Result from Malware removal Guide

Discussion in 'Malware Help (A Specialist Will Reply)' started by kene_kj, Dec 17, 2007.

  1. kene_kj

    kene_kj Private E-2

    Attached are the logs requested. runkeys.txt says there are still problems:

    List of Malware found in SharedTaskScheduler
    -----------------------------------------------------------------------
    SpyAxe {C1A8B6A1-2C81-1C3D-A3C6-A1CCDB10B47F}
    -----------------------------------------------------------------------

    List of Malware found in C:\WINDOWS\system32
    -----------------------------------------------------------------------
    SmitFraud in C:\WINDOWS\system32\ot.ico
    -----------------------------------------------------------------------
    Also, I am constantly receiving the pop-up "cannot find C:\windows\system32\drivers\detect.htm". What's this about?
     


  2. abri

    abri MajorGeek

    Hi kene_kj!
    Welcome to Major Geeks!

    I've glanced through your logs. A lot of the infection was removed, but there are a number of files which still need to be gotten out. Please use your computer as little as possible until we have time to work up a set of instructions for you. This takes a bit of time, so thanks for being patient!

    abri
     
    Last edited: Dec 17, 2007
  3. abri

    abri MajorGeek

    Hi kene_kj!

    I have some further instructions for you now.

    1) Your AVG Antispyware didn't run. It may have been blocked by Teatimer which should be turned off because it can block all of the fixes. Please disable Spybot's Teatimer as follows:


    Disable Spybot's TeaTimer. This is a two step process.
    First step:
    • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
    • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
    • If you have Version 1.4, Click on Exit Spybot S&D Resident
    Second step, For Either Version :
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go To the bottom of the Vertical Panel on the Left, Click Tools
    • Then, also in the left panel, click Resident (it shows a red/white shield).
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot
    • Reboot your machine for the changes to take effect.


    2) Go to add/remove programs and uninstall the below:

    - J2SE Runtime Environment 5.0 Update 6

    3) Reboot after uninstalling the above.

    4) Install the current version of Sun Java from: Sun Java Runtime Environment


    5) Run HijackThis (it's called analyse.exe under C:\MGTools) and select Do a system scan only. Select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: egmulhxk.msdn_hlp - {477840F3-BA52-44D9-8E41-38D61CAA010F} - C:\WINDOWS\system32\egmulhxk.dll
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKCU\..\Run: [QdrModule10] "C:\Program Files\QdrModule\QdrModule10.exe"
    O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab

    After you click fix, just close hijackthis.


    6) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    7) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Make sure you tell me how things are working now!


    8) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    9) Please run C:\MGTools.exe again (located under C:\ ) and attach a fresh MGlogs.zip along with the Avenger log.


    Let me know how things are running now?

    abri
     
  4. kene_kj

    kene_kj Private E-2

    Thank you so much Abri!

    I will not be at my home computer until tonight, and will apply these instructions at that time.

    Kene
     
  5. kene_kj

    kene_kj Private E-2

    Abri,

    I have completed your instructions up to and including running The Avenger. One difference I noted is that for HijackThis, there was no entry for O4 - HKCU QdrModule10.
    Not sure, but I may have removed this in Control Panel Add/Remove last night.

    Other than that, everything is running great. No more "Cannot find ....detect.htm" messages.

    I am about to proceed with ATF Cleaner and MGTools.

    thanks again for the help.

    Kene
     
  6. kene_kj

    kene_kj Private E-2

    Attached are the Avenger log and MGlogs.zip.

    Do the following in runkeys.txt mean something bad?


    List of Malware found in SharedTaskScheduler
    ------------------------------------------------------------------------
    SpyAxe {C1A8B6A1-2C81-1C3D-A3C6-A1CCDB10B47F}
    ------------------------------------------------------------------------


    List of Malware found in C:\WINDOWS\system32
    ------------------------------------------------------------------------
    SmitFraud in C:\WINDOWS\system32\ot.ico
    ------------------------------------------------------------------------

    Kene
     


  7. abri

    abri MajorGeek

    Hi kene_kj!
    Yes and thanks. I missed those. Please do the following steps now:

    1) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O22 - SharedTaskScheduler: Windows Update - {C1A8B6A1-2C81-1C3D-A3C6-A1CCDB10B47F} - (no file)

    After you click fix, just close hijackthis.

    2) Go to Removing Zlob aka SmitFraud, SpySheriff, Infections and run as per the instructions:

    3) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now?

    abri
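The HijackThis lines abri asked to have fixed in posts 3 and 7 (a BHO, Run keys, a DPF download and a SharedTaskScheduler entry) are all plain text in a fixed layout, so they can be parsed and screened mechanically. The following Python script is an added example, not part of this thread or of HijackThis: it parses O2/O4/O16/O22 lines into records and applies a few narrow, defender-side heuristics that are my own assumptions (an orphaned "(no file)" target, a CLSID on a known-bad list seeded from the SpyAxe GUID that runkeys.txt reported above, any ActiveX download, and a BHO whose display name is just the stem of a DLL living in system32). The sample log is assembled from the lines quoted in the thread; the QdrModule entry is deliberately not caught by these rules, which shows why a helper's judgement is still needed on top of such a screen.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional

# CLSIDs that the thread's runkeys.txt output identified as malware (SpyAxe).
# In practice this set would be fed from a maintained IOC list (assumption).
KNOWN_BAD_CLSIDS = {"{C1A8B6A1-2C81-1C3D-A3C6-A1CCDB10B47F}"}

# Constructed sample log: the HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: egmulhxk.msdn_hlp - {477840F3-BA52-44D9-8E41-38D61CAA010F} - C:\WINDOWS\system32\egmulhxk.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [QdrModule10] "C:\Program Files\QdrModule\QdrModule10.exe"
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
O22 - SharedTaskScheduler: Windows Update - {C1A8B6A1-2C81-1C3D-A3C6-A1CCDB10B47F} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

CLSID = r"\{[0-9A-Fa-f-]+\}"
# One regex per HijackThis section type handled here (layout as shown in the thread).
PATTERNS = {
    "O2": re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<target>.*)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$"),
    "O16": re.compile(rf"^O16 - DPF: (?P<clsid>{CLSID})(?: \((?P<name>[^)]*)\))? - (?P<target>\S+)$"),
    "O22": re.compile(rf"^O22 - SharedTaskScheduler: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<target>.*)$"),
}


@dataclass
class Entry:
    kind: str                 # O2, O4, O16 or O22
    name: str                 # display name (URL for a DPF line without one)
    clsid: Optional[str]
    target: str               # DLL path, command line, URL or "(no file)"
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Turn one HijackThis line into an Entry, or None if it is not a handled type."""
    line = line.strip()
    for kind, pat in PATTERNS.items():
        m = pat.match(line)
        if m:
            d = m.groupdict()
            return Entry(kind, d.get("name") or d["target"], d.get("clsid"), d["target"])
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def assess(entry: Entry) -> List[str]:
    """Heuristic screening rules (assumptions of this example, not HijackThis logic)."""
    reasons = []
    if entry.target.strip().lower() == "(no file)":
        reasons.append("orphaned registration: the target file no longer exists")
    if entry.clsid and entry.clsid.upper() in KNOWN_BAD_CLSIDS:
        reasons.append("CLSID matches the known-bad list")
    if entry.kind == "O16":
        reasons.append("ActiveX control fetched from an external host; confirm the source is trusted")
    if entry.kind == "O2":
        stem = PureWindowsPath(entry.target).stem.lower()
        if "\\system32\\" in entry.target.lower() and stem and stem in entry.name.lower():
            reasons.append("BHO display name is just the name of a DLL in system32 (generated-name pattern)")
    return reasons


def triage(text: str) -> List[Entry]:
    entries = parse_log(text)
    for e in entries:
        e.reasons = assess(e)
    return entries


def flagged(text: str) -> List[Entry]:
    return [e for e in triage(text) if e.reasons]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.kind} {e.name}: " + "; ".join(e.reasons))
```

Run against the sample, the script flags the BHO, the DPF download and the orphaned SharedTaskScheduler entry (the last one for two reasons), and leaves the RealPlayer, QdrModule and QuickTime Run entries alone; those are the lines a helper decides on by knowledge of the product rather than by pattern.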
     
  8. kene_kj

    kene_kj Private E-2

    Abri, for some reason I cannot run the SmitFraud program. When I download and extract the software I do not get a window with options (as shown in the sff1.jpg). The download and extract seem to work, but no window to execute.
     
  9. abri

    abri MajorGeek

    Hi kene!
    When you extracted the files to the desktop, did you then press any key so that the box would appear? I'm hoping this is the problem. If not we will do the more lengthy process.
    abri
     
  10. kene_kj

    kene_kj Private E-2

    Save Rapport.txt
     


  11. kene_kj

    kene_kj Private E-2

    Attached is the result from running SmitFraudFix........The previous email contained the file rapport.txt BEFORE running "delete the infected files" option in SmitFraudFix

    How does my system look now?

    thanks
     
  12. abri

    abri MajorGeek

    Hi kene_kj!
    This looks like the first rapport.txt log. I would like to see the second one. I only see one of these attached to your different posts.

    Your hosts file was corrupted. Make sure you have run SmitFraudFix completely and then do the following:

    Download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe, click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program

    Please run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created along with the 2nd rapport.txt log.

    Make sure you tell me how things are working now!

    abri
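The hosts file corruption abri mentions above is the classic SmitFraud-era symptom: extra lines that map security-vendor or update hostnames to 127.0.0.1 (so the machine can no longer reach them) or to an outside address. The stock Windows XP hosts file contains only the `127.0.0.1 localhost` mapping, which is what "Restore Microsoft's Hosts File" in HostsXpert puts back. The Python below is an added example, not part of the thread or of HostsXpert: it parses a hosts file, reports every mapping other than the stock one, classifies each as blackholed (loopback) or redirected (external address), and can rewrite the file to the stock content. The sample hosts file is constructed for the example, using reserved `.invalid` names and the 198.51.100.0/24 documentation range as placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# The only active line in the stock Windows XP hosts file.
DEFAULT_HOSTS = "127.0.0.1\tlocalhost\n"

# Constructed sample of a tampered hosts file (not a real capture).
SAMPLE_HOSTS = """\
# header comment, as the stock file carries one
127.0.0.1       localhost
127.0.0.1       www.security-vendor.invalid   # vendor site blackholed
127.0.0.1       update.security-vendor.invalid
198.51.100.7    www.bank.invalid
not-an-ip       something.invalid
"""


@dataclass
class Finding:
    ip: str
    host: str
    verdict: str   # "blackholed", "redirected" or "malformed"


def parse_hosts(text: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (address_text, [hostnames]) for each active line; comments are stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        yield parts[0], parts[1:]


def audit_hosts(text: str) -> List[Finding]:
    """Report every mapping that is not the stock localhost entry."""
    findings: List[Finding] = []
    for ip_text, hosts in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip_text)
        except ValueError:
            # A line that is not even a valid address is itself worth a look.
            findings.extend(Finding(ip_text, h, "malformed") for h in hosts or ["<none>"])
            continue
        for host in hosts:
            if host.lower() == "localhost" and addr.is_loopback:
                continue  # the one mapping the stock file contains
            verdict = "blackholed" if addr.is_loopback else "redirected"
            findings.append(Finding(ip_text, host, verdict))
    return findings


def restore_default(path: str) -> None:
    """Overwrite the hosts file with the stock content (needs admin rights on Windows)."""
    with open(path, "w", newline="\r\n") as f:
        f.write(DEFAULT_HOSTS)


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"{f.verdict:<10} {f.ip:<16} {f.host}")
```

On a real machine you would point `audit_hosts` at the contents of `%SystemRoot%\system32\drivers\etc\hosts`; the audit is read-only, and `restore_default` is the only step that writes, which is why it is kept separate and why the tidy-up in the thread is left to HostsXpert.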


     
  13. kene_kj

    kene_kj Private E-2

    Abri,

    Attached are the results from SmitFraudFix, with rapport.txt from search, and Raport.txt from Clean, plus Mglogs.zip from running MGtools.

    Thanks so much for your help...!!!!!!

    Kene
     
  14. kene_kj

    kene_kj Private E-2

    Not sure why I cannot edit my post....in any case, I had to load SmitFraudFix to the C:\ location because I couldn't clean in Safe Mode from my user desktop location due to a needed file not being available in the Admin account.....

    Attached is the first Rapport.txt file, after the SmitFraudFix Search.
     
  15. kene_kj

    kene_kj Private E-2

    Abri,

    I have problems running Clean function of SmitFraudFix from Safe mode on XP. A file cannot be found during Clean. When I enter safe mode I have to log in as Administrator and don't have the desktop from the user account I downloaded SmitFraudFix to. I tried downloading to C:\ directory and running there and that didn't help either. Here is what I get when running Clean and SmitFraudFix is in C:\

    Deleting Infected Files..
    CScript error: can't find script engine "VBScript for "C:\Windows\Systems32\GetValue.vbs"
    Scanning IEDT.IX

    I get similar message when running from user account desktop. The clean completes, but I don't know if it did what it needs to. See attached files.

    Is this a problem?
    Can I run in normal mode?
     


    Last edited: Dec 27, 2007
  16. abri

    abri MajorGeek

    Hi kene_kj!
    Your last set of logs looks good. Those infections are gone. I don't know if you may have already deleted them the first time you ran SmitFraudFix. If you don't have further symptoms of malware, I'll post our final cleaning instructions for you. There are two more things you should do first:

    1) Go to add/remove programs and uninstall the following:

    - Viewpoint Manager (Remove Only)



    2) Run HijackThis (it's called analyse.exe under C:\MGTools) and select Do a system scan only. Select the following line but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


    abri
     
  17. kene_kj

    kene_kj Private E-2

    Well, that's a relief. Thank you again so much for your time and attention to this problem. It is quite a commitment of time to help so many people.

    Regards and best wishes.

    Kene
     
  18. abri

    abri MajorGeek

    You're welcome!
    Do take the time to look through the How to Protect Yourself From Malware page. It's an easy read and has some very good information.
    Enjoy your computer!
     
