SuperAntiSpy found over 80 problems and fixed them, then Alvira found some that sounded similar, then Malwarebytes removed about 120 more...how do I attach the log files? the paper clip above nor the attach files below is active for me to select?

Run MalwareBytes again while in <Safe Mode>.

Then run HiJackThis and send us that log.

Dad, after 46 posts here, you should have learned how to attach a log:

Go to the Reply Box and click on Go to Advanced
Start your message

• Scroll down until you see a button Manage Attachments.
• Click on that and a popup-window opens.
• Click on the Browse button, find the HijackThis.log file, or whatever file you`re trying to attach on your PC and doubleclick on it.
• Now click on the Upload button in the popup.
• When done, click on the Close this window button.
• Finish your message-text, then click on Submit Message.

Please Note: you can attach more than one file to a post by repeating the above steps.

The above quotebox also applies to posting other log files as well.

Safe Mode has nothing to do with it. Run the programs as instructed HERE.
Attach the 3 logs.

All of a sudden, the internet started opening up windows with that same fake Security Site, ....now I am unable to start in safe mode, AND, it wont let me open/run Avira, I cant run Maleware program, and cant run SuperAntiSpy....I can open the internet, but I am afraid it is spreading throughout my computer. I am sending this message from my other sons laptop. I can run Hijack this, but unable to make changes....What can I do?

Maybe its the version of I.E. 6.0 or ?? but on my other computers running XP or later, there is a box to check and attach files...but no manage attachements here on this version....only a description of the types of files that can be attached...

Ran Combo-Fix and have a log.....

Ran Kaspersky and have a report

Ran Hijack this and have a log file....

How can I relay them to you for review??

Thank you!!

Click on Go Advanced on the bottom right of the message box

• Scroll down below the message box until you see the section called Additional Options
• First section is titled Miscellaneous Options
  [o]Automatically parse links in text
  [o]Disable smilies in text
• Below that is section titled Attach Files showing the following list of valid file extensions>
  [o]Valid file extensions: bmp dmp doc gif jpe jpeg jpg log pdf png psd txt zip
  [o] Box named Manage Attachments is below that line.
• Click on Manage Attachments
• Browse to location of each log in your system and attach. do same for each log.

You have first got to click on Go Advance before these options become available to you. I went through the entire User Control Panel and didn't see any setting available to change this section.

If you still can't see it, I'll have a moderator check.

After running ComboFix, and it made its fixes, I was then able to run SuperAntiSpy and then Malewarebytes....logs attached (all ziped). I was not able to attach files from that older desktop, so I emailed them to myself and now able to attach from the laptop that runs a newer operating system and newer version of I.E.

While sending this to you, I am running Avira and it also is still finding virus/trojans....

I dont keep the infected computer tied to the internet now (only for short durations) so that it wont re-install the viruss that I have been able to kill thus far...but there must be some underlying problem that keeps releasing the same ones over again...

Thanks for your help

Attached Files

attachments_2009_11_12.zip (10.7 KB, 3 views)

Have you run MalwareBytes and Avira or Avast in SAFE MODE?

That should have been what you picked up on raybay.

Father, unless you handle the following, there is no point in attempting a cleaning:

You have multiple antivirus programs running.

Symantec-SNDMon.exe>> Part of Symantec's LiveUpate (eg, Norton).
AVG v7: support for this version ended a long time ago.
Avira- version unknown
You should decide which you want to keep and remove the others because:

• Multiple antivirus programs can cause conflicts that may leave the system more vulnerable.
• Multiple antivirus programs can also slow down the system.[/b]

You are way behind in Windows Update. Current SP for Windows XP is #3
You have Platform: Windows XP SP1 (WinNT 5.01.2600)

You have also run an old version of HijackThis, v1.9.9. Current version is v2.0.2, the link given in the virus and malware cleaning steps. Additional malware may be found in the current version.

You did not disable TeaTimer before scanning. Temporarily disabling Real Time Protection is found in Step 3 of the removal thread.

P2P or 'file sharing: P2P Warning:
I see that you are running LimeWire, a P2P program
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall LimeWire for the following reasons:

• As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verity that a download is legitimate.
• Malware writers use these program to include malicious content.
• Fie sharing is usually unmonitored and there is a danger that your private files might be accessed.
• The 'sharing' also includes malware that the shared system has on it.
• Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.

The AdAware antimalware program you are running is v7- that is out of date. That means you won't get current updates.

Kaspersky has found the following malware:
not-a-virus:FraudTool.Win32.AVPlus.d>>>> also known as avplus2009.com This was found in the backup files.
Packed.Win32.Krap.ai>>>> this is a harmful backdoor Trojan that uses stealth techniques to remain undetected on an infected computer or network.

You should not have run Combofix without a helper telling you to do so and guiding you through it.

You've had a DNS Charger infection which will require a router resetting.

So "are you clear"- sorry, not even close

Do you want to reformat/reinstall or do all the updating, then attempt cleaning?

Edit to add: you also have a significan number of Vundo entries remaining.

Thank you for your reply.

This is one of my sons computers....he told me that he had an updated version of windows service pack for his computer that was not compatible or gave him problems, so he reverted back to an older version that worked for him...

I removed the older redundant versions of AVG...had a succesful evening of running maleware removal (see log attached) updated the version of HJT to the current version (again this is an older computer of my sons)...ran Avira and all gave me no virus found....

Please take a look at the newly attached log files and let me know if the progress made was significant (or atleast enough to keep him safe for the time being, until we can affoard to buy him a new laptop for college)

paul


p.s... he asked me not to remove the limewire program until he gets home for the weekend...I told him of the problems and he aggrees to do so....

Attached Files

	mbam-log-2009-11-13 (09-48-03).txt (835 Bytes, 2 views)
	hijackthis.log (5.9 KB, 3 views)

We'll see what we can do. Do you know if he's using a legitimate copy of the operating system. If he's not, that would account for a lot.

As for the updates, some users had problem with SP3 and you can put any SP on a system that not clean and ready. But he needs to get at least SP2 and the updates since.

You need to update Java to v6u17 and remove the earlier version as it is a vulnerability.
Update here: http://www.java.com/en/download/manual.jsp

Remove the remaining Norton/Symantec files using Norton Removal Tool.

Please scan with Kaspersky again- need to know if the worms wiggled out:
Open
Kaspersky Online Scanner in Internet Explorer

• Click Accept and the web scanner will begin to load
• If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
• You will be prompted to install an ActiveX component from Kaspersky, click Install
• If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT and then Scan Settings
• In the scan settings make that the following are selected:
  [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
  [o] Scan Options: Scan Archives> Scan Mail Bases
• Click OK
• Now under select a target to scan:
  [o] Select My Computer
• The program will start to scan your system.
• Once the scan is complete, click on the Save as Text button and save the file to your desktop

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

So give me another log for Kaspersky. We'll go from there.

The operating system is legitimate (came with the hardware at purchase from manufacturor).

I updated Java as instructed and removed the old version.

I uninstalled Norton remnants with the website and instructions provided.

Kaspersky file attached...

Attached Files

Kaspersky111409.txt (1.3 KB, 2 views)

Your son is paying a price for LimeWire:

C:\Documents and Settings\Joseph\My Documents\PaulsMusic4\10 Billy Joel - Leave A Tender Moment.wma' Infected: Trojan-Downloader.WMA.Wimad.u

C:\Documents and Settings\Joseph\My Documents\PaulsMusic4\Murray Head - One Night in Bankok.wma Infected: Trojan-Downloader.WMA.Wimad.u

From Microsoft:
Trying to patch his system isn't worth the effort if he continues with the music sharing. And you ran Avira and it came up clean! Update it and run it again. If it still misses these infections, you need to get rid of it and put something else on the system.

One is quarantined and you can delete it:
C:\Qoobox\Quarantine\C\Program Files\Common Files\ECURIT~1\wοwexec.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.ic


Boot into Safe Mode

• Restart your computer and start pressing the F8 key on your keyboard.
• Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

See this for guidance in 'Deleting the Harmful Files"

For this Packed.Win32.Krap.ai

In Windows Explorer: Click on Tools> Folder Options> View tab> CHECK 'show hidden files and folders'> UNCHECK 'hide protected system files'> Apply> OK.

Step 1 : Use Windows Task Manager to Remove Packed.Win32.Krap.ai Processes
Remove the "Packed.Win32.Krap.ai" processes files:
Backup Registry before doing Step 2:
Step 2 : Use Registry Editor to Remove Packed.Win32.Krap.ai Registry Values
Locate and delete "Packed.Win32.Krap.ag" registry entries:
Step 3 : Detect and Delete Other Packed.Win32.Krap.ai Files
Remove the "Packed.Win32.Krap.ai" processes files:
Use Add/Remove Programs to uninstall the program beginning with 'ECRUIT'

Then use Windows Explorer to delete the program folder which begins with the letters 'ECRUIT.'

Go back and hide the files and folders.
Empty the Recycle Bin

Let me know how it goes.

Good-evening,

I removed the Quarantined object from the past and followed your instructions...there was no process running under Task Manager as you had described in the 4 file codes....

Also, in Regedit, I could not find any of the 3 items you listed hunder Hkey-Current_User\Software....

There were no programs to remove beginning with "ECRUIT"

I updated Avira, re-ran and it did not find any virus...also re-ran Malewarebytes and SuperAntiSpy and found no problems at all...

However, when I re-ran Kaspersky...found what is listed below...

KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, November 16, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 1 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, November 16, 2009 22:18:59
Records in database: 3226322
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 88704
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 02:02:25


File name / Threat / Threats count
C:\WINDOWS\SYSTEM32\ruvaluno.exe Infected: Packed.Win32.Krap.ai 1

Selected area has been scanned.


What else can we try?? Or what am I doing wrong? Booted in Safe Mode, I checked show hidden files and folders as well as unchecked hide protected system files...as directed.

Thanks again for your assistance.

Logged in on sons computer so I am unable to attach text files (must be a function of the old operating system) sorry for the long paste below of the Hijact this logfile.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:46:30 PM, on 11/16/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PCLEUSBTip] C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {05842B0C-271B-412F-958F-D1A8F6CAD937} (ClickLoan Control) - http://www.clickloan.com/CAB/GenClic...nClickLoan.cab
O16 - DPF: {56BCB794-783A-48F1-A4C2-110F32371830} (ContClickLoan Control) - https://www.clickloan.com/CAB/ContCl...tClickLoan.cab
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - https://www.clickloan.com/CAB/PtClic...tClickLoan.cab
O16 - DPF: {F5078F32-C551-11D3-89B9-0000F81FE221} - http://daplus8.wadsworth.com/bca/stu...ent/msxml3.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 6792 bytes

Dad, you loading this file on startup:

O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart

The description of this program from it's home site is that it It's possible that it's removing files that we need to see. I'd like you to remove it from Startup for now:

Click on Start> Run> type in msconfig> enter Selective Startup> Startup tab> find the process and UNCHECK it> Apply> OK.

Now Reboot. NOTE: you will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.

It al so appears that he has a Dell Machine, but some HP either software or hardware. Additionally, he has BCMSMMSG.exe> Related to Pinnacle_Systems Inc. USB Tip USB hardware. So it appears the flash drive is connected.

My point is- I don't know where the weak spot it. I'd like you to run Combofix again: First>> do a right click> delete on the Combofix exe file on your desktop, then run the programs again:
Please download ComboFix HERE:

• With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  
• Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  
• Run Combo-Fix.exe and follow the prompts.
  (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
• Wait for the scan to be completed.
• If it requires a reboot, please do it.

• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Notes:

• 1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Then attach the report to next reply.

Re-ran combo fix per your reccomendation...
It found and repaired an infected windows\system32\qmgr.dll

Do you want me to run Kaspersky again to verify?

Thanks again

Attached Files

combofix.txt (18.8 KB, 2 views)

Yes. But you need to do two things first:

1. Click on Start> Run> type in services.msc> double click on Background Intelligent Transfer Service (BITS)> set Startup type to Manual if it is set to Automatic> Stop the Service> Reboot.

2. Update Kaspersky before scan:
To update the database manually:

• Click the Refresh button in the Kaspersky Online Scanner 7.0 window.
• Kaspersky Online Scanner 7.0 checks for the program and database updates and downloads and installs them.
• Run the scan

Attach the log.

unfortunately, it did not work, after re-running Kaspersky, it found the same single infection as before, Packed.Win32.Krap.ai...


ugg, any new suggestions?

thanks.

Is it still showing here:

C:\WINDOWS\SYSTEM32\ruvaluno.exe Infected:

If you look at the Combofix report, you can see that he has entries from 2002,2003, 2004 still on the system. One set is a 'try and buy' multiple times.

I know you're trying to clean this up until he gets a new system-but-the system needs to be wiped and reinstalled.

I'm going to ask someone else to check this and see if he thinks there is a 'cure.'