Spent a week on the malware removal guide

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by drdunk, Jun 2, 2007.

  1. drdunk

    drdunk Private E-2

    You geeks are tough! Among other things I had several years of MS updates to do. Most malware is in my mailbase. Can it be cleaned?

    Some advised scans did not complete:

    Bitdefender indicated seemingly thousands of the same thing in mailbase, then finally hung on something innocent looking in the second and last hard drive. I **could not get a report from it**, but I did pause it several times as it ran. It said it deleted all problems in old mail but the file never shrinks does it?

    I guess I'll run it again to see what happens. I deleted some stuff on drive F.



    Pandascan slowed waaay down on the mailbase. The first couple of times I thought it had stopped. Third time, I finally noticed that it did a new file every few minutes. After clicking stop (it would have taken months to run at that speed based on Bitdefender) and waiting a long time it put up a prompt that allowed me to get the incomplete report.

    Spybot worked nicely.

    CounterSpy: found some problems. It ran itself again last night after Kaspersky finished, found no problems.

    Kaspersky (alternate scan due to problems with the others) ran fine.
    Oops! The report file is too large:

    Kaspersky_scan_report.txt:
    Your file of 982.5 KB bytes exceeds the forum's limit of 250.0 KB for this filetype.

    If there is a way to clean the mail base then I think everything can be done properly.
     

    Attached Files:

  2. drdunk

    drdunk Private E-2

    Here are the other attachments. When I boot up and check for email there is a very suspicious loong delay during which nothing happens. Afterward things happen normally. As far as I know, the viruses indicated in old email did not do anything. Evidently they could not escape from Netscape. Spyware is my big concern.
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Do a search for this and remove it:
    C:\Documents and Settings\User\.jpi_cache\jar\1.0\archive.jar-487b52a0-4abd63ce.zip[winmodem.exe]

    Use add/remove programs to uninstall:
    Viewpoint Media Player (Remove Only)

    Download SuperAntiSpyware Home Edition Free Version

    Install the program

    Run SuperAntiSpyware and click: Check for updates
    Once the update is finished, on the main screen, click: Scan your computer
    Check: Perform Complete Scan
    Click Next to start the scan.

    Superantispyware scans the computer, and when finished, lists all the infections found.
    Make sure everything found has a check next to it, and press: Next
    Click Finish

    It is possible that the program asks to reboot in order to delete some files.

    Obtain the SuperAntiSpyware log as follows:
    Click: Preferences
    Click the Statistics/Logs tab
    Under Scanner Logs, double-click SuperAntiSpyware Scan Log
    It opens in your default text editor (such as Notepad)

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking fix, exit HJT.

    Now attach new logs for:

    * GetRunKey
    * ShowNew - please download the current version first!
    * HJT
    * SuperAntispyware log
     
  4. drdunk

    drdunk Private E-2

    "Now attach new logs for:

    * GetRunKey
    * ShowNew - please download the current version first!
    * HJT
    * SuperAntispyware log
    "

    Ok, here are the first two.

    And Thanks!!!
     

    Attached Files:

  5. drdunk

    drdunk Private E-2

    The next two logs:
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please use windows explorer to find and delete:
    F:\Net\zip\WINZIP32.EXE

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Did we forget this part:
    After clicking fix, exit HJT

    Attach new logs for:
    GetRun
    HJT
     
  7. drdunk

    drdunk Private E-2

    Thanks again. I don't think I forgot steps yesterday but I'm glad to run things again anyway.

    regedit: done

    Superantispyware today found no problems.

    HiJackThis did indeed have the items you mention. I got rid of the urlSearchHook noname.

    The HKCU...blank.htm won't go away after several tries.
    Bestbuy also won't go away.

    Other notes
    yesterday I was going to run Bitdefender again - decided to take them up on the download version (trial) that does not require connection to run. It ran and found no problems, not even the Worm.Evilbot-B found a little later by SuperAntiSpyware. Worm.Evilbot-B is a new name to me.

    I could not get back on the net yesterday until I uninstalled Bitdefender. Then I ran CCleaner for good measure.

    By the way I chose my user name here because my first choice had been taken. I'm not actually a basket ball player ;).

    What now?

    Thanks!

    Pete
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Boot into safe mode.
    Turn off system restore.

    Run HJT with no other programmes open. Have HJT fix the following
    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt
    Reboot into normal mode and turn system restore back on.
    Attach new logs for:
    HJT
    GetRun
    Avenger
     
  9. drdunk

    drdunk Private E-2

    Whew! Long story short, I think I'm back to square one.

    Hijack in safe mode seemed to get rid of the checked items but they are back now. I can't get online in safe mode, and trying that as Admin was really strange. I've had more reboots, hangups, getting on and off line, reboots... than you can imagine.

    Got Avenger downloaded and unzipped despite the fact that you wanted me to delete WinZip earlier. Tried to run it; figured out to modify the script to include the first line

    Files to delete:

    then it ran, but said the file could not be found. Then HJT said everything was back. I boldly tried Avenger with this:

    Registry values to replace with dummy:
    HKCU\Software\Microsoft\Internet Explorer\Main,Local Page | C:\WINDOWS\SYSTEM\plank.htm

    but it said that was not a valid script. Well anyway I'll attach the logs.
    Sheesh, now I can't find the Avenger log from the second run when it said it couldn't find the file. Oh well, that was the message.
    What next?
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download HOSTER and then follow the below steps.
    • Unzip HOSTER to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program.
    Re-run HJT and have it fix these lines:
    R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

    Now go to immunise section of spybot and check what options you have ticked.

    Tell me how that went and attach logs for:
    HJT
     
  11. drdunk

    drdunk Private E-2

    Ok, things are looking up. Got Hoster, got a new unzipper to unzip it, ran it no problem, then back to Hijack.

    These guys
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestbuy.msn.com
    R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    were all still there despite various other things I had tried. For instance this am I used a CCleaner option to get rid of
    O4 - HKLM\..\Run: [OemReset] %systemroot%\OPTIONS\OEMRESET.EXE /AUDIT
    to see if that would help HJT. It didn't.

    So I ran HJT after Hoster. Only the R3 - URLSearchHook: (no name) went away. Unfortunately I didn't keep every HJT log but I thought it came back after a shut down and restart. However, then I ran Spybot, which found one seemingly unimpressive commercial item which I quarantined.

    I wanted to make a Hijack log to show that the url no name came back after a restart, but it wouldn't come back anymore Yay!

    I still have blank.htm and bestbuy. If they are related maybe they won't hurt me. Do you know if they are part of the same thing?


    Looking at this
    "Now go to immunise section of spybot and check what options you have ticked."

    I realized you didn't ask me to run Spybot. I was not sure what you were asking, but this innocent little question turned out to be a big deal. I guess I clicked on immunize to see what would come up. It started a long process and finally informed me that I am now permanently immunized against 18758 bad things. Thanks!
     
  12. drdunk

    drdunk Private E-2

    Drat! hit the wrong thing. Here's the HJT log:
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please use windows explorer to find and delete:
    C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe

    Run HJT again and have it fix these two items:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O4 - HKCU\..\Run: [RemoveIT Pro XT] "C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe"

    Did you do a search for C:\Windows\System\blank.htm?
    Delete files/folder from the following directories (But not the directory itself, for example delete all files/folder IN temp; but not temp itself!)
    [*]C:\Windows\Temp\
    [*]C:\Documents and Settings\\Local Settings\Temp\
    [*]C:\Documents and Settings\\Local Settings\Temp\
    [*]C:\Documents and Settings\\Local Settings\Temporary Internet Files\ <---This will delete your internet cache--including cookies. This is recommended and strongly suggested.
    [*]C:\Documents and Settings\\Local Settings\Temporary Internet Files\
    [*]Empty your "Recycle Bin"

    Please attach new logs for:
    HJT
    ShowNew
    GetRun
     
  14. drdunk

    drdunk Private E-2

    Ok, did that, also found no C:\Windows\System\blank.htm but a bunch of old blank.htm files from years 1998 through 2001. Deleted them.

    About the directories and such deleted - they come back. Contents mainly repetitive ini files like this:

    /History
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    CLSID={FF393560-C2A7-11CF-BFF4-444553540000}


    C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\C1KB6RO1

    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}


    ===
    C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\MB2XYF07
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}


    C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\STKYN23M
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}



    ====
    C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\YXJX2NNB
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}

    ===
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}

    =====

    C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    CLSID={FF393560-C2A7-11CF-BFF4-444553540000}


    that last one has an extra line.
    What's with the IE5 business? Is that a useful clue?


    Using safe mode, system restore off, Hijack got rid of all three bad items (url searchHook noname was back; it seems to come back in 24 hours) but after rebooting in normal mode,
    **blank.htm and bestbuy were back.**
    by the way last night I tried deleting them from the registry by hand. Windows said Unable to comply.
     

    Attached Files:

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    Tell me how that went.
     
  16. drdunk

    drdunk Private E-2

    Hi Tim,

    Thanks, it went as well as the others ... ATF Cleaner may not get quite as much as CCleaner but both are good, yet some "deleted" files don't go away.
    Deletion test log attached.

    I found that booting in safe mode I could use both cleaners and then delete other files by hand; evidently they weren't protected in that situation. Then HJT worked well, disposing of blank.htm, Url searchHandle noname and best buy. Rebooting in normal mode (but with System Restore still off) blank.htm and best buy were right back and the nameless url is doubtless just being shy again.

    This morning I used CCLeaner options to get rid of some other stuff including several Active X keys; Don't miss them; I think I'll get rid of them all. As far as I know I only need Active X when I use the MS browser every few years to download MS updates.

    What can my current problems, that Hijack can't get rid of, do to me? I don't know of any harm done yet, but on the other hand anything tougher than you are could do anything it wants. My main concern is that I need to make critical online purchases. Soon.
    ???

    Pete
     

    Attached Files:

  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download SilentRunners from here: http://www.silentrunners.org/Silent Runners.zip. Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, it will create a logfile on the desktop. Please attach the entire contents of this logfile in a reply to this post.
     
  18. drdunk

    drdunk Private E-2

    Thanks, I did that. I put it on the desktop, but please tell me, is that really important? I must confess I didn't put Avenger on my desktop. But still, it couldn't have removed a file that wasn't there. I guess I could run it from the desktop to see if there's any difference.

    Log attached.
     

    Attached Files:

  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Turn off the showing of hidden files and tell me what happens with those items.
     
  20. drdunk

    drdunk Private E-2

    Ok, tried that. Files avenger*.* and the two from Silentrunner do not appear to be hidden. However I see that changing the status to hidden only causes files on the desktop to gray out, not disappear.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    HERE's A TIP: You cannot fix things when you have antispyware tools blocking the fixes! And you have multiple tools installed doing just that!

    Uninstall CounterSpy and if Spy Sweeper is the free trial version, uninstall it too. If Spy Sweeper is not free, you must disable all realtime protection before trying to make any fixes and then after you reboot or re-enable the protection you must allow/approve any changes that Spy Sweeper may popup a warning about something being changed. It should be rather obvious when you are trying to make changes vs when malware is trying to make changes.
     
  22. drdunk

    drdunk Private E-2

    Darn, almost forgot to post reply --
    per email message I temporarily disabled my anti Spyware programs and then tried to get rid of unwanted items in the HJT log.
    First I tried CCleaner. As before three 'temporary internet files' come back after being erased when I close cleaner then open it and analyze again.

    However, Hijack removed all three items!
    Blank.htm, best buy and url searchHook noname.
    But ...
    Upon re-enabling Webroot anti spy pgm, best buy and blank.htm came back, just as before in safe mode then back to regular mode.

    What conclusions do you draw?

    I then changed my firewall from Sygate to Outpost. Outpost seems to run a tighter operation.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Exactly as my message implied. You are allowing Spy Sweeper to put things back to what it has backed up as your defaults. You must not do this. You must accept the changes that you make in order for them to stick. If you don't understand how to do this (Spy Sweeper should be prompting you about the changes unless you told it not to) then uninstall Spy Sweeper completely. Then make the changes. Afterwards you can reinstall Spy Sweeper.
     
  24. drdunk

    drdunk Private E-2

    Thanks! This was already a good day and now it's even better. Per last email I uninstalled Webroot Spy Sweeper.

    Then HijackThis worked and got rid of the three suspects. Well I thought, urlsearchHook noname always plays hide & seek. He'll be back tomorrow. But what's time to a computer? I set the date ahead and rebooted and ran Hijack again. The url stayed gone! Thanks mucho.

    I have a slight problem reinstalling Spy Sweeper. It wants a bid key that I don't have any more. I may be able to find it in the morning.

    Meanwhile, CCleaner still can't get rid of these three files:

    Details of files to be deleted (Note: No files have been deleted yet)
    ------------------------------------------------------------------------------------------
    C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini 67 bytes
    C:\Documents and Settings\User\Local Settings\Temporary Internet Files\desktop.ini 67 bytes
    C:\Documents and Settings\User\Local Settings\History\History.IE5\desktop.ini 145 bytes
    ------------------------------------------------------------------------------------------

    They come back when I close CCleaner, as before. I just got CCleaner a few days ago and I'm sure I didn't tell it to put back these files.

    What could it mean?

    Pete
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Those are normal and don't need to be deleted and will come back. They are part of normal system operation. They basically tell the system not to show files in those folders in the normal form (i.e., files will not show as usual in Windows Explorer).
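The desktop.ini check behind the reply above, as an added example that is not part of the original thread: it parses the [.ShellClassInfo] section of a desktop.ini, compares the UICLSID/CLSID values against the two CLSIDs that appear in the files posted in message 14 (treated here as the baseline the reply calls normal), and reports any other CLSID or any extra key for review. The first two SAMPLES entries are constructed from the thread's own listings; the third sample, the zero CLSID in it, and the scan_tree helper are my own additions.

```python
"""Classify desktop.ini files like the ones posted in this thread.

Added example, not code from the thread. Baseline CLSIDs are the two values
shown in message 14; anything else is reported for review, not declared bad.
"""
import configparser
import os

# The two CLSIDs that appear in the desktop.ini files posted in message 14.
BASELINE_CLSIDS = {
    "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}",
    "{FF393560-C2A7-11CF-BFF4-444553540000}",
}
EXPECTED_KEYS = {"UICLSID", "CLSID"}

# Constructed samples: first two reproduce files from the thread; the third is
# made up (unknown CLSID plus an IconResource key) to exercise the review path.
SAMPLES = {
    r"C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\desktop.ini":
        "[.ShellClassInfo]\n"
        "UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}\n"
        "CLSID={FF393560-C2A7-11CF-BFF4-444553540000}\n",
    r"C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\desktop.ini":
        "[.ShellClassInfo]\n"
        "UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}\n",
    r"C:\Documents and Settings\User\Desktop\somefolder\desktop.ini":  # constructed, not from the thread
        "[.ShellClassInfo]\n"
        "CLSID={00000000-0000-0000-0000-000000000000}\n"
        "IconResource=C:\\odd\\x.dll,0\n",
}


def parse_desktop_ini(text):
    """Return the [.ShellClassInfo] keys as a dict, preserving key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep 'CLSID' and 'UICLSID' distinct instead of lowercasing
    cp.read_string(text)
    if not cp.has_section(".ShellClassInfo"):
        return {}
    return dict(cp.items(".ShellClassInfo"))


def classify(text):
    """'baseline' when only the known CLSIDs are present, otherwise 'review' with details."""
    info = parse_desktop_ini(text)
    unknown = {k: v for k, v in info.items()
               if k in EXPECTED_KEYS and v.upper() not in BASELINE_CLSIDS}
    extra = {k: v for k, v in info.items() if k not in EXPECTED_KEYS}
    status = "review" if (unknown or extra) else "baseline"
    return {"status": status, "unknown_clsids": unknown, "extra_keys": extra}


def scan_tree(root):
    """Walk a profile directory and classify every desktop.ini found."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "desktop.ini":
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    results[path] = classify(fh.read())
            except (OSError, configparser.Error) as exc:
                results[path] = {"status": "unreadable", "error": str(exc)}
    return results


if __name__ == "__main__":
    for path, text in SAMPLES.items():
        print(path, classify(text))
```

Real desktop.ini files carry the Hidden and System attributes, so `dir /a` or `attrib` is the way to see them from a prompt; os.walk lists them regardless of attributes. A file that decodes as garbage (some are UTF-16) ends up as "unreadable" rather than crashing the scan.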
     
  26. drdunk

    drdunk Private E-2

    Whew! Thanks for that information. Now I can stop trying to get rid of them.

    Meanwhile:
    Trying some rootkit removers today, one of them being Trojan Remover, I ran into:
    C:\WINDOWS\system32\drivers\sbapifs.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SBAPIFS\"ImagePath"

    This is just one of the items the program questioned, but this one is special: Trojan Remover can't remove it.

    And
    url searchHook noname is back. It was back early this morning, and seems to return more quickly now.

    Can anything be done about these two items? Is there a need to get rid of them?

    and Windows Installer has become hyperactive. It keeps installing Total Access Core Applications, part of Earthlink I've had for a long time. I must have done something to cause this.

    Thanks,

    Pete
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is not a trojan! It is part of CounterSpy. If CounterSpy is the free trial from the READ ME you should have uninstalled it as requested a few messages ago.

    Not malware! It is something about how you are using Spy Sweeper and or CounterSpy. Try the below!

    Uninstall CounterSpy and Spy Sweeper (you must uninstall these or the below probably will not work).

    Then reboot!

    Delete the C:\Program Files\Webroot folder.


    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now you can reinstall Spy Sweeper if desired.


    Not malware. You have problems with incomplete installs or with Windows Installer. You should address these in the Software Forum but you could try running this: Windows Installer CleanUp Utility
     
  28. drdunk

    drdunk Private E-2

    Thanks! I did all that. The other day I just disabled CounterSpy by temporarily renaming the main exe to axe. This time I used CCleaner to uninstall it. CCleaner does this very well. My new HJT log is leaner and better than ever; total size 5120 bytes, and no url searchHook noname. (Yesterday I eliminated some other things from it based on what other people were told to fix).

    One last easy question: is there a reason to not use the free CounterSpy?

    Thanks again. I appreciate all the help from Major Geeks.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes and that is why we said to uninstall it. It is a 15 day trial. Afterwards it is of no use to you unless you purchase it.
     
  30. drdunk

    drdunk Private E-2

    Disaster!

    I should have written hours earlier but it's so bad I don't know what to say.

    I ran HJT again early in the afternoon. I noticed that the url with no name was back. Then I noticed that the log had increased in size too much for just one extra item. I found a couple of extra buttons that I had removed yesterday, then I noticed a 17:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{52F7E777-AEAF-44D0-B5FB-9CD355D14EEA}: NameServer = 207.69.188.185 207.69.188.186

    I hadn't had a 17 before so I clicked for more information. 17 implies a hijack!!

    More bad news kept coming.

    By and by I noticed that my new Outpost firewall had essentially disappeared. It had been disabled and infected.

    Before all this I had downloaded a Defrag program from Major Geeks: JkDefrag-3.14.zip
    It ran straight out with no options and outwardly appeared to do fine. Afterward I soon noticed that MS Explorer search wasn't working properly. I found a search option to index files. I thought that might be needed; it turns out that MS does it slowly; I'll have to let it run overnight and see if search works in the morning.

    Luckily Trojan Remover keeps working. Some details from its log:

    Where do they go?

    Well first on a reboot TR spotted a file called 3.tmp called by memsweep2 (?)
    alleged trojan or hijack and cleared it out.

    Well the second round of bad news was:
    After I tried to uninstall Outpost and had to reboot, TR running at startup said the remains of Outpost were trojan:

    C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTMLFILT.DLL
    HKLM\SYSTEM\CurrentControlSet\Services\HTMLFILT.DLL\

    C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\POP3FILT.DLL
    HKLM\SYSTEM\CurrentControlSet\Services\POP3FILT.DLL\

    ...
    My Sygate firewall is back in action in place of Outpost which was conquered.
    url searchHook noname comes back with every reboot. Hijack 17 comes back with every dial up to the net, as does url nameless if I have already fixed it in HJT.

    What can I do?
     

    Attached Files:

  31. drdunk

    drdunk Private E-2

    Sygate log file attached:
     

    Attached Files:

  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is nothing wrong with your HJT log. The O17 line is the IP address of your ISP's DNS (Domain Name Server).

    Paranoia can be a bad thing! ;)

    The below is not really a problem either and it just related to Internet Explorer.

    R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    I'm not exactly sure why it keeps coming back. It could be due to things you are doing on your own and what you are running.

    I see the below files in your ShowNew log!
    Code:
    "C:\WINDOWS\SYSTEM32\drivers\"
    bdlxvxry.sys  Jun  3 2007       60416  "bdlxvxry.sys"
    xpckmvbl.sys  Jun  3 2007       60416  "xpckmvbl.sys"
    Looking back in your logs I see they showed up when you posted logs in message number 14. See if you can delete these after booting in safe mode. If you cannot delete them, see if you can rename them to bdlxvxry.sys.bak and xpckmvbl.sys.bak

    If you believe you were able to rename them then reboot into normal mode and attach a new log from ShowNew.
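A small triage script for the two log formats being read above, added here as an example (it is not part of the thread, nor code from HijackThis or ShowNew): it parses the O17 NameServer line and compares the resolvers against a list you expect from your ISP, reads the R3 URLSearchHook line and records that "(no file)" means no DLL is registered behind that CLSID, and groups ShowNew driver entries by date and size to surface pairs of random-looking .sys names like the two quoted above. The HJT and ShowNew sample lines are copied from this thread; EXPECTED_RESOLVERS and the extra sbapifs.sys entry (its date and size are made up for contrast) are assumptions, and the vowel-ratio test is a rough naming heuristic, not a verdict on the file.

```python
"""Triage helpers for HijackThis and ShowNew log lines.

Added example, not from the thread or from either tool. Sample lines are
copied from the posts above; EXPECTED_RESOLVERS is an assumption (the thread
only says the O17 addresses belong to the ISP).
"""
import re
from collections import defaultdict

# Copied from the O17 and R3 lines posted in this thread.
HJT_SAMPLE = [
    r"R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{52F7E777-AEAF-44D0-B5FB-9CD355D14EEA}: NameServer = 207.69.188.185 207.69.188.186",
]

# First two lines copied from the ShowNew excerpt above; the third is a
# constructed contrast entry (date and size invented) for a normally named driver.
SHOWNEW_SAMPLE = [
    'bdlxvxry.sys  Jun  3 2007       60416  "bdlxvxry.sys"',
    'xpckmvbl.sys  Jun  3 2007       60416  "xpckmvbl.sys"',
    'sbapifs.sys   Jun  1 2007       29184  "sbapifs.sys"',
]

# Assumption: the resolvers this ISP hands out. Replace with your own.
EXPECTED_RESOLVERS = {"207.69.188.185", "207.69.188.186"}

O17_RE = re.compile(r"^O17 - .*NameServer = (?P<ips>[\d. ,]+)$")
R3_RE = re.compile(r"^R3 - URLSearchHook: \((?P<name>[^)]*)\) - (?P<clsid>\S+) - \((?P<file>[^)]*)\)$")
SHOWNEW_RE = re.compile(
    r'^(?P<name>\S+)\s+(?P<date>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})\s+(?P<size>\d+)\s+"(?P<long>[^"]*)"'
)
VOWELS = set("aeiou")


def check_o17(line):
    """Return ('expected'|'unexpected', [ips]) for an O17 line, else None."""
    m = O17_RE.match(line)
    if not m:
        return None
    ips = re.split(r"[ ,]+", m.group("ips").strip())
    unexpected = [ip for ip in ips if ip not in EXPECTED_RESOLVERS]
    return ("unexpected" if unexpected else "expected", ips)


def check_r3(line):
    """Return {'clsid', 'inert'} for an R3 URLSearchHook line; inert means no DLL is registered."""
    m = R3_RE.match(line)
    if not m:
        return None
    return {"clsid": m.group("clsid"), "inert": m.group("file") == "no file"}


def looks_random(stem):
    """Heuristic: 7-9 lowercase letters with almost no vowels reads as generated, not chosen."""
    stem = stem.lower()
    if not re.fullmatch(r"[a-z]{7,9}", stem):
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.2


def flag_driver_clusters(lines):
    """Group random-looking .sys entries by (date, size); return groups with more than one member."""
    groups = defaultdict(list)
    for line in lines:
        m = SHOWNEW_RE.match(line)
        if not m:
            continue
        name = m.group("long")
        stem, _, ext = name.rpartition(".")
        if ext.lower() == "sys" and looks_random(stem):
            groups[(m.group("date"), int(m.group("size")))].append(name)
    return {key: names for key, names in groups.items() if len(names) > 1}


def triage(hjt_lines, shownew_lines):
    """Run all checks over pasted log text and return one report dict."""
    report = {"o17": [], "r3": [], "driver_clusters": flag_driver_clusters(shownew_lines)}
    for line in hjt_lines:
        o17 = check_o17(line)
        if o17:
            report["o17"].append(o17)
        r3 = check_r3(line)
        if r3:
            report["r3"].append(r3)
    return report


if __name__ == "__main__":
    print(triage(HJT_SAMPLE, SHOWNEW_SAMPLE))
```

The script works offline over pasted log text. A flagged driver cluster only says that two files share a creation date, a size and a generated-looking name; confirming what they are still means checking the files' properties and signatures, and the rename-and-observe step chaslang suggests above is the safe way to find out whether anything depends on them.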
     
  33. drdunk

    drdunk Private E-2

    Thanks to Webroot Software. They graciously helped me get my Spy Sweeper back in operation.

    I was glad to see your new message in the morning.
    <quote>
    Paranoia can be a bad thing!
    </quote>

    Good point. I still tried to get rid of the url with no name. It's well embedded in the registry. I tried putting XXX in front of his value: XXXCFBFAE00-17A6-11D0-99CB-00C04FD64497 a couple places but the url is still winning. I guess I'll have to call him Duke.

    It seems that the # 017 in my HJT log is only there when I'm logged onto the net. That would explain why I never noticed a 17 before.

    I also reinstalled Superantispyware. Various tests do not reveal a problem since the Duke of Url and # 17 are OK.

    Thanks very much for helping and explaining.
     

    Attached Files:

  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay if your system is running okay without the files you renamed
    Code:
     
    "C:\WINDOWS\SYSTEM32\drivers\"
    bahbdl~1.bah  Jun  3 2007       60416  "bahbdlxvxry.bah"
    bahxpc~1.bah  Jun  3 2007       60416  "bahxpckmvbl.bah"
     
    I would suggest that you delete them after a couple days.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
