win antivirus pro 2007

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jdalessandro, Sep 25, 2007.

  1. jdalessandro

    jdalessandro Private E-2

    i have been dealing w/ this for a week and tried various programs to remove it w/o success. i have run "read/run me first" w/ the following results. however, i could not get panda scan to work. please let me know what i need to do. your help is GREATLY appreciated.
     

    Attached Files:

  2. jdalessandro

    jdalessandro Private E-2

    here are the other logs...
     

    Attached Files:

  3. abri

    abri MajorGeek

    Hi jdalessandro!
    Welcome to Major Geeks!

    I'm looking at your logs and will get back to you in a bit. Please disconnect your computer from the internet and turn off your Kaspersky. Then try running AVG Antispyware again. Something's blocking it. If it runs, post the new log to us after you turn your antivirus back on and reconnect to the internet.
    abri
     
    Last edited: Sep 25, 2007
  4. abri

    abri MajorGeek

    Hi jdalessandro!

    Your computer is very infected. (duh! looks like you've been fighting it since August!)

    Please tell me what's in these two folders:

    - C:\Temp
    - C:\WINDOWS\system32\en-US



    Please go to either of the following websites: VirusTotal or jotti (or both) and one at a time, upload these two files and have them scanned:
    Please post this information back to me and then I'll give you further instructions which should help.

    abri
     
  5. jdalessandro

    jdalessandro Private E-2

    - C:\Temp

    two folders, "1cb, fse". they both have ".log"'s in them.


    - C:\WINDOWS\system32\en-US

    admparse.dll.mui
    extmgr.dll.mui
    html.iec.mui
    icardie.dll.mui
    ie4unit.exe.mue.mui
    inetcpl.cpl.mui
    ieakeng.dll.mui
    ieaksie.dll.mui
    ieaku.dll.mui
    iedkcs32.dll.mui
    ieframe.ll.mui
    iepeers.dll.mui
    iernonce.dll.mui
    iesetup.dll.mui
    ieui.dll.mui
    ieunatt.exe.mui
    inetcpl.cplui
    inseng.dll.mui
    licmgr10.dll.mui
    msfsbs.dll.mui
    mshta.exe.mui
    mshtml.dll.mui
    mshtmled.ll.mui
    mshtmler.dll.mui
    msrating.dll.mui
    ocache.d.mui
    urlmon.dll.mui
    webcheck.dll.mui
    WinXDocObj.exe.mui
    wininet.dll.mui

    (is there a simpler way to do this rather than to type each file?!)

    i'll upload/scan the other files and report back..

    thanks!
     

    Attached Files:

  6. jdalessandro

    jdalessandro Private E-2

    C:\WINDOWS\am9obm55

    could not be scanned. when the browse window pops up, this file is faded and there appears to be nothing inside.

    C:\WINDOWS\klif.spi

    File klif.spi received on 09.25.2007 19:07:37 (CET)
    Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


    Result: 0/32 (0%)
    Loading server information...
    Your file is queued in position: 4.
    Estimated start time is between 52 and 75 seconds.
    Do not close the window until scan is complete.
    The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
    If you are waiting for more than five minutes you have to resend your file.
    Your file is being scanned by VirusTotal in this moment,
    results will be shown as they're generated.
    Compact Print results
    Your file has expired or does not exists.
    Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

    You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
    Email:


    Antivirus Version Last Update Result
    AhnLab-V3 2007.9.22.0 2007.09.24 -
    AntiVir 7.6.0.15 2007.09.25 -
    Authentium 4.93.8 2007.09.25 -
    Avast 4.7.1043.0 2007.09.24 -
    AVG 7.5.0.485 2007.09.25 -
    BitDefender 7.2 2007.09.25 -
    CAT-QuickHeal 9.00 2007.09.24 -
    ClamAV 0.91.2 2007.09.25 -
    DrWeb 4.33 2007.09.25 -
    eSafe 7.0.15.0 2007.09.23 -
    eTrust-Vet 31.2.5162 2007.09.25 -
    Ewido 4.0 2007.09.24 -
    FileAdvisor 1 2007.09.25 -
    Fortinet 3.11.0.0 2007.09.25 -
    F-Prot 4.3.2.48 2007.09.25 -
    F-Secure 6.70.13030.0 2007.09.25 -
    Ikarus T3.1.1.12 2007.09.25 -
    Kaspersky 4.0.2.24 2007.09.25 -
    McAfee 5127 2007.09.25 -
    Microsoft 1.2803 2007.09.25 -
    NOD32v2 2549 2007.09.25 -
    Norman 5.80.02 2007.09.25 -
    Panda 9.0.0.4 2007.09.25 -
    Prevx1 V2 2007.09.25 -
    Rising 19.42.11.00 2007.09.25 -
    Sophos 4.21.0 2007.09.25 -
    Sunbelt 2.2.907.0 2007.09.25 -
    Symantec 10 2007.09.25 -
    TheHacker 6.2.5.068 2007.09.25 -
    VBA32 3.12.2.4 2007.09.25 -
    VirusBuster 4.3.26:9 2007.09.25 -
    Webwasher-Gateway 6.0.1 2007.09.25 -
    Additional information
    File size: 252 bytes
    MD5: 329d3b65860c3c0c820cd4e28e1004cb
    SHA1: bcef9ca64b367333b3d2dc1a137bdab53c6201d9


    let me know what to do next. thanks again!!
     
  7. abri

    abri MajorGeek

    Hi jdalessandro!

    Please run the following two scans:

    1) The following link will take you to the instructions for VundoFix. Please follow the instructions in the link and run it multiple times until it comes up clean.
    - Virtumonde aka Trojan Vundo Removal


    2) Next run this utility:
    3) When you've completed the above two, please post the final log for each. Then please create fresh logs for ShowNew, GetRunKeys and HijackThis. You'll have five logs altogether and will need to attach them in two posts.

    Thanks!
    abri
     
  8. jdalessandro

    jdalessandro Private E-2

    ran vundofix twice (in normal mode w/ kaspersky still on (is this ok?)) and came up clean.

    kaspersky was also on when combo fix was run.
     

    Attached Files:

  9. jdalessandro

    jdalessandro Private E-2

    here are the others...

    let me know what's next. again, thanks so much for your help.
     

    Attached Files:

  10. abri

    abri MajorGeek

    hi jdalessandro!
    Could you tell me what's in this folder?

    C:\WINDOWS\AM9OBM55

    After that I'll post the next set of instructions to you.

    Thanks!
    abri
     
  11. jdalessandro

    jdalessandro Private E-2

    nothing appears to be in that folder. again, the folder icon appears "faded" (along w/ a few others) compared to most of the folders under c:\windows. under properties, it says 0 contents and 0 bytes.

    thanks!
     
  12. abri

    abri MajorGeek

    Hi jdalessandro!
    I think your folder is sort of paled out because not all your hidden files are visible. Please do the following and then check that one folder again.
    C:\WINDOWS\AM9OBM55

    If it's empty, please leave it in the instructions below for Avenger under "Folders to delete" in the box. If it's not empty, please post what's in it, and remove that one entry from "Folders to delete" before you run Avenger.
    1) Please look in Add/Remove Programs for the following and uninstall it. If you get any errors just make a note and proceed.
    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    3) Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )
    4) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    5) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    6) After you have completed ALL of the above in the correct order, please attach the following logs.
    • Avenger Log
    • ShowNew Log
    • GetRunKey Log
    • HijackThis Log
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    abri
     
  13. jdalessandro

    jdalessandro Private E-2

    the following is not in my hijack this log:

    O2 - BHO: (no name) - {B2E2E142-C07C-4C37-9F6E-F144BAFA0CF0} - C:\WINDOWS\system32\ddcaw.dll

    there is something very similar, but the numbers/letters in b/t the brackets is different: the rest is the same.

    should i delete the file?

    continuing w/ the steps...
     
  14. jdalessandro

    jdalessandro Private E-2

    here's the updates minus the unfixed file mentioned in the previous post.
     

    Attached Files:

  15. jdalessandro

    jdalessandro Private E-2

    things appear to be running much better. kaspersky occasionally has to block something, though (i think it's trojan 32 or something like that). the desktop icons have white letters, not blue. the videos are running much quicker as well. however, there is still a bug in ie in that i cannot download my bank statements to my quicken (i used to be able to do that prior to the infection).

    let me know what i need to do next. thanks!
     
  16. abri

    abri MajorGeek

    Hi jdalessandro!

    Yes, please delete that thing. It's mutating.

    Scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )
    I will be back in a bit to look through the logs. I expect there will be a few more things that need to be done still.
    abri
     
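The "mutating" BHO in the two posts above is the same DLL (C:\WINDOWS\system32\ddcaw.dll) showing up under a different CLSID each time, which is why a HijackThis fix keyed on the exact line keeps missing it. The following script, added here as an example and not part of the thread or of HijackThis, triages O2 lines by the DLL path instead of the CLSID. The log lines are constructed for the example: the two ddcaw.dll entries reuse the CLSID quoted in the thread plus a made-up second one, and the two benign entries are merely typical of logs from that era, so treat all four CLSIDs as illustrative.

```python
import re
from collections import defaultdict

# Constructed sample HijackThis O2 (Browser Helper Object) lines for this example.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {B2E2E142-C07C-4C37-9F6E-F144BAFA0CF0} - C:\WINDOWS\system32\ddcaw.dll",
    r"O2 - BHO: (no name) - {0D3F5E8A-11C2-4A6B-9D21-3F7E1C2B9A77} - C:\WINDOWS\system32\ddcaw.dll",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll",
])

# "O2 - BHO: <name> - {<CLSID>} - <path>"; the CLSID is always 36 characters.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+?)\s*$"
)

SYSTEM32 = r"c:\windows\system32"


def parse_o2(log_text):
    """Return one dict per O2 line: display name, CLSID, DLL path and a
    lower-cased path key used for comparison (Windows paths are case-insensitive)."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if not m:
            continue  # not an O2 line; other HijackThis sections are ignored here
        entries.append({
            "name": m.group("name"),
            "clsid": m.group("clsid").upper(),
            "path": m.group("path"),
            "key": m.group("path").lower(),
        })
    return entries


def find_reregistered(entries):
    """Map DLL path -> sorted CLSIDs for every DLL registered under more than one
    CLSID. One DLL behind several CLSIDs is the re-registration pattern the thread
    calls 'mutating'."""
    by_path = defaultdict(set)
    for e in entries:
        by_path[e["key"]].add(e["clsid"])
    return {p: sorted(c) for p, c in by_path.items() if len(c) > 1}


def flag_suspicious(entries):
    """Attach human-readable reasons to entries worth a second look. These are
    heuristics for triage, not proof: an unnamed BHO in system32 is a common
    adware pattern, and the same DLL under several CLSIDs is a stronger signal."""
    rereg = find_reregistered(entries)
    flagged = []
    for e in entries:
        reasons = []
        if e["key"] in rereg:
            reasons.append("same DLL registered under %d CLSIDs" % len(rereg[e["key"]]))
        if e["name"] == "(no name)" and e["key"].startswith(SYSTEM32):
            reasons.append("unnamed BHO loaded from system32")
        if reasons:
            flagged.append({"clsid": e["clsid"], "path": e["path"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_suspicious(parse_o2(SAMPLE_LOG)):
        print("{%s} %s" % (hit["clsid"], hit["path"]))
        for r in hit["reasons"]:
            print("    - " + r)
```

Because the match is on the file path, the script would flag the third line even though its CLSID differs from the one quoted in the thread, which is exactly the case where checking a single O2 line by hand fails. To run it over a real log, replace SAMPLE_LOG with the file's contents; the non-O2 sections are skipped.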
  17. jdalessandro

    jdalessandro Private E-2

    deleted the mutating file. just in case, a fresh hijack this log...

    computer is SIGNIFICANTLY faster. feels nice to have the speed back!

    thanks again!
     

    Attached Files:

  18. abri

    abri MajorGeek

    Hi jdalessandro!

    A couple of things got past us and we still need to remove them. Please begin with the following registry patch to get rid of that stubborn BHO line that HijackThis isn't getting:


    1) Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save As type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    2) Then I would like for you to print out these instructions and unplug your computer from the internet. Then turn off any antivirus and antispyware that is running and Windows Defender and try getting avenger to delete this one file again.

    3)
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    4) Please restart your antivirus, antispyware and Windows Defender. Reconnect to the internet.

    5) Please open the Avenger log and see if it was successful in finding and deleting the above file. If it was, please skip step 6 and continue on. If it was not, please follow the instructions in the next box and then continue on with the other instructions to the end of this post:

    6)
    7) After the command prompt window is closed, please delete the contents of C:\WINDOWS\Prefetch.

    8) Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.
    9) After you have completed the above in the correct order, please attach the following logs.
    • Avenger Log
    • ShowNew Log
    • GetRunKey Log
    • HijackThis Log
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    abri
     
  19. jdalessandro

    jdalessandro Private E-2

    here are the first three attachments....
     

    Attached Files:

  20. jdalessandro

    jdalessandro Private E-2

    sorry, here are the last two attachments.

    computer seems to be doing much better. videos are smooth, web pages come up faster, etc. however, i still cannot download my bank of america data into my quicken.

    i spoke w/ the bank about this ~ 2 wks ago and they informed me it was my browser that was the problem. thoughts?

    thanks!!
     

    Attached Files:

  21. abri

    abri MajorGeek

    Hi jdalessandro!

    We need to get rid of one more file, but a comment about the question in your last post. You first asked your bank about the problems you were having with your statements approximately a week after the virus was already on your system. The reason people put these things onto your system is not so they can damage your computer, but so they can get you to buy things to protect yourself, generally from them. They also put them on there so they can get to your private information. It's important at this point to understand how your computer got infected, so it won't happen again. We can reset your Internet Explorer settings which might help, but I will wait one more post with that. After we've gotten your computer clean, we will have you set a clean restore point and erase all the previous ones. We only do this when we are sure your computer is clean at the very end. Then there is a set of guidelines we will ask you to read to make sure you're as protected as possible.

    I have not been able to find a firewall on your computer. Am I overlooking it? It's important to have a software firewall even if you are sitting behind the hardware firewall of a router. The Windows firewall is not adequate because it only prevents incoming traffic and doesn't deal with what is trying to leave your computer. That's one of the things in the guide. Also, viruses and all the various types of software the word virus encompasses, usually get onto people's computers because of their internet practices. Everyone is vulnerable, but certain types of activities make one more vulnerable and there are ways to operate more safely if you are truly planning to continue with financial activities online.

    There is one more file we need to delete and I have a question about a folder you have under C:\

    What is this? Is there anything in it?
    C:\Jeppesen

    Please do the following:

    1)
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    2) Please open the Avenger log and see if it was successful in finding and deleting the above file. If it was, please continue on. If it was not, stop here and just tell me, and we'll try deleting it another way.

    3) If you have XP, please delete the contents of C:\WINDOWS\Prefetch.

    4) Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.
    5) After you have completed the above in the correct order, please attach the following logs.
    • Avenger Log
    • ShowNew Log
    Let me know how things are running now.

    abri
     
  22. jdalessandro

    jdalessandro Private E-2

    What is this? Is there anything in it?
    C:\Jeppesen

    jeppesen is an aviation chart company. it is on my computer through aopa (an airplane organization) that allows me to file flight plans online through their software. the file is empty and i have never used jeppesen.

    got through the steps. file successfully deleted.

    again, things appear to be "normal" minus the banking activity mentioned in the last post. we'll cross that bridge later.

    you don't see a firewall on the computer b/c there isn't one! i was told when i bought my belkin router that its firewall would be sufficient. since this infection i have wondered how it got through the router firewall. in addition, when loading the firewall a few years ago, they told me not to use a computer firewall b/c it would interfere w/ the router. thoughts?

    i want to continue doing financial practices online. however, i would like to do it as safely as possible. any thoughts/recommendations you have would be greatly appreciated.
     

    Attached Files:

  23. abri

    abri MajorGeek

    Hi jdalessandro!
    My own experience is that there's not a conflict between the hardware firewall of a router and a software firewall. I've used a couple of different routers so far and it's been fine. I use Zone Alarm free, have used Zone Alarm Pro and Sygate remains one of my favorites still, but I don't know if there is any support for it anymore. Zone Alarm free is not as bossy as Zone Alarm Pro and I prefer it that way.

    The main way people's computers become infected is by opening files they shouldn't open and by clicking on websites and ads in websites they shouldn't click on. Some software brings adware with it. There's a more thorough discussion on this in the "How to protect yourself from malware".

    My own recommendation if you want to work online with your personal data but also do p2p file transfers and gaming, is to set up a separate hard drive which can be unplugged and only plug that one in for things which require a higher level of security. Keep everything separate which has to do with finances. Run CCleaner every time you go off the internet and before you do anything online which involves using personal information.

    There are good protective pieces of software recommended in the "How to protect yourself" guide. Spyware Blaster is a great tool and doesn't seem to conflict with other tools that you need to use. Also, I think it's Adaware which identifies a list of tracking mechanisms your computer itself records for your convenience. It's worth studying this list of non-harmful trackers and deciding if there are any you can live without. You see the results of these when you start to type a word into the address bar or into google or places like this and a drop-down menu appears with places you've been before.

    I don't see any other bad files on your computer. Please follow the instructions in the box below and be sure to do step 10:
    abri
     
  24. jdalessandro

    jdalessandro Private E-2

    sorry about the lapse in replies...

    We can reset your Internet Explorer settings which might help, but I will wait one more post with that. After we've gotten your computer clean, we will have you set a clean restore point and erase all the previous ones. We only do this when we are sure your computer is clean at the very end. Then there is a set of guidelines we will ask you to read to make sure you're as protected as possible.


    can we reset the ie settings b/c i still cannot download my banking statements into quicken.

    in addition, i would like to repay you for helping me get my computer back to normal. you have done substantially more than kaspersky has and i had to pay for that. let me know what arrangements we can make.

    thanks again!
     
  25. abri

    abri MajorGeek

    Hi jdalessandro!
    Here are the instructions for resetting your web settings back to the default. I don't know if this will help, but try it:
    abri
     
  26. abri

    abri MajorGeek

    Hi jdalessandro,
    I don't know if resetting your browser helped, but I would like to know.
    As for your other question about repayment, yes, maybe, I'm not sure, I'll get back to you in about a week. I'm afraid that's not much of an answer but it's the only one I have right now.
    As to your much-earlier question about if there is a way to post besides typing in the file names one at a time ... I can only think of a screen shot at the moment. I have to look into that myself. I can imagine there's something like a highlight/mark and shoot screenshot if you have the software for it. That would be the most useful.
    I hope your computer continues to work better and that the browser problems you experienced get resolved.
    abri
     
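Earlier in the thread the folder listing had to be typed out by hand, VirusTotal refused one file, and the "faded" folder turned out to be a hidden-files display issue. The script below is an added example, not from the thread or from any of the tools it names: it lists a folder's contents regardless of the Explorer "hidden" attribute and records size plus MD5 and SHA1 for each file, the same two digests VirusTotal prints at the bottom of a report, so a helper can look a hash up without the file being uploaded. The folder it inventories is constructed in a temporary directory by demo_folder(); the file names and contents there are made up for the example.

```python
import hashlib
import os
import stat
import tempfile


def file_digests(path, chunk=65536):
    """MD5 and SHA1 hex digests of a file, read in chunks so large files are fine."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def is_hidden(path):
    """True if Explorer would hide the entry. On Windows this is the HIDDEN file
    attribute; elsewhere the dot-file convention is used as a stand-in."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", None)  # only present on Windows
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return os.path.basename(path).startswith(".")


def inventory(folder):
    """One row per directory entry. os.listdir() sees hidden entries, which is the
    point: a folder that looks empty or 'faded' in Explorer may still hold files."""
    rows = []
    for name in sorted(os.listdir(folder)):
        full = os.path.join(folder, name)
        row = {"name": name, "hidden": is_hidden(full)}
        if os.path.isdir(full):
            row.update(kind="dir", size=None, md5=None, sha1=None)
        else:
            md5, sha1 = file_digests(full)
            row.update(kind="file", size=os.path.getsize(full), md5=md5, sha1=sha1)
        rows.append(row)
    return rows


def format_report(rows):
    """Plain-text table that can be pasted into a forum post."""
    lines = ["%-20s %-4s %-6s %8s  %-32s  %s" % ("name", "kind", "hidden", "size", "md5", "sha1")]
    for r in rows:
        lines.append("%-20s %-4s %-6s %8s  %-32s  %s" % (
            r["name"], r["kind"], "yes" if r["hidden"] else "no",
            "" if r["size"] is None else r["size"], r["md5"] or "", r["sha1"] or ""))
    return "\n".join(lines)


def demo_folder():
    """Build a constructed sample folder: a small log, an empty file, a subfolder and
    a dot-prefixed file (hidden on POSIX; would need the attribute set on Windows)."""
    d = tempfile.mkdtemp(prefix="inventory_demo_")
    with open(os.path.join(d, "sample.log"), "wb") as fh:
        fh.write(b"abc")
    open(os.path.join(d, "empty.dat"), "wb").close()
    os.mkdir(os.path.join(d, "1cb"))
    with open(os.path.join(d, ".tucked_away.log"), "wb") as fh:
        fh.write(b"hidden")
    return d


if __name__ == "__main__":
    print(format_report(inventory(demo_folder())))
```

Pointing inventory() at a real folder such as C:\WINDOWS\system32\en-US produces the listing that was typed by hand above, with digests alongside; an empty-looking folder that still shows 0 entries here really is empty, whereas one that suddenly shows files was only hiding them from Explorer.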
  27. jdalessandro

    jdalessandro Private E-2

    resetting the browser didn't help. called boa and they gave me some tricks as well, but to no avail. i'm waiting for a boa manager to call me back tomorrow. we'll see...

    reply about the donation/repayment when you can. i simply wanted to thank you for your time/effort and for solving my problem.

    thanks again...
     
  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you want to support this site you can buy a Majorgeeks t-shirt or sweatshirt. Also, an email of appreciation to the owners (see their names and email addresses here: http://www.majorgeeks.com/page.php?id=2 ) is always appreciated. Also send your friends here.
     
