
Topic: Tried your first post, and "ALL" anti-virus/Spyware/Malware downloads/inst fail


cpnkirk59

    Topic Starter


    Rookie

    I have a three-year-old HP Pavilion dv1000, that had an up-to-date McAfee (AOL free version - kind of strapped for money) and a couple of days old Spybot update, Windows XP.

    I had a msg of two trojans on my McAfee Anti-virus the other day. Earlier, I'd received two e-mails from a friend whose e-mails I trust (but???); one was a highlighted link and the other had a link I had to cut and paste to my browser. The one I pasted took me to a website that wouldn't fully load. A few hours later is when I got the trojan msg from McAfee.

    Roughly twenty-four hours later, I ran my McAfee, followed by Spybot. Spybot failed to load; so, I deleted it and went to download it again; but, I couldn't find a link that would work. I started suspecting my McAfee was bad; so, I tried to go to the McAfee website; but, it kept timing out and not allowing me to access the website. Additionally, System Restore wouldn't execute past the requested restore date and I ran Registry Mechanic.

    I ran a search for any files modified in the past week and another for "*.exe" modified in the past week. I found "sysvxd.exe". It showed "0" bytes, opened it with WordPad, had one line of code that appeared innocuous, and tried to delete it (Task Manager didn't indicate it being used directly and Windows couldn't "delete" it as it was being used). I downloaded the DOS boot disk from this website and deleted it in DOS (please don't give me a hard time on deleting stuff I know nothing about - I was pretty desperate before finding this forum).

    Since then, I've been trying your steps on malware removal; but, can't get any anti-virus/malware programs to work properly. When I try to download them, I can't directly go to their website, as I get re-directed or timeout with IE; so, I cut and paste links to sites like CNET to get the download. Either they don't install (Superantispyware and Malwarebytes) or they won't launch after install (Twister Anti-Trojan). I also tried "Add/Remove" programs; but, saw nothing malicious.

    I managed to download Avast Antivirus in Safe Mode, installed it, selected "Boot Scan", and re-booted. It found two trojans and quarantined them during boot; but, I couldn't get it to update online (popup said no access to server). I ran it twice and it found no viruses.

    I then tried step 2 (CCleaner); which worked fine; but, after downloading SuperAntiSpyware from step 3 couldn't get it to install (did get a log from the Windows "program failed to execute" report; but, I couldn't highlight it, to save to my Notepad).

    During one re-boot, I got two "yellow" shields (updates from Microsoft). One was the Service Pack 3 update and the other was Microsoft Malware Removal Tool. I started downloading the Malware Removal Tool and then canceled it, as I'd never heard of it. After researching and finding out it was legit, I tried the Windows Malware Removal Tool and Live Care/Protection Center. I can't get it to download the Malware Removal Tool directly now (apparently it comes out as an update directly every 28 days - not sure if I can wait that long to get my laptop back), ran the online virus scan three times (no viruses), and then installed the "Live Care" virus protection (ran it twice and found no viruses).

    Last night, I did get AVG to download (removed Live Care anti-virus) and install, couldn't get it to update and ran it without (updating). It found no viruses.

    I've removed all anti-virus protections, did a Torrent (tried all the free trials, as I try to pay for all software I use) download on full versions of SuperAntiSpyware, Malwarebytes and AVG on a separate computer (did Norton virus and Spybot scans on the files after downloading and extracting them) and copied them to a CD. I tried to install these in both Safe and Normal modes; but had similar problems (Malwarebytes won't install, and AVG says Administrator has prevented its install and SuperAntiSpyware won't even install from the disk or from the desktop to load after pasting the files to the desktop).

    I have no log files, as I didn't save the only one from Avast (I did get some log files from SuperAntiSpyware; but, couldn't copy them to notepad as mentioned above).

    I finally installed AVG (with some problems) in Safe Mode. Attached are the logs for the install and "C:\" drive scan.

    I tried Avast again, couldn't get it to update. Downloaded updates on a different computer and uploaded them by cd to the infected computer. Four Trojans found, one on Nod32 file on my desktop that I tried to install. No log.

    Finally backdoored and re-named SAS, MBAM, and HijackThis. Attached are those logs.

    Will upload log when it finishes.
    Any other help or ideas?

    [Saving space - attachment deleted by admin]
    « Last Edit: November 29, 2008, 02:46:17 AM by cpnkirk59 »

    CBMatt

    • Mod & Malware Specialist


    • Prodigy

    • Sad and lonely...and loving every minute of it.
    • Thanked: 167
      • Yes
    • Experience: Experienced
    • OS: Windows 7
    It's certainly a messy little process you've got going on there.  Heh.  But at least you managed to get us some logs, which is what matters.  Your MBAM scan found a nasty infection (probably what's causing most of your problems), but it wasn't removed.  Try scanning with MBAM again and this time, instruct it to remove the infections.  When you do this, post the new log.  Also, follow these instructions below...

    Please print these instructions as they will be needed later when Internet access is not available.
     
    Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/168491182/SDFix.exe.html

    When using this tool, you must use the Administrator's account or an account with Administrative rights.
    • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
    • DO NOT use it just yet.
    • Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
     
    Open the SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Copy and paste the contents of the results file Report.txt in your next reply.
    Quote
    An undefined problem has an infinite number of solutions.
    - Robert A. Humphrey

    cpnkirk59


      Thanks for all the help by the way. Ran MBAM and SDFix. Still some Avast files left on computer the first time I ran SDFix (...mon.dll); so, it would ask me to shut down the file or ignore. I kept clicking on the shutdown tab on SDFix; but, it kept popping up, till I clicked on ignore. Deleted what Avast files I could find without running a search, and ran SDFix a second time. Attached are the three logs.

      Appreciate all the help and patience! Don't have the money to go and pay someone to recover my laptop; and I like learning the little bit I have during this process.

      RP

      [Saving space - attachment deleted by admin]

      CBMatt

      For getting rid of any additional Avast files, you can try this tool:
      http://www.avast.com/eng/avast-uninstall-utility.html

      By looking at these logs, it looks like the brunt of your infection should be gone now.  Please post a new HijackThis log and I will see if there is any other junk that needs to be removed.

      How is your computer running so far?  Is there any improvement?

      cpnkirk59


        Seems to be normal. Just got your reply and haven't had a chance to run HijackThis. Will attach it to this post later. Thanks again!

        RP

        cpnkirk59


          Hopefully, the last Hijacker log! Thanks again.

          RP

          [Saving space - attachment deleted by admin]

          CBMatt

          Not the last log, unfortunately, but it shouldn't be much longer.  You've managed to catch another infection, so we're going to have to hit this with a stronger attack...

          Once we start, you won't have access to this post anymore, so I recommend that you print out this post or save it to a Notepad file.  Open HijackThis and scan again.  Check the following entries, but don't do anything to them yet...

          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
          O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - blank (file missing)
          O4 - HKLM\..\Run: [Windows Corporation] service.exe


          Now, close all windows (including this one) besides HijackThis, then click Fix Checked.  Close HijackThis and Download ComboFix and save it to your desktop.  Run the program and read its disclaimer (it's fairly short) and make sure you really pay attention to what it says.  Follow the prompts (should be straightforward) and when finished, it will produce a log at C:\ComboFix.txt.  Go ahead and post that here, along with a new HijackThis log.  Note: Don't click on the window while it's running; this may cause stalls.

          There are a couple of files that we need to remove, but I'm hoping to remove them with ComboFix to help avoid confusion.
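The three HijackThis entries CBMatt singles out each follow a pattern a triage script can catch: an IE page pointing at a local file instead of a URL, a BHO whose DLL is missing, and a Run key launching a bare filename that Windows resolves via the search path. This is an added example, not code from the thread or from HijackThis; the three benign lines and the CLSID in them are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the three entries flagged in the thread above, plus three
# benign lines (made up here, CLSID included) so the triage has entries to pass.
SAMPLE_LOG = "\n".join([
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/",
    r"O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - blank (file missing)",
    r"O2 - BHO: Example PDF Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll",
    r"O4 - HKLM\..\Run: [Windows Corporation] service.exe",
    r'O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe"',
])

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
R_RE = re.compile(r"^(?P<kind>R[01]) - (?P<key>[^=]+?) = (?P<value>.*)$")
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')  # optionally quoted drive-letter path


@dataclass
class Finding:
    section: str   # HijackThis section tag (R0, O2, O4, ...)
    line: str      # the log line as written
    reason: str    # why it was flagged


def check_line(line: str) -> Finding | None:
    """Return a Finding for a suspicious HijackThis line, or None if it looks ordinary."""
    line = line.strip()
    if m := O4_RE.match(line):
        # A Run entry with no absolute path is resolved through the search path,
        # so an attacker-dropped file of the same name can shadow the intended one.
        if not ABS_PATH_RE.match(m.group("cmd")):
            return Finding("O4", line, "autorun command has no absolute path; resolved via search path")
        return None
    if m := O2_RE.match(line):
        # HijackThis marks a registered BHO whose DLL is gone with "(file missing)".
        if "(file missing)" in m.group("path"):
            return Finding("O2", line, "BHO registered but its DLL is missing (orphaned or hidden)")
        return None
    if m := R_RE.match(line):
        val = m.group("value")
        if not (val.lower().startswith(("http://", "https://", "about:")) or ABS_PATH_RE.match(val)):
            return Finding(m.group("kind"), line, "IE page set to a relative local file instead of a URL")
        return None
    return None


def triage(log_text: str) -> list[Finding]:
    """Run check_line over every line of a HijackThis log and collect the findings."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```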

          cpnkirk59


            Done and attached. When downloading ComboFix (I was typing ComboFix into the Google toolbar, rather than use the link on your post, due to the problems I was encountering before), Firefox started doing weird things. The previous page arrow wouldn't highlight when selecting a new page or link. When I just rebooted from ComboFix (it never prompted me for a shutdown; but, all desktop icons and Windows task bars remained clear after ComboFix finished) shutdown; Firefox launched and had some problems, but seems to be working fine now. Windows loading is taking longer now than before, partially due to SuperAntiSpyware launching; but, I can't tell what else is slowing it down as Task Manager doesn't show anything else loading. Was it possibly due to being the first re-boot?

            RP

            [Saving space - attachment deleted by admin]

            CBMatt

            Not sure what to make of the Firefox and booting issue.  Could be related to the infection or it could just be a coincidence.  Either way, let's hope it subsides after these steps...

            Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

            Delete these files/folders, as follows:

            1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
            It must be Notepad, not Wordpad.
            2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

            Code:
            KillAll::

            Folder::
            c:\program files\WebEx

            File::
            C:\WINDOWS\SYSTEM\blank.htm
            C:\WINDOWS\service.exe
            C:\WINDOWS\system\service.exe
            C:\WINDOWS\system32\service.exe

            3. Go to the Notepad window and click Edit > Paste
            4. Then click File > Save
            5. Name the file CFScript.txt - Save the file to your Desktop
            6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



            ComboFix will begin to execute, just follow the prompts.
            After reboot (in case it asks to reboot), it will produce a log for you.
            Post that log (Combofix.txt) in your next reply along with a new HJT log.

            Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

            cpnkirk59


              Done!???? Still had the problem with Windows loading and Firefox launching when I went to run these two programs and do the ComboFix. I did run all my anti-virus/malware/spyware last night prior to doing the first run of ComboFix. My McAfee found PrcViewer (SDFix A0143876.exe), RemAdm-ProLaunch!171 (ComboFix PSExec.cfexe, CF16980.exe), and EICAR test file (Av-Test CF17571.exe). I don't have the logs for those, as I didn't save the one McAfee produced when it found the PrcViewer and none were produced for the other two entries. McAfee did call the EICAR test file a Virus and the other two "PUPs".

              Back to you. I will do another re-boot and see how it loads now.

              RP

              [Saving space - attachment deleted by admin]

              cpnkirk59


                Ran an old "copy" of Registry Mechanic and it found 344 items to fix (most were related to Nero, which I recently removed, and the rest related to WebEx that you had me remove in the last ComboFix). Trying another re-boot.

                CBMatt

                There's no need to worry about those.  The first file is part of a System Restore backup.  In its current state, it is harmless, but we will remove it in a minute.  The second file is just a false positive (it's part of ComboFix); McAfee sometimes gets confused by other scanning tools.  The EICAR isn't actually a virus.  It's a file that only resembles an infection; we use it to test anti-virus programs to make sure they are detecting properly.  Feel free to remove EICAR.

                With that said, your computer looks clean to me.  You don't need ComboFix, so we'll uninstall it.  Just go to Start > Run and type in combofix /u (note the space) and click OK.  ComboFix will now uninstall itself.

                You'll now want to clean out your System Restore.  This is to remove any infected files that have been backed up by Windows.  Please follow these steps...

                1.  Go to Start > Programs > Accessories > System Tools > System Restore
                2.  Click on System Restore Settings.
                3.  Check Turn off System Restore and click OK.
                4.  Restart your computer.
                5.  Follow steps 1 and 2 to return to the settings, uncheck Turn off System Restore, and click OK.
                6.  Create a new restore point and close the program.

                System Restore will now be active again.  If you would like to learn more about System Restore, go here.



                Let me know if you have any problems with these steps.  How are things running now?

                cpnkirk59


                  Ran good after the last ComboFix reboot. Thanks again for all the help! I haven't done the other steps; but, I won't have any problems with them. Have a good Holiday!

                  RP

                  CBMatt

                  Thanks, you too.  I'm glad to hear that things are running smoothly now.  Good luck!

                  Computer Hope Admin

                  • Administrator


                  • Prodigy

                    Thanked: 248
                    • Yes
                    • Yes
                    • Yes
                    • Computer Hope
                  • Certifications: List
                  • Computer: Specs
                  • Experience: Guru
                  • OS: Windows 10
                  Now that you're all fixed you may also want to consider updating Windows to SP3 as well.
                  Everybody is a genius. But, if you judge a fish by its ability to climb a tree, it will spend its whole life believing that it is stupid.
                  -Albert Einstein