Computer infected trojan and more help

I have been infected with a virus. I followed the steps given by you guys in another post, the one about removing malware by downloading all the AVG, Ad-Aware, CCleaner, ComboFix and Panda Antirootkit tools, so I will attach my results. First, the Panda Antirootkit scan was clean, nothing in there; I'll attach the rest. Thanks in advance.
 
Hi Dimmy7 and welcome to TechSpot.:wave:

You need to have a read of this - If your system is infected. Read this before deciding whether to CLEAN or REFORMAT.

Then if you should wish to proceed with cleaning your system you need to go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, ComboFix and AVG Antispyware logs as ATTACHMENTS into this thread, only after doing the above.
We also need to know the result of Panda Antirootkit.


This thread is for the use of Dimmy7 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hello and welcome to Techspot.

rik has requested that I step in and help with your problem. That's because he is still in training and is a little unsure about some things.

Your system is a complete mess and very badly infected with a variety of malware.

This is going to take quite a lot of work in order to clean your system. Please follow all instructions exactly.

We need to temporarily disable Spybot Search & Destroy's TeaTimer, as it may interfere with any fix we are trying to run.

Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.

Go to Add/Remove Programs in your Control Panel and uninstall anything to do with the following (if there):

Pgnceeii
WinAble
PartyGaming
PartyPoker
Bodogpoker
sdsxcnul

Close control panel.


Open Notepad and copy/paste the text in the code box below into it.
NOTE: make sure to only highlight and copy what is inside the code box, nothing outside of it.

Also, pay particular attention to this:

Make sure the word File:: is on the first line of the text file you save (no blank line above it, and no space in front of it).
Code:
File::
C:\WINDOWS\system32\vvgeowbv.exe
C:\WINDOWS\plite731.exe
c:\windows\system32\dwdsrngt.exe
C:\WINDOWS\winshow.exe
C:\Program Files\sdsxcnul\ctutcfsv.dll
C:\WINDOWS\system32\kwinslds.exe
C:\Documents and Settings\All Users\Application Data\zgbqvydo.dll
C:\Program Files\WinAble\winable.exe
C:\WINDOWS\system32\ddcyvvw.dll
C:\WINDOWS\system32\winwly32.dll
C:\WINDOWS\xlavba6.exe
C:\WINDOWS\system32\ehkmp.bak2
C:\WINDOWS\system32\ehkmp.bak1
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\frexup3.exe
C:\WINDOWS\system32\aivskurq.dll
C:\WINDOWS\tsitra77.exe
C:\WINDOWS\IFinst27.exe
C:\WINDOWS\Smlt\mA5Q.vbs
C:\WINDOWS\system32\795BC5177A.sys
Folder::
C:\Program Files\Pgnceeii
C:\Program Files\sdsxcnul
C:\Program Files\WinAble
C:\Program Files\Bodog Poker
C:\Program Files\PartyGaming
C:\VundoFix Backups
C:\Qoobox
C:\WINDOWS\system32\fkmdvbtn
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A8C2C57-93A7-0675-5A40-098909C6F6CC}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7FAAC24A-ED89-4F49-9A97-C127A709FD18}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86882CA4-BE70-4BCE-AEA5-CF40EB8E0BC3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89AD4D75-2429-462e-BD4E-443F233F6033}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FB5B012-E8CB-46cd-B6D2-ED428FAE9043}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A654FAC6-E4F3-4D49-B5C7-0EA2D42E3D9C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A730DE28-CEA1-4C98-B986-B33874CDB3B4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"plite731"=-
"{73-38-80-0A-ZN}"=-
"winshow"=-
"crspwbsx"=-
"ExploreUpdSched"=-
"zgbqvydo"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinAble"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyvvw]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwly32]


Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.gif]


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a fresh HJT log.

Regards Howard :wave: :wave:

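As an added example (not from the thread, and not ComboFix's own code), a small Python checker for the CFScript layout Howard describes above: it enforces the rule that File:: must be the very first line with no blank line above it and no leading space, splits the File::, Folder:: and Registry:: sections, and reads the registry entries by the .reg-file conventions those lines follow ([-KEY] removes a whole key, "name"=- removes one value). The sample script, its paths and GUIDs are constructed placeholders, and the warning for a [KEY] entry with no value lines under it is this checker's own heuristic, not documented ComboFix behaviour.

```python
import re
SECTIONS = ("File::", "Folder::", "Registry::")
# Constructed sample in the thread's layout; paths and GUIDs are placeholders.
SAMPLE = r"""File::
C:\WINDOWS\system32\example1.exe
Folder::
C:\Program Files\ExampleDir
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-0000-0000-0000-000000000002}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"example1"=-
"""

def parse_cfscript(text):
    lines = text.split("\n")
    # Rule stressed in the thread: 'File::' must be line 1, with no blank line
    # above it and no leading space (a leading blank line makes lines[0] == "").
    if not lines or lines[0] != "File::":
        raise ValueError("first line must be exactly 'File::'")
    out = {"files": [], "folders": [], "delete_keys": [], "delete_values": [], "warnings": []}
    section, current_key, selected = None, None, []
    for raw in lines:
        line = raw.rstrip()
        if not line:
            continue
        if line in SECTIONS:
            section, current_key = line, None
        elif section == "File::":
            out["files"].append(line)
        elif section == "Folder::":
            out["folders"].append(line)
        elif key := re.fullmatch(r"\[(-?)(.+)\]", line):
            if key.group(1):            # .reg syntax: [-KEY] deletes the whole key
                out["delete_keys"].append(key.group(2))
                current_key = None
            else:                       # [KEY] only selects it for the "name"=- lines below
                current_key = key.group(2)
                selected.append(current_key)
        elif (val := re.fullmatch(r'"(.+)"=-', line)) and current_key:
            out["delete_values"].append((current_key, val.group(1)))  # "name"=- deletes one value
        else:
            raise ValueError(f"unrecognized line in {section}: {line!r}")
    # Heuristic (assumption, not ComboFix documentation): a selected key with no
    # value deletions under it changes nothing, so flag it for a second look.
    touched = {k for k, _ in out["delete_values"]}
    out["warnings"] = [f"[{k}] selects a key but deletes nothing" for k in selected if k not in touched]
    return out

if __name__ == "__main__":
    for name, items in parse_cfscript(SAMPLE).items():
        print(name, items)
```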
 
Howard,

I do not have an icon for ComboFix or any folder for it. What should I do?
Thanks in advance

I figured out I had to save that file to the desktop, so I ran ComboFix with the info you wrote for me. Here are the new logs from ComboFix and HJT.
 
Sorry for the delay in getting back to you, but I've been dealing with some very serious computer issues of my own.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.


Go to Add/Remove Programs in your Control Panel and uninstall anything to do with the following (if there):

ProfileWatcher

Close control panel.

Open your Task Manager by holding down the Ctrl and Alt keys and pressing the Delete key.

Click on the Processes tab and end the process for the following (if there):

profilewatcher.exe

Close Task Manager.

Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to each entry (if there):

O2 - BHO: (no name) - {7FAAC24A-ED89-4F49-9A97-C127A709FD18} - (no file)

O4 - HKLM\..\Run: [ProfileWatcher] C:\Program Files\ProfileWatcher\profilewatcher.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)

O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} (Oracle JInitiator 1.1.8.18) - http://esisprod.milwaukee.k12.wi.us/jinitiator/jinit.exe

O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/53/install/gtdownls.cab

O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or folders (if there):

C:\Program Files\ProfileWatcher
C:\Qoobox

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log and let me know if you're still having problems.

Regards Howard :)

 
Howard,
Everything seems to be OK, except I cannot change my desktop background. It is stuck on the blue screen and I cannot select any of my photos. Let me know what you think. Also, why are some of my folders grayed out? I can still click on them, but they are grayed out.
Thanks
 
Your HJT log is clean.

Turn off System Restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

Right click your desktop and select Properties/Desktop/Customize Desktop/Web. Untick any webpages that may be present and click OK/Apply/OK.

Hopefully, you'll now be able to set your desktop background.

As regards your folder problem: open My Computer and click Tools/Folder Options/View, and make sure "Hide protected operating system files" is ticked. Also, make sure the "Do not show hidden files and folders" button is selected. Click Apply/OK.

Let me know if that helps.

Regards Howard :)

 