
Author Topic: bigtime virus/trojan/downloader problem  (Read 10209 times)


evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: bigtime virus/trojan/downloader problem
« Reply #15 on: May 24, 2008, 05:51:18 PM »
Some stubborn ones to get rid of.

Now download The Avenger by Swandog46 and save it to your Desktop.
  • Extract avenger.exe from the Zip file and save it to your desktop
  • Run avenger.exe by double-clicking on it.
  • Do not change any check box options!!
  • Copy everything in the Code box below, and paste it into the Input script here window:
Code:
Comment:

Registry values to delete:

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jdgf894jrghoiiskd

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jnskdfmf9eldfd

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\plyrihnpsoi

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rdpdd

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webrebates0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wintelupdate


Note: the above instructions were created specifically for this user. If you are not this user, DO NOT follow these directions, as they could damage the workings of your system.


  • Now click the Execute button.
  • Click Yes to the prompt to confirm you want to execute.
  • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
  • Your PC should reboot; if not, reboot it yourself.
  • A log file from Avenger will be produced at C:\avenger.txt, and it will pop up for you to view when you log in after the reboot.
  • Add the Avenger log in your next post.
----------

Your Java is out of date.
Older versions of Java have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version(s) of Java components and update.
 
Step 1 - Get the new version
  • Go to the Sun Java Download Page
  • On the Sun Java page scroll to the 5th download. Java Runtime Environment (JRE) 6 Update 6
  • Click the button and choose the options.
    • Platform Windows
    • Language English
    • Next place a check mark in the box to agree to the License Agreement.
  • "I agree to the Java SE Runtime Environment 6 License Agreement"
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Then from your desktop double-click on jre-6u6-windowsi586-p.exe to install the newest version.
  • Follow the prompts to complete the installation.
Step 2 - Remove old version(s)
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel > Add/Remove programs and remove all older versions of Java.
  • Do not remove Java 6 Update 6
    • Uninstall all of these.
    • J2SE Runtime Environment 5.0 Update 10
    • J2SE Runtime Environment 5.0 Update 2
    • J2SE Runtime Environment 5.0 Update 4
    • J2SE Runtime Environment 5.0 Update 7
    • J2SE Runtime Environment 5.0 Update 8
    • J2SE Runtime Environment 5.0 Update 9
    • Java 2 Runtime Environment, SE v1.4.2_03
    • Java 2 Runtime Environment, SE v1.4.2_05
    • Java 2 Runtime Environment, SE v1.4.2_06
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each old Java version.
  • Restart your computer once all Java components are removed.
Step 3 - Remove old folder(s)
  • Double-click My Computer on the desktop and locate this folder: C:\Program Files\Java
  • Open the Java folder and delete any subfolders except the jre1.6.0_06 folder which was just created by the newest Java installation.
----------

Also uninstall Viewpoint Media Player

See Viewpoint to Plunge Into Adware

----------

Next post add
Avenger log


Hopefully the boot times will start to improve.

Let me know how everything is now.

Richter915

    Topic Starter


    Rookie

    Re: bigtime virus/trojan/downloader problem
    « Reply #16 on: May 24, 2008, 11:24:04 PM »
    Boot time was a little improved, but I think a scan is running every time I boot up. In the task manager it's called DoScan? After doing the Avenger, on the reboot several pop-up errors with the title "no disk" kept appearing, which was very odd. Here's the log...

    //////////////////////////////////////////
      Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Sun May 25 01:12:33 2008

    01:12:10: Error: Invalid syntax in command:
    "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jdgf894jrghoiiskd"
    Skipping line.  (Registry value deletion mode) 
    01:12:12: Error: Invalid syntax in command:
    "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jnskdfmf9eldfd"
    Skipping line.  (Registry value deletion mode) 
    01:12:13: Error: Invalid syntax in command:
    "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\plyrihnpsoi"
    Skipping line.  (Registry value deletion mode) 
    01:12:21: Error: Invalid syntax in command:
    "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rdpdd"
    Skipping line.  (Registry value deletion mode) 
    01:12:22: Error: Invalid syntax in command:
    "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webrebates0"
    Skipping line.  (Registry value deletion mode) 
    01:12:24: Error: Invalid syntax in command:
    "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA"
    Skipping line.  (Registry value deletion mode) 
    01:12:25: Error: Invalid syntax in command:
    "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wintelupdate"
    Skipping line.  (Registry value deletion mode) 


    //////////////////////////////////////////


    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform:  Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!


    Completed script processing.

    *******************

    Finished!  Terminate.



    evilfantasy

    Re: bigtime virus/trojan/downloader problem
    « Reply #17 on: May 24, 2008, 11:38:41 PM »
    Look here for information on the DoScan.

    For some reason the reg values aren't going away with any of the tools used....yet!

    ----------

    Open Hijackthis and select Do a system scan only.

    Place a check mark next to the following entries: (if there)

    - C:\WINDOWS\system32\ScsiAcc.exe
    - R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 216.133.248.230:80 <<--Unless you did this yourself
    - O2 - BHO: (no name) - SOFTWARE - (no file)
    - O8 - Extra context menu item: Open with &ZipScan - C:\PROGRA~1\ZIPSCA~1\zs_ie.htm
    - O9 - Extra button: (no name) - cmdmapping - (no file) (HKCU)
    - O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAcc.exe


    Important: Close all windows except for Hijackthis and then click Fix checked.

    Exit Hijackthis.

    ----------

    Download OTMoveIt2 by OldTimer
    • Save it to your desktop.
    • Double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      C:\WINDOWS\system32\ScsiAcc.exe
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jdgf894jrghoiiskd
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jnskdfmf9eldfd
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\plyrihnpsoi
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rdpdd
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webrebates0
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wintelupdate
    • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the Green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

    ----------

    Next post add
    OTMoveIt log


     

    Richter915

      Topic Starter


      Rookie

      Re: bigtime virus/trojan/downloader problem
      « Reply #18 on: May 25, 2008, 11:14:16 AM »
      Here's the log:

      C:\WINDOWS\system32\ScsiAcc.exe moved successfully.
      < HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jdgf894jrghoiiskd >
      Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jdgf894jrghoiiskd\\ deleted successfully.
      < HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jnskdfmf9eldfd >
      Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jnskdfmf9eldfd\\ deleted successfully.
      < HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\plyrihnpsoi >
      Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\plyrihnpsoi\\ not found.
      < HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rdpdd >
      Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rdpdd\\ not found.
      < HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webrebates0 >
      Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webrebates0\\ deleted successfully.
      < HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA >
      Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA\\ deleted successfully.
      < HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wintelupdate  >
      Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wintelupdate \\ not found.
       
      OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05252008_131353
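A defender-side check of the same msconfig store that the Avenger and OTMoveIt scripts above targeted, added here as an example that is not part of this thread. It assumes PowerShell 3 or later on the cleaned machine, and that each startupreg subkey carries the command, key and hkey values msconfig writes when it disables a startup item.

```powershell
# Added example (not from the thread): read-only audit of the msconfig "disabled startup
# items" store. Each subkey under startupreg is one disabled startup entry; msconfig records
# the entry's original registry location and its command line there, so a leftover subkey
# is a command that will run again if someone re-enables it.
# Assumptions: PowerShell 3+, run elevated; value names command/key/hkey as written by msconfig.
$StartupReg = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'

# Subkey names from the cleanup scripts in this thread (used only to flag leftovers).
$Suspect = @('jdgf894jrghoiiskd', 'jnskdfmf9eldfd', 'plyrihnpsoi', 'rdpdd',
             'webrebates0', 'WildTangent CDA', 'wintelupdate')

function Get-DisabledStartupItems {
    param([string]$Path = $StartupReg)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Key not present: $Path (no items are disabled via msconfig)"
        return @()
    }
    Get-ChildItem -LiteralPath $Path | ForEach-Object {
        $p   = Get-ItemProperty -LiteralPath $_.PSPath
        $cmd = [string]$p.command
        # Pull the executable out of the command line (quoted or first token), then
        # check whether that file still exists on disk.
        $exe = ''
        if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        elseif ($cmd -match '^\s*(\S+)') { $exe = $Matches[1] }
        $exists = ($exe -ne '') -and
                  (Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($exe)))
        [pscustomobject]@{
            Name      = $_.PSChildName
            Command   = $cmd
            OrigKey   = "$($p.hkey)\$($p.key)"   # where the entry lived before it was disabled
            ExeExists = $exists
            InSuspect = ($Suspect -contains $_.PSChildName)
        }
    }
}

$items = Get-DisabledStartupItems
$items | Sort-Object InSuspect -Descending |
    Format-Table -AutoSize Name, InSuspect, ExeExists, OrigKey, Command

# Report which of the names targeted in the thread are still present after cleanup.
$left = @($items | Where-Object { $_.InSuspect })
if ($left.Count -gt 0) {
    Write-Host ("Still present: " + (($left | ForEach-Object { $_.Name }) -join ', '))
} else {
    Write-Host 'None of the listed entries remain under startupreg.'
}
```

Entries whose executable no longer exists are dead references; an entry whose executable is still on disk is the one worth submitting to a scanner before deciding whether to delete the subkey.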

      evilfantasy

      Re: bigtime virus/trojan/downloader problem
      « Reply #19 on: May 25, 2008, 12:01:13 PM »
      Let's clear out the programs we've been using to clean up your computer; they are not suitable for
      general malware removal and could cause damage if launched accidentally. These steps will also help secure the work you have done.
      • Click START then RUN
      • Now type Combofix /u in the runbox
      • Make sure there's a space between Combofix and /u
      • Then hit Enter.
      The above procedure will:
      • Delete:
        • ComboFix and its associated files and folders.
        • VundoFix backups, if present
        • The C:\Deckard folder, if present
        • The C:\_OTMoveIt folder, if present
        • Reset the clock settings.
        • Hide file extensions, if required.
        • Hide System/Hidden files, if required.
        • Set a new, clean Restore Point.

        1. Double click OTMoveIt2.exe to launch it.
        Vista users right click and choose Run As Administrator
        2. Click on the CleanUp! button.
        3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
        4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
        5. Once complete exit out of OTMoveIt2

        Set a New Restore Point to prevent possible reinfection from an old one
        Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
        • Go to Start > Programs > Accessories > System Tools and click System Restore
        • Choose the radio button marked Create a Restore Point on the first screen, then click Next. Give the Restore Point a name, then click Create.
        • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
        • Next go to Start > Run and type Cleanmgr
        • Click OK
        • Click the More Options Tab.
        • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
        Use the Secunia Software Inspector to check for out of date software.
        • Click Start Now
        • Check the box next to Enable thorough system inspection.
        • Click Start
        • Allow the scan to finish and scroll down to see if any updates are needed.
        • Update anything listed.

        How is everything now?