Posted
Starbuck, originally I asked on 2 forums, but on the other one they couldn't help me. You probably saw that they are asking me to install Windows Service Pack 3, and I am very thankful for their help, but I didn't do it and I'm not planning to. I read the requirements for installing Windows Service Pack 3 and I evaluated my abilities, and I prefer not to do it. That's why I stopped asking in the other forum, because their solution is not good for me. Hope this is not wasting anybody's time, and indeed I decided not to confuse the fixing you could offer me, if I can do it, of course.

"Let's see which one of you nuts has got any guts?"

------------------

"But I tried. God ******, I sure as hell did that much. Didn't I?"

Posted

Talking about my abilities: you have asked which antivirus programs I use, and I didn't mention McAfee... so, yes, I did have this on the computer. Sorry that I forgot about this one, I'm really confused here... I did remove it now, from Add/Remove Programs. I didn't know that I shouldn't have Avira and McAfee.

Like I said before, there is nothing in Add/Remove Programs which suggests it is Securus Client. That is why I could not remove it for so long; I never knew what exactly this is.

  • ExTS Admin
Posted

Hi yockie,

 

Ok, the best thing to do is to return to the other forum and let them know that you are receiving help here.

 

As you have removed McAfee, let me have an up-to-date OTL report using the following instructions, and let me have the reports using the email I gave you in the PM.

I'll then be able to see if there's any leftovers from McAfee and we'll fix those at the same time.

 

Double click on OTL.exe to run it.

  • Under Extra Registry section, select Use SafeList.
  • Don't check the boxes beside 'LOP Check' and 'Purity Check' this time.
  • Make sure that the 'File Age' is set to 30 days.
    and 'Files Created Within' and 'Files Modified Within' is set to 'File Age'.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open. Please post the contents of these 2 Notepad files in your next reply.

 

Thanks

Member of:

UNITE

Posted

Sorry you don't have the Windows disks but I do understand why. I too wondered about your antiviruses.

 

A wise choice you made with choosing Starbuck to assist you. You're in good hands.

 

Good luck everyone.

We are all members helping other members. Please return here where you may be able to help someone else. After all, no one knows everything and you may have the answer that someone needs.


Posted
Thank you, RandyL, luckily Starbuck chose me, not the other way around. I just jumped on the rare chance. Who wouldn't??

  • ExTS Admin
Posted (edited)

Hi Yockie,

 

Edit:

Thanks for the PM about the new system.

As it's XP, still use the same instructions for the MBAM part.

But first you will need to install MBAM on the new system:

 

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

 

Don't worry about a report from the new system.

 

With this 1st fix, we'll clean up some registry items and remove that 'Securus' program.

There's a lot of missing files from Avira, so we'll remove that as well.

We'll get a fresh AV sorted once the system is back online.

We'll also get MBAM updated (using the laptop) and get a fresh scan done for any leftovers.

 

Step 1

Double click on OTL.exe to run it.

Copy the lines in the codebox below. (make sure that :Otl is on the first line )

:Otl
PRC - C:\Program Files\securus\SecurusClient\securusn.exe ()
MOD - C:\Program Files\securus\SecurusClient\support.dll ()
SRV - (AntiVirService) --  File not found
SRV - (AntiVirSchedulerService) --  File not found
DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
O4 - HKLM..\Run: [avgnt] H:\Personal Data\Avira\AntiVir Desktop\avgnt.exe File not found
O4 - HKLM..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe File not found
O4 - HKLM..\Run: [securus Network Client] C:\Program Files\securus\SecurusClient\securusn.exe ()
O4 - HKLM..\Run: [uSBScan.exe] H:\Personal Data\USBScan\USBScan.exe File not found
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {41564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab (Reg Error: Key error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38173.1592361111 (Reg Error: Key error.)
O33 - MountPoints2\{d1473aa9-1fd4-11dc-9ead-4d6564696130}\Shell\AutoRun\command - "" = F:\InstallTomTomHOME.exe -- File not found
[2010/04/03 13:43:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.GMS-3IBDCJ3IZYP\Application Data\Avira
[2009/12/17 20:43:34 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2009/12/17 20:43:33 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2009/12/17 20:43:33 | 000,051,992 | ---- | C] (AVIRA GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2009/12/17 20:43:33 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2009/12/17 20:43:24 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2009/12/17 20:42:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira
[2009/12/03 13:56:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\McAfee
[2008/04/16 17:08:15 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared

:Files
C:\Program Files\securus

:commands
[emptytemp]
[purity]
[EMPTYFLASH]

  • Return to OTL,
  • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
     
    http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
     
  • Click the red Run Fix button.
     
    http://img.photobucket.com/albums/v708/starbuck50/runfixbutton.png
     
  • OTL will reboot your system once the fix has completed.
  • After the reboot, you may need to double click OTL to launch the program and retrieve the log.

 

Copy and paste the contents of the OTL log that comes up after the fix in your next reply.

 

if you lose the report, there will be a copy here:

C:\_OTL\MovedFiles

 

Step 2

Run the MBAM update on the laptop and get the latest definitions. (My update today shows database version 4059.)

Then close MBAM

 

Now we need to transfer the 'rules.ref' file from the laptop to the other m/c. (either by usb stick or cd)

 

Step 3

Perform this step on each system:

 

Make sure that you can see hidden files.

  1. Click Start.
  2. Click My Computer.
  3. Select the Tools menu and click Folder Options.
  4. Select the View Tab.
  5. Under the Hidden files and folders heading select Show hidden files and folders.
  6. Uncheck the Hide protected operating system files (recommended) option.
  7. Click Yes to confirm.
  8. Uncheck the Hide file extensions for known file types.
  9. Click OK.

 

Step 4

Perform this step on the laptop:

 

We need to navigate to:

C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Rules.ref

 

  • Click Start.
  • Click My Computer.
  • Click on the C drive
  • Click Documents and Settings folder
  • Click All Users folder
  • Click Application Data folder
  • Click Malwarebytes folder
  • Click Malwarebytes' Anti-Malware folder
    You will now see the 'rules.ref' file
  • Right click on the 'rules.ref' file ... hold the right button in on the mouse and drag the file to the 'Desktop'
  • When you release the button a menu will appear.... select 'Copy Here'.
  • You will now have a copy of the 'Rules.ref' file on your Desktop.

 

Insert your USB stick and transfer the file to the USB stick.

 

Step 5

Perform this step on the 'infected system':

 

Insert the USB stick.

Open the USB stick contents and transfer the 'rules.ref' to the desktop. (using the same right click method as before)

 

Now navigate to:

C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware

using the same method as before.

After you open the last folder you will see the old rules.ref file.

 

Now using the right click method as before.... transfer the file from your Desktop to the same folder that the old rules.ref is in. (only this time select... Move here)

You will get a message asking if you want to replace the old file with the new one.... click yes to overwrite the old file.

 

Now close all the windows and start MBAM and run a scan.

It will now scan using the new definitions.

 

Don't forget:

  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

 

Step 6

Perform this step on each system:

 

Hide System Files

  1. Click Start.
  2. Open My Computer.
  3. Select Tools menu
  4. Click Folder Options.
  5. Select the View Tab.
  6. Uncheck Show hidden files and folders in the Hidden files and folders section.
  7. Select Hide protected operating system files (recommended) option.
  8. Check the Hide file extensions for known file types option.
  9. Click Yes.
  10. Click OK.

 

In your next reply, please submit:

OTL fix report

new MBAM report

 

 

Thanks.

Edited by Starbuck

Member of:

UNITE
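A pre-flight check for a fix script like the one in Step 1, as an added example that is not part of the original post and not OTL's own code: it confirms that `:Otl` is on the first line, splits the text into its `:` sections, and lists the entries marked `File not found`. The function names are illustrative, the sample is a constructed excerpt of the script above, and only the line shapes visible in that script are handled.

```python
import re

# Constructed sample: a shortened excerpt of the fix script posted above.
SAMPLE_FIX = r""":Otl
PRC - C:\Program Files\securus\SecurusClient\securusn.exe ()
SRV - (AntiVirService) --  File not found
DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
O4 - HKLM..\Run: [avgnt] H:\Personal Data\Avira\AntiVir Desktop\avgnt.exe File not found
O4 - HKLM..\Run: [securus Network Client] C:\Program Files\securus\SecurusClient\securusn.exe ()
[2009/12/17 20:43:34 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys

:Files
C:\Program Files\securus

:commands
[emptytemp]
[purity]
"""

SECTION_RE = re.compile(r"^:(\w+)$")
# "TAG - detail" entries (PRC, MOD, SRV, DRV, O4, O16, O33 in the script above).
ENTRY_RE = re.compile(r"^([A-Z]+\d*) - (.+)$")
# "[date time | size | attributes | C] (vendor) -- path"; the vendor is optional.
FILE_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| [\d,]+ \| \S+ \| \w\]"
    r"(?: \((.*?)\))? -- (.+)$"
)


def classify(line):
    """Turn one non-blank script line into a small record."""
    m = FILE_RE.match(line)
    if m:
        return {"kind": "file", "created": m.group(1),
                "vendor": m.group(2), "path": m.group(3)}
    m = ENTRY_RE.match(line)
    if m:
        return {"kind": m.group(1), "detail": m.group(2),
                "orphan": m.group(2).endswith("File not found")}
    return {"kind": "raw", "detail": line}  # paths under :Files, [commands]


def parse_fix(text):
    """Return (sections, problems) for a pasted fix script."""
    lines = text.splitlines()
    problems = []
    if not lines or lines[0].strip().lower() != ":otl":
        problems.append("first line is not :Otl")
    sections, current = {}, None
    for number, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, [])
        elif current is None:
            problems.append(f"line {number}: entry before any section header")
        else:
            sections[current].append(classify(line))
    return sections, problems


def orphans(sections):
    """Entries under :Otl whose target file was reported as missing."""
    return [e["detail"] for e in sections.get("otl", []) if e.get("orphan")]


if __name__ == "__main__":
    parsed, issues = parse_fix(SAMPLE_FIX)
    print("problems:", issues or "none")
    for name, entries in parsed.items():
        print(f":{name} has {len(entries)} entries")
    for detail in orphans(parsed):
        print("orphan:", detail)
```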

Posted (edited)

Starbuck, wow... if you wanted to make my head spin, you succeeded. :wacko:

Ok, in a more work mode: I have Norton 360 4.0, which prevents me from downloading Malware. What do I do? Turn it off? Can I just put the Norton disk in the faulty computer :loco: ... probably not... and then after everything, should I delete the Malware before restoring the work of Norton? From you here I have learned that programs sometimes clash?

Edited by Yockie

Posted
Ok, I did it anyway, with the Norton working :)

  • ExTS Admin
Posted

Sometimes antivirus programs see a program and, because of how it works, think it's malware when in fact it isn't.

Norton 360 isn't one of my favorite programs, but that's just my opinion.

If an AV gives a warning about any program we ask you to download, it's best to temporarily close down the AV.

We never ask you to install anything that we wouldn't use ourselves (we always try out all of these programs and give them our full recommendation).

Posted

Dear Starbuck,

 

Not even for a millisecond did I doubt your good intentions, nor am I trying to challenge your opinions. I am actually doubting my evaluation abilities and sound decisions about computers. I don't like Norton more than all the rest, as they are all the same to me... this is what the man offered me today, this is what I bought. If I knew any better, I wouldn't be in such a mess in the first place, eehhh... :(

Ok, I will do the heroic thing and try to follow what you are asking me to do.

Posted

Starbuck,

All right, latest news: Malwarebytes Anti-Malware simply doesn't want to go to the newer version on the faulty computer, after several attempts. I deleted all old versions of the program from the computer and downloaded the latest version from the laptop a few times on USB (desktop as well a few times), even remembering an earlier-read suggestion to change the name of the files to finish in .com. I even tried to download the program with a different name on the USB. Whatever I do, it doesn't permit me to run the latest version for a scan. It always finds a way to give the latest permitted date of the program as 29.3., nothing newer. I think it understands that it's this particular program, whatever I do.

What it gives me is:

database version 4052

MBAM_ERROR UPDATING 12007, 0, WinHHttpSendRequest - is the error message.

The latest version I found online is actually 4060, but I can't run it on the computer.

From here I can't go on to the next steps. Waiting for instructions,

thank you,

Y.

  • ExTS Admin
Posted

Ok, have you run the OTL fix yet?

Obviously you will have to transfer the fix to the bad system so that you can paste the fix into the program.

Once we know if the fix ran ok, I'll give you the next part.

We always have a backup plan lol

Posted

Good morning, Starbuck,

Thank you again. I have done the following and the result is the following:

I copied the fix, went on the bad comp, ran the fix in OTL, it restarted, but after that there is no log at all. I went and searched under C:, like you told me, but there was no log anywhere. I clicked Search under the Start menu, pasted C:\_OTL\MovedFiles, it searched for 5 min and said no such file. I tried to refresh Malware, but it still gives me the March edition, it doesn't want to upgrade.

Hope you are not fed up with this rubbish computer, I'm starting to feel guilty that nothing works... :(

If you have had enough, please, do not hesitate to tell me...

  • ExTS Admin
Posted

Hi Yockie,

 

ok, have taken this from your report:

PRC - G:\OTL.exe (OldTimer Tools)
This actually shows that you placed OTL on the 'G' drive instead of the 'C' drive.

Take a look there for the report.

 

Btw: security tools always run better when placed on the main drive (the one that the OS is located on).


Posted

Hi, Starbuck,

 

I have tried that and the result is the same. I put OTL on the C drive, ran the fix again, the computer restarted, as it did before. In MovedFiles there are 4 folders, but none of them have anything in them. It's just an icon of a folder, and then numbers, like 01012002_035630, but nothing inside.

My son came to help me, and saw some Recycler folder and said that they had this at school and it's a virus. I have tried to delete it, but it doesn't want to. Do you think it could be relevant? Can I clean it somehow? As we agreed before, I don't want to do anything without your approval, in order not to confuse the operation.

Sorry for missing letters sometimes, or making mistakes, but the new laptop is actually really small, I'm not used to it yet.

  • ExTS Admin
Posted

Hi Yockie,

 

Let's move on to 'plan b' then.

 

My son came to help me, and saw some Recycler folder and said that they had this at school and it's a virus

This next program is very good at removing this.

You will have to download it to the other system and then transfer it using a usb stick. (but rename it before downloading).

 

It will ask about the recovery console, if you have it installed... then no problem.

If you don't, the program won't be able to install it ( as it needs an active internet connection) but the program should still run without it.

 

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

 

Link 1

Link 2

 

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

 

 

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

 

This is an example, you may rename ComboFix to anything you want.

 

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
    For more information read:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
     
    Then:
     
    Double click on Combo-Fix.exe & follow the prompts.
     
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    If running Vista, you may not see this screen
     
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

 

http://img.photobucket.com/albums/v708/starbuck50/cf1.png

 

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

 

http://img.photobucket.com/albums/v706/ried7/whatnext.png

 

Click on Yes, to continue scanning for malware.

 

Note:

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

 

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Posted
Done both links, gave 2 different names, plugged in the USB, ran 2-s the program and it showed me a small window, like a DOS window, but blue, and then another small box, saying Check your settings. Made a picture with the laptop's cam, hope it's visible.

  • ExTS Admin
Posted (edited)

Can you check the clock settings and make sure that the correct date and time are set.

 

Edit:

I've just checked the OTL report you sent, yes the clock settings are set wrong.

The system is set to 2002 .... this isn't helping at all.

Please reset to the correct date and time and run the CF scan again.

 

Thanks.

Edited by Starbuck

Member of:

UNITE
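One way to spot a wrong clock from report lines like the ones in this thread, as an added example that is not part of the original post: creation stamps on disk that lie after the machine's own idea of "now" mean the clock has been set back. Reading the MovedFiles folder name `01012002_035630` as MMDDYYYY_HHMMSS is an assumption, the function names are illustrative, and the sample lines are copied from the fix script earlier in the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: three file lines from the fix script earlier in the
# thread and the MovedFiles folder name the user reported.
REPORT_LINES = [
    r"[2010/04/03 13:43:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.GMS-3IBDCJ3IZYP\Application Data\Avira",
    r"[2009/12/17 20:43:34 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys",
    r"[2008/04/16 17:08:15 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared",
]
MOVED_FOLDER = "01012002_035630"

STAMP_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \|.*? -- (.+)$")


def folder_clock(name):
    """Clock reading taken from a folder name, assumed MMDDYYYY_HHMMSS."""
    try:
        return datetime.strptime(name, "%m%d%Y_%H%M%S")
    except ValueError:
        return None


def file_stamps(lines):
    """(created, path) pairs from '[date time | size | attrs | C] -- path' lines."""
    stamps = []
    for line in lines:
        m = STAMP_RE.match(line.strip())
        if not m:
            continue
        try:
            created = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        except ValueError:
            continue  # right shape, but not a real calendar date
        stamps.append((created, m.group(2)))
    return stamps


def clock_verdict(lines, folder_name, tolerance=timedelta(days=1)):
    """Compare the clock implied by the folder name with on-disk creation stamps."""
    clock = folder_clock(folder_name)
    if clock is None:
        return {"status": "unreadable-folder-name"}
    ahead = sorted(s for s in file_stamps(lines) if s[0] > clock + tolerance)
    if not ahead:
        return {"status": "consistent", "clock": clock}
    newest, path = ahead[-1]
    return {
        "status": "clock-set-back",
        "clock": clock,
        "newest": newest,
        "newest_path": path,
        "files_ahead": len(ahead),
        "behind_days": (newest - clock).days,
    }


if __name__ == "__main__":
    result = clock_verdict(REPORT_LINES, MOVED_FOLDER)
    for key, value in result.items():
        print(f"{key}: {value}")
```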

Posted

:redface:

right... didn't I warn you about some of my sound decisions about computers, khhmmm... surely this time I forgot the clock, how silly, eh... the devil is in the details.

The search for the log is still going on, a long time now... I don't think there will be anything. The program asked for a connection to the net in order to perform, but that's what I can't do: go on the net. Still, it performed some actions and restarted the computer without even asking me. I saved the renamed program on the desktop, so the log should be where you say, but let's see... what if nothing comes up?

Posted
Which is? Gently take the machine, pick it up, slowly go to the front door, ask someone to open it and steadily walk to the bin...? This will be an interesting log afterwards.... Think of plan D, please, as this search is going on forever here (still, can you believe it, like this is a bank or airport machine, not a home one) and the machine is too heavy to pick up, so neither will there be a log from plan B (I sense), nor would I be able to act on plan C...

  • ExTS Admin
Posted

http://fc06.deviantart.com/fs4/i/2004/250/7/1/ROFL_by_b4sti.gif a sense of humour always helps when working with pc's.

A CF scan can take anything from a couple of minutes to about half an hour.... depending on the system.

I have confidence that we'll get some sort of report.


Posted
It is 2 h 14 min now, I think it's going round and round with the same files, not really planning to stop. How long should I wait?

  • ExTS Admin
Posted

On very rare occasions it has taken about 3 - 4 hours.... but this is very rare.

What is the screen saying?

Has it scanned and rebooted the system?

Is it saying that it's preparing the log report?
