Issues with various parts of READ & RUN ME FIRST. Malware Removal Guide

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by gbrenham, Jun 12, 2008.

  1. gbrenham

    gbrenham Private E-2

    I have a laptop that is having various issues. It started out when my browser was hijacked and continued on to not being able to get on the internet at all and to not being able to update any programs... virus/spyware or otherwise.

    Many times these programs would run and then error out with Dr. Watson errors when trying to delete any found issues.

    After various iterations of Safe Mode/Regular Mode, I finally got some of the programs to run. The one thing that I must do to get to the Windows GUI is to start explorer via Task Manager after every reboot. Sometimes, I must start explorer more than once before the GUI shows up.

    1. SUPERAntiSpyware - ran ok. Log attached
    2. Spybot S&D - never could install the latest version. Ran an older version and finally got it to update the definitions. Log attached.
    3. Malwarebytes Anti-Malware - Scans ok, but fails when trying to remove found issues.
    4. ComboFix - ran ok, rebooted the machine and hung. I killed the ComboFix window and started the GUI. Then I saw the ComboFix window flash by. There is no c:\combofix.txt , but did find one in C:\cf\combofix.txt that gives a warning about not having the Recovery Console installed. Log attached.
     


  2. gbrenham

    gbrenham Private E-2

    Last log file.
     


  3. abri

    abri MajorGeek

    Hi gbrenham,
    Welcome to the Malware Forum!

    You've got a bunch of problems. Please do the following:


    1) You've got some files and directories that aren't the real ones, but look like the real ones. Normally our scan picks this up and gives us the complete name, so we can remove them with the other files, however, the scan did not pick these up. This means you will have to remove them manually.

    Please go to the following folders one at a time:

    C:\Program Files\??crosoft.NET\??anregw.exe\"" <-- There will be a folder with a name similar to Microsoft.NET but it will NOT be Microsoft.NET. It will begin with 2 other letters where the question marks are. Please note the real name of the file and also open this folder and note the real name of the ??anregw.exe file.

    C:\\Program Files\\s?stem\\??plorer.exe\"" <---- then look for a folder that looks like system but which will NOT be called system, but will be called something like sxstem, where the x is some random letter that is not the letter y. Again, please note the real name of this folder and of the file inside it that will look like explorer.exe, but will have two different letters at the beginning rather than ex


    C:\\WINDOWS\\system32\\s?curity\\w?crtupd.exe"
    <--- do the same for this folder and this file. The folder will NOT be called security and the file will NOT be called wucrtupd.exe.

    Also these two:

    See if there is a folder under C which is not Program Files and which is not a folder you put in yourself. The one containing wowexec won't be Microsoft, because it's missing the letter i. These two, you can most easily find the correct pathway for by doing a search of your C drive for the file names miium.exe and wowexec.exe (Note what the actual pathway of each one is)

    C:\\PROGRA~1\\COMMON~1\\miiu\\miium.exe"
    C:\\PROGRA~1\\MCROSO~1\\wowexec.exe\" -vt ndrv"


    I need the real names of all the above.

    If you can't do the above, tell me before you continue.


    After you do that, please continue as follows:


    2) Go to add/remove programs and uninstall the below:

    - Viewpoint Media Player

    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: (no name) - {AE214AC9-15E7-44CF-93F9-38E2151D3FFD} - \
    O2 - BHO: (no name) - {D017EA41-26FA-0D26-FD4D-7AA2E19D4FC0} - C:\WINDOWS\system32\qlio.dll (file missing)
    O3 - Toolbar: (no name) - {2DEA8791-C2B7-48E1-8992-8E8E6A6FE789} - (no file)
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
    O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF5213.exe /c C:\cf\Combobatch.bat
    O4 - HKCU\..\Run: [Eprc] "C:\PROGRA~1\MCROSO~1\wowexec.exe" -vt ndrv
    O4 - HKCU\..\Run: [Hmeovqw] C:\WINDOWS\system32\s?curity\w?crtupd.exe
    O4 - HKCU\..\Run: [miiu] C:\PROGRA~1\COMMON~1\miiu\miium.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Jlhox] "C:\Program Files\s?stem\??plorer.exe"
    O4 - HKCU\..\Run: [Rjnjzhlk] "C:\Program Files\??crosoft.NET\??anregw.exe"
    O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe

    After you click fix, just close hijackthis.

    4) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt


    5) Now run CCleaner at the default setting with the Windows tab as the top one.

    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Avenger log.


    Let me know the names of the files and any problems you ran into?

    abri
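abri's explanation of the look-alike folder names, together with the O4 lines in the HijackThis list above, can be checked mechanically. The Python below is an added example and not a tool from this thread: it parses O4 lines, flags path components within two edits of a legitimate name, flags components containing a '?' (assumed here to be a character the log could not render), and flags a known file launched from an unexpected directory; the list of legitimate names and the expected-directory table are assumptions made for the example.

```python
import re
# Legitimate names (lower-cased) that the thread's look-alikes imitate (assumed list).
LEGIT_NAMES = {"microsoft.net", "microsoft", "system", "system32", "security",
               "explorer.exe", "wucrtupd.exe", "program files", "windows"}
# Files that belong in exactly one directory (assumed table for this example).
EXPECTED_DIR = {"wowexec.exe": r"c:\windows\system32"}

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(name):
    """Legitimate name that `name` imitates within two edits, else None ('?' = one mismatch)."""
    low = name.lower()
    if low in LEGIT_NAMES:
        return None                     # exact match: genuine; 8.3 names like MCROSO~1 are not resolved
    d, legit = min((edit_distance(low, n), n) for n in LEGIT_NAMES)
    return legit if d <= 2 else None

def extract_path(line):
    """Path of the program launched by a HijackThis O4 line, or None."""
    m = re.match(r"^O4 - .*?\] (.*)$", line)
    if not m:
        return None
    rest = m.group(1).strip()           # quoted path, or bare path followed by arguments
    path = rest[1:].split('"', 1)[0] if rest.startswith('"') else (rest.split() or [""])[0]
    return path if re.match(r"^[A-Za-z]:\\", path) else None

def audit_o4_lines(lines):
    """(path, reason) pairs for autorun entries that deserve a closer look."""
    findings = []
    for line in lines:
        path = extract_path(line)
        if not path:
            continue
        parts = path.split("\\")
        for part in parts[1:]:          # skip the drive letter
            legit = lookalike_of(part)
            if legit:
                findings.append((path, f"'{part}' imitates '{legit}'"))
            elif "?" in part:
                findings.append((path, f"'{part}' has a character the log could not render"))
        base, parent = parts[-1].lower(), "\\".join(parts[:-1]).lower()
        if base in EXPECTED_DIR and parent != EXPECTED_DIR[base]:
            findings.append((path, f"'{base}' belongs in {EXPECTED_DIR[base]}"))
    return findings

SAMPLE_O4 = [  # O4 lines taken from the HijackThis excerpt in this thread
    r'O4 - HKCU\..\Run: [Eprc] "C:\PROGRA~1\MCROSO~1\wowexec.exe" -vt ndrv',
    r"O4 - HKCU\..\Run: [Hmeovqw] C:\WINDOWS\system32\s?curity\w?crtupd.exe",
    r'O4 - HKCU\..\Run: [Jlhox] "C:\Program Files\s?stem\??plorer.exe"',
    r'O4 - HKCU\..\Run: [Rjnjzhlk] "C:\Program Files\??crosoft.NET\??anregw.exe"',
]
```

Running `audit_o4_lines(SAMPLE_O4)` reports all four entries, while the genuine QuickTime and iTunes entries from the same list produce no finding.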
     
  4. gbrenham

    gbrenham Private E-2

    When doing a search, Explorer GPFs and I have to restart it via Task Manager. Using good old DOS, I find the following:

    Microsoft.NET is correctly in two places - C:\Program Files & C:\Windows. There is no *anregw.exe in the file structure

    S?stem does not show up either, nor does *plorer.exe.

    S?curity does not show up either, nor does w?crtupd.exe

    Wowexec.exe shows up correctly under C:\Windows\System32. Miium.exe does not show up at all, but I did find a Miiu subdirectory with Miium.lck file.

    Should I proceed with the rest of your instructions?
     
  5. abri

    abri MajorGeek

    Hi gbrenham,
    This is the problem. I don't want you to do a search for Microsoft.NET, because what I'm looking for isn't Microsoft.NET. If you wanted to do a search, you could probably do it by putting a *crosoft.NET
    It won't have the name Microsoft.NET. So if you did a search for that name, what you found are legitimate files and that's not what I'm looking for. I'm looking for files and folders with similar names, but not the same names as the original and legitimate files and folders. These will be wrong names, like it might be called AFcrosoft.NET or BEcrosoft or zzcrosoft. We don't know what the letters are where the ?? are, so that's what I want you to find out. Do you think you can do that?

    Once you continue with the other instructions, it may be harder to find them, that's why I'd like you to see if you can get the correct names and pathways first. What we're looking for are malware files and folders, not real ones. The malware is trying to trick you into thinking that the word ??crosoft.NET is Microsoft.NET, but it's not. It has a different name, and I need to know that name.

    Does that make sense?
    abri
     
  6. gbrenham

    gbrenham Private E-2

    Yes, I understood the instructions. I just didn't reply to the ??crosoft.net search like I did the others. I did a pretty wide range of searches using both ??crosoft.net and *soft.net.

    My reply below still stands. There are no instances of the directories or files you mention.

    Thanks
     
  7. abri

    abri MajorGeek

    Hi gbrenham,

    Then go ahead with the rest of the instructions.

    abri
     
  8. gbrenham

    gbrenham Private E-2

    Everything else went ok. After reboot still had to start the GUI via task manager. Here are the logs.
     


  9. abri

    abri MajorGeek

    Hi gbrenham,

    Please go to Using Combofix and install it over the old one and see if you can get it to run. Try running it without renaming it this time.

    Also, the service didn't get fixed. This will happen if it's still activated or if you didn't want it deleted. To disable it do the following:

    Go to start> control panel> administrative tools> services> scroll down to "Plug and Play (RPC)" and double click it. On the right side of the "Startup type" box, click the down arrow, click disable> apply> ok. Exit administrative tools.

    Then run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe

    After you click fix, just close hijackthis.

    Attach the log for Combofix if it works this time and let me know how your computer is doing.

    abri
     
  10. gbrenham

    gbrenham Private E-2

    ComboFix worked. After reboot, I had to start GUI again and ComboFix finished.

    This didn't show up in Hijack: O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe

    Fixed: O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
     


  11. abri

    abri MajorGeek

    Hi gbrenham,

    There are some folders in your computer which are in the wrong place. Most of them have the date of June 10th. Do you know anything about that? They are these:

    C:\WINDOWS\Cookies
    C:\WINDOWS\Recent
    C:\WINDOWS\Temporary Internet Files
    C:\Documents and Settings\All Users\Cookies
    C:\Documents and Settings\All Users\Recent

    Recent and Cookies should be under the different user names and Temporary Internet Files should be under Local Settings under each user name. Check if there is a copy where they are supposed to be and then open the above and see if there's anything in them. If not, just delete them. If they have anything in them, rather than delete them, I would like to give you instructions for having Combofix show the contents in a log file.

    Also, you have a directory called WINDOWS in
    C:\Documents and Settings\Administrator\WINDOWS

    Do you know how that got there? Is there anything in it? It's been in that location longer.

    Also, I found these on your computer; they also came in on June 10th:

    C:\PE-Files.txt
    C:\RootKitty.log
    C:\Win-Files.txt

    The above don't look like malware problems. They look like someone working on their computer.

    I would like for you to run Combofix to remove three files. To do this, please do the following:


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):


    Code:
    KILLALL::
    
    FILE::
    C:\WINDOWS\system32\acelpdech.exe
    C:\WINDOWS\system32\pwinpsdq.exe
    C:\Documents and Settings\Casey McCarthy\Application Data\ddjfg.exe
    
    REGISTRY::
    [-HKEY_CURRENT_USER\Software\Kazaa]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run CCleaner at the default setting with the Windows tab as the top one.

    Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log and the information about the various files and folders I asked about.

    Let me know how things are running now?


    abri
     
  12. gbrenham

    gbrenham Private E-2

    Don't know anything about those folders or why they are there. Copies of the subdirectories that you listed are in the correct place under the various user names.

    Contents of C:\WINDOWS\Cookies was empty. I deleted it.

    Clicking on C:\WINDOWS\Recent gave me an error about accessing the folder and it disappeared.

    Contents of C:\WINDOWS\Temporary Internet Files is an empty subfolder labeled Content.IE5

    Contents of C:\Documents and Settings\All Users\Cookies was empty. I deleted it.

    Contents of C:\Documents and Settings\All Users\Recent was empty. I deleted it.

    Contents of C:\Documents and Settings\Administrator\WINDOWS is an empty subfolder labeled System.

    I have not deleted:
    C:\WINDOWS\Temporary Internet Files\Content.IE5
    C:\Documents and Settings\Administrator\WINDOWS\system

    The files you found below are a result of me working on this issue with other malware killers:
    C:\PE-Files.txt
    C:\RootKitty.log
    C:\Win-Files.txt

    Ran ComboFix (with CFscript.txt). After restart, again had to start Explorer via Task Manager, but then ComboFix continued successfully.

    CCleaner was run successfully.

    When running GetLogs.bat it finished successfully, but I got a GPF on ProcessDLL.exe. "Application has generated an exception that could not be handled. Process id=0x1900 (6400), Thread id=0x1f20 (7968)". I clicked ok to terminate the application.
     


  13. abri

    abri MajorGeek

    I know. I wondered if they might be connected with the appearance of the folders in the wrong places.

    Did you have problems with Explorer opening up normally before you ran these removal tools like Rootkitty? Or did you start having to open Explorer via the Task Manager after you started removing malware?

    There's still one file showing up, which I think you can remove with HJT. Please go to the MGTools folder under C:\ and look for analyse.exe. Double-click on it to run it. When it opens, select None of the above, just start the program. In the page that opens up, click on Config and on the next page on Misc. Tools. Then click on Delete an NT Service. Copy and paste in PlugPlayRPC and then click on ok.

    Then just close the program.

    Then, please install the current version of Sun Java from: Sun Java Runtime Environment

    Remove these from Windows Explorer:

    C:\WINDOWS\portsv.exe (this one may not be there)
    C:\WINDOWS\History
    C:\WINDOWS\Temporary Internet Files

    Run CCleaner.

    After you complete the above, please go to Start / Run and copy/paste in sfc /scannow
    and click on okay. You may need your Windows CD for this. If it asks you for the cd, follow the prompts.


    Let me know how everything goes?
    abri
     
  14. gbrenham

    gbrenham Private E-2

    Not sure about the answer on the appearance of the other folders.

    Ran analyse.exe to delete PlugPlayRPC and rebooted.

    Tried to install Sun Java Runtime Environment directly from a browser on that computer (everything else has been downloaded on another computer and transferred over via flash drive), and got a GPF error; it wants to send an error report to Microsoft (details are the app name, app ver., modname, mod version, and offset). Also tried downloading it to the flash drive... same result.

    Successfully deleted:
    C:\WINDOWS\portsv.exe
    C:\WINDOWS\History
    C:\WINDOWS\Temporary Internet Files

    CCleaner was run.

    sfc /scannow was run with no issues.

    I'm not sure about the main GUI issue. This isn't my computer, but a neighbor's. There are 3 users on this computer and I have just been using the main user's account. I'll try the others and see what the result is on getting a GUI after reboot.
     
  15. abri

    abri MajorGeek

    Hi gbrenham,

    Have you been unable to download anything? Both this problem and the GUI sound like software problems, so I would like for you to go through the final cleanup instructions to remove our programs and logs and create a new restore point and then start a new thread in the Software Forum. I would wait with erasing the previous restore points until you know what's wrong, but it would be useful to create a new one and call it something like After Malware, so you can come back to it if you need to.

    Here are the instructions:
    After you complete the above, you can follow the instructions for the final cleanup which will remove the logs and tools we had you put on your computer. You'll also be asked to wipe all your previous restore points and set a clean one. (I recommend you do this)

    If you want to keep HijackThis (analyse.exe), then please skip the step which asks you to remove HijackThis via add/remove programs and see the extra instructions in gray at the bottom of the box.
    abri
     
  16. gbrenham

    gbrenham Private E-2

    Originally, I could not download anything because of the hijacked browser. I can now download programs.

    The downloading isn't the issue, it's the installing. At least for the Sun JRE (both 6.6 and the beta you pointed me to), the program fails on install. Other programs installed ok (i.e. CCleaner, SAS, etc.)

    Also, the GUI issue seems to be isolated to one user's account. Maybe an active desktop issue.

    Other things keep crashing too like McAfee & MMC.

    I'll do the cleanup now and start another thread for the GUI and software crashes.

    Thanks for all your help!
     
  17. abri

    abri MajorGeek

    Okay. Good luck with that and if you feel like it, post a link here to the one you start in Software, so visitors can follow your progress, or simply let us know how things turn out. I'll try to get over to Software and see how you're getting on there.

    abri
     
