Malware issue

Please download RKill to your desktop from the following link.

RKill Download Link - (Download page will open in a new tab or browser window.)

When at the download page, click on the Download Now button labeled iExplore.exe . When you are prompted where to save it, please save it on your desktop.

Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with Windows Vista Recovery and other [FONT=inherit ! important][FONT=inherit ! important]Rogue [/FONT][/FONT][FONT=inherit ! important][FONT=inherit ! important]programs[/FONT][/FONT]. If you cannot find the iExplore.exe icon that you downloaded, you can also execute the program by doing the following steps based on your version of Windows:

For Windows 7 and Windows Vista, click on the Start button and then in the search field enter %userprofile%\desktop\iexplore.exe and then press the Enter key on your keyboard. If you Windows prompts you to allow it to run, please allow it to do so.

For Windows XP, click on the Start button and then click on the Run menu option. In the Open: field enter %userprofile%\desktop\iexplore.exe and press the OK button. If you Windows prompts you to allow it to run, please allow it to do so.

Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by Windows Vista Recovery when it terminates programs that may potentially remove it. If you run into these infections warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate Windows Vista Recovery . So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. If you continue having problems running RKill, you can download the other renamed versions of RKill from the rkill download page. All of the files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new window or tab.

Do not reboot your computer after running RKill as the malware programs will start again.

Now try to do this:
TDSSkiller - How to run

Now see if you can run the other scans:
SAS
MBAM
ComboFix
C:\MGTools.exe

Attach any logs you are able to get.

 

Try running this: W32.Blaster.Worm Removal Tool

 

Try running the tools in safe mode. If necessary, you can rename them to something like 123.com. I would really like to know if you can run MGTools and ComboFix. Again, try renaming them and doing it in safe mode. Also, check task manager for any processes related to the infection.

 

Go ahead and reboot to normal mode, run MBAM again ( your log indicated that you didn't fix what it found, though I guess you saved the log before you did have it fix those items ) and then re-run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Attach both logs.

 

Looks good. I will suggest that you use windows explorer to find and delete these:

Code:

C:\Users\toshiba\AppData\Local\"
bit1b6d.tmp   29 May 2011           0  "BIT1B6D.tmp
bit8db0.tmp    5 Jun 2011           0  "BIT8DB0.tmp
bitdbec.tmp    6 May 2011           0  "BITDBEC.tmp
bitfae3.tmp   29 May 2011           0  "BITFAE3.tmp
cgilabu.bin    5 Jun 2011           0  "Cgilabu.bin
tvegec~1.dat   1 Apr 2011         120  "Tvegecaba.dat

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.We recommend them for doing backup scans when you suspect a malware infection.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
     
     
   
   
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
   
   
10. After doing the above, you should work thru the below link:
    
    • How to Protect yourself from malware!

Malware removal from a National Chain = $149
Malware removal from MajorGeeks = $0

Help Support MajorGeeks
Buy Discounted Software @ Majorgeeks Store. Giveaways Too!

Majorgeeks Geek Wear. Hats, T-Shirts, Hoodies

MajorGeeks on FaceBook

 

Yes, it is part of Combo. Run the uninstaller and it should go away.

 

You are most welcome. Safe surfing.