help fully removing a virus...

Discussion in 'Malware Help (A Specialist Will Reply)' started by murkywater, Mar 11, 2008.

  1. murkywater

    murkywater Private E-2

    Getting redirected from sites. The last time it did it, like 2 secs ago, the screen flashed, the start bar vanished and some message popped up in the top left corner. It flashed too quickly to read though.... Had some virus detection earlier; I think I got most of it removed, no warnings from Trend Micro antivirus for a while now....
     


  2. abri

    abri MajorGeek

    Hi murkywater,

    Please do the following:

    1) To begin with, please disable Spybot's TeaTimer. This can be done two ways.
    First:
    • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
    • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
    • If you have Version 1.4, Click on Exit Spybot S&D Resident
    or Second, For Either Version :
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go To the bottom of the Vertical Panel on the Left, Click Tools
    • then, also in the left panel, click Resident (it shows a red/white shield).
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot
    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    3) Run C:\MGtools\analyse.exe by double-clicking on it. This is really HijackThis (select Do a system scan only). Select the following lines, but DO NOT CLICK FIX until you exit all browser sessions, including the one you are reading in right now:

    O21 - SSODL: BootChk - {b39a750d-5eda-49cd-9b8c-38df243c693b} - C:\WINDOWS\Installer\{b39a750d-5eda-49cd-9b8c-38df243c693b}\BootChk.dll (file missing)
    O21 - SSODL: ServiceComponent - {30ed8dbb-afa2-4435-95b8-3c8a66b3a65f} - C:\WINDOWS\Installer\{30ed8dbb-afa2-4435-95b8-3c8a66b3a65f}\ServiceComponent.dll (file missing)
    O21 - SSODL:
    O21 - SSODL: zip - {fe5d0d49-6d45-41aa-b12f-619109dddf41} - C:\WINDOWS\Installer\{fe5d0d49-6d45-41aa-b12f-619109dddf41}\zip.dll

    After you click Fix, just close HijackThis.



    4) Download and install Erunt. Use it to create a backup of your registry.

    5) Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    6) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you log in after the reboot.
    7) Please run CCleaner.

    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log. Also, I would like to know if you get a success message for the registry patch (REGEDIT4)


    Let me know how things are running now?

    abri
     
  3. murkywater

    murkywater Private E-2

    Sorry, but I cannot complete your guide: (O21 - SSODL: ) gives an error in analyse.exe. I've attached a pic. Also, when I delete (O21 - SSODL: zip - {fe5d0d49-6d45-41aa-b12f-619109dddf41}) it comes right back... I've also tried in safe mode and got the same error....
     


  4. abri

    abri MajorGeek

    Hi murkywater,

    Are you able to complete the other instructions which follow HijackThis?

    abri
     
  5. murkywater

    murkywater Private E-2

    The Avenger ran but didn't recognize the command, so I manually deleted the file. HJT still won't remove the O21s... I have DCEBoot.exe in a WinRAR zip in case the command is wrong and you want me to retry Avenger...
     


  6. murkywater

    murkywater Private E-2

    Also, I've been getting a lot of explorer.exe errors (encountered a problem and needs to close).
     
  7. murkywater

    murkywater Private E-2

    OK, so I was messing around with HJT and found "Generate Startup log". Anyway, I ran the scan and got the following.... The Explorer.EXE kinda stuck out when I viewed it, capital .EXE? Just looked odd to me.... Thanks for all the help so far... scans below...

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\MGtools\analyse.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
     
  8. abri

    abri MajorGeek

    Hi murkywater,

    1) Explorer.EXE is normal.

    2) See if you can delete the WinRAR file which contains DCEBoot.exe.

    Then see if you can delete the following file

    C:\WINDOWS\Installer\{fe5d0d49-6d45-41aa-b12f-619109dddf41}\zip.dll

    3) After that, run HijackThis again (it's called analyse.exe in the MGtools folder), do a system scan, check the following two if they are still there, and click Fix after you exit all browsers:

    O21 - SSODL:
    O21 - SSODL: zip - {fe5d0d49-6d45-41aa-b12f-619109dddf41} - C:\WINDOWS\Installer\{fe5d0d49-6d45-41aa-b12f-619109dddf41}\zip.dll

    4) Download and install Erunt. Use it to create a backup of your registry.

    5) Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip.

    Let me know how things are running now?

    abri
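The O21 lines abri asks to be fixed in posts 2 and 8 come from the ShellServiceObjectDelayLoad (SSODL) registry key, which explorer.exe reads at logon. As an added, read-only example (not part of this thread, HijackThis or MGtools), this PowerShell script (3.0 or later assumed) lists that key the way HijackThis does, resolves each CLSID to its DLL, and flags the two things that stood out above: a DLL that is missing, and a DLL loaded from C:\WINDOWS\Installer\{guid}\. The function name is my own.

```powershell
# Added example, not from the thread. Read-only audit of the SSODL key that
# HijackThis reports as "O21 - SSODL:" lines. Each value maps a name to a CLSID;
# that CLSID's InprocServer32 key names the DLL explorer.exe loads at logon.
# Nothing is deleted; it only reports.
function Get-SsodlEntry {
    $ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    $key = Get-Item -LiteralPath $ssodl -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        # An empty value name is what shows up as a bare "O21 - SSODL:" line
        $label = if ($name -eq '') { '(unnamed value)' } else { $name }
        $clsid = [string]$key.GetValue($name)
        $dll   = $null
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        if ($clsid -and (Test-Path -LiteralPath $inproc)) {
            # Read the default value unexpanded, then expand %SystemRoot% etc. ourselves
            $raw = (Get-Item -LiteralPath $inproc).GetValue('', $null, 'DoNotExpandEnvironmentNames')
            if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw) }
        }
        $flags = New-Object System.Collections.Generic.List[string]
        if (-not $clsid)                                    { $flags.Add('empty CLSID') }
        elseif (-not $dll)                                  { $flags.Add('no InprocServer32') }
        elseif (-not (Test-Path -LiteralPath $dll))         { $flags.Add('file missing') }
        if ($dll -and $dll -like "$env:windir\Installer\*") { $flags.Add('loads from Installer cache') }
        [pscustomobject]@{
            Name  = $label
            CLSID = $clsid
            Dll   = $dll
            Flags = ($flags -join ', ')
        }
    }
}

# Show every SSODL entry, flagged ones first
Get-SsodlEntry | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize
```

Legitimate SSODL entries (for example the Windows shell's own WebCheck or PostBootReminder objects) point at DLLs under the Windows directory that exist; an entry with no flags is not proof of anything, but a flagged one is worth the kind of scrutiny abri applied here.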
     
