Resolved: Virus keeps returning, Help

Status
Not open for further replies.

necee99

Posts: 156   +1
Please help me! I have a Dell Dimension 3000. OS: Windows XP Home. I first was experiencing the BSOD where I could not get into Windows at all, with the error: check to be sure you have adequate disk space.
check with your hardware vendor for any BIOS updates.
***STOP: 0x0000007E (0xC0000005, 0x8050FD91, 0xF896E50C, 0xF896E208). Then I did a re-install with the Windows CD. I used the repair function instead of the fresh install function. Now I am able to get into Windows.
I have installed McAfee antivirus. I ran full scans like 4 times, and found new trojans each time. I continue to see different viruses and trojans that appear. I supposedly delete them through McAfee. Why do they keep returning? Because I had the virus initially, is my system now more susceptible to viruses? Are they in my internet connection? What should I do? I followed the 8 step process. They showed up with infections even after my McAfee scan and removal. Here are my logs.

View attachment mbam-log-2010-02-20 (13-13-57).txt

View attachment hijackthis.log

View attachment SUPERAntiSpyware Scan Log - 02-20-2010 - 13-56-18.log
 
The malware isn't being fully removed. So it isn't coming back; it's still on the system.

You should change all of your passwords and monitor any online financial transactions. The malware you had/have steals passwords.

Please do not use the System Restore feature. There is malware in the restore points. When the system is clean, I will have you remove the old restore points and set a new, clean one.

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Double click on the setup file on the desktop to run
  • If prompted to download and install the Microsoft Windows Recovery Console, Please allow.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings.
  3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
Then Run Eset NOD32 Online AntiVirus Scanner HERE

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Follow with rescan of HijackThis.

Please include the following in your next reply:
Combofix report
Eset log
New HijackThis log.

Important! Please do not run any other cleaning programs unless I instruct you to. Don't install, uninstall or update any programs while we are cleaning.
 
The Eset log shows an entry that has been quarantined in Combofix. It is no longer active in your system and will be removed when I have you uninstall Combofix.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\Kmeyuca.bin
c:\windows\Sfavo.dat

Folder::
C:\93987ae98a1f807d9a02d8da

Registry::

Driver::

FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe.

[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to next reply.
 
Okay. Please rescan with Hijackthis and give me a new log.

Can you uninstall your firewall, then reinstall it. That should reset the ports.
 
Yes. I'd like to run ComboFix again after you reset the firewall as below to make sure the ports are closed. All you have to do is delete the current ComboFix log on the desktop, then run again.

Just the McAfee firewall. It needs to be reconfigured and that's the easiest way. You might be able to stop the Service, then restart:

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
  • Click on Start> Run> type in services.msc
  • Double click on MPFService> Change Startup type to Disabled> Stop the Service.
  • Exit Services

Reboot the computer back into Normal Mode>> repeat what you did above, but change the Service back to Automatic Startup Type> Start the Service.

Then delete current Combofix report- not the program, but the log it made, and run Combofix again.
(By the way, I'll have you remove all the cleaning tools when we finish)
 
Yes, and I replied. One of the mysteries of cyberspace as it appears to have gotten lost.

The open ports are still on the log. It's possible that they aren't making any difference. I suggested you uncheck all of the HP processes on Startup. HP Digital Imaging puts an excess number of entries on Startup. Then they all run. Using the printer or imaging is just a matter of doing a File> Print or Control Panel> Printer.

I think the following is what is opening the ports:
c:\Program Files\HP\Digital Imaging\smart web printing\SmartWebPrintExe.exe
and I suggested you include it in stopping startups:

Click on Start> Run> type in msconfig> enter> Selective Startup> Startup tab> Uncheck all of the HP and digital Imaging processes: you may see some or all or others of these:
hpqtra08.exe
hpqste08.exe
hposid01.exe
hpqkygrp.exe
hpqcopy2.exe
hpfcCopy.exe
hpoews01.exe
hpiscnapp.exe
SmartWebPrintExe.exe

> Apply> OK.

Reboot the computer. Note: you will get a nag message that can be ignored after checking 'don't show this message again.' Stay in Selective Startup.

Please run this online scan and see if it picks up anything else:
Open Kaspersky Online Scanner in Internet Explorer


Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make sure that the following are selected:
    [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
    [o] Scan Options: Scan Archives> Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    [o] Select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Please rescan with HJT and attach new log and Kaspersky report. If you're still having the recurring malware, I'll have you run a Rootkit program.
 
You're almost done unless you're having another problem:

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZWVURGEC
    
    :Services
    
    :Reg
    
    :Files 
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Then empty the Java cache: Control Panel> Java> Update section> Settings> Delete the files> Apply> OK

Run Temp File Cleaner:
Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.


TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

Empty the Recycle Bin
Let me know what, if any problems still remain.
 
I can't guarantee that any malware is 'gone for good.' But hopefully the entries were found and removed. Remember, your first problem was the Stop Error: 0x0000007E, telling you to "check to be sure you have adequate disk space" and "check with your hardware vendor for any BIOS updates." Your system is older than my desktop. It is possible that your hard drive is full or that Dell has a BIOS update, so consider those.

Then when you ran AV scans, you found different viruses and Trojans. I don't know that these 2 problems were connected, but the fact that you kept getting different malware infections suggests your system might not be well protected and/or what you have isn't working well. I'm going to have you remove the cleaning tools. Then I'm going to give you suggestions for better protection:

Remove all of the tools we used and the files and folders they created

Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer
  • Save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

You should now set a new Restore Point to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
  • Choose the button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time.
  • Go to Start > All Programs > Accessories > System Tools.
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.
------------------------------------------------------------------
Please follow these simple steps to keep your computer clean and secure:
1. Disable and enable System Restore: see the System Restore Guide. This will help you understand what this is, why you need to clean and set restore points, and what information is in them.
2. Stay current on updates:
  • Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
  • Check the Java Updates site often. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
3. Make Internet Explorer safer. Follow the suggestions HERE. This tutorial will help guide you through Configuring Security Settings, Managing ActiveX Controls and other safety features.
4. Remove Temporary Internet Files regularly: use ATF Cleaner by Atribune or TFC.
5. Use an AntiVirus software (only one).
See Virus, Spyware, and Malware Protection and Removal Resources

6. Use a good, bi-directional firewall (one software firewall). I recommend either of these software firewalls; both are free and good:
Comodo or Zone Alarm
7. Consider these programs for extra security:
  • SpywareBlaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
  • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar: Get the free Google Toolbar to help stop pop-up windows.

"So how did I get infected in the first place?"
To learn more about how to protect yourself while on the internet, please read Tony Klein's guide: http://www.spywareinfoforum.co/index.php?showtopic=60955

If I can be of further assistance, please let me know.
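The HOSTS-file step above works because Windows consults that file before DNS, so a hostname mapped to 127.0.0.1 (or 0.0.0.0) never reaches the real site. The script below is an added example, not part of this thread or of the MVPS project: it parses HOSTS-file syntax, lists which names the file sinks to the local machine, and also goes one step beyond the post by flagging entries that send a hostname to some other address, which is the opposite of what a blocklist does and is worth a look when reviewing an infected machine. The hostnames and addresses in SAMPLE_HOSTS are constructed for the example.

```python
"""Audit a Windows HOSTS file: list blocked names and flag non-local overrides.

Added example (not from the forum thread or from MVPS). The sample file
contents below are constructed; the .test and 192.0.2.x values are
documentation-only names and addresses.
"""
import ipaddress
from dataclasses import dataclass

# Addresses that "sink" a hostname: the connection goes to the local
# machine (or nowhere) instead of the real site.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# The one loopback name a stock HOSTS file legitimately carries.
DEFAULT_NAMES = {"localhost"}

# Constructed sample: the default XP entry, two blocklist-style entries,
# one entry that points an update hostname at an outside address, and
# one malformed line that the resolver would ignore.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# [blocklist-style entries]
0.0.0.0  ad.example-ads.test
127.0.0.1  tracker.example-ads.test   # banner tracker
192.0.2.10  update.example-av.test
not a valid line
"""


@dataclass(frozen=True)
class HostsEntry:
    address: str
    hostnames: tuple
    line_no: int


def parse_hosts(text):
    """Return the (address, hostnames, line) entries of a HOSTS file.

    Blank lines and '#' comments are skipped, inline comments are stripped,
    and lines whose first field is not an IP address are ignored.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address in the first column
        if len(fields) < 2:
            continue  # address with no hostname
        names = tuple(h.lower() for h in fields[1:])
        entries.append(HostsEntry(fields[0], names, line_no))
    return entries


def sunk_hostnames(entries):
    """Hostnames the file redirects to the local machine, i.e. blocked sites."""
    return sorted(
        h
        for e in entries
        if e.address in SINK_ADDRESSES
        for h in e.hostnames
        if h not in DEFAULT_NAMES
    )


def redirected_hostnames(entries):
    """Hostnames mapped to a non-local address: an override, not a block."""
    result = {}
    for e in entries:
        if e.address in SINK_ADDRESSES or ipaddress.ip_address(e.address).is_loopback:
            continue
        for h in e.hostnames:
            result[h] = e.address
    return result


def resolves_locally(hostname, entries):
    """True if the HOSTS file would answer this name with a sink address."""
    return hostname.lower() in sunk_hostnames(entries)


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_HOSTS)
    print("blocked (sent to local machine):", sunk_hostnames(parsed))
    print("overridden to another address:", redirected_hostnames(parsed))
```

On a real XP machine the file lives at C:\WINDOWS\system32\drivers\etc\hosts; reading it with `parse_hosts(open(path).read())` gives the same two lists. Anything in the second list that names an antivirus or update server is the kind of entry a cleanup should remove.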
 
You're welcome! A clean system is always a good way to start out the day, and yours appears to be in good shape. :)

Suggestion:
You have many unnecessary processes running in the background. Most likely, you have them set on the Startup menu to start on boot. But they don't need to. They are using the system resources. Instead, take them off of startup; then when you need them, either access through All Programs or, for print, use File> Print.

HP Digital Imaging> all can be unchecked>
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

Java Update: C:\Program Files\Common Files\Java\Java Update\jusched.exe.
Then go to Control Panel> Java> Update tab> Uncheck 'check automatically for updates'> answer Yes when asked to confirm> Apply> OK
Music Match Jukebox: C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
CyberLink: C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
Dell Support: C:\Program Files\Dell Support\DSAgnt.exe

To take off of Startup:
Click on Start> Run> type in msconfig> enter> Selective Startup> Startup tab> Uncheck all processes you don't want to start on boot> then click on Apply> OK.

NOTE: The first time you reboot after making the changes, you get a nag message which you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.

Don't forget to remove the cleaning tools as in Post #15.
 
Got it. And I have removed the cleaning tools. Thanks so much for all your help. Should I remove HijackThis, SUPERAntiSpyware, and Malwarebytes?
 
You're welcome. Yes, go ahead and remove the cleaning tools again:

Remove all of the tools we used and the files and folders they created
  • Download OTCleanIt by OldTimer
  • Save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

Let me know if you need help in the future.
I'm going to close the thread now.
 