Infected Computer - Please Advise

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by RWThrun, Dec 30, 2006.

  1. RWThrun

    RWThrun Private E-2

    I need some additional help. I have followed all instructions on the "READ & RUN ME FIRST" thread.

    My computer has the following symptoms: very slow (high CPU usage), access random websites, downloads and attempts to install trojans/viruses (stopped by Norton), other various malfunctions.

    Below are the scans that I have run with comments.

    - CCleaner - no problems
    - Spybot Search & Destroy (w/Immunize) - no problems
    - CounterSpy - detected problems, but ignored them; log attached (CounterSpy.txt)
    - AVG Anti-Virus - deleted trojan horse; log attached (AVG AV Report.txt)
    - AVG Anti-Spyware - fixed problems; log attached (AVG AS Report.txt)
    - BitDefender - log attached (BitDefender.txt)
    - Panda ActiveScan - detected problems, but did not delete; deleted manually; log attached (Activescan.txt)
    - GetRunKey - log attached (runkeys.txt)
    - ShowNew - log attached (newfiles.txt)
    - SmitFraud Removal Tool - log attached (smitfiles.txt)
    - HijackThis - log attached (hijackthis.log)

    I have also run Norton AntiVirus. The "activity log" continuously says "An instance of "C:\Program Files\Messenger\msmsgs.exe" is preparing to access the Internet". However, I have uninstalled the MS Messenger. Is this process ok?

    Please let me know what to do.

    Thanks,
    Ryan
     

    Attached Files:

  2. RWThrun

    RWThrun Private E-2

    see attached...
     

    Attached Files:

  3. RWThrun

    RWThrun Private E-2

    see attached...
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MajorGeeks!

    Run CounterSpy again and this time Delete all the malware it finds. You can ignore Weatherbug but remember it will serve ad popups to you; however you must fix everything else. Attach a new log from this run showing what you fixed. Run this now and attach the log.

    After re-running CounterSpy and attaching the log, uninstall CounterSpy now since you have Windows Defender installed.

    You need to cleanup all the infected Outlook emails that BitDefender reported and could not fix.

    You totally ignored step 3 of the READ ME. This is a major reason for your PC being slow! Uninstall one of the antivirus programs now. It's your choice but the one that is the biggest resource hog is Symantec.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - (no file)
    O2 - BHO: (no name) - {40D4A862-4E31-F7C8-110A-0B8011E1504E} - C:\WINDOWS\system32\geqvskm.dll (file missing)
    O2 - BHO: (no name) - {BEA59AE7-BA9C-44FB-8E04-56DE5C94A6F6} - C:\WINDOWS\system32\fccyv.dll (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\gbcitmhg.dll",setvm
    O20 - Winlogon Notify: fccyv - C:\WINDOWS\system32\fccyv.dll (file missing)
    O20 - Winlogon Notify: wingbl32 - wingbl32.dll (file missing)

    After clicking Fix, exit HJT.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\Ryan Thrun\Favorites\Antivirus Test Online.url
    C:\WINDOWS\system32\mixaqwet.exe
    C:\WINDOWS\system32\wtssvtr.exe
    C:\WINDOWS\system32\fccyv.dll
    C:\WINDOWS\system32\gbcitmhg.dll
    C:\WINDOWS\system32\lxkfqyvd.dll
    C:\WINDOWS\system32\ncfmvkdt.dll
    C:\WINDOWS\system32\nknqdiom.dll
    C:\WINDOWS\system32\vyccf.tmp
    C:\WINDOWS\system32\ghmticbg.ini
    C:\Program Files\vyccf.ini
    C:\Program Files\vyccf.ini2
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete if found:
    C:\Documents and Settings\Ryan Thrun\Application Data\a?sembly <--- this folder name will probably look like assembly
    C:\Program Files\VSAdd-in
    C:\Program Files\VSToolbar

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Ryan Thrun\Local Settings\Temp

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
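The HijackThis lines quoted in this post can be triaged offline before anything is clicked. The following Python script is an added example, not code from the thread or from the HijackThis project: it parses O2 (BHO), O4 (Run key) and O20 (Winlogon Notify) lines, extracts the file each registration points at, and checks that file against the disk. The check matters because, as the helper notes later in this thread, HijackThis sometimes reports a file as missing when it is present, so an entry should be verified before it is fixed. The sample log lines are copied from this post; the simulated disk contents and the system32 path it resolves bare DLL names against are constructed assumptions.

```python
import os
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumption (constructed): directory Windows uses to resolve bare DLL names
# that HijackThis prints without a folder, e.g. "wingbl32.dll".
SYSTEM32 = r"C:\WINDOWS\system32"
MISSING_SUFFIX = " (file missing)"

# Line shapes for the three sections used in this thread. Other sections
# (e.g. R0) are skipped by the parser.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$")
O4_RE = re.compile(r"^O4 - (?P<key>.*?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.+)$")
# A quoted path, or a bare token ending in .exe/.dll, inside an O4 command line.
PATH_RE = re.compile(r'"([^"]+)"|(\S+\.(?:exe|dll))', re.IGNORECASE)

# Constructed sample: the HijackThis lines quoted in the post above.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - (no file)
O2 - BHO: (no name) - {40D4A862-4E31-F7C8-110A-0B8011E1504E} - C:\WINDOWS\system32\geqvskm.dll (file missing)
O2 - BHO: (no name) - {BEA59AE7-BA9C-44FB-8E04-56DE5C94A6F6} - C:\WINDOWS\system32\fccyv.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\gbcitmhg.dll",setvm
O20 - Winlogon Notify: fccyv - C:\WINDOWS\system32\fccyv.dll (file missing)
O20 - Winlogon Notify: wingbl32 - wingbl32.dll (file missing)
"""

# Constructed: what a simulated disk contains. fccyv.dll is present on purpose,
# to show the case where HijackThis says "(file missing)" but the file exists.
SIMULATED_DISK = {
    r"C:\Program Files\QuickTime\qttask.exe",
    r"C:\WINDOWS\system32\gbcitmhg.dll",
    r"C:\WINDOWS\system32\fccyv.dll",
}


@dataclass
class HjtEntry:
    section: str               # O2, O4 or O20
    name: str                  # BHO name, Run value name or Notify subkey
    target: Optional[str]      # file the registration points at, if any
    hjt_says_missing: bool     # HijackThis printed "(file missing)" or "(no file)"
    via_rundll32: bool = False # O4 entry that loads a DLL through rundll32.exe
    raw: str = ""              # original log line, used as the triage key


def _absolute(path: str) -> str:
    """Bare file names (no drive letter) are resolved against SYSTEM32."""
    return path if re.match(r"^[A-Za-z]:\\", path) else SYSTEM32 + "\\" + path


def _split_target(text: str):
    """Separate the path from HijackThis's own missing-file annotation."""
    text = text.strip()
    if text == "(no file)":
        return None, True
    if text.endswith(MISSING_SUFFIX):
        return _absolute(text[:-len(MISSING_SUFFIX)].strip()), True
    return _absolute(text), False


def _paths_in_command(cmd: str) -> List[str]:
    return [quoted or bare for quoted, bare in PATH_RE.findall(cmd)]


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        target, missing = _split_target(m["target"])
        return HjtEntry("O2", m["name"], target, missing, raw=line)
    m = O20_RE.match(line)
    if m:
        target, missing = _split_target(m["target"])
        return HjtEntry("O20", m["name"], target, missing, raw=line)
    m = O4_RE.match(line)
    if m:
        paths = _paths_in_command(m["cmd"])
        loader = bool(paths) and paths[0].rsplit("\\", 1)[-1].lower() == "rundll32.exe"
        if loader:
            target = paths[1] if len(paths) > 1 else None   # the DLL rundll32 loads
        else:
            target = paths[0] if paths else None
        return HjtEntry("O4", m["name"], _absolute(target) if target else None, False, loader, line)
    return None


def parse_hjt_log(text: str) -> List[HjtEntry]:
    return [e for e in (parse_hjt_line(l) for l in text.splitlines()) if e]


def triage(entries: List[HjtEntry], exists: Callable[[str], bool] = os.path.exists) -> Dict[str, str]:
    """Combine HijackThis's claim with an on-disk check; keyed by the raw log line."""
    verdicts: Dict[str, str] = {}
    for e in entries:
        if e.target is None:
            v = "no-file-reference"
        else:
            on_disk = exists(e.target)
            if e.hjt_says_missing:
                v = "hjt-missing-but-present" if on_disk else "orphaned-registration"
            else:
                v = "present" if on_disk else "absent"
                if e.via_rundll32:
                    v = "rundll32-loaded-" + v
        verdicts[e.raw] = v
    return verdicts


def triage_sample() -> Dict[str, str]:
    """Run the triage over the sample log against the constructed disk contents."""
    return triage(parse_hjt_log(SAMPLE_HJT_LOG), exists=lambda p: p in SIMULATED_DISK)


if __name__ == "__main__":
    for line, verdict in triage_sample().items():
        print(f"{verdict:26} {line}")
```

On a real machine, call `triage(parse_hjt_log(open("hijackthis.log").read()))` so the default `os.path.exists` does the disk check; the `rundll32-loaded-*` verdicts mark Run entries that start a DLL through rundll32.exe, the pattern of the DllRunning line above, and `hjt-missing-but-present` marks exactly the entries that should be looked at before trusting the "(file missing)" annotation.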
     
  5. RWThrun

    RWThrun Private E-2

    CounterSpy log attached. See below post for problems...
     

    Attached Files:

  6. RWThrun

    RWThrun Private E-2

    Thanks for your help! Here is what I did...

    I ran CounterSpy again. It does not give me an option to fix the problems. As it is scanning it reports problems, but in the summary screen, it shows no problems. The attached log shows the problems. I manually deleted the files, but wasn't sure what to do with the registry entries. I did not install Weatherbug (knowingly), and do not see it anywhere on my system. Please let me know how to fix these problems.

    I uninstalled CounterSpy and attached the log in above post (CounterSpy2.txt). Windows Defender is running.

    Outlook e-mails have been cleaned.

    My intention was to only have one anti-virus (Symantec). The read-me had me install all of the additional ones. Symantec was disabled during all other scans. However, after learning about it being a resource hog, I uninstalled all Symantec software (Anti-virus, Anti-Spy, Ghost, GoBack, SystemWorks, Firewall, etc.) My computer is running somewhat faster. AVG will be un-installed once the trial is over. Can you recommend a good anti-virus?

    Java software was uninstalled, system rebooted, and current software installed.

    Fixed registry entries using HJT. Should I remove all entries that say "file missing" or "no file"?

    Downloaded and used Pocket KillBox successfully; nothing abnormal.

    Deleted files and folders you listed.

    Attached GetRunKey, StartNew, and HJT.

    It seems when my computer is connected to the internet for a length of time it is constantly churning (CPU usage above 80%). The task manager shows different programs at different times using it. Usually svchost, winlogon, or explorer. I am a little nervous uninstalling Norton, as it was constantly detecting the trojans and deleting them; but obviously it did not catch whatever was spawning them.

    Please let me know how I am looking and what to do with above issues/questions. Thanks!
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I only wanted you to uninstall after it fixed everything. The below link shows steps used to get logs. See message 5 thru 8

    http://forums.majorgeeks.com/showthread.php?t=111581


    The READ ME does not have you install any antivirus programs.

    AVG will work indefinitely and is one of the free tools we recommend.

    NO! HijackThis has bugs and it reports things to be missing when they are not. Only fix what we ask you to fix.


    If Norton is so good, why did you get infected to begin with? ;)


    You are using OLD versions of GetRunKey and ShowNew. Please update to the current versions from the links in the READ ME.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A few things did not get fixed. Let's try this again! Make sure that ALL unnecessary applications are closed before continuing.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\vyccf.ini
    C:\WINDOWS\system32\vyccf.ini2
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.
    After reboot run CCleaner
    Also delete all files and subfolders (if any still exist) in the below folder except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Documents and Settings\Ryan Thrun\Local Settings\Temp\

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  9. RWThrun

    RWThrun Private E-2

    I have re-installed CounterSpy and re-scanned my computer. Again, it does not let me fix any of the problems it finds. See the below images for proof. I have attached the log which details the problems detected. I downloaded CounterSpy directly from the Read Me post, and have not changed any options (nor could I find any). Maybe the malware is causing this problem?

    [Image: Before Clicking Scan Now]

    [Image: After Scan Completes]

    [Image: After Clicking View Results - (shows problems were detected)]

    How do I fix this??? :confused:
     

    Attached Files:

    Last edited: Jan 12, 2007
  10. RWThrun

    RWThrun Private E-2

    All went well, except for CounterSpy as mentioned before. Attached are the logs.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Strange!!! The middle image indicates nothing was found yet the log agrees with the last image that says 3 items were found.

    Uninstall CounterSpy now! We will remove anything necessary manually. Also delete the below two folders that CounterSpy's uninstall leaves behind:
    C:\Documents and Settings\Ryan Thrun\Local Settings\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    You are starting to clutter up your Desktop with too much junk! Delete the below which are all on your Desktop!
    Code:
    "C:\Documents and Settings\Ryan Thrun\Desktop\"
    active~1.txt  Dec 24 2006       15092  "Activescan.txt"
    avgasr~1.txt  Dec 30 2006        1040  "AVG AS Report.txt"
    avgavr~1.txt  Dec 30 2006         112  "AVG AV Report.txt"
    bitdef~1.htm  Dec 24 2006       34102  "BitDefender.html"
    bitdef~1.txt  Dec 24 2006       34102  "BitDefender.txt"
    counte~1.rtf  Dec 22 2006        8393  "CounterSpy.rtf"
    counte~1.txt  Dec 30 2006        3493  "CounterSpy.txt"
    counte~2.txt  Jan  2 2007        3891  "CounterSpy2.txt"
    counte~3.txt  Jan 12 2007        2284  "CounterSpy3.txt"
    fixme.reg     Jan 12 2007        1366  "fixme.reg"
    hijack~1.log  Dec 30 2006       11743  "hijackthis.log"
    hijack~2.log  Jan  6 2007        6596  "hijackthis2.log"
    newfiles.txt  Dec 29 2006       31385  "newfiles.txt"
    newfil~1.txt  Jan  6 2007       32408  "newfiles2.txt"
    runkeys.txt   Dec 29 2006       18077  "runkeys.txt"
    runkeys2.txt  Jan  6 2007       18646  "runkeys2.txt"
    runkeys3.txt  Jan 13 2007       17540  "runkeys3.txt"
    smitfi~1.txt  Dec 30 2006        4975  "smitfiles.txt"
    smitfr~1.rtf  Dec 29 2006       10885  "Smitfraud Removal Inst.rtf"
    SMITREM       Dec 30 2006              "smitRem"

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Attach a new log from ShowNew!

    Are you having any other malware problems now?
     
  12. RWThrun

    RWThrun Private E-2

    Alright...things seem much better now! Thank you so much for your expert help!
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your log is clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
