)?


    Do I press 1 here?

    Sorry, I probably sound so hopeless.
     
