My in-law's computer has virus problems.


WasTech

Please help. He has an eMachines with XP Home. My brother-in-law must have been doing some heavy surfing. Then after he got the virus it told him to download some software to fix it. He doesn't know enough about computers not to make this mistake, and it hammered the computer. I'm trying to fix it but it's real slow, and it disabled just about every tool that could help me fix it.

I tried ComboFix on it but it didn't work. It gave an error: detected rootkit, must reboot. Rebooted and it still didn't work, same error in Safe Mode or regular. Used Malwarebytes and it detected 30 infections which I quarantined, but it still doesn't work. Also tried SmitFraudFix, still working on that, but I have logs for that, HijackThis, Malwarebytes and ComboFix. This **** thing even disabled the CD drive. I can't get to it. It says Data on this is the main computer S: which is really D: WTF? The desktop is a link; if I click on it Firefox comes up. The desktop screen in red says "Your Privacy Is In Danger! Download Privacy Protection Software Now." Also can't get to Device Manager. I'm using a file splitter and floppy to load these fix programs. This blows.

I'm not able to get updates, it won't connect. The culprits are named Error Cleaner, Spyware and Malware Protection, and some guard. Yea my A**

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:52: VIRUS ALERT!, on 9/23/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = UltimateCleaner 2007
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Comcast.net Home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - {1EC53354-188E-45C8-8796-34E0DDA44A64} - C:\WINDOWS\System32\credu.dll (file missing)
O2 - BHO: (no name) - {D69E4E92-1D8E-4649-B927-4A56AF723CB1} - C:\WINDOWS\System32\avica.dll
O2 - BHO: QXK Olive - {F85920DB-0233-4BFA-8780-6E9F2E19E93A} - C:\WINDOWS\rodqgpvldlr.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Support - {04439F44-3704-418B-B2EC-EF3A945BD6E9} - Comcast Help & Support (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {71CFA76A-D67F-4739-B67A-1ECD1C64F731} - Comcast.net Home (file missing) (HKCU)
O9 - Extra button: Help - {9D9479C8-1C97-4CE3-A4E6-9586E8E9AB16} - Comcast.net Security (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O21 - SSODL: rqbmvpso - {998201D6-C3E3-4D5A-B48F-82BD3D7F916B} - C:\WINDOWS\rqbmvpso.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 3066 bytes
 
SmitFraudFix v2.328

Scan done at 22:00:29.21, Tue 09/23/2008
Run from C:\Documents and Settings\E-Machine\My Documents\v suck\smitfraud\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\privacy_danger FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\E-Machine


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\E-Machine\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\E-MACH~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\E-MACH~1\Desktop\Error Cleaner.url FOUND !
C:\DOCUME~1\E-MACH~1\Desktop\Privacy Protector.url FOUND !
C:\DOCUME~1\E-MACH~1\Desktop\Spyware?Malware Protection.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:\\WINDOWS\\privacy_danger\\index.htm"
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
+--------------------------------------------------+
[!] Suspicious: rodqgpvldlr.dll
BHO: QXK Olive - {F85920DB-0233-4BFA-8780-6E9F2E19E93A}
TypeLib: {20F805A7-D665-4A68-83D1-344F8F10EE34}
Interface: {111AE552-9255-4C78-8385-3FD32EA1E2B9}
Interface: {D6E6D6E2-CF73-4313-B914-455A7F3A256C}

[!] Suspicious: rqbmvpso.dll
SSODL: rqbmvpso - {998201D6-C3E3-4D5A-B48F-82BD3D7F916B}


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!



»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
 
Thanks, but I already have that, and I already used msconfig and VundoFix on this computer; I forgot to mention them. It is not easy to do this on this computer, I have to jump through hoops for anything to happen. Can't you please give me a fix for ComboFix or one of the other ones that I already put on this non-cooperating computer? It isn't easy to install anything when you don't have internet or CD working.

Thanks
 
Remove these entries

O2 - BHO: (no name) - {1EC53354-188E-45C8-8796-34E0DDA44A64} - C:\WINDOWS\System32\credu.dll (file missing)

O2 - BHO: (no name) - {D69E4E92-1D8E-4649-B927-4A56AF723CB1} - C:\WINDOWS\System32\avica.dll

O2 - BHO: QXK Olive - {F85920DB-0233-4BFA-8780-6E9F2E19E93A} - C:\WINDOWS\rodqgpvldlr.dll

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Support - {04439F44-3704-418B-B2EC-EF3A945BD6E9} - Comcast Help & Support (file missing) (HKCU)

O9 - Extra button: ComcastHSI - {71CFA76A-D67F-4739-B67A-1ECD1C64F731} - Comcast.net Home (file missing) (HKCU)

O9 - Extra button: Help - {9D9479C8-1C97-4CE3-A4E6-9586E8E9AB16} - Comcast.net Security (file missing) (HKCU)


O21 - SSODL: rqbmvpso - {998201D6-C3E3-4D5A-B48F-82BD3D7F916B} - C:\WINDOWS\rqbmvpso.dll

O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm


Then post a new log
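The entries the reply above picks out share a few tells that can be scored mechanically: BHO and SSODL DLLs dropped straight into C:\WINDOWS with random-looking names, BHOs registered with no name outside Program Files, orphaned "(file missing)" registrations, an O7 policy that disables regedit, and an Active Desktop component pointing at a local HTML file. The following triage script is an added example written for this page; it is not HijackThis code and not part of the thread. The scoring weights are my own assumptions, and the sample lines are copied from the log posted above.

```python
"""Score HijackThis-style log lines for the patterns seen in this thread.

Added example, not HijackThis code. The point weights below are assumptions
chosen so that the entries the helper removed clear the threshold while the
Microsoft Money BHO (a legitimate '(no name)' BHO under Program Files) does not.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1EC53354-188E-45C8-8796-34E0DDA44A64} - C:\WINDOWS\System32\credu.dll (file missing)
O2 - BHO: (no name) - {D69E4E92-1D8E-4649-B927-4A56AF723CB1} - C:\WINDOWS\System32\avica.dll
O2 - BHO: QXK Olive - {F85920DB-0233-4BFA-8780-6E9F2E19E93A} - C:\WINDOWS\rodqgpvldlr.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: rqbmvpso - {998201D6-C3E3-4D5A-B48F-82BD3D7F916B} - C:\WINDOWS\rqbmvpso.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
"""

ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.+)$")
VOWELS = set("aeiouy")


@dataclass
class Finding:
    entry_type: str
    raw: str
    path: Optional[str]
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def looks_random(stem: str) -> bool:
    """Crude check for generated names: 8+ letters with almost no vowels."""
    s = stem.lower()
    if len(s) < 8 or not s.isalpha():
        return False
    return sum(c in VOWELS for c in s) / len(s) < 0.25


def extract_path(entry_type: str, body: str) -> Optional[str]:
    """Pull the filesystem path out of O2/O21/O24 entries; None otherwise."""
    if entry_type not in ("O2", "O21", "O24"):
        return None
    last = body.rsplit(" - ", 1)[-1]
    last = re.sub(r"\s*\((file missing|no file)\)\s*$", "", last)
    if last.lower().startswith("file:///"):
        last = last[len("file:///"):]
    return last if re.match(r"^[A-Za-z]:\\", last) else None


def score_entry(entry_type: str, body: str) -> Finding:
    f = Finding(entry_type, body, extract_path(entry_type, body))
    p = f.path
    in_program_files = p is not None and "\\program files\\" in p.lower()
    if p is not None:
        directory, _, name = p.rpartition("\\")
        stem = name.rsplit(".", 1)[0]
        if directory.lower() == "c:\\windows":
            f.add(2, "file dropped directly in the Windows root, not System32")
        if looks_random(stem):
            f.add(2, "random-looking filename")
    if entry_type == "O2" and "(no name)" in body:
        f.add(1 if in_program_files else 2, "BHO registered without a name")
    if "(file missing)" in body:
        f.add(1, "orphaned registration, file already gone")
    if entry_type == "O7":
        f.add(2, "policy restriction that disables a system tool")
    if entry_type == "O24" and "file:///" in body.lower():
        f.add(2, "Active Desktop component pointing at a local HTML file")
    return f


def triage(log_text: str, threshold: int = 2) -> List[Finding]:
    """Return the entries whose score reaches the threshold, in log order."""
    flagged = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        f = score_entry(m.group("type"), m.group("body"))
        if f.score >= threshold:
            flagged.append(f)
    return flagged


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.entry_type} {f.path or f.raw}")
        for why in f.reasons:
            print("      -", why)
```

Run against the sample, the six entries the reply lists for removal (the three BHOs, the O7 policy, the O21 SSODL and the O24 desktop component) come out flagged, while mnyviewer.dll stays below the threshold. The heuristics are only a first pass; a flagged file still needs the usual checks (signature, hash lookup, file age) before it is deleted.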
 
OK, thanks for the help. I think it's almost gone; things are looking normal again. As you can see, I can't get rid of avica.dll. I still can't use the CD drive, any ideas?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:42 AM, on 9/24/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {D69E4E92-1D8E-4649-B927-4A56AF723CB1} - C:\WINDOWS\System32\avica.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

--
End of file - 1293 bytes
 
This is the complete log?

remove

O2 - BHO: (no name) - {D69E4E92-1D8E-4649-B927-4A56AF723CB1} - C:\WINDOWS\System32\avica.dll
 
Yes, that is complete. Like I said, I can't remove avica.dll. It will not let me. What program can I use to remove it? How do I get my CD drive to work again, and why are some tools like Device Manager still not there? Other tools say they are disabled by Admin, but that is false, because I go into Admin through Safe Mode and still can't see it (meaning there is nothing in it at all). Also, the log I made in Safe Mode with the Malwarebytes program is nowhere to be found.
 
Since you ran ComboFix before you removed those entries I gave you, run ComboFix again and then run Malwarebytes.

A guide and tutorial on using ComboFix

Malwarebytes.org

and then open HijackThis, scan, and if you still see avica.dll, open HijackThis, click Misc Tools, choose Delete a file on reboot, copy C:\WINDOWS\System32\avica.dll and paste it into the window, and say yes to reboot. Post a new log when finished.
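The reason a plain delete fails on a live BHO DLL is that explorer.exe and every Internet Explorer window have it mapped, so the file is locked. "Delete a file on reboot" sidesteps that by queuing the delete for the Session Manager, which processes the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager at the next boot, before any of those processes exist. The value is a flat list of source/destination pairs, and an empty destination means delete; the documented way to queue one is MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT. The script below is an added example written for this page, not HijackThis, Killbox or any tool's own code: it builds and round-trips that registry data so you can see what gets queued, and only touches the real API when run as an administrator on Windows. The pair layout and the \??\ prefix are as I understand the format; the encoding helpers are my own.

```python
"""Delete-on-reboot as the helper's HijackThis step does it.

Added example, not part of the thread. pending_delete_entries() produces the
source/destination pairs that PendingFileRenameOperations holds, encode/decode
handle the REG_MULTI_SZ byte layout, and queue_delete_on_reboot() calls the
Windows API that writes the entry for you (Windows only, needs admin rights).
"""
import ctypes
import sys
from typing import List, Optional, Sequence, Tuple

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4   # flag for MoveFileExW
NT_PREFIX = "\\??\\"                # paths in the value use the NT form \??\C:\...


def pending_delete_entries(paths: Sequence[str]) -> List[str]:
    """Build the (source, destination) pairs for deleting each path at boot."""
    out: List[str] = []
    for p in paths:
        out.append(p if p.startswith(NT_PREFIX) else NT_PREFIX + p)
        out.append("")  # empty destination = delete rather than rename
    return out


def encode_multi_sz(values: Sequence[str]) -> bytes:
    """REG_MULTI_SZ bytes: UTF-16LE, NUL after every string, extra NUL at the end."""
    return "".join(v + "\0" for v in values).encode("utf-16-le") + b"\0\0"


def decode_multi_sz(data: bytes) -> List[str]:
    """Inverse of encode_multi_sz that keeps the empty strings (delete markers)."""
    parts = data.decode("utf-16-le").split("\0")
    # The last two elements come from the final string's NUL and the list terminator.
    return parts[:-2]


def pending_operations(values: Sequence[str]) -> List[Tuple[str, Optional[str]]]:
    """Group the flat list into (source, destination) pairs; None = delete."""
    if len(values) % 2:
        raise ValueError("PendingFileRenameOperations must hold src/dst pairs")
    return [(values[i], values[i + 1] or None) for i in range(0, len(values), 2)]


def queue_delete_on_reboot(path: str) -> bool:
    """Ask Windows to delete `path` at next boot via MoveFileExW. Admin + Windows only."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is only available on Windows")
    kernel32 = ctypes.windll.kernel32  # type: ignore[attr-defined]
    if not kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError()  # type: ignore[attr-defined]
    return True


if __name__ == "__main__":
    # Constructed input: the file the thread could not delete while running.
    target = r"C:\WINDOWS\System32\avica.dll"
    entries = pending_delete_entries([target])
    blob = encode_multi_sz(entries)
    print("value data:", blob.hex(" "))
    for src, dst in pending_operations(decode_multi_sz(blob)):
        print("delete" if dst is None else "rename", src, dst or "")
    if sys.platform == "win32" and "--queue" in sys.argv:
        queue_delete_on_reboot(target)
        print("queued; reboot to apply")
```

Two caveats a practitioner would want: the queue only helps if nothing re-registers or re-creates the file before or during boot, and a file that cannot be deleted even this way (which is what the next reply reports) points at something holding it earlier than the Session Manager step, so the ComboFix rerun the helper asked for is the right next move rather than yet another delete tool.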
 
I'll try that. I tried deleting it from the command prompt, no good. I just used Pocket Killbox to delete it, and even on reboot it said it can't remove the file. I just downloaded Remove on Reboot Shell Extension.
 