After days of reading and cleaning I'm still infected

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tracy c, Jul 31, 2006.

  1. tracy c

    tracy c Private E-2

    I have been cleaning for 2 days now, reading the forums and running HJT to figure out what to fix. I give up. Can some expert please tell me what I've missed? I've been using a variety of tools: free AVG Anti-Virus, Trend Micro's HouseCall, Ad-Aware SE + VX2 plugin, DLLCompare, KillBox, Spybot S&D, SpywareBlaster, sfc.exe /scannow, renaming HijackThis, Microsoft's registry cleaner on top of HJT 1.99. I've learned way more than I ever wanted to, but apparently not enough to fully clean this machine. By the way, when I ran LSPFix it "ate" my wireless networking icon (plus who knows what else) in my Control Panel, and now the two-monitor icon no longer shows up in the system tray. I'm using a Linksys utility that came with my wireless card now. sfc.exe does not repair this.
     

    Attached Files:

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    LSP-Fix should only be used when a malware expert requests it or you feel comfortable enough to use it. However, it still should only be used when something malicious gets into the LSP chain.

    What problems are you having?
     
  3. tracy c

    tracy c Private E-2

    I used LSPFix because I found "O10 - internet unreachable because of LSP provider..." in the HJT log. IE could not find the Internet and I was without any way to access the net. It seemed to fix the problem. I ran it in Safe Mode and rebooted and was back on, with some strange things, like my wireless networking icon being gone from the Control Panel.

    I was not experiencing problems. I just got suspicious when the CPU was running in high gear at strange times. I started running tools and found a bunch of spyware. Most of it has been cleaned, but something is doing (I think) something like what VX2 does, where you can't clean it. I found things that were capturing my passwords; that's got to get fixed because I log in to my bank accounts and PayPal from this machine!

    I was on Bleeping Computer's HJT logs and analysis forum for 2 days following their FAQ directions to the letter, and then exploring and trying different fixes when the basics failed. (They never replied to my post, so an expert has never looked at my logs.)
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  5. tracy c

    tracy c Private E-2

    OK I have now completed all of the required steps and I'm uploading the appropriate logs:

    1) BitDefender
    2) GetRunKey
    3) ShowNew
    4) Panda
    5) HJT
     
  6. tracy c

    tracy c Private E-2

    Waited 10 minutes and couldn't upload the final files. Here is the lot....

    Well, this is disappointing. The website won't accept 3 of the attachments; it says upload errors. Can I just copy and paste the text of the reports here?
     

    Attached Files:

  7. tracy c

    tracy c Private E-2

    It calls the HTML BitDefender report invalid; it doesn't accept HTML files, I guess. I saved it as a text file; you should resave it as a .htm file to view it.

    The other two give an error and won't upload even though they are very small text files. Would pasting the text be acceptable?

    I've been working on this for 4 straight days now and I'm still loaded down with spyware. Each new scan finds something new, no matter how many times I scan and fix. I really need to get this thing licked.

    Thanks
     

    Attached Files:

  8. tracy c

    tracy c Private E-2

    Runkeys and newfiles: figured out the bug.

    I had to avoid the first file-upload slot in order to get it to take the files; it takes the attachment when using the 2nd or 3rd text box. Weird. Otherwise it just lists the upload as in progress indefinitely, even for these tiny text files.

    This is my 4-day offering of blood, sweat and falling asleep at work to the geek gods. I have fulfilled your demands; now answer my petition and grant me a clean machine, I beseech you.
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

    Again, make sure ALL browser windows are closed when you click FIX.

    Next, run CCleaner to clean up cookies and temp files.


    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.

    Note: Remember to get all updates before doing the scans.


    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:


    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility, which will create a fresh restore point.

    After you complete the above, reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
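The two HijackThis lines the expert asks to fix above are an O4 autorun entry and an O16 Downloaded Program Files (ActiveX) entry whose codebase is a local file:// path rather than a web URL. The script below is an added example, not code from the thread or from HijackThis: it parses the O1/O4/O10/O16 line formats seen in this thread and applies a few simple triage rules (hosts overrides, autoruns launched from user-writable temp directories, a broken Winsock LSP chain, ActiveX controls registered from a non-HTTP codebase). The sample log is constructed; only the KernelFaultCheck and counter.cab lines are copied from the post above, and the other paths, names and the second CLSID are made up.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O16"
    detail: str    # the parsed entry
    reason: str    # why it was flagged; "" means informational only


# Constructed sample log (not the thread's attached log). The O4 KernelFaultCheck
# and O16 counter.cab entries are the two the expert asked to fix above; every
# other line, name and CLSID is made up for illustration.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
O1 - Hosts: 127.0.0.1 update.example-av.test
O4 - HKLM\\..\\Run: [KernelFaultCheck] %systemroot%\\system32\\dumprep 0 -k
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O4 - HKCU\\..\\Run: [updater] C:\\Documents and Settings\\user\\Local Settings\\Temp\\upd.exe
O10 - Broken Internet access because of LSP provider 'exampl.dll' is missing
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\\counter.cab
O16 - DPF: {00000000-1111-2222-3333-444444444444} (Example Control) - http://download.example.test/ctl.cab
"""

O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O10_RE = re.compile(r"^O10 - (?P<text>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<label>[^)]*)\))? - (?P<codebase>\S+)")

# Locations a startup entry normally has no business pointing into.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\local settings\\", "\\application data\\")


def triage_line(line):
    """Parse one HJT log line into a Finding, or None for line types not handled here."""
    line = line.rstrip()
    m = O1_RE.match(line)
    if m:
        # HJT only lists hosts entries beyond the stock localhost line, so every O1 is a review item.
        return Finding("O1", f"{m['ip']} {m['host']}",
                       "hosts file override; compare against a known-clean hosts file")
    m = O4_RE.match(line)
    if m:
        reason = ""
        if any(marker in m["cmd"].lower() for marker in USER_WRITABLE_MARKERS):
            reason = "autorun launched from a user-writable temp/profile directory"
        return Finding("O4", f"{m['hive']} {m['key']} [{m['name']}] {m['cmd']}", reason)
    m = O10_RE.match(line)
    if m:
        reason = ""
        if "broken internet access" in m["text"].lower():
            reason = "Winsock LSP chain is broken; repair only as an expert directs (e.g. LSP-Fix)"
        return Finding("O10", m["text"], reason)
    m = O16_RE.match(line)
    if m:
        reason = ""
        if not m["codebase"].lower().startswith(("http://", "https://")):
            reason = "ActiveX control registered from a local/non-HTTP codebase"
        return Finding("O16", f"{m['clsid']} {m['codebase']}", reason)
    return None


def triage(log_text, flagged_only=True):
    """Run triage_line over a whole log; by default return only the flagged findings."""
    findings = [f for f in (triage_line(l) for l in log_text.splitlines()) if f is not None]
    if flagged_only:
        findings = [f for f in findings if f.reason]
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.detail}\n    -> {f.reason}")
```

The rules are deliberately conservative: the KernelFaultCheck entry is reported but not flagged, because the script cannot tell a leftover crash-reporting entry from anything else without more context, which is exactly why the thread defers to an expert reading the whole log.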
  10. tracy c

    tracy c Private E-2

    Thank you so much for your help. I am indebted to you.

    The machine never acted like it was infected with spyware. All of the spyware was of the silent variety. I am in an environment where I use my laptop on a public network occasionally. Either somebody was infected and it just probed me and exploited an IE vulnerability, or else they were using the network as an opportunity to plant password-harvesting software. I have never gotten any popups or redirects. The only thing conspicuous that ever happened was the appearance of junk applications and AOL stuff. I never really gave this thing much rein, though; I kept on cleaning in Safe Mode and had the system locked down with the firewall. I think the root of the problem may lie with the fact that I have (had?) a persistent trojan that ActiveScan has now finally deleted.

    I am uploading the latest hjt log.
     

    Attached Files:

  11. tracy c

    tracy c Private E-2

    Thank you so much for all of your help; it is invaluable to me (us).

    I have been holding off on conducting some pressing personal business (using my credit card to order something that we desperately need) until I could be sure that I wasn't handing the number directly to the Russian mafia.

    Have you had a chance to check my logs? Am I clean? Can I go ahead and use the CC and do stuff like log into my PayPal account? I would like to send you a small token of my gratitude to thank you for your help. Do you have a PayPal-associated email?
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log looks good; if you would like, we can look a little deeper to make sure nothing is hiding around.

    Please see the below threads...
    Once you have followed each thread you should attach these three logs to your next post.
    • WinPFind.txt
    • runkey.txt
    • newfiles.txt
     
  13. tracy c

    tracy c Private E-2

    OK, great. I'm starting to feel like we've gotten this thing rooted out, but I am attaching the 3 logs to make sure. Something strange is going on: I can no longer run the Trend Micro HouseCall scanner. It aborts under IE as an applet and ActiveX, and also under Firefox. I DID just install a whole bunch of updates and patches, so it could be something else, but I was thinking that it might also be malware.

    Would any of these tools catch a rootkit?

    Thanks again.
     

    Attached Files:

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download HOSTER and then follow the below steps.
    • Unzip HOSTER to a convenient folder such as C:\Hoster

    • Run Hoster.exe, click Restore Original Hosts and then click OK.

    • Click the X to exit the program.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click Save. (Make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your Desktop (or locate it with Windows Explorer and double-click on it if not saved to the Desktop) and when it prompts to add it to the registry, say yes.

    Once you complete this, reboot and let me know how things are running. Also, go ahead and run CCleaner again to clean up any temp/junk files.
     
    Last edited: Aug 6, 2006
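The "Restore Original Hosts" step above exists because a tampered hosts file is one common reason an online scanner such as HouseCall stops loading (post 13) and the same mechanism can quietly send a banking or payment hostname to an address the attacker controls. The script below is an added example, not code from the thread or from the Hoster tool: it parses a Windows hosts file, separates the stock localhost mapping from everything else, and classifies each extra entry as sinkholed (sent to loopback, i.e. blocked) or redirected (sent somewhere else). The sample hosts content is constructed; 192.0.2.10 is documentation address space, and restored_hosts() stands in for what a default-restore step is assumed to leave behind (the localhost line only).

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class HostsOverride:
    line_no: int
    ip: str
    host: str
    kind: str   # "sinkholed" (mapped to loopback) or "redirected" (mapped elsewhere)


# Assumed content of a freshly restored hosts file once comments are stripped.
DEFAULT_HOSTS = "127.0.0.1       localhost\n"

# Constructed sample (not the thread's file): a loopback entry that would keep the
# online scanner from loading, plus a non-loopback entry that would send a payment
# hostname to an attacker-chosen address (192.0.2.10 is TEST-NET documentation space).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       housecall.trendmicro.com   # blocks the online scanner
127.0.0.1       www.majorgeeks.com
192.0.2.10      www.paypal.com
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each active mapping; comments and junk skipped."""
    for n, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()   # drop trailing/inline comments
        if not entry:
            continue
        parts = entry.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue   # not "<ip> <name>..." so not a mapping
        for host in parts[1:]:
            yield n, parts[0], host


def find_overrides(text):
    """Return every mapping other than the stock loopback -> localhost entry."""
    overrides = []
    for n, ip, host in parse_hosts(text):
        loopback = ipaddress.ip_address(ip).is_loopback
        if loopback and host.lower() == "localhost":
            continue
        kind = "sinkholed" if loopback else "redirected"
        overrides.append(HostsOverride(n, ip, host, kind))
    return overrides


def restored_hosts():
    """Content assumed to result from a default restore: the localhost mapping only."""
    return DEFAULT_HOSTS


if __name__ == "__main__":
    for o in find_overrides(SAMPLE_HOSTS):
        print(f"line {o.line_no}: {o.host} -> {o.ip} ({o.kind})")
```

A "redirected" entry for a site you log into is the case the poster worried about in post 11: the browser would resolve the real hostname to the wrong server without any visible sign, which is why the expert restores the hosts file before declaring the machine safe for banking.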
