Request for Malware Removal Help

Discussion in 'Malware Help (A Specialist Will Reply)' started by Tree63, Jul 17, 2006.

  1. Tree63

    Tree63 Private E-2

    My laptop may well be beyond help, so this is my last-ditch effort before reformatting. I've been running all sorts of scans, from ewido to trend micro to the standard ad-aware, spybot, etc. They all find things, but my computer keeps getting worse. I've been infected for a few weeks now. Today my boot drive was corrupted, so I found my XP CD and reinstalled that, and I (just as I was coming to this website) lost my internet access. I'm working from my PC now, since the laptop won't connect to the internet.

    I went to the "Read Me" website (http://forums.majorgeeks.com/showthread.php?t=35407) but I couldn't do a lot of the steps. I'll go through what I did in order though:

    Step 0 - Completed
    Step 1 - N/A
    Step 2 - Completed
    Step 3 - Uninstalled McAfee and installed AVG a couple weeks ago
    Step 4/5 - I lost my internet access, and all my CD-Rs, so I only have parts of this step done. I don't have CC Cleaner, so I didn't run that. Ad-Aware cannot finish a scan. It freezes deep scanning at the same place each time. Spybot ran successfully. Windows Defender won't run, although I'm pretty sure I have SP2 installed. The Windows Malicious Software Removal Tool - I'm pretty sure I ran.
    Step 5 - I am currently in safe mode on my laptop.
    Step 6 - With no internet, I could not complete this.

    My HijackThis log is attached.

    Basically my problem started with my computer running VERY slowly. It took Windows about 4x as long to load, and my IM windows would randomly freeze for a good 30 seconds. Videos would freeze too, until the computer caught up. Only lately have things started to crash. I ran some diagnostics thing and got the following error codes (I have a Dell):
    00F0:0240
    00F0:1A40
    00F0:1A44
    and it seems like I had another one too, but I can't find the paper :)

    Any direction/help/bashing would be greatly appreciated.

    Thanks a bunch,
    Tree63
     

    Attached Files:

  2. Tree63

    Tree63 Private E-2

    Any ideas? :)
     
  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please don't bump your thread. Threads are answered oldest to newest, and by replying to your own thread you just move it further up the queue.

    This forum is staffed by volunteers; how often and when we are here depends on how much free time we have.

    You are going to need to download and install tools on your computer. Download the tools from the computer you are using, and copy them to a USB thumb drive. Then install the tools on the infected computer.

    HijackThis is not properly installed as per Step 7 of the procedure. Move HijackThis to C:\Program Files\HJT.

    Post a fresh HijackThis log.
     
  4. Tree63

    Tree63 Private E-2

    Alright, I did my best here.

    Got CCcleaner to run, got the malicious software tool to run, got spybot to run.

    Ad-aware still failed, and neither defender nor counterspy would install in safe mode. Strangely enough, the computer won't let me boot in regular mode - it won't give me the option :) It still won't connect to the internet (even if I could go choose safemode with networking, which I can't), so the online tools can't be run.

    I moved my HJT to the correct location, and I'm posting my updated log.

    Thanks!
     

    Attached Files:

  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    It appears that MSCONFIG is responsible for forcing you into Safe Mode.

    Do the following:
    Start -> Run
    type msconfig
    Click 'OK'

    Make sure that Normal Startup is enabled.

    REBOOT

    Did the computer reboot in Normal Mode?
     
  6. Tree63

    Tree63 Private E-2

    It did reboot in normal mode. Tried to run Counterspy but it installed, then froze on the loading screen. Still can't get internet on it - so no online scans.

    Probably don't need a new log. Any idea what might be killing my computer?
     
  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Post a fresh HijackThis log from Normal Mode. That will give me a better idea of what we are dealing with.
     
  8. Tree63

    Tree63 Private E-2

    Sure thing mate. Here it is.
     

    Attached Files:

  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    << The installed version of Java on this computer is outdated. Install version 1.5.0_07, available from http://www.java.com/en/download/manual.jsp. Uninstall all older versions of Java on your computer before installing the latest version of Java. >>

    In HJT, choose Open the Misc Tools Section, choose Process Manager, and highlight:
    Choose Kill Process

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into Killbox one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X; it will ask you to confirm the file for deletion. Say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note that many of the files listed below may not exist, but we need to check for them anyway.
    If Killbox does not reboot, or you get a "Pending Operations" type error message, just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer, navigate to, and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP, delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  10. Tree63

    Tree63 Private E-2

    A .dll file called tcshellex.dll could not be deleted from TheCleaner folder. I manually deleted everything else in the folder.

    Also, I had no idea where the rundll32.exe file was supposed to be.

    I searched the computer and found 4 of them. Their locations follow:
    C:\1386
    C:\Windows\System32
    C:\Program Files\Musicmatch\Musicmatch Jukebox
    C:\Windows\ServicePackFiles\i386

    I didn't want to delete the wrong one, so none are deleted. An updated log is attached.
     

    Attached Files:

  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Killbox deleted the correct file: rundlI32.exe. The last l isn't an l but an I. Anyway, it's no longer showing in HijackThis.

    You can use Pocket Killbox to remove tcshellex.dll.

    Then in Safe Mode delete C:\Program Files\The Cleaner.

    << The installed version of Java on this computer is outdated. Install version 1.5.0_07, available from http://www.java.com/en/download/manual.jsp. Uninstall all older versions of Java on your computer before installing the latest version of Java. >>

    It's extremely important to keep the version of Java you are using current. There are many forms of malware that take advantage of flaws in older versions, including the version you are running.

    How is your computer running?
     
  12. Tree63

    Tree63 Private E-2

    Sorry, must've just glanced past the Java thing in the previous post. All old Java files are uninstalled and the new one is in. Tcshellex.dll is gone, as is The Cleaner folder.

    The computer is still booting very slowly. It used to lock up for ~20 seconds at a time, but it hasn't done that since the changes. However, I should note that it usually locks up while I'm online - and I am still unable to get online. I typically use wireless, but I can go through the LAN too. It's not recognizing my wireless at all; it will recognize the connection when I plug it in directly, but it'll just send about 68k packets and receive zero.

    I use Intel PROSet/Wireless and Windows to connect to my wireless. Intel's program says, "No supported wireless adapters available in the system." Windows says, "No wireless networks were found in range. Make sure the wireless switch on your computer is on." I don't know if I have a switch, but my card is inside the laptop, so I doubt I could turn it on (or off, for that matter).

    If you have any more advice, I'd love to hear it. I'm going to see if I can finish my ad-aware scan now, and I'll run a few other scans to see if I can give you a little more to work with.

    -T63-
     
  13. Tree63

    Tree63 Private E-2

    Yeah, it's still being pretty slow in operating. Definitely not acting like it's got that gig of RAM.
     
  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, let's take a deeper look at your system.

    Follow the directions for Using GetRunKey and Using ShowNew.

    Post both runkey.txt and newfiles.txt, as attachments, when finished.
     
  15. Tree63

    Tree63 Private E-2

    As I thought, Ad-aware didn't want to finish its scan. Logs for the two above are attached.
     

    Attached Files:

  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Post a fresh HijackThis log. I want to double check something.
     
  17. Tree63

    Tree63 Private E-2

    No problem boss.
     

    Attached Files:

  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop. DO NOT run it at this time; we will do that later in Safe Mode.
    Close Notepad.

    Now Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into Killbox one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X; it will ask you to confirm the file for deletion. Say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note that many of the files listed below may not exist, but we need to check for them anyway.
    If Killbox does not reboot, or you get a "Pending Operations" type error message, just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP, navigate to, and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Now run CCleaner. If you have Windows XP, delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.

    How is your computer running?
     
  19. Tree63

    Tree63 Private E-2

    Um. I think I did something bad. I've been running killbox out of my thumb drive. Well, I made a typo in killbox the first time and deleted
    C:\Windows\system32\svchost.exe
    instead of
    C:\Windows\system32\svchosts.exe

    I didn't copy/paste since I'm working off a different computer, so I've been entering everything manually. I made a typo and the computer started to shut down. Now I can't run killbox from my thumb drive, or copy it from the drive to the laptop.

    The error I'm getting is:
    System Error &H800706BA (-2147023174). The RPC server is unavailable.

    I'm sorry - I feel really stupid. I didn't even get through all the *actual* stuff I was supposed to kill in killbox.
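Two things in this thread bite the same way: the malicious rundlI32.exe, spelled with a capital I so that it passes for rundll32.exe (post 11), and the hand-typed Killbox path that removed svchost.exe instead of svchosts.exe (post 19). The Python script below is an added example, not a tool used in this thread or maintained by MajorGeeks. It flags file names that imitate core Windows binaries through look-alike characters or a one-character variant, and it guards a manual deletion list against exactly the typo that happened here. The list of core binaries, the homoglyph map, the sample paths and the approved deletion list are constructed for the example; exact-name copies of a binary outside System32 (the i386 and ServicePackFiles copies found in post 10) are deliberately not flagged, because they are normal.

```python
"""Flag file names that imitate core Windows binaries, and guard a manual
deletion list against typos. Added example; assumptions are marked."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed, short list of core Windows binaries (lower-case names).
CORE_BINARIES = {
    "svchost.exe", "rundll32.exe", "explorer.exe",
    "lsass.exe", "csrss.exe", "winlogon.exe",
}

# Characters that pass for one another in common UI fonts (constructed map).
# Capital I -> l must be folded before lower-casing, so normalize() does that first.
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})


def normalize(name: str) -> str:
    """Fold look-alike characters, then lower-case: 'rundlI32.exe' -> 'rundll32.exe'."""
    return name.translate(HOMOGLYPHS).lower()


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; used to catch one-character variants such as svchosts.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    path: str
    name: str
    mimics: str
    reason: str


def check_path(path: str):
    """Return a Finding if the file name imitates a core binary, else None."""
    name = PureWindowsPath(path).name
    lower = name.lower()
    if lower in CORE_BINARIES:
        # Exact name: legitimate copies also live in i386 / ServicePackFiles.
        return None
    folded = normalize(name)
    if folded in CORE_BINARIES:
        return Finding(path, name, folded, "look-alike characters")
    for canon in sorted(CORE_BINARIES):
        if levenshtein(lower, canon) == 1:
            return Finding(path, name, canon, "one-character variant")
    return None


def scan(paths):
    """Run check_path over a list of paths and keep the findings, in input order."""
    return [f for f in map(check_path, paths) if f is not None]


def deletion_allowed(typed_path: str, approved_paths):
    """Guard for a hand-typed deletion: the path must appear verbatim on the
    approved list (case-insensitive), and must never be a core binary in System32."""
    typed = typed_path.strip().lower()
    if typed not in {a.lower() for a in approved_paths}:
        return False, "not on the approved list (possible typo)"
    p = PureWindowsPath(typed)
    if p.name in CORE_BINARIES and str(p.parent).endswith("\\system32"):
        return False, "core Windows binary in System32"
    return True, "on the approved list"


# Constructed sample listing, modelled on the names that appear in the thread.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\rundll32.exe",                          # genuine
    r"C:\WINDOWS\system32\rundlI32.exe",                          # capital I look-alike
    r"C:\WINDOWS\system32\svchosts.exe",                          # extra character
    r"C:\Program Files\Musicmatch\Musicmatch Jukebox\rundll32.exe",  # exact name elsewhere
    r"C:\WINDOWS\system32\svch0st.exe",                           # digit zero look-alike
]

# Constructed approved deletion list (the two bad names from the thread).
APPROVED = [r"C:\Windows\system32\svchosts.exe", r"C:\WINDOWS\system32\rundlI32.exe"]

if __name__ == "__main__":
    for f in scan(SAMPLE_PATHS):
        print(f"{f.path}: mimics {f.mimics} ({f.reason})")
    for typed in (r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\svchosts.exe"):
        print(typed, deletion_allowed(typed, APPROVED))
```

Run against the constructed listing, scan() reports rundlI32.exe and svch0st.exe as look-alikes and svchosts.exe as a one-character variant, while both genuine rundll32.exe copies pass. deletion_allowed() refuses the mistyped svchost.exe path because it is not on the approved list, which is the check that would have prevented the deletion in the post above; pasting paths rather than retyping them removes the same risk.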
     
  20. Tree63

    Tree63 Private E-2

    Oh, and out of curiosity, I tried to open a Windows Media file and got the error: Can't perform operation, low memory.

    Not sure if that helps or not. I have my XP CD in the drive right now, so if I need a file out of there - it's easy.
     
  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Start -> Run
    type sfc /scannow
    click 'OK'
     
  22. Tree63

    Tree63 Private E-2

    Ran it twice but it didn't say anything. Tried to boot killbox again, and got the same message.
     
  23. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Look in C:\!KillBox for the backup of svchost.exe. Copy to C:\Windows\system32
     
  24. Tree63

    Tree63 Private E-2

    It won't let me drag anything from the folder.

    Can I copy it through the DOS commands?
     
  25. Tree63

    Tree63 Private E-2

    Figured out how to copy through DOS. Backtracking now and doing what you said to do in that long post.

    I think this virus is uninstalling my drivers. Windows media is saying that there's a problem with the "sound device" now. Bleh.
     
  26. Tree63

    Tree63 Private E-2

    Got my sound working again by installing my Dell drivers. Tried to do the same with my Broadcom and Intel PROSet drivers, but my internet still won't work. Seems like the computer is still running slowly, but for sure it's better than it was.


    Here's the log:
     

    Attached Files:

  27. Tree63

    Tree63 Private E-2

    I'm pretty much an idiot, but I really don't think my internet problem has to do with my system. I think my card is fried. I emailed Dell (I'm still under hardware warranty) and I'm having them replace it.

    Of course, I'm still not sure why my computer is slower, or Ad-aware won't finish a scan. *shrug*
     
  28. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  29. Tree63

    Tree63 Private E-2

    Here she is.

    It's hot. Ugh.
     

    Attached Files:

  30. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop. DO NOT run it at this time; we will do that later in Safe Mode.
    Close Notepad.

    Reboot to Safe Mode.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Reboot to Normal Mode.

    How is your computer running?
     
  31. Tree63

    Tree63 Private E-2

    Still locking up and taking forever to load stuff.
     
  32. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    There is nothing in your logs that indicates this is malware.

    Let's start at the beginning, and get all new logs.

    Run through the Read Me First again, and post the logs.
     
