Similiar Virus...

Hello, THE CANADIAN

I am reviewing your logs and will get back to you with instructions as needed. Please be patient as the logs produce alot of information to go over.

 

Hello, THE CANADIAN

Comments: Important notice for users of Windows XP with Service Pack 2 (SP2) - The support for your product ended July 13, 2010.

*We recommend a MINIMUM of 1 GB for Windows XP and a MINIMUM of 2 GB for Vista or Windows 7 but the more memory you can add the better.

Step 1:
The current SAS version is 4.55.1000 - your version 4.29.1004 is 19 months outdated.

• Please uninstall your current version (this is necessary).
• Then download this SUPERAntiSpyware
• Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
• After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
• Now run a new "Quick scan" of your system. And attach this new log.

Step 2:
Please look in Add/Remove Programs (Programs and Features if using Vista or Windows 7) for the following and uninstall if found. If you get any errors just make a note and continue on.

NOTE: SpywareBlaster v4.3 is an outdated version - the latest is v.4.4

Step 3:
Please download OTM by Old Timer and save it to your Desktop.

• Right-click OTM.exe and select Run as administrator to run it.
• Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
  (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
  the code box

Code:

:Processes
explorer.exe

:services
Inpahcwdewkf

:files
C:\WINDOWS\system32\Inpahcwdewkf.sys
C:\Documents and Settings\Cl‚mence\Local Settings\Application Data\tpu0w2k7uq8031ya
C:\Documents and Settings\All Users\Application Data\tpu0w2k7uq8031ya
C:\Documents and Settings\Cl‚mence\Templates\tpu0w2k7uq8031ya

:reg
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{67A46855-54CF-445F-B798-7C3A1F7A14CE}][start explorer]

:Commands
[start explorer]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow barand choose Paste.
• Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt%21.png button.
• If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
• Close OTM.

Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
this log file to your next message.

Step 4:
Using Windows Explorer - Delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).

Step 5:
Now install the latest Sun Java Runtime Environment

Step 6:
Now do a scan with aswMBR.exe

• Please download aswMBR.exe to your desktop.
• double-click aswMBR.exe to run it
• Click the SCAN button to start the scan.
  http://i268.photobucket.com/albums/jj5/drmoriarty/UsingaswMBRexept1.png
• On completion of the scan click SAVE LOG and save it to your desktop.
  http://i268.photobucket.com/albums/jj5/drmoriarty/UsingaswMBRexept2.png
• Please attach the aswMBR.exe log to your next reply.

*Do not attempt to fix anything with aswMBR.exe until instructed

Step 7:
Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Windows 7, use right click and select Run As Administrator).

Please attach these files your next reply.:

• updated SASlog.txt
• C:\_OTM\MovedFiles\mmddyyyy_hhmmss.log
• aswMBR.exe log
• C:\MGlogs.zip

* Make sure you tell me if you had any problems running this procedure; and answer this - "What malware problems are you still experiencing?"

dr.m

 

Give this a read: should i install java onto my computer or is it even important?

If it were my machine, I would temporarily create enough room on the D Drive -Volume Name: Programs to use an appl like EASEUS Partition Master Home Edition 8.0.1 to re-size that partition. You can receive help with that in our Software Forum.

Using Windows Exporer, delete this folder:
C:\Documents and Settings\Cl‚mence\Local Settings\Application Data\Conduit

Please download MBRCheck to your desktop.

See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  • Done! Press ENTER to exit...
• Or you will see more information like below if a problem is found:
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
• Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

Please run this online scanner and attach the resulting log -

Using ESET's Online Scanner

 

Can you run this successfully?

BITDEFENDER ONLINE SCANNER

dr.m

 

Hello, THE CANADIAN

Your logs are clean - before giving the final cleanup steps I will give you these links which should convince you (if your recent experiences hasn't) that Google Images are a well known source of malware.

http://www.huffingtonpost.com/2011/05/06/google-images-malware_n_858845.html
http://www.pcworld.com/article/227352/attackers_using_google_image_search_to_distribute_malware.html
http://krebsonsecurity.com/2011/05/scammers-swap-google-images-for-malware/

*It is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work through the below link:
    • How to Protect yourself from malware!

Safe surfing! http://i268.photobucket.com/albums/jj5/drmoriarty/Emoticons/char145.gif

 

You're welcome!

The only reference to the "random files" folder in any of the logs was in the Drivers/Services section of ComboFix, and nothing was done to it.

dr.m