I got it too

Discussion in 'Malware Help (A Specialist Will Reply)' started by sean1214, Feb 7, 2008.

  1. sean1214

    sean1214 Private E-2

    I got the doginhispen and skitodayplease too. Problem is I barely know how to turn on my computer, let alone get through all that it takes to get rid of these. I will be available tomorrow afternoon (Friday) if anyone can walk (I mean crawl) me through it.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. sean1214

    sean1214 Private E-2

    How long after I do "read and run me first" should I wait to see if I'm still having problems?
     
  4. sean1214

    sean1214 Private E-2

    I just rebooted and when I logged onto Hotmail, there it was again. b.skitodayplease.com. I spent all day doing this and I still have the problem. What's next? I will attach the MGTools log and hope someone can help me.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to attach the log from ComboFix as requested.

    Please remove MGtools.exe from your C:\Windows folder. We requested that you save it as C:\MGtools.exe

    You appear to have ignored the first area of the READ & RUN ME where we specify that only one antivirus must be used. You must either uninstall AVG7 or Norton now. If you choose to uninstall Norton, you should also run this: Norton Removal Tool (SymNRT) and then reboot.

    After uninstalling one of the antivirus programs, you need to do the below.

    Download and run FindAWF by noahdfear.
    • Please download FindAWF by noahdfear.
    • Save to your desktop.
    • Double-click the FindAWF icon.
      • If a Security Alert shows, allow the program to run.
    • As instructed, press any key to continue.
    • Use the following option: Press 1 then Enter to scan for bak folders
    • The scan may take a while, please be patient.
    • When done, a text file, Find AWF report is produced.
    • Please attach the Find AWF report in your next post.
    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - C:\Program Files\Etomi\Plugins\RazaWebHook.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
    O4 - HKCU\..\Run: [Etomi] "C:\Program Files\Etomi\Shareaza.exe" -tray
    O8 - Extra context menu item: &Search - ?p=zuzed004MBUS_ZZzer000
    O8 - Extra context menu item: Download with &Shareaza - res://C:\Program Files\Etomi\Plugins\RazaWebHook.dll/3000
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Andrea Walsh\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)


    After clicking Fix, exit HJT.


    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\TEMP
    C:\Documents and Settings\Sean Walsh\Local Settings\Temp


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • FindAWF log
    • C:\MGlogs.zip
    • and don't forget the C:\ComboFix.txt log
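    The HijackThis lines listed above follow a fixed format: a section code (R1, O2, O4, ...), a dash, and a body that may carry a CLSID, a file path, and the markers "(file missing)" or "(no file)" for entries whose target no longer exists on disk. The parser below is an added example written for this thread; it is not part of HijackThis, MGtools or the original post. It reads lines of that shape (the sample is a constructed subset of the lines above), extracts section, path and CLSID, and separates orphaned entries (nothing on disk, only a registry or config reference to clean up) from entries that point at a real file, which is the first question a helper asks before deciding what to Fix.

```python
"""Parse HijackThis-style log lines and triage them.

Added example for this thread; not HijackThis or MGtools code. The section
descriptions in SECTION_HINTS are the standard HijackThis meanings; everything
else (names, sample lines) is constructed for illustration.
"""
from __future__ import annotations

import re
from collections import Counter

# Constructed sample: a subset of the lines quoted in the post above.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - C:\Program Files\Etomi\Plugins\RazaWebHook.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O8 - Extra context menu item: &Search - ?p=zuzed004MBUS_ZZzer000
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Andrea Walsh\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}")
# A Windows path ending in an executable-ish extension, optionally quoted.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\n]+?\.(?:exe|dll|lnk))"?', re.IGNORECASE)
# Markers HijackThis prints when the referenced object is absent from disk.
ORPHAN_MARKERS = ("(file missing)", "(no file)")

SECTION_HINTS = {
    "R0": "IE start/search page registry value",
    "R1": "IE start/search page registry value",
    "R3": "IE URLSearchHook",
    "O2": "Browser Helper Object (IE add-on DLL)",
    "O4": "autostart entry (Run key or Startup folder)",
    "O8": "IE context-menu item",
    "O9": "IE toolbar button / Tools-menu item",
}


def parse_hjt(text: str) -> list[dict]:
    """Turn log text into one dict per entry; non-matching lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line or log header text
        body = m.group("body")
        path_m = PATH_RE.search(body)
        clsid_m = CLSID_RE.search(body)
        entries.append({
            "section": m.group("sec"),
            "line": line,
            "path": path_m.group(1) if path_m else None,
            "clsid": clsid_m.group(0).upper() if clsid_m else None,
            # Orphan: the entry references something that no longer exists on disk.
            "orphan": any(marker in body for marker in ORPHAN_MARKERS),
        })
    return entries


def hint(section: str) -> str:
    """Human-readable meaning of a section code (unknown codes are labelled as such)."""
    return SECTION_HINTS.get(section, "unrecognised section")


def fix_candidates(entries: list[dict]) -> list[str]:
    """Orphaned entries: only a stale registry/config reference remains, so
    fixing them removes nothing from disk. Entries with a live path need a
    separate decision about the file itself."""
    return [e["line"] for e in entries if e["orphan"]]


def by_section(entries: list[dict]) -> Counter:
    return Counter(e["section"] for e in entries)


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT)
    for e in parsed:
        flag = "orphan" if e["orphan"] else "live  "
        print(f"{e['section']} [{flag}] {hint(e['section'])}: path={e['path']} clsid={e['clsid']}")
    print("safe-to-fix orphans:", len(fix_candidates(parsed)))
```

Running it on the sample reports four orphaned entries (R3, both O2 lines and the O9 button) and three entries that still point at a file or shortcut; the O4 QuickTime line is a live, legitimate autostart, which is why a helper reads the path before fixing rather than trusting the section code alone.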
     
  6. sean1214

    sean1214 Private E-2

    I did as instructed to the best of my ability. Attached are requested logs. I hope this takes care of doginhispen and skitodayplease.com. I haven't seen either yet today. Thanks for all your help.
     

    Attached Files:

  7. sean1214

    sean1214 Private E-2

    I also ran a system scan using AVG 7.5 and it is showing Trojan Horse downloader6.AGDE. Will this be gone by removing the malware or is this a whole different problem?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please wait until we finish removing all malware to run any additional scans. For now, just run what we ask you to run.

    Next, we need to run FindAWF again.
    • Double-click the FindAWF icon.
      • If you receive any security alerts and/or warnings please allow the utility to run.
    • As instructed, press any key to continue.
    • Use the following option: Press 2 then Enter to restore files from bak folders
    • A text file opens called: files.txt
    • Click below the line and paste the following list of files to be restored:
    • Next, close and click Yes to save the changes.
    • Once files.txt is saved, FindAWF does the following:
      • It attempts to terminate the process represented by each filename on the list, if running
      • Deletes the rogue file from the parent folder, if present
      • Copies the original file to the parent folder
    • When done with the above, it automatically runs a new scan and opens a new log.
    • Please attach the new FindAWF log to your next message.
    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    DirLook::
    C:\WINDOWS\bak
    C:\WINDOWS\SYSTEM32\bak
     
    File::
    C:\Documents and Settings\Sean Walsh\Local Settings\Temp\1551301930.exe
    C:\Documents and Settings\Sean Walsh\Local Settings\Temp\3844655526.exe
    C:\Documents and Settings\Sean Walsh\Local Settings\Temp\440098350.exe
    C:\Documents and Settings\Sean Walsh\Local Settings\Temp\802051224.exe
    C:\Documents and Settings\Sean Walsh\Local Settings\Temp\abc123.pid
    C:\Documents and Settings\Sean Walsh\Local Settings\Temp\IMT4C.xml
    C:\Documents and Settings\Sean Walsh\Local Settings\Temp\IMT4D.xml
    C:\Documents and Settings\Sean Walsh\Local Settings\Temp\IMT4E.xml
    C:\Documents and Settings\Sean Walsh\Local Settings\Temp\IMT4F.xml
    C:\Documents and Settings\Sean Walsh\Local Settings\Temp\IMT50.xml
    C:\Documents and Settings\Sean Walsh\Local Settings\Temp\IMT51.xml
    C:\Documents and Settings\Sean Walsh\Local Settings\Temp\IMT52.xml
    C:\Documents and Settings\Sean Walsh\Local Settings\Temp\IMT53.xml
    C:\Documents and Settings\Sean Walsh\Local Settings\Temp\IMT54.xml
     
    Folder::
    C:\Program Files\Java\jre1.5.0_06
    C:\Program Files\MyWebSearch
    C:\Program Files\screensavers.com
    C:\Program Files\Uninstall Fun Web Products.dll
    C:\Program Files\Viewpoint
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    • and don't forget the new log from FindAWF
    Make sure you tell me how things are working now!
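    The two FindAWF options used in this thread follow a simple pattern: option 1 walks the disk for folders named "bak" (where this infection parks the original copy of each startup program it replaces), and option 2 restores the listed originals by deleting the rogue copy in the parent folder and copying the backup over it. The script below is an added example written for this thread, not FindAWF or any MGtools code, that reproduces that logic on a constructed directory tree so it runs offline on any OS. It hashes each bak file against its same-named parent so the report distinguishes a replaced program from an untouched one; FindAWF's first restore step, terminating the running process, is not modelled.

```python
"""Scan for AWF-style 'bak' folders and restore originals.

Added example; not FindAWF itself. Models FindAWF option 1 (scan for bak
folders) and option 2 (restore files from bak folders) on a sample tree built
in a temp directory. Process termination is deliberately not modelled.
"""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path

BAK_NAME = "bak"  # assumption: the backup subfolder is literally named "bak"


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_bak_folders(root: Path) -> list[Path]:
    """Option 1 analogue: every directory named 'bak' anywhere under root."""
    return sorted(p for p in root.rglob(BAK_NAME) if p.is_dir())


def classify_bak(bak: Path) -> dict[str, str]:
    """Compare each file in a bak folder with the same-named file one level up.
    'replaced' means the parent copy differs from the backup (the rogue file is
    still in place); 'identical' means nothing to restore; 'parent-missing'
    means the original was moved but no rogue copy is present now."""
    parent = bak.parent
    result = {}
    for original in sorted(bak.iterdir()):
        if not original.is_file():
            continue
        candidate = parent / original.name
        if not candidate.exists():
            result[original.name] = "parent-missing"
        elif sha256_of(candidate) == sha256_of(original):
            result[original.name] = "identical"
        else:
            result[original.name] = "replaced"
    return result


def scan(root: Path) -> dict[str, dict[str, str]]:
    """Full option-1 report keyed by bak folder path relative to root."""
    return {bak.relative_to(root).as_posix(): classify_bak(bak) for bak in find_bak_folders(root)}


def restore(bak: Path, names: list[str], dry_run: bool = True) -> list[str]:
    """Option 2 analogue for the names listed in files.txt: delete the rogue file
    from the parent folder if present, then copy the original back. Returns the
    actions taken (or that would be taken, when dry_run is True)."""
    actions = []
    for name in names:
        original = bak / name
        rogue = bak.parent / name
        if not original.is_file():
            actions.append(f"skip {name}: no original in {bak}")
            continue
        if rogue.exists():
            actions.append(f"delete {rogue}")
            if not dry_run:
                rogue.unlink()
        actions.append(f"copy {original} -> {rogue}")
        if not dry_run:
            shutil.copy2(original, rogue)
    return actions


def build_sample_tree() -> Path:
    """Constructed sample: one replaced program, one untouched, one with no parent copy."""
    root = Path(tempfile.mkdtemp(prefix="awf-demo-"))
    qt = root / "Program Files" / "QuickTime"
    (qt / BAK_NAME).mkdir(parents=True)
    (qt / BAK_NAME / "QTTask.exe").write_bytes(b"ORIGINAL QTTask")
    (qt / "QTTask.exe").write_bytes(b"ROGUE LOADER")  # rogue copy in parent
    sys32 = root / "WINDOWS" / "SYSTEM32"
    (sys32 / BAK_NAME).mkdir(parents=True)
    (sys32 / BAK_NAME / "ctfmon.exe").write_bytes(b"ORIGINAL ctfmon")
    (sys32 / "ctfmon.exe").write_bytes(b"ORIGINAL ctfmon")  # untouched
    (sys32 / BAK_NAME / "NeroCheck.exe").write_bytes(b"ORIGINAL NeroCheck")  # no parent copy
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for folder, report in scan(root).items():
        print(folder, report)
    qt_bak = root / "Program Files" / "QuickTime" / BAK_NAME
    for action in restore(qt_bak, ["QTTask.exe"], dry_run=True):
        print("would:", action)
```

The default is a dry run that only lists actions, which matches how a helper reads the FindAWF report first and only then supplies the restore list; the hash comparison is what lets the report say whether a parent executable is still the rogue one or has already been put back.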
     
  9. sean1214

    sean1214 Private E-2

    First off, thanks so much for all your help so far, my computer is MUCH faster already! What we have done so far has worked wonders, and now that I see that this computer can run well, I want to make sure every threat is removed.

    I followed your latest instructions and the only problem I had was that it saved the combofix log as "log.txt" which I renamed combofix.txt. Also, I am not able to upload CFscript.txt or awf.txt for some reason. Are they saved to the wrong place? When I run a search I find them, but when I try to upload they don't.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You don't need to attach CFScript.txt. You need to attach only what I requested at the end of my message (ComboFix, MGLogs.zip, FindAWF). Did you run FindAWF as requested and select option 2? Where did you save the log to? As long as the log is different from the first log, you should be able to attach it. But before attaching anything, please do the below:

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    File::
    C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\bak\TransferAgent.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
    C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
    C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe
    C:\Program Files\Creative\SBAudigy2\DVDAudio\bak\CTDVDDet.EXE
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\bak\CTSysVol.exe
    C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe
    C:\Program Files\Dell\Media Experience\bak\PCMService.exe
    C:\Program Files\Dell Support Center\bin\bak\sprtcmd.exe
    C:\Program Files\Dell Support Center\gs_agent\custom\bak\dsca.exe
    C:\Program Files\DellSupport\bak\DSAgnt.exe
    C:\Program Files\Grisoft\AVG7\bak\avgcc.exe
    C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe
    C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak\hphupd06.exe
    C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe
    C:\Program Files\iTunes\bak\iTunesHelper.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mimboot.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe
    C:\Program Files\QuickTime\bak\QTTask.exe
    C:\Program Files\Verizon\bak\McciTrayApp.exe
    C:\Program Files\Windows Defender\bak\MSASCui.exe
    C:\QooBox\Quarantine\C\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe.vir
    C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\bak\m3SrchMn.exe.vir
    C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\bak\mwsoemon.exe.vir
    C:\WINDOWS\bak\UpdReg.EXE
    C:\WINDOWS\SYSTEM32\bak\ctfmon.exe
    C:\WINDOWS\SYSTEM32\bak\hphmon06.exe
    C:\WINDOWS\SYSTEM32\bak\NeroCheck.exe
    C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe
    C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\bak\hpztsb11.exe
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Now run Ccleaner!

    Now we will re-run option 1 of FindAWF:
    • Double-click the FindAWF icon.
      • If a Security Alert shows, allow the program to run.
    • As instructed, press any key to continue.
    • Use the following option: Press 1 then Enter to scan for bak folders
    • The scan may take a while, please be patient.
    • When done, a text file, Find AWF report is produced.
    • Please attach the Find AWF report in your next post.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    • FindAWF log
    Make sure you tell me how things are working now!
     
  11. sean1214

    sean1214 Private E-2

    My computer has slowed down a bit since early yesterday. I followed the latest instructions. After dragging the CFscript.txt onto Combofix.exe and running it, my desktop went blank and I could not get any response from my computer other than going to Task Manager by pressing Ctrl, Alt, Delete. I had to log off and log on again. I don't know if that's relevant. I hope this helps. Again, thanks for all your help.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on your last logs you are clean. But do the below.

    Delete the below folders:
    C:\WINDOWS\bak
    C:\WINDOWS\SYSTEM32\bak


    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Are you still having problems? A slow PC does not necessarily mean malware. If you still have problems, please follow the instructions in the below and attach the requested log:

    Using Sophos Anti-Rootkit
     
  13. sean1214

    sean1214 Private E-2

    What are all the folders that start with "$MS131uninstallKB"...? There are a lot of them in C:\Windows.

    I ran the Sophos just to be sure and no hidden files were found. I hope we are done. I really appreciate your help. My computer hasn't run this good in a long time.

    Should I go through the sticky "how to protect your computer from Malware next"?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They are from each Windows Update you have done. When they are installed these folders are created with backups that allow you to uninstall a particular update. You will also see them as Security Updates for Windows XP ........ in add/remove programs unless you hide showing of these updates.

    Well here is the full final set of instructions.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note: The space between the X and the /U, it must be there.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work through the below link:
     
  15. sean1214

    sean1214 Private E-2

    How long should it take to run combofix /u? It's been running for a long time now and I'm not sure why.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It should not take too long. Kill the process if still running and check to see if the below are gone:
    • ComboFix.exe file
    • C:\ComboFix.txt file
    • C:\QooBox folder
    It is possible that your protection software was interfering with it. You could also try running it in safe boot mode.
     
  17. sean1214

    sean1214 Private E-2

    I got combofix.txt, the QooBox folder and combofix.exe deleted. When I run "combofix /u", I get a warning that says Windows can't find combofix. Is it already gone? Can I continue with steps 12 and 13 yet?
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, it is more than likely deleted already. It was on your Desktop with the red icon which you cannot miss. Yes, continue on through all steps now.
     
  19. sean1214

    sean1214 Private E-2

    When I logged off the last time I got "End Program Now" message. It said "Windows parking forms windows." What is this?? Otherwise I am going to start the protect yourself from malware sticky.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is not malware. It may be due to some of your HP software. You could use HijackThis to remove the below startup and it may fix it:

    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
     
