27th January 2008, 01:00 PM
Newcomer | Join Date: Jan 2008, 8 posts | Location: US
[Solved] PC Clean?
Hello,
Is my sister-in-law's PC clean from malware? Attached is a HiJackThis log and a combofix log. I ran AVG Antispyware and AVG Anti-Virus and no infections were found. I also ran Panda Anti-Root and no rootkits were found. Thank you in advance for your help.
Regards,
cinders
Last edited by Howard; 11th February 2008 at 07:08 PM.
27th January 2008, 01:32 PM
TST Expert | Join Date: Dec 2007, 702 posts | Location: sunderland
Hello cinders and welcome to TST. Howard or evilfantasy will soon be along to let you know about your log.
Enjoy your stay.
27th January 2008, 03:27 PM
Modding Expert | Join Date: Dec 2007, 848 posts | Location: Northern Ontario, Canada
Hey Cinders, were you from the TS?
Welcome to our community!
27th January 2008, 03:36 PM
Super Moderator | Join Date: Oct 2007, 2,181 posts
Please can you stop making completely unnecessary posts. Howard or Evilfantasy will deal with this when they are here.
Do NOT reply to this!
Regards, Jason
27th January 2008, 04:00 PM
Security Team | Join Date: Dec 2007, 2,555 posts | Location: Tulsa, OK
Open Hijackthis then select Do a system scan only and place a check mark next to:
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: mljkjhi - C:\WINDOWS\
Close all windows except for Hijackthis and click Fix checked
Exit Hijackthis.
----------
Download RegASSASSIN to your desktop.
Open RegAssassin and copy then paste this registry key into RegAssassins window then click Delete. (if it is not found don't worry)
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljkjhi
Exit RegAssassin.
----------
Install the Recovery Console.
We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System: choose Windows XP Service Pack 2 (SP2).
Download the file & save it as it's originally named, next to ComboFix.exe.
Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.
----------
Next post please attach:
Combofix log (CF_RC.txt)
New Hijackthis log
Also let us know how the computer is now.
29th January 2008, 12:59 AM
Newcomer | Join Date: Jan 2008, 8 posts | Location: US
Hi,
Attached is a Combofix log and a new Hijackthis log. Does everything look ok now?
Regards,
Cinders
Last edited by Howard; 11th February 2008 at 07:08 PM.
29th January 2008, 02:22 AM
TST Master | Join Date: Dec 2007, 3,366 posts
Hello and welcome to TST.
Your HJT log is clean, so no worries there.
However the other log you posted is a boot.ini file.
Please run Combofix again and post the resulting log file.
Regards, Howard
This thread is for the use of only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Malware Removal forum.
29th January 2008, 02:52 PM
Security Team | Join Date: Dec 2007, 2,555 posts | Location: Tulsa, OK
That's the right log. It is from the Recovery Console being installed by combofix.
It wouldn't hurt to see a fresh combofix log as well to be sure.
Delete the copy you have on the desktop and download a new one in case there have been any updates.
Please download Combofix by sUBs from one of the below links.
(Try all three if necessary)
Important! Combofix.exe MUST be saved to and run from the Desktop.
- Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting Combofix.
- Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
- Click this link to see a list of security programs that should be disabled and how to disable them.
- If yours is not listed and you don't know how to disable it, please ask.
- Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
- Double click combofix.exe & follow the prompts.
- From the keyboard select 1 and press Enter
- When finished, it will produce a log for you.
- Post that log in your next reply.
Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall.
- If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
- Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.
----------
Next post: Combofix log
29th January 2008, 11:31 PM
Newcomer | Join Date: Jan 2008, 8 posts | Location: US
Hello,
Attached is a new Combofix log.
Is it ok if I delete/uninstall the following:
SmitfraudFix
AntiRootKit
VundoFix
RegASSASSIN
HiJackThis
Also, I currently have installed Ad-Aware 2007, Windows Defender, AVG Anti-Spyware (Free Edition) and Spybot Search and Destroy. Do I need all these? Would two be enough, and which two would be the best?
Again, thank you for your help.
Regards,
Cinders
Last edited by Howard; 11th February 2008 at 07:09 PM.
30th January 2008, 12:11 AM
Modding Expert | Join Date: Dec 2007, 848 posts | Location: Northern Ontario, Canada
You can leave the 4 of these...
Ad-Aware 2007, Windows Defender, AVG Anti-Spyware (Free Edition) and Spybot Search and Destroy
They are your protections =)
30th January 2008, 12:37 AM
Security Team | Join Date: Dec 2007, 2,555 posts | Location: Tulsa, OK
The logs look fine. Is the computer running OK now?
Time to do some cleanup and secure the work you have done.
- Click START then RUN
- Now type Combofix /u in the runbox
- Make sure there's a space between Combofix and /u
- Then hit Enter.
- The above procedure will:
- Delete the following:
- ComboFix and its associated files and folders.
- Reset the clock settings.
- Hide file extensions, if required.
- Hide System/Hidden files, if required.
- Set a new, clean Restore Point.
Download OTMoveIt2 by OldTimer (OTMoveIt2.exe) and place it on your desktop.
1. Double click OTMoveIt2.exe to launch it.
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
- When finished exit out of OTMoveIt2
UPDATE!!! UPDATE!!! UPDATE!!!
- If you do not have automatic updates enabled then visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed.
* Help with Windows updates
Learn more about how to protect yourself while on the internet: read this article by Tony Klein: So how did I get infected in the first place?
Let us know if anything else comes up.
30th January 2008, 11:08 PM
Newcomer | Join Date: Jan 2008, 8 posts | Location: US
Hi evilfantasy,
I followed your instructions in the post above. The desktop still shows an icon for RegASSASSIN and a folder for AntiRootKit and AntiRootKit.zip. Can I just delete these?
The computer seems to be running fine except it could be a bit faster. I'm going to check out the slow computer thread. Thanks again for your help.
Regards,
cinders
30th January 2008, 11:11 PM
Security Team | Join Date: Dec 2007, 2,555 posts | Location: Tulsa, OK
Yes please delete any leftover tools and logs.
Hopefully the slow computer thread will help.
Safe surfing.........
31st January 2008, 10:50 AM
TST Expert | Join Date: Dec 2007, 702 posts | Location: sunderland
Quote: Cinders: The computer seems to be running fine except it could be a bit faster. I'm going to check out the slow computer thread. Thanks again for your help.
Look and see how many processes are running; there may be more than you need.
31st January 2008, 03:53 PM
Security Team | Join Date: Dec 2007, 2,555 posts | Location: Tulsa, OK
Marking this thread as solved.
If you need this thread reopened please PM me.
6th February 2008, 11:45 PM
Security Team | Join Date: Dec 2007, 2,555 posts | Location: Tulsa, OK
Thread re-opened at the request of OP.
7th February 2008, 12:34 AM
Newcomer | Join Date: Jan 2008, 8 posts | Location: US
Same PC - Other User Accounts
Hi,
I would really appreciate it if you would take a look at the hijack this and combo fix logs from the other two user accounts on this PC. Please let me know if there is anything that should be fixed. Thank you.
Regards,
cinders
Last edited by Howard; 11th February 2008 at 07:09 PM.
7th February 2008, 04:36 AM
Security Team | Join Date: Dec 2007, 2,555 posts | Location: Tulsa, OK
hijackthisloguser#2.txt - OK
ComboFixlogUser#2.txt - OK
----------
hijackthisloguser#3.txt
Open Hijackthis and select Do a system scan only.
Place a check mark next to the following entries:
- R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
- O4 - HKCU\..\Run: [xpsp1res] C:\WINDOWS\System32\xpsp1res.exe
- O4 - HKCU\..\Run: [pgtaff] C:\WINDOWS\pgtaff.exe
- O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
Important: Close all windows except for Hijackthis and then click Fix checked.
Exit Hijackthis.
----------
Go to add/remove programs and uninstall (if present) LimeShop
MessengerPlus2 <<--NOTE: this is NOT the MSN Messenger 'MessengerPlus' extension. This is malware!
----------
Now download The Avenger By Swandog46, and save it to your Desktop.
- Extract avenger.exe from the Zip file and save it to your desktop
- Run avenger.exe by double-clicking on it.
- Check the Input script manually box.
- Click on the Magnifying Glass Icon which will open a new window titled View/edit script
- Copy everything in the Code box below, and paste it in the box that opens:
Code:
Folders to delete:
C:\VundoFix Backups
Files to delete:
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\WINDOWS\System32\xpsp1res.exe
C:\WINDOWS\pgtaff.exe
C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
Registry keys to delete:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MessengerPlus2
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xpsp1res
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pgtaff
Note: the above instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system.
- Now click the 'Done' button.
- Click on the Green Light and OK the prompt.
- You will be prompted to restart, click OK at the prompt and your PC should reboot, if not, reboot it yourself.
- A log file from Avenger will be produced at C:\avenger.txt
The Avenger will automatically do the following:
- It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
- On reboot, it will briefly open a black command window on your desktop, this is normal.
- After the restart, it creates a log file that should open with the results of Avenger's actions.
- This log file will be located at C:\avenger.txt
- The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
- Please attach the C:\avenger.txt in your next post.
----------
Download DrWeb CureIt & save it to your desktop. Scan with DrWeb-CureIt as follows:
- Double-click on drweb-cureit.exe and then click Start.
- An Express Scan of your PC notice will appear.
- Under Start the Express Scan Now Click OK to start.
- This is a short scan that will scan the files currently running in memory.
- If or when something is found, click the Yes button when it asks you if you want to cure it.
- Once the short scan has finished, Click Options > Change settings
- Choose the Scan tab and UNcheck Heuristic analysis and click OK
- Back at the main window, select the Complete scan button.
- Then click the Green Arrow Start Scanning button on the right and the scan will start.
- Click Yes to all if it asks if you want to cure/move any file(s).
- When the scan is done.
- In the Dr.Web CureIt menu on top left, click File and choose Save report list.
- Save the DrWeb.csv report to your Desktop.
- Exit Dr.Web Cureit.
- Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
- After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
- Copy and paste that log in the next reply
----------
Next post please add:
Avenger log
Dr Web log
NEW Hijackthis log
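The two fix lists in this thread (the O9/O20 entries from the first log, and the R3/O4/O8 entries for user #3 that the Avenger script then turns into file and registry deletions) follow a pattern a log reviewer applies by hand: spot hooks whose file is gone, autostart entries in odd places, and map each selected entry back to the file and registry value behind it. The Python below is an added example written for this page, not a tool used in the thread and not part of HijackThis or The Avenger. It parses those entry formats, flags the generic warning signs (a hook with "(no file)", a Winlogon Notify entry that names no DLL, a Run entry launching from the Windows directory root, a context-menu script in a Temp folder) and builds the "Files to delete" / "Registry keys to delete" lists from reviewer-selected O4/O8 lines. The heuristics, the assumed Windows directory C:\WINDOWS, and the benign ctfmon.exe line in the sample log are assumptions of the example; the other sample lines are the entries quoted in the thread.

```python
"""Triage of HijackThis-style log entries (added example, not a thread tool).

Parses the R3/O4/O8/O9/O20 entry formats quoted in the thread, flags generic
warning signs a reviewer looks for, and maps reviewer-selected O4/O8 lines to
the file paths and Run values an Avenger-style removal script lists.  The
heuristics are illustrative assumptions; the Windows directory is assumed to
be C:\\WINDOWS.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the entries quoted in the thread plus one benign HKCU
# Run entry (ctfmon.exe) added here for contrast.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [xpsp1res] C:\WINDOWS\System32\xpsp1res.exe
O4 - HKCU\..\Run: [pgtaff] C:\WINDOWS\pgtaff.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: mljkjhi - C:\WINDOWS\
"""

# The three entries the reviewer told the user to fix for user #3.
SELECTED_FOR_REMOVAL = [
    r"O4 - HKCU\..\Run: [xpsp1res] C:\WINDOWS\System32\xpsp1res.exe",
    r"O4 - HKCU\..\Run: [pgtaff] C:\WINDOWS\pgtaff.exe",
    r"O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm",
]

WINDOWS_DIR = r"C:\WINDOWS"  # assumption for this example
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HKCU|HKLM)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$")


@dataclass
class Entry:
    code: str      # HijackThis section code, e.g. O4
    body: str      # everything after "O4 - "
    reasons: list = field(default_factory=list)

    @property
    def flagged(self):
        return bool(self.reasons)


def parse_line(line):
    """Return an Entry for a HijackThis log line, or None for anything else."""
    m = ENTRY_RE.match(line.strip())
    return Entry(m["code"], m["body"]) if m else None


def executable_path(target):
    """Strip command-line arguments from an O4 target, honouring quotes."""
    target = target.strip()
    if target.startswith('"'):
        return target[1:target.index('"', 1)]
    m = re.match(r"^(.*?\.(?:exe|dll|scr|com|bat))(?:\s|$)", target, re.IGNORECASE)
    return m.group(1) if m else target.split(" ")[0]


def assess(entry):
    """Attach generic review reasons; a human still decides what to remove."""
    body = entry.body
    if body.endswith("(no file)"):
        entry.reasons.append("points at a file that no longer exists (orphaned hook)")
    if entry.code == "O20":
        # Winlogon Notify DLLs are loaded by winlogon.exe at logon; an entry
        # with no DLL name (path ends in a backslash) has nothing legitimate to load.
        target = body.split(" - ", 1)[1].strip() if " - " in body else ""
        if not target or target.endswith("\\"):
            entry.reasons.append("Winlogon Notify entry names no DLL to load")
    elif entry.code == "O4":
        run = RUN_RE.match(body)
        if run:
            exe = executable_path(run["target"])
            parent = exe.rsplit("\\", 1)[0] if "\\" in exe else ""
            if parent.upper() == WINDOWS_DIR.upper():
                entry.reasons.append("Run entry launches an executable from the Windows directory root")
    elif entry.code == "O8" and "file://" in body and "\\temp\\" in body.lower():
        entry.reasons.append("context-menu item runs a script from a Temp folder")
    return entry


def triage(log_text):
    """Parse every recognised line of a log and assess it."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [assess(e) for e in entries if e is not None]


def removal_script(selected_lines):
    """Build the Avenger-style lists from reviewer-selected O4/O8 lines: each O4
    entry yields the file it launches and its Run value; an O8 file:// item
    yields the script file it points at."""
    files, keys = [], []
    for line in selected_lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if entry.code == "O4":
            run = RUN_RE.match(entry.body)
            if run:
                files.append(executable_path(run["target"]))
                keys.append(f"{HIVES[run['hive']]}\\{RUN_KEY}\\{run['name']}")
        elif entry.code == "O8" and "file://" in entry.body:
            files.append(entry.body.split("file://", 1)[1].strip())
    out = []
    if files:
        out.append("Files to delete:")
        out.extend(files)
    if keys:
        out.append("Registry keys to delete:")
        out.extend(keys)
    return "\n".join(out)


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(("REVIEW " if e.flagged else "       ") + e.code + " - " + e.body)
        for reason in e.reasons:
            print("         -> " + reason)
    print()
    print(removal_script(SELECTED_FOR_REMOVAL))
```

Run as-is, the triage marks the R3, O8, O9, O20 and pgtaff entries for review and leaves ctfmon.exe alone, while removal_script reproduces the xpsp1res/pgtaff/LimeShop part of the Avenger script from the thread. Note that the generic rules do not flag xpsp1res.exe even though the reviewer removed it: it sits in System32 under a name that looks like a Windows component, which is why output like this is a starting point for a human who compares each entry against what the machine is known to run, not an automatic verdict.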
8th February 2008, 02:38 AM
Newcomer | Join Date: Jan 2008, 8 posts | Location: US
Attached is a new hijackthis log and an avenger log. Below is the Dr Web log.
Last edited by Howard; 11th February 2008 at 07:10 PM.
Reason: Log files must be posted as attachments and not copy and pasted.
8th February 2008, 06:10 AM
Security Team | Join Date: Dec 2007, 2,555 posts | Location: Tulsa, OK
This needs to be uninstalled.
MessengerPlus2 - Info - http://www.bleepingcomputer.com/star...s.exe-871.html
Once that is gone I believe the PC will be clean.