Major Malware Problem!

Discussion in 'Malware Help (A Specialist Will Reply)' started by onesweetypie, Jan 18, 2006.

  1. onesweetypie

    onesweetypie Private E-2

    Hi,
I have read the "READ & RUN ME FIRST before Asking for Support" thread. I am not done because I ran into some difficulties during Step 5. During Step 5 I tried to run Microsoft AntiSpyware but it's giving me an error. One pop-up window says "Unexpected Error; Quitting". I have provided a screenshot of the other pop-up window below.
    http://img66.imageshack.us/img66/2021/mantispywareerror0wc.png
I can only run Microsoft AntiSpyware in normal mode. I cannot run it in Safe Mode at all. What should I do then?

I also have some questions about step 5. I ran Spybot Search & Destroy but I didn't run Recovery because the instructions didn't state to do so. Was I supposed to, although you didn't specify it? Also, what are SD Helper Function and Teatimer? I didn't see either one anywhere. I am aware I am supposed to use SD Helper Function and not the Teatimer. I just would like to know where they are so I make sure I follow the directions.

    Thanks for your time.
     
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run MSAS in Normal Mode if it will not run in Safe Mode.

In Spybot click on Mode in the Menu and select Advanced Mode. Click on Tools in the left window, select Resident. Make sure there is a check mark in the box next to "SDHelper" and that the box next to "TeaTimer" is unchecked. Then exit Spybot.

    SDHelper is a bad download blocker for IE.
     
  3. onesweetypie

    onesweetypie Private E-2

    Thanks for the help. Unfortunately, Spybot will not let me check "SDHelper" but it will let me check "TeaTimer". Why is this happening? I only tried to click the "TeaTimer" to see if the "SDHelper" was the only box that would not let me check it. I unchecked it afterwards.

    Off topic!
    How do I subscribe to this thread? Thanks.

    Oh darn, I accidentally double posted, sorry! Can you double post?
     
  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I removed the double post for you.

    Don't worry about SDHelper right now, just continue on with the scans.

    When you created the thread you were automatically subscribed.
     
    Last edited: Jan 22, 2006
  5. onesweetypie

    onesweetypie Private E-2

    Thanks for removing my double post.

I continued with the scans as you instructed. The Bitdefender and Panda ActiveScan made me install them before I could scan. Is this normal, because you didn't mention anything about installing in your READ & RUN ME FIRST thread? I attached a log of the bdscan and HijackThis. I couldn't find anywhere stating to save the Panda ActiveScan log. (It was really hard to find anything since the scan was in a pop-up window. It didn't have scrollbars for me to see everything in the window and I couldn't enlarge it.) It just pulled up 19 Spyware and nothing else. I also went ahead and attached the Microsoft AntiSpyware log.

    It seems everything isn't gone yet since the Panda ActiveScan pulled up 19 Spywares.

    How do I find the thread through my control panel without having to search for it or going into my email?
     

  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  7. onesweetypie

    onesweetypie Private E-2

    Oh sorry about that but I did not try to disable anything with MSconfig. How would I make sure I don't disable anything?

I only used MSconfig because I couldn't get it to go into Safe Mode with the F8 button.
     
  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Open MSConfig and make sure it is set to normal startup and nothing is disabled.
     
  9. onesweetypie

    onesweetypie Private E-2

    I didn't disable anything. I didn't notice that when I selected Safe Mode it automatically selects "Selective Startup" in the General Tab. After I try to go back into Safe Mode using the msconfig, it automatically selects "Selective Startup" when I click on Safe Mode. I have tried clicking "Normal Startup" while clicking Safe Mode but it won't work. What do I do then?

    Also, does it matter if I select to run everything in Administrator or a user account?
     
  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Stop using MSConfig to get into Safe Mode, you should be able to use F8 at system boot to get into Safe Mode. You can't select Normal Startup and Safe Mode together in MSConfig.

If the user account has administrator privileges it will clean most of the system. You will still need to run the cleaning procedures under the other user accounts to clean anything that may be hiding under those accounts.

    I need a HijackThis log from Normal Mode under Normal Startup.
     
  11. onesweetypie

    onesweetypie Private E-2

    I figured I couldn't select Normal Startup and Safe Mode together in MSConfig, but since I'm not that knowledgeable when it comes to computers I wouldn't know. Thanks for confirming it.

    Oh, I have only one user account and it has administrator privileges.

I'm running the Panda Scan and it's taking a while. I was wondering how do I get a log of the scan? The last time I scanned I couldn't find how to pull up a log. It pulled up something about a Profile in a pop-up window, but the scan isn't done. I'm able to select "Outlook" and "tmp" something. Is this how you get a log or no? (I didn't close it out, I'm just using my computer at work to post this.)
     
  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Just scroll down the page, there should be a button you can click to save the log.
     
  13. onesweetypie

    onesweetypie Private E-2

    I found it, thanks. I know why I couldn't find the button to save the log, I couldn't maximize the window at all last time when I scanned it in Safe Mode.

    Anyways, I followed the directions for the Smitfraud, SpySheriff, SpyAxe & PSGuard Removal and Running Spy Sweeper.

    I have attached both logs and a new HijackThis log.

    ...My computer has major lag after I ran the Spy Sweeper. I am also having difficulty opening up the IE by just clicking on the icon. I had to right click and click open IE.

I am also having trouble posting this post. Never mind, I figured it out. Spy Sweeper was causing the lag. I closed out the window but I guess that doesn't close it out permanently. I had to close it out by right clicking the icon near the time display. Was I supposed to close this out, because it said something similar to "Spy Sweeper cannot protect you from threats if you close it out"?

I don't notice a difference yet because it's only been a short while since I ran everything.
     

  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Scan with HijackThis and Fix the following:
    Download
    - Pocket Killbox
    - ExplorerXP

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note that many of the files in the list below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Now let's reset your web settings. How to Reset Web Settings

    Post a fresh HijackThis log.
     
  15. onesweetypie

    onesweetypie Private E-2

    I followed the instructions and did everything.

In the middle of deleting the items in Killbox.exe, AVG pulled up a virus.

    I posted a new HijackThis log as you requested.
     

  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your log is clean.

What file did AVG alert on, and what virus was it?

How is your computer running?
     
  17. onesweetypie

    onesweetypie Private E-2

    There is a screenshot of the virus from AVG below.

    The computer is running ok but I haven't really been on it that long.

    How would I know all the viruses and spyware have been removed? Also, I don't know anything about firewalls but I was wondering what do you recommend?

    http://img89.imageshack.us/img89/642/zvirus0124064ra.png

    I selected "delete file" when AVG asked me what I wanted it to do. But who knows if it really did delete.
     
  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

That's a virus file. Double check in Windows/System32 to see if it was deleted.
     
  19. onesweetypie

    onesweetypie Private E-2

    It has been deleted. Am I good to go now?

    The computer seems to be running fine for now but who knows how long that will last.

    How would I know all the viruses and spyware have been removed? Also, I don't know anything about firewalls but I was wondering what do you recommend?

    Thanks for all the help, I greatly appreciate it. :]
     
  20. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  21. onesweetypie

    onesweetypie Private E-2

    I scanned and attached the WinPFind.txt.
     

  22. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Close MSAS and SpySweeper, and run Hoster.

    You can delete the following files:
Your system should now be clean.

    How is your computer running?
     
  23. onesweetypie

    onesweetypie Private E-2

    ...I never had Spysweeper running. How would I close it if I don't see the icon near the time display?

    I deleted the files already. Hopefully, I didn't have to run Hoster before deleting them. >.<
     
  24. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    These are the programs that run at system start, on your system:
    Both of these will block fixes to the HOSTS file if they are left running.
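An added check, not from the thread or its helper: a small Python audit of a Windows HOSTS file of the kind Hoster resets, flagging every mapping other than localhost to loopback (the hosts content is a constructed sample, and the domain names in it are placeholders).

```python
# Added example (not from the thread): audit a Windows HOSTS file before and
# after a reset tool such as Hoster is run. Malware often edits HOSTS to block
# security sites (mapping them to loopback) or redirect them elsewhere, so the
# check flags every mapping except the legitimate localhost -> loopback entry.
import ipaddress

# Constructed sample HOSTS content for demonstration (not a real capture).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.example-antivirus.test   # constructed: blocked site
10.0.0.5        update.example-vendor.test   # constructed: redirected site
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS text, skipping comments/blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:  # one address may be followed by several names
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text):
    """Flag every mapping except localhost -> a loopback address."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if name == "localhost" and addr.is_loopback:
            continue  # the one entry a stock Windows HOSTS file contains
        if addr.is_loopback:
            findings.append((ip, name, "site blocked via loopback"))
        else:
            findings.append((ip, name, "redirected to non-loopback address"))
    return findings


if __name__ == "__main__":
    for ip, name, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"{name:35} -> {ip:15} {why}")
```

On a real machine, read C:\WINDOWS\system32\drivers\etc\hosts and pass its contents to suspicious_entries; an empty result means only the stock localhost line remains.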
     
  25. onesweetypie

    onesweetypie Private E-2

Ohhh! I already closed those after startup. The Spysweeper was lagging the computer so I closed that and I think another user closed MSAS.

    Is it safe to run Hoster now? I just want to make sure. Thanks!
     
  26. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Yes run Hoster.
     
  27. onesweetypie

    onesweetypie Private E-2

    Alright thanks! I ran Hoster and everything seems good. No viruses have popped up so far.

I have a question. Why did I have to delete the convert.exe? Was it contagious or infected?

    Do I keep all the programs I downloaded?

    Thanks for all your help! I greatly appreciate it!
     
  28. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  29. onesweetypie

    onesweetypie Private E-2

Oh. Is there any way of knowing if the file was infected to begin with or it became infected? I'm asking because I share the computer with two other users and they plan on downloading the program again. I wanted to make sure it was safe. Here is the website they plan on downloading it from: http://joshmadison.net/software/convert/

    My System Restore has been disabled since I ran the "READ ME..." thread? So do I just enable it? Or would I have to enable, disable and then enable it?

    Which one of these firewalls would you recommend?
    ZoneAlarmFree
    Outpost Firewall Free
    Kerio Personal Firewall
    Sygate Personal Firewall Free

This may seem like a stupid question...but once I download a firewall is the firewall automatically up or do I have to set it up or something? I don't really know much about firewalls since I'm not very computer literate.

    Last Question...may I delete all the log files on the desktop or do I still need them?
     
  30. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    It may have been replaced by the infected version. I know the program you are talking about at that web site and it is legit. Pretty good little program.
    Just enable your System Restore.
    Zone Alarm Free is very good and requires less user interaction than the others. When you first start ZoneAlarm it will ask if you want it to automatically detect software on your system. It will configure the Windows services for you automatically. You have to grant access for all other programs. You can do this at the time you run the program, Zone Alarm will ask you what you want to do when you run the program.
     
  31. onesweetypie

    onesweetypie Private E-2

    Thanks for answering my questions.

...I have bad news. How about I'm infected again?! Another one of the users on the computer downloaded Edonkey and that was a very bad idea.

    So should I rerun everything in the READ ME thread or just run HiJackThis? I ran Spysweeper, MSAS, and Ad-Aware for now because it was pretty bad.
     
  32. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Uninstall Edonkey; then run the scans again.
     
