not sure if infection is gone

Discussion in 'Malware Help (A Specialist Will Reply)' started by angeldust21, Oct 21, 2009.

  1. angeldust21

    angeldust21 Private E-2

    Hi, this past Monday I had a nasty infection where I could not download scanners or open my web browser without getting "the internet has encountered a problem and needs to close". I ran scans with Malwarebytes in normal and safe mode and it found 1 file that I deleted, but it came up again on both normal and safe mode scans. I deleted it again and it was gone. I then tried the Trend Micro scan and it found 1 virus that I deleted. So far everything is OK, but my computer is still very slow, and after I deleted all the bad files, when I turned off my computer my internet connection modem light was blinking red, meaning that the internet connection was disabled. I also notice that sometimes when I first turn on my computer my anti-virus will be off; that's how I think I got infected in the first place. I use AVG 8.5 free version. That freaked me out, so I ran all the scans yesterday, defragged, and everything came out OK, but my internet is still slow. How can I make sure everything is completely clean? Thanks.
     
  2. evilfantasy

    evilfantasy Malware Fighter


    You will need to follow the instructions in the below link and attach the requested logs when you finish these instructions.

    READ & RUN ME FIRST. Malware Removal Guide
     
  3. angeldust21

    angeldust21 Private E-2

    Hi, I can only run the AVG scanner in both normal and safe mode; any other scanner I can't. I tried another forum and they told me I have two infected patch files. They told me I need a Windows XP CD to do a recovery console, but I don't have a CD. I only have a burned copy of Windows XP SP1; my system runs on SP2. Will this work? Are there any other alternatives I can try?
     
  4. evilfantasy

    evilfantasy Malware Fighter

    Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then double click on it to run it.

    AVPFind.bat

    It should take a couple minutes to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the c:\avplog.txt


    Now download and Run exeHelper


    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)


    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file)


    Next, try running the below online scan:

    http://www.superantispyware.com/onlinescan.html

    Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. See if you can save a log with it and attach it in the next reply.



    Now run a scan with MGtools and attach the log. Using MGtools



    Next post please attach:


    • c:\avplog.txt
    • log.txt (from exeHelper)
    • SAS log (if you can)
    • New MGlogs.zip
     
  5. angeldust21

    angeldust21 Private E-2

    I tried the AVP, and the log came up quickly and the window didn't close. These were the results:

    AVPFind.bat - (c) 09/01/2009 By Chaslang *
    * *
    * Helps to identify potential AntiVirus Pro infected system DLL files and *
    * and poosible replacement files to use during cleanup. *
    ******************************************************************************

    Windows OS is

    Microsoft Windows XP [Version 5.1.2600]

    ============= Finding copies of eventlog.dll =================================
    "C:\WINDOWS\ERDNT\cache\eventlog.dll" 55808 08/04/2004 06:00 AM
    "C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\eventlog.dll" 56320 04/13/2008 06:11 PM
    "C:\WINDOWS\system32\eventlog.dll" 55808 08/04/2004 06:00 AM
    "C:\WINDOWS\system32\dllcache\eventlog.dll" 55808 08/04/2004 06:00 AM

    ============= Finding copies of netlogon.dll =================================
    "C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll" 408064 02/06/2009 12:46 PM
    "C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll" 408064 02/06/2009 12:46 PM
    "C:\WINDOWS\ERDNT\cache\netlogon.dll" 407040 08/04/2004 06:00 AM
    "C:\WINDOWS\I386\NETLOGON.DL_" 181419 08/04/2004 06:00 AM
    "C:\WINDOWS\mui\FALLBACK\040C\netlogon.dll.mui" 4096 08/23/2001 08:51 PM
    "C:\WINDOWS\mui\FALLBACK\0416\netlogon.dll.mui" 4096 09/06/2001 02:39 AM
    "C:\WINDOWS\mui\FALLBACK\0C0A\netlogon.dll.mui" 4096 08/23/2001 01:19 AM
    "C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\sp2qfe\netlogon.dll" 408064 02/06/2009 12:46 PM
    "C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\netlogon.dll" 407040 04/13/2008 06:12 PM
    "C:\WINDOWS\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944\sp2qfe\netlogon.dll" 408064 02/06/2009 12:46 PM
    "C:\WINDOWS\system32\netlogon.dll" 407040 08/04/2004 06:00 AM
    "C:\WINDOWS\system32\dllcache\netlogon.dll" 407040 08/04/2004 06:00 AM

    ============= Finding copies of scecli.dll =================================
    "C:\WINDOWS\ERDNT\cache\scecli.dll" 180224 08/04/2004 06:00 AM
    "C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\scecli.dll" 181248 04/13/2008 06:12 PM
    "C:\WINDOWS\system32\scecli.dll" 180224 08/04/2004 06:00 AM
    "C:\WINDOWS\system32\dllcache\scecli.dll" 180224 08/04/2004 06:00 AM

    ******************************************************************************


    I also tried to download the exeHelper, but it says it had a virus and it moved it to the virus vault.
     
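The AVPFind log above lists every copy of a system DLL with its size and timestamp so the live system32 copy can be compared against the protected copies (dllcache, ERDNT). The following script is an added example, not AVPFind.bat or anything from the thread: it parses that output format and flags a system32 copy whose size matches none of the cache copies, listing the cache copies as candidate replacements. The scecli.dll section in the sample is constructed with an altered live size (184320) so the check has something to report; the eventlog.dll section is copied from the posted log.

```python
import re
from collections import defaultdict

# Constructed sample in AVPFind.bat's output format: eventlog.dll lines are
# from the log posted above; the scecli.dll live-copy size is altered to
# simulate a patched file.
SAMPLE_LOG = r'''
============= Finding copies of eventlog.dll =================================
"C:\WINDOWS\ERDNT\cache\eventlog.dll" 55808 08/04/2004 06:00 AM
"C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\eventlog.dll" 56320 04/13/2008 06:11 PM
"C:\WINDOWS\system32\eventlog.dll" 55808 08/04/2004 06:00 AM
"C:\WINDOWS\system32\dllcache\eventlog.dll" 55808 08/04/2004 06:00 AM

============= Finding copies of scecli.dll =================================
"C:\WINDOWS\ERDNT\cache\scecli.dll" 180224 08/04/2004 06:00 AM
"C:\WINDOWS\system32\scecli.dll" 184320 08/04/2004 06:00 AM
"C:\WINDOWS\system32\dllcache\scecli.dll" 180224 08/04/2004 06:00 AM
'''

SECTION_RE = re.compile(r'^=+ Finding copies of (?P<name>\S+) =+$')
ENTRY_RE = re.compile(
    r'^"(?P<path>[^"]+)"\s+(?P<size>\d+)\s+'
    r'(?P<stamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2} [AP]M)$')


def parse_avpfind(text):
    """Return {dll_name: [(path, size, stamp), ...]} from AVPFind-style output."""
    copies = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group('name').lower()
            continue
        m = ENTRY_RE.match(line)
        if m and current:
            copies[current].append(
                (m.group('path'), int(m.group('size')), m.group('stamp')))
    return copies


def check_system_dlls(copies):
    """Compare the live system32 copy of each DLL with the protected cache
    copies (dllcache, ERDNT). A live copy whose size matches none of them is
    reported together with the cache paths as candidate clean replacements."""
    findings = {}
    for name, entries in copies.items():
        live = [e for e in entries
                if e[0].lower().endswith('\\system32\\' + name)]
        cache = [e for e in entries
                 if '\\dllcache\\' in e[0].lower() or '\\erdnt\\' in e[0].lower()]
        if not live or not cache:
            continue  # nothing to compare against
        live_path, live_size, _ = live[0]
        if live_size not in {e[1] for e in cache}:
            findings[name] = {
                'live': live_path,
                'live_size': live_size,
                'replacements': [e[0] for e in cache],
            }
    return findings


if __name__ == '__main__':
    for dll, info in check_system_dlls(parse_avpfind(SAMPLE_LOG)).items():
        print(dll, info['live_size'], '->', info['replacements'])
```

A size match is only a first screen; on a real system the candidate and live files should also be hashed before any replacement is considered.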
  6. evilfantasy

    evilfantasy Malware Fighter

    You need to allow exeHelper to run. Turn off your antivirus while downloading it if needed.
     
  7. angeldust21

    angeldust21 Private E-2

    I finally tried exeHelper and here are the results:


    exeHelper by Raktor
    Build 20091021
    Run at 00:18:52 on 10/27/09
    Now searching...
    Checking for numerical processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--
     
  8. angeldust21

    angeldust21 Private E-2

    I tried the antispyware and it says I had 1 adware tracking cookie and 8 unknown trojans. I rebooted, but nothing has changed as far as the Internet Explorer error popping up when I open my browser and other scanners.

    I tried the MGtools and here is my log; let me know if I posted this right.
     

    Attached Files:

  9. evilfantasy

    evilfantasy Malware Fighter

  10. angeldust21

    angeldust21 Private E-2

    Here is the ComboFix log.
     

    Attached Files:

  11. evilfantasy

    evilfantasy Malware Fighter

    Delete ComboFix from your desktop and download a new copy without renaming it.

    If you already have ComboFix be sure to delete it and download a new copy.

    Download ComboFix© by sUBs. Be sure to save it to the Desktop.

    ComboFix.exe

    **Note: It is important that it is saved directly to your Desktop

    DO NOT run it yet!

    Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

    Delete these files/folders, as follows:

    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
    It must be Notepad, not Wordpad.
    2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

    Code:
    KillAll::
    
    FCopy::
    c:\windows\$NtUninstallKB896688$\wininet.dll | c:\windows\system32\wininet.dll
    
    
    3. Go to the Notepad window and click Edit > Paste
    4. Then click File > Save
    5. Name the file CFScript.txt - Save the file to your Desktop
    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

    http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif

    ComboFix will begin to execute, just follow the prompts.
    After reboot (in case it asks to reboot), it will produce a log for you.
    Post that log (Combofix.txt) in your next reply.

    Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze



    Now run a scan with MGtools and attach the log. Using MGtools



    Next post attach the new ComboFix log along with a new MGlogs.zip.
     
  12. angeldust21

    angeldust21 Private E-2

    Here is the ComboFix log.
     

    Attached Files:

  13. angeldust21

    angeldust21 Private E-2

    Here is the MGtools zip.
     

    Attached Files:

  14. evilfantasy

    evilfantasy Malware Fighter

    Delete these folders.

    C:\combafix2099c
    C:\combafix2716c
    C:\combafix


    Run CCleaner.



    Open Malwarebytes' Anti-Malware.

    * Click the Update tab.
    * Click Check for Updates
    * If an update is found, it will download and install.
    * Click the Scanner tab.
    * Select Perform Quick Scan, then click Scan.
    * The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * Copy & Paste the entire report in your next reply.

    Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



    Attach the MBAM log and let me know how the computer is running now.
     
  15. angeldust21

    angeldust21 Private E-2

    Last night after I ran ComboFix everything was working OK. I ran a scan on Malwarebytes last night and found 4 infections which I deleted. This morning I deleted the folders you said and I tried Malwarebytes again, and I got the error message but was still able to run it. Here is the log:


    Malwarebytes' Anti-Malware 1.41
    Database version: 3055
    Windows 5.1.2600 Service Pack 2

    10/29/2009 1:30:00 PM
    mbam-log-2009-10-29 (13-30-00).txt

    Scan type: Full Scan (C:\|D:\|E:\|)
    Objects scanned: 174855
    Time elapsed: 1 hour(s), 22 minute(s), 40 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\WINDOWS\system32\xmldm (Stolen.Data) -> Quarantined and deleted successfully.

    Files Infected:
    (No malicious items detected)




    I keep deleting this file: C:\WINDOWS\system32\xmldm (Stolen.Data) over and over again, but it won't go away.
     
    Last edited: Oct 29, 2009
  16. evilfantasy

    evilfantasy Malware Fighter

    Download The Avenger by Swandog46 and save it to your desktop.

    * Extract avenger.exe from the Zip file and save it to your Desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Code box below, and paste it into the Input script here window:

    Code:
    Comment:
    
    Files to delete:
    C:\WINDOWS\system32\dllcache\SETD53.tmp
    
    Folders to delete:
    C:\WINDOWS\system32\cock
    
    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.

    * Attach the Avenger log in your next post.
     
  17. angeldust21

    angeldust21 Private E-2

    Here is the Avenger log.

    When I tried to open Avenger I got the error message, but I didn't close it because it would close Avenger. It rebooted but nothing has changed. I still get the internet error when I open my browser.
     

    Attached Files:

  18. evilfantasy

    evilfantasy Malware Fighter

    Is this when you run Malwarebytes?

    What does the complete error message say?
     
  19. angeldust21

    angeldust21 Private E-2

    Yes, every time I open Malwarebytes I get a message that it has encountered a problem and needs to close; if I leave that message alone, Malwarebytes will stay open. I always get that c\windows file when I run Malwarebytes, but it won't delete. I also get that error message every time I open a scanner, my antivirus and my internet browser. My internet browser I have to open twice for one to stay open. The message is always "Internet Explorer encountered a problem and needs to close".


    I'm running an ESET virus scan at the moment and 1 infection has already showed up, called Win32/PrcView application.
     
    Last edited: Oct 29, 2009
  20. evilfantasy

    evilfantasy Malware Fighter

    Run Avenger again and use this as the input.

    Code:
    Comment: 
    
    Folders to delete:
    C:\WINDOWS\system32\xmldm

    Attach the log when it's finished.


    Before attaching the log try this.

    Open Internet Explorer. Click Tools in the menu and then Options to enter the Internet Options window.

    Select the Programs tab and then click Reset Web settings.

    Restart Internet Explorer and let me know if the error still occurs.
     
  21. angeldust21

    angeldust21 Private E-2

    Here is the new log, and I posted the log from the ESET virus scan.


    I tried the Tools > Reset Web Settings, but I'm still getting the error messages.
     

    Attached Files:

  22. evilfantasy

    evilfantasy Malware Fighter

    Thank you. I was going to have you run that next.

    Try this please.

    Download Dial-a-Fix by djlizard, save it to the desktop then extract it to its own folder.

    • Open the folder and run Dial-a-fix.exe
    • 2 windows will open. Close the one in the background labeled Restrictive Policies
    • Check the box in section 1, Empty temp folders.
    • Check the box in section 2, Fix Windows Installer.
    • Check the box in section 3, Fix Windows Update.
    • Check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
    • Check all boxes in section 5, labeled Registration Center.
    • Click Go
    • OK any error messages if received, but write them down and post them here.
    • Restart the computer when done.
    Is the problem fixed?

    If not then try updating Windows. I would suggest updating to at least IE7 and getting SP3. IE6 is outdated and less secure than the newer versions, and SP3 has important security updates.

    Go to Microsoft Windows Update and get all critical updates.

    Let me know the results after doing the above.
     
  23. angeldust21

    angeldust21 Private E-2

    I'm not sure if I'm extracting Dial-a-Fix correctly, because when I first download it I right click and select Extract All, and then when I save it I select Desktop, but it creates a shortcut and I click on that, and the 2 links open but don't open on my desktop. ???
     
  24. evilfantasy

    evilfantasy Malware Fighter

    Just double click it and it should open up the file.
     
  25. angeldust21

    angeldust21 Private E-2

    But when I click on the shortcut, 2 windows don't open, just the box with the sections.
     
  26. angeldust21

    angeldust21 Private E-2

    OK, I ran the scan and closed it when it finished. The only error I get is the same Internet Explorer error when I open my browser.
     
  27. angeldust21

    angeldust21 Private E-2

    I downloaded IE7, it rebooted and I ran another scan on ESET. The scan was 99% done when all of a sudden my computer rebooted on its own. The scan said I have about 34 infections of the same virus I posted on my last ESET scan.
     
  28. evilfantasy

    evilfantasy Malware Fighter

    Try another scanner please.

    Download Dr.Web CureIt and save it to your desktop.

    Scan with DrWeb-CureIt as follows:


    • Double-click on drweb-cureit.exe and then click Start
    • An information notice will appear, click OK.
    • This starts a short scan that will scan the files currently running in memory.
    • If you get a prompt to buy the full version just exit out of the window. The scanner will still work without buying the full version
    • If or when something is found, click the Yes button when it asks you if you want to cure it.



    • Once the short scan has finished, Click Settings > Change Settings
    • Under the Scanning tab UNcheck Heuristic analysis and click OK
    • Back at the main window, select the Complete scan button and then click the Green Arrow http://i154.photobucket.com/albums/s258/evilfantasy69/drweb.jpg Start Scanning button on the right and the scan will start.
    • Click Yes to all if it asks if you want to cure/move any file(s).
    • When the scan is done.
    • In the Dr.Web CureIt menu on top left, click File and choose Save report list.
    • Save the DrWeb.csv report to your Desktop.
    • Exit Dr.Web Cureit.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.


    * After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
    * Copy and paste that log in the next reply
     
  29. angeldust21

    angeldust21 Private E-2

    I tried the scan and I wasn't able to move or delete some files. Here are the results:

    Process.exe;C:\WINDOWS\system32;Tool.Prockill;Deleted.;
    Process.exe;C:\MGtools;Tool.Prockill;Incurable.Moved.;
    aolcinst.exe\core.cab\GTDOWNAO_106.ocx;C:\Program Files\Online Services\AOL Setup\comps\coach\aolcinst.exe;Adware.Gdown;;
    aolcinst.exe;C:\Program Files\Online Services\AOL Setup\comps\coach;Archive contains infected objects;Moved.;
     
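The Dr.Web CureIt report lines posted above are semicolon-separated (object; location; threat; action; trailing separator), and an empty action field is what an item that could not be moved or deleted looks like. The script below is an added example, not part of the thread or of Dr.Web: it parses that format, marks objects found inside an archive (a backslash-joined member path such as core.cab\GTDOWNAO_106.ocx), and separates handled from unhandled detections so the unhandled ones can be reported back. The sample input is constructed from the four posted lines.

```python
# Constructed sample: the four Dr.Web CureIt lines posted above.
SAMPLE_REPORT = (
    "Process.exe;C:\\WINDOWS\\system32;Tool.Prockill;Deleted.;\n"
    "Process.exe;C:\\MGtools;Tool.Prockill;Incurable.Moved.;\n"
    "aolcinst.exe\\core.cab\\GTDOWNAO_106.ocx;"
    "C:\\Program Files\\Online Services\\AOL Setup\\comps\\coach\\aolcinst.exe;"
    "Adware.Gdown;;\n"
    "aolcinst.exe;C:\\Program Files\\Online Services\\AOL Setup\\comps\\coach;"
    "Archive contains infected objects;Moved.;\n"
)


def parse_drweb_report(text):
    """Parse object;location;threat;action lines into a list of dicts.
    An empty action means CureIt reported no cure/move/delete for the item."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(';')
        if len(fields) < 4:
            continue  # malformed line: skip rather than guess
        obj, location, threat, action = fields[:4]
        rows.append({
            'object': obj,
            'location': location,
            'threat': threat,
            'action': action.strip(),
            # a member inside an archive is written as archive\member
            'in_archive': '\\' in obj,
        })
    return rows


def summarize(rows):
    """Split detections into handled (any recorded action) and unhandled."""
    handled = [r for r in rows if r['action']]
    unhandled = [r for r in rows if not r['action']]
    return {'handled': handled, 'unhandled': unhandled}


if __name__ == '__main__':
    result = summarize(parse_drweb_report(SAMPLE_REPORT))
    for r in result['unhandled']:
        where = 'inside archive' if r['in_archive'] else 'on disk'
        print('not handled:', r['threat'], r['object'], '(' + where + ')')
```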
  30. evilfantasy

    evilfantasy Malware Fighter

    Please do the following:

    1. Download this diagnostics tool MGADiag.exe and save this to your Desktop.
    2. Double-click on MGADiag.exe and click Continue
    3. When the program has finished, click on Copy
    4. Post the results in your next reply.


    Also let me know how the computer is running now.
     
  31. angeldust21

    angeldust21 Private E-2

    I ran MGADiag, and it didn't let me copy the results, but I wrote them down. My computer is still acting up; it's kind of gotten worse as far as not being able to open certain programs like ComboFix. Do I have to post all the results or just certain things?
     
  32. evilfantasy

    evilfantasy Malware Fighter

    When you click the Copy button just come back here and right click and paste. The results should post that way.
     
  33. angeldust21

    angeldust21 Private E-2

    After I click Copy it does nothing, and it won't even let me right click the results.
     
  34. evilfantasy

    evilfantasy Malware Fighter

    OK, after you click Copy, come here and click once in the reply box to put the cursor in it, then on your keyboard press (both at the same time) CTRL and V. That should paste it in.

    If not then I only need the first few lines of the log.

     
  35. angeldust21

    angeldust21 Private E-2

    Diagnostic Report (1.9.0011.0):
    WGA Data: Registered, 1.9.40.0
    Validation status: Genuine
    Validation code: 0
     
  36. evilfantasy

    evilfantasy Malware Fighter

    Thanks.

    What exactly happens when you try to open programs?
     
  37. angeldust21

    angeldust21 Private E-2

    I still get the internet error messages, and every time I try to download a new version of ComboFix it either says application failed and gives a really long number, or the file is corrupt and can't open. I tried to download ComboFix from different places, even trying to rename it, and the same thing happens. My clock is also messed up; it has the numbers 14:47 currently instead of the normal time.
     
  38. evilfantasy

    evilfantasy Malware Fighter

    Do you have an XP CD?

    If so, place it in your CD ROM drive and follow the instructions below:
    • Click on Start > Run and type sfc /scannow then press Enter (note the space between sfc and /scannow)
      • Let this run undisturbed until the window with the blue progress bar goes away
    SFC, which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.
     
  39. angeldust21

    angeldust21 Private E-2

    No, I don't have one. Before, I did have a copy of Windows XP SP1; I tried to do the recovery console with it but it didn't work. I had to return the CD to the person I borrowed it from.
     
  40. evilfantasy

    evilfantasy Malware Fighter

    Go ahead and run SFC and see what happens. If it asks to replace files, write down which ones and let me know.
     
  41. angeldust21

    angeldust21 Private E-2

    I ran the scan and when it was done, it closed by itself without reporting anything. Is that a good sign?
     
  42. evilfantasy

    evilfantasy Malware Fighter

    It would appear to be good.

    Let's try another scan. If it comes up clean then we will move on to other things.

    First:

    SUPERAntiSpyware - running & getting a log


    Next run a new MGtools scan and attach the MGlogs.zip.
     
  43. angeldust21

    angeldust21 Private E-2

    I ran the antispyware scan and it found nothing. Do I delete the old MGtools and download a new version?
     
  44. evilfantasy

    evilfantasy Malware Fighter

    No, you will be OK with the current one.
     
  45. angeldust21

    angeldust21 Private E-2

    I ran the MGtools scan, but when I try to upload the zip file it says the internet has encountered a problem and needs to close and freezes the upload window, and when I close the error message my whole browser closes.
     
  46. evilfantasy

    evilfantasy Malware Fighter

  47. angeldust21

    angeldust21 Private E-2

    I go to that link but I never find the critical updates link. I also read somewhere not to update until you get rid of all infections. I went to that site and did the express install and downloaded updates for Windows, but I unchecked the option to download Windows IE8.
     
  48. evilfantasy

    evilfantasy Malware Fighter

    If you got the updates then that's good.

    Let me ask someone else to look at this topic. I'll post back.
     
  49. angeldust21

    angeldust21 Private E-2

    I copied and posted the info from inside the logs. Here is the 1st one:

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!

    Folder "C:\WINDOWS\system32\xmldm" deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate
     
  50. angeldust21

    angeldust21 Private E-2

    Inline log deleted!
     
    Last edited by a moderator: Oct 31, 2009
