Am I out of the woods???

Discussion in 'Malware Help (A Specialist Will Reply)' started by ZvillageIdiot, Oct 2, 2005.

  1. ZvillageIdiot

    ZvillageIdiot Private E-2

    Hello, I am working on my sister's computer. It was an unprotected, unblocked computer. So it was just a beehive waiting for the bees.
    I put Firefox, ZoneAlarm and the usual antispyware on, but too little too late.
    The biggies were Nail.exe, the Surf one and Aurora
    Their internet was always slow or not working at all.

    I have followed your "Basic Spyware, Trojan and Virus Removal" thread.
    Downloaded all the software that you suggested. Already had Spybot and AdAware.
    Went into safe mode and went to the website for Bitdefender.
    Found 60 infected files and deleted all but one. WMPlayer was the only one it didn't delete :confused:
    The Rav site never loaded for some reason.
    I went ahead with the rest of the steps.
    Ran Stinger. 2 files were found and deleted. Some virus starting with Q.
    Ran CCleaner. Cleaned 450 files.
    Ran Adaware. No files found.

    Here is my Hijack This Log done after all of this.


    So after all I have done, am I out of the woods??? Can I go back home yet?
    I will check thread in the morning.
     

    Attached Files:

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download:
    - Pocket Killbox
    - LSP-Fix
    - Unlocker
    - SSKfixXP.exe

    Please follow the steps below:

    - download Nail/Bolder/Aurora Remover 0.3.1 Beta and save it to its own folder like c:\ABIremover

    - Now extract the abiremover.exe file from the ZIP file into the folder you created but do not run the EXE yet. We will run it later.

    Run this uninstaller -http://www.bestoffersnetworks.com/uninstall/

    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the inetadpt.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move newdotnet6_38.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.
    If it is already in the Remove section, just click Finish.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.

    Now scan and have HJT Fix the following:
    Using Add or Remove Programs in the Control Panel uninstall the following:
    Surfsidekick
    Surfsidekick 2
    Surfsidekick 3
    If Surfsidekick is not in Add or Remove Programs, do the following.

    Open Windows Explorer and locate the following:
    C:\Program Files\SurfSideKick 2
    C:\Program Files\SurfSideKick 3
    One or both may exist.

    Start -> Run
    Type "C:\Program Files\SurfSideKick 2\ssk.exe" /u or "C:\Program Files\SurfSideKick 3\ssk.exe" /u > OK
    Enter the given security code (generated automatically by the uninstaller) > OK
    Click on YES at the reboot prompt.
    Make sure PC boots in Safe Mode afterwards.

    Start -> Run
    Type System32 > OK
    Look for all instances of Repairs*.dll file; once located, right-click > Unlocker > Unlock All.
    Immediately afterwards delete all instances of 'repairs.dll' file.

    Now run SSKfixXP.exe (towards the end of the process it might boot your PC; if that occurs, make sure you keep tapping the F8 key to boot back into Safe Mode). Run the fix again to complete the process.

    Boot back into Safe Mode.

    - Now, while still in safe mode, run the abiremover.exe but make sure you are physically disconnected from the internet (unplug your cable to be sure). Just click install and wait (the explorer window will disappear).

    - When abiremover finishes just reboot into normal and continue with the below steps.

    Go back and run all the steps as requested in our READ ME FIRST sticky; your log shows no signs of having completed both of the on-line scans requested.

    Post a fresh HijackThis Log as an attachment.
     
  3. ZvillageIdiot

    ZvillageIdiot Private E-2

    It didn't show the bitdefender scan??? The Rav site couldn't load. It said page not found.

    I am working on what you suggest and just wanted to post that. I will let you know the complete results.
     
  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  5. ZvillageIdiot

    ZvillageIdiot Private E-2

    Ok I have followed your new instructions and ran the old ones afterwards.
    Downloaded all the files asked for
    Ran -http://www.bestoffersnetworks.com/uninstall/
    Ran LSP-Fix
    Results: Did not find inetadpt.dll under either keep or remove.
    Did find newdotnet6_38.dll, it was already under remove.
    Successfully removed.
    Ran Hijack this
    Couldn't find O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
    When trying to fix files
    it came up with an error. I could not copy and paste the error. It had to do with O20 - AppInit_DLLs: repairs.dl

    Tried to find Surf Side Kick.
    Didn’t find it anywhere

    Found one instance of repair.dll
    Unlocked it, then deleted it

    Ran SSKFix and it didn't find any more.

    Ran ALBImore and it was successful.

    Ran the Virus scanners again. I was able to get the Rav this time. The internet has been going in and out, even in safe mode. It's cable :mad:
    I copied the reports in case nothing shows up in the Hijack log.

    I ran AdAware, Spybot, CCleaner, CWShredder, Kill2me, and HSRemove. I ran them in safe mode with no internet.

    Here is the Hijack log.
    I hope I don't have much to do, because I have a 3-4 hour trip home still to make.
     

    Attached Files:

  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, there are still a couple of problems left.

    - Download this trial version of Ewido Security Suite

    • Install ewido security suite
    • Launch ewido; there should be an icon on your desktop, double-click it.
    • The program will have a window come up. One of the buttons on the left is to Update. Click the Update button and then Start the Update. The update will start and a progress bar will show the updates being installed.
    • After it completes the update, click the Scanner button

    Now exit Ewido. Now print the below instructions or save them locally, because I want you to have no browsers open and also no connection to the internet (unplug your cable) while doing the below.

    Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

    Open up Ewido and do the following:

    • Click on Scanner
    • Then click Settings
    • Under What to Scan? Select Scan every file
    • Then click OK
    • Click on Complete System Scan and the scan will start.
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files that are infected. Leave the default selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report

    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.
    Reboot into normal mode and reconnect to the internet.

    Now Post the Ewido log as an attachment.
     
  7. ZvillageIdiot

    ZvillageIdiot Private E-2

    I ran Ewido under safe mode with NO INTERNET.

    The file is too large to attach. Do you want me to copy and paste the report in here??
     
  8. ZvillageIdiot

    ZvillageIdiot Private E-2

    Because of time constraints, can any of the other Malware experts help me?? I do need to get back home.
     
  9. ZvillageIdiot

    ZvillageIdiot Private E-2

    I split the report up in 2
    I will do posts so that I can attach it. It was the only way.
     

    Attached Files:

  10. ZvillageIdiot

    ZvillageIdiot Private E-2

    Here is the 2nd part.

    Please hurry. I need to leave very soon.
     

    Attached Files:

  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please run Panda Online Scan. After the scan attach the log to your next post. Also please follow the below:

    Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and double-click rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

    Now come back here and post both logs as attachments and a fresh HJT log, you will need to do 2 posts to attach all 3 logs.
     
  12. ZvillageIdiot

    ZvillageIdiot Private E-2

    You got me right after I left.

    I will give the instructions to my sister and have her email me back the logs. As soon as I get them, I will post.
     
  13. ZvillageIdiot

    ZvillageIdiot Private E-2

    Sorry it took so long. Here are the log attachments.
     

    Attached Files:

  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You need to run these scans in a timely manner, as the Trojan will mutate, causing us to start over again.

    Please post a fresh Hijackthis log.
     
  15. ZvillageIdiot

    ZvillageIdiot Private E-2

    Here is the Hijack file
     
  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The log is not attached.
     
  17. ZvillageIdiot

    ZvillageIdiot Private E-2

    Whoops! Here it is "again".
     

    Attached Files:

  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download:
    - Pocket Killbox


    Make sure you have done the following:
    How to view hidden, system files & folders!
    Searching for Hidden Files on WinXP

    Please make sure System Restore is OFF.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Command Service or cmdService ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Command Service or cmdService

    Do the Same for Windows Overlay Components.

    Run HJT, choose Open the Misc Tools Section, choose Process Manager, Highlight: (Some of these may not be shown in the list of running processes)
    Choose Kill Process.

    Now scan and have HJT Fix the following:
    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot. Note that many of the files listed below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
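    The steps in this post and in post 2 (the LSP-Fix removal of newdotnet6_38.dll, the repairs*.dll AppInit_DLLs loader, the cmdService / "Windows Overlay Components" services, the SurfSideKick folders) are all things a helper would want to confirm are gone before calling the machine clean. The script below is an added, read-only audit for exactly those thread-listed indicators; it is not part of the original thread or of any tool named in it. It assumes a current Windows host with PowerShell 5.1 or later (the 2005 XP box in the thread would not have it) and an elevated prompt for the service and registry reads; the file paths are built from the names given in the thread (including the two executables chaslang names later) and nothing else. It only reports, it never deletes.

```powershell
# Added audit script: report thread-listed malware indicators, read-only.
# Assumes PowerShell 5.1+ and an elevated prompt; paths are constructed from
# names given in the thread, not from a known sample.

$findings = @()

# 1. Winsock LSP catalog: the NewDotNet provider that the LSP-Fix step removes.
#    A stale entry here is what produced the HJT "O10 - Broken Internet access" line.
$catalog = netsh winsock show catalog 2>$null
if ($catalog -match 'newdotnet') {
    $findings += 'Winsock catalog still references a newdotnet LSP (LSP-Fix step not complete)'
}

# 2. AppInit_DLLs: the HJT O20 line pointed at repairs.dll, which every
#    user-mode process would load via this value.
$winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit -and ($appInit -match 'repairs')) {
    $findings += "AppInit_DLLs is '$appInit' (repairs*.dll loader still registered)"
}
# Loose copies in System32 that the Unlocker step targets.
Get-ChildItem -Path "$env:SystemRoot\system32" -Filter 'repairs*.dll' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "File present: $($_.FullName)" }

# 3. Services the post says to stop, disable and delete. Match on either the
#    short name or the display name, since the post gives both forms.
$badServices = 'cmdService', 'Command Service', 'Windows Overlay Components'
Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $badServices -contains $_.Name -or $badServices -contains $_.DisplayName } |
    ForEach-Object {
        $findings += "Service '$($_.Name)' present: status $($_.Status), start type $($_.StartType)"
    }

# 4. Leftover folders and files named in the thread: SurfSideKick install
#    directories, the Global Startup item, and the two executables chaslang lists.
$commonStartup = [Environment]::GetFolderPath('CommonStartup')
$paths = @(
    "${env:ProgramFiles}\SurfSideKick 2",
    "${env:ProgramFiles}\SurfSideKick 3",
    (Join-Path $commonStartup 'strings.exe'),
    "$env:SystemRoot\system32\wbbwgg.exe",
    "$env:SystemRoot\io2uns.exe"
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Path present: $p" }
}

# 5. Report. An empty list means none of the thread's indicators remain; it
#    does not prove the machine is clean, so the on-line scans are still needed.
if ($findings.Count -eq 0) {
    'No thread-listed indicators found.'
} else {
    $findings
}
```

    Run it from an elevated PowerShell prompt before and after the removal steps; the "after" run should come back empty, and any line it still prints names the step in the thread that has to be repeated.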
     
  19. ZvillageIdiot

    ZvillageIdiot Private E-2

    Can't download Qoologicfinder

    I'll attach one more post with Panda Online scan
     

    Attached Files:

  20. ZvillageIdiot

    ZvillageIdiot Private E-2

    Is there a size limitation for attachments, because I'm not able to attach spyexposer.txt. It is 42 KB.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why not? It works just fine!

    Also your Rkfiles was not a complete log. Are you having problems running it?

    I guess SPD never noticed you did not install HJT properly. ( C:\Documents and Settings\Rachel\Desktop\HijackThis.exe )


    The below two lines should be fixed using HijackThis:
    O4 - Global Startup: strings.exe
    O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0009.exe

    What problems are you still having?
     
    Last edited: Oct 22, 2005
  22. ZvillageIdiot

    ZvillageIdiot Private E-2

    I apologize for all of this. I'm actually ZvillageIdiot's sister. He was helping me on my computer (& given the fact that he lives 3 hours away from me) has left me with the clean-up project. So bear with my "newness" to this whole process.

    I believe I now have the Qoologic file & a complete RKtool file. See attachments.
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Locate the below two files and delete them (use safe mode boot if necessary):

    C:\WINDOWS\system32\wbbwgg.exe
    C:\WINDOWS\io2uns.exe

    Afterwards reboot! Let me know the results of the above. Also indicate any current problems you are still having. If you are having problems, attach a new HJT log too.
     
