Trying to follow preliminary 15 steps - having a bit of a problem

Status
Not open for further replies.

GingerTheDog

Hello, nice site you have here :)
I am trying to do the preliminary 15 steps before posting my problem. I got to step 10, downloaded and followed instructions for tool 1, and now I cannot seem to download anything else. I click on the link and they come up like they are supposed to, and when I click save file, nothing happens. I did get Panda AntiRootkit to load by opening it with compress disk instead of clicking save file; the other downloads didn't have that option as they aren't zips.
The rootkit program said there were no rootkits found.

Should I continue on without executing tools 2 & 3 in step 10 and Combofix in step 12?
I had Spybot S&D, Avast, ZoneAlarm, CCleaner & HJT installed already, so just had to update them.
Thank you for your help, I really do need it!

Edit: Okay, miraculously the links are working now! So I'm continuing on with the steps; will post findings when through, probably tomorrow morning.
 
Use another PC to download them if you have to, then transfer via a USB drive/CD etc. Post all relevant log files as attachments after running the tools and apps.

Two of the tool links lead you to a website where you can download them; the third is a link to the actual file itself (if I remember correctly). If you still have problems, just skip to the next step and mention what you skipped in your next post.
 
Okay, finally got all the scans and things done! I followed all 15 steps; the only one I couldn't do was step 3. The online virus scan wouldn't continue, I even let it go for a few hours and it never went, so I skipped it.

The symptoms I was having were:
  • There was a security toolbar 7.1 in IE7 browser
  • There was a yellow flashing triangle in my system tray with various bogus and misspelled warnings and alerts.
  • I was receiving a large amount of endless popups for some bogus antivirus program (bestseller among others) - the popups would come whether I was using IE or not (I prefer Firefox)
  • Computer was running extremely slow at almost 100% CPU with no programs actively being used
  • There were also 2 shortcut icons on my desktop for some bogus security programs

So far since rebooting after step 15 I haven't had any more of these problems so maybe I'm clean!

The Panda Scan said no rootkits were found.
When I ran Avast in safe mode (step 13) there were no infections found; the results page that came up had one thing on it and it said:
  • C:\SystemVolumeInformation\... \[UPX] - unable to scan - The file is a decompression bomb.
I have no idea if this is good or bad.

Here are my HJT, ComboFix and AVG Anti-spyware logs.
I hope I haven't forgotten anything.
Thank you!
 
Hello and welcome to Techspot.

Your system is still badly infected.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Win32 USB2 Driver (Microsoft Config)

Close the services window.


Open notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.

Also, pay particular attention to this:

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it).
Code:

File::
C:\Documents and Settings\Owner\setup.exe
C:\Program Files\SpyFlushregTemp.reg
C:\WINDOWS\System32\svchosting.exe

Folder::
C:\WINDOWS\wt\updater
C:\qoobox
C:\vundofix backups
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wcmdmgr"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Win32 USB2 Driver"=-
"Micro Update"=-
"Microsoft Restore"=-
"Microsoft IT Update"=-


Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.gif]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Regards Howard :wave: :wave:

This thread is for the use of GingerTheDog only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
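The CFScript format Howard describes above, as an added example that is not part of the thread or of ComboFix itself: a small Python checker that parses the File::, Folder:: and Registry:: sections and rejects a script whose first line is not exactly File:: (the mistake the post warns about). The embedded sample is a shortened excerpt of the script above.

```python
# Added example (not ComboFix's own code): parse a CFScript.txt of the shape
# shown in the post above and enforce the rule Howard stresses, that "File::"
# is the very first line with no blank line above it and no leading space.
import re

SECTIONS = ("File::", "Folder::", "Registry::")
_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")      # [HKEY_...\Run]
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=-$')   # "name"=-  (delete the value)


def parse_cfscript(text):
    """Return (errors, sections); Registry:: items are (key, value_name) pairs."""
    errors, sections, current, reg_key = [], {s: [] for s in SECTIONS}, None, None
    lines = [ln.rstrip("\r") for ln in text.split("\n")]
    if lines[0] != "File::":
        errors.append("line 1 must be exactly 'File::' (no blank line above, no leading space)")
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue                      # blank lines between items are fine
        if line in SECTIONS:
            current, reg_key = line, None
        elif current is None:
            errors.append(f"line {n}: item before any section header: {line!r}")
        elif current == "Registry::":
            if m := _KEY_RE.match(line):
                reg_key = m.group("key")
            elif (m := _VALUE_RE.match(line)) and reg_key:
                sections[current].append((reg_key, m.group("name")))
            else:
                errors.append(f"line {n}: unrecognised registry line {line!r}")
        elif line != line.strip():
            errors.append(f"line {n}: leading/trailing whitespace in path {line!r}")
        else:
            sections[current].append(line)
    return errors, sections


# Shortened excerpt of the script in the post above (same format, fewer entries).
SAMPLE = """File::
C:\\WINDOWS\\System32\\svchosting.exe

Folder::
C:\\WINDOWS\\wt\\updater
Registry::
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"wcmdmgr"=-
[HKEY_USERS\\.default\\software\\microsoft\\windows\\currentversion\\run]
"Win32 USB2 Driver"=-
"""
```

Running `parse_cfscript(SAMPLE)` returns an empty error list; feeding it a file that starts with a blank line or a space before File:: reports the problem on line 1.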
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

PowerReg Scheduler V3.exe
PowerReg Scheduler

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')

O4 - Startup: PowerReg Scheduler V3.exe

O4 - Startup: PowerReg Scheduler.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O15 - Trusted Zone: *.ebaystatic.com

O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} - http://survey.otxresearch.com/Preloader.dll

O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/WINDSTREAM/static/controls/WebflowActiveXInstaller_2-0-0.cab

O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab

O16 - DPF: {610FB8B8-2427-4375-BCF9-2F7AE17173A6} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab

O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB

O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.116/view22/View22RTE.cab

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or folders (if there).

PowerReg Scheduler V3.exe
PowerReg Scheduler
Search your system for these files and delete all instances found.

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :)

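As an added example (not from the thread and not HijackThis' own code), a Python triage of O16 DPF lines like the ones Howard lists above: it extracts the CLSID, control name and host from each entry and flags the ones a reviewer would look at first. The flags (plain http, bare-IP host, unnamed control) are my own review heuristics, not HJT's.

```python
# Added example (not HijackThis' own code): parse the O16 (DPF / ActiveX
# download) lines of a HJT log like the one above and flag what a reviewer
# looks at first: plain http, a bare IP address as host, or an unnamed control.
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

_O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$"
)


def parse_o16(line):
    """Return a dict for one O16 line, or None if the line is not an O16 entry."""
    m = _O16_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m.group("url"))
    host = url.hostname or ""
    try:
        bare_ip = ip_address(host) is not None
    except ValueError:                    # a DNS name, not an IP literal
        bare_ip = False
    flags = []
    if url.scheme != "https":
        flags.append("plain-http")
    if bare_ip:
        flags.append("bare-ip-host")
    if not m.group("name"):
        flags.append("unnamed-control")
    return {"clsid": m.group("clsid"), "name": m.group("name"), "host": host, "flags": flags}


def triage(log_text):
    """All O16 entries in a log, most-flagged first (sorted() is stable, so ties keep log order)."""
    entries = [e for e in map(parse_o16, log_text.splitlines()) if e]
    return sorted(entries, key=lambda e: -len(e["flags"]))


# Constructed sample: three O16 lines copied from the log above plus one O4 line for contrast.
SAMPLE_LOG = """O4 - Startup: AutoTBar.exe
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {610FB8B8-2427-4375-BCF9-2F7AE17173A6} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.116/view22/View22RTE.cab
"""
```

`triage(SAMPLE_LOG)` puts the unnamed control and the bare-IP host ahead of the named Snapfish control, which only carries the plain-http flag.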
 
The
PowerReg Scheduler V3.exe
PowerReg Scheduler
weren't in Task Manager in safe mode.

I did delete 4 instances of them that search found.

I know that I put a check next to
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')

but I see that it's there again now. I'm not sure if I should try it again so I will wait for instructions to do so.

Here is the fresh log.
 
Have HJT fix the following from normal mode.

O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')

O4 - Startup: AutoTBar.exe

Reboot your system and see if they're still there. They're not nasty, more of an annoyance really.

Other than that, your HJT log is clean as a whistle.

Regards Howard :)

 
That did the trick, I also searched it and deleted files. It's gone :)

So my computer is really clean now? Wow, thank you so much, that was pretty pain-free.

Hopefully this will not happen again anytime soon, I will have to run my virus and spyware programs more often I suppose.

I really appreciate the quick and thorough advice you offer. I tried to receive help on a few other forums with no replies, before I found this one. You and your fellow Techs are truly wonderful.

Thanks ;)
 
That's good news and you should be good to go.

Turn off system restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 