Malware removal help needed

Discussion in 'Malware Help (A Specialist Will Reply)' started by Tsultrim, Jul 22, 2013.

  1. Tsultrim

    Tsultrim Private E-2

    Have been invaded by a particularly nasty malware attack. I ran your tools to get logs and am attaching the ones I can find. I'm running my PC in safe mode at the moment until this damn thing is exorcised. Some of the tools I ran came up empty, but Hitman and MGTools produced logs.

    Can you help?
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    We really require logs from Normal Boot mode to properly help you. So unless it is impossible for you to run in normal boot mode, please do this from now on. However, I will attempt to get started with what you have posted thus far. If you cannot run in normal boot mode, please tell us this. Also, we need all of the logs whether they show anything or not. Please take note of where the instructions say the files are located or where you save them so that you can attach them when finished.

    You also need to tell us exactly what problems you are having. You did not describe your problems at all; however, based on what you attached thus far, I can tell that you have several problems including one of the newest forms of ZeroAccess infection along with multiple other infections.

    Also note that you have multiple antivirus programs installed (Avast and Microsoft Security Client). As stated in the READ & RUN ME FIRST, you should never do this. Uninstall both of these now. We will reinstall one and only one later (not now).

    Okay so let's try to get started with your cleanup. Continue in normal boot mode if possible otherwise use safe mode.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: SearchHook Class - {D8278076-BC68-4484-9233-6E7F1628B56C} - "C:\Program Files\AskPartnerNetwork\Toolbar\searchhook.dll" (file missing)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Ask Toolbar BHO - {4F524A2D-5637-006A-76A7-7A786E7484D7} - (no file)
    O3 - Toolbar: (no name) - {4F524A2D-5637-006A-76A7-7A786E7484D7} - (no file)
    O4 - HKLM\..\Run: [ApnTBMon] "C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe"
    O4 - HKUS\S-1-5-21-1614895754-1035525444-725345543-1003\..\Run: [wwvn] "C:\Documents and Settings\Joanne\Application Data\Microsoft\Konjyj\konjyj.exe" (User 'Joanne')
    O4 - HKUS\S-1-5-21-1614895754-1035525444-725345543-500\..\Run: [zarw] "C:\Documents and Settings\Administrator\Application Data\Microsoft\Uxcdgaa\uxcdgaa.exe" (User 'Administrator')
    O4 - S-1-5-21-1614895754-1035525444-725345543-1003 Startup: konjyj.lnk = ? (User 'Joanne')
    O4 - S-1-5-21-1614895754-1035525444-725345543-1003 User Startup: konjyj.lnk = ? (User 'Joanne')
    O4 - S-1-5-21-1614895754-1035525444-725345543-1008 Startup: aquafk.lnk = ? (User 'Ro')
    O4 - S-1-5-21-1614895754-1035525444-725345543-1008 User Startup: aquafk.lnk = ? (User 'Ro')
    O4 - S-1-5-21-1614895754-1035525444-725345543-500 Startup: uxcdgaa.lnk = ? (User 'Administrator')
    O4 - S-1-5-21-1614895754-1035525444-725345543-500 User Startup: uxcdgaa.lnk = ? (User 'Administrator')

    After clicking Fix, exit HJT.

    Along with uninstalling Avast and Microsoft Security Client, also uninstall the below software:
    Ask Toolbar
    J2SE Runtime Environment 5.0 Update 11
    Java(TM) 6 Update 17
    Java(TM) 6 Update 2
    Java(TM) SE Runtime Environment 6 Update 1
    Uniblue DriverScanner 2009
    Uniblue SpeedUpMyPC 3
    Uniblue System Tweaker
    Viewpoint Media Player

    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code:, which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
    
    :Services
    APNMCP
    Viewpoint Service
    weujmvu
     
    :Files
    C:\Documents and Settings\Joanne\Application Data\Microsoft\Konjyj
    C:\Documents and Settings\Administrator\Application Data\Microsoft\Uxcdgaa                   
    C:\Documents and Settings\Alan\Local Settings\Application 
    C:\Documents and Settings\All Users\Application Data\
    C:\Documents and Settings\All Users\Application Data\APN
    C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork
    C:\Documents and Settings\All Users\Application Data\coNtinuuetosave
    C:\Documents and Settings\Alan\Desktop\
    C:\Documents and Settings\Alan\Desktop\HijackThis.exe
    C:\Documents and Settings\Alan\Desktop\hijackthis.log
    C:\Program Files\AskPartnerNetwork
    C:\Program Files\ContinueToSave
    
    :Reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "ApnTBMon"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8DE1B9F2-9747-42D6-AA90-D56346E8400A}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4F524A2D-5637-006A-76A7-7A786E7484D7}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{4F524A2D-5637-006A-76A7-7A786E7484D7}"=-
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    • Now exit any programs that you may have started.
    • Please disconnect any USB or external drives from the computer before you run this scan!
    • Rerun RogueKiller (if running Vista, Win7, or Win8, right-click and select Run as Administrator to run it; for WinXP and Win 2K just double click to run it)
    • Wait until Prescan has finished
    • Then Click on "Scan" button
    • Wait until the Status box shows "Scan Finished"
    • click on "delete"
    • Wait until the Status box shows "Deleting Finished"
    • Click on "Report" and attach the content of the Notepad into your next reply.
    • The log should be found in a new RKreport[x].txt on your Desktop
    • Exit/Close RogueKiller and reboot your PC.


    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note that JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.txt log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Jul 22, 2013
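The O4 lines in the fix list above follow one persistence pattern: a Run value with a short random name whose target is <profile>\Application Data\Microsoft\<x>\<x>.exe, plus a Startup-folder shortcut of the same name whose target HijackThis could not resolve (the "= ?"). The parser below, added here as an illustration and not part of HijackThis, MGtools or chaslang's fix, reads O4 lines of that shape and flags entries matching the pattern, so the same check can be re-run on a fresh log after the fix to confirm the entries are gone. The sample lines are copied from the post above; the "short all-lowercase name" rule is a heuristic, and the Ask Toolbar entry is deliberately not caught by it (it is unwanted software, not this dropper pattern).

```python
"""Flag HijackThis O4 autorun lines matching the dropper pattern seen in this thread.

Added example; not HijackThis, MGtools or OTM code.  The persistence pattern is
taken from the fix list in the post above; the sample lines are copied from it.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ApnTBMon] "C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe"
O4 - HKUS\S-1-5-21-1614895754-1035525444-725345543-1003\..\Run: [wwvn] "C:\Documents and Settings\Joanne\Application Data\Microsoft\Konjyj\konjyj.exe" (User 'Joanne')
O4 - HKUS\S-1-5-21-1614895754-1035525444-725345543-500\..\Run: [zarw] "C:\Documents and Settings\Administrator\Application Data\Microsoft\Uxcdgaa\uxcdgaa.exe" (User 'Administrator')
O4 - S-1-5-21-1614895754-1035525444-725345543-1003 Startup: konjyj.lnk = ? (User 'Joanne')
O4 - S-1-5-21-1614895754-1035525444-725345543-1008 User Startup: aquafk.lnk = ? (User 'Ro')
O4 - S-1-5-21-1614895754-1035525444-725345543-500 Startup: uxcdgaa.lnk = ? (User 'Administrator')
O2 - BHO: Ask Toolbar BHO - {4F524A2D-5637-006A-76A7-7A786E7484D7} - (no file)
"""


@dataclass
class Autorun:
    kind: str             # "run-key" or "startup-folder"
    user: Optional[str]   # account from the trailing "(User '...')", if any
    sid: Optional[str]    # SID from HKUS\<sid> or from the Startup line
    name: str             # Run value name, or the .lnk file name
    target: str           # image path; "?" when HijackThis could not resolve the .lnk


@dataclass
class Finding:
    severity: str         # "high" (matches the pattern) or "review" (heuristic)
    entry: Autorun
    reason: str


RUN_RE = re.compile(
    r"^O4 - (?:HKLM|HKCU|HKUS\\(?P<sid>S-1-5-[\d-]+))\\\.\.\\Run: "
    r"\[(?P<name>[^\]]*)\] (?P<rest>.*)$")
STARTUP_RE = re.compile(
    r"^O4 - (?P<sid>S-1-5-[\d-]+) (?:User )?Startup: (?P<lnk>.+?) = (?P<target>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$")
USER_SUFFIX_RE = re.compile(r" \(User '(?P<user>[^']*)'\)$")
# <profile>\Application Data\Microsoft\<dir>\<exe>.exe on XP; AppData\Roaming on Vista and later
PROFILE_MS_RE = re.compile(
    r"\\(?:Application Data|AppData\\Roaming)\\Microsoft\\(?P<dir>[^\\]+)\\(?P<exe>[^\\]+)\.exe$",
    re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^[a-z]{4,8}$")   # wwvn, zarw, konjyj: heuristic only


def _strip_user(rest: str) -> Tuple[str, Optional[str]]:
    m = USER_SUFFIX_RE.search(rest)
    return (rest[:m.start()], m.group("user")) if m else (rest, None)


def _image_path(rest: str) -> str:
    """Return the executable path from a Run value, dropping quotes and arguments."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    return rest


def parse_autoruns(text: str) -> List[Autorun]:
    entries: List[Autorun] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            rest, user = _strip_user(m.group("rest"))
            entries.append(Autorun("run-key", user, m.group("sid"), m.group("name"), _image_path(rest)))
            continue
        m = STARTUP_RE.match(line)
        if m:
            entries.append(Autorun("startup-folder", m.group("user"), m.group("sid"),
                                   m.group("lnk"), m.group("target")))
    return entries


def flag_suspicious(text: str) -> List[Finding]:
    entries = parse_autoruns(text)
    findings: List[Finding] = []
    bad_stems = set()     # executable names of flagged Run entries, e.g. "konjyj"
    for e in entries:
        if e.kind != "run-key":
            continue
        m = PROFILE_MS_RE.search(e.target)
        if m and m.group("dir").lower() == m.group("exe").lower():
            bad_stems.add(m.group("exe").lower())
            findings.append(Finding("high", e, "executable dropped as ...\\Microsoft\\<x>\\<x>.exe in a user profile"))
        elif RANDOM_NAME_RE.match(e.name):
            findings.append(Finding("review", e, "short all-lowercase Run value name; confirm the target"))
    for e in entries:
        if e.kind != "startup-folder":
            continue
        stem = e.name[:-4].lower() if e.name.lower().endswith(".lnk") else e.name.lower()
        if stem in bad_stems:
            findings.append(Finding("high", e, "Startup shortcut matches a flagged Run entry"))
        elif e.target == "?":
            findings.append(Finding("review", e, "shortcut target not resolved by HijackThis; inspect the .lnk"))
    return findings


if __name__ == "__main__":
    for f in flag_suspicious(SAMPLE_LOG):
        print(f"{f.severity:6} {f.entry.kind:14} {f.entry.user or 'HKLM':14} {f.entry.name}: {f.reason}")
```

Run it on the lines above and the two Run values and their two matching shortcuts come out as "high"; the aquafk.lnk shortcut for user 'Ro' is only "review", because no Run value for it appears in the quoted list, which is exactly the kind of entry worth checking by hand before clicking Fix.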
  3. Tsultrim

    Tsultrim Private E-2

    I can't remove Microsoft Security Client as this thing has blocked all access. I can't even scan the files. So before I can remove that one, I will need instructions as to how to gain access to it again. This was my primary AV tool.

    So far, I have identified that there is a Qakbot variant installed and it also downloaded a number of other little nasties. It blocked access to all anti-virus sites so I could not download updates or install any other AV software, so I have been forced into working in Safe Mode with Networking in order to prevent any further invasion. I am sure this baby has done a lot of damage, and am concerned it may have also migrated over to my MS Home Server, but I can't tackle that until I get my PC stabilized.

    Once I stabilize this PC, I am considering backing up the data and doing a clean install of Windows 7 (or Windows 8) to improve security.

    Please advise on the MS Security Client.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just continue on with the rest of my instructions and we will come back to this later, because this program's file system has been corrupted by the ZeroAccess infection.
     
  5. Tsultrim

    Tsultrim Private E-2

    Hi there,
    I ran all the tests in normal mode and the system seems to be much more responsive. I can now access AV sites as well. Here are the results of the tests.

    When I ran HJT, some of the lines you listed did not appear:
    O4 - HKUS\S-1-5-21-1614895754-1035525444-725345543-1003\..\Run: [wwvn] "C:\Documents and Settings\Joanne\Application Data\Microsoft\Konjyj\konjyj.exe" (User 'Joanne')
    O4 - HKUS\S-1-5-21-1614895754-1035525444-725345543-500\..\Run: [zarw] "C:\Documents and Settings\Administrator\Application Data\Microsoft\Uxcdgaa\uxcdgaa.exe" (User 'Administrator')
    O4 - S-1-5-21-1614895754-1035525444-725345543-1003 Startup: konjyj.lnk = ? (User 'Joanne')
    O4 - S-1-5-21-1614895754-1035525444-725345543-1003 User Startup: konjyj.lnk = ? (User 'Joanne')
    O4 - S-1-5-21-1614895754-1035525444-725345543-1008 Startup: aquafk.lnk = ? (User 'Ro')
    O4 - S-1-5-21-1614895754-1035525444-725345543-1008 User Startup: aquafk.lnk = ? (User 'Ro')
    O4 - S-1-5-21-1614895754-1035525444-725345543-500 Startup: uxcdgaa.lnk = ? (User 'Administrator')
    O4 - S-1-5-21-1614895754-1035525444-725345543-500 User Startup: uxcdgaa.lnk = ? (User 'Administrator')


    Also when I ran OTM my system became unresponsive. I tried this 3 times and all 3 times the same result. So I do not have a log file for that test. I am attaching the remaining ones asked for as they all ran as expected.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay we need to get OTM to run. Please reboot into safe boot mode and run the fix with OTM. Afterwards, reboot into normal boot mode and then continue with the below.

    • Run a new scan with Hitman Pro and save a new log.
    • Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

      Then attach the below logs:
      • the C:\_OTM\MovedFiles log
      • the new Hitman Pro log
      • C:\MGlogs.zip
     
  7. Tsultrim

    Tsultrim Private E-2

    I got OTM to run. However, in Safe Mode with Networking the system hung again when it got to the step of deleting temporary internet files under NetworkService. I had to reboot under safe mode (without networking) for it to run to completion. I copied the code to a .txt file and used that.

    One unexpected outcome is that my desktop was cleared of items and moved to the OTM files directory as well. I am also getting the Windows Installer popping up from time to time since the OTM cleaning. I just cancelled out of it to avoid any unwanted installs.

    I ran hitman using the instructions... only getting a scan - no fixes. So whatever it detected is still there.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's see if we can fix this first before doing anything else.


    Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then double click on it to run it.

    RestDesk.bat

    Now reboot your PC to see the effects.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
    • C:\MGtools\cpylist.txt
    Did this restore your Desktop files and also Application Data files (probably the cause of Windows installer running )?
     
  9. Tsultrim

    Tsultrim Private E-2

    Hi chaslang,
    I ran the .bat file and it seems to have stopped the Windows Installer pop-ups, but did not restore all my desktop files. I am assuming that this is because they went missing on the first attempt in Safe Mode. This created a folder named 07222013_223927, but since the OTM program hung in the last stages it did not create a .log file. There are only 2 desktop folders that are important to restore and I can do that later if we don't remove that OTM folder.

    The MGLogs.zip file you requested is attached, but the cpylist.txt file was empty and would not upload.

    Thanks for all the help so far...MUCH appreciated.
     

    Attached Files:

  10. Tsultrim

    Tsultrim Private E-2

    One more thing.. may not be related, but the dkservice.exe program is encountering an error (has been for a couple of weeks so I don't know if related).
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I modified RestDesk.bat. Please try the whole process all over again starting with downloading the file again.


    No, the Diskeeper issue (the dkservice.exe service) is not related. You may need to reinstall it later.
     
  12. Tsultrim

    Tsultrim Private E-2

    The process seems to have stalled when restoring the All Users Application Data. It's been sitting for hours doing nothing. All my desktop files have been restored. My thought was to reboot and collect the logs to send in, but I thought I would confirm first.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There were quite a lot of files to restore in Application Data. Don't reboot yet.

    Just attach a copy of the cpylist.txt file as it is right now.
     
  14. Tsultrim

    Tsultrim Private E-2

    Here it is. :)
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, I see the problem. I have made a new batch file named RestDesk2.bat which will write to a new log file named C:\MGtools\cpylist2.txt. Follow the below instructions.

    You should be able to terminate the existing batch file by clicking the command prompt window and typing CTRL-C a couple of times. If that does not work, then just close the command prompt window by clicking the X.


    Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then double click on it to run it.

    RestDesk2.bat

    Now reboot your PC to see the effects.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • C:\MGlogs.zip
    • C:\MGtools\cpylist2.txt
    Did this restore your Application Data files ?
     
  16. Tsultrim

    Tsultrim Private E-2

    OK. That seemed to move some of the files, but not all of them. The process terminated on its own (and it did not take long) and I recall having to close the window the first time I ran it.
     

    Attached Files:

  17. Tsultrim

    Tsultrim Private E-2

    Hi chaslang,
    I had a look at the files that were transferred and tried the applications I use, so I believe I am okay to continue. I also had a look at what was in the OTM moved files directory and it appears that what wasn't moved I don't need moved back anyway.

    Cheers!
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not too sure about that, there were a lot of different folders in there for many applications ( like Adobe, Epson Printer, DivX, Intuit......many more ).

    Do you know how to copy folders/files using Windows Explorer from one location to another?
     
  19. Tsultrim

    Tsultrim Private E-2

    Yes, I have no problem with that. Not as familiar with xcopy (haven't used that in about 20 years or so), but windows explorer... copy/paste and drag/drop... no problem.
     
  20. Tsultrim

    Tsultrim Private E-2

    I understand that I would be copying files and folders from the All Users\Application Data directory. Are there any that I should not copy over?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, what I want you to copy (not move ;) ) is the below folder and all contents

    C:\_OTM\MovedFiles\07222013_223927\C_Documents and Settings\All Users\Application Data

    Back into the below folder ( overwrite any existing files ):

    C:\Documents and Settings\All Users\Application Data


    Also since OTM was used at two different times, copy the below folder and all contents:

    C:\_OTM\MovedFiles\07222013_230648\C_Documents and Settings\All Users\Application Data

    Back into the below folder ( overwrite any existing files ):

    C:\Documents and Settings\All Users\Application Data
     
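The copy-back step above has two parts: working out where a folder under C:\_OTM\MovedFiles\<timestamp>\ originally lived, and copying it back without stopping at the first file Windows refuses to overwrite. The script below is an added example, not OTM's code and not the RestDesk.bat chaslang posted. It assumes, from the two paths quoted in the post, that the first folder under the timestamp names the drive as "C_" followed by the original path; the demo tree it builds in a temporary directory is constructed here to stand in for the real quarantine folder.

```python
"""Map an OTM quarantine path back to its original location and copy the tree back.

Added example; not OTM or MGtools code.  Assumption: OTM stores
C:\<path> as C:\_OTM\MovedFiles\<timestamp>\C_<path>, as the two paths in the
post above suggest.  restore_tree copies (never moves) and keeps going past
files that cannot be overwritten, such as the Crypto key files mentioned later
in the thread.
"""
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Tuple

QUARANTINE_ROOT = PureWindowsPath(r"C:\_OTM\MovedFiles")


def original_path(moved: str) -> str:
    """C:\\_OTM\\MovedFiles\\<ts>\\C_Documents and Settings\\X -> C:\\Documents and Settings\\X"""
    rel = PureWindowsPath(moved).relative_to(QUARANTINE_ROOT)   # ValueError if not quarantined
    parts = rel.parts          # ('07222013_223927', 'C_Documents and Settings', 'All Users', ...)
    if len(parts) < 2 or len(parts[1]) < 3 or parts[1][1] != "_":
        raise ValueError(f"unexpected quarantine layout: {moved}")
    drive = parts[1][0] + ":\\"
    return str(PureWindowsPath(drive, parts[1][2:], *parts[2:]))


@dataclass
class RestoreReport:
    copied: List[str] = field(default_factory=list)
    skipped: List[str] = field(default_factory=list)   # access denied or in use


def restore_tree(src_root: str, dst_root: str, dry_run: bool = False) -> RestoreReport:
    """Copy every file under src_root to the same relative place under dst_root.

    Existing destination files are overwritten; nothing under src_root is
    removed, so the quarantine copy survives a partial restore.
    """
    report = RestoreReport()
    for dirpath, _dirs, files in os.walk(src_root):
        rel = os.path.relpath(dirpath, src_root)
        target_dir = dst_root if rel == "." else os.path.join(dst_root, rel)
        if not dry_run:
            os.makedirs(target_dir, exist_ok=True)
        for name in files:
            dst = os.path.join(target_dir, name)
            try:
                if not dry_run:
                    shutil.copy2(os.path.join(dirpath, name), dst)
                report.copied.append(dst)
            except PermissionError:     # leave it and carry on, as the thread's RestDesk run could not
                report.skipped.append(dst)
    return report


def make_demo_tree() -> Tuple[str, str]:
    """Constructed stand-in for a quarantine folder and its destination, in a temp dir."""
    base = tempfile.mkdtemp(prefix="otm_demo_")
    src = os.path.join(base, "MovedFiles", "07222013_223927",
                       "C_Documents and Settings", "All Users", "Application Data")
    dst = os.path.join(base, "Documents and Settings", "All Users", "Application Data")
    for rel, text in (("Adobe/prefs.ini", "a=1"), ("Epson/driver.cfg", "x"),
                      ("Microsoft/Crypto/key.bin", "k")):
        path = os.path.join(src, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return src, dst


if __name__ == "__main__":
    print(original_path(r"C:\_OTM\MovedFiles\07222013_223927\C_Documents and Settings\All Users\Application Data"))
    src, dst = make_demo_tree()
    rep = restore_tree(src, dst, dry_run=True)
    print(f"would copy {len(rep.copied)} files into {dst}")
    rep = restore_tree(src, dst)
    print(f"copied {len(rep.copied)}, skipped {len(rep.skipped)}")
```

Run it with dry_run=True first to see the full list of destinations, then for real; skipped entries are the ones to check by hand, and, as the next post notes, files under Microsoft\Crypto that refuse to copy are usually regenerated by Windows anyway.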
  22. Tsultrim

    Tsultrim Private E-2

    Okay, I've copied all files that would copy. Some of the moved files would not - under the microsoft folder, and mostly under crypto. The keys had access denied errors. I believe these regenerate as needed anyway, so I am not concerned. There were 1 or 2 more files in the microsoft folder that had a similar error, but they already existed in the target folder, so I believe these are also regenerated files. Everything else was fine.

    What is the next step?
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, sounds good. If everything is back to normal and you have everything you need copied out of the C:\_OTM folders, then you can work through the below. The below will remove most of what we have done (including the C:\_OTM folder) when you run MGclean.bat. So make sure you are really good before running these steps.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
  24. Tsultrim

    Tsultrim Private E-2

    Hi Chaslang,
    Thank you ever so much for all the help in getting rid of this nasty malware. I ran a scan using Malwarebytes and installed Comodo Internet Security (AV and Firewall). All scans look good!

    You guys at Major Geeks are awesome!

    One last thing... I would like to make my router more secure and couldn't find any pointers on the forum. Can you point me in the right direction?

    Many Thanks!:-D
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome and thanks.
    Yeah, I never really added too much about this into the How to Protect... thread other than a little bit mentioned in the Firewall section. There are quite a few tips out there that are helpful. See the below:

    http://www.pcmag.com/article2/0,2817,2409751,00.asp

    https://www.grc.com/nat/nat.htm

    http://www.ciscopress.com/articles/article.asp?p=461084

    https://krebsonsecurity.com/2011/12/new-tools-bypass-wireless-router-security/

    http://news.cnet.com/8301-1009_3-57579981-83/top-wi-fi-routers-easy-to-hack-says-study/

    http://compnetworking.about.com/od/wirelesssecurity/tp/wifisecurity.htm
     
