PLEASE HELP ME!!! I have a virus/malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by disler, Apr 20, 2008.

  1. disler

    disler Private E-2

    I have a virus/adware/malware problem on my PC - I'm running Windows XP Pro. I ran the following virus and adware scans and repaired what I could, but it STILL has a problem.

    This is what I did, in this order:
    1- Ran McAfee and cleaned what it found
    2- Ran Spyware Doctor and cleaned what it found
    3- Ran CCleaner
    4- Ran Spybot Search and Destroy and cleaned what it found
    5- Ran Lavasoft Ad-Aware 2007 and cleaned what it found
    6- Ran Avast Anti-Virus and cleaned what it found
    7- Turned off System Restore
    8- Rebooted the PC in SAFE MODE -- still in safe mode...
    9- Ran MSConfig and took out stuff from my startup tab that I didn't need
    10- Reran Spybot, Ad-Aware, and Avast Anti-Virus
    11- Everything seemed clean. I rebooted the PC in regular mode and it STILL HAS A PROBLEM!!!!


    I also have HijackThis and ran a log, but I won't post it unless you tell me to.

    Thanks for any help that you could give.
    Dulce
    :cry :cry


    PS: I also wanted to let you know that this "adware/virus" doesn't seem to present itself unless I'm on the internet -- with a stupid number of popups even though I have my pop-up blocker on, and it interrupts my typing.
     
    Last edited: Apr 20, 2008
  2. disler

    disler Private E-2

    I'm going through the DO THESE STEPS FIRST -- PLEASE DON'T REPLY
     
  3. abri

    abri MajorGeek

    Hi disler,
    Welcome to Major Geeks!

    I know, you said not to reply :)

    Depending on the nature of the symptoms, there may be different tools that could be used with the READ & RUN ME. I'll wait to see your attachments so we can see more directly what's going on.

    abri
     
  4. disler

    disler Private E-2

    I ran through all of the 'steps' as given by you guys. It seems to be OK. I have all the logs, but last night I watched a TV show on the Internet and there didn't seem to be any problems. I'm up to turning restore back on, but I want to check all of your steps to ensure that my laptop is protected going forward.

    Should I submit my logs anyway?

    One question: my PC and laptop are connected via a wireless router running Network Magic. If my kid runs Limewire on the PC and gets a virus/malware, could that travel through the shared folders? I plan on making sure that the PC is protected also before allowing him back onto Limewire, which caused this problem in the first place (he installed Limewire - the free version - onto my laptop, downloaded a couple of songs, and then I found the malware/virus).

    Thanks for all your help
     
  5. abri

    abri MajorGeek

    Hi disler,

    Please attach the logs and don't do anything with System Restore until I've gotten back to you.

    Are you both running the internet off the same router or have you set up a home network as well where you can actually work off of each other's computers?

    abri
     
  6. disler

    disler Private E-2

    Abri: Thanks for your help!! YOU GUYS ROCK!!! :D

    There are 3 logs attached here and a subsequent email will contain the 4th log and a screen shot of the network. The network is internet to wireless router to hard connected pc to wireless router.
     

  7. disler

    disler Private E-2

    Here is the screen shot and the MGLog.zip file
     

  8. abri

    abri MajorGeek

    Hi disler,

    The logs you attached show that the various scans removed a lot of malware and that there is still some left. Since the malware I'm going to ask you to remove came into your computer around the 13th to the 15th of April, I wondered if you installed RegRun as the result of symptoms you were already having, or if the symptoms came after that. You also have a folder called Converted Videos from around that time.

    Please do the following:


    1) What is in the following folder? (You can look in the folder, but do not open any files if you don't know what they are.)

    C:\WINDOWS\system32\BWKDLogs


    2) Please disable your guest account if this hasn't already been done.


    3) Next I would like for you to disable Spybot's TeaTimer. This can be done two ways.
    First:
    • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
    • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
    • If you have Version 1.4, Click on Exit Spybot S&D Resident
    or Second, For Either Version :
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go To the bottom of the Vertical Panel on the Left, Click Tools
    • Then, also in the left panel, click Resident (shows a red/white shield).
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot

    4) Go to add/remove programs and uninstall the below:

    - Java(TM) 6 Update 4

    5) Reboot after uninstalling the above.

    6) Install the current version of Sun Java from: Sun Java Runtime Environment

    7) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: (no name) - {E2727071-F926-40B9-8D21-D1F580FD7E95} - C:\WINDOWS\system32\urqPfGWm.dll (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O20 - Winlogon Notify: xxyaaXRH - xxyaaXRH.dll (file missing)

    After you click fix, just close hijackthis.


    8) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt


    9) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    10) Before I ask you to get a fresh set of logs, please check to make sure your computer is in normal startup mode. Go to Start / Run, type in msconfig and click on okay. In the window that opens up, click on normal system start and then on accept and okay.

    11) After your computer is in normal startup mode, please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
  9. disler

    disler Private E-2

    I may have installed RegRun on my laptop when I had originally tried to clean it.

    Converted Videos is a folder I created to convert MPG videos to MP4 for my iphone.

    1- an empty BWTargetInf.log file

    I will let you know how things are after I go through these steps.

    Thanks again
     
  10. disler

    disler Private E-2

    Abri;

    It seems to be OK to me; attached are the two logs. I didn't do the Spybot S&D step since it's not installed on my laptop. SuperAntiSpyware and McAfee are both running on my laptop currently.

    Should I go through the steps "How to protect yourself from malware"?? for both the laptop and the PC?

    Should I put Restore back on?

    Also, I submitted in a prior thread to this posting a screen shot of my home network because I want to know if my son uses Limewire on the pc, if any malware gets onto the pc can it travel via the network to my laptop?

    Thanks a lot for all of your help. I really appreciate it.

    Dulce :D
     

  11. abri

    abri MajorGeek

    Hi disler,

    With regard to your son's use of Limewire, it depends on whether you only share the router as a connection to the internet or whether you have a home network set up. With a home network, you can access each other's files from the other's computer. In this situation, it would be possible to share files which have viruses. If you are only sharing the router to get a connection to the internet and don't have a home network set up (i.e. can't share files on each other's computers except by sending them to each other as emails etc.) then his files and yours will not be in contact and cannot infect each other's computers. One way that computers can get infected is if a flash drive is used between the two computers to transfer data.

    There is some evidence of Spybot S&D on your computer. If you want to uninstall it correctly, please download the installation program and reinstall it over the old version. Then if you want to remove it you can use add/remove programs to uninstall it properly.

    Please remove these three remaining files, of which two are malware and the other is a file belonging to Spybot S&D. Use analyse.exe as you did in Post 8, Step 7:

    O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\ncntpkdn.exe
    O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jownw64m.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    After you click fix, just close hijackthis.

    Now run CCleaner with your browser windows closed and REBOOT your computer.

    If you decide you don't want Spybot on your computer and don't want to uninstall it in the way suggested above, please go to C:\Program Files\Spybot - Search & Destroy and delete the whole folder.

    After you complete the above, run analyse.exe one last time and make sure all the O4 entries have actually been removed. If not, stop here and tell me. If they are gone, then you may proceed with the final cleanup instructions in the box. For the future and just as a note, we do not recommend turning off System Restore during the removal of malware. It can occur that having an infected restore point to return to is a necessary option to get around some special condition that arises unexpectedly.
    abri
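
The HijackThis lines quoted in Post 8 and Post 11 above are a small worked example of how a helper reads such a log: entries ending in "(no file)" or "(file missing)" are orphaned registry references left behind after a scanner deleted the payload, BHOs with "(no name)" lack the display name legitimate add-ons register, and Startup-folder shortcuts that launch executables straight out of system32 are worth a second look. The following script is an added example, not code from the thread or from HijackThis; it parses the lines quoted in the two posts (plus one constructed benign ctfmon.exe line for contrast) and reports which entries trip those three heuristics. The heuristics and the `Entry` structure are this example's own assumptions, and a flag means "review", not "malware".

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the six HijackThis lines quoted in Posts 8 and 11 of this thread,
# followed by one constructed benign line (ctfmon.exe) so the report shows a
# non-flagged entry as well.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {E2727071-F926-40B9-8D21-D1F580FD7E95} - C:\WINDOWS\system32\urqPfGWm.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O20 - Winlogon Notify: xxyaaXRH - xxyaaXRH.dll (file missing)
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\ncntpkdn.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jownw64m.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# "O2 - BHO: ..." -> section tag "O2", remainder "BHO: ..."
HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path ending in .exe/.dll/.lnk, with or without quotes.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\n]*?\.(?:exe|dll|lnk))"?', re.IGNORECASE)


@dataclass
class Entry:
    section: str            # HijackThis section tag, e.g. O2, O4, O20
    text: str               # everything after the section tag
    path: str               # launched/loaded file path, or "" if none found
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Turn one HijackThis log line into an Entry; None for non-entry lines."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, text = m.group(1), m.group(2)
    p = PATH_RE.search(text)
    return Entry(section=section, text=text, path=p.group(1) if p else "")


def analyse(entry: Entry) -> Entry:
    """Attach review flags (assumed heuristics, not a malware verdict)."""
    t = entry.text
    if "(no file)" in t or "(file missing)" in t:
        entry.flags.append("orphaned: target file no longer exists "
                           "(typical leftover after a scanner deleted the payload)")
    if entry.section == "O2" and "(no name)" in t:
        entry.flags.append("unnamed BHO: legitimate add-ons normally register a name")
    if (entry.section == "O4" and t.startswith("Startup:")
            and "\\system32\\" in entry.path.lower()):
        entry.flags.append("Startup-folder shortcut launching an executable from "
                           "system32: unusual for legitimate software")
    return entry


def parse_log(text: str) -> List[Entry]:
    """Parse every entry line of a log and run the heuristics on each."""
    entries = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None:
            entries.append(analyse(e))
    return entries


def flagged(entries: List[Entry]) -> List[Entry]:
    """Only the entries that tripped at least one heuristic."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        status = "REVIEW" if e.flags else "ok    "
        print(f"{status} {e.section:<4} {e.text}")
        for f in e.flags:
            print(f"         - {f}")
```

Run as-is it prints a REVIEW/ok verdict per line. Note that the QuickTime Run entry is reported as ok: the helper in Post 8 removed it as an unwanted autostart, not as malware, which is exactly the kind of judgement these simple string heuristics do not make.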
     
  12. disler

    disler Private E-2

    Abri: I did everything that you said, and when I went to check for System Restore, I saw that it was never turned off!!! I hope that's not a problem.

    Also, I want to install one of the virus software apps that you guys suggest, but the McAfee on my laptop won't uninstall.... I deleted the folder, tried to uninstall it, but it's still on my PC. I also went into regedit and deleted it from the registry, but it's still showing up on the bottom of my screen.

    Also, what would you recommend? I would like to use an application that I can run on one or a selected number of files (like if files have been downloaded) to check for viruses, malware, etc. I saw that you guys recommend having a virus scanner that clears viruses, and a scanner for malware, but I need something that stays active all the time checking for malware, etc., or if not always active, then something where I can select the suspected file and run a check on that one.

    thanks
     
  13. abri

    abri MajorGeek

    Hi disler,

    System restore should not have been turned off until we gave you the final instructions so that was lucky. Be sure you toggle it as per the instructions.

    To uninstall most of the security suites, you have to have a removal tool. Try running this and see if it works: McAfee Consumer Product Removal Tool (SymNRT)

    If that doesn't work, you may have to reinstall it and make sure it is disabled before you run the same tool again. I believe that may have been the problem.

    In the "How to protect yourself from malware" thread listed in the final cleanup instructions, there are three free resident antivirus programs listed. You need to have one of these installed or a paid version or a resident antivirus program. These have different settings. You can have them scan your email or not. You can have them do system scans on a schedule or you can start them manually. They have a list of updates and these will update everyday with the newest known files they need to be looking for. One of the problems with every tool is that they simply don't have a comprehensive list of everything bad that's out there. In the above recommendations, you'll see that we ask you to have a set of anti-malware programs to give yourself the best protection from a lot of different types of malware that can be installed using different entry mechanisms.

    For specific types of files, like email attachments, the resident antivirus programs, your browser settings and your email settings are mostly set up to give you a warning when you try to open something that is a known file type to carry viruses. In some cases, when you attempt to run something which is infected, your antivirus program will kick in, tell you there's a virus in it and ask you how to proceed with it, whether to quarantine it, fix it or delete it. However no anti-malware program alone can catch everything.

    In AVG there's a Scan My Computer button, but there's also a Scan Selected Areas button where you can point the antivirus program at a specific drive or folder that you want to have scanned.

    For specific files or drives or for something external, I like to supplement my resident antivirus program with BitDefender's online scan, which uses Internet Explorer with ActiveX enabled. It is useful for looking at restore points and archived data like zip and rar files.

    I don't think this completely answers your question, but I hope it gives you more information.

    abri
     