Ready for additional help!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by davidn1982, Nov 26, 2011.

  1. davidn1982

    davidn1982 Private E-2

    Hello, I went through the READ & RUN ME. The main virus that was stopping me from doing anything, which was some kind of fake antivirus software, was removed, but there is still another virus.

    I can see it in the Task Manager process panel and there is always the hourglass next to the mouse; the computer sounds like it is working hard. There are about 5 duplicates, all named something like hk132.exe; I have to go back into normal mode and check the exact name. It makes the computer go slow.

    I need help finding the logs from the scans that I ran. I did the Windows 7 (64-bit) procedures and ran all 4 programs, I'm just not sure where all the logs are. Thanks
     
  2. davidn1982

    davidn1982 Private E-2

    Found the MGtools log.
     

    Attached Files:

  3. davidn1982

    davidn1982 Private E-2

    I just need to find the ComboFix log. When you get a chance to view this, let me know where it would be. I am on Windows 7, like I said earlier.
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    C:\ComboFix.txt ;)
     
  5. davidn1982

    davidn1982 Private E-2

    Here's the last one, ComboFix.
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    Go back and complete Step #6 here: READ & RUN ME FIRST Malware Removal Guide -- Using DeFogger

    From Programs and Features (via Control Panel), please uninstall the below:
    • Ask Toolbar
    • Java(TM) 6 Update 26
    • StartNow Toolbar

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    AtJob::
    ClearJavaCache::
    DDS::
    uStart Page = hxxp://www.ask.com/?l=dis&o=15007
    FireFox::
    FF - ProfilePath - c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\u49vccjt.default\
    FF - prefs.js: browser.search.selectedEngine - Ask.com
    FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?l=dis&o=15007
    FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=SPC2&o=15004&locale=en_US&apn_uid=7CFCFD34-7825-4009-AF40-A467B08D034A&apn_ptnrs=PW&apn_sauid=27A7CF93-9724-4999-8AE5-1C29DE0C4EA7&apn_dtid=YYYYYYYYUS&&q=
    File::
    c:\windows\SysWow64\HDtt52.com_
    c:\windows\system32\HDtt52.com_
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini
    C:\Windows\assembly\temp\lsflt7.ver
    C:\Windows\assembly\temp\kwrd.dll
    C:\Windows\assembly\temp\cfg.ini
    C:\Windows\assembly\temp\bckfg.tmp
    C:\Windows\assembly\temp\@
    C:\Users\David\Local Settings\TEMP\236A.tmp
    C:\Users\David\Local Settings\TEMP\236B.tmp
    C:\Users\David\Local Settings\TEMP\30EE.tmp
    C:\Users\David\Local Settings\TEMP\57DF.tmp
    C:\Users\David\Local Settings\TEMP\75DC.tmp
    C:\Users\David\Local Settings\TEMP\7B4C.tmp
    C:\Users\David\Local Settings\TEMP\7B5C.tmp
    C:\Users\David\Local Settings\TEMP\9701.tmp
    C:\Users\David\Local Settings\TEMP\B173.tmp
    C:\Users\David\Local Settings\TEMP\E0AE.tmp
    C:\Users\David\Local Settings\TEMP\E32D.tmp
    C:\Users\David\Local Settings\TEMP\KO25mY5C.zip.part
    C:\Users\David\Local Settings\TEMP\_isdelet.ini
    Folder::
    C:\Windows\assembly\temp\U
    c:\users\David\AppData\Roaming\bJ6dEK8fR9TwUeI
    c:\users\David\AppData\Roaming\EvobF4pmGs
    c:\users\David\AppData\Roaming\NVelOBtzPyA
    c:\users\David\AppData\Roaming\cD3onF4am
    c:\users\David\AppData\Roaming\LG5sQJ6dE8R9TwU
    c:\users\David\AppData\Roaming\NeellOBttP0yc1v
    c:\program files (x86)\Ask.com
    c:\program files (x86)\StartNow Toolbar
    C:\Users\David\Local Settings\TEMP\AskSearch
    C:\Users\David\Local Settings\TEMP\isp7A40.tmp
    C:\Users\David\Local Settings\TEMP\isp95AC.tmp
    C:\Users\David\Local Settings\TEMP\ispB176.tmp
    C:\Users\David\Local Settings\TEMP\ispD02D.tmp
    C:\Users\David\Local Settings\TEMP\ispD319.tmp
    C:\Users\David\Local Settings\TEMP\ispD7DA.tmp
    C:\Users\David\Local Settings\TEMP\ispF79A.tmp
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10d.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10d.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker3"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{00000000-6E41-4FD3-8538-502F5495E5FC}"=-
    [-HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
    [-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}]
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    http://softvisia.com/users/Night_Raven/Security/cfsdnd2.gif
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    I want you to read and follow these instructions: TDSSKiller - How to run


    Please download MBRCheck by clicking here and save it to your desktop.

    • Double-click on the file to run it. (Vista/7 right-click and select Run as Administrator)
    • A window will open on your desktop.
    • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter.
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
    • Attach that file to your next message. (How to attach)

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know how the computer is running after you have completed the above steps.
     
  7. davidn1982

    davidn1982 Private E-2

    When I ran that script through ComboFix it had me do an update, then ComboFix restarted. I am not sure if that interfered with the script or not; let me know.

    thank you
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    It did not.

    Just a few more things remain. This should finish them off. Remember to let me know how the PC is running afterwards.

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    File::
    C:\ProgramData\TQK4c3K0.dat
    C:\Windows\SysWOW64\HDtt52.com.b
    C:\Windows\system32\HDtt52.com.b
    Registry::
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{33EC226C-DD46-4001-81E0-62EFE18A6613}]
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    http://softvisia.com/users/Night_Raven/Security/cfsdnd2.gif
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)


    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
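    Both CFScript fixes in this thread use the same plain-text layout: a bare section name ending in `::` (KillAll::, File::, Folder::, Registry::, ...) followed by the entries it applies to, with `[-KEY]` deleting a registry key and `"name"=-` deleting a value. The following is an added example, not part of this thread or of ComboFix, that parses that layout and reports which File::/Folder:: targets are still on disk after a run, which is how a helper would confirm the fix took effect; the sample script and its paths are constructed for the example.

```python
"""Parse a ComboFix CFScript and check which targets remain after a run.

Added example, not part of the forum thread or of ComboFix itself.
Section names follow the two scripts posted above; SAMPLE is constructed.
"""
import os
import re

# A section header is a bare word ending in '::' on a line of its own.
SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
# In Registry::, "[-KEY]" means delete the whole key.
KEY_DELETE_RE = re.compile(r"^\[-(.+)\]$")


def parse_cfscript(text: str) -> dict[str, list[str]]:
    """Group non-empty lines under the most recent section header."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def leftover_paths(sections, exists=os.path.exists) -> list[str]:
    """File::/Folder:: entries that still exist (fix did not remove them)."""
    targets = sections.get("File", []) + sections.get("Folder", [])
    return [p for p in targets if exists(p)]


def keys_marked_for_deletion(sections) -> list[str]:
    """Registry keys the Registry:: section deletes outright via [-KEY]."""
    return [m.group(1) for line in sections.get("Registry", [])
            if (m := KEY_DELETE_RE.match(line))]


# Constructed sample in the same layout as the posted scripts.
SAMPLE = """\
KillAll::
File::
C:\\Windows\\system32\\example_bad.com_
C:\\Users\\Example\\AppData\\Local\\Temp\\1234.tmp
Folder::
C:\\Users\\Example\\AppData\\Roaming\\RandomName
Registry::
[HKEY_CURRENT_USER\\Software\\Example\\Run]
"BadEntry"=-
[-HKEY_CLASSES_ROOT\\clsid\\{00000000-0000-0000-0000-000000000000}]
"""
```

Running `leftover_paths(parse_cfscript(open("CFScript.txt").read()))` on the real script after ComboFix finishes lists anything that survived and should be reported back with the log.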
     
  9. davidn1982

    davidn1982 Private E-2

    Thank you, I ran it and here is the log. I will report back with how it is running soon.
     

    Attached Files:

  10. thisisu

    thisisu Malware Consultant

    Ok.

    Remember to attach your updated MGlogs.zip as requested in the previous post.
     
