READ ME FIRST has been run

Discussion in 'Malware Help (A Specialist Will Reply)' started by Lydster, Jun 14, 2008.

  1. Lydster

    Lydster Private First Class

    Found malware on my HP Pavilion running XP SP2. Various pop-up windows and error msgs indicated the presence of malware.

    I've already followed ALL instructions in your READ THIS FIRST thread.
    After your instructions, everything appears to be okay, but I thought I'd ask you to look at the logs to be sure.

    Since I can only send 3 attachments per thread, I'll attach SAS, mbam, and ComboFix logs now; and I'll post a 2nd thread with MGtools log.

    Please let me know if there's still anything hanging on that I need to handle.

    Thanks!
     


  2. Lydster

    Lydster Private First Class

    Here's the 4th attachment, MGTools logs.

    Thank you.
     


  3. abri

    abri MajorGeek

    Thanks Lydster!
    Welcome to the Malware Forum!

    One of us will look through your logs and get back to you. This takes some time, so thanks for being patient!

    abri
     
  4. Lydster

    Lydster Private First Class

    I just thought I should mention that I posted at the same time as this one another thread for a different laptop that Chaslang worked on. Just didn't want you to think that it was the same laptop in both threads. They are two different laptops having malware issues. Thanks!
     
  5. abri

    abri MajorGeek

    Hi Lydster,

    Please do the following

    1) Install the current version of Sun Java from: Sun Java Runtime Environment

    2) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: {4f696102-9604-6f1b-f5a4-f2e0b6037d85} - {58d7306b-0e2f-4a5f-b1f6-4069201696f4} - C:\WINDOWS\system32\xdgioywh.dll (file missing)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: (no name) - {AE83D3B5-32E3-48A5-BD06-76CA32360DAD} - C:\WINDOWS\system32\geeba.dll (file missing)
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O20 - Winlogon Notify: cbxvssq - cbxvssq.dll (file missing)


    Do the following programs need to load at startup? If not, please fix them as well.

    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    After you click fix, just close hijackthis.



    3) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):


    Code:
    KILLALL::
    
    FILE::
    C:\WINDOWS\system32\kdozq.exe
    C:\WINDOWS\system32\geeba.dll
    C:\WINDOWS\system32\xdgioywh.dll
    C:\WINDOWS\BM6a644833.txt
    
    REGISTRY::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{58d7306b-0e2f-4a5f-b1f6-4069201696f4}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE83D3B5-32E3-48A5-BD06-76CA32360DAD}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbxvssq]
    
    [-HKEY_CURRENT_USER\Software\Kazaa]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    4) Now run CCleaner at the default setting with the Windows tab as the top one.


    5) Combofix showed a hidden file and I would like to look at that more closely. Please follow the instructions in Running GMER to detect rootkits



    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix and GMER logs.


    Let me know how things are running now?

    abri
     
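As an added defender-side illustration (not from the thread, and not code from HijackThis or ComboFix): a small Python triage script that parses HijackThis lines like the ones abri lists above, flags entries marked (file missing) or (no file) as orphaned registry references, and maps O2 and O20 entries to the registry keys that the CFScript above deletes. The two key paths are taken from that CFScript; no key is derived for O3 toolbar entries because the thread does not show one.

```python
import re
# Constructed sample input: the six HijackThis lines quoted in the thread above.
SAMPLE_LOG = """\
O2 - BHO: {4f696102-9604-6f1b-f5a4-f2e0b6037d85} - {58d7306b-0e2f-4a5f-b1f6-4069201696f4} - C:\\WINDOWS\\system32\\xdgioywh.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AE83D3B5-32E3-48A5-BD06-76CA32360DAD} - C:\\WINDOWS\\system32\\geeba.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\QTTask.exe" -atboottime
O20 - Winlogon Notify: cbxvssq - cbxvssq.dll (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Registry locations as they appear in the thread's CFScript.
BHO_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

def parse_line(line):
    """Split one HijackThis line into section code, kind and detail text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, detail = m.groups()
    clsids = CLSID_RE.findall(detail)
    return {
        "section": section, "kind": kind, "detail": detail,
        # For O2 lines the last CLSID is the BHO's registry key name.
        "clsid": clsids[-1] if clsids else None,
        # HijackThis appends these markers when the referenced file is gone:
        # the registry entry is a dangling leftover, not a live component.
        "orphaned": detail.endswith("(file missing)") or detail.endswith("(no file)"),
    }

def registry_key(entry):
    """Map an O2 or O20 entry to the registry key ComboFix would delete."""
    if entry["section"] == "O2" and entry["clsid"]:
        return BHO_KEY + "\\" + entry["clsid"]
    if entry["section"] == "O20":
        return NOTIFY_KEY + "\\" + entry["detail"].split(" - ", 1)[0]
    return None

def triage(log_text):
    """Return orphaned entries with the registry key to remove (None if unknown)."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["orphaned"]:
            entry["key"] = registry_key(entry)
            findings.append(entry)
    return findings
```

Running triage(SAMPLE_LOG) reports the three O2, the O3 and the O20 entries as orphaned and leaves the O4 QuickTime autostart alone, since its executable is still present.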
