Hello we followed all your steps.. still have popups

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by journeys2, Feb 1, 2006.

  1. journeys2

    journeys2 Private E-2

    Here are the three logfiles. I did not try any of the alternative searches.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MGs!

    You have several problems. One is a VX2 infection.

    Follow the steps in the below link and attach the Spy Sweeper log.

    Running Spy Sweeper...

    Attach a new HJT log afterwards too.
     
  3. journeys2

    journeys2 Private E-2

    Thanks for the quick reply. Here are the new logs.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure viewing of hidden files is enabled (per the tutorial).
    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\??plorer.exe
    C:\Program Files\sprr\etrt.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {3844C60A-52CB-7E00-1C2D-C45A600F5B00} - C:\WINDOWS\System32\cdmweb\pbbdtogpij.dll (file missing)
    O4 - HKLM\..\Run: [Ddoze8So] C:\documents and settings\preferred customer\local settings\temp\Ddoze8So.exe
    O4 - HKLM\..\Run: [Np7DvL] C:\documents and settings\preferred customer\local settings\temp\Np7DvL.exe
    O4 - HKLM\..\Run: [QMg7mJ] C:\documents and settings\preferred customer\local settings\temp\QMg7mJ.exe
    O4 - HKLM\..\Run: [FMv] C:\documents and settings\preferred customer\local settings\temp\FMv.exe
    O4 - HKLM\..\Run: [PGgg2] C:\documents and settings\preferred customer\local settings\temp\PGgg2.exe
    O4 - HKLM\..\Run: [q4rKeaMrs] C:\windows\system32\q4rKeaMrs.exe
    O4 - HKLM\..\Run: [GjFayBd.exe] c:\windows\system32\GjFayBd.exe
    O4 - HKLM\..\Run: [mpvlbf] c:\windows\system32\uufqxjc.exe
    O4 - HKCU\..\Run: [txflog] C:\WINDOWS\System32\txflog.exe
    O4 - HKCU\..\Run: [Tck] C:\WINDOWS\System32\??plorer.exe
    O4 - HKCU\..\Run: [Owae] C:\Program Files\sprr\etrt.exe
    O9 - Extra button: (no name) - {32423D66-EC04-49C4-A335-978B5D22BFB5} - C:\WINDOWS\System32\dhcpmon455c.dll (file missing) (HKCU)
    O9 - Extra button: (no name) - {8A59043C-D150-4785-B5E6-1EBB9708EFD9} - C:\WINDOWS\System32\dsuiext389l.dll (file missing) (HKCU)
    O9 - Extra button: (no name) - {CB7E4465-8D8B-4CEB-B3D0-8AA67A309F5E} - C:\WINDOWS\System32\dbghelp693b.dll (file missing) (HKCU)
    O9 - Extra button: (no name) - {ED8A3220-3CA9-421E-AAB4-E6B44E8C6941} - C:\WINDOWS\System32\MSRTEDIT272j.dll (file missing) (HKCU)
    O20 - AppInit_DLLs: C:\WINDOWS\System32\streamci781b.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\sprr <-- the whole sprr folder
    C:\documents and settings\preferred customer\local settings\temp\Ddoze8So.exe <--- notice a bunch of baddies in this temp folder
    C:\documents and settings\preferred customer\local settings\temp\Np7DvL.exe <--- just delete all files in this temp folder
    C:\documents and settings\preferred customer\local settings\temp\QMg7mJ.exe
    C:\documents and settings\preferred customer\local settings\temp\FMv.exe
    C:\documents and settings\preferred customer\local settings\temp\PGgg2.exe
    C:\WINDOWS\System32\cdmweb\pbbdtogpij.dll
    C:\windows\system32\q4rKeaMrs.exe
    c:\windows\system32\GjFayBd.exe
    c:\windows\system32\uufqxjc.exe
    C:\WINDOWS\System32\txflog.exe
    C:\Program Files\sprr\etrt.exe
    C:\WINDOWS\System32\dhcpmon455c.dll
    C:\WINDOWS\System32\dsuiext389l.dll
    C:\WINDOWS\System32\dbghelp693b.dll
    C:\WINDOWS\System32\MSRTEDIT272j.dll
    C:\WINDOWS\System32\streamci781b.dll
    C:\WINDOWS\System32\??plorer.exe <-- the question marks could be anything, but they probably are 'ex' to make the file explorer.exe. Only delete the one in the system32 folder.

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right-click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, click OK. When it finishes, click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, click OK. When it finishes, click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  5. journeys2

    journeys2 Private E-2

    I have not seen any problems yet, but I just got back online.

    When deleting files in safe mode, all the temps from the log were missing (though I deleted the others that were in that folder).

    c:\windows\system32\uufqxjc.exe was missing as well

    and the following were present without the numbers that follow the filename (i.e. dhcpmon.dll but not dhcpmon4555c.dll) so I did not delete them - Should I have?

    C:\WINDOWS\System32\dhcpmon455c.dll
    C:\WINDOWS\System32\dsuiext389l.dll
    C:\WINDOWS\System32\dbghelp693b.dll
    C:\WINDOWS\System32\MSRTEDIT272j.dll
    C:\WINDOWS\System32\streamci781b.dll

    The rest worked fine.
    Here is a new log
    Thanks
     

    Attached Files:

  6. journeys2

    journeys2 Private E-2

    I forgot to include this HJT error report. It occurred while "fixing" things before switching to safe mode.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! Those are valid Windows files!

    Did you decide not to fix the below because you want it to be blank.htm?
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

    Your log is clean! Are things still working okay?
     
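    The two points chaslang makes above, that autoruns launched from a temp folder, orphaned "(file missing)" entries and an AppInit_DLLs line are worth a second look, while dhcpmon.dll, dsuiext.dll and the other un-suffixed files are legitimate Windows components, can be turned into a small triage script. The following is an added example, not code from the thread or from MajorGeeks: it parses a constructed HijackThis-style log (entries shaped like the ones quoted in post 4, plus one benign ctfmon.exe autorun), attaches a reason to each entry that deserves review, and separates a real system file name from a copy that differs only by a bolted-on suffix such as 455c. The allow-list of known system file names is an assumption for illustration; a real check would compare against a signed file inventory.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis log format, built from the entry shapes quoted
# in the thread plus one benign ctfmon.exe autorun; it is not a real captured log.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {3844C60A-52CB-7E00-1C2D-C45A600F5B00} - C:\WINDOWS\System32\cdmweb\pbbdtogpij.dll (file missing)
O4 - HKLM\..\Run: [Ddoze8So] C:\documents and settings\preferred customer\local settings\temp\Ddoze8So.exe
O4 - HKCU\..\Run: [Tck] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: (no name) - {32423D66-EC04-49C4-A335-978B5D22BFB5} - C:\WINDOWS\System32\dhcpmon455c.dll (file missing) (HKCU)
O20 - AppInit_DLLs: C:\WINDOWS\System32\streamci781b.dll
"""

# Assumed allow-list of legitimate Windows file names (the thread says the
# un-suffixed versions exist on the machine); a real triage would check a
# full, signed file inventory instead of this short list.
KNOWN_SYSTEM_FILES = {
    "dhcpmon.dll", "dsuiext.dll", "dbghelp.dll", "msrtedit.dll",
    "streamci.dll", "explorer.exe", "ctfmon.exe",
}

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<rest>.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|htm)", re.IGNORECASE)
# A base name with a trailing digits(+letter) suffix, e.g. dhcpmon455c.dll
SUFFIXED_RE = re.compile(r"^(?P<base>[a-z_]+?)(?P<suffix>\d+[a-z]?)\.(?P<ext>dll|exe)$")


@dataclass
class Finding:
    kind: str
    path: str
    reasons: list = field(default_factory=list)


def lookalike_of(filename):
    """Return the known system file this name imitates, or None.

    Strips a trailing numeric(+letter) suffix from the stem and checks whether
    what remains is on the allow-list. dhcpmon.dll itself returns None, which
    is the case the thread warns about: do not delete the real file.
    """
    m = SUFFIXED_RE.match(filename.lower())
    if not m:
        return None
    candidate = f"{m.group('base')}.{m.group('ext')}"
    return candidate if candidate in KNOWN_SYSTEM_FILES else None


def triage(log_text):
    """Parse HJT-style lines and attach review reasons to each entry."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        pm = PATH_RE.search(rest)
        path = pm.group(0) if pm else ""
        name = path.rsplit("\\", 1)[-1]
        f = Finding(kind=kind, path=path)

        if kind == "O4" and "\\temp\\" in path.lower():
            f.reasons.append("autorun launches a binary from a temp folder")
        if "(file missing)" in rest:
            f.reasons.append("registry entry points at a file that no longer exists")
        if kind == "O20" and rest.startswith("AppInit_DLLs"):
            f.reasons.append("AppInit_DLLs loads this DLL into every GUI process")
        if "?" in name:
            f.reasons.append("file name contains characters the tool could not print")
        target = lookalike_of(name)
        if target:
            f.reasons.append(f"name mimics system file {target} with a random suffix")
        findings.append(f)
    return findings


def suspicious_entries(log_text):
    """Only the entries that collected at least one reason."""
    return [f for f in triage(log_text) if f.reasons]


if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_LOG):
        print(f.kind, f.path)
        for r in f.reasons:
            print("   -", r)
```

    Run on the sample, the R0 line and the ctfmon.exe autorun come back with no reasons, while the temp-folder autorun, the two "(file missing)" entries, the ??plorer.exe name and the AppInit_DLLs entry are each listed with why they merit review; the suffix check reports dhcpmon455c.dll and streamci781b.dll as imitations while leaving dhcpmon.dll untouched.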
  8. journeys2

    journeys2 Private E-2

    Yeah, everything still works good. Thanks a lot! I'm not sure why that line reads blank... IE loads Google at start up. Should I set that restore point now?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you fix the line using HJT and did you Reset Web Settings as requested? If so, that line should not exist unless you did not allow the change to your settings when MS Antispyware or similar popped up a warning about a change to your settings.

    You could try again! Disable any protection software if necessary while making the change.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore, which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  10. journeys2

    journeys2 Private E-2

    OK, got rid of that top line, installed Avast, and set a restore point.

    Thanks again for all the help!!
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     