TechSpot

Virus, I tried it all, it's still there

By princevulpine
Jul 11, 2008
  1. I followed your instructions on removing the "bad stuff" and I still have a bug.
    I'm working with XP home ed, SP2. I know the actual site where I contracted the virus and everything. At first it changed my clock to military time, and put virus alert! where the AM/PM should be. I get tons of pop-ups and my privacy settings are turned down repeatedly.
    So, I ran through your instructions on this forum (ALL OF THEM), and parts are fixed. I still get pop-ups, although not as frequent. And, yes I use a pop-up blocker, but it gets around it. And every time I actually click and open the IE, it resets my privacy setting to allow all cookies. It stays set where I have it, even after I close IE, but only when I open a new IE window does it reset the settings, even if I have another IE window open.
    I'm totally lost, please HELP.

    I have a HJT log, but I can't post it because there are a few links in it...
     
  2. tipstir

    tipstir TS Ambassador Posts: 2,392   +107

    IE doesn't have great protection. I would recommend you get Firefox and use that as your browser for one thing. Have you run any of the freeware programs suggested here to clean up the system?
     
  3. princevulpine

    princevulpine TS Rookie Topic Starter Posts: 27

    Yup...

    Yeah, I followed the 16 step process outlined on the "how to remove viruses, trojans, etc..." post. I used every free program it listed. Name a few that you think might be helpful, and I've either tried it, or I will.
     
  4. princevulpine

    princevulpine TS Rookie Topic Starter Posts: 27

    oh yeah,

    the preliminary removal instructions post, I mean... that's the one I followed.
     
  5. tipstir

    tipstir TS Ambassador Posts: 2,392   +107

    PC Tools has 3 freeware ones...

    PC Tools Anti-Virus
    PC Tools Threatfire (extra layer of anti-virus/spyware)
    PC Tools Firewall (but that's if you need one)

    RegProt - protects the registry, and also monitors and removes those set to run on your system. Press Yes to keep, No to delete (free)

    You might get to the point to just delete the partition and install a fresh copy of XP. When you do, install Spyware Blaster, then those I've mentioned above with Firefox, to start off with an arsenal before you get on the internet. Also, for added protection, run a web browser in a Sandbox, so if anything tries to get through it can't, as it's blocked in a box where you can terminate and destroy anything in there. The only problem with that now is that you have something going on and you need to try to remove it first. If not, start from scratch. If you start from scratch with the OS, install everything, make the system right, and start to get into the habit of backing up the system or creating an image of your C drive. So next time when it gets out of control you can say recover!
     
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    attach your logs please, by clicking post reply (not quick reply), then click the paperclip icon -> navigate to the log and select upload

    1) Hijackthis log
    2) C:\combofix.txt
    3) MBAM or SAS log
     
  7. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    if you followed the guide can you post your logs

    hijackthis
    combofix
    superantispyware or malwarebytes
     
  8. princevulpine

    princevulpine TS Rookie Topic Starter Posts: 27

    attached are my logs...
    maybe we can start a fire???
     
  9. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    daniel this looks like a good one for you, I will keep an eye on the thread and cut in if needed
     
  10. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    ok will do
     
  11. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {7BA89D6E-AEFF-4FB9-BEB3-67409C0BB9B3} - C:\WINDOWS\system32\efcYSmMC.dll
    O2 - BHO: {7bfb65c4-5480-4339-be34-ececad1928eb} - {be8291da-cece-43eb-9334-08454c56bfb7} - C:\WINDOWS\system32\ckzmjs.dll

    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

    C:\WINDOWS\system32\efcYSmMC.dll
    C:\WINDOWS\system32\ckzmjs.dll

    After that, Reboot, and post a new HijackThis log here in a reply
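
Added example, not part of the thread and not written by any poster: a small Python parser for the HijackThis entry format quoted in the post above. It flags entries that point at a missing file or whose add-on name is empty or a bare GUID, and lists the files a reviewer would then verify on disk. The flagging rules, the function names and the fourth sample line are assumptions made for illustration.

```python
import re

# Constructed sample: the three entries quoted in the post above, plus one
# invented benign-looking entry (last line) for contrast.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7BA89D6E-AEFF-4FB9-BEB3-67409C0BB9B3} - C:\WINDOWS\system32\efcYSmMC.dll
O2 - BHO: {7bfb65c4-5480-4339-be34-ececad1928eb} - {be8291da-cece-43eb-9334-08454c56bfb7} - C:\WINDOWS\system32\ckzmjs.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# Layout: "<section> - <kind>: <name> - {CLSID} - <file path or (no file)>"
ENTRY = re.compile(
    r"^(?P<section>[A-Z]\d+) - (?P<kind>[^:]+): (?P<name>.*?)"
    r" - (?P<clsid>" + GUID + r") - (?P<target>.+)$"
)


def triage(line):
    """Parse one entry; return a dict with review reasons, or None if unparsed."""
    m = ENTRY.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    reasons = []
    # Assumed review rules, modelled on the traits of the entries in the post.
    if entry["target"] == "(no file)":
        reasons.append("registry entry points at a missing file")
    if entry["name"] == "(no name)":
        reasons.append("add-on has no display name")
    elif re.fullmatch(GUID, entry["name"]):
        reasons.append("add-on name is a bare GUID")
    entry["reasons"] = reasons
    return entry


def flagged_entries(log):
    """Return parsed entries that triggered at least one review rule."""
    parsed = (triage(line) for line in log.splitlines())
    return [e for e in parsed if e and e["reasons"]]


def files_to_verify(log):
    """Paths of flagged entries that still reference a file on disk."""
    return [e["target"] for e in flagged_entries(log) if e["target"] != "(no file)"]


if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_LOG):
        print(e["section"], e["clsid"], e["target"], "->", "; ".join(e["reasons"]))
```

A flag here only marks an entry for human review; it does not establish that the file is malicious.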
     
  12. princevulpine

    princevulpine TS Rookie Topic Starter Posts: 27

    thank you

    Monday morning I will try that... It's my work computer. So have a great week-end and thanks again.
     
  13. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    One more thing: you have both Symantec & Zone Alarm installed as a firewall; you only need to have one. Also, you do not have an anti-virus installed. Did you try to remove Norton? Download Norton Removal from below to your desktop and run it to remove anything left from Symantec, then download Avira from my sig; it is the one all the way to the right in olive color.



    Norton Removal

    Avira Free AntiVirus

    One more thing: download Malwarebytes' Anti-Malware from my sig (it is the blue color text). Make sure to install and update it, then run a full system scan in safe mode.

    Also download VundoFix from the link below

    Double-click VundoFix.exe to run it.
    When VundoFix opens, click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files, click YES
    Once you click yes, your desktop will go blank as it starts removing Vundo.

    When completed, it will prompt that it will reboot your computer, click OK.

    VundoFix

    Malwarebytes' Anti-Malware

    then post a fresh hijackthis log and your Malwarebytes' Anti-Malware log
     
  14. tweakboy

    tweakboy TS Guru Posts: 467

    One of these apps should find it and say remove on next boot. Try Spybot, either way it will pop up with that too...
     
  15. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    If you would have stopped to read the thread you would have seen that he followed the malware removal guide, which means he has run Spybot and all of the basic removal, so that is why we are working on removing it from HijackThis and other tools
     
  16. princevulpine

    princevulpine TS Rookie Topic Starter Posts: 27

    I followed your instructions...

    I printed out and carefully followed all your instructions, both posts...

    I think it's gone, MBAM may have taken care of it...
    Attached are the HJT and MBAM, do they look clear?

    Thank you so much for all your help... You Rock!
     
  17. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Just to be sure do this then daniel can continue helping you

    Run CFScript

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [​IMG]

    This will start ComboFix again. After reboot, (in case it asks to reboot), attach Combofix.txt
     
  18. HostV

    HostV TS Rookie

    I had the same issue and I have to say that I do not have a better thing than a reinstall
     
  19. princevulpine

    princevulpine TS Rookie Topic Starter Posts: 27

    HJT Log file, per request...

    Is it dead yet?
     
  20. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    looks like your combofix is clean but let's wait for blind dragon to check your combofix first.

    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    Now we need to create a new System Restore point.

    Click Start Menu > Run > type (or copy and paste)

    %SystemRoot%\System32\restore\rstrui.exe

    Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

    Next go to Start Menu > Run > type

    cleanmgr

    Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen. Click the More Options tab, then click Clean up on the system restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

    To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.
     
  21. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    yep - you can proceed
     
  22. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    ok one last thing to do, let's clean up all of the tools

    Uninstall ComboFix

    • Click Start then Run
    • Now Type Combofix /u in the runbox
    • Make sure there's a space between Combofix & /u
    • Then hit Enter

    The above procedure will Delete the following:
    • ComboFix & its associated files & folders.
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide system/hidden files, if required.
    • Set a new, clean Restore Point.

    ------------------------------------------------------------------

    OTCleanit! by Oldtimer

    • Download OTCleanIt
    • Click the CleanUp! button.
      (It will go through the list & remove all of the tools it finds and then delete itself, requiring a reboot)
     
Topic Status:
Not open for further replies.
