need help removing malware!

Discussion in 'Malware Help (A Specialist Will Reply)' started by cold_blur_20, May 14, 2008.

  1. cold_blur_20

    cold_blur_20 Private E-2

    Google, Facebook, Hotmail, etc. weren't loading. I got the start page for all of them, but after I logged in or looked something up, it stayed stuck. Besides, I didn't get the task bar because it said it's been disabled by an administrator.

    I solved the problem with Spybot... also I deleted syggjtae.dll, which was causing the problems with Google, Facebook, etc., but now when Windows opens it appears that syggjtae.dll is not found. How can I stop that window from appearing?

    And I don't know if it's got something to do with this, but also since then it appears that "new hardware was found" but it's "unknown" and it never gets installed. What should I do?

    Apparently I fix the problems with Spybot, but when I turn the computer on again, somehow they're back and I have to run Spybot again. The taskbar problem is fixed, but then when I reboot it still persists until I run Spybot again.

    These are the problems Spybot detects:

    Microsoft.Windows.Security.InternetExplorer: [SBI $A3433CBF] Configuración (Cambio en el registro, fixed)
    HKEY_USERS\S-1-5-21-725345543-117609710-2146778517-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe

    Microsoft.WindowsSecurityCenter.TaskManager: [SBI $FD4267D3] Configuración (Cambio en el registro, fixed)
    HKEY_USERS\S-1-5-21-725345543-117609710-2146778517-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

    Microsoft.WindowsSecurityCenter.RegistryTools: [SBI $D60CD1E3] Configuración (Cambio en el registro, fixed)
    HKEY_USERS\S-1-5-21-725345543-117609710-2146778517-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools

    help please!
     
  2. abri

    abri MajorGeek

    Hi cold_blur_20
    Welcome to Major Geeks!


    You need to go through the instructions in the READ & RUN ME FIRST and attach the requested logs. It sounds like you have malware problems.

    abri
     
  3. cold_blur_20

    cold_blur_20 Private E-2

    Okay, so I went through all the instructions in the READ & RUN ME FIRST, and one of the problems disappeared, but when Windows starts it still detects unknown hardware.
    Here are all the logs I got:
     

    Attached Files:

  4. abri

    abri MajorGeek

    Hi cold_blur_20,

    Did you run Combofix? If so, please attach the log. You can find it directly under C. I have a set of instructions for you, but would like to see the combofix.txt or cf.txt log first in case anything needs to be added.

    abri
     
    Last edited: May 16, 2008
  5. cold_blur_20

    cold_blur_20 Private E-2

    yeah, here it is.
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi cold_blur_20.

    1) Do you know anything about the following two files which were put on your computer yesterday? Could they be the result of an online transaction of some sort? You can right click on them and look for more information in Properties, but do not open them.

    In this directory - C:\WINDOWS\Tasks\ - the following two files:

    1-clic~1.job 15 May 2008 512 "1-Click Maintenance.job"
    sa.dat 15 May 2008 6 "SA.DAT"

    2) Please delete this file:

    C:\WINDOWS\BMbf693712.txt

    3) Please disable your guest account if this hasn't already been done.

    4) The following program is an old version. Go to add/remove programs and uninstall it. I will give you a link to the download for the most recent version farther down after we remove malware.

    - Java DB 10.3.1.4

    5) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    6) Run C:\MGtools\analyse.exe by double clicking on it. (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {019F425A-6B6A-4338-90AB-48955DF58CE1} - (no file)
    O2 - BHO: (no name) - {B3CE4235-09FB-4912-8174-601C5512327B} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
    O20 - Winlogon Notify: iifFxYSL - iifFxYSL.dll (file missing)
    O20 - Winlogon Notify: ssqPhfGW - ssqPhfGW.dll (file missing)
    O20 - Winlogon Notify: tuvwtsTJ - tuvwtsTJ.dll (file missing)

    Do you need for the following to load at startup? If not, please fix them as well.

    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Archivos de programa\Archivos comunes\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Archivos de programa\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [iTunesHelper] C:\Archivos de programa\iTunes\iTunesHelper.exe

    After you click fix, just close hijackthis.

    7) Download and install Erunt. Use it to create a backup of your registry.

    8) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the save as file type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    Do the following belong to programs you know or want to keep? If not, please fix them as well.

    After you click fix, just close hijackthis.

    9) Now go to Java Developer Downloads and download the most recent version of Java DB.

    10) And now I would like for you to run CCleaner at the default setting with the Windows tab as the top one.

    11) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.

    Let me know how things are running now?

    abri
     
  7. cold_blur_20

    cold_blur_20 Private E-2

    OK, I will do as you say and let you know how things go... Sorry I took so long to answer back, I was away for the weekend.
     
  8. cold_blur_20

    cold_blur_20 Private E-2

    Alright then... about the two files in the task folder you asked about, the first one is from TuneUp Utilities 2008; the second one I couldn't tell, because when I checked the folder, none of them was there.

    I did everything and I still get the "new hardware detected" problem at Windows startup. I'm attaching the logs you requested, though I'm not quite sure where to look for the Avenger log, because you said nothing about it until instruction 11) and I don't remember running any program with that name or anything like it. I think you might have skipped a step between 8 and 9 after the regedit quote:

    Thanks for your help so far. I hope we can fix this for good.
     

    Attached Files:

  9. abri

    abri MajorGeek

    Hi cold_blur_20,

    Please do the following:

    1) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the file type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    2) Run CCleaner, run GetLogs.bat and attach a fresh set of MGlogs.zip

    Thanks.
    abri
     
  10. cold_blur_20

    cold_blur_20 Private E-2

    here goes
     

    Attached Files:

  11. abri

    abri MajorGeek

    Hi cold_blur_20,

    Sorry, just sloppy. I use some copy/paste instructions that are repeated a lot and forgot to remove the request for the Avenger log. You're right, there was no Avenger log.

    1) The following registry changes which were created by Combofix when you first made it didn't get fixed in your REGEDIT4 patch in Post 6, Step 8. I'm curious about this. Did you by any chance run Combofix in between that fix and the present MGlogs you showed me today? Everything else in the registry patch is gone from your logs.

    Please try that again:

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the save as file type is set to "all files" Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.

    Let me know if you got a success message with this?

    2) Then I would like for you to disable your Invitado account if this has not been done already.

    3) After that, please go to add/remove programs and uninstall Messenger Plus! Live

    4) After you've completed the above, I would like to know a little bit more about the message you're getting at startup. When did it start? Did it start in relation to any new downloads or installation of new hardware?

    Please do the following: After you click cancel on the new hardware found wizard go to Start and right-click on My Computer. Left-click on Properties (the bottom one). Select the hardware tab. Click on device manager. See if there are any yellow warning signs next to any of the items in the list. Let me know if you find anything here.

    abri
     
  12. cold_blur_20

    cold_blur_20 Private E-2

    hi again.

    I didn't run ComboFix apart from the first time, so I don't know what could've happened, but I did the fixMe.reg thing once again and like all the other times it said it was successfully merged with the registry.

    About the hardware wizard, I started getting that after I deleted a .dll file which was causing problems with Facebook, Google, Hotmail, etc.

    I checked the device manager and indeed there's a yellow sign next to an item. I right-clicked on it and checked the properties; in the General tab, everything's unknown, same as in the Drivers tab where everything is either unknown, unavailable or "digitally unsigned". In the Details tab, it appears something like "driver's instance id." and below there's a box which says:
    ROOT\LEGACY_MSISERVER\0000

    I'm not quite sure whether the terms in between the quotation marks are the correct ones, because my Windows is in Spanish; I just translated them as precisely as I could.
     
  13. abri

    abri MajorGeek

    Hi cold_blur_20,

    On the basis of what we've done so far, I don't see any further malware. It may be necessary to do further scans. To begin with however, I will have you fix the three registry keys you mentioned manually, and see if they stay fixed or if they just get changed back. Please do the following:

    Download and install Erunt. Use it to create a backup of your registry.


    Next go to the registry editor (go to Start / Run type in regedit and click on ok) and look for:

    HKEY_USERS\S-1-5-21-725345543-117609710-2146778517-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe

    See if there is a d-word for this entry. If so, set it to 1. If there's not a d-word, you need to create one. To do this, highlight iexplore.exe of the above registry entry. Then go to the top of the window and click on edit. In the dropdown menu, there should be something like New. Click on that and another small menu should appear. Look for dword value. Click on that. After you've created it, go back to the iexplore.exe and see if you now have reg-dword next to iexplore.exe. If so, is the dword set to 1? If it's not set to 1, then right-click on iexplore.exe and select change (edit?) and click on that. In the dword box, set the value to 1.


    Next go to the following key and see if DisableTaskMgr is one of the entries of System. If so, make sure the dword value is set to 0

    HKEY_USERS\S-1-5-21-725345543-117609710-2146778517-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

    The next one also needs to be set to 0

    HKEY_USERS\S-1-5-21-725345543-117609710-2146778517-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools


    After you finish the above, just close the registry editor.

    Then I would like for you to go to the device manager again (click on start, right-click on my computer, click on properties, select the hardware tab and click on device manager)

    In the window that opens up, go to the device which is marked with the yellow sign and see if it offers you the possibility to stop it and disable it? If so, do this.

    Then shut down your computer completely and allow it to sit for a minute before rebooting. Tell me if you still get the same messages? Can you still get into Facebook, etc.? How is your computer doing in general?

    abri
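    The three values abri has the user fix by hand above are the same three Spybot kept flagging in post 1; re-checking them after each reboot is how you tell a one-off change from something that keeps re-applying it. The following PowerShell audit script is an added example, not part of the thread or of any tool it mentions: it reads the current user's hive (HKCU:, which corresponds to the HKEY_USERS\S-1-5-21-...-1003 path in the logs), reports each value as OK or tampered, and only writes the expected values back when run with the assumed -Fix switch.

```powershell
# Added example (not from the thread): audit the three per-user policy values
# that Spybot kept flagging, and optionally restore them.
# Run as the affected user. Re-run after a reboot: a value that flips back
# is the sign of something still active that re-applies the policy.
param([switch]$Fix)   # -Fix is this script's own switch, assumed here

$policy   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$lockdown = 'HKCU:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN'

# Expected values follow post 13: lockdown for iexplore.exe on (1),
# Task Manager and Registry Tools not disabled (0, or simply absent).
$checks = @(
    @{ Key = $lockdown; Name = 'iexplore.exe';         Expected = 1 },
    @{ Key = $policy;   Name = 'DisableTaskMgr';       Expected = 0 },
    @{ Key = $policy;   Name = 'DisableRegistryTools'; Expected = 0 }
)

function Get-PolicyValue([string]$Key, [string]$Name) {
    # Returns the DWORD as an int, or $null when the key or value is missing.
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

foreach ($c in $checks) {
    $current = Get-PolicyValue $c.Key $c.Name
    # An absent value only counts as OK when the expected value is 0.
    $ok    = if ($null -eq $current) { $c.Expected -eq 0 } else { $current -eq $c.Expected }
    $state = if ($ok) { 'OK      ' } else { 'TAMPERED' }
    $shown = if ($null -eq $current) { '(absent)' } else { $current }
    Write-Output ("{0} {1}\{2} = {3}" -f $state, $c.Key, $c.Name, $shown)

    if (-not $ok -and $Fix) {
        # Back up the registry first (the thread uses ERUNT for this).
        if (-not (Test-Path $c.Key)) { New-Item -Path $c.Key -Force | Out-Null }
        Set-ItemProperty -Path $c.Key -Name $c.Name -Value $c.Expected -Type DWord
        Write-Output ("         restored {0} to {1}" -f $c.Name, $c.Expected)
    }
}
```

    Running it once before and once after a reboot, without -Fix, gives the "did they stay fixed or get changed back" answer abri asks for in post 13.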
     
  14. cold_blur_20

    cold_blur_20 Private E-2

    Alright, everything seems to be working fine now.
    Thanks a lot for your time and dedication, abri.
     
  15. abri

    abri MajorGeek

    You're welcome cold_blur_20,

    Were you able to fix those three keys and did the problem with the error message about new hardware get resolved? (helps people reading your thread to know if something worked or not)

    Before you leave us altogether, I want to give you the final cleanup instructions which will have you take all the tools and logs off your computer that we had you put on. You don't need the clutter and the tools are updated periodically, so you only need to come back and get new ones in the READ & RUN ME whenever you need them.

    If everything is functioning the way it should be, please carry out the following instructions.

    • Uninstall SuperAntiSpyware
    • If you installed Combofix to the desktop and renamed it cf.exe, it can be removed by going to Start/Run and copy-pasting in "%userprofile%\Desktop\cf" /u
    • Check for the following and if found, remove them as well by deleting them: ComboFix.exe (if it wasn't renamed), C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
    • If we had you run Avenger, you can delete all files related to Avenger now.
    • If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    • Go to add/remove programs and uninstall HijackThis.
    • Then go into Windows Explorer and find MGTools directly under C:\ (or the root drive where your operating system is installed).
    • Open the MGTools folder and delete the contents.
    • Then delete the folder itself.
    • Look for any leftover logs on your desktop and if found delete them
    • Run CCleaner
    • After you've completed the above, please follow the instructions at this link for setting a clean restore point. Disable and Enable System Restore!
    • Once you've done this, please take a look at the link that follows. It's a good read and has some good information to help you prevent further malware invasions.

      How to Protect Yourself from Malware

    Let us know how things went!
    abri
     
  16. cold_blur_20

    cold_blur_20 Private E-2

    I was able to change the registry keys without problem, and regarding the hardware problem, I disabled and uninstalled it in the device manager.
    Again, thanks for your help.

    bye abri.
     
  17. abri

    abri MajorGeek

    You're welcome!
    All the best to you!
    abri
     
