HP Pavilion a305w XP 2.7 Ghz malware issues.

Discussion in 'Malware Help (A Specialist Will Reply)' started by blackcaboftucson, Jun 16, 2008.

  1. blackcaboftucson

    blackcaboftucson Private E-2

    So, a friend from work has a daughter that has this computer. Very nice kid that just graduated, unfortunately before she goes off to college her computer is running really, really, slow. So, I said I would take a look at it. I followed the Read and Run Me Malware instructions to a "T."

    I think, I did at least. Here's what I got, she uses myspace a lot. Had a Zwinky avatar, was way behind on her updates.

    Had a lot of adware and other things similar, mywebsearch, some variant of that. Also, a Win32.h.....(sorry I can't find my notes). It was something Spybot found and had to reset to delete it.

    So, here are my logs, I have a zip from MGTools downloaded from you guys. Also, 3 logs from the programs listed in the Malware Removal Guide.
     

    Attached Files:

  2. blackcaboftucson

    blackcaboftucson Private E-2

    And, here is the MgTools.zip file. If you could look at it, I'd appreciate it. It runs wayyyyyy better now. I would just like a second opinion if all the bad stuff is gone. Then, I'm going to do the Maintenance Guide, the one with the IOBit Defender and a few other programs. After that, the How to Prevent Malware Guide.

    I appreciate what you guys accomplish here. Thank you.
     

    Attached Files:

    Last edited: Jun 16, 2008
  3. abri

    abri MajorGeek

    Hi blackcaboftucson,
    Welcome to Major Geeks!


    I've given your logs a cursory glance and you still have some malware in there. Please use your computer as little as possible until one of us can get a set of instructions to you to remove those last things. This takes some time, so thanks for being patient!

    abri
     
  4. blackcaboftucson

    blackcaboftucson Private E-2

    Thank you sir. I will shut it down after this message and wait on your reply. I appreciate your effort.
     
  5. abri

    abri MajorGeek

    Hi blackcaboftucson,

    I'm having you remove the startup entry for P2P Networking. P2P is an entry point for a lot of malware. If you are interested in alternatives to this, you may wish to look for threads about this in the Software Forum, or simply start a new thread there.

    1) Go to add/remove programs and uninstall the below:

    - Java 2 Runtime Environment, SE v1.4.1_02

    2) Reboot after uninstalling the above.

    3) Install the current version of Sun Java from: Sun Java Runtime Environment

    4) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    5) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select Do a system scan only. In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [yqbDC] C:\WINDOWS\aucmlb.exe
    O4 - HKLM\..\Run: [Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\aucmlb.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


    Did you quit using Comcast? If so, please fix the following entries as well.

    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

    Do the following entries have to be in your trusted zone? If not, please fix them as well.

    O15 - Trusted Zone: *.instantplugin.com
    O15 - Trusted Zone: *.vladzone.com


    After you click fix, just close hijackthis.

    6) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    DRIVER::aucmlb
    
    FILE::
    C:\WINDOWS\aucmlb.exe
    
    REGISTRY::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "yqbDC"=-
    "Á³# Lh'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe"=
    
    [-HKEY_CURRENT_USER\Software\Kazaa]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.



    7) Now run CCleaner at the default setting with the Windows tab as the top one.

    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Avenger or Combofix log.


    Let me know how things are running now?

    abri
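The O4 entries abri singled out above share a few tell-tale traits: a value name that is garbage bytes, a file path stuffed into the value name, an executable sitting directly in C:\WINDOWS rather than a program folder, and one binary (aucmlb.exe) registered under two different Run values. The script below is an added example, not part of the thread or of HijackThis; it parses O4 lines in HijackThis format (the sample list is constructed from the lines quoted above, plus the benign iTunes entry for contrast) and reports which of those indicators each entry shows, so a helper can triage a log before deciding what to fix.

```python
import re
from collections import Counter

# Constructed sample: the O4 (Run key) lines quoted in this thread plus the
# benign iTunesHelper entry for contrast. Not a real HijackThis log.
SAMPLE_O4 = [
    r'O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART',
    r'O4 - HKLM\..\Run: [yqbDC] C:\WINDOWS\aucmlb.exe',
    'O4 - HKLM\\..\\Run: [Á³# L"h\'þ9Óœð3rÅWC:\\Program Files\\ISTsvc\\istsvc.exe] C:\\WINDOWS\\aucmlb.exe',
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
]

# HijackThis O4 layout: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>.*)\] (?P<cmd>.*)$')

def parse_o4(line):
    """Split one O4 line into hive, key, value name and the executable path."""
    m = O4_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    cmd = d['cmd']
    if cmd.startswith('"'):                      # quoted path, arguments follow
        d['path'] = cmd[1:cmd.index('"', 1)]
    else:                                        # unquoted: take up to the first .exe
        mm = re.match(r'(.*?\.exe)', cmd, re.I)
        d['path'] = mm.group(1) if mm else cmd.split(' ')[0]
    return d

def triage_o4(lines):
    """Return [(entry, [reasons])] for entries showing the indicators seen in this thread."""
    entries = [e for e in map(parse_o4, lines) if e]
    seen = Counter(e['path'].lower() for e in entries)   # how many values point at each binary
    out = []
    for e in entries:
        reasons = []
        if any(ord(c) < 32 or ord(c) > 126 for c in e['name']):
            reasons.append('garbled/non-printable value name')
        if re.search(r'[a-z]:\\', e['name'], re.I):
            reasons.append('file path embedded in value name')
        if re.fullmatch(r'[a-z]:\\windows\\[^\\]+\.exe', e['path'], re.I):
            reasons.append('executable dropped directly in the Windows folder')
        if seen[e['path'].lower()] > 1:
            reasons.append('same binary registered under more than one Run value')
        if reasons:
            out.append((e, reasons))
    return out
```

Running triage_o4(SAMPLE_O4) flags only the yqbDC entry and the garbled-name entry; the P2P Networking and iTunesHelper lines pass, which matches where abri's cleanup script aimed its FILE:: and REGISTRY:: sections.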
     
  6. blackcaboftucson

    blackcaboftucson Private E-2

    Updated Java by your link.
    Removed Windows Messenger.
    Removed entries in HijackThis
    Ran CFscript.txt with Combofix and received a log.
    Ran getlogs.bat and uploading logs now.

    Thank you for help. It seems to be running great now. Anyways, thanks Abri.
     

    Attached Files:

  7. abri

    abri MajorGeek

    Hi blackcaboftucson,

    A couple of small things and then I'll post you the final cleanup instructions.

    See if you can delete these two folders:

    C:\Documents and Settings\All Users\Application Data\Viewpoint
    C:\Program Files\Acuvk


    Did you create the following folder? (If not tell me)

    C:\Program Files\maint

    Next please run C:\MGtools\analyse.exe by double clicking on it. Select Do a system scan only. In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE


    After you click on Fix, please click on Main Menu. There I would like for you to select None of the above, just start the program. Then click on Config and then click on Backups. In the backups list, see if the following two entries are still there and if so, put a check mark next to them and then click on delete. I will have you keep your backups, but not those two. They are bad.

    O4 - HKLM\..\Run: [yqbDC] C:\WINDOWS\aucmlb.exe
    O4 - HKLM\..\Run: [Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\aucmlb.exe


    Now run CCleaner.

    And now I'm going to give you the final cleanup instructions. Please delay resetting your restore points until you've used your computer a bit and rebooted a few times.
    If you want to keep HijackThis (analyse.exe), then please skip the step which asks you to remove HijackThis via add/remove programs and see the extra instructions in gray at the bottom of the box.
    abri
     
