malware removal - helping a friend

Discussion in 'Malware Help (A Specialist Will Reply)' started by FredMadison, Sep 2, 2007.

  1. FredMadison

    FredMadison Private E-2

    hi,

    my friend had some pretty bad problems with his computer. he doesn't really know a lot about computers (as you can see from these logs), so he asked me to take a look at it.

    i've done all the scans in order and have posted the results. thanks in advance!!!

    my bdscan.txt file is 822kb, so it won't let me attach it. i might be able to break it into 4 parts which you can reconstruct (sorry!). i could also email it to you if that's easier... i've attached runkeys in its place.

    more logs to follow...
     

    Attached Files:

  2. FredMadison

    FredMadison Private E-2

    more logs...
     

    Attached Files:

  3. abri

    abri MajorGeek

    Hi Fred,
    Can you zip the bd scan?
    abri
     
  4. FredMadison

    FredMadison Private E-2

    rolleyes :D

    well, ok.

    wish i thought of that!
     

    Attached Files:

  5. abri

    abri MajorGeek

    thanks!
    will get back to you after awhile.
    abri
     
  6. abri

    abri MajorGeek

    Hi Fred!

    1) Please look in Add/Remove Programs for the following and uninstall them if found. If you get any errors just make a note and proceed.

    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    3) Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    4) Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    5) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    6) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    7) After you have completed ALL of the above in the correct order, please attach the following logs.
    • HijackThis Log
    • ShowNew Log
    • GetRunKey Log
    • Avenger Log
    Let me know how things are working!

    abri
     
  7. FredMadison

    FredMadison Private E-2

    hi abri,

    1) per your instructions i removed:
    - Java 2 Runtime Environment, SE v1.4.2_03
    - Viewpoint Media Player
    - CounterSpy

    2) i removed Windows Messenger

    3) i ran HJT and fixed the items you told me to fix. some of them were not there. i might have fixed some of them myself while i was waiting for your reply. the net result is that everything you wanted gone is gone.

    4) i added fixme.reg to the registry.

    5) i downloaded The Avenger and ran it according to your instructions and rebooted.

    6) ran ATF Cleaner according to your instructions.

    everything seems to be running fine. things got progressively better after running the various scans. AntiVir would pop up every once in a while to tell me about a malicious dll, but that hasn't happened since running this last set of removal instructions. so hopefully we're all set. i can't thank you enough. you guys should really get paid for doing this. you should add a little PayPal link so people can throw you a couple bucks for helping. it is certainly worth it.

    also, i was not able to attach files in Firefox. i switched to IE7 and was then able to attach files. not sure if this will work for everyone, but i thought i would mention it.

    Avenger log follows.

    thanks again!
     

    Attached Files:

  8. FredMadison

    FredMadison Private E-2

    here's the Avenger log.
     

    Attached Files:

  9. abri

    abri MajorGeek

    Hi Fred!

    Sorry this has been slow. I live in a different part of the world from the rest of the malware section so there is sometimes a communication lag on questions. I read another malware thread you posted and wanted to caution you about using the tools to make changes of your own. Some of them can make changes that can't easily be reversed. Patience in this area is necessary.
    Changing from Firefox to IE to do the attachments may have worked because the IE cache was empty if you hadn't been using it. So far I haven't had any trouble with Firefox, so what is actually causing the vBulletin problems with attachments might be one thing or it might be several.


    I missed one important infection and would like for you to do the following:

    1) Please scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    2) Please follow the instructions at FixWareout by LonnieR.Jones

    3) Please post fresh logs for HijackThis and Runkeys. We may still have to get rid of the registry key for AppMasterCenter.exe. If the above tool fixes it, we can run the last cleanup procedures to get rid of all logs and tools you don't need from the READ ME, but I'd like to check first.

    Thanks!
    Abri
     
  10. FredMadison

    FredMadison Private E-2

    hi abri.

    i followed your instructions to the letter. it looks like the AppMasterCenter.exe line is gone from HJT now.

    here are the logs you requested.

    thanks again.
     

    Attached Files:

  11. abri

    abri MajorGeek

    Hi Fred!
    wow! cool! I'm glad it's gone! Your logs look good!
    If you are not having any other malware problems, it is time to do our final steps:
    Thanks for your patience!
    abri
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The log from FixWareOut was not posted. Also, are you sure the AppMasterCenter.exe file has truly been deleted? It was not in the Avenger fix previously posted. It may or may not still exist.
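    The point chaslang raises above (an entry disappearing from a HijackThis log does not prove the file itself is gone) can be checked directly. The following is an added PowerShell example, not a script from this thread or from any of the tools mentioned; it assumes the standard Run/RunOnce autostart keys and a handful of common program directories, and takes only the file name AppMasterCenter.exe from the thread.

```powershell
# Added example: verify that an autostart entry and its target file are really gone.
# Assumptions: standard Run/RunOnce keys and common program directories.
$target = 'AppMasterCenter.exe'

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$found = $false

# 1) Does any autostart value still reference the file?
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
        if ("$($p.Value)" -match [regex]::Escape($target)) {
            Write-Output "Autostart reference still present: $key\$($p.Name) = $($p.Value)"
            $found = $true
        }
    }
}

# 2) Is the file itself still on disk in the usual places?
$dirs = @("$env:SystemRoot", "$env:SystemRoot\System32", "$env:ProgramFiles", "$env:APPDATA")
foreach ($d in $dirs) {
    if (-not (Test-Path $d)) { continue }
    $hits = Get-ChildItem -Path $d -Filter $target -Recurse -ErrorAction SilentlyContinue
    foreach ($h in $hits) {
        Write-Output "File still on disk: $($h.FullName)"
        $found = $true
    }
}

if (-not $found) { Write-Output "No autostart reference to $target and no copy found in the checked directories." }
```

    A file that is absent from these directories could still exist elsewhere, which is why the Avenger run that follows in the thread deletes by explicit path rather than relying on the HijackThis listing alone.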
     
  13. FredMadison

    FredMadison Private E-2

    crap. sorry 'bout that... here's the FixWareOut log.

    also, i am not sure the AppMasterCenter.exe file has been deleted. its line in HJT was gone, but i'm not sure about the file.

    thanks.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To be on the safe side run the below!

    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. HJT


    Is everything still working okay?
     
  15. FredMadison

    FredMadison Private E-2

    ok. all done. logs are attached.

    everything is running perfectly, thanks.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, that's better! You're clean now.

    You should now complete those final steps that Abri gave you in message # 11.
     
  17. FredMadison

    FredMadison Private E-2

    thanks again guys. you are both rock stars! :cool :cool
     
