
Leif Needs help with Removing Viruses! [RESOLVED]


This topic is locked.

#31 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

The only different thing is that at start up, the task bar isn't there. it's just an empty dark blue line with no start button, no roaming programs and no clock. When I plug in my WI-FI dongle, turn on my browser, and access this page, it loads up.

hmmm....again, looks like damage done by the malware.

looks like a couple of infections sneaked back on which were cleaned off, but we need to clear one registry entry. just want to run one more scan to ensure a certain type of rootkit is gone, and we will fix your file associations. and then, i think we will be done........on cleaning the malware.......i hope.

====STEP 1====
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax
    HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1036B735-2574-4CCC-93E7-80B84A3C1FB0}
    EmptyTemp
    purity 
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



====STEP 2====
Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
====STEP 3====
click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
"%userprofile%\desktop\dss.exe" /daft
This will open up Deckard's File Association Tool
  • Click on the Scan button.
  • Select everything it is displaying there
  • Click the Fix button.
  • Then rescan with DAFT again - it should say now that "All associations are OK"
  • Close DAFT if you receive that message. This means that it is fixed now.
if that does not work then please download DAFT and save it to your desktop, double-click the daft.exe icon, and then follow the above instructions from "Click on the Scan button"



In your next reply could i see:
1. the OTMoveIT log
2. the Dr CureIT log
3. a new hijackthis log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0



#32 Leifgreen (Topic Starter, Member, 49 posts)
OTMoveIT Log:

Explorer killed successfully
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax\\ deleted successfully.
< HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1036B735-2574-4CCC-93E7-80B84A3C1FB0} >
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1036B735-2574-4CCC-93E7-80B84A3C1FB0}\\ not found.
< EmptyTemp >
File delete failed. C:\DOCUME~1\Austin\LOCALS~1\Temp\etilqs_lQtNFoFKjxT7lJl0Cpe2 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Austin\LOCALS~1\Temp\etilqs_WgZXLUPEkTQXyjRR7GFg scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Austin\LOCALS~1\Temp\etilqs_WgZXLUPEkTQXyjRR7GFg-journal scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07222008_180759

Files moved on Reboot...
File C:\DOCUME~1\Austin\LOCALS~1\Temp\etilqs_lQtNFoFKjxT7lJl0Cpe2 not found!
File C:\DOCUME~1\Austin\LOCALS~1\Temp\etilqs_WgZXLUPEkTQXyjRR7GFg not found!
File C:\DOCUME~1\Austin\LOCALS~1\Temp\etilqs_WgZXLUPEkTQXyjRR7GFg-journal not found!


DrWeb CureIt scan Log:

Process.exe;C:\Documents and Settings\Austin\Desktop\SmitfraudFix;Tool.Prockill;;
restart.exe;C:\Documents and Settings\Austin\Desktop\SmitfraudFix;Tool.ShutDown.11;;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
A0017099.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2;Trojan.Starter.384;Cured.;
A0021181.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP3\A0021181.exe;Tool.Prockill;;
A0021181.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP3;Archive contains infected objects;Moved.;
A0022195.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP3\A0022195.exe;Tool.Prockill;;
A0022195.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP3;Archive contains infected objects;Moved.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;


HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:19:16, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {1036B735-2574-4CCC-93E7-80B84A3C1FB0} - C:\WINDOWS\system32\cnvfa.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

--
End of file - 2532 bytes


Also, there has been a new file that popped up, I saw it this morning when powering up my computer, and a new start up task. The file: delself.bat, and bravianx. It's gone now! But I don't want to click it, too afraid it might hurt or mess-up something! ^_^

EDIT: Doing an online search, I found bravianx was a malware program, and it generated a false virus warning in a red circle in the task bar. delself.bat still remains, and I'm not going to do anything to it, unsure what it is.

Thanks Again! Be Blessed! ^_^

- Little preacher man.

Edited by Leifgreen, 22 July 2008 - 06:29 PM.

  • 0
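As an added example (not part of the thread or of any of the tools it uses), a small Python triage of a Dr.Web CureIt report in the semicolon-separated shape posted above: it separates the "Tool." flags raised on the SmitfraudFix/SDFix helpers from actual infections and counts how many hits sit in System Restore points, which is why the restore points get reset later in the thread. The sample report is constructed; the user name and restore-point GUID are placeholders.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv): object;location;threat;action;"""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

# Constructed sample modelled on the report posted in the thread; the user
# name and restore-point GUID are placeholders, not values from the page.
# An object found inside an archive is written as outer.exe\inner\path.
SAMPLE_REPORT = r"""
Process.exe;C:\Documents and Settings\User\Desktop\SmitfraudFix;Tool.Prockill;;
restart.exe;C:\Documents and Settings\User\Desktop\SmitfraudFix;Tool.ShutDown.11;;
A0017099.exe;C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP2;Trojan.Starter.384;Cured.;
A0021181.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP3\A0021181.exe;Tool.Prockill;;
A0021181.exe;C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP3;Archive contains infected objects;Moved.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;
"""

@dataclass
class Detection:
    obj: str
    location: str
    threat: str
    action: str  # "Cured", "Moved", or "none" when Dr.Web only reported it

    @property
    def in_restore_point(self) -> bool:
        # System Restore keeps copies under System Volume Information\_restore{...},
        # which is why the thread later has the user reset the restore points.
        return "\\system volume information\\_restore" in self.location.lower()

    @property
    def is_tool(self) -> bool:
        # In this report the "Tool." prefix marks fix-kit utilities, not infections.
        return self.threat.startswith("Tool.")

    @property
    def archive_member(self) -> bool:
        return "\\" in self.obj

def parse_report(text: str) -> list[Detection]:
    """Parse DrWeb.csv text; blank lines are skipped, short lines rejected."""
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(";")
        if len(parts) < 4:
            raise ValueError(f"malformed report line: {line!r}")
        obj, location, threat, action = parts[:4]
        detections.append(Detection(obj, location, threat, action.rstrip(".") or "none"))
    return detections

def triage(detections: list[Detection]) -> dict:
    """Separate real infections from fix-tool noise and count restore-point hits."""
    real = [d for d in detections if not d.is_tool]
    return {
        "tool_count": sum(d.is_tool for d in detections),
        "real_threats": [d.threat for d in real],
        # Real threats Dr.Web only reported (no Cured/Moved) need a manual look.
        "unhandled": [d.obj for d in real if d.action == "none"],
        "restore_point_count": sum(d.in_restore_point for d in detections),
        "actions": dict(Counter(d.action for d in detections)),
    }
```

Running `triage(parse_report(SAMPLE_REPORT))` on the sample leaves no unhandled threats, matching the helper's reading of the posted log as clean apart from the restore-point copies.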

#33 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

Also, there has been a new file that popped up, I saw it this morning when powering up my computer, and a new start up task. The file: delself.bat, and bravianx. It's gone now! But I don't want to click it, too afraid it might hurt or mess-up something!

is that still happening? the SDFix that you ran took out the program.....so, is it still happening after you ran that?

also, could you do a search and tell me if the delself.bat file is still on your machine?

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {1036B735-2574-4CCC-93E7-80B84A3C1FB0} - C:\WINDOWS\system32\cnvfa.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

andrewuk
  • 0

#34 Leifgreen (Topic Starter, Member, 49 posts)
All Right, I did what you said, and the delself.bat file is located on my desktop.
Would you like the HijackTHis Log? Thanks again for your help! ^_^ Be Blessed! ^_^

- Little preacher man.
  • 0

#35 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
just delete the delself.bat file and post a new hijackthis log.

andrewuk
  • 0

#36 Leifgreen (Topic Starter, Member, 49 posts)
Here you go! ^_^

HijackThis Scan Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:57, on 7/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

--
End of file - 2489 bytes


- Little preacher man.
  • 0

#37 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Hi

congratulations, your logs are clean and another fix is in the can :)

in this post we will clear away the fix tools (this is so that should you ever be re-infected, you will download updated versions and it will also remove the quarantined Malware from your computer), reset your restore points (there will be infections lurking in there) and i will leave you with some ideas on how to enhance the protection of your machine against future infection.

once you have done the steps below, then post your software issues (the taskbar etc) in the Geeks to Go! » Operating Systems » Windows XP™, 2000, 2003, NT part of this forum, where they will be able to resolve it much faster than i could. say your machine has been cleaned of malware.

also, just more often than you might, could you update and run a complete scan of your antivirus and malwarebytes programs. just in case infections are getting back on.

====STEP 1====
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


====STEP 2====
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

Instructions with screenshots to help is http://www.f-secure..../sfc_dis1.shtml

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/kb/310405



====IDEAS TO SPEED UP YOUR MACHINE====
this page http://users.telenet...owcomputer.html gives some good ideas on how to improve the efficiency of your machine and has one or two useful links to help your further.


====AND FINALLY====
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein


andrewuk
  • 0

#38 Leifgreen (Topic Starter, Member, 49 posts)
Thanks for all your help! GOD Bless you, andrewuk! But, I have a question...

Is it okay to completely remove all Anti-Malware programs and install SUPERAnti-Spyware instead? I really like that one, and it's the most powerful one I've found, that's both light and powerful.

Also, the task bar still is empty until minutes after start up. SUPERAnti-Spyware still won't let me install it. Do you know what's wrong with this? Thanks, again! ^_^

EDIT: Maybe because there's other Anti-Spyware programs installed it won't allow installation access to another one? ^_^

- Little preacher man.

Edited by Leifgreen, 23 July 2008 - 11:25 AM.

  • 0

#39 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

Also, the task bar still is empty until minutes after start up. SUPERAnti-Spyware still won't let me install it. Do you know what's wrong with this?

no, i don't know what is wrong though i am certain it is not malware related. my best guess is that the infections caused some damage on their way through. hence, why i directed you to post this problem at another part of this forum.....see the quote below

once you have done the steps below, then post your software issues (the taskbar etc) in the Geeks to Go! » Operating Systems » Windows XP™, 2000, 2003, NT part of this forum, where they will be able to resolve it much faster than i could. say your machine has been cleaned of malware.


Is it okay to completely remove all Anti-Malware programs and install SUPERAnti-Spyware instead?

it is ok, but i would keep malwarebytes on your machine and run it frequently until you are able to install SUPERanti-spyware.

andrewuk
  • 0

#40 Leifgreen (Topic Starter, Member, 49 posts)
Thank you SO much! I have one more question.

Is it okay for me to surf the web now, or is there another protection program I should install? (Malwarebytes seems to be protecting the system, thanks for that! ^_^)

Also, should I turn on my Windows Firewall? It's been off this whole time... Sorry I didn't tell you that.

Thanks for everything! ^_^ And I apologize for any annoyance or trouble I caused! ^_^

- Little preacher man.
  • 0



#41 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

Is it okay for me to surf the web now, or is there another protection program I should install? (Malwarebytes seems to be protecting the system,

make sure you install: Spybot Search & Destroy; AdAware; SpywareBlaster; SpywareGuard; and IE-SpyAd. and make sure your antivirus program that we installed is active and updated.

but be aware that malwarebytes, Spybot Search & Destroy and AdAware don't protect your system in the background. they merely scan your system to search for and delete malware when you run those programs.

Also, should I turn on my Windows Firewall? It's been off this whole time... Sorry I didn't tell you that.

yes. normally i would instruct you to install a different firewall, but until you get your machine in a better state in the other part of the forum we will stick with the windows firewall.

andrewuk
  • 0

#42 Leifgreen (Topic Starter, Member, 49 posts)
Thank you for all your help. I'll be sure to remember all of it. Thank you so much.
I apologize for any troubles or annoyance.

You may close the forum now! FIZZA! ^_^
Problem's RESOLVED!

GOD Bless you all eternally! Have A Blessed eating, sleeping, waking, going to work, walking around and life forever more! Have a Blessed day!

- Little preacher man.
  • 0

#43 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0