Steps followed, still have problems.

Discussion in 'Malware Help (A Specialist Will Reply)' started by Sassafras, Aug 16, 2007.

  1. Sassafras

    Sassafras Private E-2

    Hello. It's been a long time (years) since I need y'all's help. I hope you can help me again. This is aggravating!

    I followed steps 1-7 in trying to clean things out and in getting logs for y'all to look at. I'm still having virus and spyware problems.

    Spybot:

    Wind Updates, 1 entry, fixed.

    Drive Cleaner 2006, 2 entries, couldn't fix. (A window of some sort keeps popping up for it.)

    MyWay.MySearch, 1 entry, fixed.


    AVG Anti-Spyware found nothing.


    I couldn't get a log for either Spybot or AVG. I hope that won't be too much of a problem.


    BitDefender found what looks like a lot (in MyDownloads, Local Settings/Temp, System Volume Information\_restore, Vundo Fix Backups, and WINDOWS\system 32). I will attach the log for it.


    Panda found 2 viruses (disinfected 2), 6 Spyware, and 1 Hacking Tool and rootkit. I will attach the log for it.


    I ran Vundo Fix before and after doing all the required steps (because Virtumonde had shown up in a routine scan).


    In addition to the logs for BitDefender and Panda, I will be attaching logs for GetRunKey, ShowNew and HijackThis!.


    I hope I'm giving y'all all the information you need. I really need your help.
     

    Attached Files:

  2. Sassafras

    Sassafras Private E-2

    Now here are the logs for ShowNew and HijackThis.
     

    Attached Files:

  3. Sassafras

    Sassafras Private E-2

    Oh, and in case you're wondering (and I guess the logs might show it?), windows keep opening at random. Not a lot at one time, at least. But it's still pretty annoying. I don't know what they're all about. One said something about Jack9 (a gambling site?), one keeps saying something about someone on MySpace liking me or something, one pops up immediately after that one (after I click the x) about a celebrity on MySpace or some such. Then there's the one about an error (has to be false; it's coming from some online site) and then it offers some "virus protection".

    Those are the main windows I've noticed.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to rename HijackThis.exe as requested in the READ ME or some aspects of the infection you have will not even show. You also need to disable Spybot's Teatimer which was also specified in the READ ME.

    Now Disable Spybot's TeaTimer
    • Run Spybot and click Mode
    • Select Advanced Mode.
    • Then click Tools and select Resident.
    • Now in the right window pane, uncheck TeaTimer.
    • Also while this is open, in the left column now select IE Tweaks
    • and then in the right pane make sure all the Miscellaneous locks are unchecked.
    • Now quit Spybot!

    After doing the above, continue on to the below.


    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log ( C:\combofix.txt ) for you. Attach this log to your next reply
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    4. the ComboFix log
    Make sure you tell me how things are working now!
     
  5. Sassafras

    Sassafras Private E-2

    I thought I had renamed HijackThis analyse.exe. I know it's called that now somewhere. lol I renamed it analyse.exe again (in the file where I have to click to run it) and then renamed the log file to analyse.exe.log. Hopefully I did it right.

    The windows that keep popping up, in case that's important, are popping up in IE, even though I'm using Firefox.

    Also, when I ran BitDefender, the results for each virus or spyware said that a "disinfection failed", was "deleted" and that the "update failed".


    And now here are the logs. I really hope this is right. I did my best and thought they were. :confused


    I tried attaching the logs for GetRunKey and ShowNew, but it gave me an error message saying that I've already added them to this thread. Am I supposed to run them again or something?

    Also, ComboFix had two text files. I didn't know which one you wanted, so I attached both.
     

    Attached Files:

  6. Sassafras

    Sassafras Private E-2

    Oh, I forgot to mention that I tried to remove WeatherBug using Add/Remove programs (I saw that suggested here somewhere), and it did remove it there, but it's still on my computer and functioning. I then tried removing it using WeatherBug itself, but I couldn't find a way of uninstalling it.

    Is it really important that I get rid of it (I've had it for years)? And if so, how do I go about doing that?


    I apologize for my ignorance and if this isn't the right place for that inquiry.
     
  7. Sassafras

    Sassafras Private E-2

    I hope I'm not speaking too soon, but no windows have popped up since my last posting. Still, I hope y'all will check out my logs and let me know for sure that things are okay and if I should do anything more.


    Thanks! :)
     
  8. Sassafras

    Sassafras Private E-2

    *sigh* A window just popped up for system doctor, whatever that is. How annoying. They're back. :(
     
  9. Sassafras

    Sassafras Private E-2

    I apologize for so many messages in a row. I hope that doesn't make things confusing.

    I ran GetRunKey and ShowNew again. Here are the logs.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    WeatherBug is not a major malware issue. It is however adware and that is why the scanners pick it up. You can always reinstall it later if you decide you really need it. Just remember that it is adware and most scanners will always detect it as a potential problem due to it being adware and also due to the fact that it installs on thousands of PCs without consent from the users.

    You don't need to rename the log file. Only the EXE file as we requested.


    Yes that is what new logs meant.


    Continue by downloading a tool we will need

    - Process Explorer

    Extract it to its own folder somewhere that you will be able to locate it later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    wvuusrr.dll
    sstts.dll
    After you have killed all instances of any of the above DLLs under winlogon click ok.
    (If you do not find these DLLs, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    wvuusrr.dll
    sstts.dll

    After you have killed all instances of any of the above DLLs under Explorer click ok.
    (If you do not find these DLLs, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    wvuusrr.dll
    sstts.dll

    After you have killed all instances of any of the above DLLs under iexplore click ok.
    (If you do not find these DLLs, just continue on.)

    Now just exit Process Explorer.

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - (no file)
    O2 - BHO: (no name) - {1AE5DBAF-82B5-4B98-A4ED-2743895BD7B3} - C:\WINDOWS\system32\vtutq.dll (file missing)
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\system32\wvuusrr.dll
    O2 - BHO: (no name) - {CB279C33-C2AC-4296-BF11-4D51B54666C7} - C:\WINDOWS\system32\vturs.dll (file missing)
    O2 - BHO: (no name) - {CD001D9B-79E5-4934-9B23-F2151702DBCA} - C:\WINDOWS\system32\sstts.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
    O20 - Winlogon Notify: sstts - C:\WINDOWS\system32\sstts.dll
    O20 - Winlogon Notify: wvuusrr - C:\WINDOWS\SYSTEM32\wvuusrr.dll
    After clicking Fix, exit HJT.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!

    I will be on vacation for a week starting this afternoon, so someone else should be around to help you complete this.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 8 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
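As an added illustration, not part of the thread and not code from HijackThis, Process Explorer or any other tool named above: a small Python triage script for log lines in the format chaslang quoted. It parses O2 (BHO), O4 (Run key) and O20 (Winlogon Notify) lines, marks entries whose target is reported as "(no file)" or "(file missing)" as dead registrations, and flags any DLL that is registered both as a BHO and as a Winlogon Notify handler, which is the pattern wvuusrr.dll and sstts.dll show in the list above. The sample lines are constructed from entries quoted in this thread; the "shared BHO/Winlogon Notify DLL" heuristic is an assumption of this example, not a rule from the forum's READ & RUN ME.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: a subset of the HijackThis lines quoted in the thread above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - (no file)
O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\system32\wvuusrr.dll
O2 - BHO: (no name) - {CB279C33-C2AC-4296-BF11-4D51B54666C7} - C:\WINDOWS\system32\vturs.dll (file missing)
O2 - BHO: (no name) - {CD001D9B-79E5-4934-9B23-F2151702DBCA} - C:\WINDOWS\system32\sstts.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O20 - Winlogon Notify: sstts - C:\WINDOWS\system32\sstts.dll
O20 - Winlogon Notify: wvuusrr - C:\WINDOWS\SYSTEM32\wvuusrr.dll
"""

# Line shapes as HijackThis prints them (only the three sections used here).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")

# Markers HijackThis appends when the registered file is not on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Entry:
    section: str  # "O2", "O4" or "O20"
    name: str     # BHO name, Run value name, or Notify subkey name
    target: str   # DLL path or command line exactly as printed
    raw: str      # the original log line


def parse_hjt(text):
    """Parse O2/O4/O20 lines; lines of other sections are ignored."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        if m := O2_RE.match(raw):
            entries.append(Entry("O2", m["name"], m["target"], raw))
        elif m := O4_RE.match(raw):
            entries.append(Entry("O4", m["name"], m["cmd"], raw))
        elif m := O20_RE.match(raw):
            entries.append(Entry("O20", m["name"], m["target"], raw))
    return entries


def is_orphan(entry):
    """True when HijackThis reports the registered file as absent."""
    return any(marker in entry.target for marker in ORPHAN_MARKERS)


def dll_basename(target):
    """Lower-case file name of a DLL path, with any orphan marker removed."""
    for marker in ORPHAN_MARKERS:
        target = target.replace(marker, "")
    return PureWindowsPath(target.strip()).name.lower()


def shared_dlls(text):
    """DLL names registered both as a BHO (O2) and as a Winlogon Notify handler (O20)."""
    entries = parse_hjt(text)
    bho = {dll_basename(e.target) for e in entries if e.section == "O2" and not is_orphan(e)}
    notify = {dll_basename(e.target) for e in entries if e.section == "O20"}
    return bho & notify


def triage(text):
    """Return (kind, raw_line) pairs; 'review' means no heuristic fired."""
    shared = shared_dlls(text)
    findings = []
    for e in parse_hjt(text):
        if is_orphan(e):
            findings.append(("orphan", e.raw))  # dead registration, nothing loads
        elif e.section in ("O2", "O20") and dll_basename(e.target) in shared:
            findings.append(("bho_and_winlogon_notify", e.raw))  # same DLL in both hooks
        elif e.section == "O2" and e.name == "(no name)":
            findings.append(("nameless_bho", e.raw))  # present on disk but unidentified
        else:
            findings.append(("review", e.raw))
    return findings


if __name__ == "__main__":
    for kind, line in triage(SAMPLE_LOG):
        print(f"{kind:24} {line}")
```

The point of the cross-check is that a Browser Helper Object normally has no business registering a Winlogon Notify handler too; seeing the same DLL name in O2 and O20, as the thread's list does, is what makes an expert fix both lines together, and it is also why Process Explorer is used first to unload the DLL from winlogon.exe before HijackThis tries to remove the registrations.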
     
  11. Sassafras

    Sassafras Private E-2

    Whew. This stuff makes me nervous. lol I'm going to do all that you suggested now (crossing my fingers that I do it right) and get those logs to you or whoever can help me next.

    I appreciate it.
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I will be helping you from this point, once you complete chaslangs previous post attach your new logs and we will go from there.

    Good Luck!:)
     
  13. Sassafras

    Sassafras Private E-2

    I think there's a problem now. Well, a new one.

    I downloaded Process Explorer, ran it. Found and killed wvuusrr.dll and sstts.dll in all but iexplorer.exe, which I saw nowhere on the list. (I went over it at least four times.)

    Exited Process Explorer and ran HijackThis (system scan only). Found all but one of the things I was supposed to fix. (The one I couldn't find was O2 - BHO: (no name) - {CD001D9B-79E5-4934-9B23-F2151702DBCA} - C:\WINDOWS\system32\sstts.dll ).

    I went ahead and fixed all the ones I did find.


    I then downloaded The Avenger, ran it, check "input script manually", etc. Clicked "done", traffic light, restarted my computer.


    When my desktop came up, I got a message box that said:

    C:\WINDOWS\system32\cmd.exe

    Then a smaller one on top of that one that said:

    Windows - No Disk

    Exception Processing Message

    c0000013 Parameters 75b6bf9c 75b6bf9c 4 75b6bf9c 75b6bf9c


    I clicked retry, which didn't work. Clicked Continue, which didn't work. And then clicked Cancel.


    I did also see The Avenger log pop up, but I don't know what it said.


    I haven't run Ccleaner yet. Should I do that now or does something else need to be fixed first?
     
    Last edited: Aug 17, 2007
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just continue on, we will remove what is leftover.
     
  15. Sassafras

    Sassafras Private E-2

    Here are the logs for Avenger, GetRunKey and ShowNew.
     

    Attached Files:

  16. Sassafras

    Sassafras Private E-2

    And here's HijackThis.
     

    Attached Files:

  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    O2 - BHO: (no name) - {44218730-94E0-4b24-BBF0-C3D8B2BCE2C3} - C:\WINDOWS\system32\wlomroek.dll (file missing)
    O2 - BHO: (no name) - {59B76E2E-7F55-4971-A525-C4BACD108C70} - C:\WINDOWS\system32\sstts.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)

    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)

    Again, make sure ALL browser windows are closed when you click FIX.

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    Once you complete this post, reboot and attach a final HJT log. How are things running?
     
  18. Sassafras

    Sassafras Private E-2

    I haven't had any pop-ups since some time yesterday. Looks like things are on their way to getting better.


    Well, I was about to attach my latest HJT log, but there's no "Manage Attachments" button here anymore.
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Close your browser, run ATF-Cleaner and then try again. Be sure you click the button http://forums.majorgeeks.com/images/buttons/reply.gif and post instead of clicking quick reply.
     
  20. Sassafras

    Sassafras Private E-2

    Oh, good. It's back. :)

    So, here's the HJT log.
     

    Attached Files:

  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger, the log (avenger.txt) and C:\avenger.
    8. If we had you download any registry patches like fixme.reg, fixme1.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
    Last edited: Aug 20, 2007
  22. Sassafras

    Sassafras Private E-2

    While looking for all the ComboFix stuff to delete, I came across 158 files (in the C:\WINDOWS folder) called $NtUninstall, each with a different 6-digit number and then another $ at the end. What are these?

    I also came across 123 notepad logs, each starting with KB, then a 6-digit number and then .log. What are these? Should I get rid of these logs and/or the $NtUninstall folders?


    Everything that needed to be deleted (Avenger, etc.) has been deleted. I will now go on to step 8 of Read and Run Me.
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    These are legit, they are part of Windows Updates.

    These are also legit, they are also part of Windows Updates.
     
  24. Sassafras

    Sassafras Private E-2

    That's good to know. It made me nervous when I saw so many. I didn't know what had gotten into my computer this time.


    Step 8 completed. I turned off System Restore, rebooted and then turned System Restore back on.


    Anything else before going on to step 10?
     
  25. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    That should be it!
     
  26. Sassafras

    Sassafras Private E-2

    Thank you and Chas so much for your help!!

    :)
     
  27. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're Welcome!

    Surf Safely!:)
     
  28. Sassafras

    Sassafras Private E-2

    AVG just did a scheduled scan and said I had two viruses. I wasn't expecting that. :(

    I wrote down what it said:

    C:\avenger\backup.zip:\avenger\wlomroek.dll

    Trojan horse BHO.APH

    Infected, Embedded Object, Deleted


    C:\avenger\backup.zip:\avenger\wvuusrr.dll

    Trojan horse Generic6.OJT

    Infected, Embedded Object, Deleted


    C:\avenger\backup.zip

    Moved to vault, Archive

    (Clicked on "Details" and it said "Trojan horse BHO.APH".)


    C:\ProgramFiles\Hijack This\backups\backup-20070817-014106-534.dll

    Deleted

    (Clicked on "Details" and it said "Trojan horse Generic6.OJT".)


    Am I going to have to go through all those steps again?! Ugh.
     
  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Did you follow post #22?

    These detections are backups from what we have cleaned.

    Delete the folders below and you will be fine!

    C:\avenger
    C:\ProgramFiles\Hijack This
     
  30. Sassafras

    Sassafras Private E-2

    Post 22?


    I deleted all I could find of all you told me to delete. I'll look again though and see if I missed anything.


    Okay, I saw a couple that I missed and deleted them. Should I now re-run AVG?
     
  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Delete the two folders I mentioned in post 30.

    Post 22
     
  32. Sassafras

    Sassafras Private E-2

    Done. :)

    Should I re-run AVG?
     
  33. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You can if you like, but it should come back clean if you deleted those folders.
     
  34. Sassafras

    Sassafras Private E-2

    lol Okay, thanks.

    :)
     
  35. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're Welcome!:major
     
