Have tried the 8 step virus/malware removal process

Status
Not open for further replies.

jns2010

Hi there, I have just completed the 8-step guide to malware/spyware/virus removal. The Avira antivirus program picks up this particular trojan every few seconds (TR/Crypt.XPACK.Gen, which is under C:\Windows\system32\hrum247.txt). I have located it and deleted it, even emptied the Recycle Bin, yet it still manages to come back. Very annoying! Attached are the logs as requested in the 8-step guide. Can someone please help me? I have repeated steps 2, 4 and 5 three times and I have attached the last logs of each step. I still have no access to the Command Panel, not that I expected it to magically appear. Hope to hear from anyone soon! Thank you
 

Attachments

  • mbam-log-2010-02-17 (10-06-26).txt (868 bytes)
  • SUPERAntiSpyware Scan Log - 02-17-2010 - 10-31-36.log (693 bytes)
  • hijackthis.log (7.6 KB)
Part of the problem could be that you are running two antivirus programs:
Symantec/Norton
Avira
I also note the McAfee Mail Scanner. Is this left over from a McAfee suite?
This can cause a conflict that can make you more vulnerable. It can also slow you down.

Please remove one of them. If you choose to remove Norton, use Norton Removal Tool
If you choose to remove Avira: (Best done in Safe Mode)
  • Start> Settings> Control Panel> Add or Remove Programs
  • Wait for the list of installed programs to load, then click the name of the Avira program.
  • Click Remove next to the program's name.
  • Press Yes to confirm the removal and then OK.
  • Click Next until Finish. The software is removed.

To remove the AppInit entry O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum247.txt, run this:
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.

    If Combo fix asks to install the Recovery Console, allow it.
    If the program requests to update, allow it.

  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Double click on the setup file on the desktop to run
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
  3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Eset NOD32 Online AntiVirus Scanner HERE

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Rescan with HijackThis when through and include the new log, along with the ComboFix report and the ESET log, in your next reply.
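The O20 entry quoted above is a persistence point, not just a file. Windows loads every path listed in the AppInit_DLLs registry value into each process that loads user32.dll, so deleting hrum247.txt by hand leaves the load instruction in place and the infection's other components free to drop the file again. The following script is an added example for this thread; it is not part of the original posts and not from ComboFix, HijackThis or any other tool mentioned here. It reads the AppInit_DLLs value, flags entries that do not end in .dll or point at a missing file, hashes and signature-checks whatever is present, optionally empties the value, and then checks the NoControlPanel Explorer policy, which is assumed here to be the likely reason Control Panel vanished (the posted logs do not show which policy was set). It assumes an elevated PowerShell 4 or later prompt (Get-FileHash) on the affected machine.

```powershell
# Added example (not from the original thread or the tools it mentions).
# Inspect the AppInit_DLLs persistence point reported by HijackThis as
#   O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum247.txt
# and the Explorer policy that most often hides Control Panel.
# Run from an elevated prompt. Pass -Clear to empty the value after saving a copy.
param([switch]$Clear)

$winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$props  = Get-ItemProperty -Path $winKey

# AppInit_DLLs is a space- or comma-separated list of paths that user32.dll
# loads into every GUI process. An entry without a .dll extension, or one
# pointing at a missing file, is suspicious whether or not the file is present now.
$entries = @()
if ($props.AppInit_DLLs) {
    $entries = $props.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ }
}

Write-Host "AppInit_DLLs     : '$($props.AppInit_DLLs)'"
# LoadAppInit_DLLs exists only on Vista and later; on XP (this thread) the list
# is always honoured, so the property simply prints as empty here.
Write-Host "LoadAppInit_DLLs : $($props.LoadAppInit_DLLs)"

foreach ($e in $entries) {
    $path   = [Environment]::ExpandEnvironmentVariables($e)
    $exists = Test-Path -LiteralPath $path
    $flags  = @()
    if ([IO.Path]::GetExtension($path) -ne '.dll') { $flags += 'non-dll extension' }
    if (-not $exists) {
        $flags += 'file missing (load instruction left behind)'
    } else {
        # Record what was actually loaded before anything is removed.
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
        Write-Host "  sha256($path) = $hash"
    }
    $status = if ($flags) { $flags -join ', ' } else { 'ok' }
    Write-Host "  $path -> $status"
}

if ($Clear -and $entries) {
    # Keep a copy, then empty the value. The value itself should stay present;
    # only its contents are cleared. Processes already running keep the DLL
    # mapped until they exit, so reboot afterwards.
    $backup = Join-Path $env:TEMP 'AppInit_DLLs.backup.txt'
    $props.AppInit_DLLs | Set-Content -LiteralPath $backup
    Set-ItemProperty -Path $winKey -Name AppInit_DLLs -Value ''
    Write-Host "Cleared AppInit_DLLs (previous value saved to $backup). Reboot to unload."
}

# Control Panel missing? NoControlPanel under the Explorer Policies key is the
# usual cause. Assumption for this thread: the logs do not show which policy
# the malware set, so both hives are checked.
foreach ($hive in 'HKCU', 'HKLM') {
    $polKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if (Test-Path -Path $polKey) {
        $val = (Get-ItemProperty -Path $polKey).NoControlPanel
        if ($val) { Write-Host "$polKey NoControlPanel = $val (remove this value to restore Control Panel)" }
    }
}
```

Run it once without -Clear to see what is referenced and record the hash, then with -Clear once the file has been submitted or quarantined. A NotSigned result is a triage hint rather than a verdict: on Windows XP and Vista many Microsoft inbox files are catalog-signed and show as NotSigned to Get-AuthenticodeSignature, so the extension and file-location checks carry more weight there than the signature check.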
 
Hi there, thank you for your response. The McAfee was installed when the computer was first purchased but has expired. Also, I did not know there was Norton on here, only Norton Ghost, which also has expired. Anyway, I have uninstalled the Avira program, so the only icon I can see on the desktop next to the clock would be the SUPERAntiSpyware (would that be the anti-virus program that I enable?). I have followed your instructions and attached are the logs you require. I don't know if the C:\WINDOWS\system32\hrum247.txt has been deleted as the Avira program has been uninstalled, but I'm sure you will tell me by assessing the logs. Is there any way that I can reinstall the Control Panel? Also, do I need to uninstall or delete ComboFix and any other programs (SUPERAntiSpyware, CCleaner, Malwarebytes and HijackThis) after the problem is fixed, please? Anyway, thank you once again for taking the time to help me with my problem. Look forward to your next reply. Cheers
 

Attachments

  • ComboFix.txt (16.4 KB)
  • log.txt (5.8 KB)
  • hijackthis.log (7 KB)
Well, I'll try again- I replied to this about 30 min ago:

Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes

    :Services

    :Reg

    :Files
    C:\WINDOWS\bdaecsc.exe
    C:\WINDOWS\xlavra2.exe
    C:\WINDOWS\system32\appendc.exe

    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Once more please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Double click on the setup file on the desktop to run
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click ComboFix's window while it is running.
  2. ComboFix may reset a number of Internet Explorer's settings.
  3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

Repeat the Eset online scan. Leave new log.

Let's see if any progress has been made. I think the Control Panel will return when we get rid of the malware, but you're still getting it and I'm not sure of the source.
 
Hi there, thank you again for your help. Attached are the logs you require. Hope it helps :)
 

Attachments

  • ComboFix.txt (11.8 KB)
  • 02182010_153137.log (4.1 KB)
  • log.txt (1.1 KB)
Hi there, I've got my Control Panel back! Thank you, thank you, thank you! I would like to thank you for taking the time out to help me with my computer problem. Just one last thing to bug you about: how to uninstall the downloaded programs that helped in taking care of the malware that infected my computer. I know how to uninstall ComboFix, but apart from using the Control Panel to remove these programs, is there any other specific way of removing them, please? I have purchased the McAfee antivirus program but I haven't loaded it in yet; would like your expert opinion one last time. Thank you
 
Not yet! One more thing to do:
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
c:\windows\system32\drivers\lbvtpsni.sys
c:\windows\system32\oriieke4ba91d29.sys

Driver::
ngfa
Urwg57
oriieke4ba91d29

Save this as CFScript.txt, in the same location as ComboFix.exe
[Screenshot: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it will produce a log for you at C:\ComboFix.txt. Please post that here for further review.

If this is clear, I'll give you the instructions to remove the cleaning tools.
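The CFScript above removes three driver services by name (ngfa, Urwg57, oriieke4ba91d29) and two .sys files. Names like these are chosen per victim, so a practitioner wants a way to find such entries rather than recognise them. The following is an added example for this thread, not part of the original posts and not ComboFix's or any other tool's own logic. It walks HKLM\SYSTEM\CurrentControlSet\Services, keeps only kernel and file-system drivers, resolves each ImagePath the way the service loader does, and reports drivers whose file is missing (an orphaned service entry, which is what the Driver:: lines clean up), is unsigned, or lives outside System32\drivers. The relative-path handling for bare paths and the default file name for drivers with no ImagePath are documented defaults, not something shown in this thread. It is read-only and assumes an elevated PowerShell prompt.

```powershell
# Added example (not from the original thread or the tools it mentions).
# Audit kernel and file-system driver services and flag the ones that look
# like the entries the CFScript above removes by name. Read-only; run elevated.

$svcRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$driversDir = Join-Path $env:SystemRoot 'System32\drivers'

function Resolve-ImagePath {
    # ImagePath values come in several forms; normalise to an absolute path.
    #   \??\C:\foo.sys            -> C:\foo.sys
    #   \SystemRoot\System32\...  -> C:\Windows\System32\...
    #   System32\drivers\foo.sys  -> C:\Windows\System32\drivers\foo.sys
    #   bare relative path        -> treated as relative to %SystemRoot% (assumption)
    param([string]$ImagePath)
    $p = $ImagePath.Trim('"')
    if ($p -match '^\\\?\?\\')           { $p = $p.Substring(4) }
    if ($p -match '^\\SystemRoot\\')     { $p = Join-Path $env:SystemRoot $p.Substring(12) }
    elseif ($p -match '^System32\\')     { $p = Join-Path $env:SystemRoot $p }
    elseif ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$findings = foreach ($key in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
    $svc = Get-ItemProperty -Path $key.PSPath
    # Type 1 = kernel driver, 2 = file-system driver; skip user-mode services.
    if ($svc.Type -ne 1 -and $svc.Type -ne 2) { continue }

    # A driver with no ImagePath defaults to System32\drivers\<ServiceName>.sys.
    $raw  = if ($svc.ImagePath) { $svc.ImagePath } else { "System32\drivers\$($key.PSChildName).sys" }
    $path = Resolve-ImagePath $raw

    $flags = @()
    if (-not (Test-Path -LiteralPath $path)) {
        $flags += 'file missing (orphaned service entry)'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
        if (-not $path.StartsWith($driversDir, 'OrdinalIgnoreCase')) { $flags += 'outside System32\drivers' }
    }

    if ($flags) {
        [pscustomobject]@{
            Service   = $key.PSChildName
            Start     = $svc.Start        # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            ImagePath = $path
            Flags     = $flags -join '; '
        }
    }
}

$findings | Sort-Object Service | Format-Table -AutoSize

# Removing a confirmed-bad driver service by hand (what the Driver:: section of
# the CFScript does), using the names from this thread as placeholders:
#   sc.exe stop   oriieke4ba91d29
#   sc.exe delete oriieke4ba91d29
#   Remove-Item -LiteralPath (Join-Path $driversDir 'lbvtpsni.sys')
# The stop often fails for a rootkit driver; the delete still takes effect at reboot.
```

Treat the output as a worklist, not a verdict. Third-party hardware drivers legitimately sit outside System32\drivers, and on XP or Vista many Microsoft inbox drivers are catalog-signed and report NotSigned to Get-AuthenticodeSignature. The strongest indicators here are a missing file with a boot or system Start value, and a short random-looking service name paired with a file that only recently appeared in the drivers folder.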
 
I've actually uninstalled ComboFix (sorry, I jumped ahead of myself). Am I able to download it again and do the above?
 
OK, so I've downloaded it and followed your instructions. Log is attached. Hope to hear from you soon :)
 

Attachments

  • ComboFix.txt (13 KB)
Okay. You're good to go. Problems should be resolved now.

Remove all of the tools we used and the files and folders they created
Go ahead and run the Combofix Uninstall again as above.
  • Download OTCleanIt by OldTimer
  • Save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
  • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Let me know if I can be of more help.
 
Aww, thanks my friend, you've been awesome! Will definitely give you a buzz if ever I come across any problems with my PC. Thank you, hope you have a nice day.
 