SorryKestrel, Had to repost - Is my computer clean?

Discussion in 'Malware Help (A Specialist Will Reply)' started by wilmajean1, Mar 16, 2010.

  1. wilmajean1

    wilmajean1 Private E-2

    1. What can you tell me about the below files?

    Quote:
    c:\program files\Uninstall Spy Blocker.dll
    c:\windows\system32\B10C63D0F9.dll
    2. Now we need to use ComboFix

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

    Code:

    KILLALL::

    Driver::
    cesfcd8
    dft4b73
    egec7f9
    fhb5fb0
    jlf661b
    jlk77bb
    kmgfa37
    mti09f7
    prlecac
    ren292c
    sao0828
    tap1a85

    FileLook::
    c:\program files\Uninstall Spy Blocker.dll
    c:\windows\system32\B10C63D0F9.dll

    File::
    c:\windows\system32\drivers\cesfcd8.sys
    c:\windows\system32\drivers\dft4b73.sys
    c:\windows\system32\drivers\egec7f9.sys
    c:\windows\system32\drivers\fhb5fb0.sys
    c:\windows\system32\drivers\jlf661b.sys
    c:\windows\system32\drivers\jlk77bb.sys
    c:\windows\system32\drivers\kmgfa37.sys
    c:\windows\system32\drivers\mti09f7.sys
    c:\windows\system32\drivers\prlecac.sys
    c:\windows\system32\drivers\ren292c.sys
    c:\windows\system32\drivers\sao0828.sys
    c:\windows\system32\drivers\tap1a85.sys

    c:\documents and settings\Wilma\Local Settings\Application Data\prvlcl.dat
    c:\documents and settings\MAIRI~1\Local Settings\Application Data\prvlcl.dat
    c:\documents and settings\Kids\Local Settings\Application Data\prvlcl.dat
    c:\windows\system32\stu2.exe

    Folder::
    c:\documents and settings\All Users\Application Data\avg9
    c:\documents and settings\Wilma\Application Data\AVG8
    c:\documents and settings\All Users\Application Data\Viewpoint

    RegLock::
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]

    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe



    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below


    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    3. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

    4. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
    (Quoted from Kestrel13!, previous thread)

    #2 wilmajean Private E-2
    Further logs: Is my computer clean?
    Further 2 logs.

    Any help would be great.

    Wilma
    Attached Files
    File Type: txt RootReport15.03.10.txt (690 Bytes, 1 views)
    File Type: zip MGlogs.zip (167.3 KB, 1 views)

    #1 wilmajean Private E-2
    Is my computer clean?
    I previously had AVG Free installed on my computer and a couple of weeks ago it kept popping up with a trojan warning. I kept getting diverted to strange sites from my Google search results. I cleaned my computer using Spybot, Adaware and Malwarebytes which seemed to work. Then came along Antivirus 2010 which was a pest so I cleaned again. However AVG kept finding new trojans, so I found this site and have followed the READ ME post.
    I have attached the logs and hope you can tell if I have to do anything further.

    Thanks,
    Wilma
    Attached Files
    File Type: log SUPERAntiSpyware Scan Log - 03-11-2010 - 13-30-57.log (465 Bytes, 1 views)
    File Type: txt mbam-log-2010-03-15 (12-37-23).txt (3.1 KB, 2 views)
    File Type: txt ComboFix.txt (32.3 KB, 1 views)
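As an added example (not code from this thread or from ComboFix itself), a small Python parser for the CFScript layout quoted above, which turns the File and Folder sections into a post-run checklist. It assumes only the section-header convention visible in the script (a name followed by `::`, one entry per line) and uses a constructed sample built from the same entries.

```python
import os
import re

# Constructed sample in the CFScript layout quoted in the thread:
# a section header ending in "::", then one entry per line.
SAMPLE_CFSCRIPT = """KILLALL::

Driver::
cesfcd8
tap1a85

FileLook::
c:\\program files\\Uninstall Spy Blocker.dll

File::
c:\\windows\\system32\\drivers\\cesfcd8.sys
c:\\windows\\system32\\stu2.exe

Folder::
c:\\documents and settings\\All Users\\Application Data\\Viewpoint

RegLock::
[HKEY_LOCAL_MACHINE\\software\\Microsoft\\Windows\\CurrentVersion\\System*]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")


def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}; blank lines are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("entry before any section header: %r" % line)
        else:
            sections[current].append(line)
    return sections


def removal_targets(sections):
    """Paths the script asks ComboFix to delete (File and Folder sections)."""
    return sections.get("File", []) + sections.get("Folder", [])


def still_present(paths, exists=os.path.exists):
    """After the run, report any listed path that still exists on disk."""
    return [p for p in paths if exists(p)]
```

Running `still_present(removal_targets(parse_cfscript(open("CFscript.txt").read())))` on the cleaned machine should return an empty list; anything it returns is a path the script listed but ComboFix did not remove.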
     
  2. wilmajean1

    wilmajean1 Private E-2

    I had to re register so could not post to my previous thread.

    Anyway I want to thank you for looking at my logs.
    I am not sure what these are:
    c:\program files\Uninstall Spy Blocker.dll
    c:\windows\system32\B10C63D0F9.dll

    I ran ComboFix and GetLogs.bat and have attached the logs as requested.
    I noticed when Avira scanned this morning it suspected 3 viruses - log also attached, one of which I think is the MGTools programme.

    The computer seems to be acting normally at the moment - no redirect etc, but I haven't been using it very much today - apart from running the programmes you recommended.

    I hope the logs show everything is clean, and thanks again for your time.

    Wilma

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Well that is rather bizarre, I have not known this to happen before. What exactly was the error message/problem? :confused Perhaps you tried to attach a log you had already attached before or something similar?... I cannot really merge the threads together because you will not have privileges to post in it considering you have a new membership/account. Not to worry, I can flip back to the old thread as and when I need to refer back to other logs posted there.

    I'll review your logs now and post back with a response as soon as possible. :)

     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Rename this file to give it a .old extension like this:

    See how your PC behaves after a day or so and a few reboots, then if nothing unusual is happening you can delete the file.

    The other file I had questioned is just part of zone alarm spyblocker, which you no longer have installed anyway.

    Yes what avira found was just false positives.

    Your logs are now clean anyway :) You can follow these final steps:

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  5. wilmajean1

    wilmajean1 Private E-2

    Hi again,

    The reposting was my fault - mistake in email address, then forgot password and tried to reset - obviously was not able to get the email sending the new password - DUH!:-o

    I have renamed the file as suggested, and deleted the zonealarm one.

    Avira picked up 1 detection yesterday (attached the log) but today seems to be OK.

    I will follow the steps you outlined.

    Thanks so much for your help.

    Wilma

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Avira just snagged on something in System Restore, which after you complete the final steps will not happen anymore as SR will be toggled :)
     
