Multiple Malware

I would try using a thumb/jump drive and first try to run ComboFix.

Can you see the files on the cd using windows explorer?

 

You need to try to stop those processes from running....either with task manager or by manually finding them in the C:\Windows\system32 folder.

 

See if you can open a command prompt window by clicking Start, Run, and enter cmd and click OK. If the window opens type each of the below commands in. Follow each by the enter key.

sc stop afinder
sc stop tdxdowkc
sc stop macidwe
sc stop nobicyt
sc stop perfmons
sc stop routing
sc stop sobicyt
sc stop wserving
sc delete afinder
sc delete tdxdowkc
sc delete macidwe
sc delete nobicyt
sc delete perfmons
sc delete routing
sc delete sobicyt
sc delete wserving

If the above works, see if you can get any of the other tools to run now.

 

Yes I assumed that they all may not be but they all are related and often arrive together. Thus I was just covering all the bases.

 

Glad you got that figured out and working.....now let's see what is left.

Please disable all anti-virus and anti-spyware programs while we do the following:

* Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
* On the page that opens, scroll down to Workstation NetLogon Service
* then right click the entry, select Properties and press Stop Service.
* When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
* Click OK until you get back to Windows.

* Next, run C:\MGtools\analyse.exe, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
* At the lower right, click on the Config button
* Then click the Misc tools button
* Select Delete an NT Service
* Copy/paste Workstation NetLogon Service into the box that opens, and press OK
* If you receive any error messages just ignore them and continue.
* Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

Run C:\MGtools\analyse.exe by double clicking on it(Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix, exit HJT.

Now download The Avenger by Swandog469, and save it to your Desktop.
* Extract avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.

* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.

If you use Firefox browser

* Click Firefox at the top and choose: Select All
* Click the Empty Selected button.
o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

* Click Opera at the top and choose: Select All
* Click the Empty Selected button.
o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Be sure to tell us how things are running.

 

My bad....

Please use windows explorer to find this file:
2004-11-24 14:48 389,120 --sh--r C:\WINDOWS\system32\??chost.exe

Be very careful as it may appear as svchost ---> which is a legit file. You must look at the date and the size of the file which should be around 380 kb. Delete it.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now * Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.