Idk what the virus is but my hijack file is inside.

Discussion in 'Malware Help (A Specialist Will Reply)' started by tony82x, Jun 5, 2008.

  1. tony82x

    tony82x Private E-2

    Every time I start my computer my background is changed and it says I have spyware and that I need to remove it. Also my screen saver is roaches eating the screen and I can never change it. Please help.
     

    Attached Files:

    Last edited by a moderator: Jun 5, 2008
  2. abri

    abri MajorGeek

    Hi tony82x,
    Welcome to Major Geeks!


    I'm making a bug collection, so if you'd like to contribute, please attach a screen shot of the bugs with your next post. Then please continue as follows:

    Go to the READ & RUN ME FIRST and work through all the instructions. If there is something you can't do, just make a note of what happens to tell us later and then continue on. When you're finished, use the Manage Attachments button down below the reply window to attach your logs. If you get all four logs, you'll need to post twice, because you can only attach three logs with each post.

    Thanks.
    abri
     
  3. tony82x

    tony82x Private E-2

    I have done everything in the Read Me section and nothing. My background still changes but no bugs anymore. I did get you bugs for your collection! :-D
     

    Attached Files:

  4. tony82x

    tony82x Private E-2

    Here are the rest of the logs.
     

    Attached Files:

  5. abri

    abri MajorGeek

    OH! GRUESOME! :-D
    Thanks! These are going to be the viruses that go down in history! I bet you could sell that picture!

    As for your logs, I've started looking at them, but it will probably be tomorrow before I can post the next instructions.

    One thing I see is that MalwareBytes did not fix what it found. Please rerun it and make sure it fixes anything it finds.
    Also, I need the MGlogs.zip. If you've already installed and run them, the logs will be a file called MGlogs.zip directly under C:\
    If you didn't install them, please get them at USING MG TOOLS

    abri
     
  6. tony82x

    tony82x Private E-2

    Here are the MGlogs you wanted, and I also ran another scan; I put that log in too. Can't wait to crush this thing! lol
     

    Attached Files:

  7. abri

    abri MajorGeek

    Hi tony82x

    Just don't stomp on the screen to kill them!



    I'm wondering if the following file is the picture, since it seems to have come in with the malware. If you zip it and attach it before I have you delete it in the combofix below, I can take a look at it.

    C:\WINDOWS\system32\phc3cwj0ecec.bmp



    Then, please do the following:



    1) Go to add/remove programs and uninstall the below:

    Java(TM) 6 Update 5
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player


    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select Do a system scan only. In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: WhiteSmoke IE Toolbar - {ebba2a2f-7b79-462a-a550-e500fe0dd556} - C:\Program Files\WhiteSmoke_IE\tbWhi1.dll (file missing)
    O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O3 - Toolbar: WhiteSmoke IE Toolbar - {ebba2a2f-7b79-462a-a550-e500fe0dd556} - C:\Program Files\WhiteSmoke_IE\tbWhi1.dll (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [lphc3cwj0ecec] C:\WINDOWS\system32\lphc3cwj0ecec.exe
    O4 - HKLM\..\Run: [CyberDefender Early Detection Center] "C:\Program Files\CyberDefender\AntiSpyware\ISSIntro.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Program Files\CyberDefender\AntiSpyware\cdas44.exe" /minimize



    Optionally fix the following as well.

    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Anthony\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)


    After you click fix, just close hijackthis.


    4) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):


    Code:
    KILLALL::
    
    DRIVER::
    CDAVFS
    
    FILE::
    C:\WINDOWS\st_affiliate.ini
    C:\WINDOWS\av_affiliate.ini
    C:\WINDOWS\as_affiliate.ini
    C:\WINDOWS\system32\drivers\CDAVFS.sys
    C:\WINDOWS\system32\lphc3cwj0ecec.exe
    C:\WINDOWS\system32\phc3cwj0ecec.bmp
    C:\Program Files\CyberDefender\AntiSpyware\cdas44.exe
    C:\WINDOWS\system32\lphc3cwj0ecec.exe
    C:\Program Files\CyberDefender\AntiSpyware\ISSIntro.exe
    C:\Program Files\WhiteSmoke_IE\tbWhi1.dll
    C:\WINDOWS\SET39.tmp
    C:\WINDOWS\SET44.tmp
    C:\WINDOWS\SET4F.tmp
    C:\WINDOWS\SETEF.tmp
    C:\Documents and Settings\Anthony\Local Settings\Temp\toasterWrite1.html
    C:\Documents and Settings\Anthony\Local Settings\Temp\toasterWrite2.html
    
    FOLDER::
    C:\Documents and Settings\Anthony\Local Settings\Application Data\CyberDefender    
    
    REGISTRY::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{EBBA2A2F-7B79-462A-A550-E500FE0DD556}"=-
    [-HKEY_CLASSES_ROOT\clsid\{ebba2a2f-7b79-462a-a550-e500fe0dd556}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{EBBA2A2F-7B79-462A-A550-E500FE0DD556}"=-
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CyberDefender Early Detection Center"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "lphc3cwj0ecec"=-
    "CyberDefender Early Detection Center"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ebba2a2f-7b79-462a-a550-e500fe0dd556}]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR\0000]
    
    [-HKEY_CURRENT_USER\Software\Kazaa]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below.


    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    5) Now run CCleaner at the default setting with the Windows tab as the top one.

    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log.


    Let me know how things are running now?

    abri
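    The CFScript in step 4 above is a list of deletions ComboFix carries out. As an added example (not from the thread, and not ComboFix's own code), here is a small Python parser that turns the script's sections and its .reg-style REGISTRY:: lines into a plain list of intended actions, so the script can be reviewed before it is dragged onto ComboFix; the function and regex names are the example's own.

```python
# Added example (not from the thread): parse a ComboFix CFScript like the one in
# post 7 and list what it will delete, so the script can be reviewed before use.
import re
from collections import Counter
SECTION_RE = re.compile(r"^([A-Z]+)::$")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")      # [KEY] or [-KEY]
VALUE_DEL_RE = re.compile(r'^"(.+)"=-$')    # "Name"=-  (delete that value)

def parse_cfscript(text):
    """Return {'sections': {name: [lines]}, 'registry': [(action, key, value)]}."""
    sections, registry, current, current_key = {}, [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"line before any section header: {line!r}")
        sections[current].append(line)
        if current != "REGISTRY":
            continue
        # REGISTRY:: uses .reg syntax: [-Key] deletes the key, "Name"=- deletes a value.
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(2)
            if m.group(1) == "-":
                registry.append(("delete_key", current_key, None))
            continue
        m = VALUE_DEL_RE.match(line)
        if m and current_key:
            registry.append(("delete_value", current_key, m.group(1)))
        else:
            raise ValueError(f"unrecognised REGISTRY line: {line!r}")
    return {"sections": sections, "registry": registry}

def duplicate_entries(parsed, section):
    """Lines listed more than once in a section (the posted FILE:: list has one)."""
    counts = Counter(parsed["sections"].get(section, []))
    return sorted(item for item, n in counts.items() if n > 1)
# Constructed sample: a subset of the CFScript posted in the thread.
SAMPLE = r"""KILLALL::
FILE::
C:\WINDOWS\system32\lphc3cwj0ecec.exe
C:\WINDOWS\system32\phc3cwj0ecec.bmp
C:\WINDOWS\system32\lphc3cwj0ecec.exe

REGISTRY::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lphc3cwj0ecec"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
"""
```

    Calling parse_cfscript(SAMPLE) yields one delete_value action for the Run entry and one delete_key action, and duplicate_entries(..., "FILE") reports the .exe path that the posted script lists twice.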

     
  8. tony82x

    tony82x Private E-2

    I'm going to go through all that right now, but before I do, the bugs are back. Like it got infected again.
     
  9. tony82x

    tony82x Private E-2

    I don't know what you mean by zip it. I'm not much of a computer whiz, but I did put that command in the prompt and the file that is attached is what it gave me.
     

    Attached Files:

  10. tony82x

    tony82x Private E-2

    Ok well I did everything you said but still nothing. It seems that I cannot get rid of the main background thing. But once again the screen saver is changeable again, but it will probably go out again lol. The new files are included. Hopefully this isn't too serious.
     

    Attached Files:

  11. tony82x

    tony82x Private E-2

    Well now I don't have the bugs and I don't have the background change, but I cannot go to properties and change my background, like it still has control. I have taken a picture and attached it. I can get into the properties but it doesn't show the tab; it only has 4 tabs, which you will see in the included pic.
     

    Attached Files:

  12. tony82x

    tony82x Private E-2

    Sigh, just found another problem: I can no longer connect to AOL......... Ok never mind, I can now... Wow I feel like a retard posting so much, sorry. :eek:
     
    Last edited: Jun 6, 2008
  13. abri

    abri MajorGeek

    Hi tony82x,


    1) Do you know why your most recent HijackThis log would look so different from the one before it? You're missing all of your O9 and O16 entries. Did you click all of them and have HijackThis fix all of them rather than just the ones that were listed? If so, you need to start HijackThis (C:\MGTools\analyse.exe) by double-clicking on it and when the program opens, click on None of the above, just start the program. On the page that opens select Config, on the next page Misc Tools and on the next page Backups. Put back in those items which I did not ask you to remove. There's one poker entry you can leave gone.

    If you did not remove all these items, or if you're not able to restore them, please tell me.


    2) Then, please delete the contents of the following folder: (If you can't see the folder or can't delete the contents, please tell me)

    C:\Documents and Settings\Anthony\Local Settings\Temp\


    3) Then delete this folder:

    C:\Documents and Settings\All Users\Application Data\Avira

    Then I would like for you to do the following:

    4) Download and install Erunt. Use it to create a backup of your registry.

    5) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    6) Please do the following:


    Download Registry Search (see the link titled RegSearch Download Link )
    • Extract the files from Regsearch.zip into a folder.
    • Doubleclick regsearch.exe to start the program.
    • Enter CDAVFS in the top area of the form and then click "Ok".
    • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply.


    7) Now run CCleaner at the default setting with the Windows tab as the top one.

    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the RegSearch log.

    Also, please let me know if you get a success message with the registry patch (REGEDIT4).
    Let me know how things are running now?

    abri
     
    Last edited: Jun 6, 2008
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note to Abri.

    You need to fix the below which was shown in runkeys.txt
    This policy will prevent the Background tab from being displayed.
     
  15. tony82x

    tony82x Private E-2

    Abri, it will not allow me to delete 2 files inside (~DF23AB.tmp & ~DF2398), so I will wait for a reply before I go further. I also haven't tried to delete them in the Admin account; if you want me to do that I can try. Also I restored the files.
     
  16. tony82x

    tony82x Private E-2

    Ok I went into safe mode and still no luck, the files wouldn't show.
     
  17. abri

    abri MajorGeek

    Hi tony82x,

    I edited your registry patch in post 13 step 5 to add the entry chaslang pointed out that will fix your missing tab.

    If you cannot delete the temp files, just go on with the rest of the instructions.

    abri
     
  18. tony82x

    tony82x Private E-2

    Ok I have done all the steps up to the Regsearch. Bleepin site is down so I got it from another site. I ran the search like you said, but all I got was the search saying done with no file attached. On a good note I can get into my background settings.
     

    Attached Files:

  19. tony82x

    tony82x Private E-2

    Also I still cannot connect to AOL.
     
  20. tony82x

    tony82x Private E-2

    Ok well I got what you need. The REGEDIT4 worked; I can access my background, but now I can't connect to AOL. Is something still wrong?
     

    Attached Files:

  21. abri

    abri MajorGeek

    Hi tony82x,
    I need some more information. You had a problem connecting to AOL and then it went away. Then it came back again. What happens? Do you mean that you can't complete the login? Or is there a problem with the connection itself? Have you been using it for a long time? Has anything changed in your software, like adding a firewall, where you would need to be allowing it? Have you had any AOL updates recently?
    abri
     
  22. tony82x

    tony82x Private E-2

    Well, it was working fine when I had that virus, but it seems like I cannot connect now that there is no virus. It will dial all the way through but then it will freeze up.
     
  23. abri

    abri MajorGeek

    Hi tony82x,

    Please uninstall AOL (for your own peace of mind, make sure you make a copy of your addresses and emails to another folder or external medium, even though this is probably done automatically).

    After you uninstall AOL, reboot your computer, then reinstall AOL.

    Let me know if you can reconnect to AOL after this?

    abri
     
  24. tony82x

    tony82x Private E-2

    Ok I did all that but it's still doing the same thing as before.
     
  25. abri

    abri MajorGeek

    Hi tony82x,

    Sorry it took some time to get back to you. A few questions:

    Did Cyber Defender come bundled with your AOL software or did you download and install it yourself? What happens if you try a different dial-up number?
    Is it possible, since you had an initial problem and then it went away and then it came back, that this is a problem with either your modem or at AOL's end? Have you called them to see what they say?

    If you go back to a restore point prior to June 5th, your computer will be in the same state as when we started. We can redo the instructions from that point, but leave Cyber Defender in and see if this will get rid of the virus without getting rid of your internet connection. If you've never gone back to an earlier restore point, go to Start / All Programs / Accessories / System Tools / System Restore, check the box to Restore my computer to an earlier time and click on Next. You'll see a calendar with highlighted dates. Choose one of the dates from just before June 5th and allow your system to return to that date. This will put the virus back on your computer. See if the connection problem goes away.

    Let me know how this goes?
    abri
     
  26. tony82x

    tony82x Private E-2

    I have gotten this error message since I uninstalled AOL, and I get it every time I start up Internet Explorer.
     

    Attached Files:

  27. abri

    abri MajorGeek

    Hi tony82x,

    Please go to the MGTools folder under C:\ and find the file analyse.exe. Double click on this. When it opens, click on None of the above, just start the program. Click on Config. Click on Backups. Look for the following entry, put a check in the box, and click on Restore:

    O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)

    When you finish, just close the program.

    See if this gets rid of the error message.

    abri
     
