Help needed removing malware - please!

Discussion in 'Malware Help (A Specialist Will Reply)' started by dancook1943@yahoo.com, Oct 22, 2007.

  1. dancook1943@yahoo.com

    dancook1943@yahoo.com Private E-2

    I've followed the directions exactly as stated - I've gotten rid of some of the problems, and decreased the frequency of others.

    Things that are not happening any more:
    >the bogus security alerts
    >endless re-directs to fake "security web pages"
    >the shortcuts to the Online Security Guide and Live Safety Center are no longer good shortcuts - they are still on my desktop, but are now the generic file icons

    Things that are still happening
    >occasional re-directs (new windows suddenly for web pages I did not request)
    >IE privacy settings still changing to accept all cookies from "high" setting
    >every website I go to loads at first, then a banner or ad is replaced with a poorly pixelated banner indicating that something is wrong with my computer and has a "scan" button already outlined.

    I'm attaching all 6 of the log files that were requested.

    I'll be forever in your debt if you can help me!!!
     

    Attached Files:

  2. dancook1943@yahoo.com

    dancook1943@yahoo.com Private E-2

    The other files requested are attached. Thank you so much!
     

    Attached Files:

  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!

    First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.

    Step 1:
    Please look in Add/Remove Programs for the following and uninstall if found. If you get any errors just make a note and proceed.

    Step 2:
    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    Again, make sure ALL browser windows are closed when you click FIX.

    Step 3:
    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Step 4:
    Next, we need to remove a bad service.
    • Now Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to DomainService
    • Then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste DomainService into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Step 5:
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    Step 6: Begin here after rebooting from Step 5!
    Next Reset Web Settings & Default Security Settings

    Note for IE 6 users:
    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK

    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites. For IE 7 users, simply click the "Reset all zones to default level" button.

    Note for IE 7 users:
    Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.


    Step 7:
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    Step 8:
    Before you attach fresh logs, let’s run ComboFix to cleanup any leftovers.
    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Step 9:
    After you have completed ALL of the above in the correct order, please attach the following logs.
    • HijackThis Log
    • ShowNew Log
    • GetRunKey Log
    • Avenger Log
    • ComboFix Log
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
    Last edited: Oct 31, 2007
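Step 4 above removes the DomainService entry through the services.msc GUI and HijackThis. The following PowerShell script is an added example, not from this thread or from the HijackThis or Avenger tools: it does the same stop / disable / delete sequence but first records what the service points at, so the information is preserved for the log review even after the service is gone. It assumes it is run from an elevated PowerShell prompt on Windows, that `sc.exe` is present (it is built in), and the report path `C:\service-removal.txt` is a placeholder of my choosing; the service name `DomainService` is the one named in the instructions.

```powershell
# Added example (not code from the MajorGeeks thread): an auditable version of Step 4.
# Records the service's image path and start type, then stops, disables and deletes it.
# Assumptions: elevated PowerShell on Windows; 'sc.exe' available; report path is a placeholder.

param(
    [string]$ServiceName = 'DomainService',                    # service name from the thread's Step 4
    [string]$ReportPath  = "$env:SystemDrive\service-removal.txt"  # placeholder location for the report
)

$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$lines   = @("=== $ServiceName removal, $(Get-Date -Format s) ===")

$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    $lines += "Service '$ServiceName' not found; nothing to do."
} else {
    # Triage first: note which binary the service launches and how it is set to start.
    $props = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    $lines += "Status     : $($svc.Status)"
    $lines += "ImagePath  : $($props.ImagePath)"
    $lines += "Start type : $($props.Start)"   # registry value: 2=Automatic, 3=Manual, 4=Disabled

    # Same order as the thread: stop it, set Startup Type to Disabled, then delete it.
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
        $lines += "Stop requested; status now: $((Get-Service -Name $ServiceName).Status)"
    }
    Set-Service -Name $ServiceName -StartupType Disabled -ErrorAction SilentlyContinue
    $lines += "Startup type set to Disabled."

    # HijackThis's 'Delete an NT Service' removes the service definition; 'sc delete' does the same.
    $out = & sc.exe delete $ServiceName 2>&1
    $lines += "sc delete output: $out"
}

# Keep a copy of what was found and done, then echo it for the person running it.
$lines | Out-File -FilePath $ReportPath -Append -Encoding ascii
$lines | ForEach-Object { Write-Host $_ }
```

If the service still holds open handles when `sc delete` runs, Windows marks it for deletion and removes it on the next reboot, which matches the thread's instruction to reboot after the Avenger step rather than immediately. The ImagePath recorded in the report is the value worth keeping: it tells you which file on disk the service was launching, which is what the later Avenger script and the log review are meant to confirm as removed.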
  4. dancook1943@yahoo.com

    dancook1943@yahoo.com Private E-2

    I followed the steps exactly as stated - actually, 3 times now, because the avenger.txt log keeps disappearing from C://. Each time I do that step, I check to make sure that the log is there, and then when I get to the end of the steps, while I'm making sure I have all the logs you've requested, that one is missing!

    In any event, here are the issues I'm still having:

    >bogus security alerts from systray
    >bogus security alert pop-ups asking me to download some anti-spyware software
    >Online Security Guide and Live Safety Center shortcuts on desktop

    the good news is that I don't appear to be re-directed anymore, and my computer seems to be operating faster now.

    I'm attaching the logs as requested (except for the Avenger log, of course).

    Thank you so much for your help so far - please advise on next steps!
     

    Attached Files:

  5. dancook1943@yahoo.com

    dancook1943@yahoo.com Private E-2

    And here is the Hijackthis log...

    Thanks!
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I need to see the Avenger log simply because I need to see the entries were in fact removed.

    It should be located at C:\avenger.txt.
     
  7. dancook1943@yahoo.com

    dancook1943@yahoo.com Private E-2

    Well, I re-ran Avenger using the quoted script from your post so you'll have an avenger log - but I'm not sure if it's helpful or not since it's not in the order that you asked for.

    I'm confused as to why the file would appear in C:\ right after I run it, but then disappear at some point?

    Anyway, my problems don't seem to be happening anymore - although McAfee and Comodo BOC keep "removing" WinFixer, and the McAfee alerts tend to be confusing for a novice like me - but the shortcut icons are gone and are not reappearing, I'm not getting the bogus alerts anymore, and everything seems normal again. I would love some confirmation of that, though!

    Because I was nervous, I've run both A2 and Spybot a couple of times and they found some cookies and some "Traces" of something "medium risk," but nothing that seems too onerous (especially the cookies).

    Thank you for your help so far!:):D
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's get fresh logs from ShowNew, GetRunKey & HijackThis.
     
  9. dancook1943@yahoo.com

    dancook1943@yahoo.com Private E-2

    Attached - thanks!
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before you begin these instructions, be sure you shut down McAfee and any other antivirus/antispy program you have running.

    Step 1:
    Scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    Again, make sure ALL browser windows are closed when you click FIX.

    Step 2:
    Next, we need to run Avenger once more, just like you did before.
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Step 3:
    After your system has rebooted and loaded from the previous step, start by downloading, installing and running CCleaner.

    Running this will cleanup any leftover junk files in your system.

    Step 4:
    After you have completed ALL of the above in the correct order, please attach the following logs.
    • HijackThis Log
    • ShowNew Log
    • GetRunKey Log
    • Avenger Log
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  11. dancook1943@yahoo.com

    dancook1943@yahoo.com Private E-2

    Followed the instructions exactly - attached are the logs!

    No issues with the process - and even things like accessing "My Computer" are taking much less time than before, and I don't have any visible issues with performance or anything weird happening anymore.

    Thank god there are people like you out there - I want to put you on my Christmas card list!
     

    Attached Files:

  12. dancook1943@yahoo.com

    dancook1943@yahoo.com Private E-2

    And - the runkeys log!
     

    Attached Files:

  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    We need to run Avenger once more, just like you did before.
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    Once completed, attach a fresh ShowNew & GetRunKey Log.
     
  14. dancook1943@yahoo.com

    dancook1943@yahoo.com Private E-2

    Done! Also attaching the avenger log. I'm assuming you know this, but I haven't been able to access the forums since early yesterday morning - I keep getting a notification page from, I think, the hosting service for the site.

    Anyway, here are the logs! Thanks!
     

    Attached Files:

  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  16. dancook1943@yahoo.com

    dancook1943@yahoo.com Private E-2

    AVG would not produce a report! I followed the directions exactly as they were written in the guide - I'm attaching a .doc with screenshots to show you what I saw. It found just a WebTrends tracking cookie.

    Sophos also found nothing - attaching that log as well!

    I'm going to run AVG again to see if it will produce a report, and I'll respond back with those results.

    OK - the screenshots were too large to upload - but, basically, they showed the settings page with the settings exactly as the guide instructed and the reports tab where it said "No Reports Available."

    Thank you very much for your help!
     

    Attached Files:

  17. dancook1943@yahoo.com

    dancook1943@yahoo.com Private E-2

    OK, now AVG produced a report - but it was nothing found. Attaching.
     

    Attached Files:

  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  19. dancook1943@yahoo.com

    dancook1943@yahoo.com Private E-2

    SilentRunners never prompted me that it was all done? I gave it an hour...

    In any event, here are the logs (this post and the next).

    Thanks!
     

    Attached Files:

  20. dancook1943@yahoo.com

    dancook1943@yahoo.com Private E-2

    ShowNew and RunKeys logs...
     

    Attached Files:

  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Everything looks good, are you having any current malware problems?
     
  22. dancook1943@yahoo.com

    dancook1943@yahoo.com Private E-2

    Nothing that's visible to me - no more performance issues or strange things happening that were so apparent when I started the thread.

    Thank you so much! Should I toggle System Restore at this point?
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes! Also, if you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger, the log (avenger.txt) and C:\avenger.
    8. If we had you download any registry patches like fixme.reg, fixme1.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work through the below link:
     
