
Author Topic: Virus from Hades Please please help :-(  (Read 8152 times)


Andrea0769

    Topic Starter


    Greenhorn

    Virus from Hades Please please help :-(
    « on: March 10, 2008, 10:55:15 PM »
    First let me just start by saying thank you!! Thank you for all you do to help fellow computer users in our darkest hour of need!!! :-)

    I read and followed all evilfantasy's wonderfully long and thorough list of must do firsts... It seems to have made a difference at first, but this stupid virus just keeps coming back. :-( It has taken over my wallpaper with a red screen with a warning that my privacy is in danger and keeps trying to get me to download more wonderful things to protect my computer, it also seems to be engaging and turning off my wireless adapter. Sigh.. I have spent about 14 hours working on this so far, will attach logs as instructed. I have also run Zone alarm, and a new version of CA security suite to no avail.

    Any assistance you can provide will be very much appreciated. I would really like to avoid formatting my hard drive if at all possible.

    Thanks again for your time and efforts!!!

    Logs to follow:


    [recovering space - attachment deleted by admin]

    Spoiler



      Specialist

      Thanked: 50
    • Experience: Beginner
    • OS: Windows XP
    Re: Virus from Hades Please please help :-(
    « Reply #1 on: March 11, 2008, 08:05:25 AM »
    I hate to say this but I would reload the machine at this point. You say you spent 14 hours on this. You could have rebuilt the whole machine many times over by now.

    I am sure someone here can help you but I would copy my data off the machine and then wipe it clean.

    That's just me. Again I am sure someone here can help you.
    "Whenever I watch TV and I see those poor starving kids all over the world, I can't help but cry. I mean I would love to be skinny like that, but not with all those flies and death and stuff." - Mariah Carey, Pop Singer

    neljan



      Adviser

      Thanked: 1
      • Yes
    • Experience: Familiar
    • OS: Windows XP
    Re: Virus from Hades Please please help :-(
    « Reply #2 on: March 11, 2008, 08:32:23 AM »
    I hate to say this but I would reload the machine at this point. You say you spent 14 hours on this. You could have rebuilt the whole machine many times over by now.

    I am sure someone here can help you but I would copy my data off the machine and then wipe it clean.

    That's just me. Again I am sure someone here can help you.

    Yes, I'm sure they will.

    The reason you haven't had a response from one of the malware specialists thus far, Andrea, is probably due to time difference; please give it a little longer before you consider resorting to a total reinstallation.

    I can see some problems, but it's best to wait for one of the specialists who will be along shortly...

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: Virus from Hades Please please help :-(
    « Reply #3 on: March 11, 2008, 08:34:33 AM »
    Thanks Spoiler, that was very helpful information.

    Thanks neljan, time difference can make things harder but we will get it worked out with a little patience.

    Hi Andrea0769 welcome to Computer Hope.

    Open Hijackthis and select Do a system scan only, then place a check mark next to:

    R3 - URLSearchHook: OLE (Part 1 of 5) - - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm265YYUS
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialS etup1.0.0.15.cab
    O21 - SSODL: btrklfr - {0F87A531-94E0-4851-9656-FFDBEB6AE948} - (no file)
    O21 - SSODL: apdqnxp - {E174E9BB-D286-43E7-BB51-4EB67EC9603F} - C:\WINDOWS\apdqnxp.dll

    Now close all windows except for Hijackthis and click Fix checked.

    ----------

    PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

    Download SmitfraudFix (by S!Ri) to your Desktop.
    Extract all the files to your Desktop.
    A folder named SmitfraudFix will be created on your Desktop.

    You may want to print out these instructions or copy and paste them to notepad and save it to the desktop, as you will not be able to see this page in safe mode.
    • Please reboot your computer in Safe Mode by tapping the F8 key just before Windows starts to load and selecting Safe Mode.
    • Open the SmitfraudFix Folder on your Desktop, then double-click smitfraudfix.cmd file to start the tool.
    • Select option #2 - Clean by typing 2 and press Enter.
    • The program will start cleaning your computer and go through a series of cleanup processes. Wait for the tool to complete and disk cleanup to finish.
      • This process can take some time depending on your computer, so please be patient.
      • When it is complete, it will close automatically and you should continue with next step.
      • You will be prompted: "Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
      • The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file.
      • Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.
      A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

      Suggested Step:
      • To restore Trusted and Restricted site zone, select 3 and hit Enter.
      • You will be prompted: Restore Trusted Zone? answer Y (yes) and hit Enter to delete trusted zone.
      • Now reboot into normal mode and post this new rapport.txt in the next post.

        • WARNING: Running this option on a non-infected computer will remove the desktop background. So only run it once!
        ----------

        Next post please add
        Smitfraudfix log
        Also a NEW Hijackthis log






        Andrea0769

          Topic Starter


          Greenhorn

          Re: Virus from Hades Please please help :-(
          « Reply #4 on: March 11, 2008, 02:18:10 PM »
          Sigh... Thanks I feel like there is light at the end of the tunnel :-)

          I followed your latest instructions and upon reboot I could not get Internet Explorer.. grrrr. Soooooo I downloaded it from another computer and reinstalled it, so far so good on that one.

          Here are the new logs...

          [recovering space - attachment deleted by admin]

          evilfantasy

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Calm like a bomb
          • Thanked: 493
          • Experience: Experienced
          • OS: Windows 11
          Re: Virus from Hades Please please help :-(
          « Reply #5 on: March 11, 2008, 05:17:31 PM »
          Looking better but still work to do.

          You have Viewpoint installed.

          Viewpoint Media Player/Manager/Toolbar is considered as foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". See Viewpoint to Plunge Into Adware

          It is suggested to remove the program now.
          Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
          • Viewpoint
          • Viewpoint Manager
          • Viewpoint Media Player
          • Viewpoint Toolbar
          • Viewpoint Experience Technology
          If you have trouble removing Viewpoint, I suggest that you use ViewpointKiller.

          Once you have downloaded ViewpointKiller, unzip it to a convenient location such as your desktop.
          Run ViewpointKiller, and select File > Do All Killings
          Follow the prompts, selecting Yes or No, depending on which selection you are most comfortable with.

          ----------

          Open Hijackthis and select Do a system scan only.

          Place a check mark next to the following entries: (if there)

          O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
          O24 - Desktop Component 1: (no name) - http://privacy.securepccleaner.com/MTY4ODE=/2/5993/ed=2/desctop/


          Important: Close all windows except for Hijackthis and then click Fix checked.

          Exit Hijackthis.

          ----------

          Run CCleaner

          ----------

          Do you know what this is? O23 - Service: RasMan - Unknown owner - c:\clXb.exe

          ----------

          Scan Suspicious File(s)

          Please visit one of the following:
          (Multiple sites are given in case one is not working)
          (If more than one file needs scanned they must be done separately and logs posted for each one)
          Copy the file path in the code box below.
          C:\WINDOWS\system32\mdmcls32.exe
          • At the upload site, click once inside the window next to Browse.
          • Press Ctrl+V on the keyboard (both at the same time) to paste the file path in the window.
          • Next click Send File/Submit/Upload (depending on the site)
            • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
          • This will perform a scan across multiple different virus scanning engines.
          • Please wait for all of the scanning engines to complete.
          • Copy and then Paste the results in the next reply.
          If you don't know what c:\clXb.exe is then run it through the file scanner also.

          ----------

          Next post
          Suspicious file scan results
          NEW Hijackthis log
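
As an added illustration (not part of the thread and not code from HijackThis or any tool named in it), the sketch below triages HijackThis-style log lines like those quoted in the posts above. The heuristics, the reason labels and the final O4 sample line are assumptions made for this example.

```python
import re

# Constructed sample: the first five lines are HijackThis entries quoted in the
# thread above; the last is a made-up benign entry for contrast.
SAMPLE_LOG = r"""
R3 - URLSearchHook: OLE (Part 1 of 5) - - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O21 - SSODL: apdqnxp - {E174E9BB-D286-43E7-BB51-4EB67EC9603F} - C:\WINDOWS\apdqnxp.dll
O23 - Service: RasMan - Unknown owner - c:\clXb.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\app.exe
"""

# "<section> - <kind>: <rest>", e.g. "O23 - Service: RasMan - Unknown owner - ..."
ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<rest>.*)$")
# An .exe/.dll that sits directly in a drive root (no sub-directory).
ROOT_BINARY = re.compile(r"(?i)(?<![a-z])[a-z]:\\[^\\/]+\.(?:exe|dll)$")


def reasons_for(section, rest):
    """Return the triage reasons (assumed heuristics) that apply to one entry."""
    reasons = []
    if rest.endswith("(no file)"):
        reasons.append("missing-file")       # registry entry whose target is gone
    if section == "O23" and "Unknown owner" in rest:
        reasons.append("unknown-owner")      # service binary with no publisher info
    if ROOT_BINARY.search(rest):
        reasons.append("root-binary")        # executable dropped in a drive root
    if section == "O24":
        reasons.append("desktop-component")  # Active Desktop item (HTML wallpaper)
    return reasons


def triage(log_text):
    """Parse a log and return (section, kind, reasons) for every flagged entry."""
    flagged = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # blank line or not a HijackThis entry
        reasons = reasons_for(m["section"], m["rest"])
        if reasons:
            flagged.append((m["section"], m["kind"], reasons))
    return flagged


if __name__ == "__main__":
    for section, kind, reasons in triage(SAMPLE_LOG):
        print(f"{section:4} {kind:22} {', '.join(reasons)}")
```

The O21 entry for C:\WINDOWS\apdqnxp.dll passes these simple checks even though it was selected for fixing earlier in the thread, so an unflagged line is not evidence of a clean one.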


          Andrea0769

            Topic Starter


            Greenhorn

            Can't tell if it's getting better or worse :-(
            « Reply #6 on: March 11, 2008, 09:58:33 PM »
            Ok... I will attach both logs.. I have had to reinstall IE again and am fighting for control of my wireless adapter :-(




            [recovering space - attachment deleted by admin]

            orlandgalistejr

            • Guest
            Re: Virus from Hades Please please help :-(
            « Reply #7 on: March 11, 2008, 10:44:37 PM »
            I don't think so but I want also to resolve how do viruses get lost.

            evilfantasy

            • Malware Removal Specialist
            • Moderator


            • Genius
            • Calm like a bomb
            • Thanked: 493
            • Experience: Experienced
            • OS: Windows 11
            Re: Virus from Hades Please please help :-(
            « Reply #8 on: March 12, 2008, 08:41:17 AM »
            orlandgalistejr, you will need to start a new thread please.

            ----------

            Have Hijackthis fix this entry R3 - URLSearchHook: OLE (Part 1 of 5) - - (no file)

            How is the computer now?

            Andrea0769

              Topic Starter


              Greenhorn

              Re: Virus from Hades Please please help :-(
              « Reply #9 on: March 12, 2008, 09:39:36 AM »
              I will run hijack this again and let you know. It is better, but every time I reboot I have to reinstall IE AND reset my wireless adapter.  :-(

              Also, when IE does finally come up it seems set on go.microsoft.com/FWlink/?LinkId=74005 even though I have yahoo.com listed as my chosen home page....

              Andrea0769

                Topic Starter


                Greenhorn

                Re: Virus from Hades Please please help :-(
                « Reply #10 on: March 12, 2008, 09:42:04 AM »
                On a side note, I have to reinstall IE because it just won't connect. I am definitely connected as I can get and send email, and when I run IE diagnostic it says it can't find anything wrong... but it still cannot find the server.... Most frustrating >:(

                evilfantasy

                • Malware Removal Specialist
                • Moderator


                • Genius
                • Calm like a bomb
                • Thanked: 493
                • Experience: Experienced
                • OS: Windows 11
                Re: Virus from Hades Please please help :-(
                « Reply #11 on: March 13, 2008, 08:06:34 PM »
                Sorry it has taken me a while to respond, been busy.............

                Try Dial a fix

                Please download Dial-a-Fix by djlizard, save it to the desktop then extract it to its own folder.
                • Open the folder and run Dial-a-fix.exe
                • 2 windows will open. Close the one in the background labeled Restrictive Policies
                • On the main window, check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
                • Check all boxes in Section 5, labeled Registration Center.
                • Click Go
                • OK any error messages if received, but write them down and post them here.
                • Restart the computer when done
                Let me know if IE behaves properly.

                If that doesn't work try this method.

                Open Dial-a-fix and click the hammer icon. Select Flush DNS and click Go
                When complete, select Repair Permissions and click Go
                When complete, select Repair/reinstall IE and click Go

                If at any time you are prompted for the XP cd, insert it
                Make note of any error messages and post them here
                Reboot when complete and let me know if there's any change