Answers to your tech questions
Computer forums for help with removing malicious software (malware) and improving computer security

[Resolved] Vista Antivirus 2008, spyware removal program pop-ups, I believe I have a pretty malicious virus on my Dell!
TheRogueStar
post Jul 30 2008, 08:52 AM
Post #1


New Member

Group: Authentic Member
Posts: 19
Joined: 30-July 08
From: New York, New York
Member No.: 80,629
Operating System: Windows XP



Hi everyone!

After searching online to find an appropriate tech forum Web site, I am so happy to have found "What the Tech." This seems awesome! I just got what seems to be a pretty malicious virus on my Dell laptop yesterday, and would love help on getting it removed.

I am not very computer-savvy... I don't know how to post the logs which highlight coding of the potential problem. So I'll just share what I think happened on my computer and what's going on with it now.

I know exactly where I got the virus, but am embarrassed to share the site, and I don't know if I'm allowed to say it on here, which should give insight into where I was anyway. I am never listening to frat boys' advice on "hysterical" videos again.

Now, my desktop was replaced with a red background that says, "your privacy is compromised," or something to that effect, and a variety of spyware and malware removal programs continually pop up on my computer. The most prominent one is "Vista Antivirus 2008," but others, like "Privacy Protector," pop up almost every 15 seconds. I can't even utilize Internet effectively (am on a different computer now). I also noticed that I can't access my Control Panel, and it said the administrator (which I thought was me?) disabled that functionality.

There are also five documents that continually appear on my computer - they look like Internet Explorer files. I've tried deleting them, then emptying the recycling bin, but they keep coming back, so I'm assuming they're already pretty ingrained in the coding.

Again, I really don't know much about computers, so specific layman's terms are much appreciated. Thanks in advance for any help you can give.

ken545
post Jul 31 2008, 05:02 AM
Post #2


SuperHelper

Group: Malware Expert
Posts: 7,144
Joined: 3-December 04
From: Darien, Connecticut
Member No.: 19,436
Operating System: Win Xp Home SP3/ Vista Home Premium SP1





Hello TheRogueStar

Welcome to the Whatthetech Malware Removal Forum

Download Trendmicros Hijackthis to your desktop.
  • Double click it to install
  • Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe
  • Open HJT Scan and Save a Log File, it will open in Notepad
  • Go to Format and make sure Wordwrap is Unchecked
  • Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the Post Reply and not start a New Thread.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
TheRogueStar
post Jul 31 2008, 07:51 AM
Post #3


New Member

Group: Authentic Member
Posts: 19
Joined: 30-July 08
From: New York, New York
Member No.: 80,629
Operating System: Windows XP



Hi Ken545! Thanks so much for the prompt response! I'm going away on a trip tonight, but will try this as soon as I return Monday. I will let you know what happens. Enjoy your weekend, and thanks again!
TheRogueStar
post Aug 7 2008, 04:48 PM
Post #4


New Member

Group: Authentic Member
Posts: 19
Joined: 30-July 08
From: New York, New York
Member No.: 80,629
Operating System: Windows XP



Hi Ken545!

I've been trying to download from the link you sent, but whenever I do so, it gets redirected to: Malicious Link Removed

Any thoughts? I appreciate any advice you can give!

Also, it seems like the virus is slowly DEvolving, perhaps. The background on my computer is now back to normal.

Thanks much,
Jessica
ken545
post Aug 8 2008, 08:58 AM
Post #5


SuperHelper

Group: Malware Expert
Posts: 7,144
Joined: 3-December 04
From: Darien, Connecticut
Member No.: 19,436
Operating System: Win Xp Home SP3/ Vista Home Premium SP1





Hi,

I am away myself with limited internet access until Monday night, but I will check in here when I can. It looks like the malware has altered your hosts file. Do a few things: you need to be able to access another known good computer and download these programs, copy them to a CD or a flash drive, then you can transfer them to this computer and run them.

1.

This will reset your HOSTS FILE back to Microsoft's default settings. After you run it, you should be able to get to the links I posted.

Download the HostsXpert 4.2.0.0. - Hosts File Manager.
  • Unzip HostsXpert 4.2.0.0 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
2.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- Don't forget this
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply along with a New Hijackthis log.
3.

Download Trendmicros Hijackthis to your desktop.
  • Double click it to install
  • Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe
  • Open HJT Scan and Save a Log File, it will open in Notepad
  • Go to Format and make sure Wordwrap is Unchecked
  • Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the Post Reply and not start a New Thread.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.


Post the Malwarebytes log and then run HJT and post the log, please.

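As an added illustration (not part of ken545's post, and not HostsXpert's own code): the redirects described in this thread come from extra lines in C:\Windows\System32\drivers\etc\hosts, which Windows consults before it asks DNS. The Python script below parses a hosts file, ignores Microsoft's default mappings, and reports every other entry as either a block (a name pointed at loopback, so the site never loads) or a redirect (a name pointed at some other address). The sample hosts text, the .test host names and the TEST-NET address are constructed for this example.

```python
"""Audit a Windows hosts file for entries that are not Microsoft's defaults.

Added example, not code from the thread or from HostsXpert. The malware in the
thread redirects security sites by adding lines to the hosts file; this script
reports every line that is not one of the default mappings and says whether it
blocks a name (points at loopback) or redirects it (points at another address).
"""
import ipaddress

# Microsoft's default hosts file reduces to these mappings (XP ships only the
# IPv4 line; Vista and later add the IPv6 line).
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample of a tampered hosts file; the .test names and the
# TEST-NET address are placeholders, not values from the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       update.example-av-vendor.test   # vendor site pointed at loopback
203.0.113.7     forums.example-help.test        # help site sent elsewhere
::1             localhost
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        for host in parts[1:]:                 # one IP may map several names
            yield ip, host.lower()


def classify(ip):
    """'block' for loopback targets, 'redirect' for any other address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    return "block" if addr.is_loopback else "redirect"


def audit_hosts(text):
    """Return [(ip, host, verdict)] for every entry outside the defaults."""
    return [
        (ip, host, classify(ip))
        for ip, host in parse_hosts(text)
        if (ip, host) not in DEFAULT_ENTRIES
    ]


def audit_hosts_file(path=HOSTS_PATH):
    """Audit the live hosts file; reading it needs no special privileges."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for ip, host, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"{verdict:8} {host} -> {ip}")
```

A hosts file that audits clean but still redirects points at a different cause (for example the DNS servers or a Winsock LSP, both of which the SmitFraudFix report later in this thread checks), which is why the helper asks for the HostsXpert reset first and the scanner logs second.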
TheRogueStar
post Aug 9 2008, 08:36 AM
Post #6


New Member

Group: Authentic Member
Posts: 19
Joined: 30-July 08
From: New York, New York
Member No.: 80,629
Operating System: Windows XP



Hope you're doing something fun this weekend, Ken!

I transferred all those programs to a CD, but when I inserted it into my laptop, nothing happened. (It worked and ran, but then the usual "open disc" box didn't appear). I then checked "My Computer" and realized I can't access anything I normally can on my computer - the only items present were My Documents. I don't know how I can open up the disc, or if I'll even be able to.

Thank you!
ken545
post Aug 9 2008, 09:17 AM
Post #7


SuperHelper

Group: Malware Expert
Posts: 7,144
Joined: 3-December 04
From: Darien, Connecticut
Member No.: 19,436
Operating System: Win Xp Home SP3/ Vista Home Premium SP1





Can you try downloading HJT from the link in my signature on the bottom of this post? Can you download HostsXpert or Malwarebytes from the infected computer?
ken545
post Aug 9 2008, 09:21 AM
Post #8


SuperHelper

Group: Malware Expert
Posts: 7,144
Joined: 3-December 04
From: Darien, Connecticut
Member No.: 19,436
Operating System: Win Xp Home SP3/ Vista Home Premium SP1





I uploaded HJT for you, it's a zip file so you will have to unzip it. Then follow the instructions to install it and post the log.
Attached File(s)
Attached File  HiJackThis.zip ( 310.91K ) Number of downloads: 16
ken545
post Aug 9 2008, 02:52 PM
Post #9


SuperHelper

Group: Malware Expert
Posts: 7,144
Joined: 3-December 04
From: Darien, Connecticut
Member No.: 19,436
Operating System: Win Xp Home SP3/ Vista Home Premium SP1





Hi,

Are you making any progress? I am attaching HostsXpert also, this is what I would do. Unzip HostsXpert to your desktop and run it via my previous instructions, this should prevent you from being redirected by bringing your hosts file back to the Microsoft default. Then if you're not redirected, download and run Malwarebytes, then unzip and run Hijackthis. Post the log from Malwarebytes and then the Hijackthis log.

Ken
Attached File(s)
Attached File  HostsXpert.zip ( 345.2K ) Number of downloads: 15
TheRogueStar
post Aug 12 2008, 12:27 PM
Post #10


New Member

Group: Authentic Member
Posts: 19
Joined: 30-July 08
From: New York, New York
Member No.: 80,629
Operating System: Windows XP



Hello! Hope you enjoyed your weekend away!

I am not making any progress. Something about this virus refuses to let me go to tech sites or other antivirus sites outside of the ones that keep popping up, or that it keeps redirecting me to. While I can search Google and other random sites, I can't get to any "tech-y" ones.

I've been e-mailing myself the links you've been sending, and trying to open up or download from there, but I always get redirected or a pop-up makes me stop. So I've been unable to open or download anything you've sent!

Any other ideas?

Thank you for your continued help!

ken545
post Aug 12 2008, 03:52 PM
Post #11


SuperHelper

Group: Malware Expert
Posts: 7,144
Joined: 3-December 04
From: Darien, Connecticut
Member No.: 19,436
Operating System: Win Xp Home SP3/ Vista Home Premium SP1





Hello,

Let's try this. Boot to Safemode with Network Support. This may take a few tries to get the timing right, so don't give up. After you boot to safemode, access this site and try to download HJT and post the log.

To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, tap the F8 KEY somewhat rapidly; this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode with Network Support
  • Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode



If you can, try running Malwarebytes. I am going to give you a few other programs to run, try downloading them in Safemode, one should work.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Download SmitfraudFix
Extract the content (a folder named SmitfraudFix) to your Desktop.

  • Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
  • Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
  • You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
  • The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart into normal Windows.
  • A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized, and extra.txt <- this one will be minimized.
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply.

TheRogueStar
post Aug 18 2008, 08:09 AM
Post #12


New Member

Group: Authentic Member
Posts: 19
Joined: 30-July 08
From: New York, New York
Member No.: 80,629
Operating System: Windows XP



Hi Ken!

So... it seems like the steps you had me do in Safemode really helped clean my computer up! It seems like those annoying pop-ups are gone, finally. YAY! Thanks so much for all your help!

Some of my Administrative settings seem to be a bit funky still though. For example, my clock shown on the toolbar on the bottom of my computer is in military time and says "SAFETY ALERT" or something like that. I can at least get into my Control Panel now, but it looks like my clock settings are where I'd want them to be.

Below please find the text file you asked me to include, which appeared after the SmitfraudFix action. (I'm not sure this is relevant, but I had to do it twice before a text file popped up). I don't know what a HijackThis log is though, sorry. And also, I was unable to download Deckard's System Scanner to my desktop.

Thank you!

SmitFraudFix v2.337

Scan done at 23:16:56.03, Sun 08/17/2008
Run from C:\Documents and Settings\Administrator.JESSICAELKER.000\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
C:\WINDOWS\nfavxwdbxpw.dll deleted.
C:\WINDOWS\fdkowvbp.dll deleted.


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\privacy_danger\ Deleted
C:\Program Files\PCHealthCenter\ Deleted
C:\Program Files\VAV\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/Wireless 2915ABG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{8B48C28B-C75A-4860-BDA0-D59877587AAA}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8B48C28B-C75A-4860-BDA0-D59877587AAA}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{8B48C28B-C75A-4860-BDA0-D59877587AAA}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


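As an added example (not from the thread, and not part of SmitFraudFix itself): the report pasted above is a sequence of sections, each introduced by a line of » characters followed by the section name, and the facts a helper reads first are scattered across them. The Python parser below splits a report into those sections and pulls out the version, the paths the tool deleted, the hosts entries it found, the DNS servers in use, and whether the fix ran in safe mode. The embedded sample is an abridged copy of the report in the post above; the regular expressions and function names are this example's own.

```python
"""Summarise a SmitFraudFix report.

Added example, not code from the thread or from SmitFraudFix. Sections begin
with a run of '»' characters followed by the section name; this parser splits
on those headers and extracts the items a helper checks first.
"""
import re

SECTION_MARK = "»»»»"

# Abridged copy of the report posted in the thread above (same layout, fewer
# sections); the paths and the 192.168.1.1 address are taken from that post.
SAMPLE_REPORT = r"""
SmitFraudFix v2.337

Scan done at 23:16:56.03, Sun 08/17/2008
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
C:\WINDOWS\nfavxwdbxpw.dll deleted.
C:\WINDOWS\fdkowvbp.dll deleted.

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\privacy_danger\ Deleted
C:\Program Files\PCHealthCenter\ Deleted
C:\Program Files\VAV\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/Wireless 2915ABG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

»»»»»»»»»»»»»»»»»»»»»»»» End
"""

# "C:\path\file.dll deleted."  or  "C:\path\dir\ Deleted"
DELETED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?)\s+[Dd]eleted\.?$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
VERSION_RE = re.compile(r"^SmitFraudFix v(\S+)", re.MULTILINE)


def split_sections(text):
    """Return (preamble_lines, {section_name: [lines]}) in report order."""
    preamble, sections, current = [], {}, None
    for line in text.splitlines():
        if line.startswith(SECTION_MARK):
            current = line.lstrip("»").strip()
            sections.setdefault(current, [])
        elif current is None:
            preamble.append(line)
        else:
            sections[current].append(line)
    return preamble, sections


def summarize(text):
    """Extract the facts a helper looks for first from a SmitFraudFix report."""
    preamble, sections = split_sections(text)
    deleted = []
    for lines in sections.values():
        for line in lines:
            match = DELETED_RE.match(line.strip())
            if match:
                deleted.append(match.group("path"))
    hosts = [l.strip() for l in sections.get("hosts", []) if l.strip()]
    dns_servers = sorted({ip for l in sections.get("DNS", []) for ip in IPV4_RE.findall(l)})
    version = VERSION_RE.search(text)
    return {
        "version": version.group(1) if version else None,
        "safe_mode": any("safe mode" in l.lower() for l in preamble),
        "sections": list(sections),
        "deleted": deleted,
        "hosts": hosts,
        "dns_servers": dns_servers,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Reading the summary for the report above: the hosts file is back to the single default line, the only DNS server is the home router's private address, and the deleted paths match the fake "privacy" alert and the rogue antivirus the first post describes, which is consistent with the pop-ups stopping.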
ken545
post Aug 18 2008, 10:13 AM
Post #13


SuperHelper

Group: Malware Expert
Posts: 7,144
Joined: 3-December 04
From: Darien, Connecticut
Member No.: 19,436
Operating System: Win Xp Home SP3/ Vista Home Premium SP1





Hi,

I would like to see the Deckard report along with a new HJT log please.
TheRogueStar
post Aug 18 2008, 11:39 AM
Post #14


New Member

Group: Authentic Member
Posts: 19
Joined: 30-July 08
From: New York, New York
Member No.: 80,629
Operating System: Windows XP



Absolutely, but what is the Deckard report (or where can I get it), and how do I do an HJT log? Sorry, I'm not the most computer-savvy. Thank you!
ken545
post Aug 18 2008, 11:58 AM
Post #15


SuperHelper

Group: Malware Expert
Posts: 7,144
Joined: 3-December 04
From: Darien, Connecticut
Member No.: 19,436
Operating System: Win Xp Home SP3/ Vista Home Premium SP1





Let's bypass Deckard for the time being, but I need to see a Hijackthis log to see if there is anything else we have to go after.

Download Trendmicros Hijackthis to your desktop.
  • Double click it to install
  • Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe
  • Open HJT Scan and Save a Log File, it will open in Notepad
  • Go to Format and make sure Wordwrap is Unchecked
  • Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the Post Reply and not start a New Thread.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
Advertisements do not imply our endorsement of that product or service. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk.
Member site: Alliance of Security Analysis Professionals | UNITE Against Malware
© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy