Many viruses

[frannip]

My father's computer contracted the downloader.zlob virus which opened up a pandora's box of viruses. His McAfee was disabled somewhere along the line of things, and I'm sure I don't need to elaborate on the size of the problems thereafter. I'm attempted to clean his machine. I removed McAfee and instead installed AVG both anti-virus and anti-spyware. There were over 20K spyware files included one critical. Got that cleaned. So far we're up to 7 viruses and still scanning. In the meantime I ran hijack this even though the virus scan is not finished.

There's a program that keeps attempting to run called adxixcr.exe which looks like a dummy security message to me that the machine is infected with abebot. from another post I read here today, my efforts may not work on getting that out.

Can you please take a look at this hijack this log and advise on a solution ?? Don't be scared by the mess you find! Thanks so much!

 

[LookinAround]

You're best to follow the steps as presented here Viruses/Spyware/Malware, preliminary removal instructions

It'll also cleanup as much as possible before having to start/go through the hijackthis process.

 

[kritius]

DELDOMAINS

Download Deldomains.

• Save it to your desktop.
• Right-click DelDomains.inf and select: Install (no need to restart)
• You may not see any noticeable changes or prompts; this is normal.

Note: The DelDomains.inf file will remove ALL entries in the Trusted, Restricted, and Enhanced Security Configuration Zones. Any entries that you had will need to be entered again. You will have to reimmunize with SpywareBlaster, and/or Spybot after doing this, and reinstall IESpyads if you use any of these programs.

Fix entries using HiJackThis

• Launch HiJackThis
• Click the Do a system scan only button
• Put a check next to the entries listed below (if still present)
  
  R3 - URLSearchHook: (no name) - ~4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
  R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
  R3 - URLSearchHook: (no name) - ~BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
  O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
  O3 - Toolbar: stfngdvw - {76C0CCAD-BC10-4E84-B15C-BE1E12C6C6E0} - C:\WINDOWS\stfngdvw.dll (file missing)
  O4 - HKLM\..\Run: [Optimum Online net guide] "C:\Program Files\Optimum Online\Netsurf.exe" -trayicon
  O4 - HKCU\..\Run: [hfrzxyqq] C:\WINDOWS\system32\adkxixcr.exe
  O4 - HKLM\..\Policies\Explorer\Run: [KavoU8HtsQ] C:\Documents and Settings\All Users\Application Data\gzgrylab\irsrovmt.exe
  O4 - HKCU\..\Policies\Explorer\Run: [KavoU8HtsQ] C:\Documents and Settings\All Users\Application Data\gzgrylab\irsrovmt.exe
  O4 - Global Startup: Digital Line Detect.lnk = ?
  O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
  O15 - Trusted Zone: http://www.archiviosex.net
  O15 - Trusted Zone: www.giochi-online.ws
  O15 - Trusted Zone: http://www.happyfile.net
  O15 - Trusted Zone: www.happyfile.net
  O15 - Trusted Zone: www.nodialup.name
  O15 - Trusted Zone: *.nodialup.name
  O15 - Trusted Zone: http://www.otherchance.com
  O15 - Trusted Zone: www.otherchance.com
  O15 - Trusted Zone: www.whatsnew.name
  O15 - Trusted Zone: *.whatsnew.name
  O15 - Trusted Zone: *.www.nodialup.name
  O15 - Trusted Zone: *.www.whatsnew.name
  O16 - DPF: {112857FE-03FF-11D5-9A3F-0080C8D85044} (GameDesire Solitaires) - http://194.244.16.123/g_bin/eng/solitaire_2_0_0_26.cab
  O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,99/mcinsctl.cab
  O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://194.244.16.123/g_bin/eng/poker_2_0_0_45.cab
  O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
  O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://194.244.16.123/g_bin/eng/billard8_2_0_0_30.cab
  O21 - SSODL: fkdnrwsv - {2E1C268B-D9D5-429A-A3B1-3BCB7F1DBC62} - C:\WINDOWS\fkdnrwsv.dll
  O21 - SSODL: sxfnewqb - {DBC4E518-9F22-4F37-BD2C-47B1FACD8EC3} - C:\WINDOWS\sxfnewqb.dll
  O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
  
  
• IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
• Click the Fix checked button and close HiJackThis
• Reboot HijackThis if necessary

Delete Files and Folders

• Right Click on the start button and chose explore
• Show all hidden files and folders, see how HERE
• Navigate to the following files and folders and delete them(if still present)

C:\WINDOWS\system32\adkxixcr.exe<---------This File
C:\Documents and Settings\All Users\Application Data\gzgrylab<---------This Folder
C:\Program Files\Optimum Online<---------This Folder
C:\WINDOWS\privacy_danger<---------This Folder

• Empty the recycle bin.

If that does not work then repeat the process in safe mode. See how to boot into Safe mode HERE.
***DO NOT USE MSCONFIG TO BOOT INTO SAFE MODE***

Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please attach the log into your next reply.
• If you accidently close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

This thread is for the use of frannip only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[pimpmypc]

ouch zlob is a hard one to remove but avg anti malware detects it i no and windows defender does too. You should run trend micro free scan, bitdefender, and nod32. also get rid of mcafee and get avast. zlob goes right through mcafee i had that zlob its a pain. did u get spydawn wit the trojan too?

 

[kritius]

The instructions I post will be fine for now.

 

[pimpmypc]

mine r too i no how hard the zlob trojan is to remove it comes wit spydawn witch is very hard to get rid of. try winpatrol too to disable spydawn. if u hav it

 

[frannip]

still problems

Although I'm not done running the malware scan I thought I would add that a problem that existed for a few months (as I'm told) is still a problem now after all this cleaning.

There are soooo many pop-up type windows that come up advertising spyware removal and such. I'd chalk it up to a pop-up control issue except that I've set the security levels to HIGH to close up those holes. there are WAY too many and all coming up around the same category ... security.

Any thoughts?

 

[pimpmypc]

adware or spyware will make popups

 

[pimpmypc]

http://www.download.com/Spyware-Doctor-Starter-Edition/3000-8022_4-10704508.html?tag=lst-1 try spyware doctor starter edition which has very high detection and removes stuff for me in this version. let me know what it finds. make sure you update it and go to settings and scan for rootkits then run a full scan.

 

[frannip]

I did a spyware scan already that came up with over 20,000 files. Didn't change anything.

Is it really possible that spyware of this type is hitting the machine as quickly as its being wiped off?

FYI ... total viruses found ended up being 141 !! All cleaned successfully.

 

[pimpmypc]

wat did spyware doctor find?

 

[frannip]

I can't list all 20,000 of them. The worst one was dropper.agent.cwp.

 

[pimpmypc]

dropper is a trojan i believe. Did you remove all the infections?

 

[frannip]

yes it is. It was quarantined. Maybe the malwarebytes will fix the rest. I'll post again when that is done. Right now there are many infections so we'll see.

 

[frannip]

No good ...

Malwarebytes found 29 more trojans, many could not be cleaned an had to be quarantined. The issue with these "pop-up" type windows surrounding security issues is still a problem.

I've attachd the malwarebytes log. My next step is attempt the hijack clean in safe mode as requested. We'll see what that brings.

 

[kritius]

Post a fresh HJT for me first.

I need to check something.

 

[frannip]

I found some of the "trusted sites" that we removed via HJT keep reappearing. I added them to the restricted list on internet options security so hopefully the sites related to them won't continue to pop-up. During typing these 3 lines I've already gotten 2 windows warning of a security issue and to "scan now" ....

 

[kritius]

Hosts File Corrupted

Download HostsXpert v4.1 and unzip it to your computer, somewhere where you can find it.

• Double click on HostsXpert.exe to launch the program.
• Click on Restore MS Hosts File to restore your Hosts file to its default condition.
• Click on Make ReadOnly to secure it against further infection.
• Exit the program.

Visit the Website for more information.

[*]Spyware Blaster
SpywareBlaster is a program that is used to secure Internet Explorer by making it harder for ActiveX programs to run on your computer. It does this by disabling known offending ActiveX programs from running at all.

You can download SpywareBlaster from Javacool.

If you need help in using SpywareBlaster, you can read SpywareBlaster's tutorial at Bleeping Computer.

 

[frannip]

Nothing is working. These security messages are constant, the pop-ups are constant. Unless you have other suggestions, my next step is to wipe out the machine completely and re-install everything. This time though, I'll set up spyware blaster, malwarebytes, etc while the machine is clean.

Your thoughts?

Either way I'm calling it a night on this. Been working on it for HOURS. I'll follow through with any other suggestions tomorrow.

Thanks for all your help!!

 

[kritius]

Fix entries using HiJackThis

• Launch HiJackThis
• Click the Do a system scan only button
• Put a check next to the entries listed below(if still present)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/channel/START
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O15 - Trusted Zone: http://www.archiviosex.net
O15 - Trusted Zone: http://www.happyfile.net
O15 - Trusted Zone: http://www.otherchance.com
O20 - Winlogon Notify: pmnnMefc - pmnnMefc.dll (file missing)

• IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
• Click the Fix checked button and close HiJackThis
• Reboot HijackThis if necessary

AVG Anti-Spyware - 1st Part

Please download the trial version of AVG Anti-Spyware here and install it.
When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open.

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:

• Click the Update icon at the top and under Manual Update click the Start update button.
• The program will either update or inform you that no update was available.
• It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).

Please set up the program as follows:

• Click the Shield icon at the top and under Resident shield is... click active. This should now
  change to inactive.
• Click the Update icon and untick the automatic update option.
• Click on Scanner on the toolbar.
• Click on the Settings tab.
  • Under How to act? - make sure that Quarantine is selected.
  • Under How to scan? - All checkboxes should be ticked.
  • Under Possibly unwanted software - All checkboxes should be ticked.
  • Under Reports - Select Do not automatically generate reports.
  • Under What to scan? - Select Scan every file.

Close all open windows.
Do not run a scan yet.

AVG Anti-Spyware - 2nd Part

Start AVG Anti-Spyware

• Click on Scanner on the toolbar.
• Click on Complete System Scan to start the scan process.
• Let the program scan your computer.
• When the scan has finished, follow the instructions below:
  • Make sure that Set all elements to: shows Quarantine
  • Important: Click on the Apply all Actions button (*** This must done before saving the report ***)
  • When the program has finished, it will display the message All actions have been applied.
  • Then click the Save Scan Report button.
  • Click the Save Report as button.
  • Save the report to your Desktop.
• Right-click the AVG Tray Icon and select Exit.
• Now attach the report back to this topic.

This thread is for the use of frannip only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[frannip]

I have not gotten to this latest suggestion as its my father's computer and not mine (I'll get there later today).

Meanwhile I thought I would add that his IE (can't stand it myself) I beleive has been compromised. Common sites that work under firefox on his machine (like mail.yahoo.com for example) come up as NOT FOUND under IE 7.

I thought maybe that would help with ideas of what it could be. Would uninstalling and reinstalling IE 7 work ??

Give me a few hours before trying your suggestion.

 

[kritius]

While your at his,

Please download ATF cleaner
Make sure that all browser windows are closed.

• 
  Double-click ATF-Cleaner.exe to run the program.
  Under Main choose: Select All
  Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

 

[frannip]

still not working. Ran tool1 tool2 tool3 as well they found nothing. ATF cleaner cleaned all. As soon as I opened the browser got bombarded with security popups (about 4 at once).

nothing is working still.

any more suggestions?

 

[frannip]

OK so in some research I thought maybe my dad has some trojan.fakealert type infection. I downloaded spydoctor and ran it ... so many serious infections detected. Unfortunately for me my father's PC is set up in Italian and spydoctor installed in Italian, so it's a little harder for me as I'm not up on the technical computer lingo in Italian but I'm doing my best. I will save a log (if I can figure out how) and attach here when done.

 

[pimpmypc]

make sure its pc tools spyware doctor