Had (?) malware, need to identify

Discussion in 'Malware Help (A Specialist Will Reply)' started by quattj, Nov 29, 2009.

  1. quattj

    quattj Private E-2

    Let me start by saying I may have solved my problem, but I can't be sure, and I'd like to know more about what happened, and if there's anything else I should do to avoid a relapse.

    Some time in the past several weeks, my computer got infected with a link stealer of some sort. It started out just stealing Google links, but branched out to others, cross-browser and all.

    I started the cleaning process: removed Java, emptied temp folders and the Recycle Bin, ran CCleaner and the other recommended apps.

    Spybot, MalwareBytes, SuperAntiSpyware, and AVG all turned up nearly nothing. Nothing out of the ordinary in the HijackThis log. Even MGTools and ComboFix could not help. The more tools I ran, the worse my computer got, until I could not start Windows any longer.

    I was only able to use my computer normally again after an entire afternoon of fighting and finally getting to a point where I could do a system restore to two weeks ago. I had to run a diagnostic CD (Ultimate Boot CD For Windows, has many useful utilities for registry editing and such if you can't load Windows) to delete files the malware created (which I also discovered by using one of the utils on this CD) and then had to use it again after the malware took over winlogon (created a file called winlogon86.exe in its place) and hijacked my desktop, disabled the task manager, and most other explorer related functions.

    Can someone identify it from some of these symptoms? In Firefox, these are some of the redirects I got:

    http://www.kevinsworkathomeblog.com/2/?from=ahoo+com_113232
    http://www.smarttechnik.com/search-results.aspx?keywords=home+virginia
    http://www.primosearch.com/jump2/?affiliate=5269&subid=4892&terms=virginia
    http://www.searchfindsite.com/6963/search.php?keyword=virginia&sid=1767cbaaa05454d57326cc3754d97219&cid=BPO

    http://www.sorry,.com/
    http://www.but.com/
    http://www.service.com/
    http://www.temporarily.com/
    http://wwwz.websearch.verizon.net/search?qo=unavailable&rn=xK4N20HVoVYQfHK&rg=

    http://thedailyheralds.com/finance/index5.php?c1=62&c2=82&c3=132&sub=113232.com
    http://mtm107tq.in/adi5/

    I lost the batch file I made to delete some of the files, but these are some of the files I had to delete/repair from outside of my Windows installation:
    all in the C:\windows\system32 folder
    winlogon86.exe
    winupdate86.exe
    several files with just numbers as names
    a file similar to AVj10.exe (not sure on the actual name)

    Attached also find two screenshots of what happened while I was in the middle of running SuperAntiSpyware, and it still found only that one object seen in the photo which is completely unrelated to this infection.

    I have assorted log files which I will attach, from MGTools, ComboFix (2 logs and a quarantine log... ran it several times while pulling my hair out) SuperAntiSpyware, Spybot S&D. They all show bits and pieces, but nothing huge or overly helpful. Each one lists something different infection-wise, though none appear to point to the actual main issue.

    Any ideas on what it actually is/was? And do I need to do anything else for it?
     

    Attached Files:

  2. quattj

    quattj Private E-2

    Here are the normally asked for logs, but again, they really don't show too much that's useful.
     

    Attached Files:

  3. quattj

    quattj Private E-2

    I started running scans today to verify that it is clean. SuperAntiSpyware required a reboot, and now I get a blue screen error. Sigh.

    Forgot to include system specs earlier, so here they are...
    I am running Windows XP, SP1 on an AMD Athlon 64 2GHz with 512MB of RAM.

    Back to the fight. :-o
     
  4. evilfantasy

    evilfantasy Malware Fighter

    Are you able to log onto your computer or is it stuck at the blue screen?
     
  5. quattj

    quattj Private E-2

    It was stuck at the blue screen. Didn't matter what I tried. Couldn't get in to normal or safe mode. The error I got was
    STOP: 0xF894D640,0xC0000034,0x00000000,0x00000000)

    I ended up doing a repair install using an XP SP2 disc, and was able to get everything up and running. I previously had SP1, so I could not upgrade my AVG past 7.5, which was almost a year old. With the new AVG 9.0, I ran a full scan and it found numerous things:
    Trojan horse SHeur2.BVEL - a new file in my temp folder
    Trojan horse Rootkit-Pakes.U - this was disguised as atapi.sys, but I found my CD drive malfunctioning quite a while back, and had renamed it to atapi.old and replaced it with a different version of the file

    Trojan horse BackDoor.Generic11.AKOW
    Trojan horse BackDoor.Generic11.AYOC
    Trojan horse Generic15.SKX
    Adware Generic2.JPM
    These were in old zip files from one of my friends, never opened, but also never previously detected

    The resident shield also came across "Trojan horse Generic13.XHS.dropper" in one of the system restore files.
     
  6. evilfantasy

    evilfantasy Malware Fighter

    Run a new SAS, MBAM, ComboFix, RootRepeal and MGtools scan and attach the logs please. In that order and be sure you have the most recent version of SAS. http://majorgeeks.com/SUPERAntiSpyware_d5116.html SUPERAntiSpyware 4.31.1000.

    Be sure to update SAS and MBAM before the scan. A repair install will not remove malware so the whole process needs to be done again. It's also not good to install a new Service Pack while a computer is infected. Hopefully you can get out of this without a full format and reinstall.
     
  7. quattj

    quattj Private E-2

    Here they are.
     

    Attached Files:

  8. quattj

    quattj Private E-2

    MGtools log
     

    Attached Files:

  9. evilfantasy

    evilfantasy Malware Fighter

    Did you create these folders?

    And do you know what these are?

    Please go to Jotti's malware scan
    (If more than one file needs to be scanned, they must be done separately and a log posted for each one)

    * Copy the file path in the below Code box:
    Code:
    c:\windows\Reyalp99.dll
    * At the upload site, click once inside the window next to Browse.
    * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    * Next click Submit file
    * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    * This will perform a scan across multiple different virus scanning engines.
    * Important: Wait for all of the scanning engines to complete.
    * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
     
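    As an added example (not code from this thread, from quattj, or from MajorGeeks): before uploading a file for the Jotti scan described above, a defender usually wants the file's hashes and a quick triage of the folder it came from. The Python script below hashes every file in a directory, flags names that imitate a legitimate system file by appending digits (the winlogon86.exe pattern from this thread), flags all-digit file names, and compares a file with a legitimate name (atapi.sys) against a trusted baseline hash, since a rootkit that replaces a driver keeps the real name. The sample directory, its file contents and the baseline hash are constructed for the example, and KNOWN_GOOD_NAMES is an illustrative subset, not a complete list.

```python
"""Offline triage helper for a system32-style folder (added example).

Everything here is constructed for illustration: the file contents, the
baseline hash and the short list of legitimate names.  Real use would point
triage() at a mounted offline copy of system32 and use baseline hashes taken
from a clean install of the same Windows version.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Legitimate names the lookalike check knows about (illustrative subset).
KNOWN_GOOD_NAMES = {"winlogon.exe", "svchost.exe", "atapi.sys", "ntoskrnl.exe"}

# Constructed stand-in for a trusted driver; the real baseline hash would come
# from a clean copy, not from the machine being examined.
GOOD_ATAPI_BYTES = b"CONSTRUCTED clean atapi.sys content\n"
BASELINE_SHA256 = {"atapi.sys": hashlib.sha256(GOOD_ATAPI_BYTES).hexdigest()}


def file_hashes(path):
    """MD5, SHA-1 and SHA-256 of a file, read in chunks (scanners key on these)."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def lookalike_of(name, known=KNOWN_GOOD_NAMES):
    """Return the legitimate name that `name` imitates by appending digits, else None.

    winlogon86.exe -> winlogon.exe; winlogon.exe itself and a different
    extension (svchost1.dll) do not match.
    """
    stem, ext = os.path.splitext(name.lower())
    for good in known:
        gstem, gext = os.path.splitext(good)
        suffix = stem[len(gstem):]
        if ext == gext and stem != gstem and stem.startswith(gstem) and suffix.isdigit():
            return good
    return None


def triage(directory, baseline=BASELINE_SHA256):
    """Return {filename: reason} for every file in `directory` worth a second look."""
    findings = {}
    for entry in sorted(Path(directory).iterdir()):
        if not entry.is_file():
            continue
        name = entry.name.lower()
        stem, _ = os.path.splitext(name)
        hashes = file_hashes(entry)
        imitated = lookalike_of(name)
        if imitated:
            findings[name] = f"name imitates {imitated} (sha1 {hashes['sha1']})"
        elif stem.isdigit():
            findings[name] = f"all-digit file name (sha1 {hashes['sha1']})"
        elif name in baseline and hashes["sha256"] != baseline[name]:
            # Legitimate name, wrong content: the atapi.sys case from the thread.
            findings[name] = "legitimate name but hash differs from trusted baseline"
    return findings


def build_sample_dir():
    """Create a constructed directory mimicking the thread's system32 findings."""
    d = Path(tempfile.mkdtemp(prefix="triage_"))
    (d / "winlogon.exe").write_bytes(b"CONSTRUCTED legit winlogon\n")
    (d / "winlogon86.exe").write_bytes(b"CONSTRUCTED dropper\n")
    (d / "113232.exe").write_bytes(b"CONSTRUCTED numeric-named file\n")
    (d / "atapi.sys").write_bytes(b"CONSTRUCTED tampered driver\n")
    (d / "ntoskrnl.exe").write_bytes(b"CONSTRUCTED untouched file\n")
    return d


if __name__ == "__main__":
    for fname, why in triage(build_sample_dir()).items():
        print(f"{fname}: {why}")
```

    Run as-is it triages the constructed sample and prints three findings (winlogon86.exe, 113232.exe and the tampered atapi.sys); winlogon.exe has no baseline entry here, so it is reported only if its name or hash trips a check. The hashes it prints are what you would look up or quote alongside a Jotti or similar multi-engine result.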
  10. quattj

    quattj Private E-2

    Yes, those are folders I made. The antivirus folder was going to hold all my newly downloaded AV stuff. I deleted it and made a new folder elsewhere to download and run the latest scanners last night. The other folder is my younger brother's school work.

    Those other two files are mystery files. I have deleted them. They are in my Recycle bin if you think I should scan them.

    As for c:\windows\Reyalp99.dll
    Every scan came up clean, except for "norman", which timed out.
    http://virusscan.jotti.org/en/scanresult/f44faf27ef0f0b9c8948540fc25c170632f8f3a8
     
  11. evilfantasy

    evilfantasy Malware Fighter

    From what I can tell no malware survived. Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between the combofix" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
