8 steps, so far so good. Now what?

Hello,

I got this machine for free with the viruses in it. The symptoms at that time:

Safewebnavigate2008 had taken over I. Explorer.
"VIRUS ALERT!" in task bar next to clock.
"Windows Virus Alert" and balloon pop-ups all over the place.
Missing Start menu items; All Programs, My Computer, Control Panel, Log Off icon, etc.

There were more symptoms, too many to write down.

I have done the 8 steps and most of these problems are gone ("VIRUS ALERT!" is still by the clock) as far as I can tell, and I have gained control over this machine.

CCleaner deleted or fixed all the old and broken registry stuff; Malwarebytes and SUPERAntiSpyware did their thing and both show no infections now. Not so with Avast and HijackThis.

Now what? I have attached the three logs requested in the 8 steps thread, along with another describing the end result of the Avast scan.

Thanks,
Davek

Attachments:
  • mbam-log-2010-02-06 (09-45-35).txt (40 KB)
  • SUPERAntiSpyware Scan Log - 02-06-2010 - 10-48-45.log (7.9 KB)
  • hijackthis.log (8.1 KB)
  • Avast results.txt (1.5 KB)

Oh my goodness! How long have you been having the problems? You have/had a lot of infected files!
Don't try to use System Restore- the restore points are infected. I'll have you remove them at the end.

Please reopen HijackThis to 'do system scan only.' Check each of the following if present (entries with a ">> See ..." note after them are optional; see the notes below):

O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O3 - Toolbar: (no name) - {874AE4BD-B9D0-410D-ABE3-CAA3F2DBD219} - (no file)
O4 - HKLM\..\Run: [BayMgr] DockApp.exe  >> See Option 1
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present  >> See Note 1
O20 - Winlogon Notify: khfgwvlb - khfGwVLB.dll (file missing)
O21 - SSODL: JavaRom - {6f363bac-a241-47a7-ba33-cbf15664c2f9} - (no file)
O22 - SharedTaskScheduler: ablator - {fce1c203-ff2b-4ec1-9983-e2900d29bbd8} - (no file)


Option 1: Hot-swappable drive management on laptops, allowing you to change drives without shutting down Windows. Only required if you frequently swap bay devices.

Note 1. There is a restriction on the browser. If you are aware of this and/or set it yourself, leave this entry. If you did not, it's from the malware so check for removal.

Close all Windows except HJT and click on "Fix Checked"

If you do not have the Recovery Console installed, the following program will give you a chance to install it >> say Yes:
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Double click on the setup file on the desktop to run
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • [image: RcAuto1.gif - the Recovery Console install query]

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    [image: whatnext.png]

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
  3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Follow with a run of the Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Then rescan with HJT.
Attach Combofix report, Eset log and new HJT log with next reply.

Please stay away from Fun Web Products and any of their 'fun' stuff!
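The checklist above boils down to one triage rule: an autostart hook (IE toolbar, Run entry, Winlogon Notify, SSODL, SharedTaskScheduler) whose target reads "(no file)" or "(file missing)" is a dead registry reference that costs nothing to remove, while entries that still point at a real file, and the O6 browser policy, need a judgement call. The script below is an added example, not part of this thread and not HijackThis code; it parses HijackThis-style log lines (the sample lines are copied from the post above with the helper's ">> See ..." annotations stripped), sorts them into "fix now" versus "review", and applies a crude vowel-ratio heuristic, which is my own assumption rather than anything from the post, to flag pseudo-random names like khfgwvlb.

```python
"""Triage HijackThis log entries: which hooks are dead and safe to fix.

Added example (not from the thread, not HijackThis' own code).
The section table and the vowel-ratio heuristic are assumptions.
"""
import re

# Sections whose entries reference a file or COM object that should exist on disk.
HOOK_SECTIONS = {
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "Autostart (Run key / Startup folder)",
    "O20": "Winlogon Notify / AppInit_DLLs",
    "O21": "ShellServiceObjectDelayLoad",
    "O22": "SharedTaskScheduler",
    "O23": "Service",
}

# HijackThis marks a reference whose target is gone with one of these.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

LINE_RE = re.compile(r"^(O\d+)\s*-\s*(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample: the entries from the helper's post, annotations removed.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O3 - Toolbar: (no name) - {874AE4BD-B9D0-410D-ABE3-CAA3F2DBD219} - (no file)
O4 - HKLM\..\Run: [BayMgr] DockApp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - Winlogon Notify: khfgwvlb - khfGwVLB.dll (file missing)
O21 - SSODL: JavaRom - {6f363bac-a241-47a7-ba33-cbf15664c2f9} - (no file)
O22 - SharedTaskScheduler: ablator - {fce1c203-ff2b-4ec1-9983-e2900d29bbd8} - (no file)
"""


def looks_random(name, max_vowel_ratio=0.15, min_len=6):
    """Crude heuristic (assumption): generated names tend to have few vowels."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < min_len:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < max_vowel_ratio


def entry_name(body):
    """Text between the first ': ' and the next ' - ', e.g. 'khfgwvlb' in an O20 line."""
    if ": " not in body:
        return body
    return body.split(": ", 1)[1].split(" - ", 1)[0]


def parse_entry(line):
    """Return a dict for one 'Onn - ...' line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    clsid = CLSID_RE.search(body)
    return {
        "section": section,
        "body": body,
        "name": entry_name(body),
        "clsid": clsid.group(0).upper() if clsid else None,
        "orphan": any(marker in body for marker in ORPHAN_MARKERS),
        "raw": line.strip(),
    }


def triage(log_text):
    """Split entries into (fix_now, review).

    fix_now: hook entries whose target is missing; deleting the reference
             removes nothing that still exists.
    review:  hook entries that still point at a file, plus O6 policy
             restrictions; a human decides (legit software vs. malware).
    """
    fix_now, review = [], []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        if e["section"] in HOOK_SECTIONS and e["orphan"]:
            fix_now.append(e)
        elif e["section"] == "O6" or e["section"] in HOOK_SECTIONS:
            review.append(e)
    return fix_now, review


if __name__ == "__main__":
    fix_now, review = triage(SAMPLE_LOG)
    print("Check these in HijackThis (dead references):")
    for e in fix_now:
        flag = "  <- random-looking name" if looks_random(e["name"]) else ""
        print(f"  {e['raw']}{flag}")
    print("Needs a decision:")
    for e in review:
        print(f"  {e['raw']}")
```

The two lists reproduce the helper's split: the O3/O20/O21/O22 entries come out as dead references, while the O4 BayMgr entry and the O6 restriction land in the review pile. The vowel heuristic only nominates a name for a closer look; a real triage would still confirm what the file was and where it lived before it went missing.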
Hi,

OK, well my partner got this machine and messed it up who knows how, and now he gave it to me. It's a TransPort GX3, and I think worth saving. I guess he just put it in a closet and forgot about it till I needed it. I've had it about 3 weeks now.

I've done what you suggested. The HijackThis scan turned up only the 1st and 3rd on the list, and I deleted them. I've attached the logs for it and ComboFix.

I ran ComboFix twice, because the first time I didn't have a good internet connection and wanted to make sure the recovery console got downloaded. I don't know what happened to the first log, but I can't find it now. It had about a hundred icon things that were automatically deleted by the program. I think it was written over the second time. I believe they were leftovers from old programs.

At this point I am unsuccessful getting ESET to run. It goes to a sky-blue screen after I hit the start button, but the next page fails to open. I'm pretty sure nothing on my machine is in the way, but I'll try it a few more times... nope, not loading.

Attachments:
  • log.txt (26 KB)
  • hijackthis2.txt (7.8 KB)

Dave, please run this in place of the Eset scanner:

Open Kaspersky Online Scanner in Internet Explorer.


Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded, click on NEXT and then Scan Settings
  • In the scan settings, make sure that the following are selected:
    - Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    - Scan Options: Scan Archives, Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan":
    - Select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Please attach log to next reply. I'll go over it and the HijackThis log then.