Virus, I tried it all, it's still there

Status
Not open for further replies.

princevulpine

Posts: 26   +0
I followed your instructions on removing the "bad stuff" and I still have a bug.
I'm working with XP home ed, SP2. I know the actual site where I contracted the virus and everything. At first it changed my clock to military time, and put virus alert! where the AM/PM should be. I get tons of pop-ups and my privacy settings are turned down repeatedly.
So, I ran through your instructions on this forum (ALL OF THEM), and parts are fixed. I still get pop-ups, although not as frequent. And, yes I use a pop-up blocker, but it gets around it. And every time I actually click and open the IE, it resets my privacy setting to allow all cookies. It stays set where I have it, even after I close IE, but only when I open a new IE window does it reset the settings, even if I have another IE window open.
I'm totally lost, please HELP.

I have a HJT log, but I can't post it because there are a few links in it...
 
IE doesn't have great protection. I would recommend you get Firefox and use that as your browser, for one thing. Have you run any of the freeware programs suggested here to clean up the system?
 
Yup...

Yeah, I followed the 16 step process outlined on the "how to remove viruses, trojans, etc..." post. I used every free program it listed. Name a few that you think might be helpful, and I've either tried it, or I will.
 
PC Tools has 3 freeware ones...

PC Tools Anti-Virus
PC Tools Threatfire (extra layer of anti-virus/spyware)
PC Tools Firewall (but that's if you need one)

RegProt - protects the registry and also monitors and removes those set to run on your system. Press Yes to keep, No to delete (free)

You might get to the point to just delete the partition and install a fresh copy of XP. When you do, install Spyware Blaster, then those I've mentioned above with Firefox, to start off with an arsenal before you get on the internet. Also, for added protection, run a web browser in a Sandbox, so if anything tries to get through it can't, as it's blocked in a box where you can terminate and destroy anything in there. The only problem with that now is that you have something going on and you need to try to remove it first. If not, start from scratch. If you start from scratch with the OS, install everything, make the system right and start to get into the habit of backing up the system or creating an image of your C drive. So next time when it gets out of control you can say recover!
 
Attach your logs please, by clicking post reply (not quick reply), then click the paperclip icon -> navigate to the log and select upload

1) Hijackthis log
2) C:\combofix.txt
3) MBAM or SAS log
 
if you followed the guide can you post your logs

hijackthis
combofix
superantispyware or malwarebytes
 
Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7BA89D6E-AEFF-4FB9-BEB3-67409C0BB9B3} - C:\WINDOWS\system32\efcYSmMC.dll
O2 - BHO: {7bfb65c4-5480-4339-be34-ececad1928eb} - {be8291da-cece-43eb-9334-08454c56bfb7} - C:\WINDOWS\system32\ckzmjs.dll

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINDOWS\system32\efcYSmMC.dll
C:\WINDOWS\system32\ckzmjs.dll

After that, Reboot, and post a new HijackThis log here in a reply
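The entries checked in the post above can be read field by field; the following is an added Python example, not part of the original thread and not HijackThis's own code. It assumes the `code - kind: name - {CLSID} - target` layout seen in the three quoted lines, uses hypothetical function names, and its triage reasons are illustrative heuristics rather than verdicts; the fourth sample line is constructed.

```python
import re

# Three lines quoted in the thread, plus one constructed ordinary-looking entry.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7BA89D6E-AEFF-4FB9-BEB3-67409C0BB9B3} - C:\WINDOWS\system32\efcYSmMC.dll
O2 - BHO: {7bfb65c4-5480-4339-be34-ececad1928eb} - {be8291da-cece-43eb-9334-08454c56bfb7} - C:\WINDOWS\system32\ckzmjs.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
"""

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<kind>[^:]+): (?P<rest>.+)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

def parse_entry(line):
    """Split one log line into code, kind, display name, CLSID and target."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Split from the right: the display name may itself look like a GUID,
    # so the CLSID is always the second-to-last field, not the first brace.
    parts = m["rest"].rsplit(" - ", 2)
    if len(parts) != 3 or not GUID_RE.match(parts[1]):
        return None
    name, clsid, target = parts
    return {"code": m["code"], "kind": m["kind"], "name": name,
            "clsid": clsid.upper(), "target": target}

def triage(entry):
    """Return the (assumed, heuristic) reasons an entry deserves a closer look."""
    reasons = []
    if entry["target"] == "(no file)":
        reasons.append("registered object has no file on disk")
    if entry["name"] == "(no name)":
        reasons.append("unnamed object")
    if GUID_RE.match(entry["name"]):
        reasons.append("GUID used as display name")
    return reasons

def review(log_text):
    """List (CLSID, target, reasons) for every entry with at least one reason."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and (reasons := triage(entry)):
            findings.append((entry["clsid"], entry["target"], reasons))
    return findings

if __name__ == "__main__":
    for clsid, target, reasons in review(SAMPLE_LOG):
        print(clsid, target, "; ".join(reasons))
```

The CLSIDs it reports for the two BHO lines are the same ones that appear in the `Registry::` section of the CFScript later in the thread.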
 
One more thing: you have both Symantec & Zone Alarm installed as a firewall; you only need to have one. Also, you do not have an anti-virus installed. Did you try to remove Norton? Download Norton Removal from below to your desktop and run it to remove anything left from Symantec, then download Avira from my sig; it is the one all the way to the right in olive color.



Norton Removal

Avira Free AntiVirus

One more thing: download Malwarebytes' Anti-Malware from my sig (it is the blue color text). Make sure to install and update it, then run a full system scan in safe mode.

Also download VundoFix from the link below

Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.

When completed, it will prompt that it will reboot your computer, click OK.

VundoFix

Malwarebytes' Anti-Malware

Then post a fresh HijackThis log and your Malwarebytes' Anti-Malware log
 
One of these apps should find it and say remove on next boot. Try spybot, either way it will pop up with that too...
 
tweakboy said:
One of these apps should find it and say remove on next boot. Try spybot, either way it will pop up with that too...

If you would have stopped to read the thread, you would have seen that he followed the malware removal guide, which means he has run Spybot and all of the basic removal, so that is why we are working on removing it from HijackThis and other tools.
 
I followed your instructions...

I printed out and carefully followed all your instructions, both posts...

I think it's gone, MBAM may have taken care of it...
Attached are the HJT and MBAM, do they look clear?

Thank you so much for all your help... You Rock!
 
Just to be sure, do this, then daniel can continue helping you

Run CFScript

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\system32\mgcrsvbe.dll
C:\WINDOWS\system32\ckzmjs.dll
C:\WINDOWS\system32\efcYSmMC.dll
C:\WINDOWS\system32\CMmSYcfe.ini
C:\WINDOWS\system32\pmnnNfCv.dll

Folder::

Driver::

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BA89D6E-AEFF-4FB9-BEB3-67409C0BB9B3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{be8291da-cece-43eb-9334-08454c56bfb7}]

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), attach Combofix.txt
 
Looks like your ComboFix is clean, but let's wait for blind dragon to check your ComboFix first.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next go to Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen. Click the More Options tab, then click Clean up on the system restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.
 
OK, one last thing to do: let's clean up all of the tools

Uninstall ComboFix

  • Click Start then Run
  • Now Type Combofix /u in the runbox
  • Make sure there's a space between Combofix & /u
  • Then hit Enter

The above procedure will Delete the following:
  • ComboFix & its associated files & folders.
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide system/hidden files, if required.
  • Set a new, clean Restore Point.

------------------------------------------------------------------

OTCleanit! by Oldtimer

  • Download OTCleanIt
  • Click the CleanUp! button.
    (It will go through the list & remove all of the tools it finds and then delete itself.) Requires a reboot.
 