Adware, malware, changing dll on reboot and more

You did not empty your Norton Nprotect and Quarantine folders as requested in step 0 of the READ ME. PLEASE DO THIS NOW BEFORE continuing.

Download DelDomains and unzip it to your desktop.

Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.

Afterwards run Spybot and make sure you re-Immunize immediately.

Now run this: Qoologic Removal Procedure

Now run this: Look2Me VX2 Removal and attach the requested log to your next message.

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Network Station Task Manager ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

TKNT

If you receive any error messages just ignore them and continue.

Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.


Now complete the below procedure. Some items may no longer be seen in your HJT log. So if you do not see certain lines, just ignore and continue.

Make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

C:\dfndrad_5.exe

After killing all the above processes, click Back.
Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\gabns.exe
F2 - REG:system.ini: UserInit=userinit.exe,quirdmv.exe
O3 - Toolbar: (no name) - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)
O4 - HKLM\..\Run: [keyboard] C:\\kybrdad_5.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrad_5.exe
O4 - HKLM\..\Run: [ctmc3b33] RUNDLL32.EXE we404798.dll,n 001c3b3200000003e404798b


After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\system32\gabns.exe
C:\WINDOWS\system32\quirdmv.exe
C:\WINDOWS\system32\we404798.dll
C:\WINDOWS\tasknt.exe
C:\kybrdad_5.exe
C:\dfndrad_5.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!
Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

Now run your scans that you said were detecting problems! You must attach logs for any scanners that find problems! Just telling me things like below, does not give adequate information to help you:

I will be on vacation until 7/31/06. One of the other Mods or Admins here may be able to pickup where I leave off.

 

The recent scan from Norton only flagged things in your Recycle Bin. You need to keep that clean yourself.

For what Spybot is finding, it cannot be fixed using Spybot because something modified who is the owner of the registry keys. The below should fix this:

Download and Install Registrar Lite

Run Registrar Lite navigate to the following keys and take ownership of them (explained further down):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService


To take ownership of teh key do the following:

• Copy & Paste one registry key from above into the address bar of Registrar Lite and hit the enter key. This will bring you to the regitry key.
• Click-on Security in the Menu
• Select Take Ownership
• Now right click on the registry key and select delete
• Repeat for all the above registry keys
• Tell me the results. Any errors?

Check a Spybot scan afterwards!

If you are not having any other malware problems after doing the above, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!


I will be on vacation until 7/31/06. One of the other Mods or Admins here may be able to pickup where I leave off.