Help with log files


FaCt0R

I had some pretty bad malware that was making my computer have problems connecting.

It took like 10 minutes to load a webpage that was very simple or connect to AIM or w/e.

It seems fine now. I just want to make sure.

So if you can read this for me that would be great, just to check to make sure I got everything worked out.

Thanks for your help
 
You really should get a firewall; Comodo or ZoneAlarm would be good. Also, what antivirus stuff do you have? I saw all the Defender Pro stuff but then also AVG.

Think these ones should be OK to fix because they are saying "no file" or "file missing":

R3 - URLSearchHook: (no name) - - (no file)

O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)

O20 - Winlogon Notify: rqrpqno - rqrpqno.dll (file missing)

O23 - Service: Omniquad MyPrivacy - Unknown owner - C:\Program Files\Defender Pro Private Surf\MyPrivacy\mpsvc.exe (file missing)

Don't know about these ones though:

O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab

O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab

Do you recognise them?
 
You are still heavily infected. It appears you followed the preliminary removal instructions already.

I will edit with instructions shortly.
 
Kritius, I do have an antivirus; I use the AVG one. The Defender Pro is the old one that I should probably uninstall, it is no longer registered. I just got Comodo as well.

I do not recognize those entries. I will fix the other ones though, and if I don't recognize them, should I fix them?

Also thanks for the help Blind Dragon
 
Ok,

First let's install the Recovery Console.

Go to Microsoft's website here --> http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Windows XP SP2

Download the file and save it under its original name to your desktop.

Close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please attach that log here.

[screenshot: rc1.gif]
 
I would just follow all of Blind Dragon's advice, he's very good at this and will sort you out.

But yes, uninstall the Defender Pro; if it's no longer registered it's no longer necessary.
 
First go to Add/Remove Programs and uninstall anything that looks like these:
Quicklinks
Jalmp
Forethought


If they're not there, it's OK; follow below.
---------------------------------------------------------------------------------------------------------------
Open notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\Documents and Settings\Kevin.YOUR-1SFDBKYKFJ.000\abutton.dll
C:\Documents and Settings\Kevin\Application Data\tvmcwrd.dll
C:\WINDOWS\system32\ccbeg.bak1
C:\WINDOWS\system32\ccbeg.bak2
C:\WINDOWS\system32\ccbeg.ini2
C:\WINDOWS\system32\kjkmp.bak1
C:\WINDOWS\system32\kjkmp.bak2
C:\WINDOWS\system32\kjkmp.ini2
C:\WINDOWS\system32\w?aclt.exe
C:\windows\system32\qldsregk.exe
C:\WINDOWS\system32\kcnzrop6.exe
C:\WINDOWS\ms05488354408.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{E1-13-39-93-ZN}"="C:\windows\system32\qldsregk.exe" [ ]
"FQQERQ"="C:\WINDOWS\system32\kcnzrop6.exe" [ ]
"ms05488354408"="C:\WINDOWS\ms05488354408.exe" [ ]

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif]


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a fresh HJT log.
 
Ok how do they look :)

Also just wondering how many infections or like how bad were the infections on my computer?

Just to point out that I am having a new problem that I just noticed last night.

When I try to shut down the computer it closes all the programs like it always does, then just sits there looking at my desktop. (Haven't tried it from the log-on screen.)
 
Show hidden files through windows explorer
  • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E.
  • On the Tools menu in Windows Explorer, click Folder Options.
  • Click the View tab.
  • Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run Hijackthis and Select Do A System Scan Only
Put a check mark next to the following entries:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 206.225.145.32:80
O4 - HKLM\..\Run: [{E1-13-39-93-ZN}] C:\windows\system32\qldsregk.exe FI002
O4 - HKLM\..\Run: [FQQERQ] "C:\WINDOWS\system32\kcnzrop6.exe"
O4 - HKLM\..\Run: [ms05488354408] C:\WINDOWS\ms05488354408.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {76CA9E30-5094-46F9-BE90-D47AD59C2C2C} (CClientInfo Object) - http://qsr.radiantenterprise.com/02.136.0007.00/pe/clientdownloads/SuperCab.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab


Select Fix Checked


Use Windows Explorer to navigate to and delete the following files:
  • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E.

Files:
C:\WINDOWS\ms05488354408.exe <-This file only
C:\WINDOWS\system32\kcnzrop6.exe <-This file only
C:\WINDOWS\system32\qldsregk.exe <-This file only

Reboot the computer into Normal Mode

After you reboot to Normal Mode, can you please run and attach a new ComboFix and HijackThis log.
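The rules the helpers applied in this thread (entries marked "(no file)" or "(file missing)" are orphaned and safe to fix; a ProxyServer setting, an O16 DPF download from a bare IP, and O4 Run entries with random-looking names deserve a closer look) can be turned into a small HijackThis log triage script. This is an added Python example, not code from the thread or from HijackThis; the sample log is constructed from the entries quoted above, and the vowel-ratio "random name" heuristic is my own assumption.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample, modelled on the HijackThis entries quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 206.225.145.32:80
R3 - URLSearchHook: (no name) - - (no file)
O4 - HKLM\..\Run: [{E1-13-39-93-ZN}] C:\windows\system32\qldsregk.exe FI002
O4 - HKLM\..\Run: [FQQERQ] "C:\WINDOWS\system32\kcnzrop6.exe"
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O20 - Winlogon Notify: rqrpqno - rqrpqno.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
# Run-key name in brackets, and the basename of any .exe named on the line
NAME_RES = (re.compile(r"\\Run: \[([^\]]+)\]"), re.compile(r'([^\\"\s]+)\.exe'))

def looks_random(name):
    # Assumed heuristic: almost no vowels (FQQERQ, qldsregk) is typical of generated names; expect false positives
    letters = [c for c in name.lower() if c.isalpha()]
    return len(letters) >= 5 and sum(c in "aeiou" for c in letters) / len(letters) < 0.2

def is_bare_ip(url):
    try:
        ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False

def triage(line):
    # Classify one HijackThis entry as fix / review / info and say why
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    verdict, reason = "info", "no rule matched; verify the target manually"
    if "(no file)" in body or "(file missing)" in body:
        verdict, reason = "fix", "orphaned entry: the referenced file no longer exists"
    elif kind == "R1" and "ProxyServer" in body:
        verdict, reason = "review", "browser proxy set to " + body.split("=")[-1].strip()
    elif kind == "O16" and is_bare_ip(body.split(" - ")[-1]):
        verdict, reason = "review", "ActiveX download from a bare IP address"
    elif kind == "O4" and any(looks_random(n) for r in NAME_RES for n in r.findall(body)):
        verdict, reason = "review", "Run entry with a random-looking name"
    return {"kind": kind, "verdict": verdict, "reason": reason, "raw": line.strip()}

def triage_log(text):
    return [r for r in map(triage, text.splitlines()) if r]
```

Run `triage_log` over a full HJT log and sort by verdict to get the "fix" candidates first; anything marked "review" still needs a human to confirm what the file actually is.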
 
I could not find any of the files you said to delete.

I just looked for them first, then when that failed I pasted in the file names you posted and that showed nothing.

Here are the logs.
 
Your logs look clean, except for the fact your old firewall is allowing malware as authorized applications.

I recommend you uninstall Defender Pro entirely, especially if you can't update it. It should have an uninstaller in Add/Remove Programs.
------------------------------------------------------------------------------------------------------------
Update your Java Runtime Environment
  • Click the following link
    Java Runtime Environment 6 Update 4
  • The 4th option down is the one you want
  • After the download locate and double click the installer jre-6u4-windows-i586-p-iftw.exe
  • Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions

-------------------------------------------------------------------------------------------------------------------------------------------------------------

After that

Go to start -> Run -> type in combofix /u
*note the space between
This will uninstall combofix
*remove vundofix backups
*remove quarantine files
*create a fresh clean restore point

Remove Hijackthis from Start-> control panel -> add/remove programs
Remove the 3 tools from step 10 (Smitfraud, VundoFix, VirtumundoBeGone) by dragging them to the Recycle Bin.

I recommend you keep
1 antivirus program (AVG, not anti-spyware)
1 firewall
Spybot S&D, Ad-Aware 2007, and AVG Anti-Spyware if you want, but the version we downloaded is a 30-day trial

Keep them updated.

*You can turn back on your resident protection on your anti-virus

You can also turn on tea timer in Spybot:
  • Click on Mode at the top and make sure that Advanced is checked
  • Expand the Tools tab in the left pane
  • Single click on the Resident Icon also in the left pane
  • Check Resident "TeaTimer" (Protection of over-all system settings) Active
  • Close Spybot

Also, under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example, if you don't use MSN Messenger every time you run your computer you can disable it; then when you want to use it you can launch it through Start -> All Programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green though.
 