Completed the 8 steps

[ndoyle]

Hi

My sister got her computer infected through clicking on a link in msn. It had disabled AVG (which was outdated anyways) and the internet. I am posting this from my laptop from which I downloaded all of the antivirus programs and transferred them using a flash drive. I dont have the first AVG log but it had found 2 trojans and a bunch of adware. I will post the AVG log that I do have which was run in safe mode. I have run each program multiple times and they have been comping back clean except that I still cannot access the internet. I have uploaded the "dirty" logs.

Look forward to you're help and thanks in advance

 

[ChrisDown]

You have Antivirus 2009 installed on that system -- that is a notorious rogue antivirus, ie it is malware disguised as an antivirus.

Would you please run another HJT scan and tick the following entry, then click 'fix'.

O4 - HKCU\..\Run: [04888337933982142718224191072295] C:\Program Files\Antivirus 2009\av2009.exe

After this, I'd suggest running ComboFix.

Could you please download ComboFix from here, rename it to a few random letters (to stop malware noticing it), and then run it? The log that ComboFix produces should give more of an idea of what is going on, and ComboFix may even be able to remove more of the offending malware (if it is still there).

Please do not click on the ComboFix window itself -- the program has been known to stall on occasions if you do this.

After you're done, please upload the log. Thanks.

 

[ndoyle]

Alright I did what you asked and have posted the combofix log.

Do you think that I should remove the antivirus, the computer is not connected to the internet.

And thanks for the help by the way, I am in no hurry to get this fixed so feel free to take your time. Thank you once again and I hope you can help.

 

[ChrisDown]

Well that is just it -- the 'antivirus' (Antivirus 2009) is not an antivirus.

I had a look through that log, seems ok. It is, however, 4 in the morning, so I will get some sleep and tomorrow morning will take another look.

 

[ndoyle]

Ok i removed the fake antivirus but now when I try to open Internet explorer it just makes a shortcut for internet explorer so I am removing internet explorer (I had just reinstalled it).

Thanks for all the help so far

 

[ChrisDown]

Hi -- would you please create a fresh HJT log and upload it? Thanks.

 

[ndoyle]

One HJT log coming up

 

[Bobbye]

Lt's get back on track.

I have run each program multiple times and they have been comping back clean except that I still cannot access the internet. I have uploaded the "dirty" logs.

Then post the clean logs!


The first thing you need to do is get an antivirus program on the system. You'll find recommendations and links in Step 1. Since AVG is outdated, I suggest Avira or Avast. Once the program has been installed, Please run a full system scan, save the log and include it in your next post.

Please open HijackThis, and select Do a system scan only.

Place a checkmark next to the following entries (if present):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - FBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O4 - HKCU\..\Run: [04888337933982142718224191072295] C:\Program Files\Antivirus 2009\av2009.exe


Then, close all other open windows, leaving only HijackThis open, and select Fix checked.

Boot into Safe Mode
[*] Restart your computer and start pressing the F8 key on your keyboard.
[*] Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
Start> Run> type in msconfig> enter> Selective startup> Startup tab> UNCHECK any entry for Antivirus 2009> Apply> OK

Control Panel> Add/Remove Programs> UNINSTALL any enry for Antivirus 2009

Right click on Start> Explore> Programs> right click on Antivirus 2009> Delete

Empty the Recycle Bin

Boot back into Normal Mode: NOTE: ignore the nag message and close it after checking 'don't show this message again.' Stay in Selectivee Startup.

Now try the internet. you had a redirect on search and homepage.

Post the 'clean' logs> 1. Malwarebytes and 2. Superantispyware
Rescan with 3. HijackThis and attach new log.
Attach new 4. antivirus log

(Note on Malwarebytes: if you ran it in Safe Mode, please update and run in Normal Mode)





You will find a good description of Antivirus 2009 here:
http://www.bleepingcomputer.com/virus-removal/uninstall-antivirus-2009

 

[ndoyle]

ok I'll do that, though it will take a while because the computer is really slow, probably about a day to do it all

thanks again

 

[Bobbye]

Once you get rid f the malware, it should speed up. You can delete all the 'dirty logs' You can also uncheck everything on Startup EXCEPT the antivirus, firewall, touch pad if on laptop. We will also have you remove the cleaning tools and old restore points when clean.

 

[ndoyle]

Ok sorry that took longer than I thought, the slowness is due to the small amount of memory left on the machine, the avast log that I posted is not the actual log but it is the only thing that showed up after the scan finished, it couldn't be scanned

hope this stuff helps

 

[Bobbye]

SBUbackup is a Selective BackUp System and is a download. This is showing quarantined by Superantispyware and date of backup is 06-24-2009. Delete it.

AVG wasn't completely uninstalled. Please download AVG HERE
[*] Double-click on the downloaded file to run it
[*] AVG will present you with three options to choose from. Choose the Uninstall option to completely uninstall AVG

To uninstall ComboFix.exe:
* Click START then RUN
* Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Please reopen HijackThis to 'do system scan only'. Check each of the following entries if present. NOTE: Don't click on 'Fix Checked' until you have completed the list:

R3 - URLSearchHook: (no name) - BFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
(Default Microsoft Internet Explorer Search Hook, normally not displayed in Hijackthis since it's whitelisted)
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
((AVG Security Toolbar)

Close all Windows except HijackThis and clik on "Fix Checked."

Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the Active X control to install
• Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
• Click Scan
• Wait for the scan to finish
• Re-enable your Antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

From a non-infected computer Download SDFix and save it to your Memory stick

Please then boot your infected computer in Safe Mode by doing the following :

• Start your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

Transfer SDFix.exe from you memory stick to the desktop on you infected computer

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC. Let it restart into normal mode.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
• Attach the Report.txt to your next reply.

Attach all logs and report to you next reply. For curiosity, how much RAM are we working with here?

 

[ndoyle]

ok I did everything except the online scanners because i messed up my internet explorer somehow, I confirmed suspicions that i had before about when opening the internet just created a shortcut

I right clicked the internet explorer icon and the only options were

create shortcut
rename
delete
properties

I am not sure what I did to mess up internet explorer, I have uninstalled and reinstalled it a few times but nothing has helped.

I have attached the SDFix log

thanks again

 

[ndoyle]

Oh yeah there is 768 MB of ram

 

[ndoyle]

although it is not the RAM that I think is slowing the computer (but you know more than I do) there is only 4 GB free in the 28 GB harddrive and I have no idea what is taking up all the space. I have removed a bunch of unnecessary programs on the add/remove programs list and the none of the rest on the list were over 1 GB in size.

The computer has XP on it

I realize that this may not be a virus problem anymore and more of a 'what did you do to you're computer problem'

To be more precise as to what the problem is:

* I could not use either firefox or internet explorer
* Other programs cannot connect to the internet in order to update such as MBAM, Avast, Superantispywear, yahoo messenger (I don't think it is completely uninstalled) etc
* I can still connect to the internet wirelessly from my laptop

hope that this may help, I realize that I might not be in the right forum anymore

Thanks for all the help

 

[Bobbye]

It appears that you are giving your sister help through Remote Assistance- is that correct? If so, it might be a problem with the firewall setting:
Add these Exceptions to the Windows Firewall configuration (Start, Control Panel, Windows Firewall, Exceptions)
http://support.microsoft.com/kb/555179

You can determine if it's a firewall problem by disabling the firewall on BOTH computers.
I don't see a third party firewall, so it would be the Windows Firewall,accessible in the Security Center.

Disable the firewall. Let me know if that allows the connection.

I'm not sure what all you've done with IE, but you can also launch IE this way:
Right click on Start> Explore> Programs> Internet Explorer> double-click on iexplore.exe on the right screen.

If that works okay, go back to same place and create a "new" shortcut from that exe file:
Rigth click on the file> Create a shortcut. Then delete any other shortcuts you have for IE.

Your hard drive holds programs that are installed as well as the OS. Once you launch the program, it is using RAM. The 4 GB free in the 28 GB represents only a very small amount of the hard drive free> it's best to maintain as close to 80% free as possible.

But the lack of hard drive 'space' isn't going to slow you down like RAM-it would be evident only when the HD is needed such as installing new programs or any function that requires a specific amount of hard drive to be free- like System Restore.

The inability of security programs to update can be either caused by no connection, incorrectly configured network and/or malware.

It would be helpful if you clarified whether you and your sister have set up a network using the wireless router. If so, you have established that the router works because you can connect but it would indicate either the firewall may be blocking her connection.

 

[ndoyle]

'I'm not sure what all you've done with IE, but you can also launch IE this way:
Right click on Start> Explore> Programs> Internet Explorer> double-click on iexplore.exe on the right screen'

this allowed me to open internet explorer, but I still cannot access the internet even after I turned off the firewall.

 

[ndoyle]

Also I have been helping her by transferring files to and from my laptop via USB drives

Her computer connects to the modem through a cable which goes to the wireless router and then to the modem while mine is wireless

 

[Bobbye]

Please UPDATE Malwarebytes and run new scan. Be sure to check the line for removal of the malware

Attach the log with next reply. by the way, if you want to add something, use the Edit feature instead of making another reply. As long as there isn't a reply from someone else, you can edit your reply.

If Antivirus 2009 was the culprit, malwarebuyes should have picked it up. But the biggest 'offender' there was MyWebSearch. Let's make sure that's cleared out:

Right click on Start> Deplore> Programs> look for MyWebSearch and/or FunWeb> right click> delete on folder if found.

Check Add/Remove Programs and uninstall anything for either of these programs.

I can't find a profile in your logs for the Antivirus 2009 infection. We'll see what Mbam shows this time.

Have you tried to boot into Safe mode and access using Safe Mode with Networking? That's not good to keep running as the security programs don't run, but if the internet connection can be made this way, it gives us more information.

Please open HijackThis to 'do system scan only'.
Check the following if present:
R3 - URLSearchHook: (no name) - BFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

Close all windows except HijackThis and click on 'Fix Checked'