Evil malware won't go away, help needed

Discussion in 'Malware Help (A Specialist Will Reply)' started by cjhenstra, Jan 28, 2008.

  1. cjhenstra

    cjhenstra Private E-2

    Saturday morning three new items appeared on our IE toolbar, relating to virus protection. That's where it all began. By Saturday night, our background was replaced with a red skull warning of privacy dangers. It pops up warning windows and automatically opens a website where I can purchase virus protection.

    I've followed the basic instructions on this forum, ran ccleaner, combofix.exe, spybot -search & destroy, AVG anti spyware, and mgtools.exe. It seemed to fix it but left my background white, unchangeable. Then it came back. I ran SmitfraudFix and all the others again, seemed to fix and restored my background. It's back again. I'm attaching logs from my first attempt.

    I'm running Windows XP, using router & modem, and I have a home network installed (I'm using my laptop now but I'm terrified it can get here too.) I have McAfee Security Center and had Virus Protection, Firewall, etc all running before this hit me.

    Thanks for any help.

    Colleen
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi cjhenstra!
    Welcome to MajorGeeks!

    Did SmitFraud Fix get rid of part of the problem? Please continue with the instructions in the R READ & RUN ME FIRST making sure to note those for your operating system. You've already posted Combofix and AVG Antispyware, so I don't need them again, but I need to see the MGlogs.zip file which is produced when you install and run MGtools.exe. If you have not run CCleaner, please do that according to the instructions. Make sure your msconfig is set to normal startup before you get the MGlogs.zip, otherwise HijackThis will be missing your startup items.

    If you have any questions, please ask.
    Thanks.
    abri
     
  3. cjhenstra

    cjhenstra Private E-2

    abri:

    Thanks for your help.

    I followed all the steps in the Read & Run instructions, including ccleaner.exe. When I ran the SmitFraudFix it seemed to clear it all up - my background was restored, nothing popped up, and the items were gone from my IE toolbar. Then it came back about 12 hours later.

    That's where I'm at now.

    Thanks again.

    Colleen
     

    Attached Files:

  4. abri

    abri MajorGeek

    Hi cjhenstra!

    Please do the following:


    1) Go to add/remove programs and uninstall the below:

    Viewpoint Media Player
    J2SE Runtime Environment 5.0 Update 7
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3


    2) Reboot after uninstalling the above.

    3) Install the current version of Sun Java from: Sun Java Runtime Environment


    4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    O2 - BHO: SXG Advisor - {54505F14-AFC2-424A-B260-962F1AFDFD78} - C:\WINDOWS\dpvtporkgr.dll
    O3 - Toolbar: elfwgps - {3BF455E1-0856-4575-AEFB-FE98B34E6E2D} - C:\WINDOWS\elfwgps.dll (file missing)
    O4 - HKLM\..\RunOnce: [SpybotDeletingA4320] command /c del "C:\WINDOWS\bqxomdo.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC1792] cmd /c del "C:\WINDOWS\bqxomdo.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB963] command /c del "C:\WINDOWS\bqxomdo.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD8626] cmd /c del "C:\WINDOWS\bqxomdo.dll_old"
    O21 - SSODL: bqxomdo - {2C2CEAA6-A4A4-4E85-8EC2-4875441E1D1C} - C:\WINDOWS\bqxomdo.dll (file missing)
    O21 - SSODL: aswmklt - {D0BC3DF8-1BEC-49C6-8D05-CEE0A74D8DC9} - C:\WINDOWS\aswmklt.dll
    O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

    After you click fix, just close hijackthis.


    5) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    6) Download and install Erunt. Use it to create a backup of your registry.


    7) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    8) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    9) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    10) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log. Also, let me know if you got a success message for the REGEDIT4 registry patch.


    Let me know how things are running now.

    abri
     
  5. cjhenstra

    cjhenstra Private E-2

    Things are looking awesome. I haven't had the program come back so I think we are set. Here is the latest log file.

    Thanks again for all your help.

    Colleen
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi cjhenstra!

    Did you skip step 5 in the last post?
    Also, was the registry patch successful? Did you get a message to this effect?

    Please do the following:

    1) Please disable your guest account if it is not already disabled.

    2) Now run CCleaner by double-clicking on the icon on the desktop. Run it in the default setting with the Windows tab on top.

    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    O2 - BHO: SXG Advisor - {54505F14-AFC2-424A-B260-962F1AFDFD78} - C:\WINDOWS\dpvtporkgr.dll
    O3 - Toolbar: elfwgps - {3BF455E1-0856-4575-AEFB-FE98B34E6E2D} - C:\WINDOWS\elfwgps.dll (file missing)
    O21 - SSODL: bqxomdo - {2C2CEAA6-A4A4-4E85-8EC2-4875441E1D1C} - C:\WINDOWS\bqxomdo.dll (file missing)
    O21 - SSODL: aswmklt - {D0BC3DF8-1BEC-49C6-8D05-CEE0A74D8DC9} - C:\WINDOWS\aswmklt.dll

    Does the following belong to programs you know or want to keep? If not, please fix it as well.

    O16 - DPF: {89F9AA82-9B9F-4D1C-A637-33388558FAAC} (AutoImport1_5_9.GW_Import_Control) - http://webcal.weber.k12.ut.us/webcal/cab/ccuweb1_5_9.cab

    After you click fix, just close hijackthis.


    4) Please run Avenger again as in post 4, only this time use the contents of this box:
    5) Run CCleaner again in the default setting.

    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.

    Let me know how things are running now.

    abri
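The HijackThis lines abri asks to be fixed in posts 4 and 6 follow a fixed shape (section code, category, name, optional CLSID, file path, optional "(file missing)" marker). As an added example that is not part of the thread and not MajorGeeks' or HijackThis's own code, here is a small Python parser for that format, with a triage pass that flags the patterns the thread is dealing with: stale "(file missing)" references, DLLs dropped straight into the Windows directory, SSODL (O21) shell objects, and an Active Desktop component (O24) backed by a local HTML file. The sample lines are copied from the two posts; the flagging heuristics and all function names are my own assumptions, not rules from the forum's instructions.

```python
"""Parse HijackThis-style scan lines and flag entries worth a closer look.

Line shape: "<Onn> - <Category>: <Name> - {<CLSID>} - <Path> [(file missing)]"
O4 startup lines differ:   "<O4> - <Hive\\..\\Key>: [<ValueName>] <command line>"
O24 desktop components end in a file:// URL instead of a path.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input copied from posts 4 and 6 of the thread (constructed test data).
SAMPLE_LOG = r"""
O2 - BHO: SXG Advisor - {54505F14-AFC2-424A-B260-962F1AFDFD78} - C:\WINDOWS\dpvtporkgr.dll
O3 - Toolbar: elfwgps - {3BF455E1-0856-4575-AEFB-FE98B34E6E2D} - C:\WINDOWS\elfwgps.dll (file missing)
O4 - HKLM\..\RunOnce: [SpybotDeletingA4320] command /c del "C:\WINDOWS\bqxomdo.dll_old"
O21 - SSODL: bqxomdo - {2C2CEAA6-A4A4-4E85-8EC2-4875441E1D1C} - C:\WINDOWS\bqxomdo.dll (file missing)
O21 - SSODL: aswmklt - {D0BC3DF8-1BEC-49C6-8D05-CEE0A74D8DC9} - C:\WINDOWS\aswmklt.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A DLL sitting directly in C:\WINDOWS (no subfolder), e.g. C:\WINDOWS\aswmklt.dll
WINDIR_ROOT_DLL = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.dll$", re.IGNORECASE)
MISSING = "(file missing)"


@dataclass
class Entry:
    section: str            # HijackThis section code, e.g. "O2", "O21"
    kind: str               # "BHO", "Toolbar", "SSODL", "HKLM\\..\\RunOnce", ...
    name: str               # display name, or the RunOnce value name for O4
    path: str               # file path, command line, or file:// URL
    clsid: Optional[str]    # "{GUID}" when the line carries one
    file_missing: bool      # HijackThis could not find the referenced file
    raw: str                # the original line, for reporting


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for one scan line, or None if it is not a HijackThis line."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    section, kind, rest = m.group("section"), m.group("kind"), m.group("rest")
    file_missing = rest.endswith(MISSING)
    if file_missing:
        rest = rest[: -len(MISSING)].rstrip()
    clsid_m = CLSID_RE.search(rest)
    clsid = clsid_m.group(0) if clsid_m else None

    if section == "O4":
        # Startup entry: "[ValueName] command line"
        bm = re.match(r"^\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$", rest)
        if not bm:
            return None
        name, path = bm.group("name"), bm.group("cmd")
    else:
        parts = [p.strip() for p in rest.split(" - ")]
        name, path = parts[0], parts[-1]
        if path == clsid:           # line ends in the CLSID, no path given
            path = ""
    return Entry(section, kind, name, path, clsid, file_missing, line)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def suspicious(e: Entry) -> List[str]:
    """Heuristic reasons (my own assumptions) why an entry deserves review."""
    reasons = []
    if e.file_missing:
        reasons.append("stale reference: file already gone, entry left behind")
    if WINDIR_ROOT_DLL.match(e.path):
        reasons.append("DLL placed directly in the Windows directory")
    if e.section == "O21":
        reasons.append("SSODL object: loaded by Explorer at logon, rare outside stock Windows entries")
    if e.section == "O24" and e.path.lower().startswith("file:///"):
        reasons.append("Active Desktop component backed by a local HTML file (wallpaper hijack)")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged raw line to its list of reasons; unflagged lines are omitted."""
    return {e.raw: r for e in parse_log(text) if (r := suspicious(e))}


if __name__ == "__main__":
    for raw, reasons in triage(SAMPLE_LOG).items():
        print(raw)
        for r in reasons:
            print("   ->", r)
```

The O4 RunOnce lines are deliberately not flagged: they are Spybot's own delayed-delete commands for a file that no longer exists, which is why the thread only asks for the O2, O3, O21 and O24 entries to be fixed. Note that the parser keeps the line text verbatim, so the output can be pasted back into a reply exactly as HijackThis printed it.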
     
  7. cjhenstra

    cjhenstra Private E-2

    I finished up all your instructions and then put my system back online yesterday. Within 2 hours, the program had returned. I am going to re-work everything in the Read & Run First instructions and will post the log files again. I might have missed removing something - obviously it is still coded in somewhere.

    Thanks.

    Colleen
     
  8. cjhenstra

    cjhenstra Private E-2

    Sorry, I missed your last post. I should have waited until I heard from you again to go back online. I thought we were done. I hope you will still help me fix this. I'll still start over and post the new log files.
     
  9. abri

    abri MajorGeek

    Hi cjhenstra,
    It sometimes takes perseverance to get rid of stubborn problems. I'll wait to hear back from you.
     
