
Author Topic: Logs attached, need next step for malware fix  (Read 14463 times)


lindyoppa

    Topic Starter


    Rookie

    Logs attached, need next step for malware fix
    « on: December 29, 2008, 03:47:28 AM »
    Did the best I could on my own, but stuck!

    Smitfraud and Virtumonde seemed to be the main culprits, and they were hard to get out. Malwarebytes finally showed a clean scan in Safe Mode.

    However, when I try to restart in normal mode, my desktop is just blue (all the icons are there though) but I cannot click anywhere or do anything, including Ctrl-Alt-Delete.

    So I'm stuck.

    First, the facts:
    XP home, SP3
    HP Pavilion, Intel Celeron, 1.70GHz, 1GB RAM
    I use Avast! anti-virus, the free version.
    Prior to this problem, I had Spybot S&D, Adaware2008 & Vundofix.

    I googled this problem and read some other stuff and ran SmitFraudFix, Malwarebytes, SpywareBlaster, CCleaner before I came to this site.

    Then I followed all the steps on the sticky here, EXCEPT the following:
    --I can't install the new Sun Java. It gives that bogus "administrator access" error.
    --Same with the SUPERAntivirus software. I even downloaded the suggested link from superantivirus.com, suggested for when that error message appears, but it still happens just the same.

    I looked these up, and apparently it is a common problem but I think the next step in fixing them is attaching the HJT log here...

    When I ran Malwarebytes, the first time it showed LOTS of really ugly things and I just got rid of all of them. (attached, "FIRST")
    The second time, only 3 were found (attached "SECOND")
    The third time, all clear (attached, "LAST")

    I really hope I didn't screw up any registry stuff though--before I landed on this site, I read somewhere to do the CCleaner and chose the one that was akin to "remove all the bad things you found" but I did this without creating a backup registry.  Doh. Maybe.

    THANKS!!!!!!!!!!!!!!

    [attachment deleted by admin]

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: Logs attached, need next step for malware fix
    « Reply #1 on: December 29, 2008, 06:40:21 PM »
    Welcome to CH.

    Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.
    • Scroll down to “Non-plug and Play Drivers” and click the plus icon to open those drivers.
    • Then search for TDSSserv.sys
    • Let me know if you find this or not.
    • If you do find it, right click on it, and select “Disable”. Do not try to uninstall it.
    • Also if this is found and you disable it.
    • Now reboot.
    Try going into Normal mode now. If not then use Safe Mode to run HijackThis.

    ----------

    Open HijackThis and select Do a system scan only.

    Place a check mark next to the following entries: (if there)
    • O2 - BHO: (no name) - {5AAABBC4-A5B8-4BBC-92E7-64A0EDBF8476} - (no file)
    • O2 - BHO: (no name) - {B0B3393C-62D1-44D8-ABF5-08E0F067F29E} - (no file)
    • O2 - BHO: (no name) - {F23D9E6C-69E5-4D47-8DAA-F942D83A84CD} - C:\WINDOWS\system32\jkkKbARJ.dll (file missing)
    • O4 - HKLM\..\Run: [brastk] brastk.exe
    • O4 - HKLM\..\Run: [Qrawuv] rundll32.exe "C:\WINDOWS\oporijeg.dll",e
    • O4 - HKLM\..\Run: [2db55a04] rundll32.exe "C:\WINDOWS\system32\lowxetbq.dll",b
    • O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
    • O20 - AppInit_DLLs: zzpsku.dll
    • O20 - Winlogon Notify: yaywvtUN - yaywvtUN.dll (file missing)
    • O20 - Winlogon Notify: __c00328F9 - C:\WINDOWS\
    Important: Close all windows except for HijackThis and then click Fix checked.

    Exit HijackThis.

    ----------

    Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

    Go to Start > Run and type notepad.exe then click OK

    Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

    Code: [Select]
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "brastk"=-
    "Qrawuv"=-
    "2db55a04"=-

    Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

    Delete the fixme.reg from the Desktop.

    Restart the computer again trying Normal mode first.

    ----------

    Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

    Link #1
    Link #2

    **Note:  It is important that it is saved directly to your Desktop

    Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

    Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
     
    Double click combofix.exe & follow the prompts.

    For Windows XP Systems install the Recovery Console:

    - If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
    - If for some reason your Internet is not working click No.
    - If you are not using Windows XP, you will not be prompted.
    - When prompted to accept the EULA click OK.
    - Accept Microsoft's EULA (Click Yes).
    - When you are told that the RC is installed correctly click YES to continue scanning for malware.

    When finished ComboFix will produce a log for you.
    Post the ComboFix log and a new HijackThis log in your next reply.

    Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

    lindyoppa

      Re: Logs attached, need next step for malware fix
      « Reply #2 on: December 30, 2008, 01:09:19 AM »
      Thanks! I seemed to be able to do everything in the instructions, EXCEPT, during ComboFix, I was not prompted at all about the Recovery Console items, even though I am running XP.  Everything worked in Normal Mode too, HOORAY!!

      ALSO: I went back and installed the latest Sun Java and the SUPERAntiSpyware like it said in the original instructions, and this time it let me do everything!!!

      I see the light at the end of the tunnel, thanks to you...

      ATTACHED ARE THE LATEST HJT AND COMBOFIX LOGS.

      [attachment deleted by admin]

      evilfantasy
      Re: Logs attached, need next step for malware fix
      « Reply #3 on: December 30, 2008, 02:54:35 PM »
      Good job!

      Download the Norton Removal Tool (SymNRT) to your Desktop.

      Once downloaded please close ALL open browsers, also save any work because this may require a restart.
      • Go to your desktop and double click on the removal tool and then click Setup.
      • Once open Click Next
      • Accept the license agreement and click Next
      • Type in the letters/numbers that you see into the text box then click Next.
      • Then click Next and the tool will start running.
      • Once finished restart the PC and run the tool again to ensure everything has been removed.
      • Delete Nortonremoval tool from your Desktop.
      ----------

      Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

      Delete these files/folders, as follows:

      1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
      It must be Notepad, not Wordpad.
      2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

      Code: [Select]
      KillAll::

      Driver::
      -------\Legacy_TDSSSERV.SYS
      -------\Service_seneka
      -------\Service_TDSSserv.sys

      File::
      c:\windows\system32\OLD27.tmp
      c:\windows\system32\OLD28.tmp
      c:\windows\system32\bgl.exe
      c:\windows\system32\k9261108.exe
      c:\windows\000001_.tmp
      c:\windows\Tasks\mvlxxnjd.job
      c:\windows\system32\rundll32.exe
      C:\WINDOWS\ALCMTR.EXE

      Registry::
      [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad445336-5ba1-11dd-bb75-00173104f808}]

      3. Go to the Notepad window and click Edit > Paste
      4. Then click File > Save
      5. Name the file CFScript.txt - Save the file to your Desktop
      6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



      ComboFix will begin to execute, just follow the prompts.
      After reboot (in case it asks to reboot), it will produce a log for you.
      Post that log (Combofix.txt) in your next reply.

      Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

      lindyoppa

        Re: Logs attached, need next step for malware fix
        « Reply #4 on: December 30, 2008, 03:28:10 PM »
        Ok, I did the drag n drop thing, and it rebooted automatically, but I can't find the combofix.txt log!! None showed up, and the only combofix.txt log I can find is an old one I did yesterday...

        ALSO, when I ran the Norton Remover thing, the Windows Security Alert red-X shield appeared at the bottom and now it says firewalls are now disabled/unsecure, and when I click it, it says that it cannot be found (rundll32.exe).  Maybe that was an evil file anyway, designed to dupe me!?

        Please advise. Should I do the drag-n-drop thing again?

        thanks!

        evilfantasy
        Re: Logs attached, need next step for malware fix
        « Reply #5 on: December 30, 2008, 03:31:30 PM »
        You may need to reinstall avast but do this first.

        Download the OTMoveIt3 by OldTimer

        Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

        * Save it to your Desktop.
        * Double-click OTMoveIt3.exe to run it.
        * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

        Code: [Select]
        :Processes
        explorer.exe

        :services

        :reg
        [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad445336-5ba1-11dd-bb75-00173104f808}]

        :files
        c:\windows\system32\OLD27.tmp
        c:\windows\system32\OLD28.tmp
        c:\windows\system32\bgl.exe
        c:\windows\system32\k9261108.exe
        c:\windows\000001_.tmp
        c:\windows\Tasks\mvlxxnjd.job
        c:\windows\system32\rundll32.exe
        C:\WINDOWS\ALCMTR.EXE

        :Commands
        [purity]
        [emptytemp]
        [start explorer]
        [Reboot]

        * Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
        * Click the red Moveit! button.
        * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
        Close OTMoveIt3

        Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

        lindyoppa

          Re: Logs attached, need next step for malware fix
          « Reply #6 on: December 30, 2008, 03:58:25 PM »
          ok, here the results are pasted below, but I should tell you that it got stuck when it was rebooting itself, and I needed to hold the power button down and restart myself.  Also, IE seems to want to open by itself on reboot (never did before, besides I usually use Opera), but it had an error. It usually sends the error report fine, but this time it said some error on sending the error report, and got stuck.

          Anyway, here is the OTMoveIt log:
           

          ========== PROCESSES ==========
          Process explorer.exe killed successfully.
          ========== SERVICES/DRIVERS ==========
          ========== REGISTRY ==========
          Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad445336-5ba1-11dd-bb75-00173104f808}\\ not found.
          ========== FILES ==========
          File/Folder c:\windows\system32\OLD27.tmp not found.
          File/Folder c:\windows\system32\OLD28.tmp not found.
          File/Folder c:\windows\system32\bgl.exe not found.
          File/Folder c:\windows\system32\k9261108.exe not found.
          File/Folder c:\windows\0[]00001_.tmp not found.
          File/Folder c:\windows\Tasks\mvlxxnjd.job not found.
          File/Folder c:\windows\system32\rundll32.exe not found.
          File/Folder C:\WINDOWS\ALCMTR.EXE not found.
          ========== COMMANDS ==========
          File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\hpodvd09.log scheduled to be deleted on reboot.
          File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\_hphtra07.log scheduled to be deleted on reboot.
          File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DF35C2.tmp scheduled to be deleted on reboot.
          User's Temp folder emptied.
          User's Temporary Internet Files folder emptied.
          User's Internet Explorer cache folder emptied.
          File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
          File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
          File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
          Local Service Temp folder emptied.
          Local Service Temporary Internet Files folder emptied.
          File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
          File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_628.dat scheduled to be deleted on reboot.
          File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_804.dat scheduled to be deleted on reboot.
          File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_d00.dat scheduled to be deleted on reboot.
          Windows Temp folder emptied.
          Java cache emptied.
          FireFox cache emptied.
          Temp folders emptied.
          Explorer started successfully
           
          OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12302008_144445

          Files moved on Reboot...
          C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\hpodvd09.log moved successfully.
          C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\_hphtra07.log moved successfully.
          C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DF35C2.tmp moved successfully.
          C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat moved successfully.
          C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat moved successfully.
          C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat moved successfully.
          C:\WINDOWS\temp\_avast4_\Webshlock.txt moved successfully.
          File move failed. C:\WINDOWS\temp\Perflib_Perfdata_628.dat scheduled to be moved on reboot.
          C:\WINDOWS\temp\Perflib_Perfdata_804.dat moved successfully.
          C:\WINDOWS\temp\Perflib_Perfdata_d00.dat moved successfully.

          evilfantasy
          Re: Logs attached, need next step for malware fix
          « Reply #7 on: December 30, 2008, 04:07:17 PM »
          Download to your desktop FixPolicies.exe, a self-extracting ZIP archive from HERE.

          Double-click FixPolicies.exe.
          Click the Install button on the bottom toolbar of the box that will open.
          The program will create a new Folder called FixPolicies.
          Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
          A black box will briefly appear and then close.
          Restart the computer so the changes can take effect.

          ----------

          If there still seems to be problems then run Dial-a-fix.

          Download Dial-a-Fix by djlizard, save it to the desktop then extract it to its own folder.

          • Open the folder and run Dial-a-fix.exe
          • 2 windows will open. Close the one in the background labeled Restrictive Policies
          • Check the box in section 1, Empty temp folders.
          • Check the box in section 2, Fix Windows Installer.
          • Check the box in section 3, Fix Windows Update.
          • Check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
          • Check all boxes in section 5, labeled Registration Center.
          • Click Go
          • OK any error messages if received, but write them down and post them here.
          • Restart the computer when done.
          Is the problem fixed?

          lindyoppa

            Re: Logs attached, need next step for malware fix
            « Reply #8 on: December 30, 2008, 04:26:10 PM »
            Ok I ran both of those things. I guess the problem now that I see is that the Red-X shield keeps appearing, and it says that there is no firewall. When I click it, it still says that rundll32.exe could not be found...

            And, I never did get the combofix log that you asked for...Is that a problem? The little script that I dragged over combofix is no longer on my desktop--it disappeared by itself.

            thanks!

            evilfantasy
            Re: Logs attached, need next step for malware fix
            « Reply #9 on: December 30, 2008, 04:27:18 PM »
            Download random's system information tool (RSIT) by random/random and save it to your Desktop.

            • Double click on RSIT.exe to run.
            • Click Continue at the disclaimer screen.
            • Once it has finished, two logs will open.
            • log.txt (will be maximized) and info.txt (will be minimized)
            • Please post the contents of both logs in the next reply.

            lindyoppa

              Re: Logs attached, need next step for malware fix
              « Reply #10 on: December 30, 2008, 04:29:59 PM »
              Log and Info files from RSIT attached.

              [attachment deleted by admin]

              evilfantasy
              Re: Logs attached, need next step for malware fix
              « Reply #11 on: December 30, 2008, 04:42:57 PM »
              Uninstall avast! antivirus and then install a new copy. That should fix that. http://filehippo.com/download_avast_antivirus/

              Then run this. You have to use IE.

              Run the Kaspersky Online Scanner

              In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

              • Click on SCAN NOW
              • Click Accept.
              • The program will then begin downloading the latest definition files.
              • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
              • The scan will take a while, so be patient and let it finish.
              When the scan is done, in the Scan is complete window, any infection is displayed.
              There is no option to clean/disinfect, however, we need to analyze the information on the report.

              To obtain the report:
              Click on: Save Report As
              • Next, in the Save as prompt, Save in area, select: Desktop.
              • In the File name area use KScan, or something similar.
              • In Save as type: click the drop arrow and select: Text file [*.txt]
              • Then, click: Save


              Copy and paste the Kaspersky Online Scanner Report in your next reply.

              Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


              lindyoppa

                Re: Logs attached, need next step for malware fix
                « Reply #12 on: December 30, 2008, 04:47:12 PM »
                ok small crisis.
                On the first step of uninstalling AVAST, I got stuck.
                I went to control panel, add/remove programs, and it gave me this error:
                (which is the same for the security red-X that I stated above):

                Cannot find C:\WINDOWS\system32\rundll32.exe

                uh oh.

                evilfantasy
                Re: Logs attached, need next step for malware fix
                « Reply #13 on: December 30, 2008, 04:52:56 PM »
                Do you have your XP CD?

                   1. Put the Windows XP CD ROM disk in the CD ROM drive.
                   2. Click Start, and then click Run.
                   3. Type expand C:\i386\rundll32.ex_ c:\windows\system32\rundll32.exe in the Open box.
                   4. Restart the computer.

                ----------

                If not then use ComboFix.

                Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

                Delete these files/folders, as follows:

                1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
                It must be Notepad, not Wordpad.
                2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

                Code: [Select]
                FCopy::
                C:\i386\rundll32.exe | c:\windows\system32\rundll32.exe

                3. Go to the Notepad window and click Edit > Paste
                4. Then click File > Save
                5. Name the file CFScript.txt - Save the file to your Desktop
                6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



                ComboFix will begin to execute, just follow the prompts.
                After reboot (in case it asks to reboot), it will produce a log for you.
                Post that log (Combofix.txt) in your next reply.

                Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

                lindyoppa

                  Re: Logs attached, need next step for malware fix
                  « Reply #14 on: December 30, 2008, 05:30:47 PM »
                  OK here it is, attached.


                  [attachment deleted by admin]