
[Resolved] Userinit Infected Swizzor as well as multiple problems


  • This topic is locked
28 replies to this topic

#16 RatHat
    Retired Staff-Malware Expert (Authentic Member, 816 posts)

Posted 16 March 2009 - 12:44 AM

Looks better now, how is the machine running?

Let's do this as a double check:

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on cureit.exe to start the program.
  • Click Start
  • Click OK to the RAM scan
  • When the RAM Scan has completed, choose the Complete scan
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • Agree to any prompts to Move files
  • Click the Select all button at the bottom
  • Click the Cure button, and Delete incurable in the pop out menu
  • Allow it to cure or delete all files, then click on the File menu, then Save report list
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Want to join the fight against Malware? Click here to find out how.

Please do not PM me asking for support. Post on the forums instead :)
Please post the final results, good or bad. We like to know!


If you feel I have helped you and would like to make a small donation, please click here


#17 tekniqd
    New Member (Authentic Member, 15 posts)

Posted 17 March 2009 - 06:48 AM

Process.exe;C:\Documents and Settings\All Users\Documents\Files\2008\Unknown\SmitfraudFix;Tool.Prockill;Moved.;
restart.exe;C:\Documents and Settings\All Users\Documents\Files\2008\Unknown\SmitfraudFix;Tool.ShutDown.14;Moved.;
ComboFix.exe/data002\32788R22FWJFW\c.bat;C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe/data002;Probably BATCH.Virus;;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\HP_Administrator\Desktop;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\HP_Administrator\Desktop;Container contains infected objects;Moved.;
xampp-win32-1.5.1-installer.exe\data175;C:\Documents and Settings\HP_Administrator\Desktop\downloads\xampp-win32-1.5.1-installer.exe;Program.PrcView.3725;;
xampp-win32-1.5.1-installer.exe;C:\Documents and Settings\HP_Administrator\Desktop\downloads;Archive contains infected objects;Moved.;
Process.exe;C:\Documents and Settings\HP_Administrator\SmitfraudFix;Tool.Prockill;Moved.;
restart.exe;C:\Documents and Settings\HP_Administrator\SmitfraudFix;Tool.ShutDown.14;Moved.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Moved.;
Process.exe;C:\Program Files\Opera\SmitfraudFix;Tool.Prockill;Moved.;
restart.exe;C:\Program Files\Opera\SmitfraudFix;Tool.ShutDown.14;Moved.;
Process.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Tool.Prockill;Moved.;
userinit.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.DownLoad.27336;Incurable.Moved.;
A0203442.exe\l2mfix/Process.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1096\A0203442.exe;Tool.Prockill;;
A0203442.exe\l2mfix/restart.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1096\A0203442.exe;Tool.ShutDown.14;;
A0203442.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1096;Archive contains infected objects;Moved.;
A0203510.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1098;Tool.Prockill;Moved.;
A0203521.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1098;Trojan.DownLoad.27336;Incurable.Moved.;
A0203541.bat;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1098;Probably BATCH.Virus;Moved.;
A0203573.EXE;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1098;Program.PsExec.170;Moved.;
A0203792.bat;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1100;Probably BATCH.Virus;Moved.;
A0203809.EXE;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1100;Program.PsExec.170;Moved.;
A0204783.bat;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1101;Probably BATCH.Virus;Moved.;
A0204802.EXE;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1101;Program.PsExec.170;Moved.;
A0206173.exe/data002\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1102\A0206173.exe/data002;Probably BATCH.Virus;;
A0206173.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1102\A0206173.exe/data002;Program.PsExec.171;;
data002;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1102;Archive contains infected objects;;
A0206173.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1102;Container contains infected objects;Moved.;
A0206174.exe\data175;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1102\A0206174.exe;Program.PrcView.3725;;
A0206174.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1102;Archive contains infected objects;Moved.;
firstopt.js;D:\I386\Apps\APP21479;Probably SCRIPT.Virus;Moved.;
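Reading a Dr.Web CureIt report like the one above is mostly a matter of separating three things: detections on the removal tools themselves (the Tool.* and Program.PsExec/PrcView hits inside SmitfraudFix, ComboFix, l2mfix and the XAMPP installer are expected), copies that already sit in ComboFix's quarantine or in System Restore points, and malware verdicts on files that are still live. The script below is an added example for this thread, not code from Dr.Web or from anyone posting here. It assumes the four-field record layout visible in the posted log (name;directory;verdict;action); the rules for what counts as a tool, a quarantine folder or a restore-point copy are triage heuristics chosen for this example, not Dr.Web categories, and the embedded sample is a handful of records copied from the posted log rather than the whole report.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv).

Added example for this thread; not code from Dr.Web or from any poster.
Assumes 'name;directory;verdict;action;' records as in the posted log.
"""
from collections import defaultdict

# Verdict families that name legitimate utilities (process killers, PsExec,
# PrcView) bundled inside cleanup tools and installers, not malware.
TOOL_PREFIXES = ("Tool.", "Program.")
# Summary verdicts Dr.Web attaches to an archive/container whose members hit.
CONTAINER_VERDICTS = ("Archive contains infected objects",
                      "Container contains infected objects")
# Copies kept by System Restore and by ComboFix's quarantine (C:\Qoobox).
RESTORE_MARKER = r"\system volume information\_restore"
QUARANTINE_MARKERS = (r"\qoobox\quarantine",)

# Constructed sample: six records copied from the posted log, enough to
# exercise every category below. Not the full report.
SAMPLE_LOG = r"""
Process.exe;C:\Program Files\Opera\SmitfraudFix;Tool.Prockill;Moved.;
userinit.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.DownLoad.27336;Incurable.Moved.;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe/data002;Program.PsExec.171;;
A0203521.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1098;Trojan.DownLoad.27336;Incurable.Moved.;
data002;C:\Documents and Settings\HP_Administrator\Desktop;Archive contains infected objects;;
firstopt.js;D:\I386\Apps\APP21479;Probably SCRIPT.Virus;Moved.;
"""


def parse_drweb_csv(text):
    """Parse 'name;directory;verdict;action;' records into dicts.

    Each record ends with ';'. When a report is pasted into a forum the
    records often run together on one line separated by '; ', so that
    separator is treated as a record break too.
    """
    records = []
    for raw in text.replace("; ", "\n").splitlines():
        raw = raw.strip().rstrip(";")
        if not raw:
            continue
        parts = raw.split(";")
        if len(parts) < 3:
            raise ValueError(f"unexpected Dr.Web record: {raw!r}")
        name, directory, verdict = parts[:3]
        action = parts[3] if len(parts) > 3 else ""
        records.append({"name": name, "directory": directory,
                        "verdict": verdict, "action": action})
    return records


def location_of(directory):
    """Where the object sits: live filesystem, a quarantine, or a restore point."""
    d = directory.lower()
    if RESTORE_MARKER in d:
        return "restore_point"
    if any(marker in d for marker in QUARANTINE_MARKERS):
        return "quarantine"
    return "live"


def kind_of(verdict):
    """Tool (benign utility), container (summary line) or malware verdict."""
    if verdict in CONTAINER_VERDICTS:
        return "container"
    if verdict.startswith(TOOL_PREFIXES):
        return "tool"
    return "malware"


def triage(text):
    """Group records by (kind, location)."""
    groups = defaultdict(list)
    for rec in parse_drweb_csv(text):
        groups[(kind_of(rec["verdict"]), location_of(rec["directory"]))].append(rec)
    return groups


def needs_attention(text):
    """Malware verdicts outside any quarantine or restore point: the only
    lines in a post-cleanup report that still need a human decision."""
    return [f"{r['directory']}\\{r['name']} [{r['verdict']}]"
            for r in triage(text)[("malware", "live")]]


if __name__ == "__main__":
    for (kind, location), recs in sorted(triage(SAMPLE_LOG).items()):
        print(f"{kind:9} {location:14} {len(recs):3}")
    for line in needs_attention(SAMPLE_LOG):
        print("ATTENTION:", line)
```

Run against the sample, the only live malware verdict is the heuristic "Probably SCRIPT.Virus" on firstopt.js under D:\I386 (a recovery partition), while the Trojan.DownLoad.27336 hits on userinit.exe are all quarantine or restore-point copies, which is what a "log looks good" call rests on. Heuristic verdicts on vendor recovery media deserve a second opinion before anything is deleted.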

#18 Tomk
    Beguilement Monitor (Global Moderator, 20,451 posts)

Posted 17 March 2009 - 08:25 AM

tekniqd,

It's my understanding that RatHat is tied up at work. So rather than having to wait for him, let's see if I can help get you back to your life. ;)

Log looks good :D


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • Note the space between the X and the U; it needs to be there.
The above procedure will:
  • Implement some cleanup procedures.
  • Reset System Restore.

Please re-enable any security that was disabled.

Please delete Rooter from your Desktop and also delete this folder: C:\Rooter$

Download ToolsCleaner2 to your desktop and run it ( by de A.Rothstein & Dj Quiou )
  • Click the Pt. Restauration button and press OK to the prompts.
  • Click the Corbeille button and press OK to the prompt.
  • Click the Fichiers temp button and press OK to the prompt.
  • Click the Recherche button and let it run ( it may look like it freezes but let it continue )
  • Once it is done click the Suppression button and let it remove anything it finds.
  • Close the program


The following is my standard advice for the future. Use what you can and pat yourself on the back for what you're already doing.

Please take time to read Preventing Malware - Tools and Practices for Safe Computing. Very important information for your consideration is contained therein.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein


Also: "How to prevent malware"
by miekiemoes

Please respond back that you understand the above and let me know if you have any questions. Otherwise, this thread will be closed Resolved. :thumbup:
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#19 tekniqd
    New Member (Authentic Member, 15 posts)

Posted 17 March 2009 - 11:45 AM

I am running Cleaner 2 and the Suppression button is not active; this is after following the steps you explained... Also, though the system may be clean, I still do not have internet access in IE. I can via Firefox as well as Opera... I really don't care for IE and use Firefox the majority of the time, but updates as well as installations use IE and not the default, so I can not update programs etc. Gawd, I hate Microsoft for being so stuck up. I had this problem with all browsers; after uninstalling Firefox as well as Opera it cleared the problems I had with them, though IE I have updated but still have trouble. (I can't seem to uninstall IE.)

#20 Tomk
    Beguilement Monitor (Global Moderator, 20,451 posts)

Posted 17 March 2009 - 01:08 PM

tekniqd,

You can't really uninstall Internet Explorer. It's pretty much built into Windows. Let's try this:

We need to repair some of windows' internal registration settings
  • Please download Dial-A-Fix from one of the following mirrors:
  • Extract the zip file to your desktop.
  • Double click Dial-a-Fix.exe to start the program.
  • Press the green double checkmark box.
  • UNcheck "Empty Temp Folders", as well as "Adjust Time/Date" in the prep section.
  • Press the GO button in the bottom of the window.
  • Exit/Close Dial-A-Fix

Tomk

#21 tekniqd
    New Member (Authentic Member, 15 posts)

Posted 18 March 2009 - 06:56 AM

Should I reboot after this is run? I ran it and there is no change in IE connectivity.

#22 RatHat
    Retired Staff-Malware Expert (Authentic Member, 816 posts)

Posted 18 March 2009 - 07:10 AM

Hi, just got back in. OK, reboot and let me know if you get IE back.



#23 tekniqd
    New Member (Authentic Member, 15 posts)

Posted 18 March 2009 - 07:40 AM

Rebooted, fired up IE and still nothing. Firefox connects right up.

#24 RatHat
    Retired Staff-Malware Expert (Authentic Member, 816 posts)

Posted 18 March 2009 - 08:03 AM

Download avz4.zip from here
  • Save it to your desktop and unzip it to your desktop to a folder named avz4
  • Close all windows then double click on AVZ.exe
  • Run an update by clicking the Auto Update button on the right of the Log window
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again
  • Click File then Custom scripts
  • Copy & paste the contents of the following codebox in the box in the program
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
ExecuteRepair(2);
ExecuteRepair(3);
ExecuteRepair(4);
ExecuteRepair(8);
ExecuteSysClean;
RebootWindows(true);
end.
  • Note: When you run the script, your PC will be restarted
  • Restart your PC if it doesn't do it automatically, and Let me know if you can use Internet Explorer



#25 tekniqd
    New Member (Authentic Member, 15 posts)

Posted 18 March 2009 - 03:55 PM

Still nothing... I have run the XP diagnostic and this is what I get on the report:

HTTP, HTTPS, FTP Diagnostic
HTTP, HTTPS, FTP connectivity
info  HTTPS: Successfully connected to www.microsoft.com.
info  FTP (Passive): Successfully connected to ftp.microsoft.com.
warn  HTTP: Error 12029 connecting to www.microsoft.com: A connection with the server could not be established
warn  HTTP: Error 12029 connecting to www.hotmail.com: A connection with the server could not be established
error Could not make an HTTP connection.
info  Redirecting user to support call

I have looked over the firewall and nothing is blocking FTP, HTTP or HTTPS, at least from looking at it.


#26 RatHat
    Retired Staff-Malware Expert (Authentic Member, 816 posts)

Posted 19 March 2009 - 08:54 AM

First of all, try disabling your firewall, and see if that allows IE to connect.

If it still doesn't connect, re-enable the firewall, then go into your Internet Options settings in the Control Panel, Connections tab, LAN Settings, and make sure "Use a proxy server" is UNTICKED.

Let me know if you can get IE to connect now.

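The proxy check above is the right one for this symptom pattern. Internet Explorer, and the XP network diagnostic that reported it (error 12029 is WinINET's ERROR_INTERNET_CANNOT_CONNECT), use the per-user WinINET proxy settings under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings; Firefox and Opera keep their own proxy configuration, so they keep working when those values are hijacked. WinINET's ProxyServer value can also be written per protocol (http=host:port;https=host:port;...), so a proxy entry that covers only plain HTTP leaves HTTPS and FTP connecting normally, which is exactly the split the diagnostic in post 25 shows. The script below is an added example, not code from this thread or from Microsoft. It parses a regedit export of that key so it runs anywhere; the value names (ProxyEnable, ProxyServer, ProxyOverride, AutoConfigURL) and the two ProxyServer syntaxes are WinINET's, while the sample values are constructed to show an HTTP-only proxy, since the thread never says what value the affected PC actually had.

```python
"""Inspect the WinINET proxy settings Internet Explorer uses, from a .reg
export of HKCU\...\Internet Settings.

Added example for this thread; not code from the thread or from Microsoft.
Sample values are constructed; ProxyServer syntax and value names are WinINET's.
"""
import re
import sys

INTERNET_SETTINGS_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
                         r"\CurrentVersion\Internet Settings")
PROTOCOLS = ("http", "https", "ftp")

# Constructed sample export: a proxy applied to plain HTTP only.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:8118"
"ProxyOverride"="<local>"
"""

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Return {key: {value_name: value}} for REG_SZ and REG_DWORD values.
    Regedit writes exports as UTF-16 with a BOM; decode with 'utf-16' first.
    Other value types are kept as their raw text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line) if current else None
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith("dword:"):
            keys[current][name] = int(raw[len("dword:"):], 16)
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            keys[current][name] = re.sub(r'\\(["\\])', r"\1", raw[1:-1])  # unescape \" and \\
        else:
            keys[current][name] = raw
    return keys


def parse_proxy_server(value):
    """ProxyServer is either 'host:port' (every protocol, returned under '*')
    or 'http=h:p;https=h:p;ftp=h:p;socks=h:p' (per protocol)."""
    proxies = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, target = part.partition("=")
        if sep:
            proxies[scheme.strip().lower()] = target.strip()
        else:
            proxies["*"] = part
    return proxies


def proxied_protocols(settings):
    """Protocols WinINET would route through a proxy for these settings."""
    if settings.get("ProxyEnable", 0) != 1 or not settings.get("ProxyServer"):
        return set()
    proxies = parse_proxy_server(settings["ProxyServer"])
    if "*" in proxies:
        return set(PROTOCOLS)
    return {p for p in PROTOCOLS if p in proxies}


def assess(reg_text):
    """Summarise the proxy state. On a standalone home PC, as in this
    thread, any active proxy or auto-config URL is unexpected."""
    settings = parse_reg_export(reg_text).get(INTERNET_SETTINGS_KEY, {})
    proxied = proxied_protocols(settings)
    autoconfig = settings.get("AutoConfigURL", "")
    return {
        "proxy_enabled": settings.get("ProxyEnable", 0) == 1,
        "proxy_server": settings.get("ProxyServer", ""),
        "autoconfig_url": autoconfig,
        "proxied": proxied,
        "unexpected_proxy": bool(proxied) or bool(autoconfig),
    }


def reset_commands(findings):
    """reg.exe commands that undo what assess() flagged: the command-line
    equivalent of unticking 'Use a proxy server' in LAN Settings."""
    key = INTERNET_SETTINGS_KEY.replace("HKEY_CURRENT_USER", "HKCU")
    cmds = []
    if findings["proxy_enabled"]:
        cmds.append(f'reg add "{key}" /v ProxyEnable /t REG_DWORD /d 0 /f')
    if findings["proxy_server"]:
        cmds.append(f'reg delete "{key}" /v ProxyServer /f')
    if findings["autoconfig_url"]:
        cmds.append(f'reg delete "{key}" /v AutoConfigURL /f')
    return cmds


if __name__ == "__main__":
    # Usage: python proxy_check.py [exported.reg]   (no argument: the sample)
    text = (open(sys.argv[1], encoding="utf-16").read()
            if len(sys.argv) > 1 else SAMPLE_REG)
    result = assess(text)
    for k, v in result.items():
        print(f"{k:17} {v}")
    for cmd in reset_commands(result):
        print(cmd)
```

Run on a real machine, export the key with regedit first (File > Export) or `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" ie.reg` and pass the file in. After clearing the proxy, re-run the scan tools: a hijacked proxy is usually planted by the downloader that was removed, not a stand-alone problem, and a value that reappears after a reboot means something is still running.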


#27 tekniqd
    New Member (Authentic Member, 15 posts)

Posted 19 March 2009 - 11:49 AM

OMG, FINALLY, that did it... I don't know why it was going via a proxy. Thank you :notworthy:

#28 RatHat
    Retired Staff-Malware Expert (Authentic Member, 816 posts)

Posted 19 March 2009 - 09:25 PM

OK! :thumbup: Looks like you should be good to go then. Make sure you follow Tomk's advice in post 18, and also delete the files and folders created by AVZ, along with any remaining tools and logs. I'll keep this open for a couple of days, so if you have any more problems, post me a reply here. All the best, RatHat



#29 RatHat
    Retired Staff-Malware Expert (Authentic Member, 816 posts)

Posted 27 March 2009 - 06:49 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
