Badly infected xp pro machine

Infected with lots of stuff:

I ran SpyBot, and it stopped several times and gave me this message and a yellow triangle with exclamation mark: 'There were problems in the include file C:\Program Files\Program Files\Spybot-Search_Destroy\Includes\TrojansC.sbi See 'Includes errors.log' for details.' There was only one button to click and it said 'OK' and Spybot wouldn't continue on until I clicked OK. It did this 4 times. One of the files was named Malware.sbi - the next one was MalwareC.sbi - then trojans.sbi and trojansC.sbi. But when it finished running, it threw up the message: "Congratulations! No immediate threats were found." But when everything was closed down, there was a new file on my desktop entitled 'delself.bat'.

Well, I updated my Avast AV this morning - ran it- and, yes, I have a ton of malware! What showed up are the following:

> trojan - Win32: Newdotnet [trj]
> repeated
> adware - Win32: Agent-AWB [adw]
> virus/worm - Win32: Lightly-E [Cryp]
> repeated
> trojan - Win32:Agent-QNI [trj]
> virus - Win32: Lightly-E [cryp]
> trojan - Win32: Newdotnet [trj]
> repeated
> repeated
> adware - Win32:Agent-AWB
> adware - Win32:Adware-gen [adw]

When Avast finally quit, it listed what it had done, and it only seemed able to put one item in the chest.
It read: [embedded_R#25aa8] infection: Win32:Newdotnet [trj] file was
successfully moved to chest. But then the next line said:

[embedded_l#08138] infection: Win32:Newdotnet [trj] error occurred during
moving file to chest. The system cannot find the file specified.

So I am suspicious that the malware was actually removed. Then there was a long list of others that read the same way. I am assuming the 'repeated' ones were NOT removed either. I looked in System32 and could not find braviax.exe ... As I was told it usually hangs out with that 'delself.bat' file.

> What I would like to do: Run the steps in your 8 step program and post the logs here. Am I in the right place to do this? Thanks! This is my first post.
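As an added example (not from this thread or from Avast), a small parser for result lines of the shape Avast printed in the post above, so that the items the scanner could not move to the chest are listed separately from the ones it did quarantine. The sample lines are constructed, modelled on the two quoted in the post.

```python
import re
from collections import Counter

# Constructed sample, modelled on the Avast result lines quoted in the post
# (not a real log from the poster's machine).
AVAST_RESULTS = """\
[embedded_R#25aa8] infection: Win32:Newdotnet [trj] file was successfully moved to chest.
[embedded_l#08138] infection: Win32:Newdotnet [trj] error occurred during moving file to chest. The system cannot find the file specified.
[embedded_A#1c0d2] infection: Win32:Agent-AWB [adw] error occurred during moving file to chest. The system cannot find the file specified.
[embedded_B#3e7f1] infection: Win32:Lightly-E [Cryp] file was successfully moved to chest.
"""

# [item] infection: <family> [<kind>] <outcome text>
LINE_RE = re.compile(
    r"^\[(?P<item>[^\]]+)\]\s+infection:\s+(?P<family>\S+)\s+\[(?P<kind>[^\]]+)\]\s+(?P<outcome>.*)$"
)

def parse_results(text):
    """Return one dict per result line: item, family, kind, whether it was quarantined, and why not."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip header/footer lines the scanner may emit
        outcome = m.group("outcome")
        ok = "successfully moved to chest" in outcome
        rows.append({
            "item": m.group("item"),
            "family": m.group("family"),
            "kind": m.group("kind").lower(),
            "quarantined": ok,
            "reason": None if ok else outcome,
        })
    return rows

def unresolved(rows):
    """Detections the scanner reported but could not quarantine: these still need follow-up."""
    return [r for r in rows if not r["quarantined"]]

def family_counts(rows):
    """Number of detections per malware family, regardless of outcome."""
    return Counter(r["family"] for r in rows)

if __name__ == "__main__":
    rows = parse_results(AVAST_RESULTS)
    for r in unresolved(rows):
        print(f"NOT quarantined: {r['item']} {r['family']} -> {r['reason']}")
    print(dict(family_counts(rows)))
```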
 
First of all, download a more well-known antivirus software like Norton or Kaspersky. If you see that the same viruses are on your computer then it might be a problem, because sometimes these other antivirus softwares do the exact opposite of what they're supposed to do. Anyways, if these viruses keep coming back then you are better off formatting your hard drive, because viruses like these leave traces and it's hard to get rid of them. That's what I had to do when my laptop got infected, and if you decide to do this, you might have a hard time finding all the drivers once XP is installed again, so good luck!
 
Ok, anshuman, Norton is absolutely not recommended in any case. AVAST! is a well known Anti-Virus, being used in Techspot's 8-Step Viruses/Spyware/Malware Preliminary Removal Instructions.

You asked if you are in the right place, and you are actually not. This is the Introductions section, meant for you to... well, introduce yourself!

This isn't unusual, and a mod will move your topic for you, most likely.

HERE is the link to the area you should have posted in, for future reference.

Now, as for your problem, I suggest doing as you said you wanted and following those steps very carefully. The people on here are very educated on this matter and will be able to help you.

Oh, and by the way, Welcome to Techspot!

If you have any problems that you may feel better to get 1 on 1 help with, feel free to PM me!
 
Hi Brezzy

Follow mopar man's advice and do the 8 Steps no short cuts or skipping steps.

But DO NOT uninstall or install a Virus scanner (or any other program) until you are clean.

Before you scan with SuperAntiSpyWare do the below:

SuperAntispyware extra config

After installing, double-click the icon on your desktop to run it.

Update the program definitions.

Click the Preferences button.

Then Scanning Control.

In Scanner Options, make sure all boxes except #3 (Ignore System Restore) are checked.

MalwareBytes extra config

After updating but before running, click Settings and confirm all are checked.

I repeat: update these 2 programs.

Run them and attach their logs.

Mike
 
Thank you to Kimsland for moving me to the right forum. And thank you to the other replies. I will be working on the logs and submit them shortly. Do I click on the 'manage attachments' button on this reply page? Thanks. brez
 
Yes :)

The "Attachments" button looks like this -->
attach.gif
(found in the reply Window)
 
I had the same problem with Avast. The antivirus I used was a-squared combined with AVG Free. I'm now using AVG full version; I've not had a problem in two years. Hope this helps.

But you must uninstall a-squared before getting AVG because of a conflict. This is why a-squared will not get rid of all of the threats, but AVG will get rid of the rest. I found out the only way to get rid of the threats was to use an antivirus that operates at boot up.
 
I suggest you 'newbies' give this person a chance to run the programs and post the logs before you start giving advice!
 
Hello - well, I'm back. I have 3 logs to post. Hope I do it right! Thanks for all the concern. breezy PS Wow! I think that uploading thing went alright. Thanks again.
 
Great Job Breezy

Do this to begin finishing up.

D/L Xclean_Micro http://www.xblock.com/download/xclean_micro.exe
No install, just run it. Delete all it finds and decline to reboot on each item found, until the program finishes; then reboot.

Xclean will run minimized and will pop up a window if it finds anything. If it finds nothing it will exit.
----------------------------------------------------------------------------------------------------------------------------------------------------

D/L, install and run ATF-Cleaner; clear all except passwords in all browsers you have. Run repeatedly until no more is found.

http://www.majorgeeks.com/ATF_Cleaner_d4949.html

Reboot then the below.
----------------------------------------------------------------------------------------------------------------------------------------------------
Run CCleaner, both Temps and Registry; run twice or more until clean.

----------------------------------------------------------------------------------------------------------------------------------------------------
Download OTScanIt: http://download.bleepingcomputer.com/oldtimer/OTScanIt.exe
Close all Apps and Browsers

Download and save to Desktop, double-click it and extract the files to an OTScanIt folder.

If Firewall or other Security or Malware protections pop up, you should allow them to let OTScanIt run.

Enter the OTScanit folder and run OTScanit.exe.

In Additional Scans select BotCheck, Disabled MS Config Items and Eventviewer Errors/Warnings

Top Left click Run Scan.

The scan can take some time so allow it time.

When finished, a log will open; save the log and attach its contents back here.

Update Spybot and run including Immunization.

Then give us a status of how things are working and what is left.

Mike
 
Breezy, the Mbam log is clean! That's a surprise!

SAS shows Tracking Cookies. Open the program and check to remove. Click on lower left image here to see where to check for removal:
http://superantispyware.en.softonic.com/images

Reset Cookies:
Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.
Update Java:
Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of java ( Java Runtime Environment (JRE) 6.0 Update 10 ): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.
You have 2 online scanners running in the background. You can stop them and uninstall:
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab

But there is no malware showing. I want Blind Dragon to take you through ComboFix and any other program he thinks might ferret out any unseen malware. You can go ahead and run the program:

Please download ComboFix.: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
(screen shots to help)
With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.

• Run Combo-Fix.exe and follow the prompts.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Attach the log when through. Blind Dragon will check it for you.
BD, I'm concerned about the clean logs with the amount of malware that was present. Please assist with any other programs you think are needed. Thanks.

EDIT: Mike, I'd like BD to finish this one up.
 
No problem - the only other thing I want to see:

Navigate to C:\Program Files\TrendMicro\HijackThis

Right click on HijackThis.exe and select rename

rename it to breezy.exe

Attach a new HijackThis scan done like this, together with the ComboFix log.
 
Sorry, but I do not want to download any more malware removal programs. Since running the last 3, I have had some more glitches show up. Cannot copy and paste addresses in home page bar, cannot use links in email - gives me 'page cannot be displayed' window - cannot save graphics from my emails. I had an awful time getting back to my post so I could post this! I am on dialup and when I go to disconnect, it shows I am disconnected, but when you pick up the phone, the modem is still online. I sincerely appreciate all your help, but since my logs seemed clean, I think I will just do a 'restore' now. If problems show up again, then I will do a 'recovery.' Frankly, ComboFix scares the bejeebers out of me, and from what I read on it, I just don't think it will cooperate well on a dialup machine. I have less than 3 G personal files and have them all backed up, so it seems a lot simpler to just do a 'Recovery.' Thank you for everything.
 
I think I will just do a 'restore' now.
If you do a System Restore now, you will undo everything that has been done- including the finding and removing of the malware the antivirus program found. Since you don't know when the malware got on the system, you cannot know when to restore to.
Well, I updated my Avast AV this morning - ran it- and, yes, I have a ton of malware! What showed up are the following:
> trojan - Win32: Newdotnet [trj]
> adware - Win32: Agent-AWB [adw]
> virus/worm - Win32: Lightly-E [Cryp]
> trojan - Win32:Agent-QNI [trj]
> virus - Win32: Lightly-E [cryp]
> trojan - Win32: Newdotnet [trj]
> adware - Win32:Agent-AWB
> adware - Win32:Adware-gen [adw]

When Avast finally quit, it listed what it had done, and it only seemed able to put one item in the chest.
It read: [embedded_R#25aa8] infection: Win32:Newdotnet [trj] file was
successfully moved to chest. But then the next line said:

[embedded_l#08138] infection: Win32:Newdotnet [trj] error occurred during
moving file to chest. The system cannot find the file specified.
Malware gets into the restore points. Because they are protected files, the cleaning programs don't remove it from there. When a cleaning is completed, the old restore points are dropped and a new clean one is set.

However, if you don't want to continue, you may want to run one more short program to remove the cleaning tools:
Download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and click the CleanUp! button.
It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).
 