More Malware Logs

Discussion in 'Malware Help (A Specialist Will Reply)' started by trillium07, Jan 13, 2008.

  1. trillium07

    trillium07 Private E-2

    I ran through the malware 'read and do this first' sticky. This greatly lessened my problems but did not eliminate them.

    I still get random IE windows when on the internet. I'd say about 1 a minute. Most of them are totally blank. Once in a while there will be advertising on the page.

    Here are the logs for combofix, AVG, MGlogs

    I also ran the smitfraud remover.

    Thanks!

    Mike
     

  2. abri

    abri MajorGeek

    Hi trillium!
    Welcome to Major Geeks!


    Your computer is still infected with the newer version of Vundo. Please use it as little as possible and don't boot unnecessarily until we can post some instructions to you.

    Thanks.
    abri
     
  3. trillium07

    trillium07 Private E-2

    abri,

    This is my first post on Major Geeks. I'm not sure how long it usually takes to get instructions on how to remove the virus.

    This wasn't an intentional bump.

    Thanks,

    Mike
     
  4. abri

    abri MajorGeek

    Sorry Trillium!
    You slipped under the radar!

    Working on this now!
    abri
     
  5. abri

    abri MajorGeek

    Hi Trillium!

    There are quite a few steps here. Please read through them carefully and do them one at a time. The order is important. If you have questions, just ask.

    1) Begin by doing the following:

    Rename C:\WINDOWS\system32\D003E2288F.sys to D003E2288F.sys.zzz
    (Use the same name, but tack 3 zzz's on the end.)

    2)
    Next I would like for you to do these steps:
    • Copy the bold text below to notepad. Save it as Log.txt to your desktop.
    • Now using your mouse, drag Log.txt onto RenV.exe
    • When finished, RenV.exe will produce a new log. Attach the new Log.txt to your next reply.
    3) Now run ComboFix


    4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\RunOnce: [SpybotDeletingA7875] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC9158] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
    O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe
    O4 - HKCU\..\RunOnce: [SpybotDeletingB7174] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD181] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
    O20 - Winlogon Notify: yabcywx - yabcywx.dll (file missing)

    After you click fix, just close hijackthis.


    5) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    6) Download and install Erunt. Use it to create a backup of your registry.

    7) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.


    8) Go to add/remove programs and uninstall the below:

    - Java 2 Runtime Environment, SE v1.4.2_03


    9) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    10) Install the current version of Sun Java from: Sun Java Runtime Environment

    11) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    12) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Attach the below new logs:
    • Avenger.txt
    • Log.txt
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Let me know how things are running now.

    abri
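To make concrete what the HijackThis "fix" in step 4 and the registry merge in step 7 actually do, here is an added Python example. It is not code from the thread, and it is not the fixME.reg or Avenger script abri posted (neither is reproduced on this page). It parses the O4/O20 lines quoted in the post, flags the RunOnce "del" stubs and the orphaned Winlogon Notify entry by rule, treats the "kernel" Run entry as the analyst's call (abri chose to fix it; a parser cannot decide that from the line alone), and renders a Regedit 5.00 .reg file that deletes the same values and key HijackThis would. The sample input is the post's own lines plus one constructed benign SoundMAX entry to show what is left alone; the key paths assumed are the standard Run/RunOnce and Winlogon\Notify locations on Windows XP.

```python
import re
from collections import OrderedDict

# Sample input: the HijackThis lines abri told the poster to fix, copied from the post
# above, plus one constructed benign Run entry (SoundMAX) that should be left alone.
SAMPLE_HJT_LINES = r"""
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\SMax4.exe /tray
O4 - HKLM\..\RunOnce: [SpybotDeletingA7875] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9158] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB7174] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD181] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O20 - Winlogon Notify: yabcywx - yabcywx.dll (file missing)
"""

# "kernel" is flagged because the analyst (abri) chose to fix it in the post; this is
# an analyst decision supplied as input, not something the rules below infer.
ANALYST_FLAGGED = frozenset({"kernel"})

# Assumed standard XP locations behind the HijackThis shorthand.
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_BASE = r"Software\Microsoft\Windows\CurrentVersion"
NOTIFY_BASE = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce|RunServices|RunServicesOnce): \[([^\]]*)\] (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*?)( \(file missing\))?$")
DEL_STUB_RE = re.compile(r"^(cmd|command)(\.exe)? /c del ", re.IGNORECASE)


def parse_hjt_line(line):
    """Parse one O4 or O20 HijackThis line into a dict; return None for other lines."""
    m = O4_RE.match(line)
    if m:
        hive, key, name, command = m.groups()
        return {"type": "O4", "hive": hive, "key": key, "name": name, "command": command}
    m = O20_RE.match(line)
    if m:
        name, dll, missing = m.groups()
        return {"type": "O20", "name": name, "dll": dll, "missing": missing is not None}
    return None


def reason_to_fix(entry, analyst_flagged=ANALYST_FLAGGED):
    """Return why this entry should be removed, or None if it is left alone."""
    if entry["type"] == "O20":
        return "Winlogon Notify handler whose DLL no longer exists on disk" if entry["missing"] else None
    if DEL_STUB_RE.match(entry["command"]):
        return "leftover 'del' stub from a cleaner (Spybot) that never completed; dead weight"
    if entry["name"] in analyst_flagged:
        return "flagged by the analyst as part of the infection"
    return None


def reg_location(entry):
    """Map an entry to (full registry key, value name); value name is None for a whole key."""
    if entry["type"] == "O4":
        return "%s\\%s\\%s" % (HIVES[entry["hive"]], RUN_BASE, entry["key"]), entry["name"]
    # A Winlogon Notify package is a subkey of its own, so the subkey itself is deleted.
    return "HKEY_LOCAL_MACHINE\\%s\\%s" % (NOTIFY_BASE, entry["name"]), None


def build_fix_reg(entries):
    """Render a Regedit 5.00 .reg file that removes the given entries."""
    values_by_key = OrderedDict()
    keys_to_delete = []
    for e in entries:
        key, value = reg_location(e)
        if value is None:
            keys_to_delete.append(key)
        else:
            values_by_key.setdefault(key, []).append(value)
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, names in values_by_key.items():
        out.append("[%s]" % key)
        out.extend('"%s"=-' % n for n in names)  # "name"=- deletes a single value
        out.append("")
    for key in keys_to_delete:
        out.append("[-%s]" % key)                 # [-key] deletes the whole key
        out.append("")
    return "\r\n".join(out) + "\r\n"  # Regedit expects CRLF and a trailing blank line


def scan(hjt_text, analyst_flagged=ANALYST_FLAGGED):
    """Return (findings, reg_text); findings are (entry, reason) pairs for entries to fix."""
    findings = []
    for line in hjt_text.splitlines():
        entry = parse_hjt_line(line.strip())
        if entry is None:
            continue
        reason = reason_to_fix(entry, analyst_flagged)
        if reason:
            findings.append((entry, reason))
    return findings, build_fix_reg([e for e, _ in findings])


if __name__ == "__main__":
    found, reg = scan(SAMPLE_HJT_LINES)
    for entry, why in found:
        print("FIX %s [%s]: %s" % (entry["type"], entry["name"], why))
    print()
    print(reg)
```

Run it and read the printed .reg before merging anything. The two rule-based flags (cleaner "del" stubs and a Notify DLL marked "file missing") are safe to act on from the log alone; a Run value with an unfamiliar name such as "kernel" is not, and should be checked against the file on disk, as abri did, rather than deleted on its name. Deleting the Run value only stops the program starting; the executable itself still has to be dealt with, which is what the rename, Avenger and ComboFix steps in the post are for.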
     
  6. trillium07

    trillium07 Private E-2

    I went through and did all this and I ended up with 15 trojans, viruses, malware when I was done (up from 1). I'm wiping the hard drive and starting over. Thanks for your help.
     
  7. abri

    abri MajorGeek

    Sorry you had to reformat! I hope this solved everything. Please take a few minutes to read the How to Protect Yourself from Malware
    There are some good tips in there and it's especially useful to get Spyware Blaster on your system as it prevents some problems from getting started. Also, the immunize feature of Spybot S&D helps.
    Good luck to you!
    abri
     
