Bio hazard virus logs for review.

[eterwey]

I had the biohazard screen virus on my computer.  I followed all the steps to remove it as instructed, except the first one of installing the antivirus software, (everytime I tried it told me the file was corrupted).  The logs of everything should be attached to this post(I hope)!  Thanks for all your help and patience, it is greatly appreciated!!

[recovering disk space -- attachment deleted by admin]

[evilfantasy]

I locked the other topic and we will work from this one.

You have Norton installed, why are you trying to download a new antivirus?

Download ComboFix by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

[eterwey]

Here are the two logs you requested (I think), there are windows popping up all the time now for MS security center and such, is this normal and should I just keep closing them?

Also the Norton Antivirus that I have is from 2003, should I download a more recent antivirus program, or is what I have going to work?

Thanks for all your help!

[recovering disk space -- attachment deleted by admin]

[evilfantasy]

Yes you will want to update the antivirus, but don't do it until you are malware free.

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]

KillAll::

Folder::
C:\Program Files\MSA
C:\Program Files\PCHealthCenter
C:\Program Files\kaqumad
C:\Documents and Settings\All Users\Application Data\kzyjehex

File::
C:\WINDOWS\system32\phc33qj0et1e.bmp
C:\WINDOWS\system32\lphc33qj0et1e.exe
C:\WINDOWS\system32\blphc33qj0et1e.scr
C:\WINDOWS\system32\pqhuvqxi.exe
C:\WINDOWS\system32\VIE4.exe
C:\WINDOWS\system32\VIE5.exe
C:\WINDOWS\system32\VIE3.exe
C:\WINDOWS\system32\VIE17.exe
C:\WINDOWS\system32\VIE19.exe
C:\WINDOWS\system32\VIE1A.exe
C:\WINDOWS\system32\bczmjsjo.exe
C:\WINDOWS\system32\VIE8.exe
C:\winlo.exe
C:\WINDOWS\system32\2.ico
C:\WINDOWS\system32\MSA.cpl
C:\WINDOWS\system32\1.ico
C:\WINDOWS\system32\jkxcbafw.exe
C:\WINDOWS\system32\20.tmp
C:\WINDOWS\system32\sbcpgrir.exe
C:\WINDOWS\system32\17.tmp
C:\WINDOWS\system32\xktabeve.exe
C:\WINDOWS\system32\wdxb.dll
C:\Program Files\kaqumad\dscuiwin.dll
C:\WINDOWS\system32\VIEF.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ActProcWeb"=-
"chkdbadm"=-
"\VIE5.exe"=-
"\VIE3.exe"=-
"\VIE8.exe"=-
"ComChk"=-
"\VIE17.exe"=-
"\VIE19.exe"=-
"\VIE1A.exe"=-
"\VIE4.exe"=-
"winset"=-
"\VIEF.exe"=-
"\VIE13.exe"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus"=-
"\VIE5.exe"=-
"\VIE3.exe"=-
"\VIE8.exe"=-
"lphc33qj0et1e"=-
"\VIE17.exe"=-
"\VIE19.exe"=-
"\VIE1A.exe"=-
"\VIE4.exe"=-
"\VIEF.exe"=-
"\VIE13.exe"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"WE0Sw06TVc"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

[eterwey]

I'm not 100% sure this is going to be the correct log, as my computer froze up with a bunch of pop ups.  If I need to do something else, or run something again, just let me know.

Again I can't thank you enough for taking the time to help me!

[recovering disk space -- attachment deleted by admin]

[evilfantasy]

You really need to run these instructions and post the log ASAP. The malware has regenerated and added more rouge files.

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]

KillAll::

Folder::
C:\x

File::
C:\WINDOWS\system32\YUR2.exe
C:\WINDOWS\system32\YUR7.exe
C:\WINDOWS\system32\YUR4.exe
C:\WINDOWS\system32\gzorudqn.exe
C:\WINDOWS\system32\uhglwtmd.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DscSet"=-
"\YUR2.exe"=-
"\YUR4.exe"=-
"\YUR7.exe"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\YUR2.exe"=-
"\YUR4.exe"=-
"\YUR7.exe"=-

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

[eterwey]

I apologize, I'll work on it tonight until you let me know it's ok to shut down for the evening.  When I do shut down, should I turn my computer off completely and unhook the modem, or doesn't that matter?

[recovering disk space -- attachment deleted by admin]

[evilfantasy]

We should be OK after this next scan, but we will have to see.

Do you know what this is? C:\x

[eterwey]

No, I'm sorry I don't. 

[evilfantasy]

Pretty sure it is a rouge folder that needs to go. ComboFix couldn't delete it so we will use another tool.

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Now download The Avenger by Swandog46 and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your Desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
  
• Copy everything in the Code box below, and paste it into the Input script here window:

Code: [Select]

Comment:

Folders to delete:
C:\x

• Now click the Execute button.
  
• Click Yes to the prompt to confirm you want to execute.
  
• Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
  
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.

• Add the Avenger log in your next post.

.
----------

Also, now run a new HijackThis scan and post the log. Let me know how the PC is doing as well.

[eterwey]

Here are the logs, it seems that the pop ups have stopped and that it is running ok for now.

Do I need to save the old logs for anything, I just have them on my desktop but I didn't know if I should delete them or not?

[recovering disk space -- attachment deleted by admin]

[evilfantasy]

We will do some cleanup now. If any logs are left over then they can be deleted.

Did you add this to the Desktop yourself? If so it's OK.
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\eric\My Documents\limehead2.gif

These are final steps. If you have any questions then just ask.

----------

• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.

.

.
The above procedure will:

• Delete:
• ComboFix and its associated files and folders.
• VundoFix backups, if present
• The C:\Deckard folder, if present
• The C:_OtMoveIt folder, if present

• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.

.
----------

Download OTCleanIt.exe and save it to your Desktop.

• Double-click OTCleanIt.exe.
  
• Click the CleanUp! button.
  
• Select Yes when the "Begin cleanup Process?" prompt appears.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes, if not delete it yourself.

.
----------

Now run CCleaner.

----------

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.

• Go to Start > Programs > Accessories > System Tools and click System Restore
  
• Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
  
• The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Next go to Start > Run and type Cleanmgr
  
• Click OK
  
• Click the More Options Tab.
  
• Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide or Windows Vista System Restore Guide
.
----------

Use the Secunia Software Inspector to check for out of date software.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

To prevent unknown applications from being installed on your computer install WinPatrol 2008
* Using Winpatrol to protect your computer from malicious software

I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

[eterwey]

I'm working on all the updates right now.  If I have any other questions before I get everything done, should I ask you here, or post a new thread on the forum?

Again, I can't say thank you enough for all of your help and patience, I really do appreciate it!

[evilfantasy]

Go ahead and ask here.

No problem on the help....it's why we're here.

[eterwey]

I did forget to ask about all of the antispyware and antimalware programs that I downloaded, do I delete those now, or do they need to stay on my computer?

Also, the antivirus software that I have is from 2003 and may be outdated, should I download something new or leave it as is?

[evilfantasy]

Keep SAS and MBAM. Run them every other week or so, or when you think you should. Be sure to always update them first.

Yes you should get rid of Norton and install some free solutions. I will leave a list of good free antivirus and firewalls.

Before you install them uninstall Norton.

To completely remove Norton/Symantec go to add remove programs and uninstall anything with Norton, Symantec or Live Update in the name.

Download the Norton Removal Tool (SymNRT) to your Desktop.

Once downloaded please close ALL open browsers, also save any work because this may require a restart.

• Go to your desktop and double click on the removal tool and then click Setup.
  
• Once open Click Next
  
• Accept the license agreement and click Next
  
• Type in the letters/numbers that you see into the text box then click Next.
  
• Then click Next and the tool will start running.
  
• Once finished restart the PC and run the tool again to ensure everything has been removed.

----------

Remember to only install one antivirus!
 
1) Avast! Home Free Edition
2) AVG Free Edition
3) Avira AntiVir Personal
4) Comodo Antivirus
5) PC Tools AntiVirus Free Edition

1) Comodo (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
2) Online Armor
3) Sunbelt/Kerio
4) Agnitum
5) PC Tools Firewall Plus

[eterwey]

There's also something new happening that I've discovered.  Everytime I try to close out a web page by left clicking on the red X box, it kicks me off the internet and that pop up for an error message comes up that asks if I want an error report sent.  Not sure what's going on there.

[evilfantasy]

Try this.

Reset settings for Internet Explorer 6

Reset Explorer Settings IE 6

[eterwey]

Ok, I tried restoring the internet settings, but it's still doing the same thing.  It brought me to the new internet explorer 8 Beta download, but when I tried to download that, it just kicks me out again. 

[evilfantasy]

Repair IE6

Note: Both methods listed require that the Microsoft Windows XP CD-ROM be available.

Method 1: Microsoft Internet Explorer 6.x Repair for Windows XP

• From the Start menu, select Run.
  
• In the Open field, type sfc /scannow (Note: There is a space between sfc and /scannow)
  
• Select the OK button.
  
• Follow the prompts throughout the System File Checker process.
  
• Reboot the computer when System File Checker completes.
  

[eterwey]

Here's the deal, I don't have the Microsoft windows xp CD-ROM.  A friend of mine a while ago built this computer,  he built a newer one for himself, and gave this one to me.  Any other suggestions?

[evilfantasy]

Download Dial-a-Fix by djlizard, save it to the desktop then extract it to it's own folder.

• Open the folder and run Dial-a-fix.exe
• 2 windows will open. Close the one in the background labeled Restrictive Policies
• Check the box in section 1, Empty temp folders.
• Check the box in section 2, Fix Windows Installer.
• Check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
• Check all boxes in Section 5, labeled Registration Center.
• Click Go
• OK any error messages if received, but write them down and post them here.
• Restart the computer when done.

.
Any changes?

[eterwey]

That seems to have fixed it.  Here are the two error boxes that did pop up.

An error has ocurred during registration of the file: C:\WINDOWS\system32\shdocvw.dll(version6.00.2900.3395).  The next dialog will contain an error code and possible suggestions.


Error-2147319780 was encountered while trying to register C:\WINDOWS\system32\shdocvw.dll.  The error text is : Error accessing the OLE registry.  Dail-a-fix currently has no suggestions for thes error code.  Please email dial-a-fix @DjLizard.net with a copy of the log pane and any details you can provide about this error.

Those were the only two that popped up.

Thanks again for your help!

[evilfantasy]

That shouldn't be a problem.

I would visit MS Updates again to make sure none are available. http://windowsupdate.microsoft.com/

[eterwey]

I was going through the steps to uninstall NortonAntiVirus.  Finished that and was trying to install AvastAntiVirus free home addition.  Computer froze up.  Restarted to reboot.  Now the computer is frozen and I have no desktop, just a solid blue screen.  Can still move mouse, but nothing is happening.  Don't know what to do please help.  Replying from a work computer now.

[Carbon Dudeoxide]

First thing I would try is, at the blue desktop screen, hit CTRL + ALT + Delete and start a new process called explorer.exe

Otherwise, you might want to look here:
http://www.computerhope.com/forum/index.php/topic,16027.0.html

[eterwey]

I get nothing when I try CTRL+ALT+DEL and I nothing when I right click.  There is nothing to right click on.  And we don't have the Windows disk.  Is there anything we can do?

[Carbon Dudeoxide]

Can you try Safe Mode