Godzilla Worm and possibly others

Discussion in 'Malware Help (A Specialist Will Reply)' started by jellobean, Jan 30, 2008.

  1. jellobean

    jellobean Private E-2

    I have determined that I have the Godzilla worm and possibly other malware/viruses; however, I am having difficulty running (or updating the virus definitions for) most of the spyware/malware programs.

    I think I obtained whatever I have because I did not promptly update my ZoneAlarm firewall last month. (That's how I usually end up picking things up.) I noticed the problem shortly before Christmas, but haven't used the computer much (managed to limp along the few times I did using safe mode and some ad-aware se cleanings with old definitions). I finally have some time to deal with this and a need to get my computer running well for the new semester.

    I apologize, but due to the problems, I can't run most of the cleaner programs you requested at this time. I've run ad-aware se (with 2-year-old virus definitions -- from the last time I had major problems -- when I try to update them I get an error). I tried to use AVG, but apparently I don't have it currently installed and it won't allow me to install it in safe mode. I ran CCleaner on all accounts. I can't access majorgeeks.com from the infected computer even in safe mode, so I can't download some of the other programs.

    When I checked the Add/Remove Programs, I saw nProtect KeyCrypt, but I don't know if this is a bad program or not because I have features for Korean websites installed. I did a search on it but I'm still unsure if this is a real program or malware.

    Ad-aware keeps coming up with 2 registry keys that seem to replace themselves when I restart in regular mode (but not in safe mode) even after I have already removed them. They are:
    HKEY_CLASSES_ROOT:iehlprobj.iehlprobj
    HKEY_CLASSES_ROOT:iehlprobj.iehlprobj.1

    I also get a pop-up that says "Validation failed for C:\WINDOWS\system32\ZoneLabs\UpdClient.exe"


    Here is what has been happening currently (some runs of adware and other things fix stuff temporarily, but it always returns):

    When I open my computer in regular mode, none of my desktop icons appear and my mouse isn't usually working. I can, however, use task manager, but I can't get my computer to access the internet.

    When I open the computer in safe mode with networking, I can access the internet using Mozilla, but can't access any anti-virus or anti-malware sites (or this site). I'm using an uninfected computer to post and check out information on my problems.

    I tried to use some posted instructions from another site (see below) to fix the Godzilla virus, but I can't find the process wscript.exe or the file MS32dll.vbs.


    **********************
    How to remove "Hacked by Godzilla - MS32DLL.dll.vbs" (VBS.Zodgila) worm?
    Open Task Manager (right click on your taskbar and click "Task Manager").
    Click on the Processes tab, select "wscript.exe" and click the "End Process" button. (Remember to remove all wscript.exe processes.)
    Go to My Computer, click on Tools -> Folder Options, click on the View tab.
    Under Advanced settings,
    check "Show hidden files and folders",
    uncheck "Hide extensions for known file types",
    uncheck "Hide protected operating system files (Recommended)"
    and click the "OK" button.
    Go to C:\WINDOWS or C:\WINNT and delete the file MS32DLL.dll.vbs.
    Now go to all the drives in your computer, including your USB drive and floppy disk, and delete autorun.inf and MS32DLL.dll.vbs. All the autorun.inf and MS32DLL.dll.vbs files are located at the root directory of each drive, e.g. c:\MS32DLL.dll.vbs, d:\MS32DLL.dll.vbs ...

    To access your drive, go to My Computer, right click on the drive and select "Explore".

    Next we are going to clean your registry. Click Start -> Run, type regedit.
    Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete MS32DLL (right click on it and select Delete).
    Now we are going to disable CD Autorun. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom, look for Autorun, double click on it and enter 0 as its DWORD value.

    You can skip this step if you do not wish to disable the CD Autorun feature. But the Hacked By Godzilla worm spreads when CD Autorun is ON.

    Go to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main and delete "Window Title", which has the value "Hacked by Godzilla".
    Now go back to My Computer, click on Tools -> Folder Options, click on the View tab.
    Under Advanced settings,
    uncheck "Show hidden files and folders",
    check "Hide extensions for known file types",
    check "Hide protected operating system files (Recommended)"
    and click the "OK" button.
    Empty your Recycle Bin.
    Restart your PC and your PC should be clean from Hacked by Godzilla now.
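    A read-only audit of the indicators the removal write-up above walks through (wscript.exe, the dropped .vbs, autorun.inf at drive roots, the Run key, the IE window title and the Cdrom Autorun value), added here as an example in PowerShell; it is not code from the thread or from the write-up's source. It assumes Windows PowerShell 3 or later and only reports; it changes nothing.

```powershell
# Added example (not from the thread): report-only check for the "Hacked by Godzilla"
# (VBS.Zodgila) indicators listed in the removal write-up. Nothing is deleted or edited,
# so the output can be reviewed before any cleanup step is taken.

$findings = @()

# 1. Windows Script Host interpreters currently running (the worm runs as wscript.exe)
Get-Process -Name wscript -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Process: wscript.exe (PID $($_.Id)) path=$($_.Path)"
}

# 2. The dropped script in the Windows directory (C:\WINDOWS or C:\WINNT)
$winCopy = Join-Path $env:windir 'MS32DLL.dll.vbs'
if (Test-Path -LiteralPath $winCopy) { $findings += "File: $winCopy" }

# 3. Copies at the root of every drive, removable media included, plus autorun.inf
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    foreach ($name in 'MS32DLL.dll.vbs', 'autorun.inf') {
        $p = Join-Path $_.Root $name
        if (Test-Path -LiteralPath $p) {
            $findings += "File: $p"
            if ($name -eq 'autorun.inf') {
                # Show what the autorun.inf would launch; an entry pointing at a .vbs is the tell
                $launch = Get-Content -LiteralPath $p -ErrorAction SilentlyContinue |
                    Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' }
                if ($launch) { $findings += "   autorun.inf launches: $($launch -join '; ')" }
            }
        }
    }
}

# 4. Persistence through the HKLM Run key value named MS32DLL
$run = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['MS32DLL']) {
    $findings += "Registry: HKLM\...\CurrentVersion\Run\MS32DLL = $($run.MS32DLL)"
}

# 5. The defaced Internet Explorer window title
$ieMain = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ieMain -and $ieMain.'Window Title' -like '*Godzilla*') {
    $findings += "Registry: HKCU\...\Internet Explorer\Main\Window Title = '$($ieMain.'Window Title')'"
}

# 6. CD autorun still enabled (the spreading vector the write-up disables by setting 0)
$cdrom = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Cdrom' -ErrorAction SilentlyContinue
if (-not $cdrom -or $cdrom.Autorun -ne 0) {
    $findings += "Config: HKLM\...\Services\Cdrom\Autorun is not 0, so CD autorun is enabled"
}

if ($findings.Count -eq 0) {
    'No Godzilla indicators found.'
} else {
    'Godzilla indicators found:'
    $findings | ForEach-Object { "  $_" }
}
```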
     
  2. abri

    abri MajorGeek

    Hi jellobean!
    Welcome to Major Geeks!

    Please download the following to a transferable medium (cd, diskette or flashdrive) and see if you can install and run it in either safe or normal mode:

    Also, please try downloading the MGTools which you can find by going to the READ & RUN ME FIRST and scrolling down to the bottom of the page. Select the instructions for your operating system and find the link for the MGTools on the next page. Try to get these installed into the drive where your operating system is loaded and then run them as per the instructions. These may be possible, because they do not require any updates.

    abri
     
  3. jellobean

    jellobean Private E-2

    I managed to run the ComboFix but couldn't get the MGTools downloaded before the browser stopped working. I'm still having the browser and connection issues, but running CCleaner and Ad-Aware (old definitions) will give me 5-10min of internet connection after a few restart attempts. I still end up back with problems after about 5-10 min.

    Here is the ComboFix log:
     

    Attached Files:

    Last edited by a moderator: Feb 11, 2008
  4. abri

    abri MajorGeek

    Hi jellobean,

    1) Do you know what the following .exe file belongs to? Do not run it.

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ensb]
    c:\winnt\ensb.exe


    2) Look for autorun.inf directly under C:\ in your root drive. If you find it, please delete it.


    3) Next copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    4) If possible, please download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    5) Whether or not you are able to complete the above, please run CCleaner in the default setting with the Windows tab on top.

    6) See if you can download and install the MGTools which are found in the 2nd part of the READ & RUN ME which is on the page specific to your operating system. If so, follow the instructions for producing a log.

    7) Let me know what you are able to achieve of the above and if the registry patch (REGEDIT4) was successful. If you are able to get any further and have logs to post, please post them as well.

    abri
     
  5. jellobean

    jellobean Private E-2

    I'm still having trouble with my internet access so I'm going to post what I have while it's working. I have MGtools downloaded but haven't had a chance to run it yet because I hadn't copied the run directions into a word file before I lost internet access the last time.

    From your most recent requests:

    1) Do you know what the following .exe file belongs to? Do not run it.

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ensb]
    c:\winnt\ensb.exe

    No I don't know what this belongs to.


    2) Look for autorun.inf directly under C:\ in your root drive. If you find it, please delete it.

    I couldn't find this file.


    3) Next copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    I think this succeeded.

    4) If possible, please download The Avenger by Swandog46, and save it to your Desktop.

    I managed to download and run this. Log at the bottom.

    5) Whether or not you are able to complete the above, please run CCleaner in the default setting with the Windows tab on top.

    Done.

    6) See if you can download and install the MGTools which are found in the 2nd part of the READ & RUN ME which is on the page specific to your operating system. If so, follow the instructions for producing a log.

    Have downloaded. Still working on this. Will post again if I finish and can access the internet.

    7) Let me know what you are able to achieve of the above and if the registry patch (REGEDIT4) was successful. If you are able to get any further and have logs to post, please post them as well.

    Avenger Log:




    Thanks for the help. Sorry for the delay, I was traveling over the weekend.
     

    Attached Files:

    Last edited by a moderator: Feb 11, 2008
  6. jellobean

    jellobean Private E-2

    I managed to run the MGtools and have attached the logs to this post.

    Other logs in previous post.
     

    Attached Files:

  7. abri

    abri MajorGeek

    Hi jellobean!

    1) First go to start> control panel> administrative tools> services> scroll down to " npkcsvc - INCA Internet Co., Ltd." may be named "(INCA Internet Co., Ltd) " and double click it. Click the blue drop down arrow to the far right of "startup type"> click disable> apply> ok.

    Exit administrative tools.

    2) Next run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 80.225.251.61:80
    O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\ieso1.dll
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe


    Do the following belong to programs you know or want to keep? If not, please fix them as well.

    O16 - DPF: {1A29905C-C082-11D4-9376-00AA00BFFB71} (checkVerX Control) - http://download.hts.nefficient.co.kr/hts/wcom/cab/checkVer.cab
    O16 - DPF: {2B3CC8B1-EC8B-4BFE-B9ED-3460E383292E} - http://63.105.207.150/oneclick/webmail/NetpiaPIIPOCX.ocx
    O16 - DPF: {C32F17F5-1702-4179-B6BF-99D0C4D340E1} - http://plugin.netpia.com/oneclick/webmail/NetpiaPIIPOCX.ocx
    O16 - DPF: {CF392830-663F-11D5-89EE-000086551DF6} (PS_NTSATL Class) - http://download.hts.nefficient.co.kr/hts/wcom/cab/efile_crypto.cab
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://update.nprotect.net/keycrypt/nts/npkcx_nts.cab
    O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/Release/Congnamul/CongnamulMap_V17.cab

    3) Download and install Erunt. Use it to create a backup of your registry.

    4) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    5) Go to add/remove programs and uninstall the below:

    J2SE Runtime Environment 5.0 Update 2
    Java 2 Runtime Environment, SE v1.4.2_03
    Java 2 Runtime Environment, SE v1.4.2_05
    Java 2 SDK, SE v1.4.2_03 <------ go to Sun's website for the newest version of SDK
    Java(TM) SE Runtime Environment 6 Update 1
    Viewpoint Media Player


    6) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run
    Disable/Remove Windows Messenger


    7) Now Reboot your computer after uninstalling the above.

    8) Install the current version of Sun Java from: Sun Java Runtime Environment

    9) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates.
    Also, let me know if the REGEDIT patch gives you a success message.


    Let me know how things are running now?

    abri
     
  8. jellobean

    jellobean Private E-2

    1) First go to start> control panel> administrative tools> services> scroll down to " npkcsvc - INCA Internet Co., Ltd." may be named "(INCA Internet Co., Ltd) " and double click it. Click the blue drop down arrow to the far right of "startup type"> click disable> apply> ok.

    Completed

    2) Next run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 80.225.251.61:80
    O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\ieso1.dll
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe

    Fixed

    Do the following belong to programs you know or want to keep? If not, please fix them as well.

    O16 - DPF: {1A29905C-C082-11D4-9376-00AA00BFFB71} (checkVerX Control) - http://download.hts.nefficient.co.kr...b/checkVer.cab
    Not sure what this is, but since it is Korean it may be something I use, since I do have some security stuff installed for Korean banking and these are .co.kr sites.
    O16 - DPF: {2B3CC8B1-EC8B-4BFE-B9ED-3460E383292E} - http://63.105.207.150/oneclick/webma...piaPIIPOCX.ocx
    Fixed
    O16 - DPF: {C32F17F5-1702-4179-B6BF-99D0C4D340E1} - http://plugin.netpia.com/oneclick/we...piaPIIPOCX.ocx
    Fixed
    O16 - DPF: {CF392830-663F-11D5-89EE-000086551DF6} (PS_NTSATL Class) - http://download.hts.nefficient.co.kr...ile_crypto.cab
    Again, not sure based on the .co.kr extension
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://update.nprotect.net/keycrypt/nts/npkcx_nts.cab
    I can't remember if I got rid of this or not. I'm still trying to figure out what nprotect is.
    O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/Rel...mulMap_V17.cab
    This is the ActiveX control for my bus map website. This is definitely a legitimate program.

    3) Download and install Erunt. Use it to create a backup of your registry.

    Done

    4) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Done. Received Success Message

    5) Go to add/remove programs and uninstall the below:

    Done

    6) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run
    Disable/Remove Windows Messenger

    Disabled

    8) Install the current version of Sun Java from: Sun Java Runtime Environment

    Completed

    9) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates.
    Also, let me know if the REGEDIT patch gives you a success message.

    Attached


    Let me know how things are running now?
    As of yesterday's fixes the computer was running okay, much better than when I started. I am still having two major issues.

    1. I still have an issue where my desktop icons and the windows tool bar do not load. When that happens I still have most functionality but must use the task manager to access and run everything. This happens about half the time when I restart the computer.

    2. I still have an issue with internet connectivity. Often I cannot access the internet. Restarts will sometimes change this. It usually occurs with problem #1, but also occurs when desktop icons do appear.

    There is something that is still causing IE to try and access the internet of its own accord. Zone Alarm gives me warnings and I deny it, but something must be causing it. I use Mozilla as my default browser.

    I'm also getting a message:
    Validation failed for C:\WINDOWS\system32\ZoneLabs\UpdClient.exe
    although I am not sure if it is affecting anything.

    I think I remember seeing some message at some point about a program named iexplore and thought it might be connected to my missing desktop icon problem.

    Thanks so much for all your help. You have probably helped me to salvage at least another 6 months out of this computer already. I'm hoping to get this all straightened out before my new semester starts in March, and it's looking like your help will allow that to happen.
     

    Attached Files:

  9. abri

    abri MajorGeek

    Hi jellobean,
    nProtect is Norton's. You have one Norton's program in add/remove programs:

    nProtect KeyCrypt

    Is this something you're using or have used in the past?

    Are you also using Kaspersky? Fidbox is a Kaspersky file name.

    You have a lot of temporary files which are all the same size and I'm wondering where they're coming from. Could you find
    C:\WINDOWS\Temp\ace61.tmp if it's still there and upload it as a zip file here?
    abri
     
  10. jellobean

    jellobean Private E-2

    I had Norton's on the machine in the past but never used it. I'm going to remove this program since it seems to be a remnant.

    I'm not using Kaspersky. How should I remove that file?

    I looked for the file but could not find it (even after showing hidden files), however, when I ran CCleaner it said that it removed a file by that name from that folder.

    I'm still having serious internet access problems. It took about 10 restarts, including a few in safe mode, before I got it working today. The problem a few times was that I got a connection but it was so slow it wouldn't load anything.
     
  11. abri

    abri MajorGeek

    Hi jellobean,
    Did you miss my last question in post 9? You have a lot of files in your temp folder under WINDOWS. They are all the same size and indicate there's still malware.

    Please run CCleaner at the default setting with the Windows tab as the one on top.

    Then run Combofix again and get a fresh set of MGlogs by double-clicking on C:\MGTools\GetLogs.bat. Attach the Combofix and MGlogs here with your next post.

    abri
     
  12. jellobean

    jellobean Private E-2

    Did you miss my last question in post 9? You have a lot of files in your temp folder under WINDOWS. They are all the same size and indicate there's still malware.

    Those were the files I looked for and could not find but showed up on the CCleaner run after I looked for them.

    Please run CCleaner at the default setting with the Windows tab as the one on top.

    Done.

    Then run Combofix again and get a fresh set of MGlogs by double-clicking on C:\MGTools\GetLogs.bat. Attach the Combofix and MGlogs here with your next post.

    See below and attached.

    ****************************************
    This is the log that popped up after running ComboFix but it wasn't named the same.
     

    Attached Files:

    Last edited by a moderator: Feb 11, 2008
  13. abri

    abri MajorGeek

    Hi jellobean,

    Please run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"


    Do the following belong to programs you know or want to keep? If not, please fix them as well.

    O4 - S-1-5-21-3779935395-2221179514-3766738458-1006 Startup: MoonPhase.lnk = C:\Program Files\Moon\moon.exe (User '?')
    O4 - Startup: MoonPhase.lnk = C:\Program Files\Moon\moon.exe
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://update.nprotect.net/keycrypt/nts/npkcx_nts.cab
    O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/Release/Congnamul/CongnamulMap_V17.cab

    After you click fix, just close hijackthis.



    Something in your computer is creating the below tmp files and it's not clear what.


    C:\WINDOWS\Temp\
    dtfca.tmp Feb 7 2008 176128 "dtfCA.tmp"
    ldfcd.tmp Feb 7 2008 176128 "ldfCD.tmp"
    qffcb.tmp Feb 7 2008 176128 "qffCB.tmp"
    srfcc.tmp Feb 7 2008 176128 "srfCC.tmp"

    C:\Documents and Settings\Cassidy\Local Settings\Temp\
    chc12.tmp Feb 7 2008 176128 "chc12.tmp"
    lga4.tmp Feb 6 2008 176128 "lga4.tmp"
    uecc4.tmp Feb 7 2008 176128 "uecC4.tmp"

    You will delete any of these except those from the current date by simply running CCleaner at the default setting with the Windows tab as the one on top. Please do this now.

    Then I would like to have you run some rootkit scans and I may also have you do one or two online antivirus scans as well, but I want to first see if the rootkit scans turn up anything. Attach the results with your next post.
    Thanks.
    abri
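    The same-size heuristic abri is applying above (seven .tmp files of exactly 176128 bytes under two temp folders), as an added PowerShell example that is not the thread's own tool: it lists temp files that share one exact byte length and checks whether the same-sized files also share a SHA-256 hash. It assumes PowerShell 4 or later for Get-FileHash; the reporting threshold of three files is an assumption.

```powershell
# Added example (not from the thread): find temp files that share an identical size,
# the pattern abri noticed in the logs. Report only; nothing is deleted.
# Requires PowerShell 4+ for Get-FileHash.

$minGroup = 3   # assumption: report a size once at least this many files share it

# The two temp folders named in the thread: the system temp and the user's own temp
$tempDirs = @((Join-Path $env:windir 'Temp'), $env:TEMP) | Select-Object -Unique

$files = foreach ($dir in $tempDirs) {
    if (Test-Path -LiteralPath $dir) {
        # -Force includes hidden files; in the thread only CCleaner saw these files
        Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue
    }
}

$groups = $files | Group-Object -Property Length | Where-Object { $_.Count -ge $minGroup }

if (-not $groups) {
    "No group of $minGroup or more same-sized files in: $($tempDirs -join ', ')"
    return
}

foreach ($g in $groups | Sort-Object -Property Count -Descending) {
    "{0} files of {1} bytes:" -f $g.Count, $g.Name
    foreach ($f in $g.Group | Sort-Object -Property LastWriteTime) {
        # A few letters, one or two hex digits and .tmp is the naming pattern seen in the thread
        $hint = if ($f.Name -match '^[a-z]{2,5}[0-9a-f]{1,2}\.tmp$') { 'random-looking name' } else { '' }
        "  {0:yyyy-MM-dd HH:mm}  {1}  {2}" -f $f.LastWriteTime, $f.FullName, $hint
    }
    # Same size and the same SHA-256 means one payload written out under several names
    $g.Group | Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
        Group-Object -Property Hash |
        ForEach-Object { "  SHA256 {0} shared by {1} file(s)" -f $_.Name, $_.Count }
}
```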
     
  14. jellobean

    jellobean Private E-2

    Do the following belong to programs you know or want to keep? If not, please fix them as well.

    O4 - S-1-5-21-3779935395-2221179514-3766738458-1006 Startup: MoonPhase.lnk = C:\Program Files\Moon\moon.exe (User '?')
    O4 - Startup: MoonPhase.lnk = C:\Program Files\Moon\moon.exe
    The two above belong to a moon phase program I use.
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://update.nprotect.net/keycrypt/nts/npkcx_nts.cab
    Fixed
    O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/Rel...mulMap_V17.cab
    This belongs to the Seoul Bus Map site that I use.

    You will delete any of these except those from the current date by simply running CCleaner at the default setting with the Windows tab as the one on top. Please do this now.
    Done.

    Then I would like to have you run some rootkit scans and I may also have you do one or two online antivirus scans as well, but I want to first see if the rootkit scans turn up anything.

    * AVG Anti-Rootkit (Vista)
    No problems found.
    * BitDefender RootkitUncover
    No problems found.
    * Rootkit Revealer
    See bottom of message.
    * Sophos Anti-Rootkit - see Using Sophos Anti-Rootkit
    See bottom of message.
    * Trend Micro RootkitBuster (Vista)
    See bottom of message. No problems found.

    Some other information on problems I've had in the last few days and scans I finally got to run today.

    A problem I had yesterday involved my system clock. ZoneTick (multi-time zone clock program) had become corrupted so I removed it. When I tried to reinstall it, it stated something about not being able to hook the system clock or something similar. Perhaps this is related to my problems.

    I'm also still getting that Validation failed box from my Zone Alarm. I'm not sure if that might be related.

    I had previously had Spybot S&D downloaded but it stated that it had been corrupted so I removed it. I finally managed to download it again, but when I tried to run it, I had some problems. I guess the teatimer installed and I got the following message:

    Spybot-Search & Destroy has detected an important registry entry that has been changed
    Category: User-specific browser toolbar
    Change: Value added
    Entry: {EFA2E64-B078-11D0-89E4-00C04FC9E26E}

    After the box popped up, Internet Explorer immediately attempted to access the internet, which I did not allow.

    I also denied the change in the Spybot popup window.

    I think there is something inside my internet explorer because it is always trying to access the internet without me opening the program (I only use it to access one or two Korean sites that don't work in Mozilla and I haven't done this at all recently).

    About 10 minutes later I got the same Spybot message with just one difference:
    Entry: {C4EE31F34768-11D2-BE5C-00A0C9A83DA1}

    I again denied the change.

    Also, a program iexplore.exe keeps showing up in my task manager processes. I always end it when I see it, and I think it may be connected to the same problem because one of the programs you have had me run noted it and said it was a problem.

    I used CCleaner to try and clean out my Startup. After eliminating the programs I knew I didn't want/need I was left with the following that I wasn't sure whether I needed to leave there:

    Startup Common Camio Viewer 2000.lnk C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe

    Startup Common hppsc 2000 series.lnk C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

    Startup Common hpoddt01.exe.lnk C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

    Startup Common Microsoft Office.lnk C:\Program Files\Microsoft Office\Office\OSA9.EXE

    Startup Common Microsoft Works Calendar Reminders.lnk C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe


    Later, I finally got Spybot S&D to run and these are the programs it found. The program froze/crashed while I was trying to fix the problems and I didn't have time to run it again:
    AdRevolver
    DoubleClick
    MediaPlex
    Pinfi.Parite

    I also managed to download and run AVG Anti-Spyware. It found the following problems:
    Adware.HiWire
    Adware.Generic
    Trojan.OnLineGames.kxn
    Worm.Solow.a
    TrackingCookie.Tribalfusion
    TrackingCookie.Atdmt
    TrackingCookie.Doubleclick
    TrackingCookie.Yieldmanager
    TrackingCookie.Mediaplex
    TrackingCookie.Advertising
    TrackingCookie.Adrevolver
    Adware.LookMe

    The program had them all listed for Ignore Once action, but I'm not sure why. I wasn't sure whether to quarantine or delete them. I chose to delete them.

    Here is the report:

    ATTACHED NOW - by chaslang


    Here is one rootkit report

    +----------------------------------------------------
    | Trend Micro RootkitBuster 1.6 Beta.
    | Module version: 1.6.0.1052
    +----------------------------------------------------


    --== Dump Hidden File on C:\ ==--
    No hidden files found.

    --== Dump Hidden Registry Value on HKLM ==--
    No hidden registry entries found.


    --== Dump Hidden Process ==--
    No hidden processes found.

    --== Dump Hidden Driver ==--
    No hidden drivers found.

    Here is the other rootkit report. As you can tell from the log, I ran this multiple times but never got a completely successful run.

    ATTACHED NOW - by chaslang

    Here is the other rootkit log.

    ATTACHED NOW - by chaslang
     

    Attached Files:

    Last edited by a moderator: Feb 11, 2008
  15. abri

    abri MajorGeek

    Hi jellobean,
    Please go to Alternate Scans again, only this time try running the BitDefender online scan. Have it fix anything it finds. This scan can only be run with Internet Explorer. If you don't want to use internet explorer, there's at least one scan that runs with Firefox, but BitDefender would be worth running.

    Thanks for the thorough work.
    abri
     
    Last edited by a moderator: Feb 11, 2008
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please remember that ALL logs need to be attachments. I went back thru this thread and attached a bunch of logs that were inline.



    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    Driver::
    dtfCA
    ldfCD
    qffCB
    srfCC
    chc12
    lga4
    uecC4
     
    File::
    C:\WINDOWS\Temp\dtfCA.tmp
    C:\WINDOWS\Temp\ldfCD.tmp
    C:\WINDOWS\Temp\qffCB.tmp
    C:\WINDOWS\Temp\srfCC.tmp
    C:\Documents and Settings\Cassidy\Local Settings\Temp\chc12.tmp
    C:\Documents and Settings\Cassidy\Local Settings\Temp\lga4.tmp
    C:\Documents and Settings\Cassidy\Local Settings\Temp\uecC4.tmp
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  17. jellobean

    jellobean Private E-2

    Sorry, but I am getting really confused. Last time I looked at this thread, the message was different and from abri. I followed those directions and came back to post the results and suddenly the message is different with different instructions. I'm just going to post the logs that were requested and then you can let me know what still applies from your message and why my messages are suddenly appearing and disappearing and changing. Thanks.
     

    Attached Files:

  18. abri

    abri MajorGeek

    Sorry Jellobean,

    I asked Chas to look at your thread and we were talking about it. I still have those instructions so I'll take a look at what you've posted here and then see if it would be a good idea to simply continue with those from Chas. It's not quite clear where these tmp files are coming from but generally drivers that don't belong on your system can be behind malware so that's why Chas wants you to delete the drivers.

    Okay, what I can see already is that BitDefender got rid of a whole lot, but at the very end of the scan, those tmp files are still showing. Please go ahead with Chas's instructions and we'll see if that will get rid of that one piece of malware which seems to be particularly stubborn.


    abri
     
    Last edited: Feb 12, 2008
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually those instructions will not help now because the symptoms/filename has changed.

    Also, did you note that the Win32.Parite.B infection has infected ZoneAlarm and it could not be fixed? (This may be the reason for the validation error.) There may be other files like this too, since this will infect every PE (EXEs, DLLs, etc.) and SCR file on every drive and network share of the computer.
    ZoneAlarm should be uninstalled immediately and then the NEW instructions below can be run. But any reboot may have already changed the file names or added new ones.

    Why is Spybot's Teatimer still running? Please disable Teatimer as requested in the READ ME: How to disable Spybot's TeaTimer

    Also you should not have both Spybot 1.4 and Spybot 1.5 installed. I suggest that you uninstall the old version now.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    Driver::
    bpcE
     
     
    File::
    C:\WINDOWS\Temp\bpcE.tmp
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner!

    Now I suggest that you re-run the same BitDefender Online Scan and save a new log.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • new BitDefender Log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Feb 20, 2008
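Chaslang's point above is that a file infector like this rewrites every PE file (EXE, DLL, SCR) it can reach, including on network shares, so a responder wants a way to tell which executables have changed rather than trusting any one scanner's verdict. The following Python is an added example, not from this thread, MajorGeeks, ComboFix or any of the tools mentioned; it takes a baseline fingerprint of PE files (SHA-256 plus the section table parsed straight from the headers), then compares the current state against it. Files whose bytes changed, gained a section, or whose last section became both writable and executable are flagged; that last test is a generic heuristic for appended infector code, not a signature for Parite specifically. `build_pe` only constructs a minimal synthetic PE so the example runs offline; it is not a real binary.

```python
"""Baseline-and-compare integrity check for PE files (EXE/DLL/SCR/...).
Added example, not code from the thread or its tools. Take the baseline
from known-good media or a clean machine, never from the suspect PC itself.
"""
import hashlib
import os
import struct

PE_EXTENSIONS = {".exe", ".dll", ".scr", ".ocx", ".sys", ".cpl"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe_sections(data):
    """Return [(name, virtual_size, raw_size, characteristics)] or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_optional = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_optional  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            return None  # truncated section table: not parseable
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, _vaddr, rsize, _rptr = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, vsize, rsize, chars))
    return sections


def fingerprint(data):
    """Hash plus section summary for one file; None if it is not a PE file."""
    sections = parse_pe_sections(data)
    if sections is None:
        return None
    last_chars = sections[-1][3] if sections else 0
    # Heuristic: an appended, self-modifying code section is usually RWX.
    rwx_tail = bool(last_chars & IMAGE_SCN_MEM_EXECUTE) and bool(last_chars & IMAGE_SCN_MEM_WRITE)
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "sections": [s[0] for s in sections],
            "rwx_tail": rwx_tail}


def inventory_bytes(files):
    """files: {relative_path: bytes}. Returns {path: fingerprint} for PE files only."""
    result = {}
    for path, data in files.items():
        if os.path.splitext(path)[1].lower() not in PE_EXTENSIONS:
            continue
        fp = fingerprint(data)
        if fp is not None:
            result[path] = fp
    return result


def inventory_dir(root):
    """Walk a directory tree (a drive or a mounted share) and fingerprint its PE files."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in PE_EXTENSIONS:
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return inventory_bytes(files)


def compare(baseline, current):
    """Return [(path, reason)] for PE files that changed, appeared suspicious, or vanished."""
    findings = []
    for path, fp in sorted(current.items()):
        old = baseline.get(path)
        if old is None:
            if fp["rwx_tail"]:
                findings.append((path, "new PE file whose last section is writable+executable"))
            continue
        if fp["sha256"] != old["sha256"]:
            reason = "contents changed"
            if len(fp["sections"]) > len(old["sections"]):
                reason += ", section added (%s)" % fp["sections"][-1]
            if fp["rwx_tail"] and not old["rwx_tail"]:
                reason += ", last section now writable+executable"
            findings.append((path, reason))
    for path in sorted(set(baseline) - set(current)):
        findings.append((path, "missing (possibly deleted by a scanner)"))
    return findings


def build_pe(section_names, last_chars=0x60000020):
    """Construct a minimal synthetic PE image for offline testing (constructed data)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b""
    for i, name in enumerate(section_names):
        chars = last_chars if i == len(section_names) - 1 else 0x60000020
        table += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + coff + table
```

In practice you would run `inventory_dir` against the system drive and each share from a clean machine (or from a boot CD), pickle the result, and re-run after cleaning; anything `compare` lists as "contents changed" with an added RWX section is a candidate for replacement from install media, which is also why chaslang warns below that a clean reinstall may be the only reliable fix.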
  20. jellobean

    jellobean Private E-2

    Thanks for the help guys. Sorry I've taken a while to respond. We've been visiting my sister and her kids this weekend. One note, I'm going to have to shut down at about 11am EST today for my trip home so I might have that reboot issue you were talking about.

    The computer is back to where it was last week. I had some real problems for a few days when I uninstalled zone alarm but couldn't get an internet connection to stay connected long enough to download it again. I managed to do that last night so it's working okay again.

    I've attached the logs you requested.

    Thanks again.
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not uninstall ZoneAlarm as requested. If you did uninstall it but then reinstalled it, this was not worth doing because almost every executable from new programs is going to get infected.

    You also did not run ComboFix like I requested. You needed to make that CFScript.txt file and drag it onto the ComboFix.exe file on your Desktop. According to your ComboFix log, you just ran ComboFix and did not drag the CFScript.txt file to it.

    You're still badly infected with the same infection. See this: http://www.eset.com/pedia/virusy/win/win32/pariteb.htm
    Be sure to not connect this computer on a network with shared drives. Also do not copy any files from this PC to another PC.

    You will need to attach a new MGlogs.zip file when you are ready to work on this and when you are sure you will not have to shutdown or reboot the PC. If you don't keep the PC running after posting your logs, the fix given will not work.

    Just want to warn you that you could be looking at a total clean reinstall. This infection can be difficult to remove.
     
  22. jellobean

    jellobean Private E-2

    Sorry, I had dropped the file as you requested, but I think I may not have gotten a complete run or might have rerun it over again. I'm not sure. Here it is again.
     

    Attached Files:

  23. jellobean

    jellobean Private E-2

    I have my computer turned on and will leave it that way until I get a reply. Sorry this took some time, but I just traveled back overseas this week. I am attaching a MGlogs.zip file that I just ran now. I'm hoping you don't need a new combofix run. The one I did a few days ago is above.

    I have a question about this virus. Can I safely send files via email, or do I stand a chance of infecting other computers I use? Thanks.
     

    Attached Files:

    Last edited: Feb 23, 2008
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not really sure. The virus typically infects executable files but I'm not sure whether it would attach to emails or not. I have to emphasize again that a total clean reinstall may be required to fix this. We are going to try one more time but based on how many of your system files appear to be infected, this may be futile.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    Driver::
    gef6
     
    File::
    C:\Documents and Settings\Cassidy\Local Settings\Temp\gef6.tmp
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner!

    Now re-run the same BitDefender Online Scan as earlier and save a new log.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • new BitDefender Log
    • C:\MGlogs.zip
     
  25. jellobean

    jellobean Private E-2

    I've done as you requested and am attaching the logs.

    I will leave my computer running until I hear back from you again.

    I am not sure of the importance of keeping the computer running through the entire process, but did have to restart it a few times after I ran the combofix.

    I left the computer running after my last post and ran the requested combofix. When I tried to run the CCleaner, it was corrupted and my internet connection was not working (if I leave the computer running for more than a few hours the internet connection stops working and I must restart the computer) so I rebooted the computer. After restarting the computer (I had to do it two times because the first time I did not get the desktop and taskbar), I re-downloaded CCleaner and ran it. I also ran the online bit defender. Because the bitdefender takes a few hours, the internet had stopped working after it ran. I restarted the computer before running MGlogs because I knew I would need a connection to send you the files. I will not restart again until I hear from you.
     

    Attached Files:

  26. jellobean

    jellobean Private E-2

    Since I had time, I ran another Online BitDefender Scan. I'm attaching it here.

    It showed only one infected file (not including one adware problem) other than my restore points. I'm hoping this is a good thing.

    Should I go in and ditch all my restore points?

    Thanks for your help.
     

    Attached Files:

  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It could be just the timing. That is, you ran this fairly soon after running the previous scan and without reboots, so little spreading has occurred. The file deleted in the TEMP folder is the same one that showed in the last MGlogs.zip file too, which is good. But it still does not mean you are clean, and there could be files on your system that you need that may have been deleted during all the scans too. Do you have your Windows XP CD? I hope so, because you will need it during the next step.

    Click Start, Run, and enter sfc /scannow and click OK. Note there is a space after the sfc. This will run System File Checker to look for corrupted or missing Windows system files and it will attempt to fix the problems. It may ask for your CD if it needs to replace a file. This could take care of a large variety of Windows related files but it will not fix any issues related to any other programs that may have become corrupted/infected.


    Yes I would disable System Restore right now and leave it disabled for now. There is no sense in allowing the PC to accumulate more infected restore points.


    • After doing the above run BitDefender again and save a new log.
    • Then reboot your PC and run BitDefender a second time and save another new log.
    • Now run this Using ESET's Online Scanner which also requests a log
    • Now get a new MGlogs.zip file
    • Comeback and attach all 4 logs and tell me what happened during the sfc /scannow procedure.
     
  28. jellobean

    jellobean Private E-2

    I ran the BitDefender scan twice, but don't have a log for the second time because it came up with no problems (after the first scan I deleted the one adware infected file).

    I have included the other scan log you requested and a new MGlogs file.

    I tried to run the sfc scannow, but received the following error:
    Windows cannot find '*sfc'. Make sure you typed the name correctly, and then try again.

    It probably doesn't matter too much because I don't have my disk with me. I live overseas and all that stuff is at my house in the States. I will have to call my parents and get them to dig through some boxes to find it. It will probably take a few weeks to get it.

    I am wondering if my computer is clean enough to transfer files using an external drive. The system is functioning okay. I know I may run into problems with deleted files, but if I can limp along until I get my disk that's fine.

    One other question. Is there anywhere I can get the download for Spybot 1.4? The uninstaller is corrupted so I need to redownload it in order to uninstall it. Thanks.
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is an important Windows file. Look in the C:\Windows\System32 folder. Do you see sfc.exe? There should also be sfc.dll and sfc_os.dll.

    Based on what we see from your logs, you are clean. So you may be okay. However, as you noted and I have before, you could have lots of files missing since they could have been removed by scanners due to them being infected. Only time will tell. The sfc.exe file may just be the first that you notice.

    I'm not sure who has it available. You could do some hunting around to see. Otherwise try a tool like below to see if it can still remove it:

    Your Uninstaller! 2008


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note the space between the X and the /U; it must be there.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work thru the below link:
     
