Please check my Active scan, runkey.txt and newfiles.txt files

Discussion in 'Malware Help (A Specialist Will Reply)' started by janet_jjj, Oct 9, 2006.

  1. janet_jjj

    janet_jjj Private E-2

    Hi, My computer has been infected with malware and spyware. I followed the instructions on : http://forums.majorgeeks.com/showthread.php?t=35407 and would really like it if someone can give me some feedback on the attachment logs.
    Please help,
    thank you for checking my post,
     

    Attached Files:

  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi, could you also attach the other two logs that were specified in the guide, i.e. the

    Panda Online Scan and HijackThis logs?



    Cheers :)
     
  3. janet_jjj

    janet_jjj Private E-2

    Here you go. Please let me know if you need anything else.

    Edit by bjgarrick: Inline log attached!
     

    Attached Files:

    Last edited by a moderator: Oct 11, 2006
  4. matt.chugg

    matt.chugg MajorGeek

  5. janet_jjj

    janet_jjj Private E-2

    Here is the HJT log after using VundoFix.
    Please let me know if you need anything else.



    PS. Thanks for editing my last post, bjgarrick.
     

    Attached Files:

  6. matt.chugg

    matt.chugg MajorGeek

    Please post the VundoFix log. It will be located at c:\vundofix.txt
     
  7. janet_jjj

    janet_jjj Private E-2

    Here you go :)
     

    Attached Files:

  8. matt.chugg

    matt.chugg MajorGeek

    OK! That fixed a whole load of problems, but you still have LOADS more. As you can see from the below, you are very infected. Some of these infections will have come from using Limewire to download things like D:\Call_of_Duty_2_V1.0_serial_number.rar

    The below will not fix everything. Once you have gone through the below, I need you to post a whole new set of logs:
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • CounterSpy - ONLY IF you were not able to run Windows Defender
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    • HijackThis

    OK lets start fixing this:

    Using add/remove programs which can be accessed from the control panel, uninstall the following:



    Download

    - Pocket KillBox

    - Process Explorer

    Extract each to their own folder somewhere that you will be able to locate later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)


    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen, click on each instance of vfryugq.dll once and then click the Kill button. After you have killed all of the vfryugq.dll under winlogon, click OK. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of vfryugq.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    zzaooji.dll
    ainkr.dll
    tpwxaugv.dll
    gebyw.dll

    Now just exit Process Explorer.


    Run HijackThis. Click the 'Do a system scan only' button.


    Once the scan has completed click Config

    Click Misc Tools

    Click Open Process Manager

    Terminate the following processes by selecting them from the list and clicking Kill Process

    If you don't see a certain process just move onto the next.

    Click back to return to the scan results.

    Place a checkmark in the box next to the following lines:


    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Paste the below filenames into KILL BOX one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X; it will ask you to confirm the file for deletion, say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot.


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)




    If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.


    REBOOT to Normal Mode and rerun the scans I indicated at the start of this post.
     
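The "Delete on Reboot" option in the Killbox step above works through a Windows mechanism worth knowing when you are cleaning or investigating a box: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT appends a (source, destination) pair to the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, and Session Manager carries the operations out at the next boot before the files are locked again. An empty destination means delete; a destination beginning with "!" means overwrite an existing file; paths are NT-style, prefixed with \??\. Malware uses the same value to drop or swap files, so reading it back is a useful check, and it is also where a "Pending Operations" style error comes from. The decoder below is an added example and not part of the original thread or of Killbox; the registry bytes it parses are constructed inline, and the system32 location assumed for the two DLL names from this thread, the update.tmp/newfile.dll pair, and the function names are all illustrative.

```python
"""Decode a PendingFileRenameOperations value (REG_MULTI_SZ) and list what
Windows will delete or move at the next boot.

Added example, not from the thread.  The sample bytes at the bottom are
constructed; the file locations in them are assumptions.
"""
from typing import List, Tuple

NT_PREFIX = "\\??\\"


def decode_multi_sz(raw: bytes) -> List[str]:
    """Split a REG_MULTI_SZ blob: UTF-16LE strings, each NUL-terminated,
    followed by one extra NUL.  Empty strings in the middle are significant
    (they are the "delete" destinations), so only the terminators are dropped."""
    text = raw.decode("utf-16-le")
    if text.endswith("\x00\x00"):
        text = text[:-2]          # last string's NUL + list terminator
    elif text.endswith("\x00"):
        text = text[:-1]          # tolerate a value missing the list terminator
    return text.split("\x00") if text else []


def encode_multi_sz(strings: List[str]) -> bytes:
    """Inverse of decode_multi_sz; used here only to build the constructed sample."""
    return ("\x00".join(strings) + "\x00\x00").encode("utf-16-le")


def pair_operations(names: List[str]) -> List[Tuple[str, str]]:
    """Group the flat string list into (source, destination) pairs.
    winreg.QueryValueEx already returns the list form, so it can be fed in here."""
    if len(names) % 2:
        raise ValueError("odd number of entries: value is truncated or malformed")
    return [(names[i], names[i + 1]) for i in range(0, len(names), 2)]


def to_win32_path(nt_path: str) -> str:
    """Strip the '!' overwrite flag and the \\??\\ prefix for display."""
    p = nt_path[1:] if nt_path.startswith("!") else nt_path
    return p[len(NT_PREFIX):] if p.startswith(NT_PREFIX) else p


def pending_deletions(raw: bytes) -> List[str]:
    """Win32 paths that will be deleted at the next boot."""
    return [to_win32_path(src)
            for src, dst in pair_operations(decode_multi_sz(raw)) if dst == ""]


def pending_moves(raw: bytes) -> List[Tuple[str, str]]:
    """(source, destination) pairs that will be moved or overwritten at the next boot."""
    return [(to_win32_path(src), to_win32_path(dst))
            for src, dst in pair_operations(decode_multi_sz(raw)) if dst != ""]


# Constructed sample: two DLL names from this thread scheduled for deletion
# (system32 location is an assumption) plus one hypothetical overwrite.
SAMPLE_VALUE = encode_multi_sz([
    "\\??\\C:\\WINDOWS\\system32\\vfryugq.dll", "",
    "\\??\\C:\\WINDOWS\\system32\\zzaooji.dll", "",
    "\\??\\C:\\WINDOWS\\Temp\\update.tmp", "!\\??\\C:\\WINDOWS\\system32\\newfile.dll",
])

if __name__ == "__main__":
    for path in pending_deletions(SAMPLE_VALUE):
        print("DELETE ", path)
    for src, dst in pending_moves(SAMPLE_VALUE):
        print("MOVE   ", src, "->", dst)
```

On a live system the value is read with winreg.QueryValueEx, which returns the string list directly; pass that to pair_operations. A delete entry for a file a legitimate installer never touched, or a move whose destination is a system DLL, is what you want to see before you reboot, not after.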
  9. janet_jjj

    janet_jjj Private E-2

    Thanks for your reply. I did as you told, except:
    1/ I was not able to delete
    Java 2 Runtime Environment Standard Edition v1.3.1_04, and
    2/ I was not able to run Windows Defender and Bitfinder.

    I have attached the logs from running the other software. Please let me know if you need anything else.
    Thank you so much!
     

    Attached Files:

  10. janet_jjj

    janet_jjj Private E-2

    and here is the HJT log:
     

    Attached Files:

  11. matt.chugg

    matt.chugg MajorGeek

    What problems are you encountering with BitDefender?
    You need to run CounterSpy if you cannot run Windows Defender, as per the READ & RUN ME.

    Run HijackThis. Click the 'Do a system scan only' button.

    Place a checkmark in the box next to the following lines:

    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Paste the below filenames into KILL BOX one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X; it will ask you to confirm the file for deletion, say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot.


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)


    If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    REBOOT to Normal Mode.

    Let me know how things are running now

    Post a fresh HijackThis log, a fresh newfiles log and a fresh ActiveScan log.
     
  12. janet_jjj

    janet_jjj Private E-2

    Hi matt.chugg,

    It wasn't loading up on my webpage. But after I installed the ActiveX component it started running.

    I couldn't run Windows defender so I did run CounterSpy.

    I did as you had advised and have attached all the new logs. Please let me know if you need anything else and thank you for your continued help!!! :)
     

    Attached Files:

  13. janet_jjj

    janet_jjj Private E-2

    and the newfiles log.
     

    Attached Files:

  14. matt.chugg

    matt.chugg MajorGeek

    You haven't told me how things are running now! Are you having any malware-specific symptoms anymore?
     
  15. janet_jjj

    janet_jjj Private E-2

    oops sorry.

    It's running pretty well. No signs or crazy behaviour of malware.

    So is it clean now?
     
  16. matt.chugg

    matt.chugg MajorGeek

    Nearly there ;)

    Reboot into safe mode and delete the following:

    Note: C:\Program Files\Common Files\?asks

    The question mark in here will probably appear as a T but isn't really. Some malware uses non-standard characters to try to confuse scanners. The folder will probably be empty anyway, but to help you find it, it was modified Oct 12 2006.

    I need to check the details of some files on your computer to see who made them etc. Download the zip file attached to this post and extract both files to a convenient folder. Run the GetFileDetails.bat file by double clicking it. This will create a log file in the root of C: called getdetails.txt; upload it with your next post.
     

    Attached Files:

  17. janet_jjj

    janet_jjj Private E-2

    Did as you told.
    here is the GetDetails.txt
     
  18. janet_jjj

    janet_jjj Private E-2

    Here it is.
    please let me know if you need anything else.
     

    Attached Files:

  19. matt.chugg

    matt.chugg MajorGeek

    Sorry, there was an error in the batch file I created, entirely my fault!

    Please can you repeat the procedure with the zip attached to this post. Sorry again ;)
     

    Attached Files:

  20. janet_jjj

    janet_jjj Private E-2

    Not a problem, here it is. Please let me know if you need anything else.
     

    Attached Files:

  21. matt.chugg

    matt.chugg MajorGeek

    OK, it looks like those files have all gone!

    Is everything still running smoothly? If so, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    3. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and enable System Restore to create a new clean Restore Point.
    4. After doing the above, you should work thru the below link:
     
