Not sure what's going on

You never followed the final instructions you were given last time you were here. As a result you are a year out of date with your version of MGtools. You need to download and run the current version and attach a new log before we can continue.

Also an important note!! Your Windows operating system files have been infected and may not be repairable. Do you have your Windows XP SP2 boot CD? Also it is advised that you backup important personal data immediately as it is possible that further cleaning could render your PC unbootable and even without cleaning, this could happen soon if the infection keeps spreading.

Is your copy of Spyware Doctor a paid version that actually fixes problems?

 

Your PC is badly infected, yet you continue to install software which we specifically stated you must not do in the instructions. Everything you install is making our job harder and it is also subject to being infected as you install it. You should only be doing what we ask you to do and nothing else. You just installed Messenger Plus and this is a program that we specifically indicate you really should uninstall (see step 1 of the READ & RUN ME).

We are going to have to work this in a few stages since your operating system files are infected. First I have to try and create uninfected backups that we can use before we try to fix these files. I hope you took my previous message seriously and started backing up your important data. DO NOT backup executable type files. This includes anything you have downloaded that is an executable installed program or ZIP files containing executable...etc. They may all be infected.

First I strongly advise you to cleanup your Desktop. Remove eveything but links to run programs. Do not download and save programs here and defintely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here like you are doing.

Copy the bold text below to notepad. Save it as Wfix.bat to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it to run it. You should see a brief black command prompt window open and then close.

This is the first step in creating useable copies to replace your infected files.


Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Uninstall the below software:
Ad-Aware SE Personal <-- very old and very ineffective
Java(TM) 6 Update 10
Spybot - Search & Destroy 1.4 <-- very old
Viewpoint Manager (Remove Only) <-- should have been uninstalled in step 1 of the READ ME
Viewpoint Media Player <-- should have been uninstalled in step 1 of the READ ME

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [27446] C:\WINDOWS\system32\4.tmp.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [Ckololu] rundll32.exe "C:\WINDOWS\uyasamav.dll",e
O4 - HKCU\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\guest3\reader_s.exe
O4 - HKLM\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\WINDOWS\system32\config\systemprofile\reader_s.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [services] C:\WINDOWS\services.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\WINDOWS\system32\config\systemprofile\reader_s.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'Default user')
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

After clicking Fix, exit HJT.


Now we need to use ComboFix to remove a bunch of malware files.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\temp
C:\Documents and Settings\guest3\Local Settings\Temp

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now run Ccleaner to clean out only temp files and nothing else!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!