Various Malwares found and I can't get it clean! Help ME please!

Discussion in 'Malware Help (A Specialist Will Reply)' started by brunobru, Oct 31, 2007.

  1. brunobru

    brunobru Private E-2

    Hello and thank you to anyone who can help me.
    My pc has recently come to a crawl, along with notifications from NIS that my passwords & credit card #'s were trying to escape my computer! I've run so many scans and now am stuck:( I ran SpywareDoctor and it first came out dirty saying I have Trojan-PWS.Tanspy and I've read that it's a keylogger and password/account stealer. I then ran DrWeb-Cureit and found something and apparently fixed it because it came clean on the second scan. Because so many scans are involved, this is what I've done (and btw, I did follow the Read & Run Me First instructions here at MajorGeeks as well)...

    spybot = clean
    spyware doctor = dirty (trojan-pws.tanspy)
    drweb-cureit = dirty (adware.SpywareStorm, in system restore, so I deleted it)
    counter Spy = clean
    spysweeper = dirty (dp trojan and brilliant digital adware) apparently fixed?
    kaspersky online scan = clean
    smitfraud = dirty
    combofix = dirty
    haxfix = dirty (matching services for Haxdoor)

    All of these scans were done in safe mode except for kaspersky online scan and hijack this. I have a hijack this log that I can attach, I'm not sure how many logs I should put here, but I'll give it a whirl and hope I didn't do anything wrong. Oh yes and I forgot to save some of the logs (or didn't know how) but wrote most everything down. I couldn't upload the spyware dr file because it's html, htm or xml formats which I guess are not allowed. Help would be soooo much appreciated!
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Based on your HJT log you have not properly run the READ ME. I see HijackThis installed incorrectly and I see multiple antivirus programs installed. I see Kaspersky 6.0 and Symantec. Also you did not attach all of the logs requested in the READ ME. You did not attach these:
    • CounterSpy (or AVG Antispyware if you could not run CounterSpy)
    • BitDefender OnlineScan
    • PandaActiveScan
    • GetRunKey
    • ShowNew
    Thus here is what you need to do
    1. Uninstall all but one antivirus per the instructions in step 3 of the READ ME
    2. uninstall the below if they are trial/free programs
      • spyware doctor
      • drweb-cureit
      • spysweeper
    3. Get the logs from the 5 programs mentioned above.
    4. Install and rename HijackThis properly per step 7 of the READ ME and attach a new log from it too.
    Note: Your logs from SmitFraudFix and ComboFix were clean not dirty.
     
  3. brunobru

    brunobru Private E-2

    Hi chaslang and thank you for replying! Panda active scan and bitdefender online scan will not run, that's why I ran Kaspersky online scan. I only use one anti-virus (norton internet security), not Kaspersky...that was from the kaspersky online scan that I listed in the thread.
    Ooops, I missed the link about installing HJT differently, I've always read to have it in its own folder on the C: drive which I did, let me make some corrections and I'll post back with the logs. (I didn't post CounterSpy log because it came out clean, but I guess I should have posted it anyway).

    Regarding this...
    Note: Your logs from SmitFraudFix and ComboFIx were clean not dirty.

    Is it because smitfraud fixed it? because it said it found hklm\system\ccs\services\tcpip\...and 2 other registry entries?
    And Combofix found mountpoints2? or are these legitimate? And what does combofix-quarantined-files.txt mean when it lists items? I'm confused about that. Thank you so much for helping me:):):)
     
  4. brunobru

    brunobru Private E-2

    Ok I'm pretty sure I have everything...the CounterSpy...I was wrong about it being clean, I must have gotten lost in all the scans and also I couldn't quarantine or do any options with all it found, unless I just couldn't find it. So the log says Ignored. How do you set it to quarantine??
    I looked up the Kaspersky 023 service (from the hjt) and it pointed to kaspersky anti-virus 6 which I had uninstalled over a year ago, but apparently it only partly uninstalled, so I had to use the KisKav6 removal tool today which took care of it (couldn't manually delete anything because of access denied).
     


  5. brunobru

    brunobru Private E-2

    more logs...(sorry)

    I forgot to mention that some logs, I think counterspy show bearshare and party poker but I got rid of those programs a long time ago however I see they are still partially hanging around...
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you use Internet Explorer?

    I only use one anti-virus (norton internet security), not Kaspersky...that was from the kaspersky online scan that I listed in the thread.

    That is not what I'm referring to. I saw a service from Kaspersky in your first HJT log:
    But now you have removed it so all is good with this.

    What log are you referring to? The log you posted from SmitFraudFix does not show any problems and you only posted the log from step 1 which is a scan not a fix.

    Normal. Logs do not just show problems. They show a lot of other valid information too.

    If ComboFix fixes anything, it puts it into a backup type file which is what the combofix-quarantined-files.txt file shows you. The log you posted from ComboFix does not indicate anything was fixed/deleted.
     
    Last edited: Nov 2, 2007
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes & it found Morpheus too and you did not fix them. You need to run CounterSpy again and this time Quarantine or delete all the things it found. And you need to then attach a new log. Why did you say CounterSpy came out clean when it had not?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Other than what was reported by CounterSpy, your logs are clean. You show no evidence of Trojan-pws.tanspy.
     
  9. brunobru

    brunobru Private E-2

    Yes I use IE7, and the panda activescan used to run on it. It now stops at Scan Now (after it loads the engine and definitions database).

    Sorry, I was referring to the Smitfraudfix scan...it gave me two logs from the one scan but I didn't know which one to post. I'll post the second log of smitfraud and I'll rescan with the CounterSpy but hopefully I can get it to quarantine or delete.

    That is good but why then, did Spyware Doctor tell me I had the Trojan-pws.tanspy located here: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\control panel\load

    Does the trial version of Spyware Doctor fix it? Sorry, my scans found so many things wrong, but some of the scans fixed them along the way, before I posted here. Thanks again, and I'll post back with scan results.
     
  10. brunobru

    brunobru Private E-2

    Alright, now I know why I can't quarantine the CounterSpy...I run it in safe mode as instructed in the ReadMe, but when it's done scanning after about 3 hours, it finds lots of things to be fixed, I click on the Results button and the window comes up empty, so I click on Set a Single Action for All Items, and then choose Quarantine all, but there are no items in the window to select and quarantine or delete :confused. So my only choice after that is to Exit (there is a Clean button but it's useless since I can't select any malware to be cleaned).

    So now I will be gone most of the weekend, so will have to post in two or three days, and I assume I will have to run CounterSpy in normal mode instead of safe mode. I will also retry bitdefender and panda online scans after the counterspy, maybe they will run then.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes try running CounterSpy in normal boot mode and see if you can Quarantine or Delete what it finds.

    Note: I will be on vacation until Sunday 11/11/2007. One of our other Malware Fighters will
    hopefully have the time to continue this thread.
     
  12. brunobru

    brunobru Private E-2

    Have fun on your vacation chaslang. Hopefully someone can finish with me.

    CounterSpy ran successfully in normal boot mode and I quarantined/deleted the malware and attached the log file.

    I was able to get Bitdefender online scan to run but unfortunately my hubby closed it without telling me first..arghh. He said it reported no infections and apologized for the inconvenience...way to go hubby! So no report from that.

    I also attached the other log from smitfraudfix just in case you need to see it.

    I will try panda activescan tonight.

    Thank you
     


  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please attach fresh logs from ShowNew, GetRunKey & HijackThis and we will continue.
     
  14. brunobru

    brunobru Private E-2

    I wanted to say that my credit card info is still trying to escape almost every time I send an email and also when I uploaded my log files the last time I was here. Also, I found 2 very suspicious files on the root C:\

    c:\9AA.tmp (properties are 1.90GB, 7/20/07 10:27 a.m.)
    c:\19F7.tmp (1.90GB, 7/20/07 11:39 a.m.)

    I do have a question...when I ran HijackThis just now, CounterSpy alerted me that HijackThis (analyse.exe) was changing the System INI file and asked whether I should "allow or deny", so I denied it several times. I've never come across this before (CounterSpy is new to me), is this a normal action for HijackThis?

    I am going to give Panda ActiveScan another try today, but it takes hours to complete so I'll post back when I get the results.

    Thanks for your help
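    A defender-side triage check for the two indicators brunobru reports in this thread: the registry "load" location that Spyware Doctor named in post 9, and the two oversized .tmp files in the root of C:\ named above. This is an added example, not code from the thread or from either poster, and it assumes PowerShell 4.0 or later (for Get-FileHash) running elevated on the affected machine. The registry path is taken exactly as quoted in the thread, with "load" assumed to be a value under the "Control Panel" key; the example also checks the documented per-user Load and Run values under Windows NT\CurrentVersion\Windows, which go beyond the thread. It only reads and reports, so it is safe to run before deciding what to remove.

```powershell
# Added triage example (not from the thread): inspect the indicators reported in the
# thread without deleting anything. Assumes PowerShell 4.0+ in an elevated session.
$report = @()

# 1. Registry "Load" locations. The first path is the one Spyware Doctor reported in the
#    thread (assumed to be a value named "load" under the "Control Panel" key); the second
#    is the documented per-user autostart location checked by tools such as Autoruns.
$loadKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel',   # as quoted in the thread
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'        # standard Load/Run location
)
foreach ($key in $loadKeys) {
    foreach ($name in 'Load', 'Run') {
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($value) { $detail = [string]$value } else { $detail = '(value absent: nothing set to auto-load)' }
        $report += [pscustomobject]@{
            Kind   = 'Registry'
            Item   = "$key\$name"
            Found  = [bool]$value
            Detail = $detail
        }
    }
}

# 2. Oversized .tmp files in the root of C:\ (the thread reports two 1.90 GB files).
#    Record size, timestamps and a SHA-256 so each file can be looked up before any
#    decision; a large .tmp in the drive root is unusual but is not by itself proof of malware.
$bigTmp = Get-ChildItem -Path 'C:\' -Filter '*.tmp' -File -Force -ErrorAction SilentlyContinue |
          Where-Object { $_.Length -gt 100MB }
foreach ($f in $bigTmp) {
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    $report += [pscustomobject]@{
        Kind   = 'File'
        Item   = $f.FullName
        Found  = $true
        Detail = ('{0:N2} GB, created {1}, modified {2}, SHA256 {3}' -f ($f.Length / 1GB), $f.CreationTime, $f.LastWriteTime, $hash)
    }
}

$report | Format-Table -AutoSize -Wrap
```

    A populated "Load" value is worth checking against the autostart entries HijackThis and GetRunKey already list; an absent value is the normal state. For the .tmp files, the hashes let you compare them against the quarantine logs from CounterSpy and ComboFix before removing anything.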
     


  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.

    Step 1:
    Please look in Add/Remove Programs for the following and uninstall if found. If you get any errors just make a note and proceed.

    Step 2:
    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    Again, make sure ALL browser windows are closed when you click FIX.

    Step 3:
    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Step 4:
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    Step 5: Begin here after rebooting from Step 4!
    Next Reset Web Settings & Default Security Settings

    Note for IE 6 users:
    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK

    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites. For IE 7 users, simply click the "Reset all zones to default level" button.

    Note for IE 7 users:
    Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.


    Step 6:
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    Step 7:
    After you have completed ALL of the above in the correct order, please attach the following logs.
    • HijackThis Log
    • ShowNew Log
    • GetRunKey Log
    • Avenger Log
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
    Last edited: Nov 5, 2007
  16. brunobru

    brunobru Private E-2

    I am stuck on step 4. Avenger process isn't working...it's fine until after reboot, then a cmd window opens and says
    c:\avenger\1.reg

    c:\avenger\2.reg

    the system cannot find the file specified.
    zip warning: c:\backup.reg not found or empty
    adding: avenger/backup.reg

    The other message is a windows error message

    windows error message *Windows-No Disk* Exception Processing Message c0000013 Parameters 75b6bf9c 4 >5b6bf9c< 75b6bf9c
    *Cancel* *Try Again* *Continue*
    I chose continue

    I looked in c:\backup.zip and it has *backup.reg* in it. Should I run this?

    After I chose Continue, cmd window closed, notepad opened and said "cannot find the avenger.txt file. Do you want to create one?" I chose Yes, but the file was empty.

    I looked for those files that were to be deleted using Avenger and they are still there. Should I use Killbox or where do we go from here because I have not continued past this step of your instructions. SpywareGuard is still disabled from the Avenger. And I did follow this procedure twice, with the same results. And my antivirus was disabled.

    I scanned with Panda ActiveScan yesterday but all it found was the Smitfraudfix files which I would like to uninstall somehow.


    **Note: I uninstalled the CounterSpy but I don't know what happened to all the quarantined things in it? I didn't think to delete them before uninstalling, so are those malware files deleted?
     


  17. brunobru

    brunobru Private E-2

    I forgot to mention that in the ComboFix quarantine folder is a file and should I delete it?

    C:\QooBox\Quarantine\Registry_backups\services_nm.reg.cf

    Thanks for your help and your responses :)
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run the below as an alternative route to step 4 from my previous fix. Once complete, proceed with the rest of the steps and attach fresh logs.

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Read the below very carefully!

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.
     
  19. brunobru

    brunobru Private E-2

    It seems to be running smoother...haven't had the credit card info trying to sneak out yet, but it's only been a couple hours, hopefully it's good.
     


  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger, the log (avenger.txt) and C:\avenger.
    8. If we had you download any registry patches like fixme.reg, fixme1.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  21. brunobru

    brunobru Private E-2

    Thanks soooo much bjgarrick and chaslang for your help...you guys rock!!
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome!

    Surf Safely!:major
     
  23. brunobru

    brunobru Private E-2

    bjgarrick, if it's not too late to ask, what infections did my pc have?

    It's running great now, so again...

    THANK YOU
    THANK YOU
    THANK YOU
     
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just your typical adware/spyware infections, nothing serious.
     
  25. brunobru

    brunobru Private E-2

    ok thanks :wave
     
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome!:major
     
