I need HELP! Please, I am new here!

Discussion in 'Malware Help (A Specialist Will Reply)' started by tapyouout, Feb 12, 2008.

  1. tapyouout

    tapyouout Private E-2

    First off.... This is a great forum and website with lots of info! I am pleased I found it! NOW..... Okay, I have gotten some form of malware on an older CPU used at work. I went through the complete list of READ & RUN ME FIRST posted here in the forums. I did everything as far as I know and my CPU is still infected with pop ups and redirects to certain sites. I posted my attachments below.....

    A pop up balloon continues to come up saying I have been infected with a "PSW.x-Vir trojan", if that means anything. I constantly get redirected to spyware sites. This happened after visiting a forum and clicking on a bad link to open another window up. I have also received these messages stating I have been infected with "Networm-i.virus@fp" and this one "W32.Myzor.FK@yf" and "spyware.cyperlog-x".

    If anyone could help, I NEED IT! I appreciate the help very much so and thanks in advance. Also please let me know if I provided all the necessary information. Thanks again.....
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi tapyouout!
    Welcome to Majorgeeks!


    1) Can you see anything that looks like the following in Windows Explorer?

    C:\WINDOWS\SYSTEM32\.

    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - C:\Program Files\NetProject\sbmdl.dll
    O2 - BHO: (no name) - {F5990687-2922-38E4-934B-1487789F4D46} - C:\WINDOWS\System32\cdmweb\jpdioxdvct.dll (file missing)
    O3 - Toolbar: Web Application - {81705D67-3F73-4983-859B-97D0922E5ABE} - C:\Program Files\NetProject\wamdl.dll
    O4 - HKCU\..\Run: [SOProc_RegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~1\soproc.exe -pack RegSoAlertWxLiteNnAj
    O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
    O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe

    Do the following belong to programs you know or want to keep? If not, please fix them as well.


    O14 - IERESET.INF: START_PAGE_URL=http://portal <---- does this belong to your ISP or Computer manufacturer?
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vegas.jensenprecast.com
    O17 - HKLM\Software\..\Telephony: DomainName = vegas.jensenprecast.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vegas.jensenprecast.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = vegas.jensenprecast.com

    After you click fix, just close hijackthis.

    4) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    5) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
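    An added example, not from this thread and not part of HijackThis or MGTools: a small Python parser for the O2/O3/O4 lines abri lists, mapping each entry to the registry location that "Fix" removes it from (the standard Windows BHO, toolbar and Run keys, stated here from general knowledge) and flagging entries that load from the NetProject directory or point at a file that is already missing. The report lines are copied from the post above; the flagged-directory list is an assumption for the demo.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Standard registry locations behind each HijackThis section: O2 = BHOs keyed by
# CLSID, O3 = IE toolbars (CLSID-named value), O4 = autostart Run keys.
O2_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
O3_KEY = r"HKLM\Software\Microsoft\Internet Explorer\Toolbar"
O4_KEYS = {r"HKLM\..\Policies\Explorer\Run": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
           r"HKCU\..\Run": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"}

# Report lines copied from abri's post above (the entries the poster was told to fix).
REPORT = r"""
O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - C:\Program Files\NetProject\sbmdl.dll
O2 - BHO: (no name) - {F5990687-2922-38E4-934B-1487789F4D46} - C:\WINDOWS\System32\cdmweb\jpdioxdvct.dll (file missing)
O3 - Toolbar: Web Application - {81705D67-3F73-4983-859B-97D0922E5ABE} - C:\Program Files\NetProject\wamdl.dll
O4 - HKCU\..\Run: [SOProc_RegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~1\soproc.exe -pack RegSoAlertWxLiteNnAj
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
"""

@dataclass
class Entry:
    kind: str             # O2, O3 or O4
    name: str             # BHO/toolbar display name, or the Run value name
    clsid: Optional[str]  # {GUID} for O2/O3, None for O4
    path: Optional[str]   # binary the entry loads, if one could be found
    reg_key: str          # where HijackThis "Fix" deletes the entry from
    file_missing: bool    # HijackThis reported "(file missing)"

_BHO_RE = re.compile(r"^(?P<kind>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
                     r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
_RUN_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_EXE_RE = re.compile(r"[A-Za-z]:\\.*?\.exe", re.IGNORECASE)  # first drive path ending in .exe

def parse_line(line: str) -> Optional[Entry]:  # O2/O3/O4 only; other sections give None
    m = _BHO_RE.match(line)
    if m:
        key = O2_KEY + "\\" + m["clsid"] if m["kind"] == "O2" else O3_KEY
        return Entry(m["kind"], m["name"], m["clsid"], m["path"], key, m["missing"] is not None)
    m = _RUN_RE.match(line)
    if m:
        exe = _EXE_RE.search(m["cmd"])  # copes with plain paths and rundll32 wrappers
        return Entry("O4", m["name"], None, exe.group(0) if exe else None, O4_KEYS.get(m["key"], m["key"]), False)
    return None

def parse_report(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e]

def suspicious(entries: List[Entry], bad_dirs=("\\NetProject\\",)) -> List[Entry]:
    """Entries loading from a flagged directory, or whose file is already gone (orphaned)."""
    return [e for e in entries if e.file_missing or (e.path and any(d in e.path for d in bad_dirs))]
```

An orphaned "(file missing)" entry is inert on its own, but it still shows where something was loading from, which is why it gets fixed along with the live ones.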
     
  3. tapyouout

    tapyouout Private E-2

    okay... thanks for the reply! I just did everything you instructed to the tee in your post, only thing is when I ran the last step (MGtools) it terminated the process half way through. I still believe I found the log and have attached it along with the avenger one as well. Let me know if I provided the correct logs and info.

    I just did these steps and actually in the 10 minutes since running these steps I have not received any pop ups or redirects... YET. I'll let you know what happens... also, if this did clear things up, are there any other additional steps to take? Thanks again for the help too!

    Also pasted below are programs I had to keep for work.....

    O14 - IERESET.INF: START_PAGE_URL=http://portal <---- does this belong to your ISP or Computer manufacturer?
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vegas.jensenprecast.com
    O17 - HKLM\Software\..\Telephony: DomainName = vegas.jensenprecast.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vegas.jensenprecast.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = vegas.jensenprecast.com
     

    Attached Files:

  4. abri

    abri MajorGeek

    Hi tapyouout,

    Please go back to the READ & RUN ME FIRST and scroll down to the bottom of the page and click on the link for your operating system. On the next page, find the link for MGTools and reinstall it over the old one. Then try running it again and see if it will run to the end. I would like to check the logs to make sure those things were deleted that should have been deleted. Sometimes it takes longer to run than others and you need to wait. However, it shouldn't take more than 10 minutes. After you reinstall the MGTools, please post the MGlogs.zip you get from running MGTools.exe.
    Thanks.
    abri
     
  5. tapyouout

    tapyouout Private E-2

    Okay I had to get an update of Microsoft .Net Framework in order for MGtools to run fully. It did and I attached the log below.

    My system is running great after doing everything you recommended, however it still is a little slow, but no more spyware or malware that I can tell at least. I just want to make sure everything is out, thanks again for your help and let me know what you see!
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi tapyouout,
    With your first post you attached the MGlogs.zip. Since then you haven't been able to deliver the complete set of logs. Please follow the instructions for reinstalling MGTools.exe which can be found as described in post 4 and post a new set of MGlogs.zip. The individual logs won't give me enough information to make sure the malware is out of your computer. The logs can be found directly under C as a file. If you scroll down until you come to the superman icon, the logs will be the file just above this.
    Thanks.
    abri
     
  7. tapyouout

    tapyouout Private E-2

    Sorry about that.... let me know if this works!
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi tapyouout,
    I don't see any further signs of malware. As part of the final clean-up instructions, we'll have you remove all the things we installed on your computer and if you don't want to buy AVG Antispyware, just remove that via add/remove programs. After you complete the below instructions, you may want to defrag and ask for recommendations regarding things being slow in the Software Forum. You don't have an unreasonable number of programs running at startup. You do still have a lot of temp files. Be sure to run CCleaner whenever you finish with the internet. You can also use this as a registry cleaner, but I recommend doing the below instructions first which include deleting all previous restore points and setting a clean one. That way if you delete a registry entry you need, you can go back to this new restore point.
    abri
     
