please check logs

dena · Aug 26, 2008

this morning, my computer became infected with something that changed my desktop, blocked certain sites (including major geeks), modified google searches, etc. after running the steps in the read me thread, most of these problems have been cleared but whatever my computer was infected with also made a fake avg icon in my tray that says that it is running scans when it actually isn't. the real avg icon is still there but this fake one won't go away and i can't close it (i'm sorry if i'm not making sense). i've attached my logs... superantispyware gave me the bluescreen twice so i've only attached malwarebyes, combofix, and mgtools. thanks in advance...

TimW · Aug 27, 2008

You need to re-run MalwareBytes and have it fix everything it finds! There is no point in running it without fixing the malware.

Then run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file as well as the MWB's log.

dena · Aug 27, 2008

i think the log i uploaded was saved before my computer was restarted because the log that was automatically saved says that everything was quarantined and deleted. i've attached the right log.

dena · Aug 27, 2008

dena said: ↑

i think the log i uploaded was saved before my computer was restarted because the log that was automatically saved says that everything was quarantined and deleted. i've attached the right log.
Click to expand...

here is the log

TimW · Aug 27, 2008

Sweet.......scans got most all of it. Let's just do this:

Please disable the Guest account in User accounts.

Run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Please use add/remove programs to uninstall:
Java 2 Runtime Environment, SE v1.4.2_03

Open notepad and copy and paste the following text in the quote box into the window:

sc stop hpdj00
sc delete hpdj00
Click to expand...

Save this as fix.bat
Choose to save as all files.
Doubleclick fix.bat and let the program run.
A small black dos window will flash, this is normal.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Kazaa]
[-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-
Click to expand...

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Tell me if you are having any other malware issues.

dena · Aug 27, 2008

awesome! thank you so much! i finished all of the steps and received a success message. it looks like all of the problems that i was having before have been eliminated.

i have another question: i had zonealarm installed up to a few weeks ago. i removed it because it was causing my computer to start up really slowly (took up to 10 minutes sometimes) and hogged a lot of memory. while i had it installed, i never had any problems with malware. do you think i should reinstall it and if so, is there a way that it can run without using up so much of my resources? is there another firewall that you would recommend?

thanks again!

TimW · Aug 27, 2008

Good to hear! I would suggest you check the Top Freeware Picks on the main page and try PCTools firewall....lite and not a hog.

If you are not having any other malware problems, it is time to do our final steps:

# We recommed you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significan amount of resources ( except a little disk space ) until you run a scan.

# If we used Pocket Killbox during your cleanup, do the below

* Run Pocket Killbox and select File, Cleanup, Delete All Backups

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete the C:\combo-fix folder from combofix.

If we had you run Avenger, you can delete all files related to Avenger now.

If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Click to expand...

dena · Aug 29, 2008

i've gone through all of the steps listed but avg ran a scheduled scan this morning and removed combofix. the files that were removed are:

Infections
File;"Infection";"Result"
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000011.dll;"Trojan horse BackDoor.Generic10.DQK";"Moved to Virus Vault"

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000042.old;"Virus found BackDoor.Hupigon";"Moved to Virus Vault"

Spyware
File;"Infection";"Result"

C:\Documents and Settings\Dena\Desktop\ComboFix.exe;"Potentially harmful program HideExec.EV";"Moved to Virus Vault"

C:\Documents and Settings\Dena\Desktop\ComboFix.exe:\327882R2FWJFW\hidec.exe;"Potentially harmful program HideExec.EV";"Moved to Virus Vault"

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000111.exe;"Potentially harmful program HideExec.EV";"Moved to Virus Vault"

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000111.exe:\327882R2FWJFW\hidec.exe;"Potentially harmful program HideExec.EV";"Moved to Virus Vault"

are there any other files that i should delete manually?

thanks so much for all of your help

TimW · Aug 29, 2008

The files in your system restore folder as well as the false positive about ComboFix would all be removed had you done the cleanup steps.

Log in or Sign up

please check logs

dena Private E-2

Attached Files:

MGlogs.zip

mbam-log-08-26-2008 (16-55-25).txt

ComboFix.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

dena Private E-2

dena Private E-2

Attached Files:

mbam-log-08-26-2008 (16-55-51).txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

dena Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

dena Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member