
Author Topic: Riddled with Viruses.  (Read 11137 times)


Mackem1983

    Topic Starter


    Rookie

    Riddled with Viruses.
    « on: December 11, 2009, 03:02:05 AM »
    Hi folks,

    My computer seems to be riddled with viruses and spyware; try as I might, I'm unable to get rid of them. I've used many different programs to no or limited success; any help that you friendly folk could provide would be greatly appreciated.

    I have gone through the HijackThis process and popped the log file in the Computer Hope program page, but to be honest what it found didn't make a whole lot of sense to me. I have enclosed the log file as it may be of some diagnostic help?

    [Saving space, attachment deleted by admin]
    « Last Edit: December 11, 2009, 03:18:04 AM by Mackem1983 »

    PPowerHouseK

    • Guest
    Re: Riddled with Viruses.
    « Reply #1 on: December 11, 2009, 05:18:39 PM »
    What exactly are you experiencing? Slowness, browser hijacks, pop-ups, all 3?

    Mackem1983


      Re: Riddled with Viruses.
      « Reply #2 on: December 11, 2009, 07:15:40 PM »
      All 3, I'm afraid. I can hardly use Google anymore, which gives me great problems with my job.

      SuperDave

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Thanked: 1020
      • Certifications: List
      • Experience: Expert
      • OS: Windows 10
      Re: Riddled with Viruses.
      « Reply #3 on: December 13, 2009, 07:12:38 PM »
      Hello Mackem1983 and welcome to Computer Hope Forum. My name is Superdave but you can just call me SD. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

      1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
      2. The fixes are specific to your problem and should only be used for this issue on this machine.
      3. If you don't know or understand something, please don't hesitate to ask.
      4. Please DO NOT run any other tools or scans while I am helping you.
      5. It is important that you reply to this thread. Do not start a new topic.
      6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
      7. Absence of symptoms does not mean that everything is clear.

      The first thing I will need you to do is to go to this link and follow the directions precisely. If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device, hold the Shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line. If you can't run any step, just jump to the next one. Please let me know how you are doing or if you have any questions. Initially, I will need the SuperAntiSpyware, MBAM and HJT logs. Please post any logs that you can generate.
      Windows 8 and Windows 10 dual boot with two SSD's

      Mackem1983


        Re: Riddled with Viruses.
        « Reply #4 on: December 14, 2009, 05:10:07 AM »
        Hi SD.

        Hopefully I have completed the steps correctly. Please find attached.

        Many thanks for your help.

        [Saving space, attachment deleted by admin]

        SuperDave

        Re: Riddled with Viruses.
        « Reply #5 on: December 14, 2009, 01:03:55 PM »
        Thanks, Mackem. I noticed that you have a P2P (uTorrent) program on your computer. While the program itself may be safe, the files you download are a major cause of a lot of infections. Therefore, I strongly recommend that it be uninstalled.

        Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

        Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

        Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

        Exit out of MessengerDisable then delete the two files that were put on the desktop.

        Open HijackThis and select Do a system scan only

        Place a check mark next to the following entries: (if there)

        O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

        O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

        O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

        (Description: Nvidia system tray applet. Not necessary. Removing this entry will free up a small amount of system resources.)

        O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
        (Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)

        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
        (Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

        O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

        O16 - DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - http://dl.uc.sina.com/cab/downloader.cab


        ESET Online Scan

        Scan your computer with the ESET FREE Online Virus Scan

        * Click the ESET Online Scanner button.

        * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
        * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
        * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
        * Place a check mark next to YES, I accept the Terms of Use.

        * Click the Start button.
        * Accept any security warnings from your browser.
        * Leave the check mark next to Remove found threats and place a check next to Scan archives.
        * Click the Start button.
        * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
        * When the scan completes, click List of found threats.
        * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
        * Click the <<Back button then click Finish.

        In your next reply please include the ESET Online Scan Log

        Important: Close all open windows except for HijackThis and then click Fix checked.

        Once completed, exit HijackThis.
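As an added illustration (not part of SuperDave's post and not HijackThis's own code): a small Python parser for the entry format used in the list above, sorting the O3/O4/O9/O16 lines by the reason a reviewer would look at them. The function names and triage wording are this example's own assumptions; the sample lines are copied from the reply.

```python
import re

# Entries copied from the reply above (a subset of the listed lines).
SAMPLE_LOG = r'''
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - http://dl.uc.sina.com/cab/downloader.cab
'''

ENTRY = re.compile(r'^(?P<section>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<body>.*)$')
CLSID = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
RUN_NAME = re.compile(r'^\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$')

def parse(log):
    """Return one dict per recognised HijackThis entry line."""
    entries = []
    for line in log.splitlines():
        # Forum copies sometimes carry escaped quotes (\"); normalise them.
        m = ENTRY.match(line.strip().replace('\\"', '"'))
        if not m:
            continue
        e = m.groupdict()
        clsid = CLSID.search(e['body'])
        e['clsid'] = clsid.group(0) if clsid else None
        # For "name - {CLSID} - target" bodies the target is the last field.
        e['target'] = e['body'].rsplit(' - ', 1)[-1]
        run = RUN_NAME.match(e['body']) if e['section'] == 'O4' else None
        if run:  # O4 Run-key entries: "[ValueName] command line"
            e['name'], e['target'] = run.group('name'), run.group('cmd')
        entries.append(e)
    return entries

def triage(entries):
    """Return (section, identifier, reason) for entries worth a second look."""
    findings = []
    for e in entries:
        if e['target'] == '(no file)':
            findings.append((e['section'], e['clsid'], 'orphaned: no file on disk'))
        elif e['section'] == 'O16' and e['target'].lower().startswith('http://'):
            findings.append((e['section'], e['clsid'],
                             'ActiveX download source over plain HTTP: ' + e['target']))
        elif e['section'] == 'O4':
            findings.append((e['section'], e.get('name'), 'autorun: ' + e['target']))
    return findings

if __name__ == '__main__':
    for finding in triage(parse(SAMPLE_LOG)):
        print(*finding, sep=' | ')
```

The output is a review list only; whether an autorun or orphaned entry should be removed is still the helper's judgement, as in the reply.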

        Mackem1983


          Re: Riddled with Viruses.
          « Reply #6 on: December 15, 2009, 04:56:39 AM »
          Hi SD,

          I did the steps recommended, however I made a mistake and didn't copy the ESET log. Is there somewhere I could find it without having to do the scan again? Everything seems to be working quite well at the moment, so signs are good. On a side note, and sorry to be cheeky, but could I ask how I go about setting what programs start on load up? Also, when I load my comp it always asks me to press F1 as it can't find a diskette; is there a way to change this?

          Many thanks.

          SuperDave

          Re: Riddled with Viruses.
          « Reply #7 on: December 15, 2009, 12:34:01 PM »
          Hello Mackem1983. You didn't happen to notice if the ESET scan reported some findings or nothing at all? There is another scan I want to run but that particular tool is off-line. If it's all ok with you, I would like to wait until it comes back on-line and we'll run that scan. I have this tool for startup but I've never used it before. You can select which programs you want to start.

          StartupLite

          Download StartupLite by MalwareBytes to your Desktop.
          Doubleclick StartupLite.exe to launch the program.
          Ensure the Disable box is checked.
          Click Continue.
          A pop-up message will tell you the unnecessary startup items in your list have been disabled and ask you to restart your computer.
          Re-start your computer.

          As for the f1 at boot, you can change that in the BIOS. You can learn all about it here.

          Mackem1983


            Re: Riddled with Viruses.
            « Reply #8 on: December 15, 2009, 04:39:17 PM »
            Cheers SD,

            I'm happy to wait and so far everything seems ok. Do you have an inkling into what and where was infected? I think a lot of the system restore was but I was unable to access that, and if it was that, what part of the steps were directly helping that issue? The scan revealed only one infected file, which has been removed. I'm unaware of what the file did as I know I had the majority if not all of the problems before I had this file.

            SuperDave

            Re: Riddled with Viruses.
            « Reply #9 on: December 15, 2009, 05:04:45 PM »
            I won't know the extent of the infections until I run another scan when the tool is back on-line. Plus, we lost the ESET log which may have had some infections also. What was the indication that you had a lot of infections?

            Mackem1983


              Re: Riddled with Viruses.
              « Reply #10 on: December 16, 2009, 01:43:07 AM »
              Well, I was trying to eradicate all the problems for a good month or so. I've become adept at fixing my computer as since I was little I have been constantly breaking them. Every time I would get rid of something a new problem would be detected by the various scans I was doing. One of the trojans remained constant throughout though, and try as I might I didn't get close to touching it.

              SuperDave

              Re: Riddled with Viruses.
              « Reply #11 on: December 16, 2009, 12:34:14 PM »
              Hello Mackem1983. ComboFix is back on-line. You can run this scan.

              Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

              ComboFix

              Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

              Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

              Vista users Right-click combofix.exe and select Run as Administrator and follow the prompts.
              Double-click combofix.exe and follow the prompts.
              When finished, ComboFix will produce a log for you.
              Post the ComboFix log and a new HijackThis log in your next reply.

              NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

              Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.

              Mackem1983


                Re: Riddled with Viruses.
                « Reply #12 on: December 17, 2009, 02:11:34 AM »
                Please find enclosed SD. Thank you for your continued support.

                [Saving space, attachment deleted by admin]

                Mackem1983


                  Re: Riddled with Viruses.
                  « Reply #13 on: December 17, 2009, 03:49:57 AM »
                  Hi SD, I'm beginning to get quite a few blue error screens. I have enclosed a log of the last one, unsure as to whether any viruses are the cause.

                  [Saving space, attachment deleted by admin]

                  SuperDave

                  Re: Riddled with Viruses.
                  « Reply #14 on: December 17, 2009, 08:11:24 PM »
                  Hello Mackem1983. Ok let's try this:

                  1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
                  It must be Notepad, not Wordpad.
                  2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

                  Code:
                  KillAll::

                  Driver::
                  pxfzdgdb;

                  3. Go to the Notepad window and click Edit > Paste
                  4. Then click File > Save
                  5. Name the file CFScript.txt - Save the file to your Desktop
                  6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



                  ComboFix will begin to execute, just follow the prompts.
                  After reboot (in case it asks to reboot), it will produce a log for you.
                  Post that log (Combofix.txt) in your next reply.

                  Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.