Need help, logs attached.

pseudonym6 · Apr 25, 2009

hi, I think i was infected with some sort of virus about a week ago. I don't remember what website I was looking at, but my avast protection popped up and said a trojan virus was found. I took the necessary actions and soon after the problem began. Now whenever I use the internet, half the time pages won't load and when they do I have to click on the link twice. Also, I now have pop-ups which I never had before, and my internet is extremely slow. I will attach the results from the four tests I was supposed to run under the Malware removal instructions. Thanks in advance for any help.

TimW · Apr 28, 2009

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
Code:
KILLALL::

File::
c:\users\All Users\holusifo
c:\programdata\holusifo
c:\users\All Users\kibalebe
c:\programdata\kibalebe
c:\users\All Users\vurosuju
c:\users\All Users\mifahowi
c:\users\All Users\lowakoda
c:\programdata\vurosuju
c:\programdata\mifahowi
c:\programdata\lowakoda
c:\users\All Users\bumujuna
c:\programdata\bumujuna
c:\users\All Users\vijufezi
c:\users\All Users\kimefeya
c:\users\All Users\gakevozu
c:\programdata\vijufezi
c:\programdata\kimefeya
c:\programdata\gakevozu
c:\users\All Users\kafidevo
c:\programdata\kafidevo
c:\users\All Users\limowuyu
c:\programdata\limowuyu
c:\users\All Users\jonanimo
c:\programdata\jonanimo
c:\users\All Users\bozagudu
c:\programdata\bozagudu
c:\users\All Users\luveseja
c:\programdata\luveseja
c:\users\All Users\rofefuzi
c:\programdata\rofefuzi
c:\users\All Users\kudavori
c:\programdata\kudavori
c:\users\All Users\jodilose
c:\programdata\jodilose
c:\users\All Users\yibavisu
c:\programdata\yibavisu
c:\users\All Users\hetuyevo
c:\programdata\hetuyevo
c:\users\All Users\zayitigi
c:\programdata\zayitigi
c:\users\All Users\zurufalo
c:\programdata\zurufalo
c:\users\All Users\firupifo
c:\programdata\firupifo
c:\users\All Users\wifekeba
c:\users\All Users\huwiyuke
c:\users\All Users\gazizisa
c:\programdata\wifekeba
c:\programdata\huwiyuke
c:\programdata\gazizisa
c:\users\All Users\roredopu
c:\programdata\roredopu
c:\users\All Users\ninukoso
c:\programdata\ninukoso
c:\users\All Users\zelosubo
c:\programdata\zelosubo
c:\users\All Users\toronitu
c:\programdata\toronitu
c:\users\All Users\jarugimo
c:\programdata\jarugimo
c:\users\All Users\tosofove
c:\programdata\tosofove
c:\users\All Users\hojubisu
c:\programdata\hojubisu
c:\users\All Users\diheweru
c:\programdata\diheweru

RegLockDel::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\[u]0[/u]000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\[u]0[/u]001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\[u]0[/u]002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the prvevious file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat[/b] file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip

Make sure you tell me how things are working now!

pseudonym6 · Apr 29, 2009

Yesterday, my internet just seemed to magically work great again(before I ran the combofix and mgtools). Today I ran the things you suggested and I will attach the logs you asked for. Thanks again for the help.

TimW · Apr 29, 2009

Please stay off the internet ( physically unplug ) until I get you a new fix.

Log in or Sign up

Need help, logs attached.

pseudonym6 Private E-2

Attached Files:

combofixlog.txt

mbam-log-2009-04-25 (12-19-06).txt

SASlog.txt

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

pseudonym6 Private E-2

Attached Files:

ComboFix.txt

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member