I followed "Read & Run First" directions...NOW LETS TOAST THIS MALWARE!!!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by gottagitdemjs, Apr 5, 2006.

  1. gottagitdemjs

    gottagitdemjs Private E-2

    Ok, first off, I'm running XP service pack 2. I visited www.rajahwwf.com the other day (a wrestling site) where I believe I received the malware that is on my machine. There was an executable on my desktop that I mistook for another .exe that I normally use. I wasn't even looking when I clicked it. I believe it installed a series of different malware programs such as SurfSidekick 3 and Zeno Search assistant among others. Having used HJT before, I used the normal process of deleting the bad programs from Add/Remove programs, then I ran HJT and deleted the files associated with the malware (got them from various message boards such as this one). That did not help though, so I ended up here because I absolutely want to be rid of these popups (heck, I even get a popup every 30 or so seconds as I type this). I get a series of popups every 5 minutes with others that popup when I visit websites (geeks.com shows up when I visit here). I have gone through the read and run section here and only ran into a few problems. Here they are:

    I couldn't run Ccleaner in safe mode because I kept getting the message "Runtime error '0'"
    Ad-Aware SE couldn't remove the file "k0nola53.dll"
    Spybot Search & Destroy couldn't fix the entry "Command Service"
    I had a Look 2 Me parasite, but I ran Kill2Me and it claims it removed it.
    I also couldn't download Windows Defender. It said something like I didn't have a verified version of Windows on my machine (something like that). I guarantee you the Windows on my machine is mine in every sense of the word. It is not stolen or pirated. I don't know why it wouldn't work. The Malicious Software Removal Tool did work though.
    I also couldn't connect to the internet in safe mode, so I had to run the online scans from normal mode.

    Ok...so that's my story. Any help would be greatly appreciated. This process has been very time consuming, but I'm determined to get rid of this crap. My logs are attached. I will keep checking this thread every 5 minutes or so throughout the evening....thanks for any help.
     

    Attached Files:

  2. gottagitdemjs

    gottagitdemjs Private E-2

    PLEAAAAAASE!!!! Anybody? I'm about to pull my hair out. This is the worst I've ever had malware.
     
  3. gottagitdemjs

    gottagitdemjs Private E-2

    If you need to know, some of the pop-ups include:

    cnec
    ad.firstadsolution
    freepay
    myriad market
    various different online casinos and betting sites
    various ads saying they'll clean spyware off my machine

    Like I said, I didn't know if this even matters. I just want to get this over with. I'll keep checking this post until 2:00 am central time April 6.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You have the newest Qoologic infection along with a bunch of other problems!


    Now download FindQool by LonnyRJones
    • Extract the files and place the FindQool folder into the root folder of your hard disk. This is usually C:\
    • Open the folder and run Qlocate.bat
    • Post the contents of the txt.log which will open when the scan is finished.
    This is not a fix! It is only a scan that gives us info so we can write up a fix for you.
     
  5. gottagitdemjs

    gottagitdemjs Private E-2

    Ok...ran it. Here's that log.
     

    Attached Files:

  6. gottagitdemjs

    gottagitdemjs Private E-2

    I might also add that I downloaded and ran Look 2 Me destroyer a little while ago, which actually helped out a bit, but I'm still getting a few popups (just not as many as before I ran L2M destroyer).
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You skipped at least part of step 0 in the READ & RUN ME. You did not empty your Quarantine folder for Yahoo Antispyware. Please empty it now! You appear to be a pretty big collector of malware.

    Please also delete this folder C:\WINDOWS\bundles which should delete everything in it (all malware). If you cannot delete it in normal boot mode try safe mode.

    Now since you have so many bad things hiding on your system, we need to run a couple more tools.
    1. Download AproposFix by Swandog46
      • Save it to your desktop or to another folder of its own, but do NOT run it yet!
      • Now reboot your computer in Safe Mode! (You must be in safe mode or this fix will not work.)
      • Once in Safe Mode, double-click aproposfix.exe which will give you a choice of where to unzip/install the program to. This is called the Destination folder in the window that pops up. So either install it to the Desktop or the folder where you downloaded the aproposfix.exe file to. It will create a new folder named aproposfix. Open the aproposfix folder and double click on RunThis.bat to run the fix. Follow the prompts.
      • When the tool is finished, reboot back into normal mode, and attach the log.txt file that has been created in the aproposfix folder.
    2. Now please run the steps in the below link:
    3. Now please download win32delfkil.exe
      • Save it to the Desktop.
      • Double click on win32delfkil and install it (Installeren button)
      • A new folder is created on the Desktop: win32delfkil
      • Close all windows!
      • Open the win32delfkil folder
      • Double click on the fix MS-DOS Batch File
      • The program runs and the computer reboots automatically.
      • After the reboot, and back in Windows, search for the file: C:\windelf.txt
      • Post the contents of the windelf.txt.
    Also since you already ran Destroyer to fix the Look 2 Me infection (one of the things I was referring to when I said you had a bunch more problems), please attach a new HJT log so I can see what remains.


    Let's get an installed programs list from HijackThis too! You will have to start a new message to attach this fifth log.
    • Run HijackThis, click Open the Misc Tools section
    • Click Open Uninstall Manager
    • Click Save List (generates uninstall_list.txt)
    • Click Save, to save it to a file where you can find it.
    • Attach the uninstall_list.txt file to your next message.
     
    Last edited: Apr 6, 2006
  8. gottagitdemjs

    gottagitdemjs Private E-2

    1. Deleted contents of Yahoo Antispyware folder.
    2. Deleted bundles folder.
    3. Here are all the logs you've asked for:
    apropsfix
    Ewido
    windelf
    HiJack This

    HiJack This Programs Installed list on next post!
     

    Attached Files:

  9. gottagitdemjs

    gottagitdemjs Private E-2

    HJT Installed Programs List attached!
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First goto Add/Remove programs and uninstall the below as indicated in step 0 of the READ & RUN ME.
    DMVlite
    Yazzle Sudoku by OIN

    Download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\WINDOWS\system32\wd434f15.dll
    C:\WINDOWS\sys010816406722.exe
    C:\WINDOWS\CheckS02.exe
    C:\windows\mousepad8.exe
    C:\WINDOWS\ms054067220816.exe
    C:\WINDOWS\ms031640672208.exe
    C:\WINDOWS\win32092208164067.exe
    C:\WINDOWS\sys028164067220.exe
    C:\WINDOWS\sys102081640672.exe
    C:\WINDOWS\win32076722081640.exe
    C:\WINDOWS\ms060672208164.exe
    C:\WINDOWS\win32087220816406.exe
    C:\WINDOWS\sys031640672208.exe
    C:\WINDOWS\ms046406722081.exe
    C:\WINDOWS\win32060672208164.exe
    C:\WINDOWS\system32\pwndkhy.exe
    C:\WINDOWS\UNWN.EXE


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes. (You may not see these! If not, just continue.)
    C:\Program Files\Common Files\??crosoft\d?xplore.exe
    C:\PROGRA~1\ASEMBL~1\wowexec.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,pwndkhy.exe
    O2 - BHO: (no name) - {204901EA-3E6B-9BA4-445D-ECAAD940F49C} - (no file)
    O2 - BHO: (no name) - {BA9AAF85-6D52-87D4-1D04-D53E66846E8C} - (no file)
    O4 - HKLM\..\Run: [sys010816406722] C:\WINDOWS\sys010816406722.exe
    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CheckS02.exe
    O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard8.exe
    O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad8.exe
    O4 - HKLM\..\Run: [wd434f15.dll] RUNDLL32.EXE wd434f15.dll,I2 0001a5af0d434f15
    O4 - HKLM\..\Run: [ms054067220816] C:\WINDOWS\ms054067220816.exe
    O4 - HKLM\..\Run: [ms031640672208] C:\WINDOWS\ms031640672208.exe
    O4 - HKLM\..\Run: [win32092208164067] C:\WINDOWS\win32092208164067.exe
    O4 - HKLM\..\Run: [sys028164067220] C:\WINDOWS\sys028164067220.exe
    O4 - HKLM\..\Run: [sys102081640672] C:\WINDOWS\sys102081640672.exe
    O4 - HKLM\..\Run: [win32076722081640] C:\WINDOWS\win32076722081640.exe
    O4 - HKLM\..\Run: [ms060672208164] C:\WINDOWS\ms060672208164.exe
    O4 - HKLM\..\Run: [win32087220816406] C:\WINDOWS\win32087220816406.exe
    O4 - HKLM\..\Run: [sys031640672208] C:\WINDOWS\sys031640672208.exe
    O4 - HKLM\..\Run: [ms046406722081] C:\WINDOWS\ms046406722081.exe
    O4 - HKLM\..\Run: [win32060672208164] C:\WINDOWS\win32060672208164.exe
    O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\ZICORN002.exe
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
    O23 - Service: bnhzehxbeivz (MsUpdate5) - Unknown owner - C:\WINDOWS\System32\msupd5.exe (file missing)


    Now exit HJT
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):
    C:\Program Files\comedy-planet <--- the whole folder
    C:\WINDOWS\system32\vmss <--- the whole folder
    C:\WINDOWS\system32\wsxsvc <--- the whole folder
    C:\WINDOWS\S3lsZQ <--- the whole folder
    C:\WINDOWS\EliteSideBar <--- the whole folder or file
    C:\WINDOWS\inst <--- the whole folder or file
    C:\WINDOWS\isrvs <--- the whole folder or file
    C:\keys.ini
    C:\Veracruz.exe
    C:\w.exe
    C:\ZICORN001.exe
    C:\WINDOWS\UNWN.EXE
    C:\WINDOWS\CheckS02.exe
    C:\windows\mousepad8.exe
    C:\windows\keyboard8.exe
    C:\WINDOWS\icont.exe
    C:\WINDOWS\kwv2.dat
    C:\WINDOWS\ms054067220816.exe
    C:\WINDOWS\ms031640672208.exe
    C:\WINDOWS\win32092208164067.exe
    C:\WINDOWS\sys010816406722.exe
    C:\WINDOWS\sys028164067220.exe
    C:\WINDOWS\sys102081640672.exe
    C:\WINDOWS\win32076722081640.exe
    C:\WINDOWS\ms060672208164.exe
    C:\WINDOWS\win32087220816406.exe
    C:\WINDOWS\sys031640672208.exe
    C:\WINDOWS\ms046406722081.exe
    C:\WINDOWS\win32060672208164.exe
    C:\WINDOWS\system32\ZICORN002.exe
    C:\WINDOWS\system32\pwndkhy.exe
    C:\WINDOWS\system32\wd434f15.dll
    C:\WINDOWS\SYSTEM32\dsktrf.dll
    C:\WINDOWS\SYSTEM32\winupdt.bin
    C:\WINDOWS\system32\Setup94.exe

    Then reboot into normal mode and attach a new HJT log and a new log from FindQool
     
  11. gottagitdemjs

    gottagitdemjs Private E-2

    That's something I forgot to put in my original post. When I try to uninstall DMVlite, it sends me to this webpage: http://www.dmvlite.com/uninstall.html It looks like they're trying to sell their URL or something. I don't see anything about uninstalling on there. Maybe you could point me in the right direction. I'll get to work on the other stuff though.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's use the below to remove DMVlite.

    Now copy the bold text below to notepad. Save it as fixdmv.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
     
  13. gottagitdemjs

    gottagitdemjs Private E-2

    I followed all the steps above as well as the registry fix you just posted. My HJT log is below. Haven't had a popup since I've logged on...which has only been for a few min. I was going to ask you one other thing. On my desktop are two icons that showed up when all these problems started a couple days ago. One icon says it's a Microsoft Office Configuration file titled "zxcd.cfg" and the other icon is the word TAG in a large red bubble font and it's titled "TagASaurus.exe" Thanks man.
     

    Attached Files:

  14. gottagitdemjs

    gottagitdemjs Private E-2

    I was also wondering if it would be OK to uninstall any of these programs you've been having me download over the past few days...as well as the log files I've been saving. Thanks again.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just right click on those two items on your Desktop and select delete.

    You can also delete the two registry patches (fixme.reg and fixdmv.reg) that are on your Desktop.

    Yes you can also delete FindQool, AproposFix, and win32delfkil. Also Ewido can be uninstalled unless you plan on buying it.

    When you fixed the two below O2 lines in your HJT log last time, are you 100% sure no browsers were opened:

    O2 - BHO: (no name) - {204901EA-3E6B-9BA4-445D-ECAAD940F49C} - (no file)
    O2 - BHO: (no name) - {BA9AAF85-6D52-87D4-1D04-D53E66846E8C} - (no file)

    Try fixing them again with no browsers running. If they do not go away, we will need to use a special procedure to remove them. Let me know.

    Your log is much cleaner now!
     
  16. gottagitdemjs

    gottagitdemjs Private E-2

    I tried deleting these two in both Safe and Normal boot mode with no windows whatsoever running and after I delete them, I run HJT again and they're right back in there.

    O2 - BHO: (no name) - {204901EA-3E6B-9BA4-445D-ECAAD940F49C} - (no file)
    O2 - BHO: (no name) - {BA9AAF85-6D52-87D4-1D04-D53E66846E8C} - (no file)

    So I guess you're going to have to show me how to delete them manually. BTW...I don't know if this site takes donations or anything, but I wouldn't mind donating a few dollars, this has been well worth it. Thanks for all of your time and help man.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download and install Registrar Lite

    Copy and paste the below into the Address box of Registrar Lite and hit the Enter key.

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion

    Then click the Security pull down on the top menu and choose Take Ownership. Click OK in the next window to approve it.

    Now copy and paste the below into the Address box of Registrar Lite and hit the Enter key.

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{204901EA-3E6B-9BA4-445D-ECAAD940F49C}

    Now right click on the above key and select delete.

    Now copy and paste the below into the Address box of Registrar Lite and hit the Enter key.

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA9AAF85-6D52-87D4-1D04-D53E66846E8C}

    Now right click on the above key and select delete.

    Now exit Registrar Lite

    Did this work? Check to see if those two lines are now gone from your HJT log.
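The two O2 lines above are orphaned Browser Helper Object registrations: a CLSID listed under the Browser Helper Objects key whose DLL no longer exists, which HijackThis reports as "(no file)". As an added example that is not part of this thread, the PowerShell below audits that same key the way HJT's O2 scan does, resolving each CLSID through HKCR\CLSID\{...}\InprocServer32 and flagging entries whose DLL is missing, so you can confirm a removal took effect without re-running HJT. It only reports; it deletes nothing. The function name Get-BhoEntry is my own choice.

```powershell
# Added audit script (not from the thread). Lists every registered Browser
# Helper Object, resolves its CLSID to the DLL that would be loaded, and
# flags entries whose DLL is gone (what HijackThis prints as "(no file)").
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-BhoEntry {
    if (-not (Test-Path -LiteralPath $bhoKey)) { return }

    Get-ChildItem -Path $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName                       # e.g. {204901EA-...}
        $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $srvKey = "$clsKey\InprocServer32"

        # Friendly name and DLL path both live under HKCR\CLSID, not under the
        # BHO key itself, which is why HJT shows "(no name)" when they are absent.
        $name = $null
        $dll  = $null
        if (Test-Path -LiteralPath $clsKey) {
            $name = (Get-ItemProperty -LiteralPath $clsKey -ErrorAction SilentlyContinue).'(default)'
        }
        if (Test-Path -LiteralPath $srvKey) {
            $dll = (Get-ItemProperty -LiteralPath $srvKey -ErrorAction SilentlyContinue).'(default)'
        }

        # Paths are often stored as %SystemRoot%\..., so expand before checking disk.
        $onDisk = $false
        if ($dll) {
            $expanded = [Environment]::ExpandEnvironmentVariables($dll)
            $onDisk   = Test-Path -LiteralPath $expanded
        }

        [pscustomobject]@{
            CLSID   = $clsid
            Name    = if ($name) { $name } else { '(no name)' }
            Dll     = if ($dll)  { $dll }  else { '(no file)' }
            OnDisk  = [bool]$onDisk
            Orphan  = -not $onDisk       # registration with nothing to load
        }
    }
}

# Show everything, orphans first; an Orphan entry that survives a delete
# usually means the key's ACL blocked the removal, as Take Ownership fixed above.
Get-BhoEntry | Sort-Object Orphan -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; reading HKLM and HKCR needs no special rights, but deleting a key whose owner is not Administrators does, which is the situation Registrar Lite's Take Ownership step works around.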
     
  18. gottagitdemjs

    gottagitdemjs Private E-2

    They're gone! Here's my log now. My machine has been running GREAT! You are the man!
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
