Small.bgx apparently won't go away

Welcome to Major Geeks!


UninstallSpyHunter

Is Weather Services something that you installed? If not then uninstall it too.

Is your copy of Spyware Doctor a paid version or free trial? If free, uninstall it too.

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWSabout.htm
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

After clicking Fix, exit HJT.

Now we need to use ComboFix to remove a bunch of malware files.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

More than that. It has never been effective at finding and removing real malware problems and has always had problems with false positives. There are many better choices of tools to use especially if you are willing to pay.

I still would not recommend using it. There are better alternatives. Even using the free Teatimer in Spybot is a better choice. And you should not be using two realtime blocking tools anyway since they can clash.

When did you install SpyHunter? Before or after this infection?

 

You did not answer my question about Weather Services.

Yes but now it appears to be the real one based on the logs you attached. Check the date, time, and size of the C:\WINDOWS\system32\ctfmon.exe file now and what do you see. It does not show in your newfiles.txt log now and it did previously because it was new and was the wrong size. Since it does not show in newfiles.txt now, it means the file is now older than what we look for and I would expect that your system may have restored the original. You cannot just stop this from running, you have to follow Microsoft's instructions to disable this. See the below link:

http://support.microsoft.com/kb/282599

Where? Also I did not notice that you had AOL's Antispyware program installed. Again I would not suggest having multiple realtime antispyware blocking programs installed so exactly what are you referring to from AOL. Is it just an online scan?

What registry issue?



Now we need to use ComboFix again.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Then I cannot help you with it because we are not seeing any valid indications of an infection. If AOL is not telling you what or where it is finding something and it is not fixing it then it is nor worth using. In addition, you have Spyware Doctor and should not need anything from AOL which would most likely be less competent than Spyware Doctor.

Does the below folder exist? If yes then delete it:
C:\Program Files\Bifrost


And just to be on the safe side, let's run the below and get the log.

Using Sophos Anti-Rootkit

All of our recommendations are in the How to protected yourself from malware sticky thread which will also be included in final instructions which I will post after seeing the Sophos log if it is clean.

 

Then at this point you appear to be all clean and I suggest you do the below. Perhaps after toggling System Restore, the issue that AOL is finding will go away.


If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. Uninstall COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
   • Click START then RUN
   • Now type cf /u in the runbox and click OK.
   • Note: The space between the cf and the /U, it must be there.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
6. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
7. If we had you run Avenger, you can delete all files related to Avenger now.
8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
12. If you are running Windows XP or Windows ME, do the below:
    • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
13. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

Had you followed my instructions, these would already be gone as they would have been remove when you did step 12.

 

What happens if you use cf.exe /u instead

 

Where? Was it in system volume information? What file did it point out?

Not malware. It was used by ComboFix and or other programs.

If ComboFix had uninstalled properly this would already be gone. It is just where combofix stores backups.

No you should not need to. You may not be detecting anything to worry about.


Does the below work to uninstall ComboFix?

C:\Documents and Settings\main\Desktop\cf.exe /u

If not, is cf.exe still at the above location?

 

So McAfee says it is BackDoor-AWQ.b ??? Here is a link to the this trojan description on their own website. http://vil.nai.com/vil/content/v_100938.htm It does not mention anything to do with that file. However, that file still does not belong there. Let's see if it really is there. Download and install this: ExplorerXP

It is very easy to use. It is similar to Windows Explorer but much better as far as showing what is really on your hard disk. Use ExplorerXP to navigate to the C:\Documents and Settings\Local Service\Local Settings\Application Data and see if it shows the spool.exe file. If so, see if you can delete it.

Try renaming cf.exe back to combofix.exe
Could you rename it? If so does the below work?

C:\Documents and Settings\main\Desktop\combofix.exe /u

 

Then odds are that it is not there.

Okay let's do it the easy way.

• Click Start, Run and enter cmd and click OK to open a command prompt
• Type cd Desktop at the command prompt and hit enter.
• The prompt should change to show you are on at your Desktop folder now.
• If still named combofix.exe, enter combofix /u at the prompt an hit enter.

Any luck

Changes to the regisry happen all the time for many valid reasons. It does not make it a problem. This is just a notification from Spybot.

 

You're welcome. If McAfee finds anything after clearing our System Restore per my instructions, get their current update, and then boot into safe mode and run a fullscan and see if anything is found and removed.

 

You're welcome. Surf safely!