Possible problems still...

Discussion in 'Malware Help (A Specialist Will Reply)' started by barbedNebular, Jan 13, 2008.

  1. barbedNebular

    barbedNebular Private E-2

    Hi, it looks like I still have problems with some Malware so I have attached the required files. I went through your "Windows XP Cleaning Procedure". I got hit yesterday while searching on the web. Sort of knew that something was wrong when AVG started to tell me that it had problems. However it removed itself as the Trojan infected AVG and a few other apps.

    Please help... thanks.
     

    Attached Files:

  2. barbedNebular

    barbedNebular Private E-2

    I think I got it fixed!! I went through with ComboFix while running in Safe Mode and it looks like it has removed the Trojan (though I'm not 100%).

    I'll post a new set of files for you to have a look at. Just one question, should I remove Microsoft.WindowsSecurityCenter.AntiVirusOverride when in Spybot? It's the only thing that has come up so far...
     
  3. barbedNebular

    barbedNebular Private E-2

    Ok here are the new files. I hope they help!! If everything looks good, what should I do next?

    I suspect I need to set up a new System Restore point. All of mine were lost when I got hit... not good. I've also lost some apps so I'm not sure what to do about that. Install them again if everything is clear.

    Thanks again... the site has been very useful, and great work everybody!
     

    Attached Files:

  4. abri

    abri MajorGeek

    Hi barbednebular!

    Your MGTools didn't run correctly and we will need the logs from those. I'm not sure why they didn't run so please do the following and we will come back to this:

    1) Go to the Windows Explorer folder C:\MGTools and open it. On the right side of the screen find the program called analyse.exe. Double click on it and click on "Do a System Scan and Save a Logfile". Attach the log to your next post.

    2) Download and install Erunt. Use it to create a backup of your registry.

    3) Next please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
    4) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    5) Run CCleaner at the default settings with the windows tab as the one on top.

    6) After you finish the above, please go back to the READ & RUN ME FIRST and scroll down to the bottom of the page and select the instructions for your operating system. On the next page, find the link for the MGTools.exe and reinstall it. To install this, you only need to click on the link. It will produce a set of logs when it installs. If it asks you if it should install over the existing version, say yes. Tell me if you get any errors and attach the MGlogs.zip (located directly under C:\ ) with your next post.

    You'll have two things to attach, the log produced by HijackThis (analyse.exe) which will be called hijackthis.log and should be located in the MGTools folder and the MGlogs.zip located directly under C:\ . Also, please let me know if you got a success message for the registry patch in step 3.

    abri
     
  5. barbedNebular

    barbedNebular Private E-2

    Hi Abri
    Great, thanks for the information!
    Step 3: Went well, installed with no problems.

    Step 4: When running Avenger, it pointed out that the files it was about to remove are no longer there.

    Step 5: Ok no problems here.

    Step 6: No errors running, mind you it didn't say about installing over the existing version.

    The new files have been posted. So far things are good, no problems...

    A lot of the apps that were infected have been removed so they no longer run at startup. Oh well... probably best without them ;)

    Should I un-install all apps which are no longer running?

    Thanks again...
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi barbed Nebular!
    I noticed you have the same kinds of things as in this thread:
    http://forums.majorgeeks.com/showthread.php?p=1091305

    Please continue as follows:


    1) Go to add/remove programs and uninstall the below:

    - Java 2 Runtime Environment, SE v1.4.2_03

    2) Reboot after uninstalling the above.

    3) Install the current version of Sun Java from: Sun Java Runtime Environment

    4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {C577A083-E105-4805-B9C4-BAC99917079D} - C:\WINDOWS\system32\pmkji.dll (file missing)
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime

    Did you put these in your trusted zone? If not, fix them as well.

    O15 - Trusted Zone: *.gomyhit.com
    O15 - Trusted Zone: *.imageservr.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.storageguardsoft.com
    O15 - Trusted Zone: *.gomyhit.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.storageguardsoft.com (HKLM)

    Do you need the following program to load at startup? If not, fix it too.

    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

    After you click fix, just close hijackthis.


    5) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    6) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    7) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    8) After you finish the above, please
    • Download RenV.exe and save it to your Desktop (must be on the Desktop)
    • Doubleclick RenV.exe
      • When finished, it will produce a new log named Log.txt on the Desktop.
      • Attach this log to your next reply.
    9) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger and RenV logs.



    Let me know how things are running now.

    abri
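    A small triage helper, added here as an example and not code from the thread or from MajorGeeks, that parses HijackThis-style lines like the O2/O4/O15 entries abri quoted above and flags the patterns visible in them: a BHO whose DLL is marked "(file missing)", Trusted Zone domains that were not deliberately added, and an executable name with a space before ".exe". The sample lines are constructed from the entries above, and the flagging rules are assumed heuristics rather than HijackThis's own logic.

```python
import re

# Constructed sample in the HijackThis log format quoted in the thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {C577A083-E105-4805-B9C4-BAC99917079D} - C:\\WINDOWS\\system32\\pmkji.dll (file missing)
O4 - HKLM\\..\\Run: [RealTray] C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask .exe" -atboottime
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O4 - Startup: OpenOffice.org 2.0.lnk = C:\\Program Files\\OpenOffice.org 2.0\\program\\quickstart.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")

def parse_line(line):
    """Split 'O<n> - <detail>' into (section, detail); None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def triage(log_text, expected_trusted=()):
    """Return (section, reason, detail) for entries that deserve a second look.

    Rules (assumed heuristics, not HijackThis's own logic):
      O2  with '(file missing)'   -> registered BHO whose DLL is gone
      O15 trusted-zone domain     -> relaxed IE security unless expected
      O4  space right before .exe -> unusual executable name
    """
    findings = []
    seen_domains = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        section, detail = parsed
        if section == "O2" and "(file missing)" in detail:
            findings.append((section, "BHO registered but DLL absent", detail))
        elif section == "O15":
            domain = detail.replace("Trusted Zone:", "").replace("(HKLM)", "").strip()
            if domain in seen_domains:
                continue  # HKCU and HKLM copies of the same domain count once
            seen_domains.add(domain)
            if domain not in expected_trusted:
                findings.append((section, "unexpected Trusted Zone domain", domain))
        elif section == "O4" and re.search(r"\s\.exe\b", detail, re.IGNORECASE):
            findings.append((section, "space before .exe in executable name", detail))
    return findings

if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section}: {reason}: {detail}")
```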
     
  7. barbedNebular

    barbedNebular Private E-2

    Hi Abri
    1: Done
    2: Reboot went ok, no problems
    3: Installed Java, no problems
    4: All files fixed apart from "O4 - Startup: OpenOffice.org 2.0.lnk", this is Open Office and is launched from startup which I left out as I use Open Office.
    5: Removed early on in the day as well as other apps
    6: When I ran this, it failed to remove the folder. This was removed manually with no problems and Cleaned using CCleaner from the bin.

    I re-ran the script, the log is in this post.
    7: All done with no problems.
    8: No problems and log is in this post.
    9: Ran Getlogs.bat from MGTools. No problems, zip file in this post.

    The PC is running much quicker now, better than before. However I have another user account on the PC. Should I go through this process again?

    Thanks very much for all the help!!
     

    Attached Files:

  8. barbedNebular

    barbedNebular Private E-2

    Hi, can someone check this to make sure it's all clear...

    It would be most appreciated. Thanks.
     
  9. abri

    abri MajorGeek

    Hi barbed nebular!

    Please copy the bold text below to notepad. Save it as Log.txt to your desktop.
    • Now using your mouse, drag Log.txt onto RenV.exe
    • When finished, RenV.exe will produce a new log. Attach the new Log.txt to your next reply.
    • Run ComboFix
    • Run C:\MGtools\GetLogs.bat by double clicking on it.
    • Attach the below new logs:
      • Log.txt
      • C:\ComboFix.txt
      • C:\MGlogs.zip (can be found directly under C:\ )
    Run CCleaner on the other user account.

    abri
     
  10. barbedNebular

    barbedNebular Private E-2

    Hi Abri
    Thanks for getting back to me. Just a question... I have another user on the PC. Would I have to do anything for them after the next set of tasks?

    Thanks.
     
    Last edited: Jan 14, 2008
  11. barbedNebular

    barbedNebular Private E-2

    Hi Abri
    Ok all done. Here are the new logs.

    Thanks again for helping out. Would it be a good idea at some point to rebuild the OS or should everything be fine as it is?
     

    Attached Files:

  12. abri

    abri MajorGeek

    Hi barbedNebular!

    If your computer is working all right, I would not undertake any repairs. It would not hurt to run the other pc's through the READ & RUN ME, but if they're not showing any symptoms, it's not pressing.

    If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    I don't find anything further in your logs. I'll post you our final clean-up instructions:
    abri
     
  13. barbedNebular

    barbedNebular Private E-2

    Hi Abri
    Thanks for everything... you're the best!

    Luckily I don't use Windows Messenger. I've removed it from the Windows Components Wizard as I can't find it anywhere else. It doesn't seem to be under the Add/Remove programs.

    So far I've installed AVG Virus Scan, but I will go through the "How to Protect Yourself from Malware" link to work out what else I need.

    Again, many thanks. I'll keep you posted on how things go after the final clean up instructions.
     
  14. abri

    abri MajorGeek

    Thanks so much!
    All the best to you and your computer.
    abri
     
