Malware System Cleaning

Discussion in 'Malware Help (A Specialist Will Reply)' started by Pretteyes, Sep 2, 2008.

  1. Pretteyes

    Pretteyes Private E-2

    Good Day All
    I believe I have completed the READ & RUN ME FIRST. Malware Removal Guide as you advised and I have included the log postings for your expert review. Thanks in advance.

    Original Post
    Hello

    I would like to first thank you for helping me to resolve some previous issues with my system. I think you are AWESOME!

    I recently had a problem accessing automatic Windows updates (error 1058). I went through some scanning & cleaning recommendations I found on your site. I believe I have resolved that issue. I am now able to get the updates automatically (Thanks 2 U).

    I would like to be certain that all malware and possible infections have been removed. Please tell me what I need to provide so that you can evaluate my system and point me in the right direction if I need to take further action.

    Thank you Computer GODS!!!
     

    Attached Files:

  2. Pretteyes

    Pretteyes Private E-2

    ComboFix log

     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We need to use ComboFix to remove a bunch of malware files.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):
    Code:
    KILLALL::
    
    
    Folder::
    C:\Window\U2hhdW5l
    C:\WINDOWS\system32\imp32
    C:\WINDOWS\system32\olixds18
    C:\WINDOWS\system32\provdll
    C:\WINDOWS\system32\sfig
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combo.
     
  4. Pretteyes

    Pretteyes Private E-2

    Hi Tim & Thank you for time and expertise

    Here are the updated logs you have requested.
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's try one more time:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):
    Code:
    KILLALL::
    
    
    Folder::
    C:\Window\U2hhdW5l
    C:\WINDOWS\system32\OBDE
    C:\Temp
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combo.
     
  6. Pretteyes

    Pretteyes Private E-2

    Tim W, I can't thank you enough for your time and assistance;)

    Here are the additional logs for further eval.

    Did I THANK YOU already?
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    And maybe this time will be the charm:

    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):
    Code:
    KILLALL::
    
    File::
    C:\WINDOWS\system32\vbzip10.dll
    
    Folder::
    C:\Window\U2hhdW5l
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combo.
     
  8. Pretteyes

    Pretteyes Private E-2

    Hello TimW

    Here are the latest log results.

    More Thanks
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Aaaggghhh.......stubborn little thing.

    Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):
    Code:
    KILLALL::
    
    FolderLook::
    C:\Window\U2hhdW5l
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.
     
  10. Pretteyes

    Pretteyes Private E-2

    I wasn't sure if you wanted me to complete both of the previous steps like before, so I did. I hope it's what you presumed I would do; if not, I will re-do the first step with copy/paste & ComboFix only.

    By the way, combofix auto restarts at a certain point. Not sure if it should or if this is something that I should share.

    UR a Trooper Thanks
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Well...I have no idea what that folder is.....are you having any issues?

    If not, then I think we should give you the clean up and just see how your system is running.

    Let's clean up from combo:
    Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    If you get a success message, then it is time to do our final steps:
     
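An added example, not part of the thread and not ComboFix's own code: the script-building procedure in posts 3, 5, 7 and 9 is the same each time (a KILLALL:: header, then File::, Folder:: or FolderLook:: sections listing absolute paths), and post 11 leaves the folder C:\Window\U2hhdW5l unidentified. The Python helper below renders a CFScript from those section names and runs the quick check an analyst would want on such a name: U2hhdW5l is valid base64 and decodes to the printable string "Shaune". Function names, the path list and the strictness rules are assumptions made for illustration; the base64 test is a heuristic (short random names can decode to printable text by chance) and is meant to run on the analyst's machine, not on the infected host.

```python
"""Added example (not from the original thread, not ComboFix code):
render a ComboFix-style CFScript and flag path components that read
as base64 text. Section headers are the ones the thread uses; the
function names and strictness rules are illustrative assumptions."""
import base64
import string
from pathlib import PureWindowsPath

# Characters allowed in a standard base64 token.
_B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")


def build_cfscript(files=(), folders=(), folderlook=(), killall=True):
    """Render CFScript text: a bare KILLALL:: header, then each used
    section header followed by one absolute Windows path per line.
    Relative paths are refused so the script cannot act on a path that
    depends on where ComboFix happens to be run from (an assumption
    about safe usage, not a ComboFix rule)."""
    lines = []
    if killall:
        lines += ["KILLALL::", ""]
    for header, paths in (("File::", files),
                          ("Folder::", folders),
                          ("FolderLook::", folderlook)):
        if not paths:
            continue
        lines.append(header)
        for p in paths:
            wp = PureWindowsPath(p)
            if not wp.drive:
                raise ValueError(f"not an absolute Windows path: {p}")
            lines.append(str(wp))
        lines.append("")
    # Notepad-friendly line endings.
    return "\r\n".join(lines)


def base64_decoded_name(name):
    """Return the plain-text reading of a name if it is valid base64
    for printable ASCII, otherwise None. Heuristic only."""
    if len(name) % 4 or not name or any(c not in _B64_ALPHABET for c in name):
        return None
    try:
        raw = base64.b64decode(name, validate=True)
        text = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    visible = set(string.printable) - set("\t\n\r\x0b\x0c")
    if text and all(ch in visible for ch in text):
        return text
    return None


def flag_encoded_components(path):
    """List (component, decoded_text) for each path component, drive
    excluded, that reads as base64-encoded printable text."""
    flagged = []
    for part in PureWindowsPath(path).parts[1:]:
        decoded = base64_decoded_name(part)
        if decoded is not None:
            flagged.append((part, decoded))
    return flagged


if __name__ == "__main__":
    # Paths taken from the thread's post 7 script.
    print(build_cfscript(files=["C:\\WINDOWS\\system32\\vbzip10.dll"],
                         folders=["C:\\Window\\U2hhdW5l"]))
    for p in ("C:\\Window\\U2hhdW5l", "C:\\WINDOWS\\system32\\OBDE"):
        print(p, "->", flag_encoded_components(p))
```

Running the block prints the post 7 script verbatim and flags only the U2hhdW5l component (OBDE, imp32, sfig and the other names in the thread do not decode to printable ASCII). A name that decodes cleanly is a reason to look harder at what created the folder, not proof of anything by itself.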
  12. Pretteyes

    Pretteyes Private E-2

    OK TimW
    1. I have not identified any issues after cleaning system.
    2. I received the following message: FixMe.reg has been successfully entered into the registry.
    3. I proceeded with the final steps as indicated and I am working through the How to Protect yourself from malware link provided.

    Just one more question; Can I delete the fixme file from the desktop?

    You have been a tremendous support and I appreciate all that you have done.
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes you can remove the registry patch as per item #7

    You are most welcome...safe surfing. :)
     
