Mustafx2.exe and kurva.dat

Worked through the Malware FAQ.

Combofix, Spybot, and AVG Spyware all won’t run. Spybot used to run previously, but doesn’t since infection.

MGtools did, log attached.

Problems started last week when I clicked on a website. AVG Free and Ad-Aware currently identify the problems, but do not fix.

Have created dummy files for mustafx.exe and mustafx2.exe and have set to read-only system files in C:\WINDOWS and C:\WINDOWS\system32 to hopefully prevent access or further problems while I work on removal.

Currently AVG and Ad-Aware are only detecting kurva.dat

Mustafx2.exe and mhxfa.exe both show up in msconfig Startup, btw

Any help would be much appreciated, thanks in advance.

 

Hi Lars!
Welcome to Major Geeks!

The instructions which follow are lengthy but not difficult. The question is more whether you can do them all or not. Please read through them so you understand the logic to the steps and if you have any questions just ask. I will be asking you to disconnect from the internet and doing several steps while you are disconnected.

Let's begin here:

Can you run CCleaner? If so, please run it at the default setting with the Windows tab on top.

Next I would like for you to do the following. If something isn't possible, just continue.


1) Go to How to Protect Yourself from Malware and find the links for Antivirus programs. Download the installation program for Avast, but do not install the program. Remember where the installation program is so you can locate it later on.

2) Next I would like for you to download The Avenger by Swandog46, and save it to your Desktop.
[*]Extract avenger.exe from the Zip file and save it to your desktop. We will run it later.

3) Now, please print out these instructions so you can disconnect from the internet. After you print these out, please shut down your computer and physically disconnect it from the internet. Then reboot and disable all antivirus and antispyware programs before you fix anything.

4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [mustafx2] mustafx2.exe
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\Chris\Application Data\mhxfa.exe
O20 - AppInit_DLLs: kurva.dat

After you click fix, just close hijackthis.

5) Next, please run Avenger (which is on the desktop)

• Run avenger.exe by double-clicking on it. (it should already be extracted)
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

6) Now, please uninstall AVG Antivirus via add/remove programs.

5) Run CCleaner at the default setting.

7) Find the installation program for Avast and allow it to install.

7) Reconnect to the internet and allow Avast to update. Then have Avast perform a system scan and have it fix whatever it finds. If it quarantines the files from the above infections, delete these from the quarantine and run CCleaner again.

4) Install the current version of Sun Java from: Sun Java Runtime Environment

6) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


Let me know how things are running now?

abri

 

Ok, have followed all steps.

Avenger generated a syntax error in one line.

mustafx2 now runs again in a dos box on startup, with a system error message that pops up in another box.

Logs attached.

 

Hi Lars!

Please go to post 2 and rerun Avenger only this time use the contents of this box:

When you finish, please run CCleaner and then attach the Avenger log to the next post.

abri

 

I assume you meant follow steps 1-5 of your original post, so that's what I did.

These two still show up in MGtools\analyse.exe

O4 - HKLM\..\Run: [mustafx2] mustafx2.exe
O20 - AppInit_DLLs: kurva.dat

Told it to fix.

Ran Avenger, log attached.

Doesn't look like it worked. mustafx2 still there on reboot.

 

Hi Lars,
Oh, my numbers are very bad. I only meant for you to go back to post number 2 and rerun Avenger. The other steps I think you already did.

Let's try the following now.

1) Download and install Erunt. Use it to create a backup of your registry.

2) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry. Tell me if you get a success message or not.

3) Now, please download RegSrch.zip

Unzip the archive to your desktop and double click on the VBS file.
(If your AntiVirus alerts, allow the script to run.

Now enter kurva.dat
Save the results to a file called rskurva.txt

Repeat the above search for mustafx2 and mustafx and give the results the names rsmustafx2.txt and rsmustfx.txt respectively.

Attach the results with your next post.

abri

 

fixME.reg merged ok

AVG picked up a couple of new ones this morning. Deleted them from the virus vault. Looks like some are coming in through the XP system restore points, so I turned that off for now.

Here's the latest from RegSrch.

 

Hi Lars,
Please run the GetLogs.bat which is in the MGTools Folder under C. Double click on it to run it and when it's finished it will tell you to close it by hitting any key. Then look for the logs directly under C. MGlogs.zip
Attach them here.
Thanks.
abri

 

Here you go.

 

Well, I think you got it. System seems to boot normally.

Logs attached for your review. Please advise if you think this system is now secure.

And thank you very much!

 

This line was not found by Mgtools.

O4 - HKLM\..\Run: [mustafx2] mustafx2.exe


Ran your script, logs attached.

 

Done, done, and done.

Thank you very much Sir!