Please help, can't figure out what it is still infected with

Discussion in 'Malware Help (A Specialist Will Reply)' started by cismaxz, Apr 6, 2008.

  1. cismaxz

    cismaxz Private E-2

    I am trying to clean this PC for a family member and I have to say that it has been most challenging. I have tried everything I know but still can't get rid of it. I am not sure how long it has been infected. I suspect it was infected by her son, who was using Morpheus to download stuff.

    I have gone through the cleaning steps here but still having issues.

    Attached are the logs requested. Thanks ahead of time for any help.
     

    Attached Files:

  2. cismaxz

    cismaxz Private E-2

    and the last log....

    Thanks again.
     

    Attached Files:

  3. abri

    abri MajorGeek

    Hi cismaxz,
    Welcome to Major Geeks!


    The scans got rid of a lot of the malware, but there is still some left. I will put together some instructions for you. This takes time, so thanks for being patient!

    abri
     
  4. abri

    abri MajorGeek

    Hi cismaxz,

    There are some fairly serious things wrong here. We'll see what can be done.

    1) Please disable your guest account if this has not already been done.

    2) Install the current version of Sun Java from: Sun Java Runtime Environment


    3) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PowerReg Scheduler.exe
    O20 - AppInit_DLLs: mrjhtjd.dll,qrhhb.dll,xdfntt.dll,hgfhk.dll,hjaiq.dll,kduy.dll,frntrn.dll,dnteh.dll,chmfcmh.dll,jwlah.dll,crugd.dll,lariytrz.dll,thurh.dll,
    mgmgmm.dll,oqrthc.dll,ydgn.dll,dbfb.dll,fjnbv.dll,wmsat.dll,gmnait.dll,hfjg.dll,xdndn.dll,rgfjj.dll,dscef.dll,xfng.dll,njritc.dll,setrhes.dll,cdxbfxdb.dll,
    xfgnxfn.dll,gjkhj.dll,fxnfnh.dll,bjrvm.dll,ektvm.dll,fehom.dll,jyjlt.dll,ijatnaw.dll,sehhter.dll,fhjfg.dll,zdbdb.dll,rhs.dll,atehhz.dll,gjjte.dll,xgnfn.dll,
    xfgnhcgfm.dll,serger.dll,bnxnb.dll,fxgnfx.dll,jzijj.dll,xfgnfx.dll,serghjm.dll,thsddh.dll,xbcvxb.dll,zfdzb.dll,hkfgh.dll,drghszd.dll,fngn.dll,xdhdg.dll,
    zdbfbd.dll,fjyjy.dll,awef.dll,msepbe.dll,

    After you click fix, just close hijackthis.


    5) Download and install Erunt. Use it to create a backup of your registry.

    6) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    7) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    8) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    9) Before you run the MGtools again, I would like to ask you to run a rootkit scan. Go to Alternate Scans and scroll about halfway down the page. There you'll find a list of rootkit scans. Please run the one from TrendMicro and attach the log when it's finished.

    10) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
    Last edited by a moderator: Apr 14, 2008
  5. cismaxz

    cismaxz Private E-2

    Thanks a lot for taking the time to look at the logs and put this together. I will be working late tonight so it may not be until after 10pm EST that I get a chance to do anything on it.

    I'm glad to see that it was pretty bad and not just me ;)
     
  6. cismaxz

    cismaxz Private E-2

    Here are the latest logs. I am still seeing some files in C:\Windows like tfyjni.exe and AVPSrv.exE
     

    Attached Files:

  7. abri

    abri MajorGeek

    Hi cismaxz,

    I don't see these two. Could you paste the pathways for me?


    Please continue as follows:

    1) Do you know what Kwari is which contains the following file?

    C:\Documents and Settings\Lachlan\Local Settings\Application Data\Micro Forte\Kwari\Kwari.xLoader.32

    2) Please run the Norton Removal Tool (SymNRT).


    3) Next I would like for you to run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [WSockDrv32] C:\WINDOWS\WSockDrv32.exe
    O4 - HKLM\..\Run: [TBMonEx] C:\WINDOWS\Fonts\syn00-0C-6E-FB-05-D3\system\smss.exe
    O20 - AppInit_DLLs: mrjhtjd.dll,qrhhb.dll,xdfntt.dll,hgfhk.dll,hjaiq.dll,kduy.dll,frntrn.dll,dnteh.dll,chmfcmh.dll,jwlah.dll,crugd.dll,lariytrz.dll,thurh.dll,
    mgmgmm.dll,oqrthc.dll,ydgn.dll,dbfb.dll,fjnbv.dll,wmsat.dll,gmnait.dll,hfjg.dll,xdndn.dll,rgfjj.dll,dscef.dll,xfng.dll,njritc.dll,setrhes.dll,cdxbfxdb.dll,
    xfgnxfn.dll,gjkhj.dll,fxnfnh.dll,bjrvm.dll,ektvm.dll,fehom.dll,jyjlt.dll,ijatnaw.dll,sehhter.dll,fhjfg.dll,zdbdb.dll,rhs.dll,atehhz.dll,gjjte.dll,xgnfn.dll,
    xfgnhcgfm.dll,serger.dll,bnxnb.dll,fxgnfx.dll,jzijj.dll,xfgnfx.dll,serghjm.dll,thsddh.dll,xbcvxb.dll,zfdzb.dll,hkfgh.dll,drghszd.dll,fngn.dll,xdhdg.dll,
    zdbfbd.dll,fjyjy.dll,awef.dll,msepbe.dll,

    After you click fix, just close hijackthis.

    4) Now Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    5) Now run CCleaner at the default setting with the Windows tab as the top one.

    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
    Last edited by a moderator: Apr 14, 2008
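
A defender-side triage script, added here as an example (it is not part of the thread, HijackThis or MGtools): it parses O4/O20 lines like the ones quoted in posts 4 and 7 above and flags the three patterns behind the fix lists: a non-empty AppInit_DLLs value full of random-looking names, a core system binary (smss.exe) starting from outside system32, and an unfamiliar executable sitting directly in C:\WINDOWS. The allowlists and the randomness heuristic are assumptions of mine, not facts from the page.

```python
import re

# Sample lines copied from the HijackThis output quoted in this thread (post 7).
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"',
    r'O4 - HKLM\..\Run: [WSockDrv32] C:\WINDOWS\WSockDrv32.exe',
    r'O4 - HKLM\..\Run: [TBMonEx] C:\WINDOWS\Fonts\syn00-0C-6E-FB-05-D3\system\smss.exe',
    r'O20 - AppInit_DLLs: mrjhtjd.dll,qrhhb.dll,xdfntt.dll,hgfhk.dll,hjaiq.dll,kduy.dll,msepbe.dll,',
]
# Assumed allowlists: core binaries that belong only under system32, and executables an XP install keeps in the Windows root.
CORE_SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
KNOWN_WINDOWS_ROOT_EXES = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "winhlp32.exe"}

def looks_random(stem):
    """Heuristic: pronounceable names spread vowels out; generated names tend not to."""
    vowels = sum(c in "aeiouy" for c in stem)
    longest_run = max((len(r) for r in re.findall(r"[^aeiouy]+", stem)), default=0)
    return vowels / max(len(stem), 1) < 0.2 or longest_run >= 4

def parse_appinit(line):
    """'O20 - AppInit_DLLs: a.dll,b.dll,' -> ['a.dll', 'b.dll'] (trailing comma tolerated)."""
    value = line.partition("AppInit_DLLs:")[2]
    return [d.strip() for d in value.split(",") if d.strip()]

def parse_o4(line):
    """Return (entry name, executable path) from an 'O4 - hive: [name] path [args]' line, else None."""
    m = re.match(r'^O4 - [^:]+: \[([^\]]*)\] (.*)$', line)
    if not m:
        return None
    rest = m.group(2).strip()  # quoted paths may contain spaces and be followed by arguments
    return m.group(1), (rest[1:].partition('"')[0] if rest.startswith('"') else rest.split(" ")[0])

def triage(lines):
    """Return (line, reason) pairs for the lines a responder should look at first."""
    findings = []
    for line in lines:
        if line.startswith("O20 - AppInit_DLLs:"):
            dlls = parse_appinit(line)
            odd = [d for d in dlls if looks_random(d.rsplit(".", 1)[0])]
            # AppInit_DLLs is empty on a clean box; anything listed is loaded into every process that uses user32.
            findings.append((line, f"AppInit_DLLs non-empty: {len(dlls)} DLLs, {len(odd)} random-looking"))
            continue
        parsed = parse_o4(line)
        parts = parsed[1].lower().split("\\") if parsed else []
        exe = parts[-1] if parts else ""
        if exe in CORE_SYSTEM_BINARIES and "system32" not in parts:
            findings.append((line, f"{exe} started from outside system32"))
        elif len(parts) == 3 and parts[1] == "windows" and exe not in KNOWN_WINDOWS_ROOT_EXES:
            findings.append((line, f"unfamiliar executable in Windows root: {exe}"))
    return findings
```

Running `triage(SAMPLE_LOG)` yields one finding for each of the three flagged patterns and none for the legitimate Java updater line.
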
  8. cismaxz

    cismaxz Private E-2

    They are in C:\windows
    c:\windows\QTFont.qfn
    c:\windows\AVPSrv.exE
    c:\windows\tfyjni.exe

    There are also a lot of .dll files in the c:\windows\system32 directory that do not look good. If I sort the files by modified date there are about 20 or so dll files modified recently which do not look like they should be there.


    As far as question #1 that you had - are you sure you were looking at the correct logs? There is no profile on this PC with the user name Lachlan as in - C:\Documents and Settings\Lachlan\Local Settings\Application Data\Micro Forte\Kwari\Kwari.xLoader.32
     
  9. cismaxz

    cismaxz Private E-2

    OK, so like I said in my previous post, there is no profile on this PC with that name, so I obviously didn't do that step. I did do the test but I cannot get MGtools to finish. I have tried it several times but it eventually just hangs and sits there doing nothing.
     
  10. abri

    abri MajorGeek

    Hi cismaxz,

    Well, I've lost that person, but I'm sure they will show up again. However, did you do the rest of the instructions? And if so, did you get the Avenger log? I can't tell anything further until I can see at least one of the logs.

    As for the files you are mentioning in Windows, I have seen them today, just not in the logs attached to your thread but in a different thread. I find that most mysterious.

    As for the MGTools hanging, please go to the XP Cleaning Instructions and follow the instructions for installing the MGTools. When it asks if you want to install over the old ones, just say yes. Then run them as per the instructions and see if you still have the same problem. If you get a log, please attach it with your next post.

    Thanks.
    abri
     
  11. cismaxz

    cismaxz Private E-2

    OK, here are the attached logs. I am almost out of patience with this PC. I was still having problems with MGTools. It would start the first process and hang, even after reinstalling it. I had to kill it and kill regedit, delete all of the files in the directory and reinstall it again, and then it ran.

    Also when I ran everything this time I am under the other user profile on this PC.
     

    Attached Files:

  12. abri

    abri MajorGeek

    Hi cismaxz,
    Sorry I had to be away. Your computer is getting infected faster than we can keep up. Is it possible for you to run first CCleaner and then Combofix again? It can be in normal or safe mode. I need to see the combofix log, if at all possible. Please try not to use the computer for anything else.
    abri
     
  13. cismaxz

    cismaxz Private E-2

    No problem. Thanks for all of your help. I decided I was spending way too much time on this one problem that just kept multiplying, so I reinstalled Windows.
     
  14. abri

    abri MajorGeek

    Hi cismaxz,

    Thanks for letting me know. I can tell you that I've never seen a computer quite as badly infected as yours was. All of your programs were infected and it would have taken a lot of work to get it back. If you go to the page How to Protect Yourself from Malware you will find the recommendations of this site for a combination of antimalware programs that will give you the most protection using the least amount of resources. You can have good protection using free programs. I highly recommend using Spyware Blaster and the immunization feature in Spybot Search & Destroy. You can read more about these at the above page.

    If you have any other questions, just ask.

    All the best to you!
    abri
     
  15. cismaxz

    cismaxz Private E-2

    Yeah, I know it was bad. It was not mine; it was a family member's. I work in the IT field and haven't seen one that bad before. I loaded them up with all of the needed software before I gave it back to them. Her son is going to college this fall, so hopefully that was the end of the viruses.
     
  16. abri

    abri MajorGeek

    LOL at end of viruses

    I know the value of the gift you gave them and wish you well in your work. I know his son will enjoy the computer.

    abri
     
