Browser/desktop hijacks/Cant open programs/Rogueantispyware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by lillywilde, Aug 18, 2009.

  1. lillywilde

    lillywilde Private E-2

    Hello all, another person in need of help!

    A few days ago I started getting browser redirects to all sorts of sites and then a menacing desktop message. I have Windows XP.
    I looked through the *READ ME FIRST* thread and downloaded everything it told me to, however, I am unable to execute any of these programs or any programs at all (except Internet Explorer) and access to Task Manager is denied.

    My computer very briefly resumed normal service when I turned it on at some point and there was no sign of the rogue anti spyware (but the browser hijacks continued). Upon rebooting a different anti spyware thing (Win Antivirus Pro) has shown up and the computer has returned to that sorry state.

    I feel I should mention that I used to own AVG and Spyware Doctor but my subscriptions ran out and I had no money to renew them, so I started using the free version of Antivir, but a year on this has happened.

    Can anybody here share their wisdom? It'd obviously be really appreciated if anybody could!!

    lillywilde
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you sure neither ComboFix nor MGTool.exe can run? The only way to assist you is to see what is happening in your system.

    Did you try running any of the scans in safe mode? Did you try renaming them?
     
  3. lillywilde

    lillywilde Private E-2

    Hi Tim, thanks for the reply. I was eventually able to run SUPERAntiSpyware, MGTools and RootRepeal, but ComboFix and Malwarebytes just didn't run?

    Should I try to run these programs in safe mode? I've attached the logs I got, I think I've done it all correctly...

    Thanks once again

    lillywilde
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We have some work to do.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now let's use ComboFix to remove a bunch of malware files.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
    C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job
    C:\Documents and Settings\All Users\Application Data\11583124   
    C:\Documents and Settings\paul\LOCALS~1\Temp\n.exe
    C:\WINDOWS\system32\bennuar.old
    C:\WINDOWS\system32\bincd32.dat 
    C:\WINDOWS\system32\net.net
    C:\WINDOWS\system32\onhelp.htm
    C:\WINDOWS\system32\sonhelp.htm
    C:\WINDOWS\system32\sysnet.dat 
    
    Folder::
    C:\Documents and Settings\paul\Local Settings\Temp\MSA
    
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Monopod"=-
    "msctrl.exe"=-
    "msavsc.exe"=-
    "msscan.exe"=-
    "msiemon.exe"=-
    "msfw.exe"=-
    "mssadv.exe"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "net"=-
    "msctrl.exe"=-
    "msavsc.exe"=-
    "msscan.exe"=-
    "msiemon.exe"=-
    "msfw.exe"=-
    "mssadv.exe"=-
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner to clean out only temp files and nothing else!
    Then make sure this folder is empty:
    C:\Documents and Settings\paul\Local Settings\temp\

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  5. lillywilde

    lillywilde Private E-2

    Hello again,

    I followed your instructions up to the point of dragging and dropping the Notepad file onto ComboFix and nothing happened, I made sure to copy and paste all the lines into it but still nothing? What have I done wrong?

    Thanks for replying

    lillywilde
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I don't know what may have happened. But at least attach the new MGTools log.
     
  7. lillywilde

    lillywilde Private E-2

    Hey, here is the MGtools log, thanks!

    lilly wilde
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Nothing was fixed, including the HJT fix.

    Download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    -
    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  9. lillywilde

    lillywilde Private E-2

    Hi Tim, thanks so much for this,

    When checking the boxes in HijackThis, the only line that was displayed out of the ones you listed was:

    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,

    None of the others showed up?

    I continued, thinking that result may throw a spanner in the works (which it did!)

    When clicking execute to run avenger the following error code appeared:

    Error: Invalid registry syntax command: "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run¦msctrl.exe" Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program. Skipping line. (Registry Value deletion mode)

    This happened for all the other lines that were missing from the HijackThis box checking so I thought it best not to continue and ask you as something is probably very wrong or not wrong at all?

    On the bright side, ComboFix eventually decided to work (once) and I've included the log.. but it is a couple of days old now.

    Thank you unreservedly for helping me out with this

    lilly wilde
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's continue with what we have.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Driver::
    SKYNEThxrpqduv
    str
    
    File::
    c:\windows\system32\lpocg.dll
    C:\WINDOWS\system32\sdra64.exe
    c:\documents and settings\paul\local settings\application data\reykvrbg.exe
    C:\WINDOWS\system32\drivers\SKYNEThxrpqduv.sys
    C:\Documents and Settings\paul\Local Settings\Application Data\reykvrbg.dat
    C:\Documents and Settings\paul\Local Settings\Application Data\reykvrbg_nav.dat
    C:\Documents and Settings\paul\Local Settings\Application Data\reykvrbg_navps.dat
    C:\WINDOWS\system32\bennuar.old
    C:\WINDOWS\system32\bincd32.dat
    C:\WINDOWS\system32\c2d.dat
    C:\WINDOWS\system32\ca.dat
    C:\WINDOWS\system32\ck.dat
    C:\WINDOWS\system32\hdhg
    C:\WINDOWS\system32\hjfe          
    C:\WINDOWS\system32\idm.dat       
    C:\WINDOWS\system32\jc.dat
    C:\WINDOWS\system32\ngmn1.dll
    C:\WINDOWS\system32\q1.dat
    C:\WINDOWS\system32\SET280.tmp
    C:\WINDOWS\system32\set281.tmp     
    C:\WINDOWS\system32\set283.tmp   
    C:\WINDOWS\system32\set284.tmp    
    C:\WINDOWS\system32\set285.tmp     
    C:\WINDOWS\system32\set288.tmp    
    C:\WINDOWS\system32\set28a.tmp   
    C:\WINDOWS\system32\sonhelp.htm  
    C:\WINDOWS\system32\sysnet.dat    
    C:\WINDOWS\system32\UACfgoivnnqvr.dll
    C:\WINDOWS\system32\UACgokrlbmwku.dll
    C:\WINDOWS\system32\UACqelexgoiru.dll
    C:\WINDOWS\system32\UACrgprowyrnk.db
    C:\WINDOWS\system32\UACtpjyiusgnp.log
    C:\WINDOWS\system32\UACtycscpnjpa.dat
    C:\WINDOWS\system32\xa.tmp
    C:\WINDOWS\system32\xd.dat
    C:\WINDOWS\system32\drivers\str.sys
    C:\WINDOWS\system32\drivers\UACdmppxoykyv.sys
    C:\WINDOWS\temp\nsrbgxod.bak
    C:\WINDOWS\temp\rundll32.dll 
    C:\WINDOWS\system32\dllcache\SET296.tmp
    C:\Documents and Settings\paul\Local Settings\temp\nsrbgxod.bak
    C:\Documents and Settings\paul\Local Settings\temp\wlsetup-cvr.exe
    
    Folder::
    C:\WINDOWS\system32\hdhg
    C:\WINDOWS\system32\hjfe   
    
    RegLockDel::
    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SKYNETjrxexoqq]
    @DACL=(02 0000)
    "start"=dword:00000001
    "type"=dword:00000001
    "group"="file system"
    "imagepath"=expand:"\\systemroot\\system32\\drivers\\SKYNEThxrpqduv.sys"
    
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SKYNETjrxexoqq]
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\SYSTEM32\Userinit.exe,"
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "reykvrbg"=-
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50A99122-4C8C-4317-811E-54B5DAD44B52}]
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now download the latest version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one. Run the exe file.

    See if you can run RootRepeal and attach the log if you can.

    Also attach the new logs for:


    • C:\MGLogs.zip
    • C:\ComboFix.txt
     
    Last edited: Sep 11, 2009
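    The F2 line quoted above shows the classic Winlogon Userinit hijack: a second executable (sdra64.exe) appended to the comma-separated Userinit value, so it is launched at every logon, and the ComboFix script above resets the value to just userinit.exe. As an added example that is not part of this thread or of any tool it mentions, the Python below splits a Userinit value the way Winlogon does, flags every entry that is not the system userinit.exe, and can read the live value on a Windows machine; the sample strings are constructed from the values quoted in this thread, and the %SystemRoot% handling goes a little beyond what the thread shows.

```python
from typing import List, Optional

# Constructed samples (not read from a live machine): the first is the value
# HijackThis reported in this thread, the second is the clean value the
# ComboFix script in this thread writes back.
HIJACKED_USERINIT = r"C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
CLEAN_USERINIT = r"c:\windows\SYSTEM32\Userinit.exe,"

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit list into its entries.

    Winlogon launches every entry in turn, so an extra entry means an extra
    program started at each logon. The trailing comma is normal and yields
    no entry; surrounding quotes and spaces are stripped.
    """
    return [e.strip().strip('"') for e in value.split(",") if e.strip().strip('"')]


def expected_userinit(windir: str = r"C:\WINDOWS") -> str:
    """Canonical (lower-cased) path of the legitimate userinit.exe."""
    return (windir.rstrip("\\") + r"\system32\userinit.exe").lower()


def _normalise(entry: str, windir: str) -> str:
    """Lower-case an entry and expand a leading %SystemRoot% for comparison."""
    lowered = entry.lower()
    if lowered.startswith("%systemroot%"):
        lowered = windir.rstrip("\\").lower() + lowered[len("%systemroot%"):]
    return lowered


def suspicious_userinit_entries(value: str, windir: str = r"C:\WINDOWS") -> List[str]:
    """Return every Userinit entry that is not the system userinit.exe."""
    expected = expected_userinit(windir)
    return [e for e in parse_userinit(value) if _normalise(e, windir) != expected]


def userinit_is_clean(value: str, windir: str = r"C:\WINDOWS") -> bool:
    """True only when the value runs exactly one program: the real userinit.exe.

    An empty or missing userinit.exe entry is also flagged, since that too
    breaks or hijacks the logon sequence.
    """
    entries = [_normalise(e, windir) for e in parse_userinit(value)]
    return entries == [expected_userinit(windir)]


def read_userinit_from_registry() -> Optional[str]:
    """Read the live HKLM Winlogon\\Userinit value on Windows; None elsewhere."""
    try:
        import winreg  # standard library, Windows only
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    live = read_userinit_from_registry()
    for label, val in (("hijacked sample", HIJACKED_USERINIT),
                       ("clean sample", CLEAN_USERINIT),
                       ("this machine", live)):
        if val is None:
            continue
        print(f"{label}: {val!r} -> {'clean' if userinit_is_clean(val) else 'SUSPECT'}")
        for extra in suspicious_userinit_entries(val):
            print(f"  unexpected Userinit entry: {extra}")
```

On Windows the script also reports the machine's own value; everywhere else it runs against the two constructed samples only.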
  11. lillywilde

    lillywilde Private E-2

    Hi tim,

    The line you asked me to fix in HijackThis did not appear, is that because I removed it last time, in a similar fashion to those others that did not appear last time?

    ComboFix stopped about halfway through and told me to write down these files as they were a rootkit, so I saved and attached their names.

    I'd better tell you that my desktop was returned to normal a little while ago, but I still experience browser hijacks and I suspect my pooter is still very infected with stubborn malwares etc.

    cheers!!!!!!!!!!

    lillywilde
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    More work to do.

    Please use add/remove programs to uninstall:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 9
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner and make sure everything other than the language files is removed from this folder:
    C:\Documents and Settings\paul\Local Settings\temp\

    Now download the latest version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one. Run the exe.

    Now download and install:
    Java Runtime 6

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  13. lillywilde

    lillywilde Private E-2

    Sorry for the late reply tim! I followed your instructions.

    I had to run Avenger twice as a log didn't seem to appear on the first reboot but did on the second.

    The temp folder wasn't completely empty so I print screened it to show you what was in there..

    Screenshot of the temp folder: http://i209.photobucket.com/albums/bb318/brapattack01/tempprintscreen.jpg

    Firefox and Internet Explorer appear to be running normally, there are no more browser hijacks and the desktop has returned to normal. There are no more menacing warnings anywhere, the computer is just very sluggish.
    I think a defrag is in order?

    Am I out of the woods yet?

    Thanks so much for your help so far, you're a saviour!

    lillywilde
     

    Attached Files:

  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You're getting there.

    Please use add/remove programs to uninstall:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 9

    Now use windows explorer to find and delete:
    C:\Documents and Settings\paul\Local Settings\temp\09c8f.tmp
    C:\Documents and Settings\paul\Local Settings\temp\aja25.tmp
    C:\Documents and Settings\paul\Local Settings\temp\k6z90.tmp
    C:\Documents and Settings\paul\Local Settings\temp\sh494.tmp
    C:\Documents and Settings\paul\Local Settings\temp\temp.ani

    You should probably not have BitTorrent running at start up.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now download and install:
    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
  15. lillywilde

    lillywilde Private E-2

    Hello! Sorry for the delayed reply once again!

    I looked in the folder you asked me to but none of the files were there, however, after CCleaner it was empty.

    Here are the logs, thank you unreservedly.

    lillywilde
     

    Attached Files:

  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not a problem....tell me what issues you may still have.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
