malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by lisalisa, Apr 25, 2010.

  1. lisalisa

    lisalisa Private E-2

I have been having computer problems for a couple of weeks. I think it started after I thought my antivirus was notifying me of a problem with a pop-up and prompted me to take action - click yes or no. I clicked for it to fix the problem and I have had problems since. I was getting constant notifications from AVG Resident Shield of a threat (trojan horse downloader). Icons were appearing on my desktop that I had not installed. When I clicked on a heading in a Google search, my browser would start bouncing around on random web pages with no prompting. The last problem was that one of my user accounts couldn't access most programs. When clicking on most any desktop icon (Internet Explorer, Microsoft Excel or Word, My Documents), we would get a popup saying "application not found". Some of the other programs (like my Epson control panel for my printer) will say "choose which program you want to use to open with". All issues seem to be resolved since completing the steps in your READ ME section except the last problem of the one user account able to access programs. It can now access Internet Explorer but not any of the other items mentioned. My logs are attached (the last one will follow in my next post).
     

    Attached Files:

  2. lisalisa

    lisalisa Private E-2

    this is the final log attached
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Tell me which account this is.

Do you have the exact name of the file it was finding, and its file path?

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Driver::
    quryfer
    DirLook::
    C:\spyware removal
    File::
    c:\documents and settings\lisa colasurdo\local settings\temp\~df4575.tmp
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\50vGiJ1FW7x2
    C:\Documents and Settings\Lisa Colasurdo\Local Settings\Application Data\F6j8qA244a63
    C:\Documents and Settings\All Users\Application Data\2509137411
    C:\Documents and Settings\All Users\Application Data\3469191438
    C:\Documents and Settings\All Users\Application Data\50vGiJ1FW7x2
    C:\Documents and Settings\All Users\Application Data\F6j8qA244a63
    C:\~QTWTMP.TMP
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this
     
  4. lisalisa

    lisalisa Private E-2

    Quote:
    All issues seem to be resolved since completing steps in your read me section except the last problem of the one user account able to access programs. It can now access internet explorer but not any of the other items mentioned.

    Tell me which account this is.

The user account that is not working properly is Mike Colasurdo's.

    Quote:
    I was getting constant notification from AVG resident shield of threat (trojan horse downloader).

    Do you have the exact name of the file it was finding, and it's file path?
    I don't - and since I'm not getting that message any more, I don't know how I would go back to find this out for you


    Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).
    Quote:
    C:\Documents and Settings\Lisa Colasurdo\Local Settings\temp
The only files in this folder were from today, so nothing was deleted.

    When I run combofix, I get a message of:
    C:\Windows\system32\cmd.exe
    C\PROGRA~\SymantecS32EVNT1.DLL.An Installable virtual device driver failed Dll initialization. Choose'Close' to terminate the application
    I couldn't work around this using the notes/instructions for possible error messages, so I chose Ignore.

    Since I have initially done the steps in READ & RUN ME, my computer is functioning much better, but Spybot and AVG are still picking up a problem during the scans. I am running Windows XP (I don't know if you need that information)

    Thank you so much for helping me with this.
     

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

You will need to download MGTools.exe to the C drive of the aforementioned account. There is something we can try, and then when we have made some progress, you can run other scans on that account too. But do not do this until we have finished up with the account we are focussing on now.

    Fair enough... but then you say:

    Give me some more detail :) What exactly are they picking up on?

    Use windows explorer to find and delete the below bold folder:

    Do the same then for this file:
    Answer my questions that I asked regarding what avg and Spybot are scoping out. Let me know also if that file and folder deleted quietly.
     
  6. lisalisa

    lisalisa Private E-2

    The folder and file you advised to remove were deleted with no problems. I'm attaching my AVG log - it has details of what it found and I'm not sure what it means. I don't know how to get a log on Spybot, but when I ran it tonight, all it is finding is an Adaware Coupon bar - which I know where it came from and it is (I believe) harmless.
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

Yep, AVG is just doing its job, and what it's flagging in System Restore will not occur any longer when you have followed the final steps on this account.

    But first..
    So let's begin by having you log into the Mike account and downloading MGTools.exe to the C drive where specified, run it, and attach the C:\Mglogs.zip providing you are able to run it successfully. :)
     
  8. lisalisa

    lisalisa Private E-2

    I'm having problems getting MGtools on Mike Colasurdo user account. I couldn't save it to the C drive because when I try to access My Computer to get to the C drive, I get message "C:\WINDOWS\Explorer.EXE Application not found"

    I next tried to run it from the desktop as a last resort. I downloaded it to the desktop, but when I clicked on it to run, I got the message "Choose program you want to use to open the file"
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    How about in safe mode?

    Failing that please try this:

http://www.dougknox.com/xp/file_assoc.htm (scroll down to the 9th fix, EXE file association fix). Then try running the scans starting with SAS and MBAM, finishing off with RootRepeal, ComboFix and MGTools. Let me know how you get along.
     
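The "Application not found" and "Choose program you want to use" symptoms reported above are what a hijacked .exe file association looks like. As an added example that is not part of this thread or of the dougknox fix, here is a read-only PowerShell check a technician can run before and after applying such a fix to confirm the association is back at the Windows default. It assumes Windows with PowerShell 2.0 or later, run from an administrator prompt; the registry paths and default values it compares against (`HKCR\.exe` = `exefile`, `HKCR\exefile\shell\open\command` = `"%1" %*`) are the standard Windows defaults, not values taken from this thread.

```powershell
# Added example, not from the thread. Read-only check of the .exe file
# association that Windows uses when a program is double-clicked.
# Assumes: Windows, PowerShell 2.0+, run with administrator rights.

function Test-ExeAssociation {
    # Default values on a healthy Windows install. HKCR is the merged view of
    # HKLM\SOFTWARE\Classes and HKCU\Software\Classes.
    $expected = @{
        'Registry::HKEY_CLASSES_ROOT\.exe'                       = 'exefile'
        'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' = '"%1" %*'
    }

    $results = @()
    foreach ($path in $expected.Keys) {
        $actual = $null
        if (Test-Path -LiteralPath $path) {
            # The unnamed default value is exposed by Get-ItemProperty as '(default)'.
            $item = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
            if ($item -ne $null) { $actual = $item.'(default)' }
        }
        $results += New-Object PSObject -Property @{
            Path     = $path
            Expected = $expected[$path]
            Actual   = $actual
            Healthy  = ($actual -eq $expected[$path])
        }
    }

    # A per-user override under HKCU\Software\Classes takes precedence over the
    # machine-wide class, so its mere presence for .exe or exefile is reported.
    foreach ($name in @('.exe', 'exefile')) {
        $userPath = "Registry::HKEY_CURRENT_USER\Software\Classes\$name"
        $present  = Test-Path -LiteralPath $userPath
        $actualUser = '<absent>'
        if ($present) { $actualUser = '<present>' }
        $results += New-Object PSObject -Property @{
            Path     = $userPath
            Expected = '<absent>'
            Actual   = $actualUser
            Healthy  = (-not $present)
        }
    }
    return $results
}

# Usage: list every check, then summarise the result.
$report = Test-ExeAssociation
$report | Format-Table -AutoSize Healthy, Path, Expected, Actual
if ($report | Where-Object { -not $_.Healthy }) {
    Write-Warning '.exe association differs from the Windows default; apply the EXE file association fix and re-run this check.'
} else {
    Write-Host '.exe association is at the Windows default.'
}
```

Running this on the affected account before the fix shows which of the four checks is off; running it again after the reboot should report every row as Healthy. It only reads the registry, so it is safe to run on an account where programs will not start, provided PowerShell itself still launches (it is also useful from Safe Mode, as suggested above).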
  10. lisalisa

    lisalisa Private E-2

    The problem is now fixed with the EXE file association fix you suggested. Thanks. Here are my logs from the scans
     

    Attached Files:

  11. lisalisa

    lisalisa Private E-2

    here is the last log.
     

    Attached Files:

  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Sorry for the delay in a response. Let's continue on shall we? :)

    1. Important Notice: A new version of SUPERAntiSpyware is available.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this log later.

    2. Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.

    3. Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    c:\windows\isRS-000.tmp
    C:\Documents and Settings\Mike Colasurdo\Local Settings\Application Data\2509137411
    C:\Documents and Settings\Mike Colasurdo\Local Settings\Application Data\3469191438
    C:\Documents and Settings\Mike Colasurdo\Local Settings\Application Data\50vGiJ1FW7x2
    C:\Documents and Settings\Mike Colasurdo\Templates\2509137411
    C:\Documents and Settings\Mike Colasurdo\Templates\3469191438
    C:\Documents and Settings\Mike Colasurdo\Templates\50vGiJ1FW7x2
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    4. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this. Also attach the new log from SUPERantispyware.
     
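Both ComboFix scripts in this thread use the same CFScript layout: a directive line such as `KILLALL::`, `Driver::`, `DirLook::` or `File::`, followed by one entry per line until the next directive. Under `File::` each line names a file to remove, under `Driver::` a driver service to remove, and `DirLook::` only lists a folder's contents in the log. As an added example that is not part of this thread or of ComboFix, here is a PowerShell script that parses a CFScript.txt and reports, after ComboFix has run, whether each `File::` path and `Driver::` service is actually gone, so the "did it delete quietly" question can be answered from a listing rather than by hand. It assumes Windows with PowerShell 2.0 or later and checks driver removal by looking for the service's key under `HKLM\SYSTEM\CurrentControlSet\Services` (a standard Windows location, not one named in the thread); the sample script it embeds is copied from the earlier ComboFix post above.

```powershell
# Added example, not from the thread or from ComboFix. Parse a CFScript.txt and
# check whether each File:: path and Driver:: service it names is gone.
# Read-only. Assumes Windows, PowerShell 2.0+.

function Get-CFScriptEntries {
    param([string[]]$Lines)
    # Returns objects with Section and Entry. A line of the form 'Name::' starts
    # a new section; every following non-blank line belongs to that section.
    $section = $null
    $entries = @()
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '') { continue }
        if ($line -match '^([A-Za-z]+)::$') { $section = $matches[1]; continue }
        if ($section -eq $null) { continue }   # stray text before any directive
        $entries += New-Object PSObject -Property @{ Section = $section; Entry = $line }
    }
    return $entries
}

function Test-CFScriptCleanup {
    param([string[]]$Lines)
    $report = @()
    foreach ($e in (Get-CFScriptEntries -Lines $Lines)) {
        switch ($e.Section) {
            'File' {
                $gone = -not (Test-Path -LiteralPath $e.Entry)
                $report += New-Object PSObject -Property @{ Section = 'File'; Target = $e.Entry; Removed = $gone }
            }
            'Driver' {
                # A driver service that was removed no longer has a Services key.
                $svc = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\$($e.Entry)"
                $gone = -not (Test-Path -LiteralPath $svc)
                $report += New-Object PSObject -Property @{ Section = 'Driver'; Target = $e.Entry; Removed = $gone }
            }
            default { }   # KILLALL:: has no entries; DirLook:: only lists, nothing to verify
        }
    }
    return $report
}

# Sample input: the CFScript from the earlier post in this thread, embedded so
# the example runs without a file. For a real run use:
#   Get-Content -LiteralPath "$env:USERPROFILE\Desktop\CFscript.txt"
$sample = @'
KILLALL::

Driver::
quryfer
DirLook::
C:\spyware removal
File::
c:\documents and settings\lisa colasurdo\local settings\temp\~df4575.tmp
C:\Documents and Settings\All Users\Application Data\50vGiJ1FW7x2
C:\~QTWTMP.TMP
'@ -split "`r?`n"

$result = Test-CFScriptCleanup -Lines $sample
$result | Format-Table -AutoSize Removed, Section, Target
$left = @($result | Where-Object { -not $_.Removed })
if ($left.Count -gt 0) {
    Write-Warning "$($left.Count) target(s) still present; mention them in your reply along with C:\combofix.txt."
} else {
    Write-Host 'All File:: and Driver:: targets are gone.'
}
```

Run it from the same account ComboFix was run under, after the reboot ComboFix asks for, since a file that is held open or pending deletion can still show as present until then. Anything it reports as still present is exactly what the helper asks to hear about, together with the C:\combofix.txt log.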
  13. lisalisa

    lisalisa Private E-2

    Here are the logs which you requested.

    Does it matter which user name I ran the SAS under? I didn't realize until attaching the logs that I ran this under username Lisa Colasurdo, and the other tasks were done under username Mike Colasurdo. Everything seemed to run fine - I just wasn't sure if that would make a difference in results.
     

    Attached Files:

  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

Run SAS on the Mike account now and attach the log from it, because that's the account we are fixing now. After that, as long as everything seems well still, I shall be giving final steps. :)
     
  15. lisalisa

    lisalisa Private E-2

    here is the last log for SAS run on Mike Colasurdo's account.
     

    Attached Files:

  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    And I trust the PC is behaving itself on all accounts now? Let me know... :)
     
  17. lisalisa

    lisalisa Private E-2

    yes - all is well with all accounts - thank you, thank you, thank you!!! let me know what next steps (if any) are
     
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
• Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
• Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work through the below link:
     
