Nasty virus

[SuperDave]

Hello Karen, I see we still have a few leftovers to clear out but, hopefully,  we're nearing the end. Please do this:

Click Start Control Panel and select Add/Remove Programs select the following programs and uninstalled them.

J2SE Runtime Environment 5.0 Update 6
Mirar
SearchAssist
URL Assistant
Viewpoint Media Player
WildTangent Web Driver

Double-click on OTM.exe on your desktop.

Note: If you are running on Vista, right-click on OTM.exe and choose Run As Administrator.

* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code: [Select]

:Processes
explorer.exe

:services

:reg

:files
%windir%\found.000

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
* Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

To turn off Windows XP System Restore:

NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
5. Click Apply.
6.  When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
8. Restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows XP System Restore:

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
5. Click Apply, and then click OK.

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

Once this is done I will get you to run another on-line scan from another on-line scanner. Please let me know when the above work is done.

[kviez]

SD,

I could not remove URL assistant or Mirar.  I used Add/Remove programs to uninstall the others you listed.  I did not go any further with your instructions as I did not know if they should be followed in sequence. 

Please let me know how to proceed.

Thanks again,

Karen

[SuperDave]

Hello Karen. Try this to remove those  two programs.

•Start HijackThis

•Click on the Open the Misc Tools section

•Click on the Open Uninstall Manager button.

•Highlight the entry you want to remove.

•Click Delete this entry

Then, finish doing the other things I asked for in the previous thread.

[kviez]

SD,

I have finished with your latest set of instructions.  I will post the OTM log below.  I have a couple of questions.

When I tried to uninstall Mirar the first time I downloaded a file from their website that was supposed to help.  When it did not work I went looking for it with Windows Exlporer I found something curious and am not sure what to make of it and wonder where it came from.  Under local disc (C:), then WINDOWS there were a lot of folders that look like this "$NtuninstallkB8......$.  There were 6 digits between the 8 and the last $.  Is this something that I should be worried about.  Also, there is a new icon on my desktop "catchme.log" I am pretty sure this showed up after I ran combofix for the first time.  Should I get rid of it?

Thanks again.  Here is the log.  I will await your instructions.

Karen

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
Folder C:\WINDOWSC:\WINDOWS\found.000 not found.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: James Robinson
->Temp folder emptied: 82230050 bytes
->Temporary Internet Files folder emptied: 6063106 bytes
->Java cache emptied: 128020 bytes
->FireFox cache emptied: 44533858 bytes
->Apple Safari cache emptied: 0 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 0 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 664 bytes
RecycleBin emptied: 85892541 bytes
 
Total Files Cleaned = 208.77 mb
 
 
OTM by OldTimer - Version 3.0.0.6 log created on 09272009_130504

Files moved on Reboot...

Registry entries deleted on Reboot...

[harry 48]

kviez , superdave is of now for the night , 

"$NtuninstallkB8......$. , do not touch these

catchme.log , i think this has to do with something he told you to download , it may be

removed when he is finished helping you

[kviez]

Thank you, Harry.

[SuperDave]

Hello Karen, Sorry for the delay. I was off playing a bit of ice hockey. The files that you see in C:\Windows are, if my memory serves me correctly, files that have something to do with System Restore. I could be wrong. I know they are not malicious. Catchme must have been a program that you download which is designed to search for rootkits etc.. Check in your Add/Remove programs to see if it's there and uninstall it. Or, it could be installed on your desktop. In that case delete the program and the log.
I have one more on-line scan for you to run.

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan Log

[kviez]

SD,

Don’t ever worry about the delay – I really appreciate your help and I understand that you have a life outside of my problems.  Hope you had a good time playing hockey. 

I have attached the ESET log that you requested.

I am having a couple of other problems.  First, I have the yellow shield icon on my bottom tool bar that I need to install updated for window.  When I click it the message is “automatic updates – How do you want to install.”  I then click on express and it starts and I get another message that updates are being installed.  The icon will not go away and I have the option to install again.  Also, there is a red shield, with an “x” in the lower tool bar with a message that My anti-virus is turned off and my computer is at risk.  I use AVG 8.5 free and when I open it Resident shield is only partially functional.  I have uninstalled AVG and reinstalled and the problem remains.  I uninstalled AVG a second time and am wondering if I should download another anti-virus program.

Thanks again.

Karen






[attachment deleted by admin]

[harry 48]

do not want to *censored* into you helping kviez superdave

i had the same problem with avg for months , thats why i deleted it and got avira antivir personnal

[SuperDave]

Hello Karen. I'm assuming you have automatic updates turn on. I also have it turned on and for some strange reason I get that very same thing. I'm assuming that is because my computer is not always left on when it is time for the updater to run. Try this: Go to start, control panel, Add/Remove. Make sure that the "Show updates" box is checked and look at the latest date of your updates. Perhaps there's something stopping them from loading. I seen some updates in your Uninstall list but I can't see the dates. Please let me know the date of the latest one.
As for the $NtuninstallkB8......$ These are Service Pack uninstallers. Most Windows Updates have their own uninstaller. They can be removed safely but then if an update starts making the computer crash or something you are stuck with having to reinstall. Best to always keep them.

As Harry said, AVG was once very good but lately some people have problems with it. Why not try another AV? I, myself, am very satisfied with Avast.

Download one of the free Anti-Virus programs listed below.

•Avast! Home Edition

•AVG Free Edition

•AntiVir Personal

It appears that the latest scan has cleaned up all the bugs on your computer. As soon as we get these other little problems cleared up, I'll be back with another set of instructions.

[kviez]

SD,

Great, sounds like we are almost there.  I can't thank you and Evilfantacy enough for all of your help.

My most recent updates took place on 9/11/09.  I have a "Security update for Windows Media Player" and "Windows XP Media Center Edition 2005 KB973768". 

The update that will not seem to install is "Windows Malicious Software Removal Tool - 2009 (KB890830).

I am downloading Avast! Home Edition right now.

Karen

[evilfantasy]

Try Dial-a-fix.

Download Dial-a-Fix by djlizard, save it to the desktop then extract it to it's own folder.

• Open the folder and run Dial-a-fix.exe
• 2 windows will open. Close the one in the background labeled Restrictive Policies
• Check the box in section 1, Empty temp folders.
  
• Check the box in section 2, Fix Windows Installer.
  
• Check the box in section 3, Fix Windows Update.
  
• Check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
  
• Check all boxes in section 5, labeled Registration Center.
  
• Click Go
  
• OK any error messages if received, but write them down and post them here.
• Restart the computer when done.

.
Can you update now?

[kviez]

Evilfantacy,

I followed your instructions. but I still can not update.  The yellow shield shows up and I click install, I get a message box indicating the updates are being installed, the yellow shield disappears for about 1 minute and then returns with the same update. 

I am sure this is a silly question, but I will ask anyway.  When the virus was deep in my system all of the icons on my desktop became highlighted.  Is there a way for me to undo the highlight?

Oh, Avast home edition seems to be running fine.  Thanks for the help!

Karen

[evilfantasy]

Right click on your desktop and select properties. You can adjust the desktop settings there.

----------

Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

[kviez]

Thank you, EF.  My desktop is back to normal.

Here is the information that was generated from Security Check. 

 Results of screen317's Security Check version 0.99.0 
 Windows XP Service Pack 3 
``````````````````````````````
Antivirus/Firewall Check:
 Windows Firewall Enabled! 
 avast! Antivirus     
 Antivirus up to date! 
``````````````````````````````
Anti-malware/Other Utilities Check:
 SUPERAntiSpyware Free Edition   
 HijackThis 2.0.2   
 CCleaner (remove only)   
 Java(TM) 6 Update 14 
 Out of date Java installed!
Adobe Reader 7.0.8
Out of date Adobe Reader installed!
``````````````````````````````
Process Check: 
objlist.exe by Laurent
 Alwil Software Avast4 aswUpdSv.exe
 Alwil Software Avast4 ashServ.exe
 Alwil Software Avast4 ashDisp.exe
 Alwil Software Avast4 ashMaiSv.exe
 Alwil Software Avast4 ashWebSv.exe
``````````````````````````````
DNS Vulnerability Check:
 Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

`````````End of Log```````````