Large infection that i think i have removed

Discussion in 'Malware Help (A Specialist Will Reply)' started by maimed, Dec 24, 2007.

  1. maimed

    maimed Private E-2

    Hello, I have just recently had a very large infection with multiple malware.
    Firstly I noticed that my wallpaper changed to "your computer is infected with malware, please run scans" etc., then error messages saying the computer is infected and a fake Windows Security Centre which redirects you to buy this product.
    I ran lots of scans getting heaps of strange crap but it was ComboFix which fixed it, but I want to post logs to make sure every last trace of it has gone and try to track down the source.

    Any help is greatly appreciated.
    Cheers.

    Here are the logs; if necessary I can post more, just tell me what to do. Thanks.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have the requested log from AVG Antispyware?

    In the future please be sure to follow instructions properly. You ran MGtools.exe from here:


    C:\Documents and Settings\Greg\My Documents\Downloads\Programs\ISO-8859-1''MGtools.exe

    The instructions specifically say that it must be run from C:\MGtools.exe You were lucky this time, but you may not be so lucky the next time or with other tools. When we say to download to a particular location or to run something a particular way, it is important that you do what is requested.

    The source is quite possibly from downloading and using things like the below:
    Code:
    IDMV51~1.10_  16 Dec 2007              "IDM.v5.11.Build.10 + Perfect Crack"
    pc-war~1.tor  17 Dec 2007       35708  "PC-Warhammer.40K.Dawn.of.WAR.Dark.Crusade-RECHARGED.rar [mininova].torrent"
    w4rh4m~1.tor  17 Dec 2007      253084  "W4rh4mm3r 4o0o0 pack [mininova].torrent"
    _uploa~1.rar  16 Dec 2007     3452024  "[uploaded by - sirqueza] IDM.v5.11.Build.10 + Perfect Crack.rar"
    If you install any of these illegally (and I do see IDM running) you should uninstall them because they may well be infected and the cracks more than likely are.

    In addition to the above files, I also see the below in your Desktop. Unless you know what they are and need them, you should delete them.
    Code:
    "C:\Documents and Settings\Greg\Desktop\"
    1-45b9~1.zip  18 Dec 2007           0  "1-45b9e-warcraft 3.zip"
    2-d28e4.zip   29 Nov 2007   405624544  "2-d28e4.zip"
    3-ff3e4.zip   29 Nov 2007     3460728  "3-ff3e4.zip"
    chinky~1.001  22 Dec 2007   315621376  "cHinKys.H.avi.001"

    Do you know what the below folder is for? Is it for Brilbo Screen Saver that is installed? Did you install this?
    Code:
    "C:\WINDOWS\system32\"
    BRIBLO~1      25 Oct 2007              "briblo dir"


    Uninstall the below old versions of software:
    Java 2 Runtime Environment, SE v1.4.2_03
    Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
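    As an added illustration (my own code, not a tool from this thread or from MajorGeeks), a small parser for the HijackThis O3/O4 line format quoted above that flags a toolbar CLSID with no backing file and autostart targets that run from a user-profile or temp directory. The sample log lines are constructed; the first two are the entries from the post, the third is made up.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines 1-2 are the entries quoted in the thread, line 3 is made up.
SAMPLE_HJT_LOG = r"""
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\User\Local Settings\Temp\updater.exe /silent
"""

O3_RE = re.compile(r'^O3 - Toolbar: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<file>.+)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]+)\] (?P<cmd>.+)$')
SUSPECT_DIRS = ('c:\\documents and settings\\', 'c:\\windows\\temp\\')  # heuristic, assumed

@dataclass
class Entry:
    kind: str    # 'O3' (IE toolbar) or 'O4' (registry Run autostart)
    name: str    # toolbar name or Run value name
    target: str  # file the entry points at, or '(no file)'
    args: str    # command-line arguments (O4 only)
    reason: str  # why a reviewer would flag it; '' if nothing stands out

def split_command(cmd: str):
    """Split an O4 command into (executable, args); unquoted Windows paths may
    contain spaces, so split after the first executable extension, not at a space."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.search(r'\.(exe|com|bat|cmd|scr|pif)\b', cmd, re.IGNORECASE)
    if m:
        return cmd[:m.end()], cmd[m.end():].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else '')

def parse_hjt_line(line: str):
    """Return an Entry for an O3/O4 line, or None for any other line."""
    m = O3_RE.match(line.strip())
    if m:
        reason = 'toolbar CLSID with no backing file' if m['file'] == '(no file)' else ''
        return Entry('O3', m['name'], m['file'], '', reason)
    m = O4_RE.match(line.strip())
    if m:
        exe, args = split_command(m['cmd'])
        reason = 'autostart runs from a user-profile or temp directory' if exe.lower().startswith(SUSPECT_DIRS) else ''
        return Entry('O4', m['value'], exe, args, reason)
    return None

def triage(log_text: str):
    """All flagged entries in a HijackThis log, in file order."""
    entries = (parse_hjt_line(l) for l in log_text.splitlines())
    return [e for e in entries if e is not None and e.reason]
```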
     
  3. maimed

    maimed Private E-2

    OK, here are the new logs.
    That screensaver thing I am not sure about; this is my 7 year old brother's PC so what he downloads on it is beyond me.
    ComboFix is what got rid of the main infection (the changed desktop and error warnings).
    It all seems to be running smoothly and fine now.
    Thank you very much for your time and effort, it is greatly appreciated.
    Merry Christmas :)
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why are you running the below again?

    C:\Documents and Settings\Greg\My Documents\Downloads\Programs\ISO-8859-1''MGtools.exe

    My instructions said to run C:\MGtools\GetLogs.bat

    Also I still see the below in your HijackThis log. Why didn't you fix them?

    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    Did you attach old logs???? I think that is why I'm still seeing the above!!! I would bet that you did not allow GetLogs.bat to finish running. You must wait for ALL scans to finish running. DO NOT close the window after the first scan. The command prompt window will look something like the image shown below when the scans are finished.

    http://forums.majorgeeks.com/attachment.php?attachmentid=78790&d=1198613293

    Run GetLogs.bat and this time wait for all the scans to complete. Then attach a new log.
     
  5. maimed

    maimed Private E-2

    OK, firstly I did delete those things in HijackThis, so that must be the old log, sorry.
    Secondly I must have attached the old logs, very sorry about that. I will attach the right ones right now.
    I really hope this is the right one, but it should be.
    Thanks
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that's better. Your logs are clean other than the stuff I already mentioned about the cracks and possibly pirated software which could still contain malware. Unless you remove them you still have chances of reinfection.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work through the below link:
     
  7. maimed

    maimed Private E-2

    Thank you very much, your help is very appreciated, and sorry for the mess up with the logs; I will be more careful next time. Happy New Year and happy holidays :)
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely and enjoy your New Year malware free. :D
     
