still seem to have viruses

Discussion in 'Malware Help (A Specialist Will Reply)' started by veola, Oct 29, 2007.

  1. veola

    veola Private E-2

    Hi,
    I went through the entire list of instructions on the malware removal guide step by step, though I could not get BitDefender to work on my PC. Anyway, after all that I still seem to have some strange web page that opens up on its own every once in a while, although if I scan my PC with AVG antivirus it seems to show no more viruses. I'm attaching the logs as per your instructions. Hope to hear from you all soon.
     

    Attached Files:

  2. veola

    veola Private E-2

    Hi again. I'm attaching the remaining log on this one.
     

    Attached Files:

  3. veola

    veola Private E-2

    Oops!

    Sorry, forgot to attach the HijackThis log in the previous posts. Also, the name of the website that keeps popping up on its own is http://www.zhongguogongyi.com/index.php; it comes with the 'page cannot be displayed (cannot find server)' message.
     

    Attached Files:

    Last edited: Oct 29, 2007
  4. abri

    abri MajorGeek

    Hi veola!
    Welcome to Major Geeks!

    I've asked that your threads be merged and the duplicate be removed. Please use the Post Reply button at the top of your thread rather than going to the Malware Forum listing of all the threads and using the New Thread button. When you need to post more than three attachments, just use the Post Reply button twice.

    Your computer is infected. I need both your newfiles.txt log and your hijackthis log. I managed to see your newfiles log before it got replaced with the hijackthis log. HijackThis was run from a temp folder. This is not the correct place to install it. Please go back to Step 7 of the READ & RUN ME FIRST and install HijackThis as per the instructions. It needs to be installed under C:\Program Files in a folder you create called HJT. After you've installed it into this folder, please go to this folder and find the program called hijackthis.exe. Right-click on this program and select "Rename" and rename it analyse.exe. Then rerun it (Scan with Log) and post the new log to us.

    You have malware problems. I can already see that. While you're redoing HijackThis, I'll look at the other logs which seem to be correct.

    abri
     
  5. veola

    veola Private E-2

    Hi Abri,

    Thanks for replying.
    First off, sorry for not getting all the instructions in your guide right. I must admit I was slightly overwhelmed by the tedious and complicated nature of the whole procedure. Anyway, I did go back and reinstall HijackThis as you asked me to; hope this time you'll get what you want. I also think I'll mention that while I was trying to attach the newfiles log, it kept giving me an error message saying I had already attached it in my previous post. So I went through step 4 of the guide and reinstalled the shownew.zip file. I'm not sure if I should have done this, but at least I can attach the newfiles.txt file to this post now. I really hope I didn't mess things up with that, though.
    As for learning to post threads properly, I guess it'll take me a while to get the hang of it. I'm still quite confused about it as I have never posted on any forums before.

    Hope to hear from you again soon..
    Veola.
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi veola!

    Thanks for persevering. I need some information from you and then I need for you to do some things. I know the READ & RUN ME instructions are not easy the first time you do them. There are some problems with your logs. In a moment I will ask you to install them in a different way and see if it makes things easier.

    1) For the moment, I need the following information. You have some strange-looking files on your computer and I don't know what they are, so I need for you to click on either or both of the following links and upload these single files one at a time to websites where they can be scanned for viruses.

    The names and pathways of the files are these:
    Click on either of these links, jotti or VirusTotal, and upload the above files into the little window on that webpage with the "Browse" button next to it. By clicking on the Browse button, it will allow you to find this file on your computer, and once you've found it and highlighted it by clicking on it, click on the submit button. (At the moment the VirusTotal website doesn't seem to be quite as busy as the Jotti website, so you don't have to wait as long for your turn.)

    Please let me know if they contain any viruses, and if so, please copy the results if you can or tell me the specific names of the viruses and which companies identified them. When you finish, you should be able to give me 4 results, one for each of these files.

    2) When you finish with that I would like for you to run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions!! including the one you are reading in right now:
    After clicking Fix, exit HJT.

    3) After you finish the above I will ask you to uninstall some things, but first, I would like for you to install the tools we're using in a different way, because I don't think you have them installed correctly. Please go to this link and find the tools that are the correct ones for your operating system which is Windows XP: USING MG TOOLS

    This will download a set of tools with the name MGTools.exe. To run all the tools, you only have to double click on this MGTools.exe file which will be in the root directory (the directory where your operating system is). They don't take long to run and they will produce a zipped file of all the logs called MGTools.zip. Please upload this one zip file with your next post along with the results of the virus scan. I'm sorry that you were caught in the transition between the old way of doing things which is more time-consuming and difficult and the new way, which is still being worked on. The new tools will allow me to get a better look at your uninstalls list which is not showing properly in your ShowNew log.

    Please ask if you have any questions. The next information should be included in your next post or posts:

    4 reports on the above files
    1 log for MGTools.zip

    abri
     
  7. veola

    veola Private E-2

    Hey Abri,

    Thanks for getting back to me so soon. Well, here's the report.

    1) For the file 49400WL.dll in C:\Windows\, the website VirusTotal showed a message saying 'The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file.'
    I retried a couple of times, making sure my firewall was turned off, but every time it kept showing the same message.

    2) As for the file 49400MM.dll, strangely enough I did not find it anywhere despite searching over and over again. I even ran the search engine on my PC but with no results. Are you sure it's in C:\Windows\ and not in some other sub-directory?

    3) The third file C:\WINDOWS\system32\drivers\cdralw.sys gave me the following results on VirusTotal:
    AntiVir - TR/Rootkit.Gen
    Avast - Win32:Agent-BQC
    BitDefender - Win32.Almanahe.D
    eTrust-Vet - Win32/Almanahe!generic
    Ikarus - Virus.Win32.Agent.BQC
    NOD32v2 - Win32/Alman.NAD
    Webwasher-Gateway - Win32.NewMalware.EW!15872!3

    4) And the fourth file you mentioned (C:\WINDOWS\system32\eth8023.sys) thankfully seemed to show no viruses on the VirusTotal scan.

    Phew! So that's that. Plus, you'll find the attached .zip file you asked for in this message.

    Thanks for helping so far,
    Veola.
     

    Attached Files:
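
An added example, not code from this thread or from MajorGeeks, of the offline triage a helper might run on a list of suspect paths before anyone uploads them to a multi-engine scanner: for each path it reports whether the file exists, its size, its SHA-256 hash, and whether the file is marked hidden, and it separates a missing file from a zero-byte or unreadable one, which is the symptom behind the "0 bytes" upload response quoted above. Hashing first also lets you look a file up by hash instead of uploading it. All names (`triage`, `build_sample_dir`, the sample file names and contents) are constructed for the example; nothing on disk is modified by the check itself.

```python
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical helper names; nothing here comes from the thread's tools.


@dataclass
class FileReport:
    path: str
    exists: bool
    size: Optional[int]
    sha256: Optional[str]
    hidden: bool
    note: str


def sha256_of(path: str, chunk: int = 65536) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def is_hidden(path: str) -> bool:
    """Hidden attribute on Windows (st_file_attributes); dotfile convention elsewhere."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 2))
    return os.path.basename(path).startswith(".")


def triage(paths: List[str]) -> List[FileReport]:
    """Report on each suspect path without changing anything on disk."""
    reports: List[FileReport] = []
    for path in paths:
        if not os.path.isfile(path):
            reports.append(FileReport(path, False, None, None, False,
                                      "not found: already removed, or the name/location differs"))
            continue
        size = os.path.getsize(path)
        hidden = is_hidden(path)
        try:
            digest = sha256_of(path)
        except OSError as exc:
            # A locked or access-denied file cannot be read, let alone uploaded.
            reports.append(FileReport(path, True, size, None, hidden,
                                      f"unreadable ({exc.strerror}): another process may be holding it"))
            continue
        if size == 0:
            note = "zero bytes: nothing to scan; matches the '0 bytes' upload response"
        else:
            note = "readable: look the hash up before uploading the file itself"
        reports.append(FileReport(path, True, size, digest, hidden, note))
    return reports


def build_sample_dir() -> List[str]:
    """Constructed sample: one normal file, one empty file, one path that does not exist."""
    base = tempfile.mkdtemp(prefix="triage_demo_")
    normal = os.path.join(base, "sample_driver.sys")
    empty = os.path.join(base, "empty_library.dll")
    missing = os.path.join(base, "never_created.dll")
    with open(normal, "wb") as fh:
        fh.write(b"abc")  # constructed content, not a real driver
    open(empty, "wb").close()
    return [normal, empty, missing]


if __name__ == "__main__":
    for report in triage(build_sample_dir()):
        print(f"{report.path}\n  exists={report.exists} size={report.size} hidden={report.hidden}"
              f"\n  sha256={report.sha256}\n  {report.note}")
```

Run it as-is to see the three cases; to use it on real paths, replace `build_sample_dir()` with your own list. A zero-byte or unreadable result on a file that Explorer shows with a non-zero size is worth mentioning in the reply, since it is exactly the situation the helper here was asking about.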

  8. abri

    abri MajorGeek

    Hi Veola,
    It would be good if you don't use your computer for any downloads including music files until we can identify the new files being installed on your computer.
    Thanks!
    abri
     
  9. abri

    abri MajorGeek

    Hi veola,
    I have a set of instructions for you, but I want to make sure about the files before I post them to you. Please do the following.

    1) Please go into Windows Live messenger and turn off the Customer Experience Improvement Program. To do this, go to Help -> Customer Experience Improvement Program then turn it off. This will prevent a lot of unnecessary logs being generated and taking up space on your computer.

    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    3) Have you recently used or downloaded something called CDCreator? Or some type of cd or music downloading software?

    Thanks for this information.
    abri
     
  10. veola

    veola Private E-2

    Hey Abri,

    I've done the things you asked for. I'm pretty sure I never downloaded any software called CDCreator. The only music downloading software I use is LimeWire. I used to have something called Soulseek, which I removed recently. And Nero is the only software I use for writing/burning CDs.
    Also thought I'd mention that when I ran AVG today it was able to detect all those files you told me to scan on VirusTotal. It was able to delete those files automatically. Is that a positive sign? I'm sure I might still have some unwanted stuff on my PC anyway and will appreciate whatever you can do to help get rid of it.

    Thanks.
     
  11. abri

    abri MajorGeek

    Hi Veola!
    Yes! Definitely good news about AVG. Something must have been blocking the fixes. Please do the below and then run the MGTools.exe file again to get a fresh MGTools.zip file to post to us. Don't worry that I still have the files listed. I want confirmation that Avenger doesn't find them.

    1) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    2) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    3) After you have completed the above, please attach the following logs and let me know how your computer is doing..
    • Avenger log
    • MGTools.zip


    abri
     
  12. veola

    veola Private E-2

    Hey Abri,

    Attaching the files you asked for. Avenger seemed to give some error message. Anyway, let me know what you think. My computer is doing a lot better now. It's a lot faster than it used to be, and that website that used to open up by itself doesn't appear to do so anymore. :) Hope you have good news to give me next.
     

    Attached Files:

  13. veola

    veola Private E-2

    Oops, oops, oops!
    Sorry, ignore the last post. I didn't run Avenger properly; I skipped copying 'delete files' from the quote box. Anyway, I ran it all over again along with MGTools. I'm attaching both logs once again.
     

    Attached Files:

  14. abri

    abri MajorGeek

    Hi veola,

    I'm glad to hear your computer is working better. The eth8023.sys file came back, but since the report from VirusTotal didn't find any viruses in it, I'm not going to worry about it. I can't see anything further in your logs that looks like malware. One thing I've noticed is that your list of Windows updates in the uninstalls list is shorter than usual. If you're missing updates, please install them after you finish our final cleaning instructions and after you've set a clean restore point. I'll give you instructions for how to do this in just a moment. First you will need to uninstall the tools we used here from two different places, because you got caught between our old way of doing things and the new way.


    1) Please go to add/remove programs and uninstall the following

    - Counterspy <-------- we no longer need this
    - HijackThis <---------- (if this is not in add/remove programs, please uninstall it as per the instructions in the following box)


    2) After you've done this, please go to Windows Explorer and delete any of the following you find:
    C:\MGTools.exe
    C:\MGlogs.zip
    C:\avenger.txt
    C:\newfiles.txt
    C:\runkeys.txt
    C:\avenger.zip
    C:\MGTOOLS (the whole folder)
    C:\Documents and Settings\ishani\Application Data\Sunbelt Software
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software


    If you get any error messages regarding changes in the registry, this will be in connection with deleting HijackThis if it isn't uninstalled first. It should complete, but please let me know how that goes.

    3) After you've completed the above, I would like for you to REBOOT your computer and tell me how it's running. If the deinstallation of the tools gave you any error messages, just wait for me to post to you before you continue.

    4) After this, if everything seems to be in order, I need for you to set a clean restore point by doing the following:

    For Windows XP:

    1: Right click on the My Computer icon on your desktop and select properties.
    2: Click on the system restore tab.
    3: Check the box that says "Turn off system restore on all drives". Click OK.
    4: Click Yes when you are prompted to restart the computer
    5: To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box.

    5) Once you've set a new restore point, please read through How to Protect Yourself from Malware

    6) And finally, get any Windows updates you might be missing. You can have them installed automatically or you can do them yourself manually and select those which are important for your system. There are articles on each one.

    abri
     
    Last edited: Nov 2, 2007
  15. veola

    veola Private E-2

    Hi Abri,

    Thanks for all your help. I went through your final cleaning instructions and also through the 'How to protect your system from malware' guide. I have installed a new firewall and also the recommended spyware protection scanners. Anyway, there is one more thing that I'd like to clear with you.
    The firewall (Comodo) I installed gave this message when I rebooted my system: "C:\Program Files\Msn Messenger\msnmsgr.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications". I remembered the svchost.exe file was mentioned in one of your posts, so I thought I'd just let you know about it. Is that a reason for me to worry? Also, I had noticed that every time I was booting my computer recently, when I get the user account log-in screen, it'll display how many messages I have in my Hotmail inbox below my name. It'll say something like '35 unread messages' or whatever number of messages I have in my inbox, and I would wonder how my computer knows that even before logging on to the computer or signing into Hotmail.

    Other than that, everything else seems OK. Let me know what you think.
    Bye.
     
  16. abri

    abri MajorGeek

    This will give you more information about that. If it is a legitimate program like the msn messenger trying to connect, then you can safely allow it. Here is more information:
    http://forums.comodo.com/frequently...ceiving_comole_automation_alerts-t9521.0.html


    No. svchost.exe will appear a number of times among your other running processes. It is needed.

    Oh dear. This is Microsoft. Windows is Microsoft. MSN is Microsoft. Hotmail is MSN. I would ask you to post this question in the software forum. There is probably a way to set your computer to quit doing this.

    :)
    abri
     
  17. veola

    veola Private E-2

    Lol. Anyway, thanks once again for all your help. I'm glad my computer is finally doing well and there's nothing to worry about.

    Veola
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Be sure you go through the How to Protect Yourself from Malware thread to prevent future infections.

    Surf Safely!
     
