Can you please help! Serious Probs! HJT Tutorial

Discussion in 'Malware Help (A Specialist Will Reply)' started by davedaffodill, Aug 27, 2008.

  1. davedaffodill

    davedaffodill Private E-2

    Hi there! Fantastic site, really! and I'm hoping you can help me? My computer has been giving me nightmares! I have been experiencing seriously frustrating malware problems since around the 20th of June!
    (Today is 27 August).

    I realise this post is lengthy; I have tried to be as concise as possible, and would like to thank you heaps for your time.

    Here is what has happened:
    My operating system is XP Pro. I usually use a combination of Spybot S & D and Zone Alarm (Firewall and AV) as my defence against malware, but earlier this year my ZA subscription expired and I did not renew. My PC was happy for several months until Spybot Teatimer suddenly picked up malware trying to change the registry.

    (I was not connected to the net at the time this happened; however, one of the last things I had done online (the evening before) was to pay for an ebook on an alternative fuel/petrol saving innovation via Paypal, which had involved setting up a new Paypal account).

    The malware got Spybot really worked up, and had Spybot resident continually flashing 10 to 15 messages at once which covered up to half of the screen etc. The resident was showing three different names for the malware it was finding. (In the end it was a week before I got through this initial malware - but more was to follow).

    Initially the malware included ‘Prorat’ and one called something like ‘Win XP Security Override’ (or a name close to that) and there was also one called either ‘Banker Trojan’ or ‘Banker Info Stealer’ . Soon after this Spybot began finding several infections of ‘Winlagons’ on each scan. The computer became difficult to restart, and then I began to get worried. I began searching online for cures and scanners around the clock and downloaded and tried out several during that first week. Xsoft was recommended, although I became suspicious of it after a while. Panda AV had also been recommended, although I do not recommend it myself, particularly as it took me around 3 hours to uninstall it (you need a special code not supplied in the uninstall).

    I discovered “Anti Prorat 2.1” online, ran it, and it seemed to get rid of Prorat totally. However I still obviously had other problems; Spybot was still going crazy. Then about week two into this my (previously very stable for three years) Windows XP machine crashed and would not restart. I managed to force a start through safe mode and by installing Windows Recovery Panel and getting a System Restore to about a week back.

    Over the next fortnight I installed various fixers and anti-malware including Adaware, SpyDoctor, Protector Plus AV, and various others (one by one of course – not running them together). The malware which scanners found during this week included: “Trojan.Virtumonde”; “Trojan Downloader.Small CML”; “AdawareComponent.Unrelated”; “Monder4 GEN Trc File”; “Trojan/CWS Cor Registry Va”; “InfoStealer Ban Registry”; “My Search Tool Bar”; “DownloaderWinlagons”; “Virtumionde”; “Virtumonde.dll”; “Win32gent.p3”; “Trojan CWS Combo Downloader”; “Winlogons AF Trojan”; and “WinFixer2005”.

    Of course I was often getting between 10 and 20 duplicated infections of some of this malware running at the same time. I believe that some of the malware invited further malware, I discovered some blogs and information pages that suggested that this was the case. I also discovered some blogs that suggested that some of these anti spyware sites and programs were not necessarily as they seem – i.e. they may be fakes. I was fast gathering these sorts of suspicions myself as previously mentioned, over three weeks of trialing. Eventually, however, I had found removal tools which seemed to work for much of the malware but I still could not get rid of virtumonde.
    The programs I used at that stage were “cleanwinlagons.exe”; “CWShredder.exe” and “Vundofix” (supposed to be used in conjunction with a shredding program called “KillBox”).

    I was then away from my PC for around one week, during which time the PC was physically unplugged from the net and switched off. Then finally, around the end of July, an updated Spybot v1.60 seemed finally to deal with Virtumonde (a freshly updated version of Zone Alarm Pro was also running). I thought my PC may have been clean but I remained suspicious. I spent a few days working normally with the PC and it was running fine, although I still had concerns. I was then away from home for another 5 days – nobody had access to the PC, which was again switched off.

    When I returned I found I couldn’t connect to the internet and my ISP said they had disconnected me because my computer had been sending unsolicited email in the week before... (I am so very sorry everyone - how does one send apologies to the planet)!!!! I changed the SMTP protocol to “dummy” in an attempt to stop email from uploading to the net and still be able to get online and find an answer. By this time I had decided to try the Major Geeks site after remembering that I had seen HijackThis there. MG is a great site by the way, absolutely excellent! Well done! and thank you! This is now one of the few sites I am prepared to trust in relation to anti-malware. At around this time one of the anti-malware programs I was running (must have been ZA, Adaware or Spybot) found “TrojanW32,Monder” and “ObsfucatMonder”.

    Going back online I began downloading the programs required to run HiJackThis as well as continuing to search for information on this malware. I also had a look at the startup menu in msconfig and stopped everything I could not identify from running on start up. I believe around this time something else changed. I could now see the computer was definitely trying to upload; as far as I am aware, this had not been happening earlier in the session. However, what was definitely evident and occurring in front of me was that the malware could go through Zone Alarm's firewall! Even with “internet lock” engaged the computer would attempt to upload at a mammoth rate. ZA wouldn’t even flicker…!

    I believe the program doing this was “svchost.exe” (this is what seemed to be running hardest at the time, and there are now always about four or five versions of svchost.exe running at once on my PC over the last two-three weeks and I can not disable them, nor can I erase svchost.exe in the System32 folder). I then took the computer completely off line and set up a second machine. I also used a friend's computer to download a Symantec fixer program called “FixWelchia.exe” that is supposed to fix problems with svchost.exe, but it could not find any infections. I am also aware that there is malware called “svcchost.exe” – however, I can not find this on my machine.

    I used the new machine to download “Filseclab” from Major Geeks, and tested it on the new machine. I am very impressed with it. I copied it and transferred it to the infected XP system. It works really well - it catches the upload and also named one of the programs trying to connect as svchost.exe. (thank you MG). Starting from yesterday Filseclab has detected a program called “Sockets de Trios V1” also trying to access the net. Anyways, last week having got back on line, I tried to run the scans required for HiJackThis but I messed it up, and had to run the scans again, which were only completed yesterday. (OH NO! – here's what happened) - All logs are provided with this entry:

    Attempt 1 at HijackThis.
    I followed the instructions for routine maintenance; I also left Spybot installed. An updated version of Spybot S&D was therefore running during the first scan (SuperAntiSpyware), BUT I had forgotten to turn the Teatimer off. ALSO: I made a second error; the first scan was done with the start up menu set to prevent some programs starting, i.e. it was being run by msconfig, at my instruction. The programs I had selected to prevent starting at start up were “-quiet”; “gtwatch”; “EasySpyRemover”; and “Winampa”.

    I had not realised that I had messed this up until halfway through the scan. I let the scan run and followed the instructions properly for SAS scan number 2. That is, I switched the msconfig control off (set to normal), rebooted (again) and this time also disabled Teatimer. I then ran the scan again to get SAS scan Log Number 2 (which found nothing amiss – totally unlike the first scan!). I continued the rest of the process with Teatimer disabled and the start up settings set to “Normal” as required.
    Although there is some distance in time between each scan, no other process was started between each scan, and the order of scans given in the MG instructions was followed. Although there were shutdowns in between, no programs were opened or started between or during the scans (apart from IE once or twice, as I had to connect to the Net to retrieve some instructions from MG that I had omitted to print). When running MG Tools at the very end of the 'Windows XP cleaning process' I did get a (type 4) error message ("Application Error, The application failed to initialize properly ....Click on any key to terminate") - I was unable to download the Microsoft .NET Framework software as by that stage I had no connectivity to the net at all. I have saved the logs and will attach them here and in the following thread as Logs 1,2,3,4.

    Attempt 2 at HijackThis
    A few days later, having set the second computer up and being better able to access downloads, I ran the HijackThis process again from start to finish as required, from routine maintenance right to the end, with Teatimer disabled and the Start menu set to normal. The logs are included in the next two as logs 6,7,8, and 9. At the end, however, I got the .NET Framework problem again. I installed the .NET Framework update and re-ran the MG Tools scan.

    This thing is seriously driving me crazy and I need the machine; it really is not a system I can wipe! I really hope someone is able to help me. I am really sorry that I have potentially messed the scans up completely, but I am hoping some diagnosis may still be possible without it being too difficult.

    Can you please assist me!
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please attach the MGLogs.zip from running the MGTools.exe.
     
  3. davedaffodill

    davedaffodill Private E-2

    Thank you HEAPS for looking at this! The MG zip file is attached as well as the second SAS log. Remaining scans to follow.
     

    Attached Files:

  4. davedaffodill

    davedaffodill Private E-2

    Two further scans attached.
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    One of your main problems is that you have not installed either SP2 or SP3. That makes your system vulnerable.

    You have some strange things on your desktop and in your documents.....I assume you know what they are.

    Do you know what this is:
    C:\WINDOWS\Holden SS Ute dir
    If not, delete it.

    Use windows explorer to find and delete:
    C:\WINDOWS\system32\fyrpihpr.tmp
    C:\WINDOWS\system32\qxglevup.ini
    C:\WINDOWS\rack32a.ini

    I'm not seeing any other problems at this time, so I would strongly suggest that after doing the above, you install one of the updates!
     
