Many Issues - HELP NEEDED

Good day. I am in a bit of a pickle with some virus issues. All of a sudden I have this new desktop wallpaper that says my computer is infected. It lists Win32/Adware.Virtumonde and Win32/PrivacyRemover.M64.
Is that what I have? I don't know. All I know is that I have SuperAntiSpyware and Avast! installed on my laptop and I cannot update either one. As a matter of fact, I cannot update any of my software. I also get redirected to different sites when I am trying to search on Google or Yahoo.
I cannot even go to certain sites. I try going to www.superantispyware.com and I get a blank page saying the site is down. But I can access it on my other laptop (which I am using right now).
SAS and Avast! both found viruses but nothing is cured. Some of the names were lanmanwrk.exe, lanmanwrk.sys, oembios.exe and other items deemed as rootkits.
Furthermore, when I boot up, my PC automatically goes to My Documents. I tried correcting this in the registry but it keeps coming back.
I could go on forever.
I have included a hijack this log for your review. Any help is appreciated.

Hi :)

Best to start, and hopefully end, by running a full scan of the free "Malwarebytes' Anti-Malware", best downloaded from www.malwarebytes.org/mbam.php. I also noticed an out-of-date Adobe and Sun's Java, which are serious security risks. Also, having "Wild Tangent" stuff is not recommended.

I am trying to run a full scan with Malwarebytes but I wanted to get an updated version of the latest database. I went to the link listed on their website, and when I go to the page I get an exception report. I have tried this on several PCs.
Any suggestions where I can get this file? I have searched high and low on the web.

Thanks for your reply and help.

On the update tab of MBAM settings you can choose a different mirror site to download… did you test it?

Hi RoyM,
Fix with HJT:
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
Unnecessary (deactivated) entry that can be fixed. LinkScannerIE.dll - LinkScanner, hxxp://linkscanner.explabs.com/linkscanner/default.asp

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Unnecessary (deactivated) entry that can be fixed.

O18 - Filter hijack: text/html - (no CLSID) - (no file)

O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe Nasty (2.99 / 5.00)

Your question -
MBAM download site:
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
(later post the logfile of it)
Then run the following program =-SmitfraudFix=-

  1. Download SmitfraudFix from here: http://siri.geekstogo.com/SmitfraudFix.exe
  2. Then restart Windows in Safe Mode. http://www.pchell.com/support/safemode.shtml
     It is important that you first start in Safe Mode; starting SmitfraudFix in normal mode will make your PC crash.
  3. When loaded in Safe Mode, open the file you have downloaded. You will see a blue window with text.
     1. Click a random key to get a menu.
     2. Click 2 to start the killing process.
     3. When the killing process has finished, the program will prompt you whether you allow it to cleanse the registry; for that, click Y.
     4. After this has finished, the program will ask for a restart.
That’s all, don’t panic, all will be well, after the restarts needed, fill us in with a new hjt log.txt attached.

polonus

First off, thank you so much for the help. I really appreciate it.
I think things are good now. I seem to have regained control…LOL
I did what you said above and I attached a new HJT log. Please let me know how it looks.
A few more questions if I may.

  1. The folder that SmitfraudFix created on my desktop, do I need to scan it for anything?
  2. What software is recommended to have installed on my laptop to avoid situations like this? Currently I have Avast!, Malwarebytes and Ad-Aware. Is this overkill, enough or not enough? Or are there better programs I should have installed?

Thanks again for all your help.
RoyM

I’ll let Pol look at the HJT log- I gotta run

Is your MBAM updated and clean now?
Run an online AV scan (Kaspersky, Dr.Web CureIt etc.) - gotta see if anything is hiding.

Now prevention
a Hosts file - perhaps YoKenny has a suggestion :)
SpywareBlaster by Javacool

those two team up to cut off the bad guys communications

Spybot Search and Destroy install SD-Helper and Immunize- do this tomorrow Wed to get latest detections
run a scan and see if anything is found

for prevention you need AVAST and either
Windows Defender (old MS antispyware x Giant anti spyware)
Or
Spybot TeaTimer
or
Spyware Terminator free (not the AV or BHO toolbar)

ONLY ONE (there are others - please ask if your favorite is not mentioned)

How much memory you have and how fast your processor is could determine your choice here.
WinPatrol will also protect your Hosts file and other settings - highly recommended.

Did you run SmitfraudFix before or after your latest HJT log?

On your HJT log:
O4 - HKLM..\RunOnce: C:\WINDOWS\System32\cmd.exe /C del /Q C:\WINDOWS\system32\rdssrv.exe C:\WINDOWS\system32\rdshost.dll C:\WINDOWS\system32\hdfkt.dll

This RunOnce entry is there to delete these files.
rdssrv.exe is a backdoor trojan (Backdoor.AZX, Backdoor.Kyrdor.a).

If you have already rebooted, these should be gone.

O18 - Filter hijack: text/html - (no CLSID) - (no file) ???

Post a new HJT log after the reboot and after SmitfraudFix, plus the SmitfraudFix log.

and after the MBAM scan if you got it working remember to check any baddies and click REMOVE
and after an ON line AV scan

Polonus,
an Ewido online scan may work on this if MBAM does not get it.
see http://forums.majorgeeks.com/showthread.php?p=1203431
where combo fix was used
http://forums.whatthetech.com/BackDoor_AZX_Persistent_t41968.html&st=15

"You may be interested to know that McAfee determined the virus was loading from the dll file, rdshost.dll with Explorer.exe (my desktop/start menu). They noted that HiJackThis was reporting this file as missing (therefore, analysts looking at the log would logically think the file was already removed and not a problem), but rdshost.dll had injected its code into explorer.exe – McAfee surmised that caused the downloading or reinstalling of the file whenever it was removed. SO, it was a more complex issue than it first appeared. "

ZLOB family?
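The HijackThis lines quoted in this thread (the O2/O18/O23 entries polonus listed earlier, and the O4 RunOnce, O18 and O21 lines discussed in the post above) all follow a fixed "Oxx - description" format, so a small script can do the first triage pass a helper does by eye: spot entries that point at a missing file and pull the file list out of a RunOnce delete command. This is an added example, not code from the thread or from HijackThis; the sample log is constructed from the lines quoted here (the O4 entry written on one line, as HJT emits it), and the watchlist is just the file names the thread itself called out.

```python
import re

# Sample HijackThis log, constructed from the lines quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\RunOnce: C:\WINDOWS\System32\cmd.exe /C del /Q C:\WINDOWS\system32\rdssrv.exe C:\WINDOWS\system32\rdshost.dll C:\WINDOWS\system32\hdfkt.dll
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O21 - SSODL: rdshost - {AE2FCCFF-C5C2-4A15-B88B-D112D2C8EAEE} - rdshost.dll (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe
"""

SECTION_RE = re.compile(r"^(O\d+) - (.*)$")          # "O18 - Filter hijack: ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\\S+")              # drive-letter paths without spaces
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# File names this thread identified as malicious or rootkit-related (from the posts above).
WATCHLIST = {"rdssrv.exe", "rdshost.dll", "hdfkt.dll", "lanmanwrk.exe", "lanmanwrk.sys", "oembios.exe"}

def parse_line(line):
    """Turn one HJT line into a dict with a list of triage flags; None if not an HJT line."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    clsid = CLSID_RE.search(body)
    entry = {"section": section, "body": body, "flags": [],
             "clsid": clsid.group(0) if clsid else None, "deletes": []}
    if any(mk in body for mk in ORPHAN_MARKERS):
        entry["flags"].append("orphan")          # registry still points at a file that is gone
    if section == "O18" and "orphan" in entry["flags"]:
        entry["flags"].append("empty-filter")    # the blank text/html filter the thread keeps seeing
    if section == "O4" and "RunOnce" in body:
        d = re.search(r"\bdel\b", body, re.IGNORECASE)
        if d:                                    # cmd.exe /C del ...: files slated for removal at boot
            entry["deletes"] = PATH_RE.findall(body[d.end():])
            entry["flags"].append("runonce-delete")
    if any(name in body.lower() for name in WATCHLIST):
        entry["flags"].append("watchlist-name")
    return entry

def triage(log_text):
    """Parse every HJT line in the log; other lines are skipped."""
    return [e for e in map(parse_line, log_text.splitlines()) if e]

def flagged(log_text):
    """(section, flags) for every entry that raised at least one flag."""
    return [(e["section"], e["flags"]) for e in triage(log_text) if e["flags"]]
```

An orphan flag only says the referenced file is absent on disk; as the McAfee quote above notes, a "file missing" entry can still matter when the code has already been injected elsewhere, so it is a prompt to look closer, not a verdict.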

Here is a new HJT report. Yes, I updated Malwarebytes and ran a full system scan. I also ran a Kaspersky online AV scan. I attached that file also. It found several threats.
Why didn’t Avast catch this? Is there truly a solid AV software that will catch all these items? Why do you need many different softwares to catch these infections?
Guess I'm just frustrated. But I truly do appreciate your help and will do what you instruct.

Thanks. :)

Because of several reasons:

1 - no software is perfect and this is true of all av programs & other malware removal programs.

2 - these threats change daily and sometimes more than once daily. Each malware change sometimes means a change (or many changes) also in the various malware removal programs to detect these changes.

3 - there are different types of malware and so there are different types of malware removal programs.

4 - when one program tries to do everything (that is, detect & protect from all types of malware), it becomes less effective and also uses too much memory & CPU cycles. You would not be happy with this.


Hi RoyM,

Your HJT log seems clean, except you should fix this:
O18 - Filter hijack: text/html - (no CLSID) - (no file)

pol

I tried fixing that line in HJT, but it comes back. Any ideas?
Thanks to all for your help!

Hi RoyM,

It can be totally empty, so you have to first disable System Restore, then delete it, and then enable System Restore again. But as it is being restored by Office, you could uninstall and reinstall Office with the same effect.

Tell me if any of that works,

polonus

That blank O18 can be symptomatic of a big problem.
see the “quoted text” in my last post

do a search for
rdshost.dll
and
5AC053C2-C149-43D5-9D96-670D7A87ACA7

Search for & delete … using Start> Search… the following file(s), if present:
* rdshost.dll

if you find them please give the complete path

Backdoor.Win32.IRCBot.aaq worm

Did we ever have this in O21? (or similar???)
O21 - SSODL: rdshost - {AE2FCCFF-C5C2-4A15-B88B-D112D2C8EAEE} - rdshost.dll (file missing)

can you run an EWIDO online scan?
www.ewido.net/en/onlinescan/

Run Ewido: (older instructions- EWIDO has been bought by AVG so if this does not work we’ll try plan b)

* Click Scanner
* Click Complete System Scan to begin scanning.
* Click OK when prompted to clean files
* With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click OK
* Once finished, click the Save report button
* Save the report to your desktop

Close Ewido

  • Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.

post the Ewido scan and a new HJT
thanks

Does SuperAntiSpyware fit in the same category as Windows Defender, Spybot or Spyware Terminator? I currently have SAS but if it is not needed I will remove it.

I did not find any of those files…Thank God. I will do the Ewido scan and advise

I tried the Ewido scan but it did not work. I downloaded the file needed to do the online scan but nothing appeared.
Will keep trying

Ewido got bought by AVG
Their fine online scan may no longer be available.
I would not run it on my usual OS anyway, and I do not connect to the internet with my secure W2K server.

we have been using MBAM instead

Just saw the post on the previous page
there is a new version of SuperAntiSpy out
give that a whirl - just download it; I am going to give it a try.
SuperAntiSpyware free has no real-time protection, but keep it around as an on-demand scanner.
Spyware Terminator has real-time protection, as does Spyware Doctor Free (see below) and Spybot TeaTimer.
With SPyware terminator do not load the AV or the Toolbar
Windows Defender also has real time
I think everyone should run one of these (depending on resources which one)
Those with low memory should at least run WinPatrol.

Thank God- you got that right- good riddance I say

I had that damn 200x phoney spyware thing pop up on this machine - scripting is blocked so this must be flash- I did not even think I had flash installed
dodged the bullet

I just installed Spyware Doctor to provide some additional real time protection
I have the horsepower so why not?
Spyware doctor is free with the google toolbar- just do not download the rest of the unneeded stuff

I also have Spybot installed as an on demand scanner and I Immunize weekly and have SD-Helper installed
also have A-squared installed and keep updated

Anyway, if you have SAS or Spybot and have not run a scan lately, do so and post up the logs.
all of these find things the others do not

It is in the same category, but I would consider it better than all of the others, the difference being two of the others are resident scanners: Windows Defender and Spyware Terminator (if you haven't disabled the resident protection).

It is best to have only one resident program in the anti-spyware category, whilst spybot s&d has the tea-timer (if enabled) I wouldn’t class that as in the same resident anti-spyware category.

DavidR is correct, TeaTimer is not in the same category, but it used to require fewer resources.
The new version also includes a more BOClean-style database and boot scan, which some say takes too long and/or too many resources.
So spybot just put in a switch more memory but fast- less memory but slower
I still do not find any recent comparison
My Spyware Doctor experiment failed possibly because I did not Reboot after un-installing Counterspy
nothing would start, nothing would open, disabling Spyware Doctor restored
I’m going to check my registry this weekend and give Spyware Doctor another Shot- if not I’ll try Spyware Terminator - if NG I can go to Pest Patrol- I know it works
my point is
I do think you should have one

Also today I tried to run HJT and it crashed on O15.
I ran Housecall65.trendmicro.com and it came up clean, Avast clean, Spybot clean - damn antivirus popup.