Author Topic: virus, trojans, malware oh my....  (Read 3745 times)
SirOlwyn
Topic Starter
Rookie



Posts: 31


« on: September 10, 2008, 10:36:00 PM »

My gf's mom gave me her comp cuz it was infected and I can't get to download CCleaner or HijackThis or anything cuz of the problems. I had the same problem a cpl weeks ago on my comp and you guys were miracle workers, so I have returned. I read in a post about a program that allows you to get into Task Manager if a trojan disabled it, but I can't remember what it was called or what post it was from. If I can get Task Manager to work I might be able to end task the programs so I can download everything I need and post the logs. If anyone knows the program plz help me..... I think it was something like Infiltrate This or that, don't remember...
iamtonsoffun247
Apprentice



Thanked: 7
Posts: 539


« Reply #1 on: September 10, 2008, 10:47:01 PM »

did you try downloading the programs onto a flash drive?
evilfantasy
Malware Removal Specialist
Moderator
Genius



Thanked: 462
Posts: 11,769

Experience: Beginner
OS: Windows 7


Calm like a bomb

evilfantasy's blog
« Reply #2 on: September 10, 2008, 11:35:47 PM »

Can you get anything to download to the desktop but not get the installer to run?

mcxeb52!
Guest
« Reply #3 on: September 10, 2008, 11:40:32 PM »

Try to boot to safe mode with networking and try downloading the programs you want again.

Also, download HijackThis, run it and post the log that the program generates so evilfantasy can help you clean the computer  :)
SirOlwyn
« Reply #4 on: September 10, 2008, 11:44:39 PM »

Ok, first I couldn't get Explorer to open for more than 3 secs, so my first post came from my spare computer since my gf's mom is borrowing mine. I booted the comp in safe mode and am currently following the directions for the logs. Only snag so far is that SuperAntiSpyware can't run in safe mode. I'm currently downloading HJT and will post the 2 logs in a few.
evilfantasy
« Reply #5 on: September 10, 2008, 11:45:59 PM »

Superantispyware can't update in safe mode but it can run.

SirOlwyn
« Reply #6 on: September 10, 2008, 11:57:02 PM »

It comes up with a box that starts with "Windows installer service could not be accessed. Can not be run in safe mode". So I'm gonna try and reboot to normal with all 3 programs downloaded to the desktop and see if I can get them to run that way.
SirOlwyn
« Reply #7 on: September 11, 2008, 12:10:25 AM »

Ok, back on the spare now. I'm currently running SuperAntiSpyware on the infected comp. Depending on how long it takes I might have to continue this Thursday after I get off work, but I should have the logs for you then.
SirOlwyn
« Reply #8 on: September 11, 2008, 05:14:31 PM »

Here are my logs.....evil you're the man

[recovering disk space -- attachment deleted by admin]
evilfantasy
« Reply #9 on: September 11, 2008, 06:11:50 PM »

Go to add/remove programs and uninstall:

MyWebSearch Email Plugin
My Web Search Bar Search Scope Monitor
Viewpoint Toolbar or anything with Viewpoint in the name


----------

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- F3 - REG:win.ini: load=C:\WINDOWS\system32\mpreg.exe
- F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mpreg.exe,
- O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
- O2 - BHO: (no name) - {C76D014D-9F8F-B804-A2D8-B3DECEB35CC0} - (no file)
- O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
- O3 - Toolbar: (no name) - {0CAA216D-B1AF-4C4A-8EDC-FB2D822570CB} - (no file)
- O4 - HKLM\..\Run: [Anti-Virus] C:\WINDOWS\system32\vpms.exe
- O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
- O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\4.bin\m3SrchMn.exe" /m=0
- O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwssvc.exe (file missing)
- O23 - Service: Windows Network Latency Controller (nlc) - Unknown owner - C:\WINDOWS\system32\mpreg.exe (file missing)


Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Go to Start > Run and type notepad.exe then click OK

Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

Code: [Select]
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"Anti-Virus"=-

Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

----------

Go to Start > Run and type Notepad.exe then click OK.

Copy and paste the following text within the code box into the new Notepad file.

Code: [Select]
@ECHO OFF
REM Service names that contain spaces must be quoted, or sc.exe
REM reads only the first word as the service name.
sc stop "COM+ Messages"
sc delete "COM+ Messages"
sc stop nlc
sc delete nlc
exit

In Notepad select File and Save as
Choose the Save to location to be the Desktop and for the File name: type in fixme.bat making sure that the Save as type field says All files.

Next double click fixservice.bat to run it.
A black box should open and close after a short time, this is normal.
Do not continue until the black box has closed
Delete fixservice.bat from the Desktop.
Run CCleaner and then restart the computer.

----------

Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
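The entries evilfantasy picked out above (a UserInit= chain in system.ini, a win.ini load= autostart, orphaned BHO/toolbar CLSIDs, a Run key named "Anti-Virus" pointing at an unknown system32 binary, and a service whose binary is missing) are the persistence patterns a triage script can flag in a HijackThis log automatically. The Python below is an added example, not code from the thread or from HijackThis; the sample log is constructed from the Reply #9 entries plus one benign ctfmon.exe line, and the system32 allowlist is an assumption for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the entries quoted in Reply #9 of this thread, plus one
# benign autorun (ctfmon.exe) so the triage has something to leave alone.
SAMPLE_HJT_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\mpreg.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mpreg.exe,
O2 - BHO: (no name) - {C76D014D-9F8F-B804-A2D8-B3DECEB35CC0} - (no file)
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [Anti-Virus] C:\WINDOWS\system32\vpms.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Windows Network Latency Controller (nlc) - Unknown owner - C:\WINDOWS\system32\mpreg.exe (file missing)
"""

# Constructed allowlist (an assumption for this example): autoruns that
# legitimately live in system32 on the XP box in this thread.
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe"}


@dataclass
class Finding:
    kind: str    # HijackThis section tag, e.g. "F2", "O4", "O23"
    line: str    # the original log line
    reason: str  # why it was flagged


def _exe_name(command):
    """Return the bare executable name from a Run-key command line."""
    m = re.search(r'([^\\"]+\.exe)', command, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def triage(log_text):
    """Return one Finding per line that matches a persistence pattern seen in
    this thread; benign lines produce nothing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or " - " not in line:
            continue
        kind = line.split(" - ", 1)[0]
        low = line.lower()
        if kind == "F2" and "userinit=" in low:
            # system.ini UserInit= normally lists only userinit.exe; anything
            # chained after it is launched at every interactive logon.
            entries = [e.strip() for e in line.split("=", 1)[1].split(",") if e.strip()]
            extra = [e for e in entries if not e.lower().endswith("\\userinit.exe")]
            if extra:
                findings.append(Finding(kind, line, "UserInit chains extra program(s): " + ", ".join(extra)))
        elif kind == "F3" and "load=" in low:
            # win.ini load= is a legacy autostart that is empty on a clean system.
            if line.split("=", 1)[1].strip():
                findings.append(Finding(kind, line, "win.ini load= autostart is set"))
        elif kind in ("O2", "O3") and low.endswith("(no file)"):
            findings.append(Finding(kind, line, "orphaned BHO/toolbar registration"))
        elif kind == "O23" and "(file missing)" in low:
            findings.append(Finding(kind, line, "service registered for a binary that no longer exists"))
        elif kind == "O4":
            m = re.search(r"\[(.*?)\]\s+(.*)$", line)
            if m:
                label, command = m.group(1), m.group(2)
                exe = _exe_name(command)
                if "\\system32\\" in command.lower() and exe not in KNOWN_SYSTEM32_AUTORUNS:
                    findings.append(Finding(kind, line, f"Run entry '{label}' launches unknown system32 binary {exe}"))
    return findings


def summarize(findings):
    """Count findings per section tag; handy for a first look at a long log."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```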

SirOlwyn
« Reply #10 on: September 11, 2008, 08:35:40 PM »

Ok evil, how can I exit McAfee? The guide says right click and choose exit, but that is not an option.
evilfantasy
« Reply #11 on: September 11, 2008, 08:45:24 PM »

Try to run ComboFix. If McAfee tries to block it just allow it to run.

SirOlwyn
« Reply #12 on: September 11, 2008, 09:11:01 PM »

Here are the logs


[recovering disk space -- attachment deleted by admin]
evilfantasy
« Reply #13 on: September 11, 2008, 09:31:39 PM »

Found something new. You also have an AWF trojan. Easy enough to cure but it is a multiple step process.

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]
KillAll::

Driver::
COM+_MESSAGES
MYWEBSEARCHSERVICE
COM+ Messages
MyWebSearchService

File::
C:\WINDOWS\SET64.tmp
C:\WINDOWS\SET61.tmp
C:\WINDOWS\SET70.tmp

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

----------

Download ATF Cleaner by Atribune to your Desktop.

Alternate download link

Note: Vista users must use Run As Administrator
  • Under Main: Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note that your system will run slower for a reboot or two after having used this tool so don't panic.

Important: Restart the computer before continuing.

----------

You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups, then restore them.

Download FindAWF.exe by Noadfear to your Desktop.
  • Double-click FindAWF.exe to start the tool.

  • If a Security Alert shows, allow the program to run.
  • As instructed, press any key to continue.
  • Select option #1 - Scan for bak folders by typing 1 and press 'Enter'
  • When the tool has completed, a report will open up in notepad.
  • Please post the results of the awf.txt in your reply.

evilfantasy
« Reply #14 on: September 11, 2008, 09:42:44 PM »

Almost forgot an important step!!

You can do this after the other steps are complete but be sure to do it.

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.safewebnavigate2008.com/index.php?sid=0&aid=0&pn=&said=0&pid=0

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis and restart the computer to register the changes made by HijackThis.

SirOlwyn
« Reply #15 on: September 11, 2008, 09:59:28 PM »

After ComboFix restarted I got a McAfee warning about something called RemAdm-ProcLaunch!171 in folder c:\327882r2fwjfw\psexec.cfexe

Does that mean anything to ya?

Continuing with next step, ATF Cleaner

[recovering disk space -- attachment deleted by admin]
SirOlwyn
« Reply #16 on: September 11, 2008, 10:20:41 PM »

K here are the logs for ComboFix and AWF

Also I did the HJT for that one item

[recovering disk space -- attachment deleted by admin]
evilfantasy
« Reply #17 on: September 11, 2008, 10:33:18 PM »

Quote
after the combofix restarted i got a mcafee waring about something called RemAdm-ProcLaunch!171 in folder c:\327882r2fwjfw\psexec.cfexe

does that mean anything to ya?

Yes that's part of ComboFix, which is why we suggest turning off the AV before running it. ComboFix uses scripts that are seen as malicious by antivirus. Kind of like the old saying "you have to fight fire with fire." ;)

Double click FindAWF.exe to start the tool.
  • Select option #2 - Restore files from bak folders by typing 2 and press Enter
  • A text file will open up.  Please copy/paste the text in the Code box below into the text file:
Code: [Select]
"C:\Program Files\Dell Support\bak\DSAgnt.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
"C:\WINDOWS\SYSTEM32\bak\hkcmd.exe"
"C:\WINDOWS\SYSTEM32\bak\igfxpers.exe"
"C:\WINDOWS\SYSTEM32\bak\igfxtray.exe"
"C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
"C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe"
"C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
"C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
"C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe"
"C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Java\jre1.5.0_10\bin\bak\jusched.exe"
  • Close the .txt file and click Yes to save the changes.
  • When the tool has completed, a report will open up in notepad.
  • Please post the results of the awf.txt in the next reply.
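Reply #13 describes the AWF pattern (a legitimate autorun executable is overwritten and the original parked in a sibling "bak" folder) and Reply #17 restores the originals from those folders. The Python below is an added example of that triage and restore logic, not FindAWF's code or anything posted in the thread: it builds a constructed temporary directory tree in place of the real C: drive (labelled in the code) and uses SHA-256 comparison to tell a swapped file from an untouched one, which goes a step beyond what the thread says the tool does.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_pairs(root):
    """Walk `root`; for every file inside a folder named 'bak', pair it with the
    same-named file one level up (the spot the trojan overwrote). Status:
      'differs'   - live file exists but its hash != backup (the AWF pattern)
      'identical' - live file is byte-for-byte the backup (nothing to restore)
      'missing'   - live file is gone; only the backup survives
    """
    pairs = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in sorted(filenames):
            backup = os.path.join(dirpath, name)
            live = os.path.join(parent, name)
            if not os.path.exists(live):
                status = "missing"
            elif sha256_of(live) == sha256_of(backup):
                status = "identical"
            else:
                status = "differs"
            pairs.append({"live": live, "backup": backup, "status": status})
    return pairs


def restore_from_bak(pairs, remove_bak_folders=False):
    """Copy each backup over its swapped or missing live file (the effect of
    FindAWF option 2 for the paths you list), then optionally delete the bak
    folders (option 3). Returns the live paths that were restored."""
    restored = []
    for p in pairs:
        if p["status"] in ("differs", "missing"):
            shutil.copy2(p["backup"], p["live"])
            restored.append(p["live"])
    if remove_bak_folders:
        for folder in {os.path.dirname(p["backup"]) for p in pairs}:
            shutil.rmtree(folder)
    return restored


def build_sample_tree():
    """Constructed fixture mimicking the layout seen in this thread: a
    'Program Files' tree in a temp dir where some autoruns were swapped."""
    root = tempfile.mkdtemp(prefix="awf_demo_")

    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    # Swapped: live copy is a stand-in for the dropper, original parked in bak
    put("Program Files/QuickTime/qttask.exe", b"LOADER-STUB (constructed)")
    put("Program Files/QuickTime/bak/qttask.exe", b"MZ original qttask")
    # Untouched: bak holds a copy but the live file was never replaced
    put("Program Files/iTunes/iTunesHelper.exe", b"MZ original iTunesHelper")
    put("Program Files/iTunes/bak/iTunesHelper.exe", b"MZ original iTunesHelper")
    # Missing: live file is gone, only the backup survives
    put("WINDOWS/SYSTEM32/bak/ctfmon.exe", b"MZ original ctfmon")
    return root


def demo():
    """Run scan -> restore -> remove on the fixture and report what happened."""
    root = build_sample_tree()
    try:
        before = {p["live"]: p["status"] for p in find_bak_pairs(root)}
        restored = restore_from_bak(find_bak_pairs(root), remove_bak_folders=True)
        qttask = sha256_of(os.path.join(root, "Program Files/QuickTime/qttask.exe"))
        bak_left = [d for d, _, _ in os.walk(root) if os.path.basename(d).lower() == "bak"]
        return {
            "before": before,
            "restored": len(restored),
            "qttask_restored": qttask == hashlib.sha256(b"MZ original qttask").hexdigest(),
            "bak_folders_left": len(bak_left),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```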

SirOlwyn
« Reply #18 on: September 11, 2008, 10:42:46 PM »

afw log

[recovering disk space -- attachment deleted by admin]
evilfantasy
« Reply #19 on: September 11, 2008, 10:47:52 PM »

Getting closer.

Double-click FindAWF.exe to start the tool.
  • Select option #3 - Remove bak folders by typing 3 and press Enter
  • A text file will open up.  Please copy/paste the text in the box below into the text file:
Code: [Select]
C:\PROGRA~1\DELLSU~1\BAK
C:\PROGRA~1\ITUNES\BAK
C:\PROGRA~1\MESSEN~1\BAK
C:\PROGRA~1\QUICKT~1\BAK
C:\WINDOWS\SYSTEM32\BAK
C:\PROGRA~1\COMMON~1\WRUM\BAK
C:\PROGRA~1\HP\HPCORE~1\BAK
C:\PROGRA~1\INTEL\MODEME~1\BAK
C:\WINDOWS\SYSTEM32\DLA\BAK
C:\PROGRA~1\ADOBE\ACROBA~2.0\READER\BAK
C:\PROGRA~1\COMMON~1\AOL\ACS\BAK
C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK
C:\PROGRA~1\GOOGLE\GOOGLE~2\121128~1.546\BAK
C:\PROGRA~1\JAVA\JRE15~1.0_1\BIN\BAK
  • Close the .txt file and click Yes to save the changes.
  • When the tool has completed, a report will open up in notepad.
  • Please post the results of the awf.txt in the next reply.

SirOlwyn
« Reply #20 on: September 11, 2008, 10:59:17 PM »

afw

[recovering disk space -- attachment deleted by admin]
evilfantasy
« Reply #21 on: September 11, 2008, 11:05:19 PM »

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Now download The Avenger by Swandog46 and save it to your Desktop.
  • Extract avenger.exe from the Zip file and save it to your Desktop
  • Run avenger.exe by double-clicking on it.
  • Do not change any check box options!!
  • Copy everything in the Code box below, and paste it into the Input script here window:
Code: [Select]
Comment:

Folders to delete:
C:\PROGRA~1\COMMON~1\AOL\ACS\BAK


  • Now click the Execute button.
  • Click Yes to the prompt to confirm you want to execute.
  • Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
  • Your PC should reboot, if not, reboot it yourself.
  • A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
  • Add the Avenger log in your next post.
----------

Last step with FindAWF

Double-click FindAWF.exe to start the tool.
  • Select option #4 - Reset Domain Zones by typing 4 and press Enter
  • You will be prompted to answer  "Reset the domain zones?"   Type 1 and press Enter.
  • After completion, then type E and press Enter
Note: if you use SpywareBlaster, Spybot and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and select Enable all protection. For Spybot run the program and select Immunize. For IE-SPYAD, run the batch file and reinstall the protection.

Download ResetProtocolDefaults to your desktop.

Double click ResetProtocolDefaults.reg and answer Yes to any prompts and allow it to merge into the Registry.

----------

Download OTCleanIt.exe and save it to your Desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it yourself.
-----

Go to:
  • Start
  • Run
  • type: CLEANMGR.EXE
  • Press Enter.
When prompted select the C: drive and click OK.
Check the boxes for:
  • Temporary Internet Files
  • Downloaded Program Files
  • Recycle Bin
  • Temporary Files
Click OK or Enter

----------

Use the Kaspersky Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon and choose Run as Administrator.

Click on SCAN NOW
Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In Save as type: click the drop arrow and select: Text file [*.txt]
  • Then, click: Save
  • Save the file to your desktop.
Post the Kaspersky log in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
« Last Edit: September 11, 2008, 11:34:20 PM by evilfantasy »

SirOlwyn
« Reply #22 on: September 11, 2008, 11:10:51 PM »

OTMoveIt has encountered a problem and needs to close.

Does it every time I try to open it, about 1 sec into it
evilfantasy
« Reply #23 on: September 11, 2008, 11:12:22 PM »

Is this when you are trying to enter the text into it?

SirOlwyn
« Reply #24 on: September 11, 2008, 11:17:45 PM »

No, trying to launch it
evilfantasy
« Reply #25 on: September 11, 2008, 11:20:17 PM »

I know. There are two sets of instructions for OTMoveIt2. Did you do the first step in entering the text and clicking MoveIt, or is it the second when trying to run the CleanUp option?

SirOlwyn
« Reply #26 on: September 11, 2008, 11:30:16 PM »

I downloaded it, double click to open and it crashes, I never get to input the text
evilfantasy
« Reply #27 on: September 11, 2008, 11:35:08 PM »

Ok that's what I needed to know.

I just edited the post with new directions to use another program.

SirOlwyn
« Reply #28 on: September 11, 2008, 11:47:44 PM »

OTCleanIt will not launch when I double click it, same error message.
evilfantasy
« Reply #29 on: September 12, 2008, 12:02:35 AM »

Lets try one more.

Download http://download.bleepingcomputer.com/oldtimer/OTScanIt.exe

Unzip it to the Desktop, open the folder and then open OTScanIt.exe

Click the CleanUp button and start the cleanup process. Choose NOT to restart now.

Close OTCleanIt and then re-open it and click the CleanUp button again and start the cleanup process. This time re-start the computer when prompted.

SirOlwyn
« Reply #30 on: September 12, 2008, 12:05:48 AM »

Downloaded it, unzipped it, double clicked it, same error message.
evilfantasy
« Reply #31 on: September 12, 2008, 12:08:15 AM »

Try restarting the computer and launching it again.

SirOlwyn
« Reply #32 on: September 12, 2008, 12:19:30 AM »

No dice, same problem. I'm headed to bed as I have to get up in 4 hrs, but I'll be back tonight after work to try again. On the bright side the comp is running 99% better than it was before you started helping me, thanks for everything man.
evilfantasy
« Reply #33 on: September 12, 2008, 12:23:21 AM »

OK. Don't know what might be blocking it. Delete OTMoveIt2, OTCleanIt, OTViewIt and The Avenger from the desktop. Then go on with the rest of the instructions.

I am going to sign off pretty quick also. You might want to wait on the Kaspersky scan as it takes an hour to run at the least.

See you tomorrow....

SirOlwyn
« Reply #34 on: September 12, 2008, 07:53:31 PM »

After 2 hrs, here we go again!

[recovering disk space -- attachment deleted by admin]
evilfantasy
« Reply #35 on: September 12, 2008, 08:00:37 PM »

Yes but we are getting closer to the end!

I had you delete the Avenger but we need it again.

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Now download The Avenger by Swandog46 and save it to your Desktop.
  • Extract avenger.exe from the Zip file and save it to your Desktop
  • Run avenger.exe by double-clicking on it.
  • Do not change any check box options!!
  • Copy everything in the Code box below, and paste it into the Input script here window:
Code: [Select]
Comment:

Files to delete:
C:\WINDOWS\SYSTEM32\discpci.exe
C:\WINDOWS\SYSTEM32\smbt.exe


  • Now click the Execute button.
  • Click Yes to the prompt to confirm you want to execute.
  • Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
  • Your PC should reboot, if not, reboot it yourself.
  • A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
  • Add the Avenger log in your next post.

SirOlwyn
« Reply #36 on: September 12, 2008, 08:08:57 PM »

Avenger

[recovering disk space -- attachment deleted by admin]
evilfantasy
« Reply #37 on: September 12, 2008, 08:21:47 PM »

Please run The Avenger again and enter this line:

Quote
C:\WINDOWS\SYSTEM32\discpci.exe

SirOlwyn
« Reply #38 on: September 12, 2008, 08:24:12 PM »

After I input the line, Avenger comes up with this:
error:invalid  script. A valid script must begin with a command directive. Aborting execution!
daveworm
Rookie



Posts: 36


« Reply #39 on: September 12, 2008, 08:31:46 PM »

Code: [Select]
Comment:

Files to delete:
C:\WINDOWS\SYSTEM32\discpci.exe
evilfantasy
« Reply #40 on: September 12, 2008, 08:39:26 PM »

Open the attachment at the bottom of this post and save it to your desktop.

It will be named avenger.txt

Open The Avenger and click the folder icon

Locate the file you just saved to the desktop and double click it.

Now click Execute.

Post the log from Avenger.



[recovering disk space -- attachment deleted by admin]

SirOlwyn
« Reply #41 on: September 12, 2008, 08:48:44 PM »

avenger


[recovering disk space -- attachment deleted by admin]
evilfantasy
« Reply #42 on: September 12, 2008, 08:52:25 PM »

How is the computer now?

SirOlwyn
« Reply #43 on: September 12, 2008, 09:01:26 PM »

Seems to be running as fast as 512 MB will let it (gonna have to upgrade that for her).
Now I've got a lot of logs and programs to clean up. Any special instructions for them?
evilfantasy
« Reply #44 on: September 12, 2008, 09:08:27 PM »

Try to run this one more time.

Download OTCleanIt.exe and save it to your Desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it yourself.
----------

If that doesn't run then you can delete all of the logs and The Avenger. Hopefully it will run this time as it will remove all of the specialized tools we have used.

Will post final instructions in a minute...

SirOlwyn
« Reply #45 on: September 12, 2008, 09:27:16 PM »

Once again that dog didn't hunt, but oh well, they won't have a clue what it is anyway.
Once again evil you have saved the day, although this was incredibly more difficult than mine was. I think most other sites would have ignored me after the first day of work, but you never wavered. I have spread the word on Computer Hope and hopefully the world will appreciate it as much as I do. Thank you once again.
evilfantasy
« Reply #46 on: September 12, 2008, 09:29:23 PM »

It's what we're here for. Glad it's running better now.

Final instructions/advice.

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
  • Go to Start > Programs > Accessories > System Tools and click System Restore
  • Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
  • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Next go to Start > Run and type Cleanmgr
  • Click OK
  • Click the More Options Tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide or Windows Vista System Restore Guide
----------

Use the Secunia Software Inspector to check for out of date software.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

To prevent unknown applications from being installed on your computer install WinPatrol 2008
* Using Winpatrol to protect your computer from malicious software

I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

SirOlwyn
« Reply #47 on: September 12, 2008, 10:57:45 PM »

One final question, what do you think of SP3? I've read both good and bad and don't know if I should install it on my gf's mom's comp or not.
evilfantasy
« Reply #48 on: September 12, 2008, 11:02:33 PM »

You should be fine. The main people who were having problems were running MS business software.

SirOlwyn
« Reply #49 on: September 14, 2008, 07:16:51 PM »

Back again  :(  I took the comp to my gf's mom and plugged it in. She logged on to one of the logins (the one I didn't check) and poof, back to crap. This time it won't let Explorer do anything. It will bring up the window, but when you try to go to a website it opens another Explorer and that has just a white screen on it. Gonna try safe mode admin and see if I can get Explorer to work. OK, safe mode admin is a no go, but thanks to the system restore I can get back into the working login. Now I need help trying to get the other login defunkified. Evil...... it's back to driving you nuts....btw the only way I know to get on the admin login is through safe mode, so if I need to do something else let me know. Or should I start a new topic?
« Last Edit: September 14, 2008, 07:46:29 PM by SirOlwyn »
evilfantasy
« Reply #50 on: September 15, 2008, 10:17:55 AM »

Try creating a new user account and see how it works. If needed delete the account(s) that are messed up and use the new one(s) instead.

Copyright © 2010 Computer Hope ® All rights reserved.