Malware Removal Step 3

warmum · Jan 5, 2009

I am doing a follow-up to the Malware Removal. I am currently at Step 3 and am attaching all my logs to see if I can get help making sure I'm getting rid of everything.
I am running a laptop with Windows XP Professional. It is a work computer and has VPN connection for the company and regular wireless connection for everyday use. I went through every single step on the malware removal guide after getting these symptoms on my computer:

Lots of pop-ups
Antivirus and firewalls disabled
Even when I try to turn them on, they don't
They say they're running when I go to their properties but Windows Security says they are turned off
LimeWire has been present on the computer previously

warmum · Jan 5, 2009

4th Log

TimW · Jan 8, 2009

You had some real problems, but the scans took care of most of it.

Let's do this:

Please use add/remove programs to uninstall:

Please disable all anti-virus and anti-spyware programs while we do the following ( be sure to re-enable when we are finished):

Run C:\MGtools\analyse.exe by double clicking on it. (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O20 - AppInit_DLLs: zffmsx.dll
Click to expand...

NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

After clicking Fix, exit HJT.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"=-

[-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Click to expand...

Now download The Avenger by Swandog469, and save it to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the "Input script here:"
part of the window:

Files to delete:
c:\windows\system32\tmpAA339.FOT
c:\windows\system32\tmp66439.FOT
c:\windows\system32\tmp4B439.FOT
c:\windows\system32\tmp49439.FOT
c:\windows\system32\tmp3E439.FOT
c:\windows\system32\tmp12539.FOT
C:\WINDOWS\ITZ70V8V.DDP
C:\WINDOWS\KU2RZNUI7E3BRZ7W

Folders to delete:
c:\program files\AskBarDis
Click to expand...

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now download and install:
Java Runtime

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Be sure to tell us how things are running.

warmum · Jan 11, 2009

Okay, I did all the steps above and I am attaching the new log from MGtools and the log from Avenger.

Everything on my computer seems to be running fine, no pop-ups or anything have come back. The only issue I have is that my Windows Security still does not recognize my antivirus program. It is Symantec Professional put on by the company that owns the computer and some of the programs on it. I've never noticed a problem before. The antivirus program is always running and can never be disabled, and the security warnings only started occurring when I got the malware problems. I don't know if it's something I need to worry about, but I just told my Windows Security that I would monitor the antivirus program myself so it would quit showing warning errors.

TimW · Jan 13, 2009

Windows security does not recognize various AV programs. You are clean, but I would like you to use windows explorer to find and ( unless you know what it is) delete:
C:\WINDOWS\KU2RZNUI7E3BRZ7W

If you are not having any other malware issues, then:

We recommed you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection, but are effective as backup scanners. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete the C:\combofix folder from combofix (if it exists)

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Click to expand...

warmum · Jan 18, 2009

I'm having one more problem. I'm now getting an error message when the computer starts:

Error loading COCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt
The specified module could not be found.

I used to have Kodak Easy Share and took it off my computer a long time ago, but now this message is showing up. It says it is a RUNDLL at the top. Any help?

TimW · Jan 19, 2009

Do a search for easy share and delete anything that is found. Then run CCleaner, both the cleaner and the issues/registry ( making sure you do the backup when prompted).

warmum · Jan 22, 2009

Thank you for all your help! My system is clean and running great!!

TimW · Jan 23, 2009

You are most welcome...safe surfing.

Log in or Sign up

Malware Removal Step 3

warmum Private E-2

Attached Files:

MGlogs.zip

SASlog.txt

ComboFix.txt

warmum Private E-2

Attached Files:

mblog.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

warmum Private E-2

Attached Files:

MGlogs.zip

avenger.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

warmum Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

warmum Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member