Malware check

It seems I came down with the infamous "Warning!" blue desktop malware. I seem to have fixed the problem, but I was hoping someone could look over my logs and make sure there isn't anything left that I'm not seeing.

First, what I did to clean it up. After running a few programs I found in other advice threads, I came across your READ & RUN ME FIRST. I ran through it and it got rid of most of the annoying effects of the malware (a screensaver that mimicked the Windows boot-up screen and the fake Windows XP spyware program), but the blue Warning! background remained. The Screensaver and Desktop tabs were absent from the Properties tool. I ran through it a second time and this time it seems to have cleared up all my problems: the previously mentioned missing tabs are back on the Properties tool. I even got rid of some annoying left-overs from my last battle with malware (alerts telling me Windows could find certain files each time I would boot up).

I was hoping, however, that someone could look over the logs from my latest run-through in case I'm missing something. I'm not particularly good with computers; I know how to run the programs, but not what they do.

I thank you in advance for any help you're able to provide!

My logs:

ComboFix (CClog.txt)
Malwarebytes Anti-Malware (MAMlog.txt)
SUPERAntiSpyware (SASlog.txt)

 

And finally,

MGtools (MGlogs.zip)

 

Hi Torres2008,
Welcome to Major Geeks!


There are a few items which still need to be fixed. I'll get back to you with a set of instructions for this. Thanks for being patient.

abri

 

Hi Torres2008


1) Please disable your guest account if this hasn't already been done.


2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select Do a system scan only). In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = hxxp://channels.aimtoday.com/search/aimtoolbar.jsp
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {61DC1D22-BD4C-2EBA-8353-605509A02D4B} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML


Do the following belong to programs you know or want to keep? If not, please fix them as well.

O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} (Enlite 2.x Simulation Engine Installer) - http://myitlab.pearsoned.com/Pegasus/Modules/SIMIntegration/Resources/ax/stub.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

Does the following program need to load at startup? If not, please fix it as well.

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"


After you click fix, just close hijackthis.


4) Next I would like to have you use ComboFix to remove some files.

• Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
• If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

DRIVER::
jfdcd

DIRLOOK::
C:\Program Files\rhclkcj0e5a7
C:\Documents and Settings\Chris\Application Data\rhclkcj0e5a7

FILE::
C:\WINDOWS\SYSTEM32\lphcgkcj0e5a7.exe
C:\WINDOWS\SYSTEM32\phcgkcj0e5a7.bmp
C:\DOCUME~1\Chris\LOCALS~1\Temp\jfdcd.sys


REGISTRY::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{61DC1D22-BD4C-2EBA-8353-605509A02D4B}]

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.




5) Now run CCleaner at the default setting with the Windows tab as the top one.

6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Avenger or Combofix log.


Let me know how things are running now?

abri

 

My machine seems to be running just fine! Thank you for your help! Here are my latest logs:

ComboFixer (CFlog.txt)
MGtools (MGlogs.zip)