Help please!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Treble, Feb 14, 2009.

  1. Treble

    Treble Private E-2

    Hello

    A few days ago, I installed Avira on my sister's computer, but right in the first scan it started to pop up warnings about a Vundo trojan, a "TR/Crypt.XPCK.GEN" trojan and some others... Besides that, for some reason the CPU usage constantly goes up to 100%, so the PC gets stuck.

    I went through the cleaning procedures and although it deleted A LOT of malware, those trojans are still there, making the AV crazy with a lot of warning windows. I had to uninstall Avira to be able to "work" on the PC, so now I'm running no AV at all.
    I'm posting the logs, just note that SuperAntispyware couldn't finish the cleaning process due to an error which I don't remember right now. If it's important I'll run it again and take a picture.

    Thanks for your help!
     

    Attached Files:

  2. Treble

    Treble Private E-2

    More attachments
     

    Attached Files:

  3. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to Majorgeeks.

    We are currently reviewing your logs and will get back to you with a set of instructions as soon as possible. Our queue is working the oldest threads first.

    Thanks for your patience.
    dr.m
     
  4. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, Treble

    This PC has been infected for quite a while - let's clean it up. ;)

    The below fixes are specific to your problem and should only be used for issue(s) on this machine. Also, please do not install any other software while we are still working with you unless instructed. Once we have given you the all clean and final instructions you will be free to install what you want.

    ** Although your logs show that you ran the tools in Normal Boot mode, you must stop using MSconfig to control your start-ups --- refer to this section in the below link:

    Msconfig must be set for Normal Startup mode


    Step 1:
    Please look in Add/Remove Programs for the following and uninstall if found. If you get any errors just make a note and proceed

    Step 3:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix, exit HJT.

    Step 4:
    Now we need to use ComboFix to remove some malware.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. *Remember to re-start them before coming back online.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
      If it asks you to override the previous file with the same name, click YES.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.



    Step 6:
    * All Removable drives and writable media

    Using Windows Explorer - search for and delete the following if found:

    Step 7:
    Run Ccleaner

    Step 8:
    Now install the latest Sun Java Runtime Environment


    Step 9:
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).


    Then attach the below logs to your next reply:
    • C:\MGlogs.zip
    • C:\combofix.txt

    Make sure you tell me if you had any problems running this procedure and give a description of how things are working now!


    dr.m
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually, I would recommend expanding the instructions in step 6 of what dr.moriarty gave you to the below, because this infection could potentially have spread to any other hard disk, any removable device, and any other PC that the removable devices have ever been plugged into. So here is a revised step 6. I DO NOT recommend using Windows Search, since the list of files is very long and also because the default settings of Windows Search will not find files if they are hidden or system type files. You may or may not find any or all of these, but you do need to check before you reinfect or first-time infect other PCs.


    Step 6:

    You also need to look for this infection on all removable drives and re-writable media, as it may have spread to them or originated on them.

    All hard disks in this PC and any removable devices containing re-writable media (like flash drives, cameras, MP3 players, games, ...etc) have to be checked for this infection. In addition, every PC where these removable devices may have been used also needs to be checked for possible infection.

    To that end right click Start and select Explore to run Windows Explorer, use it to look for the below list of files. Most of these will normally be found in the root folder of the infected device so begin by looking there.

     
  6. Treble

    Treble Private E-2

    Thanks for your reply Dr. Moriarty and Chaslang

    I did as instructed, but didn't understand step 6. Forgive my ignorance, but how can I search for those files just with Windows Explorer? Or do I have to insert my removable devices and just look if they're there? Is it the same with the hard disks?

    As for now I have had no problems. Can I continue with the other steps while looking for the files in step 6? And one more thing I forgot to tell you is that when starting up, the PC tries to run scandisk but gets stuck, as well as when trying to start in safe mode. Sorry for this late info...
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, you will need to plug in any removable devices you have recently used, such as flash drives, cameras, MP3 players, games, ...etc., and manually search the devices for the files in chaslang's previous post. Of course, delete any if found!

    You could also run a virus scan on the drives.
     
  8. Treble

    Treble Private E-2

    Ok, it took me a while but I did it all. Searching for that (very) long list of files, I saw these which were not in the list:

    0u.cmd (found in a removable drive)
    83fgj.com (found in a removable drive)
    autorun.fcb (found in a removable drive)
    jopnqbe2.com
    2fiji.com
    6qaiu.com
    39lpji.com
    63.com
    b2.exe
    buis.exe
    cm.com
    d29w8lsx.com
    dwg3gngs.exe
    e.com
    fksvjygh.exe
    jopnqbe2.com
    mnl6on3.com
    ph.com
    ut.com
    whi.com
    wpfdd.exe

    Do I have to delete them too?

    I'm attaching the logs.
     

    Attached Files:

  9. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    ;)

    I'll research them and look at your latest logs, Treble.

    Edit: How is your machine now running?

    Thanks!
    dr.m
     
    Last edited: Feb 22, 2009
  10. Treble

    Treble Private E-2

    It's running a lot better, the CPU usage isn't going to 100% and Avira has stopped popping up warning windows.
    Thanks very much!
     
  11. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, Treble

    Yes --- they are all from the same infection.

    Step 1:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    Step 2:
    Using Windows Explorer - manually search all hard drives and plug in any removable devices you have recently used containing re-writable media (like flash drives, cameras, MP3 players, games, ...etc) and delete these files if found:
    Step 3:
    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Step 4:
    Run Ccleaner

    Step 5:
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).


    Then attach the below logs to your next reply:
    • C:\MGlogs.zip

    Make sure you tell me if you had any problems running this procedure and give a description of how things are working now!


    dr.m
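Worked example for the manual search in chaslang's step 6, bjgarrick's reply and dr.moriarty's step 2 above. This is an added Python script, not a MajorGeeks tool and not anything the thread's participants posted: it lists the root folder of every mounted drive (os.listdir returns hidden and system files too, so nothing is skipped the way Windows Search skips them by default), matches names case-insensitively against the list Treble reported in post #8, and shows the Windows hidden/system attributes so the reader can see why Explorer may not have displayed them. The autorun.inf parsing (open= / shellexecute= keys) is an assumption about how such root-folder files are commonly launched from removable media; the thread itself does not say how they got there. The script only reports, it deletes nothing; remove what it finds by hand, as the instructions say.

```python
"""Scan the root folder of every drive (or of the given roots) for files from a
suspect list, including hidden/system files that Windows Search skips by default.
Added example for this thread, not a MajorGeeks tool.  The suspect names are the
ones reported in post #8; the autorun.inf handling is an assumption about how
such files are typically launched, not something the thread states."""
import os
import stat
import string
from typing import Dict, Iterable, List, Optional

# Names the poster found in the root of a removable drive (post #8).
SUSPECT_NAMES = {
    "0u.cmd", "83fgj.com", "autorun.fcb", "jopnqbe2.com", "2fiji.com",
    "6qaiu.com", "39lpji.com", "63.com", "b2.exe", "buis.exe", "cm.com",
    "d29w8lsx.com", "dwg3gngs.exe", "e.com", "fksvjygh.exe", "mnl6on3.com",
    "ph.com", "ut.com", "whi.com", "wpfdd.exe",
}


def drive_roots() -> List[str]:
    """Every mounted drive letter on Windows; just '/' elsewhere."""
    if os.name != "nt":
        return ["/"]
    return [f"{d}:\\" for d in string.ascii_uppercase if os.path.exists(f"{d}:\\")]


def file_flags(path: str) -> str:
    """'H' / 'S' markers so hidden and system files stand out in the report."""
    try:
        st = os.lstat(path)
    except OSError:
        return "?"
    attrs = getattr(st, "st_file_attributes", 0)  # only populated on Windows
    flags = ""
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2):
        flags += "H"
    if attrs & getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0x4):
        flags += "S"
    return flags or "-"


def autorun_targets(root: str) -> List[str]:
    """Program names referenced by open= / shellexecute= in root\\autorun.inf."""
    targets: List[str] = []
    try:
        with open(os.path.join(root, "autorun.inf"), "r", errors="ignore") as fh:
            for line in fh:
                key, sep, value = line.strip().partition("=")
                if sep and key.strip().lower() in ("open", "shellexecute"):
                    parts = value.strip().split()  # first token is the program
                    if parts:
                        targets.append(parts[0].strip('"').lower())
    except OSError:
        pass  # no autorun.inf, or unreadable: nothing to add
    return targets


def scan_root(root: str, suspects: Iterable[str] = SUSPECT_NAMES) -> Dict[str, str]:
    """Map suspect path -> reason, for files sitting directly in `root`."""
    wanted = {s.lower() for s in suspects}  # Windows file names are case-insensitive
    findings: Dict[str, str] = {}
    try:
        entries = os.listdir(root)  # includes hidden and system files
    except OSError:
        return findings
    lowered = {e.lower(): e for e in entries}
    for name_l, name in lowered.items():
        path = os.path.join(root, name)
        if name_l in wanted:
            findings[path] = f"on suspect list [{file_flags(path)}]"
    for target in autorun_targets(root):
        if target in lowered:
            path = os.path.join(root, lowered[target])
            findings.setdefault(path, f"launched by autorun.inf [{file_flags(path)}]")
    return findings


def scan_all(roots: Optional[List[str]] = None) -> Dict[str, str]:
    """Scan every given root, or every mounted drive when none are given."""
    out: Dict[str, str] = {}
    for root in roots or drive_roots():
        out.update(scan_root(root))
    return out


if __name__ == "__main__":
    for path, why in scan_all().items():
        print(f"{why:36} {path}")
```

Run it as Administrator on each PC with every removable device plugged in; on a non-Windows machine pass the mount points of the USB sticks to scan_all() explicitly, since only the root folder of each drive is examined.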
     
  12. Treble

    Treble Private E-2

    Hi Dr. Moriarty

    I followed your instructions, didn't find any of the files you listed, so I deleted the ones I found.
    My computer is still starting very slowly, and it takes some time to open the browser; I don't know if that has anything to do with this...

    Thank you.
     

    Attached Files:

  13. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :)

    The good news is no malware is now found.

    However, at least three important system files don't show the correct size - which may be a result of your machine being infected for some time.

    *Try updating to XP SP3 to see if they get fixed:
    Microsoft Update

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).

    Then attach C:\MGlogs.zip to your next reply.


    dr.m
     
  14. Treble

    Treble Private E-2

    That's good news! I downloaded and installed SP3, and here is the log you requested.
     

    Attached Files:

  15. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Treble


    Please visit Virustotal

    Copy/paste these files and paths (one at a time) into the white box at the top:
    Press Submit - this will submit the file for testing.
    Please wait for all the scanners to finish then copy and paste the results in a notepad document.

    Next - update your anti-virus and run a complete system scan.

    Reply with the results of these scans in your next reply.

    Thanks!
     
  16. Treble

    Treble Private E-2

    Hi

    Here are the reports (including the one from the antivirus scan). I copied everything the website showed.
     

    Attached Files:

  17. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    ;)

    Hello, Treble

    Step 1:

    Uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
    • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
    • "%userprofile%\Desktop\combofix" /u
      • Notes: The space between the combofix" and the /u, it must be there.
      • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    • Delete the C:\combofix folder from combofix (if it exists)
    • Delete the C:\Qoobox folder (if it exists)
    Step 2:
    Please delete the C:\MGtools\Backups folder

    Step 3:
    Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

    Step 4:
    Run Ccleaner

    Step 5:
    You should backup any important data before continuing since it is unknown what, and how many files may be infected and what may be removed by additional scanning/cleaning procedures.

    Step 6:
    This procedure explains how to get to the PandaActiveScan site to setup and perform an online scan. It also explains how to obtain a log so you can attach it to a message. You must use Internet Explorer to run this scan and make sure your Sun Java version is current.

    * If you are in safe mode, reboot into normal mode now.

    To start the online scan go here: Panda ActiveScan


    To run the Online Scan continue with the below steps.
    1. When the page appears, click the Scan your PC button.
    2. In the next window, click the Check Now button
    3. Click the Scan Now button
    4. If you get a prompt about an Active-X component, allow the component to be installed.
    5. Now a download to your PC will begin. This is a required component for the scan. It contains detection information. (Note: It may take a while to download based on your connection speed.)
      • A second prompt will appear to allow the component to be updated
    6. When the scan is finished close the popup window and then click See Report
    7. Click Yes to the prompt, then click Save Report
    8. The default report name is Activescan.txt. Just save it where you can find it so you can attach it to your message. See: HOW TO: Attach Items To Your Post
    Step 7:
    Now also run Using BitDefender Online Scan

    Step 8:
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).



    Then attach the below logs to your next reply:
    • C:\MGlogs.zip
    • ActiveScan.txt
    • bdscan.txt
    Make sure you tell me if you had any problems running this procedure and give a description of how things are working now!


    dr.m
     
    Last edited by a moderator: Mar 2, 2009
