Download and scans did not work. Help!

Discussion in 'Malware Help (A Specialist Will Reply)' started by tw94, Dec 4, 2007.

  1. tw94

    tw94 Private E-2

    About two days ago my computer started to freeze up and I started to get all these balloons telling me I have worms, trojans, and viruses, and IE windows started popping up constantly telling me I need to buy their software to fix the problem. Some of the things they warn me against are PSW.x-vir trojan, trojan-spy.win32@mx, black door trojan, networm-i.virus@fp, and I get Windows Internet Explorer message boxes telling me that different things like cyberlogx and spybox@mxt trojan are trying to infect my computer and that I need to download the patch. I click cancel because I don't know if it's legit or if it's a virus. I would say virus because as soon as I click cancel I get a warning from IE telling me to buy the software. I would have to guess that this all started when my daughter tried to "click on a picture on MySpace". She said after she did that our SpySweeper AV kept coming up saying something was trying to download itself on the computer and that it would automatically block it, but then that box wouldn't go away. I finally got it to do a sweep and then close, but since then we've had nothing but problems. We have Windows XP. I downloaded everything, ran all the scans, etc, but I'm still having problems. I followed all the steps one by one, but I'm not sure if I did it right because the boxes kept popping up blocking what I was trying to do so even when the scans said not to open any windows while performing the scan, these things popped up like crazy and I closed out of them because they were in the way. I also realized at one point that my Spy Sweeper tried to block some things from the spybots and AVG while they were running their scans, but I allowed them when I saw them (if I don't click anything they will automatically block, so I'm not sure if that happened when I left the room or not.) I made note of two things that happened that didn't sound right during the process. 1. When I was told to empty the recycle bin after emptying my quarantined files there was nothing in the recycle bin to empty. 2. After running AVG, it said there were no reports available, but it did quarantine 1 item with 4 traces found. I'm at a loss. I'm attaching the logs that I did get, minus the AVG that said there were no reports. Thank you so, so much for your help!!
     

  2. abri

    abri MajorGeek

    Hi tw94!
    Welcome to MajorGeeks!

    1) Please run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\atubwruf.dll
    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\atubwruf.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunOnce: [SpybotDeletingA4168] command /c del "C:\WINDOWS\system32\atubwruf.dllbox"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC7630] cmd /c del "C:\WINDOWS\system32\atubwruf.dllbox"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA8149] command /c del "C:\WINDOWS\system32\atubwruf.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC9875] cmd /c del "C:\WINDOWS\system32\atubwruf.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA9416] command /c del "C:\WINDOWS\system32\atubwruf.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC6859] cmd /c del "C:\WINDOWS\system32\atubwruf.dll"
    O4 - HKCU\..\Run: [QdrModule10] "C:\Program Files\QdrModule\QdrModule10.exe"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB415] command /c del "C:\WINDOWS\system32\atubwruf.dllbox"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD8309] cmd /c del "C:\WINDOWS\system32\atubwruf.dllbox"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB3398] command /c del "C:\WINDOWS\system32\atubwruf.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD882] cmd /c del "C:\WINDOWS\system32\atubwruf.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB9030] command /c del "C:\WINDOWS\system32\atubwruf.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD9075] cmd /c del "C:\WINDOWS\system32\atubwruf.dll"
    O20 - Winlogon Notify: atubwruf - C:\WINDOWS\SYSTEM32\atubwruf.dll

    After clicking Fix, exit HJT.



    2) Now run Avenger ( in the MGTools folder)

    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:
    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    3) Please run CCleaner. If you need the instructions, scroll down at this address for the installation and instructions:
    http://forums.majorgeeks.com/showthread.php?t=35407

    4) Please go to add/remove programs and uninstall the following:

    J2SE Runtime Environment 5.0 Update 9

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    5) Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    abri
     
  3. tw94

    tw94 Private E-2

    Well, I found C:/MGtools/analyse.exe, but when I double click on it a HiJack This box pops up that says "Out of Memory". What in the world do I do now???
     
  4. abri

    abri MajorGeek

    tw94!
    Thanks for your patience. Please skip to the next instruction and see if you can do that. If you can do the Avenger deletions, then go back and try running analyse.exe again.

    If you get the same message about analyse.exe again, please create a folder under Program Files called HJT and copy analyse.exe into the new folder. Then rename it analyse2.exe and try running it again. If you are able to run it, then fix the items which I listed. If some of them are gone, that is okay.

    Be sure to run CCleaner at the default setting whether you can do any of the above or not.

    Thanks.
    abri
     
  5. tw94

    tw94 Private E-2

    Well, Avenger wasn't in MGTools for some reason. I'm striking out! I'm afraid I'm going to have to bite the bullet and take my computer in somewhere since I need it for my job. I was trying to avoid having to pay to fix it since I'm an underpaid transcriptionist, but I'm losing more money than I'm saving! I very, very much appreciate the time and effort you put in to trying to help me. I know it has to be frustrating to have so many people to help (for free) and to not be able to see what's going on for yourself. I'm sorry if I wasted your time, but I truly do appreciate the effort. I'm sure I'll be back with questions to try to help prevent future problems. Thanks again!
     
  6. tw94

    tw94 Private E-2

    Before I take my computer to someone, I just have one more question. Would it do any good to do that restore thing? I was told once that the computer has the ability to reset itself or restore itself at set points. Is that right? Is that something I could do, or would the malware still be on there? Also, is it too late to save some of the things I want to keep, if it has to be restored completely, on a disc or something? Or would the malware download onto the CD also? Thanks.
     
  7. tw94

    tw94 Private E-2

    Sorry, this is a repeat of the post above. I tried to edit it and apparently created a whole new one. Please read the post above regarding what I couldn't find in analyse and not being able to find avenger. Thanks
     
    Last edited: Dec 5, 2007
  8. tw94

    tw94 Private E-2

    Abri,
    Please disregard my previous two posts!! I'm so happy. I decided to give it one more try and when I turned my computer on and Spybot did its thing, I was able to get into analyse folder and have no more popups (for now). So I did what you said in step 1, but I couldn't find all of them. The items listed below weren't options for me to check.

    Also, I can't do step 2 because I can't find Avenger in MGTools or anywhere else. Is there some other way I can download that? I'm not sure what happened that I didn't get that one.

    Thank you so much for your patience with me and all of your help.

    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\atubwruf.dll
    O4 - HKLM\..\RunOnce: [SpybotDeletingA4168] command /c del "C:\WINDOWS\system32\atubwruf.dllbox"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC7630] cmd /c del "C:\WINDOWS\system32\atubwruf.dllbox"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA8149] command /c del "C:\WINDOWS\system32\atubwruf.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC9875] cmd /c del "C:\WINDOWS\system32\atubwruf.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA9416] command /c del "C:\WINDOWS\system32\atubwruf.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC6859] cmd /c del "C:\WINDOWS\system32\atubwruf.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB415] command /c del "C:\WINDOWS\system32\atubwruf.dllbox"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD8309] cmd /c del "C:\WINDOWS\system32\atubwruf.dllbox"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB3398] command /c del "C:\WINDOWS\system32\atubwruf.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD882] cmd /c del "C:\WINDOWS\system32\atubwruf.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB9030] command /c del "C:\WINDOWS\system32\atubwruf.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD9075] cmd /c del "C:\WINDOWS\system32\atubwruf.dll"
    O20 - Winlogon Notify: atubwruf - C:\WINDOWS\SYSTEM32\atubwruf.dll
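
The triage abri does by hand in message 2, and tw94 repeats in the list above (find every HijackThis line that references the one DLL, then tick those lines before clicking Fix), can be scripted. The following is an added example and not code from the thread or from MajorGeeks; the log text is a constructed sample built from the atubwruf.dll lines quoted above plus two ordinary autostart entries, and the "hooked plus pending deletes" verdict is this example's own rating, not a HijackThis feature:

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis log format: the atubwruf.dll lines quoted in
# the thread plus two ordinary autostart entries, so grouping by file is visible.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\atubwruf.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\atubwruf.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [SpybotDeletingA9416] command /c del "C:\WINDOWS\system32\atubwruf.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6859] cmd /c del "C:\WINDOWS\system32\atubwruf.dll"
O4 - HKCU\..\Run: [QdrModule10] "C:\Program Files\QdrModule\QdrModule10.exe"
O20 - Winlogon Notify: atubwruf - C:\WINDOWS\SYSTEM32\atubwruf.dll
"""

# Sections that load a DLL into a host process rather than just starting a program.
HOOK_SECTIONS = {
    "O2": "Browser Helper Object (loaded into Internet Explorer)",
    "O3": "Internet Explorer toolbar",
    "O20": "Winlogon Notify (loaded by winlogon.exe at every logon)",
}

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# A quoted path (may contain spaces) or a bare drive-letter path.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s"]+)')


def parse_hjt(text):
    """Turn HijackThis lines into records: section, raw line, referenced file paths
    (lower-cased so system32 and SYSTEM32 collapse) and whether the line is a
    RunOnce 'del' entry, i.e. a deferred deletion another cleaner left behind."""
    records = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue
        section, body = m.groups()
        paths = [(quoted or bare).lower() for quoted, bare in PATH_RE.findall(body)]
        records.append({
            "section": section,
            "raw": raw,
            "paths": paths,
            "deferred_delete": section == "O4" and "RunOnce" in body and " del " in body,
        })
    return records


def triage(text):
    """Group records by file and rate each file. A file that is both hooked in
    (O2/O3/O20) and the target of pending RunOnce deletions was in use when a
    cleaner tried to remove it, which is exactly the pattern in this thread."""
    by_path = defaultdict(list)
    for rec in parse_hjt(text):
        for p in rec["paths"]:
            by_path[p].append(rec)
    report = {}
    for p, recs in sorted(by_path.items()):
        hooks = sorted({r["section"] for r in recs if r["section"] in HOOK_SECTIONS})
        pending = sum(1 for r in recs if r["deferred_delete"])
        if hooks and pending:
            verdict = "REVIEW: hooked DLL with pending deletes"
        elif hooks:
            verdict = "hooked"
        else:
            verdict = "autostart"
        report[p] = {"hooks": hooks, "pending_deletes": pending,
                     "entries": len(recs), "verdict": verdict}
    return report


def lines_for(text, path):
    """Every raw HijackThis line that references `path`: the set a helper would
    tell the user to tick before clicking Fix."""
    path = path.lower()
    return [r["raw"] for r in parse_hjt(text) if path in r["paths"]]


if __name__ == "__main__":
    for path, info in triage(SAMPLE_LOG).items():
        print(f"{path}: {info['verdict']} (entries={info['entries']}, "
              f"hooks={info['hooks']}, pending={info['pending_deletes']})")
    print()
    print("\n".join(lines_for(SAMPLE_LOG, r"C:\WINDOWS\system32\atubwruf.dll")))
```

Run against a real HijackThis log, `triage` lists each referenced file once, so a DLL that shows up as a BHO, a toolbar and a Winlogon Notify hook at the same time stands out, and `lines_for` gives the exact lines to select; the RunOnce `del` entries are counted as evidence that the file was locked, not as a load vector themselves.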
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Avenger is not part of MGtools. It is a program created by Swandog. You can download it here: The Avenger

    Then continue with the steps Abri gave you.
     
  10. tw94

    tw94 Private E-2

    Okay, here are the logs. I'm keeping my fingers crossed...
     

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


    You need to uninstall the below:
    Java 2 Runtime Environment, SE v1.4.2_16
    Java 2 SDK, SE v1.4.2_16

    Also delete the below file which is for the above and is way out of date. This version of Java is a security risk and is prone to Vundo infections.
    C:\j2sdk1.4.2_16


    Reboot after uninstalling the above.

    Also in message # 2 Abri asked you to install the current version of Sun Java from: Sun Java Runtime Environment You still have not done this.


    If you need the Sun Java Development kit you can get it here: http://java.sun.com/javase/downloads/index.jsp



    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\TEMP
    C:\Documents and Settings\Owner\Local Settings\Temp


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created

    Make sure you indicate how things are working!
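
The Temp-folder step above (remove everything in the two Temp folders except entries from the current day, and expect Windows to refuse a file that is still in use) as a script. This is an added example, not code from the thread or from MajorGeeks; `demo()` builds a throwaway folder with constructed files rather than touching the real Temp directories, and the real paths from the message (`C:\WINDOWS\TEMP`, the user's `Local Settings\Temp`) would be passed as `root`:

```python
import os
import shutil
import tempfile
import time
from datetime import date


def modified_today(path, today=None):
    """True if the entry's last-modified date is the current day: the entries the
    message says to leave alone (Windows will not let you delete them anyway)."""
    today = today or date.today()
    return date.fromtimestamp(os.lstat(path).st_mtime) == today


def clean_temp(root, dry_run=False):
    """Remove every file and sub-folder directly under `root` except entries
    modified today. Returns (removed, kept, failed); an entry the OS refuses to
    remove (open or locked, like tw94's one leftover file) lands in `failed`
    instead of aborting the whole run. dry_run only reports what would go."""
    removed, kept, failed = [], [], []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if modified_today(path):
            kept.append(name)
            continue
        if dry_run:
            removed.append(name)
            continue
        try:
            if os.path.isdir(path) and not os.path.islink(path):
                shutil.rmtree(path)
            else:
                os.remove(path)
            removed.append(name)
        except OSError:
            failed.append(name)
    return removed, kept, failed


def demo(days_old=3):
    """Constructed fixture: one stale file, one stale folder with a file inside,
    one file from today. Runs the cleaner on it and returns the result."""
    root = tempfile.mkdtemp(prefix="temp-demo-")
    try:
        stale = time.time() - days_old * 86400
        for name in ("old.tmp", "oldfolder"):
            p = os.path.join(root, name)
            if name.endswith(".tmp"):
                open(p, "w").close()
            else:
                os.mkdir(p)
                open(os.path.join(p, "inner.tmp"), "w").close()
            os.utime(p, (stale, stale))  # back-date after creating contents
        open(os.path.join(root, "today.tmp"), "w").close()
        return clean_temp(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    removed, kept, failed = demo()
    print("removed:", removed, "kept (today):", kept, "failed:", failed)
```

Use `clean_temp(r"C:\WINDOWS\TEMP", dry_run=True)` first to see the list, then run it without `dry_run`; anything reported in `failed` is the in-use file to ignore or clear after a reboot, as the thread describes.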
     
  12. tw94

    tw94 Private E-2

    Okay, I've attached the MGlogs file. I had actually downloaded what I thought was the most recent version of Sun Java, but apparently it wasn't so I've uninstalled it again and reinstalled version 6. I hope that's the right one. Also, as I was downloading that my AV kept popping up saying that ssv.dll (File name: MSIEXEC.EXE) was trying to be installed as a browser add on from the company Sun Java...but I clicked block because it seemed like all the .dll things were bad. Is this right? The download finished regardless of that. I only had one temporary file that couldn't be deleted. Other than that, things seem to be running smoothly. Computer seems to be much faster than it has been lately. Thanks again for checking into this. You guys are very much appreciated.
     

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    MSIEXEC.EXE is Microsoft Windows Installer and blocking it may cause installation issues with Sun Java. The message you were getting was about Sun Java's BHO file (which is the ssv.dll) being hooked into Internet Explorer.

    Your logs are clean but I do have a couple of comments. I see AOL Antispyware, Spy Sweeper and AVG Antispyware. Is Spy Sweeper a paid version or free trial? If free, you need to uninstall it. If it is a paid version, you need to get rid of AOL Antispyware. AVG Antispyware will be less of an issue once you pass the 15 day trial period because it will then become a scanner/removal tool and will not be performing any active protection that could interfere with the other tools.

    You should also disable BigFix from running at startup. It is a massive resource hog. If you don't think you will ever use it (and most people don't) you should just uninstall it.

    You need an antivirus program and that is covered in the link in the below final steps.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  14. tw94

    tw94 Private E-2

    How will I know if Sun Java didn't download right? It shows up on my add/remove programs. Should I uninstall and then reinstall?

    Also, when I uninstalled BigFix it said that there were some items that could not be uninstalled and that I would have to remove them manually. Where do I do this?

    Also, my SpySweeper is the version that has antivirus with it (recommended by Best Buy Geeks), so I hope it's okay.

    Lastly, one of the instructions on the Read and Run Me First said to change to normal startup... Do I need to do anything with this, or is that where it should stay?

    I'll say this now so that you can go ahead and close this thread when you're done with it. I cannot tell you how in awe I am of you guys (and girls). I can't relay enough how much I appreciate your help with not only this problem but also having a place where we computer illiterates can come to get layman's instructions on what we need to do to make our computers efficient. The time you donate is truly appreciated. Have a great holiday season!!
     
    Last edited: Dec 7, 2007
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No just leave it. It seems okay.

    It probably left a folder under C:\Program Files that you need to remove.

    Yes but then you need to uninstall the below:
    AOL Spyware Protection
    AVG Anti-Spyware 7.5

    You should always be in Normal Startup unless you are in the process of debugging problems. Thus leave it in normal startup.

    You're welcome. Thanks for the appreciation and holiday wishes. Enjoy yours malware free. ;)
     
