followed Read and Run Me, still viruses, Antivirus XP

Discussion in 'Malware Help (A Specialist Will Reply)' started by phoisheaven, Oct 24, 2008.

  1. phoisheaven

    phoisheaven Private E-2

    I'm usually pretty good with keeping on top of malware, but about a month and a half ago I got the "Antivirus XP" virus and after lots of work I finally got it to go away (or so I thought). I have Windows XP, by the way.

    After cleaning the "Antivirus XP" virus, I ran: Avira Antivir, Ad-Aware, Malwarebytes Anti-Malware, Spybot S&D, Spyware Blaster, Stinger, FixBlast, and CCleaner. I use these programs regularly. I keep Avira Antivir as my "active" antivirus program and I also run Sygate Firewall.

    All programs came back with nothing so I thought all was fine. But then about a week later, I started getting timed shutdowns (System Shutdown by NT/Authority) and the system would shut down. I managed to get rid of that by doing the "Start->Run->shutdown -a" fix, but now every few days, Avira Antivir finds something new, like a trojan or something. I quarantine and delete all of them and re-run the aforementioned programs (which come back with nothing) but then the next day or a few days later, Avira Antivir will find another one!

    They are usually trojans (I think) in the windows/system32 folder (affecting files like oembios.exe) with the name TR/Dropper.gen.

    So then I came to this website for help, and I followed all the steps in the "Read and Run Me First" instructions.

    Turns out I had "Viewpoint Media Player" in my control panel so I removed that program, as instructed. Unfortunately, even after removing this program, Antivir continues to detect new viruses all the time.

    I always keep system restore disabled, if that helps shed some light on any of this.

    I have attached the SuperAntiSpyware, MalwareBytes, and ComboFix logs to this message. MGLogs zipped folder to follow...
     


    Last edited: Oct 24, 2008
  2. phoisheaven

    phoisheaven Private E-2

    ... Here is my MGLogs.zip
     


  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!


    Pre-Instructions:
    1. First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.
    2. Print out these instructions or save them to a text file so that you can operate with All Browser Windows CLOSED.

    Step 1:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Again, make sure ALL browser windows are closed when you click FIX.

    Step 2:
    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Step 3:
    Default Security Settings

    To Default Security Settings:
    For Internet Explorer 6 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up navigate to the Security Tab and click Default Level for the following:
    • Internet
    • Local Intranet
    • Trusted Sites
    • Restricted Sites.
    Click OK to exit.

    For Internet Explorer 7 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up, navigate to the Security Tab and simply click the "Reset all zones to default level" button. Click OK to exit.

    Step 4:
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    Step 5:
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  4. phoisheaven

    phoisheaven Private E-2

    Hi, thanks a lot for your help. I followed your instructions. I disabled Avira Antivir and SpywareBlaster but Avira came back on when ComboFix rebooted the computer. I ignored its "Virus Found" windows and just disabled it again, hope that's okay.

    Also, I couldn't figure out how to disable Spybot S&D (not sure if there is a way to do it) so I just left it as is.

    Here are the logs you requested. Thanks again!
     


  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your logs look good, what was it picking up?
     
  6. phoisheaven

    phoisheaven Private E-2

    Avira kept picking up these two:

    APPL/NirCmd.E.2.B application (source: C:\32788R22FWJFW\nircmd.com)
    SPR/Tool.Hide.A program (source: C:\32788R22FWJFW\hidec.exe)

    and it just picked them up again just now, before I replied to you.

    I quarantined them.
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I did not see that in your logs, anyway we need to delete that folder. Manually navigate to and delete the folder "C:\32788R22FWJFW\". If you can't delete it because of a message about something being in use then follow the below.

     
  8. phoisheaven

    phoisheaven Private E-2

    This is weird, but I don't see that folder when I open the C:\ directory in Windows Explorer. There is no message about it being in use, it just doesn't show up as a folder anywhere. I've set the options to show all hidden files/folders but still nothing. Should I run the Avenger program like you said?

    I ran a full scan with Avira Antivir, and it also found these viruses (I quarantined them all):

    C:\Documents and Settings\YOUKNOWWHO\Desktop\Combofix.exe (it thinks that is a virus, I quarantined it just in case)
    C:\System Volume Information\_restore{7DE69FFF-C7CB-4501-80E6-ED0A9C1CFFFD}\RP47\A0008717.exe
    C:\System Volume Information\_restore{7DE69FFF-C7CB-4501-80E6-ED0A9C1CFFFD}\RP47\A0008731.exe
    C:\System Volume Information\_restore{7DE69FFF-C7CB-4501-80E6-ED0A9C1CFFFD}\RP47\A0008738.com
    C:\System Volume Information\_restore{7DE69FFF-C7CB-4501-80E6-ED0A9C1CFFFD}\RP48\A0008774.EXE
    C:\System Volume Information\_restore{7DE69FFF-C7CB-4501-80E6-ED0A9C1CFFFD}\RP48\A0008790.exe
    C:\System Volume Information\_restore{7DE69FFF-C7CB-4501-80E6-ED0A9C1CFFFD}\RP48\A0008797.com
    C:\System Volume Information\_restore{7DE69FFF-C7CB-4501-80E6-ED0A9C1CFFFD}\RP50\A0009336.EXE
    C:\System Volume Information\_restore{7DE69FFF-C7CB-4501-80E6-ED0A9C1CFFFD}\RP50\A0009352.EXE
    C:\System Volume Information\_restore{7DE69FFF-C7CB-4501-80E6-ED0A9C1CFFFD}\RP50\A0009367.exe
    C:\System Volume Information\_restore{7DE69FFF-C7CB-4501-80E6-ED0A9C1CFFFD}\RP50\A0009374.com
    C:\System Volume Information\_restore{7DE69FFF-C7CB-4501-80E6-ED0A9C1CFFFD}\RP50\A0009848.exe
     
    Last edited: Oct 26, 2008
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes!

    My final instructions will address these detections.

    This is NOT a virus, it's a tool we use to remove malware. It's called a false positive from your AV. You need to download a fresh copy and leave it because if not the uninstall will not work when I post the final steps.
     
  10. phoisheaven

    phoisheaven Private E-2

    Okay. I downloaded and ran Avenger, executed the script. I looked at the log, but it was just a bunch of "wingding" characters for some reason.

    Just to make sure I understand, you want me to uninstall my current version of ComboFix, download a new copy and re-install it? I could just restore the ComboFix.exe in Avira Antivir, as it is just sitting in Quarantine right now. Or should I just uninstall, then reinstall? Thanks.
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You can't uninstall ComboFix if you quarantined it, you should restore it and then uninstall it using the command below.

    With all files/folders enabled, can you see the folder C:\32788R22FWJFW?

    Attach the Avenger log so I can see it.

     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before you remove anything I would like to confirm the folder has been deleted.
     
  13. phoisheaven

    phoisheaven Private E-2

    Just to let you know, when I tried to uninstall ComboFix, Avira Antivir came up with this:

    C:\32788R22FWJFW\hidec.exe
    Contains recognition pattern of the SPR/Tool.Hide.A program

    C:\32788R22FWJFW\NirCmd.cfexe
    Contains recognition pattern of the APPL/NirCmd.E.2.B application

    I had to disable Antivir so that ComboFix would uninstall, but it did uninstall and I deleted the ComboFix folder.

    No, I cannot see that folder. But I couldn't see it before, either. I have attached the Avenger log and left everything else as is.
     

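The folder bjgarrick asks about above is one Explorer hides even with "Show hidden files and folders" turned on, because folders carrying both the Hidden and System attributes stay invisible until "Hide protected operating system files" is also unchecked. The PowerShell below is an added example, not code from the thread or from MajorGeeks, that lists such folders from the command line and checks the folder named in this thread; it assumes PowerShell 2.0, the version available on the Windows XP system discussed here.

```powershell
# Added example (not from the thread or MajorGeeks): enumerate the folders
# directly under C:\ that carry both the Hidden and System attributes, which
# Explorer suppresses while "Hide protected operating system files" is checked,
# then check the specific folder named in the thread and list its contents.
# Written for PowerShell 2.0 so it runs on the Windows XP system in the thread.
$Root       = 'C:\'
$FolderName = '32788R22FWJFW'   # the folder named in this thread

# -Force makes Get-ChildItem include Hidden and System items.
# PSIsContainer keeps only directories (the -Directory switch needs PowerShell 3+).
# Attributes are cast to int so the bit test does not depend on enum truthiness.
$hiddenFlag = [int][IO.FileAttributes]::Hidden
$systemFlag = [int][IO.FileAttributes]::System
$hiddenSystemDirs = Get-ChildItem -Path $Root -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $_.PSIsContainer -and
        (([int]$_.Attributes -band $hiddenFlag) -ne 0) -and
        (([int]$_.Attributes -band $systemFlag) -ne 0)
    }

Write-Output "Hidden+System folders under ${Root}:"
$hiddenSystemDirs | Select-Object Name, Attributes, LastWriteTime | Format-Table -AutoSize

# Check the specific folder and show what is inside it, so AV detections
# such as the hidec.exe report in this thread can be matched to files on disk.
$target = Join-Path -Path $Root -ChildPath $FolderName
if (Test-Path -LiteralPath $target) {
    $attr = (Get-Item -LiteralPath $target -Force).Attributes
    Write-Output "$target exists with attributes: $attr"
    Get-ChildItem -LiteralPath $target -Force |
        Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize
} else {
    Write-Output "$target does not exist (already removed, or never created here)."
}
```

Running the script before and after the ComboFix uninstall shows whether the folder was actually removed, which is the confirmation bjgarrick asks for before the final cleanup steps.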

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You may need to download a fresh copy of Combofix, save it to your desktop and then uninstall using the below instructions to successfully remove everything it used.

    Disable your AV first of course due to the false positive.

    It is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we had you run Avenger, you can delete all files related to Avenger now.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    9. Go to add/remove programs and uninstall HijackThis.
    10. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    11. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    12. After doing the above, you should work through the below link:
     
  15. phoisheaven

    phoisheaven Private E-2

    Hi there. So after all of this, I found 2 icons on my desktop called "A9installer_880819.exe" and "A9installer_880819(2).exe"

    I quarantined them both. Avira Antivir said it is a "TR/Dldr.FraudLoad.vdgh Trojan"

    Am I all good, or should I do some more scanning?
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your logs look good, if you like you can run a full scan with Avira Antivir to make sure there are no leftovers.
     
  17. phoisheaven

    phoisheaven Private E-2

    Done. Looks good, thanks again!
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're Welcome!
     
