Need help with some malware

james250 · Jun 11, 2013

I have a friends PC that I feel has some serious malware problems. When I got the PC it had the blue screen of death at start up stop 0x0000008e. I had to work in safe mode and down load to a flash drive on my pc to get things to halfway work. It starts and runs in normal mode with internet access but i can't access this site or Microsoft for updates.
I downloaded rogue killer, hitman Tsskiller to a flash drive but I cant get them to work. Malwarebytes and mgtools did work. I uploaded two mabam logs cause I forgot to check unhide files.
Thanks
Bax

chaslang · Jun 13, 2013

I know you said there is a problem with Windows Update but this PC has not been updated in MANY years. It is still running Windows XP SP1. Why wasn't it ever updated?

Note: It also does not have enough memory to properly run Windows XP anyway. The logs show
Code:
Time Zone	Eastern Standard Time	
Total Physical Memory	512.00 MB	
Available Physical Memory	295.41 MB
It need another 1.5 GB.

I'm not too sure all the problems are due to malware, but let's cleanup what I see and go from there.

Uninstall the below software:
Viewpoint Media Player (Remove Only)

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {AA55747E-8B36-4155-B4BF-6BCE253CF530} - (no file)
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-AA8E-8E1CA787AD2D} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - (no file)

After clicking Fix, exit HJT.

Now Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Please download OTM by Old Timer and save it to your Desktop.

Right-click OTM.exe and select Run as administrator to run it.

Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
(or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
the code box
Code:
:Processes
explorer.exe

 
:Files
C:\PROGRA~1\Toolbar
C:\windows\system32\ynzyro.dll
C:\WINDOWS\Tasks\WebReg 20040312164716.job
C:\WINDOWS\Temp\*.*
C:\Documents and Settings\ME\Local Settings\Temp\*.*

:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msci]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Cleanup]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=-

[HKEY_USERS\S-1-5-21-3095973372-2566870310-846188212-1006\Software\Microsoft\Windows\CurrentVersion\run]
"MSMSGS"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealTray]
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]
Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
) and choose Paste.

Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt!.png button.

If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.

Close OTM.

Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
this log file to your next message.

Now please download Junkware Removal Tool to your desktop.

Shut down your protection software now to avoid potential conflicts.

Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.

The tool will open and start scanning your system.

Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.

Please be patient as this can take a while to complete depending on your system's specifications.

On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

Attach JRT.txt to your next message.

Try to do the below in Normal Boot Mode if possible.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

the C:\_OTM\MovedFiles log

the JRT.TXTlog

C:\MGlogs.zip

Make sure you tell me how things are working now!

Log in or Sign up

Need help with some malware

james250 Private E-2

Attached Files:

mbam-log-2002-10-25 (12-19-47).txt

mbam-log-2002-10-25 (12-35-25).txt

MGlogs.zip

chaslang MajorGeeks Admin - Master Malware Expert Staff Member