I'm in virus hell

Hello,
I hope someone can help because I really do look like that icon. I'm in Ireland so it's 3 am and it's just one of the many nights I've been up trying to rid my computer of viruses!! I've had the pop ups, I've had programs shutting down because of the ccApp.exe, and now I've got Trojan and farmmext and ffisearch and never know where my browser is going to take me - I don't know how my little computer keeps going. I've been step-by-step through "DO NOT POST UNTIL YOU HAVE READ THIS: How to: Spyware, Trojan And Virus Removal", twice no less!! I tried to follow Chaslang's Highjack This instructions but I don't have anything in the log that starts with R0 or R1 and none of the other ones seem to match either. Some programs tell me something's a problem and then another one will tell me it's not and vice versa. I'm getting icons appearing on my desktop and throughout my computer for things I've never downloaded - and one creepy one of a girl looking at me with sex written underneath (I'm a female which is why it's creepy as well as it's the middle of the night! ) So I know better than to attach my hjt log until asked but I'm hoping you will ask because I'm about ready to pack the whole thing in.

Hoping someone can help but I need to get some sleep now so I'll check in the morning.

Thanking you in advance,
S

 

If you are running WinXP or WinME be sure system restore is disabled and the viewing of hidden files and folder is enabled per the tutorial.

First:
Download and install Microsoft® Windows AntiSpyware during the install make sure you get any updates BUT BEFORE YOU START THE SCAN: Print or save these instructions locally now because you will have to be disconnected with no browsers open in the following steps.

Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable. Do not reconnect or open a browser again until requested.

Now allow the Microsoft Antispyware program to run a full scan. After it completes, reboot again in normal boot mode and continue the below steps.

Second:
Reconnect your internet cable, and procede:

Run these online virus scans and post results of each if possible:

TrendMicro Online Scan
Bitdefender online scan
RavAntivirus online scan <-- select Auto Clean then click Scan My PC
TrojanScan online scan

After doing the above, Reboot and procede to attaching a HJT log.

Third:

• Download HijackThis 1.99.1

• Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

• Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file.

• Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

• Run HijackThis and save your log file.

• Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post).

• Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

 

Hello again bjgarrick,

Thanks for replying so quickly and for your help. Well, I've done all that now and here is my hjt log and one of the other logs (as I could only add one more attachment) - let me know if I've included enough. My computer runs on Win 2k and 256mgs ram, if that helps. I still have AVG running and it's still alerting me that new trojans especially are getting in as I'm doing the scans. I await your thoughts.

Thanks again,
S

 

Did you run Microsoft AntiSpyware? If so, what were the results? What version program and what version definitions do you have installed?

Scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll (file missing)

O4 - HKLM\..\Run: [WebRun] C:\WINNT\system32\web.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [krkarhs] c:\winnt\system32\krkarhs.exe
O4 - HKCU\..\Run: [WebRun] C:\WINNT\system32\web.exe

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

C:\WINNT\Isrvs ←–– Delete this whole folder if it exist!

C:\WINNT\System32\web.exe

C:\WINNT\System32\krkarhs.exe

NEXT:
Run CCleaner and Spybot S&D and have Spybot fix what it finds.
Note: Dont forget to update Spybot S&D by selecting "Search For Updates"

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

Reboot to Normal Windows

FINAL STEP

Reset Web Settings & Default Security Settings:


To Reset Web Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


To Default Security Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


Scan with HijackThis and attach the new log.
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

Good Luck!

 

Good morning,

I had forgotten to try and get a report from Microsoft Anti-Spyware but I know there was at least 5 Trojan viruses. So I ran it again this morning because there's still lots of things happening on my computer and couldn't find how to run a report so I just did a screenshot and have included it. I also ran Hijack This as you said in your reply and included it because as you will see, it's changed quite a bit - I have the R0 files now. Unfortunately, I don't have time to do the rest right now and probably won't until Tuesday night my time, so if you have any more advice from this latest hjt log, I would appreciate it and will do it asap.

Also, still getting icons as you will notice a couple of spyware ones on the left side of the jpg that I didn't have anything to do with. Is it possible that the virus is putting my security levels to low?

Thanks again,
S

 

What version of Microsoft AntiSpyware are you running?
Your MA version should be Version: 1.0.509

What version spyware definitions are you running?
Your Spyware Definitions should be 5703

 

I didn't realize I had to update Microsoft AntiSpyware so quickly as I'd just downloaded it, but there you go - I had the right version but not the updated definitions. So I've done that and run it again but the last 2 times it's said there was nothing there, yet when I run Hijack This, those little buggers are still there. Did you have a chance to look at the second log I sent.

I really appreciate this and hope I'm not being too much of a pain in the behind - like the virus is to me

Thanks
S

 

Again, be sure you have the updated definitions. Check for updates right now to be sure, then reboot into Safe Mode with System Restore disabled.

Do one last scan with Microsoft AntiSpyware in Safe Mode, remove all found infections. Reboot and post a current HJT log.

 

Right we'll try this again. I don't have XP so I assume I don't disable system restore or is there somewhere to find this because I couldn't see it. There were 4 files deleted by Microsoft AntiSpyware but I can't see how to save a log from there. I've attached the hjt log. I also noticed the backups file in hjt that has all the files that I deleted before, should I be deleting those as well.

My head is spinning from all this....

Thanks for your time.

S

 

Before we do anything else I want you to uninstall Norton or AVG. Pick one because running both will cause conflicts.

 

Please download DelDomains and unzip it to your desktop.

Find the file from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.


Please follow every step as is!
Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

NOW:
Please look in Add or Remove Programs for the following and Uninstall them if found:

Isrvs

Edit Pad

Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/skelly1/My%20Documents/adventure_website/i ndex.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/skelly1/My%20Documents/adventure_website/i ndex.html

O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Navigate to and DELETE the following if they should remain:

C:\Program Files\Edit Pad ←–– Delete this whole folder if it exist!

C:\Documents and Settings\skelly1\My Documents\adventure_website ←–– Delete this whole folder if it exist!

C:\WINNT\isrvs ←–– Delete this whole folder if it exist!

NEXT:
Run CCleaner

Reboot to Normal Windows , Scan with HijackThis and attach the new log.

 

Hi again,

Well, I followed your instructions until I came to the bottom where it said deleting adventure_website and Edit Pad. I'll do it again and erase them if I have to but I'll just say first that the adventure_website is my own and Edit Pad is just a note pad program I've used for years but it could be that I downloaded a newer version and didn't like it but left it in there - I can delete that. And I can go in and delete my website folder and delete everything but the pictures - will that work? As I said I'll do as you say just don't want to delete things I don't have to. Though I will say that when I rebooted - after cc cleaner - I went to "run" to get notepad and my adventure_website index.html was in there and usually everything is cleared out so that doesn't sound good. There was also more antivirus icons on my desk that I didn't download - Virus Hunter Security and Spyware Avenger.

Awaiting your thoughts I'll be out of your hair soon I hope.

 

If you know the software and are familiar with it, its ok to leave it!

Attach a current HJT log so I can confirm your clean

 

Omigod!! It's getting worse - I deleted everything but the pictures from my website folder and took everything but the old edit pad .exe. Other than that I did everything you said and as soon as I reboot normally I can see a flash of a couple of browser windows and those 2 icons come back on my desktop and AVG and Microsoft AntiSpyware start going crazy telling me about all the viruses that are on or trying to get in. As well the computer is getting really slow - even typing this has been painful - and there's a whole lot more in the hjt log.

Microsoft AntiSpyware runs as soon as I come online and this is what it found just now - I'm not putting the whole name just in case:
IE Trusted Zone Hijack (Spyware)
Ceres
Cliks
and I put this site in as my homepage and it says it's a high risk any suggestions as to what I should put?

All I can say is

Okay, here's the log again.

You're very sweet for going through this with me - I just want my poor little computer to be rid of this!!

 

Before we do anything else,

Run these online scans!
TrendMicro Online Scan
Symantec Online Scan
Panda Online Scan
RAV AntiVirus Online Scan
ComputerAssociates Online Scan
Bit Defender Online Scan
Command On Demand Online Scan
Freedom Online Scan
AhnLab Online Scan
PCPitStop Online Scan

Post results if you can of anything found/removed.

 

Hi again,

I've been hiding in safe mode - my computer was overrun with things and I couldn't even run the online scans, so I retreated into safe mode with networking and started to run the list you sent. I forgot to run it for the first one but I got a few and then the rest were all clear. I also cleaned a bunch of things off in HJT so that seemed to help. I'm going to upload the hjt log that I just did here in safe mode and then I'll do another one when I go back into the scary side. It may take a couple of replies to upload the reports I got.

Thanks again,
S

 

Here's the other 2 reports - Trend was the first one I did but didn't get a report - it had all the usual suspects. I also ran registry cleaner and that cleared some too.

I think I'm going to stay in safe mode until I hear from you - don't want to mess up my hard work. Between my real job and having a life, this has taken a long time. So I'll run Trend again now and see if I come up with anything and wait to hear your advice.

Cheers.

 

Attach a fresh HJT log so we can be sure no baddies are set to startup.

Also, just to be sure lets do the following:

Download Generic Detection Tool - NT/2000/XP


NOW:

Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

The tool should generate a long text file. Attach this log as an attachment to your post.

 

I can't believe it - I think we've finally killed it!! But I'll let you be the judge - I've attached the log.

But when I try to run the generic detection tool I get message
"16 bit MS-DOS Subsystem
C:\WINNT\system32\cmd.exe
C:\PROGRA~1\Symantec\S32EVNT1.DLL. An installable Virtual Device failed Dll initialization. Choose 'Close' to terminate the application." Then an option to ignore or close. I tried both and each time it said that it would take several minutes but to wait until the log appeared. Again both times I waited for over 10 minutes and nothing, maybe I have to wait longer but which option should I be clicking?

 

Your HJT log looks ok, about the other I see no need in it anymore.

Are you having any further problems?

 

Good morning,

Everything seems to be running well so far. Just a couple of little things that may be nothing to worry about - I've gotten a couple of "about: blank" pages but I thought that might be more about my security level on browsers. And also, I can't interact with sites where they have a drop down calendar or destination - it won't insert it into the form it's supposed to, but I've had that problem for a long time. So unless you can give me advice about those things, I think we've sorted this.

Thank you so much for all your help, patience and quick responses - it's great to know help is close at hand.

Take care,
S

 

Your Welcome!

About your other minor problems, I recommend your posting this in the Software Forum. Those guys will get you all fixed up.

Good Luck!

You should see this article on How to Protect yourself from malware!