
Author Topic: Request for help!  (Read 8203 times)


Jsto

    Topic Starter


    Greenhorn

    Request for help!
    « on: January 19, 2010, 06:32:21 PM »
    I've been having some adware issues (that I thought I had eradicated) on my Dell XPS laptop and everything seems to have come to a head the other night. 

    Currently, my desktop has been replaced with "YOUR SYSTEM IS INFECTED! System has been stopped due to a serious malfunction.  Spyware activity has been detected" etc. and I am unable to change it. Some program (a shortcut shows on the desktop, but not in Add/Remove Programs) called Internet Security 2010 is running and throwing scans and updates at me (it is a red circle with a white X in the system tray).  It's also now giving me a "Critical system warning!  Your system is probably infected with a version of Trojan-Spy.HTML.Visafraud.a.  This may result in website access passwords being stolen from IE, FF, Outlook, etc.  Click yes to scan and remove threats."

    I've had to switch off my internet because of all the popups.  I am also unable to turn off, hibernate, restart, etc. the laptop from the start menu and must hold the power button down to turn it off.  Every link on Google redirects elsewhere.

    I've followed the steps in the Malware removal guide and have made sure everything is up to date.  I run Avira and installed AdAware once I began having issues initially, about two weeks ago.  Both have been detecting, but neither seemed to do much good.  Running XP, SP2 on there. 

    My logs are attached.  After SUPER, my desktop returned to normal and Internet Security 2010 ceased running.  Malwarebytes would not install on the computer for some reason.  Install seemed successful, but when trying to open, I got an error saying it was unable to execute the file.

    Thank you in advance for any help :)

    [Saving space, attachment deleted by admin]

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: Request for help!
    « Reply #1 on: January 23, 2010, 10:00:32 AM »
    Hello Jsto and welcome to Computer Hope Forum. My name is Superdave but you can just call me SD. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    Go to Program Files and click on MalwareBytes-AntiMalware. Right-click on MBAM.exe and rename it to something else like Jessica.exe and see if it will run then. Post the log if you get it to run.

    -----------------------------------------------------------------

    You have Viewpoint installed.

    Viewpoint Media Player/Manager/Toolbar is considered Foistware rather than malware since it is installed without the user's approval but doesn't spy or do anything "bad".

    More information:

    * ViewMgr.exe - Useless
    * Viewpoint to Plunge Into Adware

    It is suggested to remove the program now. Go to Start > Control Panel > Add/Remove Programs - (Vista & Win7 is Programs and Features) and remove the following programs if present.

    * Viewpoint
    * Viewpoint Manager
    * Viewpoint Media Player
    * Viewpoint Toolbar
    * Viewpoint Experience Technology


    ----------------------------------------------------------------------

    Please go to Jotti's malware scan
    (If more than one file needs scanned they must be done separately and logs posted for each one)

    * Copy the file path in the below Code box:

    Code:
    C:\DOCUME~1\Jessica\LOCALS~1\Temp\clclean.0001
    * At the upload site, click once inside the window next to Browse.
    * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    * Next click Submit file
    * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    * This will perform a scan across multiple different virus scanning engines.
    * Important: Wait for all of the scanning engines to complete.
    * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

    --------------------------------------------------------------------------

    Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

    Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

    Exit out of MessengerDisable then delete the two files that were put on the desktop.

    ---------------------------------------------------------------------------------

    You have the incorrect version of HJT. Uninstall the one you have and go below to get the correct version. Run it again and post the log.

    HijackThis

    Download and rename HijackThis.exe (HJT)

    * Double-click on HJTInstall.
    * Click on the Install button.
    * It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
    * Upon install, HijackThis should open for you.

    Close HijackThis and rename it.

    * Go to C:\Program Files\Trend Micro\HijackThis.exe
    * Right-click on HijackThis.exe and select Rename.
    * Type in sniper.exe and press Enter.
    * Right-click on sniper.exe and select Send To > Desktop (create shortcut)
    * From the desktop open HijackThis.
    * If using Windows Vista, Right-click and Run As Administrator.
    * Click on the Do a system scan and save a log file button
    * HijackThis will scan and then a log will open in notepad.
    Copy and Paste the entire contents of the log in your post.
    Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
    Although we have renamed HijackThis to sniper, we will still refer to it as HijackThis or HJT.

    Windows 8 and Windows 10 dual boot with two SSD's

    Jsto

      Re: Request for help!
      « Reply #2 on: January 23, 2010, 07:26:35 PM »
      Thank you!

      For MBAM, the issue is that there is no mbam.exe.  It's why the program won't run and I can't find it anywhere.  I uninstalled and reinstalled, same issue.  I redownloaded the program and tried again with the same result - it's very bizarre.

      My laptop is connecting to the internet, but the internet is not responding.  Firefox is completely blank and IE returns an error.  I don't understand what is causing this - my internet connection is fine, working perfectly on both desktop computers.  I'm going to keep trying, but as of right now, I cannot run Jotti's scan.

      I followed all the other steps, here is my new HJT log.  I will continue to try both MBAM and getting my internet back into working order so I can run Jotti's scan.  If I can work it out, I will upload a new log.  Thanks again for the help, I really appreciate it!

      [Saving space, attachment deleted by admin]

      SuperDave
      Re: Request for help!
      « Reply #3 on: January 24, 2010, 01:51:53 PM »
      A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.

      * Please download LSPFix
      * Run the LSPFix.exe that you have just finished downloading.
      * Check the I know what I'm doing box.
      * In the Keep box you should see one or more instances of rsvp32_2.dll
      * Select every instance of rsvp32_2.dll and move each one to the Remove box by clicking the >> button.
      * If the rsvp32_2.dll file only appears on the right side then just click fix checked and close the program.
      * When you are done click Finish>>

      ---------------------------------------------------------------------------------------

      Click Start. My Computer.
      Select the Tools menu Folder Options. Select the View Tab.
      Under the Hidden files and folders heading select "Show hidden files and folders".
      Uncheck the "Hide protected operating system files (recommended)" option.
      Uncheck the "Hide file extensions for known file types" option.
      Click Yes to confirm. Click OK.

      Click Start, Search, select All Files and Folders. Copy and paste
      Code:
      c:\windows\system32\helper32.dll
      c:\windows\system32\jorapuwa.dll
      and click search. Delete these files.
      You will have to do each file separately
      --------------------------------------------------------------------------------

      Open HijackThis and select Do a system scan only

      Place a check mark next to the following entries: (if there)

      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
      O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
      O4 - HKLM\..\Run: [nifeyewog] Rundll32.exe "c:\windows\system32\hahezalu.dll",a
      O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O20 - AppInit_DLLs: c:\windows\system32\jorapuwa.dll c:\windows\system32\befuvanu.dll nutarezu.dll c:\windows\system32\rajuguke.dll c:\windows\system32\rapugumo.dll c:\windows\system32\hahezalu.dll
      O21 - SSODL: zegobahis - {fad60d8d-74bf-4aa2-93ec-578c49ef4183} - c:\windows\system32\befuvanu.dll (file missing)
      O21 - SSODL: vipemadab - {92c188d8-e058-48bc-bdf5-c90fbb9bb956} - c:\windows\system32\befuvanu.dll (file missing)
      O21 - SSODL: gavofoyed - {74ba5381-bc5e-41d0-bf70-c506ad611745} - c:\windows\system32\rajuguke.dll (file missing)
      O21 - SSODL: tuvejemel - {40e2e30e-a01a-43d2-aa97-d1d058d5f64b} - c:\windows\system32\rapugumo.dll (file missing)
      O21 - SSODL: bivelemeb - {54f262d4-8e96-4a5e-88fc-4e05fc1f15b2} - c:\windows\system32\hahezalu.dll (file missing)
      O22 - SharedTaskScheduler: mujuzedij - {fad60d8d-74bf-4aa2-93ec-578c49ef4183} - c:\windows\system32\befuvanu.dll (file missing)
      O22 - SharedTaskScheduler: gahurihor - {92c188d8-e058-48bc-bdf5-c90fbb9bb956} - c:\windows\system32\befuvanu.dll (file missing)
      O22 - SharedTaskScheduler: tokatiluy - {74ba5381-bc5e-41d0-bf70-c506ad611745} - c:\windows\system32\rajuguke.dll (file missing)
      O22 - SharedTaskScheduler: kupuhivus - {40e2e30e-a01a-43d2-aa97-d1d058d5f64b} - c:\windows\system32\rapugumo.dll (file missing)
      O22 - SharedTaskScheduler: gahurihor - {54f262d4-8e96-4a5e-88fc-4e05fc1f15b2} - c:\windows\system32\hahezalu.dll (file missing)


      Important: Close all open windows except for HijackThis and then click Fix checked.

      Once completed, exit HijackThis.

      ---------------------------------------------------------------------------------------


      « Last Edit: January 25, 2010, 10:40:39 AM by SuperDave »
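As an added example (not code from this thread, from HijackThis, or from the helpers posting here), the script below parses HJT-style log lines such as the ones quoted in Reply #3 and flags the persistence points a responder looks at first: AppInit_DLLs entries, SSODL and SharedTaskScheduler entries (orphaned or not), Run keys that start a DLL through rundll32.exe, and any DLL that shows up in more than one of those places. The sample lines are copied from the thread; the severity labels and the triage rules are assumptions of this example, not anything HijackThis itself reports.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the HijackThis entries quoted in Reply #3.
SAMPLE_HJT_LINES = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [nifeyewog] Rundll32.exe "c:\windows\system32\hahezalu.dll",a
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: c:\windows\system32\jorapuwa.dll c:\windows\system32\befuvanu.dll nutarezu.dll c:\windows\system32\rajuguke.dll c:\windows\system32\rapugumo.dll c:\windows\system32\hahezalu.dll
O21 - SSODL: zegobahis - {fad60d8d-74bf-4aa2-93ec-578c49ef4183} - c:\windows\system32\befuvanu.dll (file missing)
O21 - SSODL: bivelemeb - {54f262d4-8e96-4a5e-88fc-4e05fc1f15b2} - c:\windows\system32\hahezalu.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {fad60d8d-74bf-4aa2-93ec-578c49ef4183} - c:\windows\system32\befuvanu.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")            # "O20 - AppInit_DLLs: ..."
DLL_RE = re.compile(r"([\w-]+\.dll)\b", re.IGNORECASE)  # bare DLL file names
RUNDLL_RE = re.compile(r"\brundll32(?:\.exe)?\b", re.IGNORECASE)


def parse_hjt(text):
    """Split an HJT log into {"type", "body", "raw"} records, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"type": m.group(1), "body": m.group(2), "raw": line.strip()})
    return entries


def _finding(severity, entry, dll, reason):
    return {"severity": severity, "type": entry["type"], "dll": dll,
            "reason": reason, "raw": entry["raw"]}


def triage(text):
    """Return a list of findings for the suspicious entries in an HJT log.

    Severity labels are an assumption of this example, chosen from a
    responder's point of view: anything that loads a DLL into other processes
    or survives reboot on its own is 'high'; orphaned registrations are lower.
    """
    findings = []
    seen_in = defaultdict(set)  # dll name -> HJT entry types it appears in
    for entry in parse_hjt(text):
        t, body = entry["type"], entry["body"]
        dlls = [d.lower() for d in DLL_RE.findall(body)]
        for d in dlls:
            seen_in[d].add(t)
        if t == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded by every process that loads user32.dll.
            for d in dlls:
                findings.append(_finding("high", entry, d,
                    "AppInit_DLLs injects this DLL into every process that loads user32.dll"))
        elif t in ("O21", "O22"):
            # Shell Service Object Delay Load / SharedTaskScheduler: Explorer loads
            # these at logon; legitimate software almost never registers here.
            severity = "medium" if "(file missing)" in body else "high"
            where = "ShellServiceObjectDelayLoad" if t == "O21" else "SharedTaskScheduler"
            for d in dlls or [None]:
                findings.append(_finding(severity, entry, d,
                    f"{where} entry is a persistence point rarely used by legitimate software"))
        elif t == "O4" and RUNDLL_RE.search(body):
            for d in dlls:
                findings.append(_finding("high", entry, d,
                    "Run key starts a DLL through rundll32.exe"))
        elif t in ("O2", "O3") and "(no file)" in body:
            findings.append(_finding("low", entry, None,
                "orphaned entry: registered component has no file on disk"))
    # Cross-reference: one DLL registered in several mechanisms is a strong signal
    # that the entries belong together and should be removed as a set.
    for d, types in sorted(seen_in.items()):
        if len(types) >= 2:
            findings.append({"severity": "high", "type": "+".join(sorted(types)), "dll": d,
                             "reason": f"same DLL registered in {len(types)} persistence points",
                             "raw": ""})
    return findings


def summary(findings):
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_HJT_LINES)
    for f in results:
        print(f"[{f['severity']:6}] {f['type']:12} {f['dll'] or '-':14} {f['reason']}")
    print(summary(results))
```

On the sample, the cross-reference step is what ties the log together: befuvanu.dll and hahezalu.dll each appear in three different mechanisms, which is why the fix in Reply #3 removes the O4, O20, O21 and O22 entries as one group rather than one at a time.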

      SuperDave
      Re: Request for help!
      « Reply #4 on: January 25, 2010, 10:41:07 AM »
      Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

      link #1
      link #2

      Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

      Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

      Vista users Right-click combofix.exe and select Run as Administrator and follow the prompts.
      Double-click combofix.exe and follow the prompts.
      When finished, ComboFix will produce a log for you.
      Post the ComboFix log and a new HijackThis log in your next reply.

      NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

      Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.

      Jsto

        Re: Request for help!
        « Reply #5 on: February 01, 2010, 04:50:59 PM »
        Sorry it's taken so long to reply.  I was busy with school and work and then got a large snow storm that knocked the power out for a few days.

        On LSPfix, there is no rsvp32_2.dll.  I do have rsvpsp.dll, but I'm hesitant to do anything since it's not the exact name you listed.  Also afraid to move on unless I need the first step before doing anything else.

        In the Keep box I have:
        mswsock.dll, winrnr.dll, mdnsNSP.dll, and rsvpsp.dll. 

        In the Remove box I have:
        helper32.dll

        SuperDave
        Re: Request for help!
        « Reply #6 on: February 02, 2010, 01:06:26 PM »
        Just skip over that part and do the rest of the fix. We'll get it fixed later.

        SuperDave
        Re: Request for help!
        « Reply #7 on: February 02, 2010, 01:36:28 PM »
        A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.

        * Please download LSPFix
        * Run the LSPFix.exe that you have just finished downloading.
        * Check the I know what I'm doing box.
        * In the Keep box you should see one or more instances of helper32.dll
        * Select every instance of helper32.dll and move each one to the Remove box by clicking the >> button.
        * If the helper32.dll file only appears on the right side then just click fix checked and close the program.
        * When you are done click Finish>>

        Jsto

          Re: Request for help!
          « Reply #8 on: February 10, 2010, 09:42:43 PM »
          Thanks again for all the help, here are my logs.

          The only issue I still have (to my knowledge) is the inability to shut off/hibernate from the start menu.

          [Saving space, attachment deleted by admin]

          mario21lv



            Rookie

            Thanked: 4
            Re: Request for help!
            « Reply #9 on: February 11, 2010, 12:30:08 AM »
            This type of infection deletes the mbam.exe as soon as it's installed. The way around this is to install Malwarebytes on a clean computer. Go to Program Files and just copy the mbam.exe to a flash drive. On the infected computer, assuming Malwarebytes was installed, transfer the mbam.exe by flash drive to the appropriate Program Files directory. Now you should be able to run Malwarebytes in safe mode.

            Jsto

              Re: Request for help!
              « Reply #10 on: February 21, 2010, 08:49:39 PM »
              Thanks!  Finally got Mbam to run, here is the log.

              I want to apologize again for taking a little while to respond and thank you for all the help.



              [Saving space, attachment deleted by admin]

              SuperDave
              Re: Request for help!
              « Reply #11 on: February 22, 2010, 04:37:44 PM »
              Hello Jessica. It's good to hear from you again.

              Download & run this tool SafeBootKeyRepair-CF

              It will only take a short moment for it to finish running.
              A log will be produced at C:\SafeBoot_Repair.txt. Please post that in your next reply.
              ====================================

              Delete your current version of ComboFix and download a new one.

              Your version of ComboFix is too old. Please follow the instructions below.

              Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

              link #1
              link #2

              Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

              Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

              Vista users Right-click combofix.exe and select Run as Administrator and follow the prompts. (you will receive a UAC prompt, please allow it)

              Double-click combofix.exe and follow the prompts.
              When finished, ComboFix will produce a log for you.
              Post the ComboFix log and a new HijackThis log in your next reply.

              NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

              Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
              « Last Edit: February 22, 2010, 04:47:22 PM by evilfantasy »

              Jsto

                Re: Request for help!
                « Reply #12 on: February 25, 2010, 08:56:05 PM »
                Here are my logs.

                Just one comment, hopefully I didn't screw up.  Even after using the new links, when I started ComboFix, it told me there was an update available so I said yes and let it update.  Should I have left it alone?

                Also, ComboFix rebooted my computer a couple times and the anti-virus programs restarted - I'm hoping that didn't affect the outcome. 

                Thanks!

                [Saving space, attachment deleted by admin]

                SuperDave
                Re: Request for help!
                « Reply #13 on: February 26, 2010, 11:35:48 AM »
                Quote: "Should I have left it alone?"
                No. That's good. Everything should be updated before running. Can you now get into safe mode?
                The logs look good. Let's try one more scan.


                ESET Online Scan

                Scan your computer with the ESET FREE Online Virus Scan

                * Click the ESET Online Scanner button.

                * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
                * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
                * Place a check mark next to YES, I accept the Terms of Use.

                * Click the Start button.
                * Accept any security warnings from your browser.
                * Leave the check mark next to Remove found threats and place a check next to Scan archives.
                * Click the Start button.
                * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
                * When the scan completes, click List of found threats.
                * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
                * Click the <<Back button then click Finish.

                In your next reply please include the ESET Online Scan Log

                Jsto

                  Re: Request for help!
                  « Reply #14 on: February 28, 2010, 08:04:17 PM »
                  I have a new screen coming up upon booting that's asking what OS I want to use - Windows XP media center or some recover console.  Normal?

                  Also, I can now get into safe mode.  Are you wanting me to run that scan in safe mode?  I'm just going to proceed in regular mode for now until you say differently.