QUOTE

Also any direction or advice you can provide on how I may remove malware myself would be appreciated. Is it possible to delete the offending part of the file and restore it? Is there a process I can follow to repair such infected files as those found on my original scan by Avast?

I suggest you apply to BleepingComputer's Malware Removal Training Program, Learn how to use HijackThis to remove malware!.

Hi Susiebaby,
Thanks - will do when slots are available. In the meantime are you going to do anything with all the scans and information I have sent or you have requested from me so far? I hope it has not been all for naught?
Regards,
Nimshie29

I am retired on Social Security Disability. Please be patient with me as I am a senior citizen. I am working on your log and should have it ready for you tomorrow.

You may want to print this page. Make sure to work through the fixes in the order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step 1

In normal mode, run an online antivirus check from at least two and preferably three of the following sites
BitDefender
Computer Associates Online Virus Scan
Panda's ActiveScan
Trend Micro Housecall
Windows Live Safety Center Free Online Scan
This scanner from Trend does not require an Active X to run.

1. Detects and removes malware ( viruses, worms, trojans, etc. )
2. Detects and removes grayware and spyware
3. Restores damage caused by malware to your system.
4. Notifies about vulnerabilities in installed programs and connected network services.
5. Multi-platform support for: Windows, Linux, Solaris.
6. Easy-to-use with the Microsoft Internet Explorer and Mozilla Firefox.

When you have completed the scans, if you get a report of files that can’t be cleaned / deleted, make a note of the file location of anything that cannot be deleted so you can delete it yourself. Please post that list in your next reply.

Step 2

Please download Spybot-S&D.
Please check this link, Using Spybot- Search and Destroy To Remove Spyware From Your Computer, for instructions on how to download, install and use Spybot-S&D. Run this program as soon as possible.

Step 3

Please download Ad-Aware 2008.
Please check this link, Ad-Aware 2007/ 2008 for instructions on how to download, install and use Ad-Aware. Run this program as soon as possible.

Step 4

I recommend using Spyware Blaster.
Please download SpywareBlaster. SpywareBlaster helps to:

1. Prevent the installation of Active X-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
2. Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
3. Restrict the actions of potentially unwanted sites in Internet Explorer.

Please see Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware for instructions on how to download, install, and use SpywareBlaster.

Step 5

The ATF-Cleaner program is for XP and Windows 2000 only.
ATF-Cleaner features include:

• Cleaning of all user temp folders, administrator only can use this feature.
• Cleaning of the Java cache, which seems to be harboring more and more malware.
• Cleaning the cache, cookies, history, download history, visited links and saved passwords. You have the option of checking no if you want to save your passwords.

Please download the ATF-Cleaner by Atribune.
Instructions:

• Double-click ATF-Cleaner.exe to run the program.
• Check the boxes to the left of:
  • Windows Temp
  • Current User Temp
  • All Users Temp
  • Temporary Internet Files
  • Prefetch (Windows XP) only
  • Java Cache
• The rest are optional - if you want to remove them all, check Select All.
• Click the Empty Selected button.
• When you get the Done Cleaning message, click OK.

If you use the Firefox browser:

• Click Firefox at the top and choose: Select All.
• Click the Empty Selected button.
• When you get the Done Cleaning message, click OK.
• NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser:

• Click Opera at the top and choose: Select All.
• Click the Empty Selected button.
• When you get the Done Cleaning message, click OK.
• NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
If needed, Tutorial on ATF Cleaner with pictures.
Do not run it yet.

Step 6

Please disconnect from the Internet. Please close ALL browser windows (including this one).

Step 7

During the process of removing malware from your computer, there are times you may need to use specialized fix tools. Certain embedded files that are part of these specialized fix tools may be detected by your antivirus or anti-malware scanner as a RiskTool, Hacking tool, Potentially unwanted tool, a virus or a Trojan when that is not the case.
These tools have been carefully created and tested by security experts so if your antivirus or anti-malware program flags them as malware, then it is a False Positive. Antivirus scanners cannot distinguish between good and malicious use of such programs; therefore, they may alert you or even automatically remove them. In these cases, the removal of these files can have unpredictable results and unintentional results.
To avoid any problems while using a specialized fix tool, it is very important that you temporarily disable your antivirus and/or anti-malware programs before using the specialized fix tool.
When your system has been cleaned, it is important that you enable your security programs to avoid reinfection.

Please disable the following programs:

Windows Defender

1. Click Start > Programs > Windows Defender or launch from the system tray icon.
2. Click on Tools
3. Click on General Settings
4. Scroll down to Real-time protection options
5. Uncheck Turn on Real-time protection (recommended)
6. Click Save
7. Go to Start > Control Panel > Security > Windows Defender, at the bottom of the Window Defender's page, uncheck under Administrator Options, use Windows Defender and then Save.
8. Exit the program.

Note: After all of the fixes are complete, it is very important that you enable Real-time Protection again. box.

Step 8

Is this your Internet Service Provider (ISP)? If this is not your ISP, you need to use HijackThis to fix item(s).

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS3\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au

Step 9

Now we will address the HijackThis fixes.

Please run HijackThis and click Scan Place checks next to the following entries (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
O2 - BHO: XBTBPos00 - {A50B6E91-4081-4B37-BEA1-AD98A3CD51BA} - (no file)
O3 - Toolbar: eMusic Toolbar - {F8CC9B08-C14F-4A5C-B73B-518AFECC067A} - (no file)

Close all browsers and other windows except for HijackThis, and click Fix Checked to have HijackThis fix the entries you checked.

Step 10

Optional Fixes is the name that we use for fixes for unnecessary programs that load during startup and run in the background. These programs are not required to start automatically as you can start them manually if you need them. You would not be removing the program itself, just removing them from your startup.

Your computer may be sluggish due to the many programs loading during startup and running in the background that are not necessary. Windows has a facility for starting programs at startup time. Some of these programs are required for your computer and the applications installed on it to run correctly. A good example of such a program is a virus-checking application that must always run, constantly checking for and isolating or removing files with viruses. Other such programs are not strictly required, or are optional. In some cases, you can gain significant performance enhancements by disabling the automatic startup of these programs. In many cases, the functionality offered by the programs is still available by starting the programs manually by, for example, starting the program from the Windows Start->Programs menu. Media players and instant messaging programs often fall into this category. In fact, it is common for many modern software applications, when installed, to add programs at startup that add items to the system tray or shortcut (context) menus in Windows Explorer to provide quick access to the features and functions of these applications. While they may be useful, they do increase boot time and consume system resources. It is advised that you disable these programs so that they do not take up necessary resources or slow the boot time.

Other than ScanRegistry, SystemTray, StateMgr, antivirus program entries, and firewall program entries, very few others need to load and run.

Read the articles below to see if it applies to your computer problem with being slow to respond.
Slow_Computer_Check_here_first_it_may_not_be_malware.
Help! My computer is slow!
50 Tips for a Super Fast PC
4 Ways to Speed Up Your Computer's Performance
It's not always malware: How to fix the top 10 Internet Explorer issues

If you decide that you want to stop the Optional Fixes in your startup, let me know and I will give you a list with instructions. You would not be removing the program itself, just removing them from your startup.

Step 11

Let’s run ATF-Cleaner to ensure no malware is hiding in temporary folders and for general computer cleanup to free space on your computer.

Step 12

Please run HijackThis in Normal Mode and post a new HijackThis log so I can make sure that all the malware was deleted according to plan.

Please post the list of file names and locations for any files that can’t be cleaned / deleted that were reported after you completed the online scans.

Please advise me of any problems you still have.

Thanks for that Suebaby,

I have copied it and will work through it when I get over the flu. I am on an aged pension that was a disability so please excuse my slow take-up and lack of concentration at times. I am in no hurry for the results. How does one get a password to enter the Training Program without having to wait please?

Have a peaceful day,
Nimshie29

Take your time. I have good days and bad days so I know how it feels to be slow. I do not know of any passwords to get into training. After you are clean and if you have not begun training here at BleepingComputer Malware Removal Training program, if you want to know about other training sites, let me know.

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.