Big mess, now clean - read log files

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jonny33, Mar 7, 2008.

  1. jonny33

    jonny33 Private E-2

    Hi, I joined the forum yesterday in order to get help recovering my XP system from a major attack by trojans and viruses - thought Trend Micro was switched on, but it has been off for three months.

    I have followed the Read and Run Me guide for XP and I believe the system is clean now.

    Most things work fine apart from internet explorer which can only run "with add-ons disabled". I have requested help on this in your Software forum.

    I have attached the three logs as directed.

    Would anyone be able to help me view the log files from the clean-up? John
     


  2. abri

    abri MajorGeek

    Hi jonny,
    Welcome to MajorGeeks!


    You did a goodly amount of damage to the infection. I will post a set of instructions back to you as soon as I've been through all your logs. This can take some time so please be patient. Also, it would be better if you use your computer as little as possible while you are waiting.
    Thanks.
    abri
     
  3. abri

    abri MajorGeek

    Hi jonny!

    What are the below files? Do you need these? Did you install them? Further along I'm going to ask you to run CCleaner which deletes all the temp files. These included. If they are files you think you want, you need to move them to a directory which is not a temporary directory.
    Now please do the following: (Note that some of the files may be missing if they've already been moved. Just continue on.)

    1) Go to add/remove programs and uninstall the below:

    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    J2SE Runtime Environment 5.0
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) SE Runtime Environment 6 Update 1
    LiveUpdate 2.5 (Symantec Corporation)


    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger.

    3) Next we need to remove some bad services, please follow the below…
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Microsoft cache control
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now Click OK until you get back to Windows.
    • Next, go to the MGTools folder under C and find analyse.exe (this is really HijackThis). Double click on analyse.exe to run the program, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste MSControlService into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    4) Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    O2 - BHO: {8bf4f0af-78f4-9558-c4a4-4890aaee3bfd} - {dfb3eeaa-0984-4a4c-8559-4f87fa0f4fb8} - C:\WINDOWS\system32\ovlvwlqc.dll (file missing)
    O3 - Toolbar: optionsXpress Toolbar - {63CC63C6-1AE1-491C-B96A-812A7950A1EC} - C:\Program Files\optionsXpress\optionsXpress Toolbar\OptionsXpressToolbar.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O20 - Winlogon Notify: ccbwgtru - ccbwgtru.dll (file missing)
    O20 - Winlogon Notify: erqzuebe - erqzuebe.dll (file missing)
    O20 - Winlogon Notify: kkfzqtao - kkfzqtao.dll (file missing)
    O20 - Winlogon Notify: kuvkywbi - kuvkywbi.dll (file missing)
    O20 - Winlogon Notify: ljjhefe - ljjhefe.dll (file missing)
    O20 - Winlogon Notify: pqvegshs - pqvegshs.dll (file missing)
    O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)

    After you click fix, just close hijackthis.


    5) Download and install Erunt. Use it to create a backup of your registry.

    6) Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    7) Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    RenV::
    ----a-w         5,674,352 2008-01-20 06:28:05  C:\Program Files\MSN Messenger\MsnMsgr .Exe
    ----a-w         1,393,928 2008-03-03 20:26:43  C:\Program Files\Trend Micro\Internet Security\UfSeAgnt .exe
    ----a-w            15,360 2008-03-03 17:01:39  C:\WINDOWS\system32\ctfmon .exe
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    8) Now run Ccleaner!

    9) Reboot after doing the above.

    10) Install the current version of Sun Java from: Sun Java Runtime Environment

    11) Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!

    abri
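The HijackThis entries selected for FIX above share a few recurring signs: a load point whose file is already gone, Winlogon Notify DLLs with random-looking names and no path, a service with no vendor, and a Run entry that is a bare filename. As an added example that is not part of this thread, of HijackThis or of MGTools, the script below runs those checks over constructed sample lines modelled on the entries quoted in this post; the heuristics and the benign "Example Backup" service line are assumptions made for illustration, not HijackThis rules.

```python
import re
from typing import List, Tuple

# Constructed sample, modelled on the entries quoted in the post (last line is a made-up benign service).
SAMPLE_LOG = r"""O2 - BHO: {8bf4f0af-78f4-9558-c4a4-4890aaee3bfd} - {dfb3eeaa-0984-4a4c-8559-4f87fa0f4fb8} - C:\WINDOWS\system32\ovlvwlqc.dll (file missing)
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: ccbwgtru - ccbwgtru.dll (file missing)
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: Example Backup (ExampleSvc) - Example Corp - C:\Program Files\Example\svc.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")          # "Onn - body" shape of a HijackThis line
RANDOM_DLL_RE = re.compile(r"^[a-z]{7,8}\.dll$")   # heuristic: shape of the O20 names in the thread


def assess_line(line: str) -> List[str]:
    """Return the reasons one entry deserves a closer look (empty list = nothing notable)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.groups()
    reasons = []
    if body.endswith("(file missing)"):
        reasons.append("load point references a file that no longer exists (orphaned entry)")
    if kind == "O20":
        # Winlogon Notify: "<name> - <dll>", possibly followed by "(file missing)"
        target = body.split(" - ")[-1].replace(" (file missing)", "")
        if RANDOM_DLL_RE.match(target):
            reasons.append("Winlogon Notify DLL with a random-looking name and no path")
    if kind == "O23" and "Unknown owner" in body:
        reasons.append("service with no vendor information")
    if kind == "O4":
        # Run entry: "[label] <image and arguments>"; a bare filename is resolved via PATH
        image = body.split("] ", 1)[-1]
        if not image.startswith('"') and "\\" not in image:
            reasons.append("Run entry is a bare filename resolved via PATH rather than a full path")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Pair every entry that raised at least one reason with its reasons, in log order."""
    return [(ln, assess_line(ln)) for ln in log_text.splitlines() if assess_line(ln)]


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry)
        for reason in why:
            print("   ->", reason)
```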
     
  4. jonny33

    jonny33 Private E-2

    Hi again, thanks for your quick response.

    I have followed the steps in detail.

    A couple of issues: not able to un-install Windows Messenger - it does not appear in Add/Remove Programmes and in the programme folder it does not have an uninstall icon. The Windows Live Messenger did however appear in Add/Remove Programmes and I uninstalled that.

    I can start Windows Messenger as normal from the Start/Programme menu.

    During boot-up the following error message popped up:

    MsnMsgr.Exe - Unable to Locate Component

    This application has failed to start because MSNCore.dll was not found. Re-installing the application may fix this problem.


    When running MGtools (analyse.exe) then in the HijackThis menu I clicked "Do a system scan and save a logfile". This produced a text document in Notepad which is attached below - no zip folder was generated this time. Did something go wrong?

    Am I now clean? john

    Otherwise things are appearing to be normal. John
     


  5. abri

    abri MajorGeek

    Hi jonny,
    Several things.

    1) Please answer my questions at the beginning of my last post about the files in the temp folder. It may be irrelevant now if you ran CCleaner as I expect they are no longer there.

    2) There are a number of Microsoft messengers and the similarity of their names leads to a great deal of confusion. The Windows Messenger is an internal messenger which people can use in a network. It's rarely used by anyone and is an avenue for malware to enter people's computers. That's why we ask you to remove it. It cannot simply be deleted, because it's in the backup files somewhere and simply comes back, so we give you a removal tool for it.
    There are also the Windows Live Messenger and the MSN Messenger, both of which are good messengers and used by a lot of people. The MSN Messenger and the Windows Messenger both use the same icon in the system tray, so this leads to further confusion.
    Additionally, there is Windows Live Plus! which also has problems with adware being attached to it, so when we see that on someone's system, we generally recommend they remove it via add/remove programs.

    To properly remove the MSN Messenger, there is a button in add/remove programs called add/remove Windows Components. This disables microsoft programs without actually taking them out of your computer. You can re-enable them again by going back to this button and finding the program you need and putting it back in.

    If you simply delete these programs, it will cause problems. See if you can reinstall the MSN Messenger by going to add/remove programs and looking for the add/remove Windows components button. See if there is an MSN Messenger in there that you can check on and have it installed. It may pick up the missing file from another area of your computer so you won't continue to get this warning.

    3) I'm not sure if you ran Combofix correctly. To run it correctly you have to make a notepad file. You open Notepad and then copy the contents of the box in step 7 of my last post and paste them into the Notepad. Then you save the file to the desktop. You close everything or minimize it so you can see your desktop and then using your mouse, you drag the new notepad file you just made over and dump it into the combofix icon which is the red circle with the white X. It's like dragging it into the garbage, only in this case you are dragging it into the Combofix icon. This will cause Combofix to run. Please try that over and refer to step 7 of my last post for how to find the log.

    4) I need to see the logs which are produced by running GetLogs.bat. This particular file is located in the MGTools folder in C: Go to C and find the MGTools folder and open it. Look for GetLogs.bat and double click on it to run it. Allow it to run all the way to completion. When it's finished, come back here to post to us and using the attachments button, browse in your computer to C: and look through the files (not folders) for the file called MGlogs.zip which is located just above the superman icon. Upload that and submit it here with your next post.

    Thanks.
    abri
     
  6. jonny33

    jonny33 Private E-2

    Dear Abri, thanks again for your advice.

    I installed myself the Web Accelerator that promises to speed up internet activity (Google tool), the “Warden” and “client” files I do nothing about. None of these four files are needed.

    Windows Messenger is now removed.

    To repair the earlier Messenger removal I downloaded from the Microsoft site the Windows Live Messenger 8.1 and installed.

    The Combofix procedure you described in point 3 was followed to the letter prior to my second post. Should I do this once more? I am afraid to just go ahead and repeat the procedure without your advice.

    Sorry I screwed up on MGtools ahead of my previous post, I clicked the MGtools folder and the analyse.exe icon, instead of the superman icon under C: - would you want me to run MGtools now by clicking the superman icon?

    John
     


  7. abri

    abri MajorGeek

    Hi jonny,

    You're right, the combofix worked. I couldn't see it until I got the new set of logs. There's one more bad file that needs to be removed in the same way. I'll give you the instructions here and you can do them again, only with a different file this time:

    1) Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    RenV::
    ----a-w         1,393,928 2008-03-03 20:26:43  C:\Program Files\Trend Micro\Internet Security\UfSeAgnt .exe
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    2) Now run Ccleaner!

    3) And hopefully this will be the last time: Run the C:\MGtools\GetLogs.bat file by double clicking on it and attach the MGlogs.zip (found directly under C just above the superman icon) along with the Combofix log.

    I think the above is the last bad file. If that gets deleted and your logs don't show any further malware, I will have you run our final cleanup instructions.

    abri
     
  8. jonny33

    jonny33 Private E-2

    Dear Abri, I am really impressed.

    Everything appears normal apart from the same error message during boot-up:

    MsnMsgr.Exe - Unable to Locate Component

    This application has failed to start because MSNCore.dll was not found. Re-installing the application may fix this problem.


    I followed your instructions to the letter and logs are attached. John
     


  9. abri

    abri MajorGeek

    Hi Jonny,

    The one infected file that we tried to remove with Combofix is still there. I would like for you to disconnect your computer from the internet and uninstall Trend Micro and then reinstall it. I think this might be the fastest way to get rid of this infected file, since the Combofix logs are not indicating deletions.

    As for the message about MSNCore.dll, please see the following website for information but not for repairing the MSNCore.dll file: http://dll-repair-tools.com/dll-files/msncoredll-and-msn-messenger-error

    It's recommended to uninstall all your msn messengers and reinstall them, including MSN Messenger and Windows Live Messenger, since it's a component of both. After uninstalling the messengers, try booting up to see if you get the error message before you reinstall the messengers. This information would be useful.

    After doing both of the above, please run C:\MGTools\GetLogs.bat and attach a new MGlogs.zip (found directly under C:\) and let me know how things go.

    abri
     
  10. jonny33

    jonny33 Private E-2

    Dear Abri, things appear normal and no error messages after re-booting with Live Messenger. I therefore did not install MSN Messenger.

    Logs attached - cross finger. John
     


  11. abri

    abri MajorGeek

    Hi jonny,
    That one file is gone! That's good! Now I will give you the final cleanup instructions. Be sure to use CCleaner a lot for a while, because you can only delete things up to but not including the current day and I would like to see you get rid of all files that CCleaner deletes. It's not a bad habit to run it whenever you get out of your browsers. Here are the instructions for getting rid of all the tools and logs and setting a clean restore point:
    abri
     
  12. jonny33

    jonny33 Private E-2

    Dear Abri

    You are amazing, and what a terrific forum this is - will recommend to my friends.

    My ultimate weapon against malware has been to buy a MacBook Air.

    Many thanks for your fantastic and expedient help - without it I would have been totally lost and would have had to re-format the hard disk.

    john
     
  13. abri

    abri MajorGeek

    Jonny,
    You're welcome and thanks for speaking well of the site. The best of luck to you and your computer!
    abri
     
