checking with HijackThis

Discussion in 'Malware Help (A Specialist Will Reply)' started by bestspirit35, Jan 20, 2011.

  1. bestspirit35

    bestspirit35 Private E-2

    On the suspicion that someone or something had control of my computer, I came here to use HijackThis. I have followed all the instructions for use, and d/l and run all the various programs. I did have some problems with the last two, RootRepeal and McTools. They were hampered by some program or control that wouldn't allow them full access to all the files on my computer. I tried to disable everything, but seemed to have missed something. I am attaching the logs that were created by these programs. I would appreciate your efforts at analyzing them and determining what my next step should be.
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Ensure that hidden files and folders are set to be shown, then rename C:\MGTools.exe to magpie.com and try to run it again. If successful then attach the C:\Mglogs.zip.
     
  3. bestspirit35

    bestspirit35 Private E-2

    Hi Kestrel, thanks for the reply.

    I checked re hidden files... and they are still UNhidden. I don't understand why they were undetected. I ran the MGTools file again, and have attached it. Hope this is what you were looking for.
     


  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Running from: c:\users\Reg\Desktop\Downloads\ComboFix.exe <--- You have combofix running from the wrong location. You need to move it to your desktop as requested before we proceed.

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode.

    You have two antivirus programs installed, which is a very bad idea. You need to uninstall one of the two below before we continue.
    • Microsoft Security Essentials
    • BitDefender Internet Security 2011

    Java(TM) 6 Update 22 <--- Uninstall this outdated Java.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double-clicking on it (Note: if using Vista, don't double-click; right-click and select Run As Administrator). This is really HijackThis (select Do a system scan only). Select the following lines, but DO NOT CLICK FIX until you exit all browser sessions, including the one you are reading in right now:

    After clicking Fix exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    C:\ProgramData\AVP11
    C:\ProgramData\bdch
    C:\ProgramData\Dumps
    c:\windows\system32\SystemX
    File::
    c:\windows\bwUnin-8.1.1.50-8876480SL.exe
    Registry::
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]
    RegLock::
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arw\UserChoice]
    @Denied: (2) (S-1-5-21-443914778-2165998768-3064115887-1000)
    @Denied: (2) (LocalSystem)
    "Progid"="Google.PhotoViewer.3.0"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice]
    @Denied: (2) (S-1-5-21-443914778-2165998768-3064115887-1000)
    @Denied: (2) (LocalSystem)
    "Progid"="PhotoViewer.FileAssoc.Bitmap"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2\UserChoice]
    @Denied: (2) (S-1-5-21-443914778-2165998768-3064115887-1000)
    @Denied: (2) (LocalSystem)
    "Progid"="Google.PhotoViewer.3.0"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice]
    @Denied: (2) (S-1-5-21-443914778-2165998768-3064115887-1000)
    @Denied: (2) (LocalSystem)
    "Progid"="Google.PhotoViewer.3.0"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcr\UserChoice]
    @Denied: (2) (S-1-5-21-443914778-2165998768-3064115887-1000)
    @Denied: (2) (LocalSystem)
    "Progid"="Google.PhotoViewer.3.0"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice]
    @Denied: (2) (LocalSystem)
    @Denied: (2) (S-1-5-21-443914778-2165998768-3064115887-1000)
    "Progid"="ACDSee Pro 2.5.dib"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djvu\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Pro 2.5.djvu"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dng\UserChoice]
    @Denied: (2) (S-1-5-21-443914778-2165998768-3064115887-1000)
    @Denied: (2) (LocalSystem)
    "Progid"="Google.PhotoViewer.3.0"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.emf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Pro 2.5.emf"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.erf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Pro 2.5.erf"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fpx\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Pro 2.5.fpx"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice]
    @Denied: (2) (S-1-5-21-443914778-2165998768-3064115887-1000)
    @Denied: (2) (LocalSystem)
    "Progid"="PhotoViewer.FileAssoc.Gif"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hdr\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Pro 2.5.hdr"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Pro 2.5.ico"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2c\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Pro 2.5.j2c"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif\UserChoice]
    @Denied: (2) (LocalSystem)
    @Denied: (2) (S-1-5-21-443914778-2165998768-3064115887-1000)
    "Progid"="ACDSee Pro 2.5.jfif"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\UserChoice]
    @Denied: (2) (S-1-5-21-443914778-2165998768-3064115887-1000)
    @Denied: (2) (LocalSystem)
    "Progid"="Google.PhotoViewer.3.0"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\UserChoice]
    @Denied: (2) (S-1-5-21-443914778-2165998768-3064115887-1000)
    @Denied: (2) (LocalSystem)
    "Progid"="Google.PhotoViewer.3.0"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice]
    @Denied: (2) (S-1-5-21-443914778-2165998768-3064115887-1000)
    @Denied: (2) (LocalSystem)
    "Progid"="Google.PhotoViewer.3.0"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kdc\UserChoice]
    @Denied: (2) (S-1-5-21-443914778-2165998768-3064115887-1000)
    @Denied: (2) (LocalSystem)
    "Progid"="Google.PhotoViewer.3.0"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4b\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Pro 2.5.m4b"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4p\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Pro 2.5.m4p"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mef\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Pro 2.5.mef"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mos\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Pro 2.5.mos"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mrw\UserChoice]
    @Denied: (2) (S-1-5-21-443914778-2165998768-3064115887-1000)
    @Denied: (2) (LocalSystem)
    "Progid"="Google.PhotoViewer.3.0"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nef\UserChoice]
    @Denied: (2) (S-1-5-21-443914778-2165998768-3064115887-1000)
    @Denied: (2) (LocalSystem)
    "Progid"="Google.PhotoViewer.3.0"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.orf\UserChoice]
    @Denied: (2) (S-1-5-21-443914778-2165998768-3064115887-1000)
    @Denied: (2) (LocalSystem)
    "Progid"="Google.PhotoViewer.3.0"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pbm\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Pro 2.5.pbm"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcd\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Pro 2.5.pcd"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcx\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Pro 2.5.pcx"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pef\UserChoice]
    @Denied: (2) (S-1-5-21-443914778-2165998768-3064115887-1000)
    @Denied: (2) (LocalSystem)
    "Progid"="Google.PhotoViewer.3.0"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice]
    @Denied: (2) (S-1-5-21-443914778-2165998768-3064115887-1000)
    @Denied: (2) (LocalSystem)
    "Progid"="Google.PhotoViewer.3.0"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psd\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Pro 2.5.psd"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raf\UserChoice]
    @Denied: (2) (S-1-5-21-443914778-2165998768-3064115887-1000)
    @Denied: (2) (LocalSystem)
    "Progid"="Google.PhotoViewer.3.0"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice]
    @Denied: (2) (S-1-5-21-443914778-2165998768-3064115887-1000)
    @Denied: (2) (LocalSystem)
    "Progid"="Google.PhotoViewer.3.0"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rle\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Pro 2.5.rle"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rw2\UserChoice]
    @Denied: (2) (S-1-5-21-443914778-2165998768-3064115887-1000)
    @Denied: (2) (LocalSystem)
    "Progid"="Google.PhotoViewer.3.0"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sr2\UserChoice]
    @Denied: (2) (S-1-5-21-443914778-2165998768-3064115887-1000)
    @Denied: (2) (LocalSystem)
    "Progid"="Google.PhotoViewer.3.0"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srf\UserChoice]
    @Denied: (2) (S-1-5-21-443914778-2165998768-3064115887-1000)
    @Denied: (2) (LocalSystem)
    "Progid"="Google.PhotoViewer.3.0"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.***\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Pro 2.5.***"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.THM\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Pro 2.5.thm"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\UserChoice]
    @Denied: (2) (S-1-5-21-443914778-2165998768-3064115887-1000)
    @Denied: (2) (LocalSystem)
    "Progid"="PhotoViewer.FileAssoc.Tiff"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\UserChoice]
    @Denied: (2) (S-1-5-21-443914778-2165998768-3064115887-1000)
    @Denied: (2) (LocalSystem)
    "Progid"="PhotoViewer.FileAssoc.Tiff"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttc\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Pro 2.5.ttc"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Pro 2.5.ttf"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Pro 2.5.wmf"
    
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xpm\UserChoice]
    @Denied: (2) (LocalSystem)
    @Denied: (2) (S-1-5-21-443914778-2165998768-3064115887-1000)
    "Progid"="ACDSee Pro 2.5.xpm"
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  5. bestspirit35

    bestspirit35 Private E-2

    I'm sorry, I find this procedure a wee bit confusing. I never saw "KILL" on any log produced, so I don't understand that at all. I believe that I disabled ALL the anti-virus programs on my computer. I have run those programs again, and have attached what I believe it is you have asked for.

    If they aren't, my apologies, and let me know what it is I did wrong. I really appreciate what you are doing, and especially your patience with "computer challenged" people like myself.. LOL
     


    Last edited by a moderator: Jan 22, 2011
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I'm sorry, I find this procedure a wee bit confusing. I never saw "KILL" on any log produced, so I don't understand that at all.

    You need to go back and read the instructions carefully. Here are a few key things to pay attention to:
    So all in all you need to re run my fix in post # 4 from the combofix part onwards. :)
     
  7. bestspirit35

    bestspirit35 Private E-2

    Ok....:) Hopefully I have done everything correctly this time. As far as how my computer is running now, it seems to be running ok. However, I will know better after a day or two experience.

    Again, I thank you for your help, and especially for your sterling patience.

    Reg Harris

    PS, will you be able to tell me anything from your perusal of the files I have attached?
     


  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes. You still did not run the script properly by the looks. Let me give you a new one, otherwise we are going to have to use a different tool, or you are going to have to give me the exact contents of the folders I am curious about.

    You are still not set up to use normal mode. Check MSCONFIG and change to normal start up.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    C:\ProgramData\AVP11
    C:\ProgramData\bdch
    C:\ProgramData\Dumps
    c:\windows\system32\SystemX
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  10. bestspirit35

    bestspirit35 Private E-2

    Hello again Kestrel

    I believe I have done it all correctly this time. ( God, I sure hope so!) My sincere apologies for past errors.

    Bestspirit
     


  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, that was correct this time. Just a little left to do now.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    c:\programdata\{DE8EABB5-1C85-4410-A68D-79BD8A4518F4}
    Folder::
    c:\programdata\AVP11
    c:\windows\system32\SystemX
    c:\users\Reg\AppData\Local\Temp(1092)
    RegLock::
    [HKEY_USERS\S-1-5-21-443914778-2165998768-3064115887-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.***\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Pro 2.5.***"
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
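
    The RegLock:: sections in posts 4 and 11 list registry keys that carry Deny entries in their ACLs (the "@Denied: (2) (LocalSystem)" lines), and ComboFix is being asked to reset those permissions. The PowerShell below is an added example, not code from the thread, from MajorGeeks or from ComboFix: it reports every explicit Deny ACE under a registry path so you can see who is locked out of what before anything is changed, and a second function removes such entries with -WhatIf support. It assumes that the "(2)" ComboFix prints is the denied access mask and that 2 means KEY_SET_VALUE; the thread itself does not say so.

```powershell
# Added example, not from the thread or from ComboFix: report and, on request,
# remove explicit Deny ACEs on registry keys such as the UserChoice and
# FlashBroker entries listed under RegLock:: above.
# Assumption: the "(2)" in ComboFix's "@Denied: (2) (LocalSystem)" lines is the
# denied access mask, and 2 is KEY_SET_VALUE (winnt.h); the thread does not say so.
# Run in an elevated PowerShell session on the machine being examined.

function Get-DeniedRegistryAces {
    [CmdletBinding()]
    param(
        # Registry provider paths; wildcards are allowed, e.g.
        # 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\*\UserChoice'
        [Parameter(Mandatory)] [string[]] $Path
    )
    foreach ($p in $Path) {
        foreach ($key in @(Get-Item -Path $p -ErrorAction SilentlyContinue)) {
            $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Deny') { continue }
                [pscustomobject]@{
                    Key       = $key.Name
                    Identity  = $ace.IdentityReference.Value   # e.g. NT AUTHORITY\SYSTEM, Everyone
                    Rights    = $ace.RegistryRights            # SetValue corresponds to mask 2
                    Inherited = $ace.IsInherited
                    ProgId    = $key.GetValue('Progid', $null) # only UserChoice keys carry this
                }
            }
        }
    }
}

function Remove-DeniedRegistryAces {
    # Strips explicit (non-inherited) Deny ACEs, roughly what RegLock:: asks ComboFix to do.
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string[]] $Path)
    foreach ($p in $Path) {
        foreach ($key in @(Get-Item -Path $p -ErrorAction SilentlyContinue)) {
            $acl  = Get-Acl -Path $key.PSPath
            $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited })
            if ($deny.Count -eq 0) { continue }
            if ($PSCmdlet.ShouldProcess($key.Name, "remove $($deny.Count) Deny ACE(s)")) {
                foreach ($ace in $deny) { [void]$acl.RemoveAccessRule($ace) }
                Set-Acl -Path $key.PSPath -AclObject $acl
            }
        }
    }
}

# Usage: report first, preview the removal, then apply it only to the keys you mean.
$userChoice = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\*\UserChoice'
Get-DeniedRegistryAces -Path $userChoice | Format-Table Key, Identity, Rights, ProgId -AutoSize
Remove-DeniedRegistryAces -Path $userChoice -WhatIf
```

    The report is the useful part: the ProgId column shows what each locked UserChoice key actually points at (here Google.PhotoViewer.3.0, PhotoViewer.FileAssoc.* and ACDSee Pro 2.5.*), so you can confirm the associations belong to software that is really installed before deciding whether the lock matters. The HKLM FlashBroker keys from post 4 can be passed the same way with an HKLM: path, but a Deny that a vendor places on its own COM registration may be deliberate hardening, so report and compare before removing anything there. Dropping the -WhatIf switch performs the removal.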
     
  12. bestspirit35

    bestspirit35 Private E-2

    Ok... here it is.
     


  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  14. bestspirit35

    bestspirit35 Private E-2

    Thank you for all your patience and your help. My computer seems to be running quite well now. I have now completed all the steps you listed in your last report.

    I would appreciate knowing if you saw any evidence of any virus or malware on my computer from the logs and information I submitted to you over the past few days.

    BestSpirit
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Good to hear things are running well for you. To answer your question, apart from the minor nuisance MalwareBytes removed, no, there was not really any malware, just junk. :)
     
