Ok....Help...

Discussion in 'Malware Help (A Specialist Will Reply)' started by Fishead2k, Oct 2, 2007.

  1. Fishead2k

    Fishead2k Private E-2

    Please!!!
    My laptop has a virus (or several); I am accessing this forum on my uninfected desktop. Just when I think I have cleared it all (enough to access anti-virus updates online) it returns...at least enough to prevent me from doing so.
    I really did try to solve this myself. I followed the pre-HijackThis instructions as best I could.
    AdawareSE detected the first signs of it as Win32.TrojanDownloader.Small, with associated files dafdar.exe, 0x57.exe, & dar.exe.
    After deleting them I have not seen (those files) since, but searching for info on it I found winavxx.exe and printer.exe and their associated ills to be similar to what was going on. Searching my sys I quickly found those files and followed with regedits to restore control panel, task mgr, etc., pop-ups, hosts file (so many times).
    I ran scans with about every tool mentioned on these malware forums. Yours seems the best from my reading btw...
    Anyway, I am obviously missing some little piece of the (@#$%^) that's hiding in my system. Have to admit this one is a piece of work. Working from two systems via CD burns for d/l & log files here...and hopefully you can help with a solution.
    Attached are most recent logs.
    Anything you can suggest is greatly appreciated,
    ><((((*<
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com, please follow our standard cleaning procedures:

    Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    • Make sure you check version numbers and get all updates.
    Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    After doing ALL of the above, if you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

    Downloading, Installing, and Running HijackThis
    • Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
    • CounterSpy Log - only for Windows XP, 2K, & NT users
    • AVG Antispyware Log - ONLY IF NEEDED, i.e. you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
    • Bitdefender Log - from step 6
    • Panda Scan Log - from step 6
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • HijackThis Log
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. Fishead2k

    Fishead2k Private E-2

    Hello and thanks for reply!

    I had difficulty reaching any site related to antivirus/scans etc, as the bug is denying me access to connecting with them, so I have been unable to get updates online via infected system. I found and repaired the hosts file several times but it appears fine now, so hiding somewhere else. I will run through the list again, perform tasks as specified, and post new logs however, with MANY THANKS for your help. This thing has me running in circles...
    Where I have been able to...I have downloaded tools and updates, and copied over via CD burns from my clean desktop. I really have done all on the Read First instructions that I am able, back n forth several times, and attached logs of what I was able to run to date.

    Here is what I have been able to do/fix, and all I have discovered on my sys, so far...
    I honestly have lost track of which tool/soft found what at this point, but here is my best recap:
    I knew right away something wasn't right when I hit an Angelfire Site article off of a forum thread...ran an AdawareSE scan and found (and deleted) the following:
    Win32.TrojanDownloader.Small
    dafdar.exe
    0x57.exe
    dar.exe
    I looked but did not click the balloon message pop-ups pointed to http://www.caspersky-labs.com (owned by some Dmeitre dude in RU)

    As stated before, still had symptoms and searched further for info, and found also in my system additional/recurring instances of WinAvxx.exe & Printer.exe and found & restored function/access to the following:
    Control Panel
    Task Manager
    Regedit
    Admin Privilege
    Hosts File

    Again, I went through step-by-step...but it's all a blur now if it was SpyBot or ComboFix that found the following (you would likely know by the naming conventions given):
    Trojan.Win32/SystemHijack.gen
    Trojan.Win32.Agent.ali
    Trojan.FakeAlert
    Trojan.Agent.AFHF
    Cookies:
    BurstNet
    CGI-BIN
    Geocities
    Cookie.Monster
    Tickle
    Adriver
    Right Media

    Additional scans and fixes I have run:

    Stinger (found 0)
    VundoFix.exe (found 0)
    Combofix.exe
    aswclnr.exe (found 0)
    SmithFraudfix (found ?)

    I couldn't install SpybotSD because it wants to update during install process...connect times out and install just hangs there and goes no further.
    I could not reach the PandaScan, or NanoScan sites.
    All Scans I have been doing currently are coming up clean, but still cannot get OUT for updates/definitions. And obviously still have a ghost in my machine.

    Yes, I am STOOOPID, to not have antivirus installed right now, but that is my situation currently.

    Question: Is there ANY downloadable antivirus software for which I can also download the current definitions as a separate self-extracting/install updater like Norton offers???
    All I have attempted so far seem to update only through running within the soft itself...
    Please, please, advise if you know where/how I can download and get a full (current) version installed onto my laptop. Also if you are seeing anything in the logs I sent that jumps out as being the item that is keeping me from accessing antivirus sites at this point so I can obtain the scans needed.

    Thanks again,
    Fishead2k
     
  4. Fishead2k

    Fishead2k Private E-2

    This one should be named "SquareOne.Trojan"...

    I followed everything on list, in order, to a "T"
    When I came to updating JAVA, I downloaded it on my uninfected desktop and burned it to CD. I uninstalled JAVA Runtime etc. on my infected laptop, and when I tried to install it needed to connect to the internet...when I plugged in, it was of course blocked and reinstalled much of itself all over again. And now I have NO JAVA installed.

    I was able to get SpyBot loaded, updated and run.
    It found/fixed the following:
    Microsoft.Windows.Security.Internet Explorer
    SpyAgent [SBI $CBGAZBAE] C:\Win\unvise.exe

    I'm desperate at this point. This has SO f'd me over for a full week now.

    The Counterspy scan took close to 3hrs alone...been all day at this again, and seems I am back to square one, again.
    CounterSpy found/fixed:
    TrojanDownloader.Win32.Agent.bxx (12) obj
    AnyPBookmark Browser Plugin (8) obj

    If I could complete the steps all the way through I would, every time I try to hit the online scanners I am blocked & screwed again, please advise if you have any ideas to neutralize the site-blocking bugs from the logs I sent, I am starting over, and will post new logs when and if I can...ARGH!
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Trend Micro Sysclean Package - Download + Pattern File

    Running the Trend Micro System Cleaner...
    Download the Sysclean Package (sysclean.com) and the latest Pattern File (lptXXX.zip). Create a folder on your C: drive (C:\Sysclean), download both files to this folder, and unzip the "lptXXX.zip" pattern file into this folder.

    Reboot your computer into safe mode by pressing the F8 key down during boot up and selecting "Safe Mode" from the menu.

    Once in Safe Mode open the folder C:\Sysclean folder and run "sysclean.com", check "Automatically clean or delete detected files", left-click "Scan".

    This will produce a log, please attach this to your next post. We will run more steps later, after this scan try to run more steps from the READ ME.

    Also, if possible attach the ShowNew, GetRunKey & HijackThis logs.
     
  6. Fishead2k

    Fishead2k Private E-2

    CURRENTLY: I have NO Admin Privileges when logged in as Admin in Safe Mode; all control points (regedit, task mgr, control panel, computer/properties) are now roundly denied. That last lil window connected online to update JAVA seems to have allowed reinfection.
    When I log on as the only 'user' I have set up on my machine, I am still able to access/see these functions, but making alterations is forbidden, and I can no longer see any offending registry entries as before, where I was able to reset values and regain some ground with this (BUG!)

    I'm not sure what to do now...I thought I knew my way around a computer, but this one is really kicking my....

    Any suggestions?
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    See if you can run the below, once completed reboot back to Safe Mode and then try to run the scan from my previous post.

    Also, if you can get me ShowNew & GetRunKey Logs.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

     
  8. Fishead2k

    Fishead2k Private E-2

    Hello and Thanks!
    It's been slow going back n forth on (clean) office desktop.
    I spent yesterday hacking away again at this, and regained much ground.
    Very close (once again), the idea of connecting to net is terrifying at this point, lol.
    Attached are logs I finished off with last night in its absolute current state.
    I've not run the regedit stated in your last post yet, so I'll hold off till I hear back.
    I did run the trend-micro scan you directed me to and found/fixed (1) item. Thanks, it got me started. Sorry I don't have a report from it.

    My system is running pretty smooth now without all of the symptoms I was having, BUT, I have gotten this far several times only to have the whole thing start all over once I connect to the net.

    ***I have been unable YET to do any of the online scans, last I tried I was still being redirected to nul-ville, and prevented from all AV and search domains, including (I think) any URL's in my favorites/bookmarks.

    I still have a couple major issues:
    1. NO ANTIVIRUS INSTALLED! Downloaded and installed AVG+Firewall with all updates (and without) and got the blue screen of death on every reboot attempt. Uninstalled/reinstalled several times with the same results. Of note, the updater function had issues running (from 'file' of course), but it seems the virus messed with files associated with 'updating' in general.
    As a secondary issue related to the AVG install, I was prompted to update Roxio because AVG has problems with a bug in older versions. I did so, but did not 'upgrade' to purchasing v.10 when mine worked just fine as it was. Unfortunately, the updates I loaded seem to have it running 'buggy' now...but I managed to burn the txt/log files over that I am now sending. It is spitting error msgs now with each function, and slow...any thoughts on repairing possibly damaged files?

    CAN YOU PLEASE RECOMMEND A (GOOD) ANTI-VIRUS + FIREWALL that I can download WITH the current definition files so I can install/run completely offline? I am not concerned with it being free, I just want something that can accomplish the above and is not a bloated suite of crap. This machine came with Norton 2003 installed, and I am familiar with it, I just didn't renew the subscription last time around, looking for something better...then I got ZAPPED. I have Corp Edition on my W2k desktop and it's fine I guess (but it won't run on my XP Home laptop). I've not heard much praise of Norton in general these days. I purchased System Suite a long time ago and hated all the extra crap and annoyances! The one thing I do like is being able to download definitions as an .exe that I can run and it's done. Anything you know of that offers updates this way, that doesn't require updating from within the running app?

    2. Still finding bunch of host URLs in scans, and located some Reg. files containing them that Tools are leaving behind. Something, somewhere is re-populating this mess.

    I found a couple key/files like this that the scans are NOT catching or seeing as threats:
    HKLM/SOFT\Microsoft\Windows\Current Version\Internet Settings\P3P\History/(many bogus URL folders) all with value/keys set to Vname "default" REG_WORD (5)
    Similar but more threatening looking ones:
    HKLM/SOFT\Microsoft\Windows\Current Version\Internet Settings\Zone Map\Domains\...
    (many many more) bogus URL folders, but many of these have multiple sub-folders with names like... \007Guard.com\install...www.install...the...www.the, etc.
    Vname is just * and value set to (4)
    For the life of me I can't discern the root/malware source that is behind all this, and with all the new lil progs I have loaded in last week, the process list is even getting hard to know what is good or evil.
    QUESTION: Is it safe to delete these creepy Reg folders (P3P) in regedit, and will this actually get rid of them? Or is there another way I must go about removing them?

    I'm hoping you can spot the offender/s easily in my logs, after reading all this, sorry for the long read. Thank you for your help!!!!
    I wont do a thing till I hear back............

    Many thanks,

    Fishead2k
     

    Attached Files:

  9. Fishead2k

    Fishead2k Private E-2

    A couple of additional logs...the file named virus2.txt is the AdawareSE scan I did immediately after this wonderful lil piece of...soft entered my machine... It shows the initial form it arrived as, and perhaps you can determine where it decided to build its nest in my sys....?

    Thanks again!!!!
     

    Attached Files:

  10. Fishead2k

    Fishead2k Private E-2

    Almost forgot...
    I ran the following to get back to where I am at now, including all housecleaning steps:
    Ccleaner on both admin/user in safe mode.
    The Trend-Micro scan you sent me found (1) trojan, again sorry no report.
    SpyBot crashed, but I think it valiantly took a couple bugs out in the process.
    I may have run Stinger...
    ComboFix also had issues running properly this time.
    SmitFraudFix
    CounterSpy found nothing this time around, but did find/quarantine the following the day before:
    Trojan.Downloader.Win32.Agent.bxx
    AnyPBookmark (plugin)
    Trojan.FakeAlert
    On a previous scan it found:
    Trojan.Win32/SystemHijack.gen
    and has found FakeAlert several times...recurring bug

    Finally, Trojan.Win32.Agent.ali was found earlier by something I remember...it's all a blur now....
     
  11. Fishead2k

    Fishead2k Private E-2

    Sorry if this is "bumping", I just haven't heard a response in over 5 days, and fear I have fallen through the cracks... I have been trying to rid my machine of this since Sept 25th.
    I have cleared all that I can, but I'm sure there is something still remaining.
    Can someone please review my logs and advise if you see the problem?
    Please help!
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I apologize, went away this weekend.

    Since it has been a few days I would like fresh logs from the below.

    • GetRunKey Log
    • ShowNew Log
    • HijackThis Log
     
  13. Fishead2k

    Fishead2k Private E-2

    The machine has been turned off since...nothing has changed...please
    ...with many thanks for responding!
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.

    Step 1:
    Please look in Add/Remove Programs for the following and uninstall if found. If you get any errors just make a note and proceed.

    Step 2:
    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    Again, make sure ALL browser windows are closed when you click FIX.

    Step 3:
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    Step 4: Begin here after rebooting from Step 3!
    Next Reset Web Settings & Default Security Settings

    Note for IE 6 users:
    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites. For IE 7 users, simply click the "Reset all zones to default level" button.

    Note for IE 7 users:
    Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.


    Step 5:
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    Step 6:
    Download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
      • It will create a folder named HostsXpert in whatever folder you extract it to.
      • Run HostsXpert.exe, click Restore Microsoft's Hosts File and then click OK.
      • Click the X to exit the program
    Step 7:
    After you have completed ALL of the above in the correct order, please attach the following logs.
    • HijackThis Log
    • ShowNew Log
    • GetRunKey Log
    • Avenger Log
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  15. Fishead2k

    Fishead2k Private E-2

    My machine is all but clean now by all appearances, but I am worried about (those files?) I found in Registry, (many) bogus history folders...attached are fresh logs as requested.
    Also below I copied a few suspicious reg-key locations I already mentioned that tools, scans, etc. are not catching that look clearly malicious.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\.atdmt.com

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\P3PROFILE

    I found many folders with many subfolders inside "Domains" folder as seen at end of this string.
    Like "P3P" folder above but much larger and 2 more directories deep in sub-folders
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\007guard.com\install

    Thanks for your help!!
     

    Attached Files:
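    The two places this thread keeps returning to are the hosts file (Step 6 above, and the "blocked from all AV domains" symptom) and the IE ZoneMap\Domains registry tree listed in the post above. The script below is an added example, not code from the thread or from MajorGeeks: it triages both from copied files (a hosts file and a regedit export of the ZoneMap key) so it can be run on a clean machine, which fits the CD-shuttling workflow used here. The watch list of vendor domains, the sample hosts lines and the "updates-mirror.test" entry are constructed for the example. The zone numbers are Internet Explorer's own (1 = Local Intranet, 2 = Trusted Sites, 3 = Internet, 4 = Restricted Sites), so a domain entry of "*" = 4 such as 007guard.com places that domain in Restricted Sites, which is exactly what Spybot's Immunize and SpywareBlaster add on purpose; the entries worth questioning are the ones that raise a domain's trust (zones 1 and 2).

```python
"""Added triage helpers (example code, not from the thread): check a hosts
file for pinned security/update domains and summarise an IE
ZoneMap\\Domains .reg export by security zone."""
import re
from collections import defaultdict

# Zone numbers Internet Explorer stores under ZoneMap\Domains.
ZONE_NAMES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Constructed watch list: domains a cleanup depends on reaching. Any hosts
# entry naming one of these is worth a look, whatever address it points at.
WATCHED_DOMAINS = ("kaspersky.com", "pandasecurity.com", "avg.com", "avast.com",
                   "trendmicro.com", "windowsupdate.com", "majorgeeks.com")


def _in_watch_list(name):
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def parse_hosts(text):
    """(ip, hostname) pairs from hosts-file text; comments and blanks dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, n.lower()) for n in names)
    return entries


def suspicious_hosts_entries(text):
    """Entries that pin a watched security/update domain to any address."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if name != "localhost" and _in_watch_list(name)]


_SECTION = re.compile(r"^\[(.+)\]$")
_DWORD = re.compile(r'^"(?P<name>[^"]*)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
_MARKER = "\\zonemap\\domains\\"


def parse_zonemap_reg(reg_text):
    """{domain_path: [(value_name, zone_number), ...]} from a .reg export."""
    result = defaultdict(list)
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        sec = _SECTION.match(line)
        if sec:
            key = sec.group(1).lower()
            idx = key.find(_MARKER)
            # Only keys below ZoneMap\Domains matter; keep the domain path.
            current = key[idx + len(_MARKER):] if idx != -1 else None
            continue
        val = _DWORD.match(line)
        if current is not None and val:
            result[current].append((val.group("name"), int(val.group("hex"), 16)))
    return dict(result)


def zone_report(reg_text):
    """Group domains by zone and single out the ones that LOWER security.

    Zone 4 (Restricted Sites) entries such as 007guard.com with "*"=4 are the
    form anti-spyware immunization lists take; zone 1/2 entries grant a
    domain more trust and are the ones to question."""
    by_zone = defaultdict(list)
    lowered = []
    for domain, values in parse_zonemap_reg(reg_text).items():
        for value_name, zone in values:
            by_zone[ZONE_NAMES.get(zone, f"Unknown zone {zone}")].append(domain)
            if zone in (1, 2):
                lowered.append((domain, value_name, zone))
    return {"by_zone": dict(by_zone), "lowered_security": lowered}


# Constructed sample inputs for this example, not from the poster's machine.
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1       localhost
127.0.0.1       www.kaspersky.com kaspersky.com
10.0.0.5        update.avast.com     # pinned to an off-box address
127.0.0.1       www.example.org
"""

SAMPLE_ZONEMAP_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\007guard.com]
"*"=dword:00000004

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\007guard.com\install]
"*"=dword:00000004

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\updates-mirror.test]
"http"=dword:00000002
"""

if __name__ == "__main__":
    for ip, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts: {name} -> {ip}")
    report = zone_report(SAMPLE_ZONEMAP_REG)
    for zone, domains in report["by_zone"].items():
        print(f"{zone}: {len(domains)} entries")
    for domain, value_name, zone in report["lowered_security"]:
        print(f"check: {domain} value {value_name!r} placed in zone {zone}")
```

    To run it on a real export, use regedit's File > Export on the ZoneMap key and open the resulting file with encoding="utf-16", which is the format regedit writes by default; the hosts file is plain text. A domain showing up in the hosts file is the finding here regardless of whether it points at 127.0.0.1 or elsewhere, because a clean XP hosts file contains only the localhost line.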

  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It appears you either skipped Step 3 or it did not run properly, try it again please and attach the log.
     
  18. Fishead2k

    Fishead2k Private E-2

    Hey Man, Thanks for your help.
    This has been such a pain in the...

    Performed all exactly as specified, (thanks 4 great instructions) logs attached:

    Can you please offer opinion of best AV program that is a stand-alone or w/firewall? Of the freeware suggestions on this page> http://forums.majorgeeks.com/showthread.php?t=44525
    Are any of these ones you'd recommend, or am I better off buying boxed software somewhere? I've already downloaded them all, but did have problems with the AVG install (it didn't like my old Roxio, even after I updated everything).
    Same question goes for the Firewalls.

    Also, Should I enable System Restore yet?

    Last question...do you think it is safe to get online with this machine for online scans, or to fetch AV-updates?

    Many many Thanks !!
     

    Attached Files:

  19. Fishead2k

    Fishead2k Private E-2

    Avenger log.
     

    Attached Files:

  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger, the log (avenger.txt) and C:\avenger.
    8. If we had you download any registry patches like fixme.reg, fixme1.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    See my previous post, step 11.

    I recommend AVG AntiVirus with Comodo Firewall. I use both and they both are free and easy to use/configure. They both also use very little resources and do a great job.

    If you had problems with it then I would recommend Avast AntiVirus.

    Yes! See my previous thread, step 10.

    Yes! Your logs look good.
     
  22. Fishead2k

    Fishead2k Private E-2

    bjgarrick,
    Thanks a million man!!!

    This thing set me soooo far back with work!
    Now I can get back to normal.
    Installed AV and Firewall as recommended.
    Running (freshly updated) Avast full scan now....

    Three Cheers!!!
    Fishead2k
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome!
     
