I have Dr Watson errors on my computer [Solved]


  • This topic is locked

#31
CompCav

    Member 5k

  • Expert
  • 12,448 posts
Looks like it removed several baddies.

Let's do the FSS tool now in post #29
  • 0



#32
gary55

  • Topic Starter
  • Member
  • 61 posts
I am happy to report that my computer is booting normally. Also, I tried to connect to Kaspersky's site and it connected! I was thinking the virus may have been blocking that site... as well as ComboFix. At this point I have not downloaded Farbar. Please advise. Thanks again!
  • 0

#33
CompCav

    Member 5k

  • Expert
  • 12,448 posts
Since you had a little fit on the internet, let's do Farbar; it is a quick scan.
  • 0

#34
gary55

  • Topic Starter
  • Member
  • 61 posts
I ran the Farbar program. Here are the results:
Thank you!

Farbar Service Scanner Version: 17-05-2012
Ran by Gary (administrator) on 19-05-2012 at 17:50:17
Running from "C:\Documents and Settings\Gary\My Documents\Downloads"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Disabled. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS: "C:\WINDOWS\system32\qmgr.dll".


Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x0700000005000000010000000200000003000000040000000600000007000000
IpSec Tag value is correct.

**** End of log ****
  • 0

#35
CompCav

    Member 5k

  • Expert
  • 12,448 posts
I will have a fix for this tomorrow. It will take me time to prepare the fix and verify it before posting.

Please be patient and hold on; we are nearing the end of the cleaning process and are now doing some minor repairs.


Thanks,

CompCav
  • 0

#36
gary55

  • Topic Starter
  • Member
  • 61 posts
Thanks! I'll check back tomorrow (Sun.)
  • 0

#37
CompCav

    Member 5k

  • Expert
  • 12,448 posts
You have three key services that have been disabled.


We need to go in and set them to start properly and start each of them.


Click Start >> Run >> type services.msc >> click OK


Now in the list the first one to look for is Automatic Updates.

Right click on Automatic Updates.
Click on Properties.

In the window that comes up you will see:

Startup type: (Select Automatic)

Service status is Stopped, so click the Start button and Service status will display Started.
Click OK to close.

Now in the list look for Background Intelligent Transfer Service.

Right click on Background Intelligent Transfer Service.
Click on Properties.

In the window that comes up you will see:

Startup type: (Select Automatic)

Service status is Stopped, so click the Start button and Service status will display Started.
Click OK to close.


Now in the list look for Background Intelligent Security Center.

Right click on Security Center.
Click on Properties.

In the window that comes up you will see:

Startup type: (Select Automatic)

Service status is Stopped, so click the Start button and Service status will display Started.
Click OK to close.

Click the X in the upper right hand corner to close Services.



Just post back when you have set these properly. If any do not set correctly, also let me know which did not and what they said when you tried to start them.
  • 0
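
The repair in post #37 follows from the Farbar Service Scanner log in post #34, which reports each service whose start type differs from its default. The sketch below is an added example, not part of the original thread and not Farbar's own code: it parses those log lines (copied from post #34) and lists the matching services.msc steps. The function names and the key-to-display-name table are assumptions made for illustration.

```python
import re

# Lines copied from the Farbar Service Scanner log in post #34.
FSS_LOG = r"""
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Disabled. The default start type is Auto.
The ServiceDll of BITS: "C:\WINDOWS\system32\qmgr.dll".
"""

# Service key name -> name shown in services.msc on Windows XP (illustrative table).
DISPLAY_NAME = {
    "wuauserv": "Automatic Updates",
    "BITS": "Background Intelligent Transfer Service",
    "wscsvc": "Security Center",
}

NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.", re.M)
START_TYPE = re.compile(
    r"^The start type of (\S+) service is set to (\w+)\. "
    r"The default start type is (\w+)\.", re.M)

def start_type_deviations(log):
    """Map service -> finding for every service whose start type is not the default."""
    stopped = set(NOT_RUNNING.findall(log))
    return {
        name: {"current": current, "default": default, "running": name not in stopped}
        for name, current, default in START_TYPE.findall(log)
        if current != default
    }

def repair_checklist(log):
    """One services.msc step per deviation, in the order FSS reported them."""
    steps = []
    for name, f in start_type_deviations(log).items():
        label = DISPLAY_NAME.get(name, name)  # unknown services keep their key name
        step = f"{label} ({name}): Startup type {f['current']} -> {f['default']}"
        steps.append(step if f["running"] else step + ", then Start")
    return steps

if __name__ == "__main__":
    print("\n".join(repair_checklist(FSS_LOG)))
```

Re-running the scanner after the repair and feeding the new log through the same function should return an empty result if all three services were restored.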

#38
gary55

  • Topic Starter
  • Member
  • 61 posts
I successfully enabled all 3 services!

Thank you...

Edited by gary55, 20 May 2012 - 11:39 AM.

  • 0

#39
CompCav

    Member 5k

  • Expert
  • 12,448 posts
Fantastic! :thumbsup:


Now a few more tools to further check your computer:







Step 1.

Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application. Please do not accept the trial right now. We just want to run it on demand.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.


Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



Step 2.

Run ESET Online Scan

Note: You can use either Internet Explorer or Mozilla Firefox for this scan.

Vista / 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

Please go here then click on: Posted Image

If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the following instructions work with either Internet Explorer or Mozilla Firefox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow Add-On/Active X to install.
  • Make sure that the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close, make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.


Step 3.

Security Check
Download Security Check by screen317 from here or here.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Step 4.

Please post:


mbam log
eset log
security check log


Please give me an update on how your computer is doing!
  • 0

#40
gary55

  • Topic Starter
  • Member
  • 61 posts
MBAM results. Will be posting other two scans soon. Thank you...

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.20.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Gary :: GARY-0587134ADE [administrator]

5/21/2012 5:19:44 AM
mbam-log-2012-05-21 (05-19-44).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 240180
Time elapsed: 2 minute(s), 54 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 4
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6764C5ED-CEE4-42AE-8F31-23F02A3A661F} (Trojan.Agent) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{F99BD4F5-D402-4C21-A8BC-510830B6BE37} (Trojan.Banker) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\prh (Trojan.Banker) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\tst (Trojan.Banker) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 4
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL|CheckedValue (PUM.Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

Folders Detected: 1
C:\WINDOWS\system32\xmldm (Stolen.Data) -> Quarantined and deleted successfully.

Files Detected: 10
C:\Documents and Settings\Gary\My Documents\Downloads\getskype-full-56.exe (PUP.BundleInstaller.OI) -> No action taken.
C:\Documents and Settings\Matt\My Documents\Downloads\AresSetup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\My Documents\Downloads\XvidSetup(2).exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\My Documents\Downloads\XvidSetup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\My Documents\Downloads\Mp3ConverterSetup(2).exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\My Documents\Downloads\Mp3ConverterSetup.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AcroIEHelpe.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xmldm\[email protected] (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xmldm\FromJava01CD0A2623FA0B0E_00002464_autoexec.bat (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xmldm\[email protected] (Stolen.Data) -> Quarantined and deleted successfully.

(end)
  • 0



#41
gary55

  • Topic Starter
  • Member
  • 61 posts
I don't think this is the right report for ESET, but I can run it again later if needed.
Will run the last instruction later tonight after work...
Thanks again.



C:\Documents and Settings\Gary\My Documents\Downloads\DriverPerformer_V15.exe probably a variant of Win32/TrojanDownloader.Whizelown.I trojan cleaned by deleting - quarantined
C:\Documents and Settings\Gary\My Documents\Downloads\getskype-full-56.exe a variant of Win32/OpenInstall application cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\18.05.2012_22.05.17\tdlfs0000\tsk0004.dta Win32/Olmarik.ADZ trojan cleaned by deleting - quarantined
  • 0

#42
CompCav

    Member 5k

  • Expert
  • 12,448 posts
That is it! Please run and post the last one:

Step 3 Security Check :thumbsup:
  • 0

#43
gary55

  • Topic Starter
  • Member
  • 61 posts
I ran the security check. Here are the results:

Thank you...

Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Java™ 6 Update 29
Adobe Flash Player 11.2.202.235
Adobe Reader X (10.1.3)
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````
  • 0

#44
CompCav

    Member 5k

  • Expert
  • 12,448 posts
Step 1.

Clear the Java Cache by following the instructions here


Step 2.

Update Java

Please download JavaRa to your desktop and unzip it to its own folder

Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.
Open JavaRa.exe again and select Search For Updates.
Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.


Step 3.

Now we need to update Internet Explorer to 8.0.

Please go to Windows Update:

Click Start >> Windows Update click Check for updates >> Check for updates

Select and install any updates a few at a time, including IE 8.0 (you may need to install IE 7.0 first), that you have that are critical, important, and recommended. Even if you do not use Internet Explorer, it is an integral part of Windows and needs to be kept current for security purposes.

You may have to reboot several times but this is an important step in maintaining your security.


Once this is complete, make sure you set up automatic updates using instructions found here



Then come back and give me an update on your computer
  • 0

#45
gary55

  • Topic Starter
  • Member
  • 61 posts
I did the Java work and Internet Explorer downloads/updates. All is working very well on my computer! Thank you for all your expert help, not only to remove the viruses but also updating other programs to keep my computer safer.
  • 0





