help with virus?

[wshwind]

Ok, I followed your directions... when smit started, each one of the processes it checked a bad-image pop-up came up in order for it to complete i would have to hit Ok for each pop-up, then it continued until complete.I received the " Do you want to clean the registry?" like 40 times... it finally accepted my "Y" and enter..... I did not receive a red screen stating computer will reboot. I did receive a notepad screen. so here it is.

[oldman]

Post a new HJt log and let me know what's going on.

[wshwind]

Hi again,
Here's the new hjlog. also the bad image window that pops up follows:
Notepad.Exe- Bad Image
The application or DLL  C:/windows/System32/wowfx.dll is not a valid windows image. Please check this against your installation diskette.
This window that pops up is for everything and anything I do on the computer. ie- find.exe, cmd.exe, iexporer.exe, vacfix.exe, swreg.exe, aol.exe....  ect ect
never had this problem before? But I no longer have the security balloon saying I have a virus. But i do have an issue when I am typing this post. the window I am on randomly goes in and out- as in i will get half of this text typed and it is like I am toggling between two windows tho I am not. i have to wait for this window to be the active one , so i pause my typing until the top of the window goes back to blue from graythen contipe...   (that was me typing "from gray then continue to type...)
strange?

[wshwind]

this seems to be one of the problems, listed on my hjk file.
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll

any assistance is always greatly appreciated

[oldman]

Let's go after some more of this.

Print these instructions out as you will be doing the first half from safe mode. Download both programs first.

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install.  The SDFix Folder will be extracted to %systemdrive% \ (Drive that contains the Windows directory - typically 'C:\SDFix') Open the SDFix folder in Safe Mode then double click the RunThis.bat file to start the fixtool.  Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.  Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.  When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log






Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall.

[wshwind]

oh boy oh boy... lol      I really have to thank yo for keeping with me on this mess. i truly cannot tell you how glad i am. Here's what I have: Hijack, combo fix  logs and i think i have the sd one... tho i could nt easily locate that one. heres the hjk

[wshwind]

here's combo

[wshwind]

here's what i think is sdfix one. tho if its not let me know

[wshwind]

hopefully this all works. I alo have tried numerous times to remove mcafee. I don't thnk I got it all. but will try again once these issues are done. Thanks again

[polonus]

Hi wshwind,

Here you find info to completely remove mcafee:
http://www.dellcommunity.com/supportforums/board/message?board.id=si_virus&message.id=51017

pol

[oldman]

The Sd log wasn't comlete, did you miss some, or was that it? You seeing any improvement yet?

Let's see if we can get some more.

Go to add/remove programs and uninstall, if present, the following

Microsoft Security Adviser
AntiVirusPro


Open HJT, run a system scan only, check mark these lines if present

O2 - BHO: (no name) - {2F02D978-0FF6-80F7-60BB-0426224AB7B3} - C:\Program Files\toawbhfc\shtbfwba.dll (file missing)
O2 - BHO: (no name) - {F767A1F8-6BBC-4531-AEDD-DE9553D57000} - C:\WINDOWS\System32\credu.dll
O4 - HKLM\..\Run: [msctrl.exe] C:\Program Files\Microsoft Security Adviser\msctrl.exe
O4 - HKLM\..\Run: [msavsc.exe] C:\Program Files\Microsoft Security Adviser\msavsc.exe
O4 - HKLM\..\Run: [msscan.exe] C:\Program Files\Microsoft Security Adviser\msscan.exe
O4 - HKLM\..\Run: [msiemon.exe] C:\Program Files\Microsoft Security Adviser\msiemon.exe
O4 - HKLM\..\Run: [msfw.exe] C:\Program Files\Microsoft Security Adviser\msfw.exe
O4 - HKCU\..\Run: [msctrl.exe] C:\Program Files\Microsoft Security Adviser\msctrl.exe
O4 - HKCU\..\Run: [msavsc.exe] C:\Program Files\Microsoft Security Adviser\msavsc.exe
O4 - HKCU\..\Run: [msscan.exe] C:\Program Files\Microsoft Security Adviser\msscan.exe
O4 - HKCU\..\Run: [msiemon.exe] C:\Program Files\Microsoft Security Adviser\msiemon.exe
O4 - HKCU\..\Run: [msfw.exe] C:\Program Files\Microsoft Security Adviser\msfw.exe
O21 - SSODL: SrvAlrt - {abb85924-42b2-45a1-99d7-6776e8051568} - C:\WINDOWS\Installer\{abb85924-42b2-45a1-99d7-6776e8051568}\SrvAlrt.dll
O21 - SSODL: AvpPrx - {ac30c57f-c8fb-48f5-93fd-c9a6577e64f8} - C:\WINDOWS\Installer\{ac30c57f-c8fb-48f5-93fd-c9a6577e64f8}\AvpPrx.dll
O21 - SSODL: VolumeRam - {1d35c5dd-9f8f-49a2-8c04-4db84357e10d} - C:\WINDOWS\Installer\{1d35c5dd-9f8f-49a2-8c04-4db84357e10d}\VolumeRam.dll
O21 - SSODL: zip - {b1240015-2f58-49bc-9a93-0ef9ffec7ee9} - C:\WINDOWS\Installer\{b1240015-2f58-49bc-9a93-0ef9ffec7ee9}\zip.dll
O21 - SSODL: KbdPrx - {01ad806b-3219-4aa4-be5e-39c18911e809} - C:\WINDOWS\Installer\{01ad806b-3219-4aa4-be5e-39c18911e809}\KbdPrx.dll
O21 - SSODL: DrvMon - {65aa727e-edd2-4396-966d-3a05112b739f} - C:\WINDOWS\Installer\{65aa727e-edd2-4396-966d-3a05112b739f}\DrvMon.dll
O21 - SSODL: DbdPrx - {65aa727e-edd2-4396-966d-3a05112b739f} - C:\WINDOWS\Installer\{65aa727e-edd2-4396-966d-3a05112b739f}\DrvMon.dll


Close all other browsers/windows, click fix, close HJT.






Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File::
C:\WINDOWS\System32\credu.dll
C:\Program Files\Microsoft Security Adviser\msctrl.exe
C:\Program Files\Microsoft Security Adviser\msavsc.exe
C:\Program Files\Microsoft Security Adviser\msscan.exe
C:\Program Files\Microsoft Security Adviser\msiemon.exe
C:\Program Files\Microsoft Security Adviser\msfw.exe
C:\WINDOWS\Installer\{abb85924-42b2-45a1-99d7-6776e8051568}\SrvAlrt.dll
C:\WINDOWS\Installer\{ac30c57f-c8fb-48f5-93fd-c9a6577e64f8}\AvpPrx.dll
C:\WINDOWS\Installer\{1d35c5dd-9f8f-49a2-8c04-4db84357e10d}\VolumeRam.dll
C:\WINDOWS\Installer\{b1240015-2f58-49bc-9a93-0ef9ffec7ee9}\zip.dll
C:\WINDOWS\Installer\{01ad806b-3219-4aa4-be5e-39c18911e809}\KbdPrx.dll
C:\WINDOWS\Installer\{65aa727e-edd2-4396-966d-3a05112b739f}\DrvMon.dll


Folder::
C:\Documents and Settings\Owner\Application Data\Anti-Virus-Pro.com
C:\Program Files\AntiVirusPro

DirLook::
C:\Program Files\toawbhfc

This will start ComboFix again.Close  all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.


Please submit these files for analysis

To submit a file to virustoal, please click om this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\Program Files\tmp48125.exe
C:\Program Files\tmp48703.exe
C:\Program Files\tmp48687.exe
C:\Program Files\tmp46265.exe
C:\Program Files\tmp532265.exe

scroll down a bit and click "send file", wait for the results and post then in your next reply.

[wshwind]

Hi I know this may sound dumb, but what temp files am I sending to virustotal.

[wshwind]

heres other log

[wshwind]

These?
C:\Program Files\tmp48125.exe
C:\Program Files\tmp48703.exe
C:\Program Files\tmp48687.exe
C:\Program Files\tmp46265.exe
C:\Program Files\tmp532265.exe

[oldman]

These?
C:\Program Files\tmp48125.exe
C:\Program Files\tmp48703.exe
C:\Program Files\tmp48687.exe
C:\Program Files\tmp46265.exe
C:\Program Files\tmp532265.exe

Yes just copy and past the lines in bold, one at a time, into the upload a file on the virustotal site and click "send file", wait for the results Then repeat.