Not sure..:(

Discussion in 'Malware Help (A Specialist Will Reply)' started by Tr3LoSGr, Mar 25, 2008.

  1. Tr3LoSGr

    Tr3LoSGr Private E-2

    I found some viruses and I tried to remove them following step by step "READ & RUN ME FIRST Before Asking for Support".

    I have an MSN virus but it didn't get deleted... When I talk to someone with my MSN it suddenly closes the window and types "wtf you naked o.o http://mail.xeross.net/18nakedq4bo.jpg.exe". DON'T CLICK THE LINK.

    And I found Virtumonde in my scan with S&D, which I don't know if it's gone... :(

    The last part says to attach the MGlogs.zip in the Malware Removal Forum. So here it is.
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi Tr3LoSGr,
    Welcome to Major Geeks!

    Your computer is still infected. Do you have the other logs which were requested in the READ & RUN ME? Depending on when you downloaded it, they would be either Combofix and SuperAntiSpyware, or MalwareBytes Antimalware and SuperAntispyware. If so, please attach these as I need to see them. If you have all three of them, please attach them all.

    abri
     
  3. abri

    abri MajorGeek

    Hi Tr3LoSGr,

    Please begin by running CCleaner at the default setting with the Windows tab as the one on top. Then I would like for you to do the following:


    1) See if you can find the following files in Windows Explorer and right click on them. Go to Properties and see if there is any information about what these files belong to:

    C:\FileIn.Cns
    C:\FileOut.Cns
    C:\lol


    2) Then if you can find the following folder, tell me if there is anything in it. Do not open any files.

    C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP


    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.imesh.com/sidebar.html?src=ssb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.imesh.com/sidebar.html?src=ssb
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
    R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - (no file)
    O2 - BHO: (no name) - {0818B69F-DC15-41E4-9017-B9F5F89AF6EC} - (no file)
    O2 - BHO: (no name) - {C66AF7F0-2CF6-48cb-9F94-04EC2504B4FC} - (no file)
    O2 - BHO: (no name) - {CEAAE0CF-D843-41C4-9C90-7132CDC7C1EC} - (no file)
    O2 - BHO: (no name) - {D8B51FE9-8D34-496A-9A58-7A21045A46AE} - (no file)
    O2 - BHO: (no name) - {E06BBC93-6660-46A6-9784-D2E07235EBCB} - (no file)
    O3 - Toolbar: (no name) - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "D:\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Microsoft Windows Automatic Updater] xcopy32.exe
    O8 - Extra context menu item: &Search - ?p=ZC
    O20 - Winlogon Notify: hggefgd - hggefgd.dll (file missing)
    O20 - Winlogon Notify: winzlo32 - winzlo32.dll (file missing)

    Do the following belong to programs you know or want to keep? If not, please fix them as well.

    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/stg_drm.ocx
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/armhelper.ocx

    After you click fix, just close hijackthis.

    4) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    5) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
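Most of the HijackThis lines flagged above fall into three patterns: an entry still points at a file that is already gone ("(no file)", "(file missing)"), IE's search settings are redirected to a third-party host, or a Run key launches a bare filename (xcopy32.exe) under a Microsoft-sounding name. The following is an added example, not part of the thread or of HijackThis itself, that applies those three checks to constructed lines copied from the post; the trusted search-host allowlist is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample log, mirroring the HijackThis entries quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.imesh.com/sidebar.html?src=ssb
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - (no file)
O2 - BHO: (no name) - {0818B69F-DC15-41E4-9017-B9F5F89AF6EC} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Windows Automatic Updater] xcopy32.exe
O20 - Winlogon Notify: hggefgd - hggefgd.dll (file missing)
"""

# Hosts a stock IE search setting is expected to point at (assumed allowlist; extend as needed).
TRUSTED_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com", "go.microsoft.com"}

RUN_RE = re.compile(r'^O4 - .*\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
SEARCH_RE = re.compile(r'^R[01] - .*Search[^=]* = (?P<url>\S+)$')


def executable_of(cmd):
    """Return the program part of a Run-key command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]


def triage(log_text):
    """Return (line, reason) pairs for HijackThis entries that deserve a closer look."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        if line.endswith("(no file)") or line.endswith("(file missing)"):
            findings.append((line, "orphaned: registry still references a file that is gone"))
            continue
        m = SEARCH_RE.match(line)
        if m and urlparse(m.group("url")).hostname not in TRUSTED_SEARCH_HOSTS:
            findings.append((line, "search setting redirected to " + urlparse(m.group("url")).hostname))
            continue
        m = RUN_RE.match(line)
        if m and "\\" not in executable_of(m.group("cmd")):
            # No directory means Windows resolves it via PATH at logon; a real full-path entry
            # like the Java updater above is left alone.
            findings.append((line, "autorun by bare filename, no path given"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```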
     
  4. Tr3LoSGr

    Tr3LoSGr Private E-2

    Hi Abri,

    Unfortunately I couldn't find the ComboFix log, but I got the other two...
    I will now start following your response...

    Thnx a Lot!
     

    Attached Files:

  5. Tr3LoSGr

    Tr3LoSGr Private E-2

    1) I found these files, C:\FileIn.Cns and C:\FileOut.Cns, but I didn't find C:\lol. None of these had any information.

    2) I found the C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP folder, and these files are in it: WiseCustCall64.dll, WiseCustomCall.dll, WiseCustomCalla.dll and WiseData.ini.

    3) Done everything else :) and got the logs... For some reason I can't click on attach files... and on other symbols... I will try to post it the other day after today :)
     
  6. abri

    abri MajorGeek

    Hi Tr3LoSGr,

    There are sometimes problems here with attaching things. You can try switching to a different browser or clearing your browser cache. Also, it's important to check the Remember Me button when you log on.

    abri
     
  7. Tr3LoSGr

    Tr3LoSGr Private E-2

    Ok, I got 'em...
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi Tr3LoSGr,

    The Avenger log shows that many of the files we need to remove are gone now; however, the MGTools didn't run properly. I think they sometimes get damaged when we fix malware. I will ask you to reinstall them over the old ones in a moment, but please do the following first:

    I would like for you to rename the following files by adding .zzz to the end:
    C:\FileIn.Cns ----------> FileIn.Cns.zzz
    C:\FileOut.Cns ------> FileOut.Cns.zzz
    C:\lol -----> lol.zzz (If you can't find this one, don't worry about it. I'll check your logs for this one to see if it's still there. )

    After you do the above, please go back to the Windows XP Cleaning Procedure and reinstall the MGTools and run them again according to the instructions. If it tells you there is already one installed and do you want to install over it, say yes. This should correct the problem.

    Attach the new MGLogs.zip to your next post.

    abri
     
  9. Tr3LoSGr

    Tr3LoSGr Private E-2

    Here is the MGlogs.

    BTW I wanna thank you for helping me :)
     

    Attached Files:

  10. Tr3LoSGr

    Tr3LoSGr Private E-2

    Hey... I am 99,9% sure that the MSN virus is gone!

    When i chat now it doesn't come up...

    I am not sure about the Virtumonde though :)
    Anyway thanx for your assistance!
     
  11. abri

    abri MajorGeek

    You're welcome!

    How is your computer working now? If your computer is working better, please go ahead with the final cleanup instructions in the box:
    abri
     
  12. Tr3LoSGr

    Tr3LoSGr Private E-2

    Woooohooo... My PC is ready for take off... It's flying :)

    Thnx a lot... It's much better than it was!

    I have a final question. When my PC starts, SuperAntiSpyware and IObit SmartDefrag run... Should I uninstall 'em or keep 'em like that?
     
  13. abri

    abri MajorGeek

    Hi Tr3LoSGr,
    Thank you.

    If those two programs are not trial versions, I recommend keeping them. Otherwise I would uninstall them. If you decide to keep them and need to change the settings so they can be run manually, that should be possible.

    Good luck with your computer.
    abri
     
