W32/backdoor-CFB virus + others

I don't know what this means, "all the usual and recommended tools ". You need to be more specific.
Did you run ALL the steps in this thread: READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

If so, did they find and clean anything.

If you have run ALL the above steps, you should read the tutorial in this Sticky thread < Hijack This Tutorial And How To Post Your Log File >

And post a HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail, items in the tray, anything you can close... Close before running Hijack This!

Do NOT run Hijack This from the Desktop, a temp folder or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

You said, "Stinger has detected a W32/backdoor-CFB virus" . Did it fix it?

 

Try removing these and let us know:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R3 - URLSearchHook: MailTo Class - {FDE3577A-6254-181C-4E11-339E4F746BD3} - C:\WINDOWS\System32\wins32t.dll

What are these?
O4 - HKLM\..\Run: [Hacker Eliminator] C:\Program Files\Hacker Eliminator\HackerEliminator.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
Remove them and stick to the programs we offer for download here Uninstall those 2 from add\remove programs.

O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\wininet.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

 

They should have been in Add/Remove programs but if you already removed the folders then yes have HJT fix any lines referring to those applications.

What is the O2 line?

Having 31 process running is not unusual.

 

Yes, post your log!

 

That's because you have one of the new forms of about:blank issues (the about:NavigationFailure version). This can be annoying to remove just like the other versions.

1) Make sure you have viewing of hidden files enable as per the READ ME FIRST tutorial.



2) Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now and do not open it again until I tell you too (so print these instructions or save them locally):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {CD4388BB-2F8B-4CE6-AABC-A6F21A5691CD} - C:\WINDOWS\System32\hamel.dll
O18 - Filter: text/html - {0D8B9D78-B7E1-4A64-97A2-C457714D1F42} - C:\WINDOWS\System32\hamel.dll
O18 - Filter: text/plain - {0D8B9D78-B7E1-4A64-97A2-C457714D1F42} - C:\WINDOWS\System32\hamel.dll

​

3) Now use Windows Explorer (right click Start and select Explore) to locate and delete:

C:\WINDOWS\System32\hamel.dll
If you have a problem locating or deleting this file, I need to know that. If it will not delete, reboot in safe mode and continue the steps below in safe mode. If it deletes okay continue in normal mode.

4) Reset Web Settings by clicking Start, Control Panel (for some systems it may be Start, Settings, Control Panel) and select Internet Options. Then click Programs and click the Reset Web Settings button. Then go back to the General tab and set your home page back to what you like (i.e., www.majorgeeks.com). Click Apply. Now click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

5) Now empty your Recycle bin!

6) Now whether you are in safe mode or normal mode, reboot.

7) Connect to the internet open your browser then exit your browser

8) Create a new HijactThis log

9) RUn your browser again and come back here and tell me how things are working and post your log.

Additional things we must look after completing the above:
I don't like the looks of this line with monitor.exe on but I need more info before deciding anything:
O4 - HKCU\..\Run: [monitor] monitor.exe

Can you go to Start > Search > enter "monitor.exe" without the quotes. Right click the file and post the file's properties and version info? Also once you know where the file is located, browse here and submit the file for an a single file online antivirus scan at:

http://www.kaspersky.com/scanforvirus.html

Let me know what you find out from Properties info and from kaspersky. If you have difficulty finding the file, setup the below options for Windows Search to look for hidden files:
Click Search and the Select "All files and folders"
Enter the filename in the "All or part of the file name:" box, so enter monitor.exe
Now select "More advanced options"
Make sure the following check boxes are checked:
- Search system folders
- Search hidden files and folders
- Search subfolders
Then click the Search button.

Do you have Talisman Shell Switcher installed? The reason I ask is these lines (do not touch these, just answer my question)

O4 - HKLM\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
​

 

Your log looks okay other than the monitor.exe file. I need properties info on it. What did you give me from prefetch?

I see you got rid of the tss.exe lines too.

 

Okay the tss lines must have been related to the other problems then.

Yes, properties info is obtained by right click on the file and selecting Properties. Most valid program files have version tab where you can find lots of information by selecting each of the items in the Item name: pane. Take a look at c:\windows\explorer.exe for an example. Then check out the monitor.exe file and tell me what you get for each of the Item Names.

Yes you need to type it into your message

 

Wait a minute! Why are you now telling me Stinger is complaining about explorer.exe being corrupt. Didn't you run Stinger when you first started this thread when following the READ ME tutorial. Or are you saying this is a new corruption. Did you run Stinger from safe mode.

You need to have HJT fix the line:
O4 - HKCU\..\Run: [monitor] monitor.exe

and boot into safe mode and delete the
monitor.exe file (whereever it is) and also the one in Prefetch.

 

Okay! I did not know that. Your first message only said "Stinger has detected a W32/backdoor-CFB virus" You did not say what file. Does it give a full path to the file?
If it is c:\windows\explorer.exe, this is going to be difficult.

Did you delete the monitor.exe in Prefetch and were you able to get the line in HJT fixed permanently?

 

Instructions on using this are here:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.agent.b.removal.tool.html

 

Why did you try to upgrade to SP2? We did not suggest it. It is not a good idea to upgrade to SP2 with any form of malware present on a PC. It can cause problems in the upgrade. What OS are you running now?

 

Okay so post a current HijackThis log attachment and tell me again what problems you have right now.

 

Cool idea Kodo. I was thinking about having Kittee replace explorer.exe too.

 

Kodo,

Did you notice Kittee also picked up a new problem. An about:blank/about:NavigationFailure
hijack.

This was not present earlier.

 

Kittee,

Kodo and I want to confirm whether explorer.exe on your system has truly been modified. Here is what we are thinking about:

To see if explorer.exe is really getting infected, we want to get an MD5 signature for a known good explorer.exe (the one Kodo gave you in the download link) and also get one for the explorer.exe on your system after Stinger detects a problem. We are wondering if the problem may be that it is not explorer.exe but something loaded by explorer.exe (like a DLL) that is actually the problem but Stinger detects it in explorer.exe.

So here is what we want you to do:

Go to the below link and download and install this small and quick MD5 compare tool we can use:
http://www.download.com/SolidBlue-W...tml?tag=lst-0-1

I have already determined the MD5 for the original explorer.exe that Kodo gave to you. Its is: a82b28bfc2e4455fe43022a498c0ef0a

Copy and paste the above MD5 into the Compare box in WinMD5Sum, now where you see the File name box click on the button to the right that has ... within it. Then browse to your current c:\windows\explorer.exe and select it. This will give the MD5 signature for it and automatically do the compare. Tell us whether they compare or not.

 

What version of Stinger have you been using?

It is now up to version 2.4.3. Get it here: McAfee AVERT Stinger
And give it a run see if you sill get the same results. Save the report file this time and post it back here.

It does not make sense that Stinger would only find the problem when the Explorer.exe program was running. Stinger scans the files not memory. And since your MD5 comes out the same as a good explorer.exe, it does not make sense that anything is wrong with yours.

 

Hi Kittee, Where have you been?

Try going here and reading this:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.J

The link to the downloadable fix is in the above but I'll repeat it below.
https://beta.activeupdate.trendmicro.com/fixtool/fixagentv1.0007.zip


Try that and let me know what happens.

Edit: thanks kodo. Yeah I had that on my list of things to look at next. I wanted to give the above automatic tool from TrendMicro a try.

 

That's great news Kittee. I'm happy we finally got that fixed. Yes you should post a new log. It's been a while. You should not be getting CWS problems all the time.

You should take a look at this thread too and see if there is anything in there you have not done: How to Protect yourself from malware!