1. stellarstacy

    stellarstacy Private E-2

    So here's my story: I was trying to get something for free, and I got some kind of problem from it. Oops! Anyway, my task manager won't open, some command files are missing, windows are popping up like mad, and the icons on my desktop have a black background. I can't attach my hijackthis log, when I click upload it tells me there's an error. I'm not sure what else to do - thanks in advance for any help.

    I think I have a french virus? I do not recognize two lines: nnnoooo.dll and ssqrr.dll. There may be more...I don't know. Can't attach anything.
     
    Last edited: Oct 19, 2007
  2. abri

    abri MajorGeek

    Hi stellarstacy!
    Welcome to Major Geeks! Try running the following scan called Combofix and see if that helps. If it does, please continue with the instructions and links in the second box. If it doesn't help, please tell us.

    Run this utility:
    After you've run Combofix, please follow the instructions and links in the box below!

    abri
     
  3. stellarstacy

    stellarstacy Private E-2

    As stated before, I can't attach anything. I can't run bitdefender or pandascan because I'm using firefox, and msie is extremely unstable right now. Can't run getrunkey or shownew because it says the file is being used, or combofix because it says some command file is being used, but hijackthis says my command file is missing. I could paste my file, but it's not finding it when I browse for it under 'manage attachments'.
     
    Last edited: Oct 19, 2007
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Can you boot in safe mode and run things?
    Can you attach logs from safe mode?
    Can you copy logs to another PC and then attach them from the other PC.
     
  5. stellarstacy

    stellarstacy Private E-2

    I can attach files now, yay! I have attached the three that I can get a hold of, still can't run pandascan and bitdefender, and shownew still isn't running. Thanks for your support so far.
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi stellarstacy!

    Please rerun HijackThis from its proper location under C:\Program Files\Hijack This\analyse.exe.

    You will have to install it properly into its own folder under Program Files and after you've installed it, please go into the folder where you put it under Program Files and right click on hijackthis.exe and select rename. Then replace the name hijackthis.exe with the name analyse.exe.
    There are certain viruses, and you may have one of them, which evade detection if HijackThis is run under its normal name. The details of how to install HijackThis are under step 7 of the READ AND RUN ME.

    Thanks!
    abri
     
  7. stellarstacy

    stellarstacy Private E-2

    done
     

    Attached Files:

  8. stellarstacy

    stellarstacy Private E-2

    I've tried deleting the geedd.dll file from the command prompt, and it won't let me delete it. Tried deleting it with HijackThis and I can't delete it. I can't open my registry editor because it says it's in use. The pop ups seem to have stopped - but my computer just recently rebooted itself after the toolbar disappeared.
     
  9. abri

    abri MajorGeek

    Thanks stellarstacy!

    Now please run ShowNew and attach the log which is called newfiles.txt. This will enable us to manually identify and remove the bad files which are still on your system.

    Please make sure MSConfig is in normal mode not selective mode. If you're not sure, please check the instructions in Step 0 of the READ & RUN ME FIRST.

    Also, please make sure that Teatimer is turned off in Spybot S&D. To turn it off, please double click on the Spybot icon and after it opens, go to the top where it says mode. Make sure that advanced mode is checked. Then go down on the left side where it says tools and click on that. Click on the word Resident with the red and white shield. In the middle of the page you'll see a box next to Resident Teatimer. Make sure it is unchecked.

    Thanks.
    abri
     
  10. stellarstacy

    stellarstacy Private E-2

    okay
     

    Attached Files:

  11. abri

    abri MajorGeek

    Hi stellarstacy,
    Your computer's badly infected. I have to ask you if you are still installing things while we're trying to clean your computer? It looks like AOL Games including Monopoly were installed along with a screensaver. Did you put these things in? Or are things being installed on your computer without your knowledge? Along with AOL Games, there's evidence of a number of fixes which look like efforts you may be making in trying to clean your computer. Please allow us to work with what you have before you do anything further.
    abri
     
  12. abri

    abri MajorGeek

    Hi Stellarstacy!

    1) Please look in Add/Remove Programs for the following and uninstall them if found. If you get any errors just make a note and proceed.

    J2SE Runtime Environment 5.0 Update 2
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player
    WildTangent Web Driver


    2) Now REBOOT your computer!


    3) After you reboot, please install Java Runtime Environment vs. 6.3

    4) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    5) Please have this file C:\WINDOWS\system32\vbzip10.dll scanned at either of the following websites VirusTotal or jotti and post the results to me. There is a small window where you can upload the file and then submit it for scanning.


    6) Do you recognize any of these which are located under C:\Program Files\ ? (do not delete any of them, just tell me)
    Oct 19 2007 "A.ico"
    Oct 19 2007 "a.zip"
    Oct 10 2007 "AOL Games"
    Oct 19 2007 "B.ico"
    Oct 19 2007 "b.zip"
    Oct 19 2007 "c.zip"
    Oct 10 2007 "dizzler"
    Aug 6 2007 "InterActual"
    Oct 19 2007 "OneStepSearch"
    Oct 19 2007 "Track_03.exe"
    Oct 19 2007 "Video.exe"
    Jul 21 2007 "Winamp"

    abri
     
  13. stellarstacy

    stellarstacy Private E-2

    I recognize dizzler, it's my music player. Also winamp, and interactual sounds familiar too. The rest of it looks pretty foreign. I've uninstalled the programs that you suggested, and reinstalled java.
     
  14. stellarstacy

    stellarstacy Private E-2

    By the way, the scan on that file found nothing wrong with it.
     
  15. abri

    abri MajorGeek

    Hi stellarstacy!

    0) Please upload the following files in the box to either
    VirusTotal or jotti and attach a report with your next post.
    1) Scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    2) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    3) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    4) After you have completed ALL of the above in the correct order, please attach the following logs.
    • Jotti or VirusTotal
    • Avenger Log
    • ShowNew Log
    • GetRunKey Log
    • HijackThis Log
    Please let me know how things are going.
    abri
     
  16. stellarstacy

    stellarstacy Private E-2

    Here's the first set...
     

    Attached Files:

  17. stellarstacy

    stellarstacy Private E-2

    ...and the last two. Thanks again for your help and patience.

    I also have a question...I read the how to prevent malware sticky. McAfee came with this computer, but it's out of date now and I guess that means I can't download any new virus definitions. Am I better off deleting McAfee and downloading one of the free virus tools so that I have up to date definitions and a free firewall protector? I just tested my firewall on the suggested sites and it says it's secure, would it still be as secure with a free firewall?
     

    Attached Files:

    Last edited: Oct 21, 2007
  18. abri

    abri MajorGeek

    Hi Stellar!
    Your report was for three of the five files: the psw.exe, the a.ico and the A.zip. What happened with these two? Were you able to find them? Could you try them again?
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    abri
     
  19. stellarstacy

    stellarstacy Private E-2

    I had already deleted those two files so I couldn't find them on my computer. Deleted the last set of files, the log confirmed the deletions.
     

    Attached Files:

  20. abri

    abri MajorGeek

    Hi stellar!
    I have to go through the logs more carefully and this takes time. Is there a way for you to get to IE so you can run Panda and BitDefender? Bit in particular is helpful because it checks archived files and Panda simply finds things that a lot of the other programs miss. Also, Counterspy is great if you can get it onto your computer as per the instructions in the READ & RUN ME FIRST

    These all take time but they would be immensely helpful! Is there a particular reason why you can't use IE except that it's not set as your default browser? If it was removed through add/remove Windows Components (one of the buttons in add/remove programs), then it can be reactivated by going first to add/remove programs, clicking on the button called add/remove Windows Components and then scrolling down the list till you find Internet Explorer and putting a checkmark in the box, then clicking ok.

    abri
     
  21. stellarstacy

    stellarstacy Private E-2

    Okay, I'll follow your instructions to get IE back up. It was freezing really bad the first time I tried the scans, but a lot of the stuff seems to be gone so I'll attempt the scans again.
     
  22. abri

    abri MajorGeek

    Hi stellar!
    Here is some information to your question and then a further set of instructions for you to run. If you're able to run the Counterspy (making sure to have it fix things), BitDefender and Panda scans, please complete those first before continuing with this set of instructions. It will help us if we can see the logs from these three scans.

    In terms of your question about a firewall and antivirus, if your firewall passes the test for both incoming and outgoing traffic, it's fine. It also has to be compatible with whatever antivirus program you choose to run it with. The order of uninstalling and installing antivirus programs matters. If you want to uninstall McAfee, please do the following. First download the installation program for a new antivirus program, but don't run it. Just download the installation program to somewhere where you can find it later. After you disconnect from the internet, go to add/remove programs and run the McAfee removal program and reboot your computer without allowing it to connect to the internet. Then while you are still unhooked from the net, run the installation program for whichever Antivirus program you've chosen to install. After it's installed, reconnect to the internet and allow the new program through your firewall and let it update. When we've determined that your computer is clean, we will give you a final set of instructions which includes our recommendations for free antivirus programs that are lightweight and work well.

    On the 18th of October a program was installed onto your computer under C:\ called ps.exe. This appears to refer to a program called Punto Switcher for which almost all references are Russian websites. It has the function of an auto keyboard switcher. From today, there is a reference to FixWareout and there are a lot of .txt files directly under C:\

    Please do not work on your computer at the same time we're working on it without telling us what you are planning to do and checking if it's going to work together with what we're asking you to do. We don't know if the files being installed are being installed by you or independently and this is important information for us in determining what to remove. It's bad if we're working at cross-purposes.

    0) If you don't use Interactual, please go to add/remove programs and uninstall it. It may have been installed involuntarily anyway.

    1) Scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    2) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    3) Please run ATF Cleaner by Atribune.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    4) After you have completed ALL of the above in the correct order, please attach the following logs.
    • Avenger Log
    • ShowNew Log
    • GetRunKey Log
    • HijackThis Log

    Please let me know if things are starting to get better.
    abri
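
The two posts above (the dated list of items under C:\Program Files, and the later note about ps.exe and stray .txt files directly under C:\) both come down to one question: what was created or changed on this machine in the last few days, and what are those files? The following PowerShell script is an added example written for this page, not a tool from the thread and not ShowNew itself. It lists items created or modified within the last $Days days directly under a few roots and records a SHA-256 hash for each file, so a file can be looked up by hash on VirusTotal or Jotti before (or instead of) uploading it. $Days, $Roots and $Report are parameters chosen here; it assumes PowerShell 4.0 or later (for Get-FileHash) and an elevated prompt.

```powershell
# Added example (not from the thread or any tool it names): inventory recently
# created or modified items in the folders the thread looks at and compute a
# SHA-256 hash for each file so it can be looked up by hash.
# Assumptions: PowerShell 4.0+ (Get-FileHash); run as Administrator so protected
# folders are readable. $Days, $Roots and $Report are values chosen here.
param(
    [int]$Days = 7,
    [string[]]$Roots = @('C:\', "$env:ProgramFiles", "$env:SystemRoot\System32"),
    [string]$Report = (Join-Path $env:USERPROFILE 'Desktop\recent-files.csv')
)

$cutoff = (Get-Date).AddDays(-$Days)

$findings = foreach ($root in $Roots) {
    # No -Recurse: the suspect items in the thread all sat directly under C:\
    # or C:\Program Files, and a top-level listing finishes in seconds.
    Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $cutoff -or $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            $hash = $null
            if (-not $_.PSIsContainer) {
                # A file that is locked by a running process can still usually be
                # hashed; one we cannot read at all is flagged rather than skipped.
                try { $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash }
                catch { $hash = 'UNREADABLE (locked or access denied)' }
            }
            [pscustomobject]@{
                Created   = $_.CreationTime
                Modified  = $_.LastWriteTime
                Type      = if ($_.PSIsContainer) { 'dir' } else { 'file' }
                SizeBytes = if ($_.PSIsContainer) { $null } else { $_.Length }
                Path      = $_.FullName
                SHA256    = $hash
            }
        }
}

# Newest first on screen, full table to CSV for attaching to a forum post.
$findings | Sort-Object Created -Descending | Format-Table -AutoSize
$findings | Export-Csv -Path $Report -NoTypeInformation
Write-Host "Wrote $($findings.Count) entries to $Report"
```

Run it as `.\recent-files.ps1 -Days 10` to cover the whole 10 to 19 October window the thread is concerned with. Directories are listed without a hash; a directory such as "AOL Games" or "OneStepSearch" is only a pointer to look inside. The hash column is the useful part: a SHA-256 that VirusTotal already knows needs no upload, and a hash that it has never seen is itself a signal worth mentioning to the helper.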
     
  23. stellarstacy

    stellarstacy Private E-2

    I'm still running BitDefender and PandaActive scans, I'll attach them with my next post. I never installed that Punto Switch, I haven't messed with anything since posting here because I wanted to make sure I got rid of all this bad stuff first, so I guess that's more malware?
     
  24. abri

    abri MajorGeek

    Yes, that's what I wanted to know. It seems like software is being installed onto your computer. That's what we'll have to work on stopping. More tomorrow...
    abri
     
  25. stellarstacy

    stellarstacy Private E-2

    Okay. I'm going to have to rerun the two online scans because my friend used my computer and exited the pages before I could save a log. I'll post them tomorrow as well.
     
  26. stellarstacy

    stellarstacy Private E-2

    Okay. Ran bitdefender then activescan, but I didn't keep the report for bitdefender as my friend used the computer after it scanned and didn't save the report. I have the report for active scan. I reran Bitdefender but all it found was malware located within the system restore points. I can run it a third time if you absolutely need the log for it. I'm not able to upload the report for activescan, file too large...a lot of the items within the log are tracking cookies, I could delete those from the log and try to resend?

    Anyway, I'm onto the last set of directions.

    EDIT: Oops, still have to run counterspy.
     
  27. abri

    abri MajorGeek

    Hi stellarstacy!

    If you run CCleaner in safe mode for all the users, it will make the logs smaller by getting rid of the cookies and temporary files. If BitDefender only found infected restore points, then I don't need to see it. What we look for is where an update failed.
    Could you zip the Panda log and then attach it?

    abri
     
  28. stellarstacy

    stellarstacy Private E-2

    I installed a defragmenter yesterday, so it'll show up in the shownew...oops. Lots of oops. Won't happen anymore!
     

    Attached Files:

  29. stellarstacy

    stellarstacy Private E-2

    I'll attach the pandascan results when I figure out how to zip the file. :)
     

    Attached Files:

  30. stellarstacy

    stellarstacy Private E-2

    Forgot one...
     

    Attached Files:

  31. abri

    abri MajorGeek

    Hi stellarstacy,
    Please do not defrag your computer until it's clean. Please rerun ATF Cleaner and then rerun ShowNew and post a fresh newfiles.txt log.
    Thanks.
    abri
     
  32. stellarstacy

    stellarstacy Private E-2

    Mmm..hopefully it works.
     

    Attached Files:

  33. abri

    abri MajorGeek

    Oh! That was good!

    abri
     
  34. stellarstacy

    stellarstacy Private E-2

    I did install winzip to zip that file.
     

    Attached Files:

  35. abri

    abri MajorGeek

    Hi stellar!

    In your Panda scan there were a lot of cookies. Your browsers (both of them) should be set to allow cookies only for as long as you are visiting the website. It should automatically delete them as soon as you close your browser. There may also be an option to ask if 3rd party cookies should be allowed or not.

    1) Now, if you have not installed CCleaner, please install it as per the instructions in the READ & RUN ME FIRST. Then go into safe mode and run CCleaner in safe mode for each user name and for administrator. Do not uncheck or check anything. Simply double click on the icon and it will open to the Windows tab. Leave it exactly like this and at the bottom right-hand corner is a button "Run Cleaner". Click on that. It will tell you this will permanently delete files. Click ok. If you don't get the temporary files out of your computer, the infections will continue to come back.

    For the future, you need to run CCleaner at the default setting regularly - every day before you shut down your computer is a good time. Make sure that your browser is not set to store your history for more than one day and if you visit websites you want to keep track of, use your favorites or bookmarks.

    A lot of what Panda found came onto your computer through music downloads. There are safer p2p sites and not safe p2p sites.

    2) When you ran Counterspy, you did not have it fix what it found. Please rerun it and have it fix everything it finds. It found some really bad things, so it will be well worth your time to do this.

    When you finish, please post the Counterspy log again.

    Thanks.
    abri
     
  36. stellarstacy

    stellarstacy Private E-2

    Installed CCleaner and cleaned stuff in safe mode, under both accounts. I'm fixing what Counterspy found now, and then I'll run a new scan and post the log. I'm having a new issue though, when I double click CounterSpy to run it, Counterspy pops up but also an installer for QuickBooks. I already have Quickbooks installed on my computer from a few months ago, not sure why it would try to reinstall it.

    I don't know if it's just me or the CCleaner, but my computer seemed to load within what felt like two seconds. It was amazing!
     
  37. abri

    abri MajorGeek

    After Counterspy has fixed everything it found (if it's fixed everything, it will say quarantined or deleted in the log), please attach the log to us and then you can uninstall it via add/remove programs. Do not uninstall it if the log only says "detected". That would mean it didn't fix anything. In the add/remove programs list, it's listed under Sunbelt Counterspy. I hope that will get rid of the Quickbooks problem.

    Yes! CCleaner is one of the wonder tools of the computer world. Um ... Please ... since you have a tendency to go off on your own and do things with your computer (or other people do) ... please do not use CCleaner in any other way except in this one setting until we are at the point where we can set a new clean restore point. We're not quite there yet. Then if anyone decides to try out other options in CCleaner, you will still have a good reference point to return to. :)

    abri
     
  38. stellarstacy

    stellarstacy Private E-2

    I ran counterspy again and it found nothing, but I don't know how to go back and retrieve the log that said everything was fixed. I kinda wanted to keep CounterSpy, since my McAfee has expired and I can't get up to date virus definitions. I just ran Counterspy and the quickbooks installer didn't run, so maybe it was just a small flaw. So can I keep it, please please can I keep it? lol
     
  39. stellarstacy

    stellarstacy Private E-2

    Regarding anti spyware programs...would an after the fact scanner be one that doesn't notice malware until you've scanned for them? And a realtime blocker notices the malware before it's infected your computer? I'm a bit confused as to the differences between these. And you should have one realtime tool, Spybot, and Spyware blaster along with an antivirus program? I'm not planning on downloading anything now, I will wait until you okay everything.
     
  40. abri

    abri MajorGeek

    lol Yes, you can keep it, but it costs money and it's pretty big also, so that's why we have people remove it. I think the trial lasts for 30 days, so remove it before then, unless you want to buy it. Spybot has an immunize feature that is good. The program itself you should update every couple of weeks and run it. SpyWareBlaster is simply cool. It's a very good idea to have. Also, using IE only for Windows updates and otherwise keeping to Firefox is good. I want to post this website to you and see if you can get to it: http://p2p.malwareremoval.com/index.html
    It's part of Spybot's Malware Removal forum and has a current list of which p2p programs are safe, which are not safe and which are dead. See if you can get to that.

    I can't see anything further that needs to be done on your computer. If it is working all right now, please follow the instructions in the box and be sure to set a clean restore point as per the instructions (you have to reboot in between) and read through the "How to protect yourself from malware". It offers you the best combination of antivirus, antispyware and firewall to give you the least bulk on your computer with the most protection. I recommend before the month is up, uninstalling Counterspy and saving it for when you need it again. (hopefully not any time soon)

    Let me know how everything goes!
    abri
     
  41. stellarstacy

    stellarstacy Private E-2

    Alright, everything is going well. System restore points are clean and I'm on my way to uninstall Counterspy and install the suggestions from the malware protection sticky. It's all back to normal, especially the computer loading like I just whipped it out of the box! Thanks for everything, I can't thank you enough. I want to be just like you when I grow up! Lol. I really appreciate your patience and your time!
     
  42. abri

    abri MajorGeek

    Many happy computing endeavors! And ... run CCleaner often! And ...
    you can defrag now :)
    abri
     
  43. stellarstacy

    stellarstacy Private E-2

    Ok one more thing. I might have overlooked it, but is there a program that gets rid of the leftover files after an uninstall? And um what exactly is the a squared program complimenter thing?
     
  44. abri

    abri MajorGeek

    a-squared is a program that scans for malware. What complimenter thing do you mean?

    You should post in the software forum about a good program for uninstalling leftover files. They may tell you CCleaner, but be sure you do both a restore point and a registry backup before you run any kind of a registry cleaner.

    :)
    abri
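
The advice just above, a restore point and a registry backup before any registry cleaner runs, is easy to state and easy to skip. The following PowerShell script is an added example written for this page, not something from the thread or from CCleaner. It creates a System Restore point, confirms the point actually exists, and exports the hives a registry cleaner touches most to dated .reg files, reporting the size of each export. It assumes Windows PowerShell 2.0 or later on a client edition of Windows with System Restore enabled, run as Administrator; $BackupDir is a location chosen here.

```powershell
# Added example (not from the thread): take the two safety nets the reply asks
# for before running a registry cleaner, and verify that each one was taken.
# Assumptions: Windows PowerShell 2.0+ on a client OS with System Restore
# enabled, run as Administrator. $BackupDir is a location chosen here.
param(
    [string]$BackupDir = (Join-Path $env:USERPROFILE 'Desktop\registry-backup')
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1) Restore point. Windows 8 and later silently skip a new point if one was
#    created within the last 24 hours, so check the list instead of trusting
#    the call.
$description = "Before registry cleaner $stamp"
Checkpoint-Computer -Description $description -RestorePointType MODIFY_SETTINGS
$point = Get-ComputerRestorePoint | Where-Object { $_.Description -eq $description }
if ($point) {
    Write-Host "Restore point $($point.SequenceNumber) created: $description"
} else {
    Write-Warning "No restore point with that description exists; check System Restore settings before continuing."
}

# 2) Registry export. reg.exe writes one .reg file per hive; HKLM\SOFTWARE and
#    HKCU are where registry cleaners make most of their changes.
$hives = @{
    'HKLM-SOFTWARE' = 'HKLM\SOFTWARE'
    'HKCU'          = 'HKCU'
}
foreach ($name in $hives.Keys) {
    $file = Join-Path $BackupDir "$name-$stamp.reg"
    & reg.exe export $hives[$name] $file /y | Out-Null
    if ($LASTEXITCODE -eq 0 -and (Test-Path $file)) {
        $kb = [math]::Round((Get-Item $file).Length / 1KB)
        Write-Host "Exported $($hives[$name]) to $file ($kb KB)"
    } else {
        Write-Warning "Export of $($hives[$name]) failed (exit code $LASTEXITCODE)"
    }
}

# Rolling back: reg.exe import <file> restores a single hive export; for
# everything at once, use System Restore and pick the point created above.
```

The exit-code check matters: reg.exe reports success on the console even when the output file is a few bytes long because access was denied, so the script also tests that the file exists and prints its size. An HKLM\SOFTWARE export of a few kilobytes is a failed backup, not a small one.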
     
