Need help with Virus problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by naz256, Jan 5, 2007.

  1. naz256

    naz256 Private E-2

    Hey,

    I unwittingly downloaded a virus from P2P network, Shareaza, and now it's creating problems on my computer. First of all it kept on opening Shareaza even though I had closed it (I have now uninstalled Shareaza). I then realised folders had been created which contained hundreds of ZIP files of different names (virus replicating I assume?). Other files have also appeared in my common files named {F8245F9A-07C6-2057-1030-02021115002c} and it contains an exe file "Update.exe". I have Windows Defender and every now and then it identifies something called ClickSpring.PuritySCAN. I have run the programs as suggested by Majorgeeks, but this has not managed to fix the problem. I have attached the necessary logs. Any advice would be much appreciated.

    Many thanks
     

    Attached Files:

  2. naz256

    naz256 Private E-2

    Here are the rest of the logs. My BitDefender log seems to be too big and I can't upload it.
     

    Attached Files:

  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox
    - ExplorerXP

    Using Add or Remove Programs in the Control Panel; uninstall the following:
    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop.
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to COM+ Messages ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    COM+ Messages

    In HJT Choose Open the Misc Tools Section choose Process Manager, Highlight:
    Choose Kill Process.

    Click on the "Back" Button.

    Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post fresh HijackThis, GetRunKey, and ShowNew logs.

    Post a BitDefender Online log.
     

    Attached Files:

  4. naz256

    naz256 Private E-2

    Shadow, many thanks for replying and for your help. Just one thing, after I have created the FixReg.reg file I double click to open to it, but I am then asked which program I want to use to open it, rather than whether to merge or not. Which program do I use?
     
  5. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi, in lieu of Shadow being online at present and to help you move forward with the removals process, I'll jump in for just the question above,

    When you have pasted the text in the quote box into Notepad, click Save As, and paste or type FixReg.reg in the File Name box, then in the Save As Type box choose All Files then click Save.
     
  6. naz256

    naz256 Private E-2

    Hi Halo,
    I did as you said, but the same thing happens. I noticed that as I go to save as, there is an encoding option which is set to ANSI. Do I have to change this perhaps?
     
  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Disable ANSI encoding, a reg patch file is an ASCII text file.
     
  8. naz256

    naz256 Private E-2

    Hi guys, sorry for continuing to be a total ignoramus, but I'm still having problems with this FixReg.reg file. When I go to 'Save As Type' I change it to 'All files'. I then have one of four encoding options: 'ANSI', 'Unicode', 'Unicode big endian' and 'UTF-8' which one should I select?
     
  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Just leave it set to ANSI, that's the default encoding format.
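    Saving a registry patch with the right header and encoding, and knowing what it will do before merging it, comes up repeatedly in this thread (posts 3, 5, 7 and 9). The Python script below is an added example and not code from MajorGeeks, from the helper, or from any tool named above: it reads a .reg file, reports whether it is regedit's own UTF-16LE format or Notepad's ANSI text, checks for a header regedit accepts, and lists the keys and values the patch would create or delete, flagging any that sit in common autostart locations. The sample patch and the names ExampleSvc and ExampleLoader are constructed; treating a BOM-less file as cp1252 "ANSI" text is an assumption.

```python
"""Inspect a Windows .reg patch before merging it. Added example for this thread,
not code from MajorGeeks or any tool named above; the sample patch and the names
ExampleSvc / ExampleLoader are constructed. Assumption: a BOM-less file is
Notepad "ANSI" text and is decoded as cp1252."""
import codecs
import re
from dataclasses import dataclass, field

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")  # regedit refuses others
# Upper-cased path fragments of locations commonly used for persistence.
AUTOSTART_MARKERS = (
    r"\CURRENTVERSION\RUN",                  # Run, RunOnce, RunServices...
    r"\CURRENTCONTROLSET\SERVICES",          # installed services
    r"\WINDOWS NT\CURRENTVERSION\WINLOGON",  # Userinit / Shell
)

@dataclass
class RegKey:
    path: str
    delete: bool = False                        # [-HKEY...] removes the key
    values: dict = field(default_factory=dict)  # name -> (kind, data); "" = default value

def decode_reg(data: bytes):
    """Return (text, encoding). regedit writes UTF-16LE with a BOM; Notepad's
    ANSI option writes a BOM-less 8-bit file, which regedit also accepts."""
    if data.startswith(codecs.BOM_UTF16_LE):
        return data[len(codecs.BOM_UTF16_LE):].decode("utf-16-le"), "utf-16-le"
    return data.decode("cp1252"), "ansi"  # assumption: no BOM means ANSI

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

def parse_value(raw: str):
    """Decode the right-hand side of a value line into (kind, data)."""
    if raw == "-":
        return ("delete", None)                    # "name"=- removes the value
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return ("string", re.sub(r"\\(.)", r"\1", raw[1:-1]))
    if raw.startswith("dword:"):
        return ("dword", int(raw[6:], 16))
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)  # hex: or hex(N): byte lists
    if m:
        kind = "hex" if m.group(1) is None else "hex(%s)" % m.group(1)
        return (kind, bytes.fromhex(m.group(2).replace(",", "").replace(" ", "")))
    raise ValueError("unrecognised value syntax: %r" % raw)

def parse_reg(text: str) -> list:
    """Parse .reg text into RegKey objects in file order."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing .reg header; regedit would refuse this file")
    joined, pending = [], ""          # re-join hex data continued with a trailing '\'
    for line in lines[1:]:
        s = line.strip()
        if s.endswith("\\"):
            pending += s[:-1]
            continue
        joined.append(pending + s)
        pending = ""
    keys, current = [], None
    for s in joined:
        if not s or s.startswith(";"):            # blank line or comment
            continue
        if s.startswith("[") and s.endswith("]"):
            inner = s[1:-1]
            current = RegKey(path=inner.lstrip("-"), delete=inner.startswith("-"))
            keys.append(current)
            continue
        m = _VALUE_RE.match(s)
        if current is None or not m:
            raise ValueError("value outside a key or malformed line: %r" % s)
        name = "" if m.group(2) else re.sub(r"\\(.)", r"\1", m.group(1))
        current.values[name] = parse_value(m.group(3).strip())
    return keys

def summarize(keys) -> list:
    """Human-readable list of the changes the patch would make."""
    out = []
    for k in keys:
        out.append(("DELETE KEY " if k.delete else "KEY ") + k.path)
        for name, (kind, data) in k.values.items():
            label = name or "(Default)"
            out.append("  delete value " + label if kind == "delete"
                       else "  set %s = %s %r" % (label, kind, data))
    return out

def touches_autostart(keys) -> list:
    """Paths in the patch that fall under a known persistence location."""
    return [k.path for k in keys if any(m in k.path.upper() for m in AUTOSTART_MARKERS)]

# Constructed sample patch (raw string so the backslashes survive).
SAMPLE_TEXT = r"""Windows Registry Editor Version 5.00

; constructed sample, not the FixReg.reg posted in the thread
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleLoader"=-

[HKEY_CURRENT_USER\Software\Example]
@="default"
"Flag"=dword:00000001
"Blob"=hex:01,02,\
  03,04
"""
SAMPLE_UTF16 = codecs.BOM_UTF16_LE + SAMPLE_TEXT.encode("utf-16-le")  # as regedit saves it
```

    To use it on a real patch, read the file as bytes, pass them through decode_reg, then parse_reg, and print summarize and touches_autostart before merging; a header error means regedit would reject the file anyway, and both encodings the thread discusses (ANSI and UTF-16 with a BOM) are handled.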
     
  10. naz256

    naz256 Private E-2

    I'm still having the same problem, even if I change it to other coding types or if I change the 'Save as type' to all files. I'm still being asked which program I want to open the file with. Any suggestions?
     
  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Unzip REG File Association Fix (Restore default associations for REG files), to your Desktop.


    Start -> Run
    type regedit
    click 'OK'

    Registry Editor will open:
    Click "Registry" in the menu
    Select "Import Registry File ..."
    Import Registry File dialog will open.
    Navigate to your Desktop and double-click on xp_regfile.reg

    Reboot

    Now double-click on FixReg.reg and import the registry patch.
     
  12. naz256

    naz256 Private E-2

    Yes, that worked. OK, after I run 'services.msc' there is no 'COM+ Messages' entry, only 'COM+ Event System' and 'COM+ System Application'. Does this mean I can skip this step and go on to the next one?
     
  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    If 'COM+ Messages' is not listed as a service then skip that step and continue with the instructions.
     
  14. naz256

    naz256 Private E-2

    OK here are my new HJT, GetRunKey, ShowNew and BitDefender Logs. I wasn't able to remove the C:\WINDOWS\system32\svchosts.exe files using HJT, as a prompt came up saying that it was protected by windows or something like that.
     

    Attached Files:

  15. naz256

    naz256 Private E-2

    Here's the BitDefender log.
     

    Attached Files:

  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    1. Now download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply
    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Empty the Norton Quarantine Folder.
    Empty the Recycle Bin

    Run CCleaner

    Reboot

    Post the following logs:
    1. ComboFix log
    2. BitDefender Online
    3. ShowNew
    4. GetRunKey
    5. HijackThis

     
  17. naz256

    naz256 Private E-2

    Here are the new logs
     

    Attached Files:

  18. naz256

    naz256 Private E-2

    here are the rest
     

    Attached Files:

  19. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Using Add or Remove Programs in the Control Panel; uninstall the following:
    Install the current version of Adobe Acrobat Reader from: Adobe Acrobat Reader Download

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post the following logs:
    1. ShowNew
    2. GetRunKey
    3. HijackThis

    Be sure to tell me how things are working.
     
  20. naz256

    naz256 Private E-2

    here are the new logs. My computer appears to be running normally. Windows defender isn't picking anything up now and script errors that appeared whilst I was using internet explorer have now stopped. I don't know if the P2P network software is affected as I haven't reinstalled it and checked, but overall everything appears to be in good working order.
    Also some of the items that you told me to delete with HJT in the last post I actually use for online gaming and for viewing ebooks, so they may appear again in the new logs.
    Is there anything else that needs fixing?
     

    Attached Files:

  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The P2P software was part of your problem, don't install it.

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    • If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    • If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    • If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    • If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    • If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    • If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    • You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    • If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    • After doing the above, you should work thru the below link:
     
  22. naz256

    naz256 Private E-2

    Excellent, all done. Thank you very much Shadow for helping me out, I really appreciate it. If there's any way I can return the favour, then just let me know.

    All the best.
     
