Malware help request - (all 6 logs)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Ryfe, Jan 14, 2007.

  1. Ryfe

    Ryfe Private E-2

    I'm currently working on my brother's computer, so I'm not "sure" how it got infected :D. I followed the steps required before posting, and have all 6 logs.

    I should also point out that Symantec removes "Trojan: Vundo" on every login. Oh, and prior to finding your site, I ran HijackThis without renaming hijackthis.exe. I have since changed it, and the correct log is attached here. I'm not sure if this affects the outcome of the log or not; I just thought it best to tell you.

    Thanks for the help,
    Jacob
     

    Attached Files:

  2. Ryfe

    Ryfe Private E-2

    Last 3 logs...

    Thanks again!
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You have a load of bad stuff on this PC. Let's get started.

    You have a Network_Monitor infection which is going to take a bunch of work editing the registry! We will do this later after getting a bunch of other problems fixed.

    Please run this WareOut Removal and attach the requested log!
    1. Now download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    Now Uninstall the below:
    J2SE Runtime Environment 5.0 Update 4
    Java 2 Runtime Environment, SE v1.4.2_03
    My Way Search Assistant <-- should have been removed in step 0 of the READ ME

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run this ViewpointKiller to remove Viewpoint Media software.

    Now run this Disable/Remove Windows Messenger to remove Windows Messenger.

    Now redo step 2 of the READ & RUN ME. You did not do it properly. You still have system files and file extensions being hidden.

    Now move on to my next message!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After completing what I gave in message # 3 (including attaching the requested logs from FixWareout and ComboFix), continue on to the below.

    Start by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)
    Also make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen, click on each instance of ewbcac.dll once and then click the Kill button. After you have killed all of the ewbcac.dll instances under winlogon, click OK. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of ewbcac.dll and kill it. (If you do not find the dll, just continue on.)
    Next double click on iexplore.exe and again click once on each instance of ewbcac.dll and kill it. (If you do not find the dll, just continue on.)


    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - _{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
    R3 - URLSearchHook: (no name) - _{A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
    F2 - REG:system.ini: UserInit=userinit.exe,ogtlppr.exe
    O2 - BHO: (no name) - {25F75BFC-4DF2-429A-8A2D-5DC5539B65Cd} - C:\WINDOWS\system32\xlksossd.dll
    O2 - BHO: (no name) - {2AC54B86-4BA4-4F1D-8073-A92F6284EC58} - C:\WINDOWS\system32\xlksossd.dll
    O2 - BHO: (no name) - {2FCF8094-361B-4658-BAD7-0DF96F4295AC} - C:\WINDOWS\Fonts\ewbcac.dll
    O2 - BHO: (no name) - {3834A217-FE26-47AB-886F-9DB27C399E5F} - (no file)
    O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\dgwbqirc.dll
    O2 - BHO: (no name) - {AAFB7078-3EEA-45B8-8537-B7D4C3DFC0Fd} - C:\WINDOWS\system32\xlksossd.dll
    O2 - BHO: (no name) - {F1F786D9-74CC-4F70-BD7B-CF010B8AB16b} - C:\WINDOWS\system32\xlksossd.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PrcIdle] xsetup.exe
    O4 - HKLM\..\Run: [lhtfywbA] C:\WINDOWS\lhtfywbA.exe
    O4 - HKLM\..\Run: [msaufi] C:\WINDOWS\system32\ncvdfk.exe reg_run
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\tyajqsyj.dll",setvm
    O4 - HKCU\..\Run: [dePloy] TemplateDongle.exe
    O4 - HKCU\..\Run: [driver32] NSYSCPLSTR.exe
    O4 - HKCU\..\Run: [jphvg] C:\WINDOWS\system32\ncvdfk.exe reg_run
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9EDC267C-E044-4B74-A0CD-EC278B56621F}: NameServer = 85.255.114.68,85.255.112.150
    O18 - Filter: text/html - (no CLSID) - (no file)
    O20 - Winlogon Notify: ewbcac - C:\WINDOWS\Fonts\ewbcac.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\lwckw.dll
    C:\WINDOWS\Fonts\ewbcac.dll
    c:\windows\system32\idesk.conf
    c:\windows\system32\WinNB58.dll
    C:\Program Files\VSAdd-in\VSAdd-in.dll
    C:\WINDOWS\SYSTEM32\acvkcgnf.exe
    C:\WINDOWS\SYSTEM32\aejcbaud.exe
    C:\WINDOWS\SYSTEM32\areujrvs.exe
    C:\WINDOWS\SYSTEM32\bcpqkkyu.exe
    C:\WINDOWS\SYSTEM32\bqvioejb.exe
    C:\WINDOWS\SYSTEM32\brvuxvhm.exe
    C:\WINDOWS\system32\dgwbqirc.dll
    C:\WINDOWS\SYSTEM32\ffmcmvaj.dll
    C:\WINDOWS\system32\ogtlppr.exe
    C:\WINDOWS\SYSTEM32\jysqjayt.ini
    C:\WINDOWS\system32\xlksossd.dll
    C:\WINDOWS\system32\TemplateDongle.exe
    C:\WINDOWS\system32\NSYSCPLSTR.exe
    C:\WINDOWS\system32\ncvdfk.exe
    C:\WINDOWS\system32\xsetup.exe
    C:\WINDOWS\lhtfywbA.exe
    C:\WINDOWS\system32\ncvdfk.exe
    C:\WINDOWS\system32\tyajqsyj.dll
    C:\WINDOWS\SYSTEM32\yuhdnbvs.dll
    C:\WINDOWS\SYSTEM32\xlbqkikp.exe
    C:\WINDOWS\SYSTEM32\wxshixtr.exe
    C:\WINDOWS\SYSTEM32\wssmfnak.exe
    C:\WINDOWS\SYSTEM32\wsbxwfsk.exe
    C:\WINDOWS\SYSTEM32\wqyoacqt.exe
    C:\WINDOWS\SYSTEM32\vgfyxjag.dll
    C:\WINDOWS\SYSTEM32\vciapypr.exe
    C:\WINDOWS\SYSTEM32\uiglyhid.exe
    C:\WINDOWS\SYSTEM32\tnjsltxm.exe
    C:\WINDOWS\SYSTEM32\tmggbnxw.exe
    C:\WINDOWS\SYSTEM32\stwcfbhf.dll
    C:\WINDOWS\SYSTEM32\shqdmvyh.exe
    C:\WINDOWS\SYSTEM32\ryhhxjco.exe
    C:\WINDOWS\SYSTEM32\rqjmyvof.dll
    C:\WINDOWS\SYSTEM32\rpdjiset.exe
    C:\WINDOWS\SYSTEM32\rodjqsfr.exe
    C:\WINDOWS\SYSTEM32\rcopambv.exe
    C:\WINDOWS\SYSTEM32\pnorkdmu.exe
    C:\WINDOWS\SYSTEM32\pdaobpjo.dll
    C:\WINDOWS\SYSTEM32\ouvalxqq.exe
    C:\WINDOWS\SYSTEM32\okgkrjqo.dll
    C:\WINDOWS\SYSTEM32\oiwygduy.exe
    C:\WINDOWS\SYSTEM32\nwuaipek.dll
    C:\WINDOWS\SYSTEM32\nrltyqiq.exe
    C:\WINDOWS\SYSTEM32\nbhjffau.dll
    C:\WINDOWS\SYSTEM32\mxtwgxsi.dll
    C:\WINDOWS\SYSTEM32\mxqlbqfu.exe
    C:\WINDOWS\SYSTEM32\mcthheba.exe
    C:\WINDOWS\SYSTEM32\lxpxunmc.exe
    C:\WINDOWS\SYSTEM32\kxtiynmr.exe
    C:\WINDOWS\SYSTEM32\kcbgamne.exe
    C:\WINDOWS\SYSTEM32\jsewhdcv.exe
    C:\WINDOWS\SYSTEM32\jgyfafsp.dll
    C:\WINDOWS\SYSTEM32\jascweju.exe
    C:\WINDOWS\SYSTEM32\imjfahot.exe
    C:\WINDOWS\SYSTEM32\iiujopll.exe
    C:\WINDOWS\SYSTEM32\ibohqdhu.exe
    C:\WINDOWS\SYSTEM32\hxkpfavs.dll
    C:\WINDOWS\SYSTEM32\hxctrqpx.exe
    C:\WINDOWS\SYSTEM32\hkcxbdgg.dll
    C:\WINDOWS\SYSTEM32\gueyegut.exe
    C:\WINDOWS\SYSTEM32\gottvcgw.dll
    C:\WINDOWS\SYSTEM32\frleenvn.dll
    C:\WINDOWS\SYSTEM32\fpksurvs.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot, locate the below folders and delete if found:
    C:\Program Files\VSAdd-in
    c:\documents and settings\all users\favorites\Sex and Dating

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
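As an added example (not a MajorGeeks tool and not code from this thread): a small Python triage script that applies the checks a helper makes by eye to HijackThis lines like the ones listed above. It parses the F2, O2, O4, O17 and O20 entries, flags the ones that would be selected for fixing (orphaned BHOs, unnamed BHOs, code in the Fonts folder, bare file names in Run keys, rundll32 loaders, extra programs chained onto UserInit, public DNS resolvers, Winlogon Notify DLLs outside system32) and derives the de-duplicated file list to paste into a delete-on-reboot tool. The sample log is constructed from lines quoted in this message plus one made-up benign BHO ("Example Helper") to show what is not flagged; the assumption that a bare name resolves from C:\WINDOWS\system32 mirrors what the Killbox list above does. The heuristics are deliberately coarse, so every hit is a candidate for review, not a verdict.

```python
"""Triage of HijackThis log lines: flag entries worth fixing and derive the
file list for a delete-on-reboot tool. Added example for this thread; the
heuristics are the ones a helper applies by eye and are coarse by design."""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

WINDIR = "C:\\WINDOWS\\"
SYSTEM32 = WINDIR + "system32"   # assumed resolution dir for bare names
FONTS = WINDIR + "Fonts\\"       # a folder that never legitimately holds code

# Constructed sample: lines quoted in message #4 of this thread plus one
# made-up benign BHO ("Example Helper") that should NOT be flagged.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
F2 - REG:system.ini: UserInit=userinit.exe,ogtlppr.exe
O2 - BHO: (no name) - {2FCF8094-361B-4658-BAD7-0DF96F4295AC} - C:\WINDOWS\Fonts\ewbcac.dll
O2 - BHO: (no name) - {3834A217-FE26-47AB-886F-9DB27C399E5F} - (no file)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\dgwbqirc.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrcIdle] xsetup.exe
O4 - HKLM\..\Run: [lhtfywbA] C:\WINDOWS\lhtfywbA.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\tyajqsyj.dll",setvm
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EDC267C-E044-4B74-A0CD-EC278B56621F}: NameServer = 85.255.114.68,85.255.112.150
O20 - Winlogon Notify: ewbcac - C:\WINDOWS\Fonts\ewbcac.dll
"""


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    path: Optional[str]   # file to remove; None for registry-only fixes
    line: str


def _clean(p: str) -> str:
    return p.strip().strip('"').strip()


def _under(path: str, folder: str) -> bool:
    return path.lower().startswith(folder.lower())


def _in_dir(path: str, folder: str) -> bool:
    """True if path sits directly inside folder (no deeper subfolder)."""
    p = path.lower()
    return p.startswith(folder.lower()) and "\\" not in p[len(folder):]


def command_target(cmd: str) -> str:
    """The file an O4 Run command actually loads: the DLL for rundll32,
    otherwise the executable (quoted path or first token)."""
    cmd = cmd.strip()
    m = re.match(r'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,', cmd, re.I)
    if m:
        return _clean(m.group(1))
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    return cmd.split()[0]


def resolve(name: str) -> str:
    """Bare names in Run/UserInit are located by Windows at load time;
    assume system32 (assumption, same as the thread's Killbox list)."""
    return name if "\\" in name else SYSTEM32 + "\\" + name


def triage(log_text: str, trusted_dns=()) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        code, _, rest = line.partition(" - ")

        def add(reason: str, path: Optional[str] = None) -> None:
            findings.append(Finding(code, reason, path, line))

        if code == "F2":
            m = re.match(r"REG:system\.ini:\s*UserInit=(.*)$", rest, re.I)
            if m:
                for entry in m.group(1).split(","):
                    entry = _clean(entry)
                    if entry and entry.lower().split("\\")[-1] != "userinit.exe":
                        add("extra program chained onto UserInit (runs before the shell at every logon)",
                            resolve(entry))
        elif code == "O2":
            m = re.match(r"BHO:\s*(.*?)\s*-\s*\{[0-9A-Fa-f-]+\}\s*-\s*(.+)$", rest)
            if m:
                name, path = m.group(1), _clean(m.group(2))
                if path.lower() == "(no file)":
                    add("BHO CLSID registered but DLL is gone (orphan; fix in HJT only)")
                elif name == "(no name)":
                    add("unnamed BHO; legitimate helpers carry a display name", path)
                elif _under(path, FONTS):
                    add("BHO loaded from the Fonts folder, which never holds code", path)
        elif code == "O4":
            m = re.match(r"(HK\w+)\\\.\.\\Run\w*:\s*\[[^\]]*\]\s*(.*)$", rest)
            if m:
                cmd = m.group(2)
                target = command_target(cmd)
                if "\\" not in target:
                    add("bare file name in Run key; Windows searches for it, hiding its location",
                        resolve(target))
                elif "rundll32" in cmd.lower():
                    add("rundll32 used as a loader for a DLL; verify the DLL is known", target)
                elif _in_dir(target, WINDIR) or _under(target, FONTS):
                    add("executable dropped directly in the Windows folder", target)
        elif code == "O17":
            m = re.search(r"NameServer\s*=\s*([\d.,\s]+)$", rest)
            if m:
                for ip in (x.strip() for x in m.group(1).split(",")):
                    if ip and ip not in trusted_dns and ip_address(ip).is_global:
                        add(f"DNS resolver {ip} is a public address not on the trusted list (possible DNS hijack)")
        elif code == "O20":
            m = re.match(r"Winlogon Notify:\s*\S+\s*-\s*(.+)$", rest)
            if m:
                dll = _clean(m.group(1))
                if "(file missing)" in dll.lower():
                    add("Winlogon Notify entry whose DLL is missing (orphan; fix in HJT only)")
                elif not _under(dll, SYSTEM32 + "\\"):
                    add("Winlogon Notify DLL outside system32; it is mapped into winlogon.exe, "
                        "which is why its threads must be killed before the file can go", dll)
    return findings


def killbox_list(findings: List[Finding]) -> List[str]:
    """Unique file paths (case-insensitive) to paste into a delete-on-reboot tool."""
    seen = {}
    for f in findings:
        if f.path:
            seen.setdefault(f.path.lower(), f.path)
    return sorted(seen.values(), key=str.lower)


if __name__ == "__main__":
    found = triage(SAMPLE_HJT)
    for f in found:
        print(f"{f.section}: {f.reason}\n    {f.line}")
    print("\nDelete on reboot:")
    print("\n".join(killbox_list(found)))
```

On the sample the script reports ten findings and a six-file delete list; the QuickTime entry and the constructed "Example Helper" BHO pass untouched, and passing your ISP's resolvers in `trusted_dns` silences the O17 hits. Note that it does not try to judge random-looking file names; that call still belongs to the person reading the log.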
     
  5. Ryfe

    Ryfe Private E-2

    ComboFix & FixWareout logs...
     

    Attached Files:

  6. Ryfe

    Ryfe Private E-2

    All in all things went very smoothly... I failed to find a few of the files in HJT; they simply weren't there. The computer is running much more smoothly overall. As far as I can tell it's fine. I'm going to restart a few times after posting and stay online for a bit to see if I encounter any problems.

    Thanks for the help; your site is amazing and your response was VERY fast. I would have been stuck without you.

    I've attached the final 3 logs you asked for. Please let me know if I need to do anything further.

    Thanks Tons,
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Okay we made a lot of progress, but we still have more malware to remove.

    First uninstall the CounterSpy trial program since we are finished with it. Do this now before continuing as I want to make sure it does not get in the way of additional cleaning steps.

    Also look in Add/Remove programs for My Way Search Assistant and uninstall if found. If not found or it refuses to uninstall, please tell me.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Now run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {619DDFBA-C0C0-4F39-9ADD-C2D18CF80468} - C:\WINDOWS\Fonts\ewbcac.dll (file missing)
    O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\bvscktxc.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    • Select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\WINDOWS\SYSTEM32\bvscktxc.dll
    C:\WINDOWS\SYSTEM32\ffvnxxer.dll
    C:\WINDOWS\SYSTEM32\iqjadvic.dll
    C:\WINDOWS\SYSTEM32\vtsumpsn.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do receive this message, please let me know!)

    If Killbox does not reboot just reboot your PC yourself.

    After reboot, locate the below folders and delete if found:
    C:\Documents and Settings\Jacob\Local Settings\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now! We may still have some work to do to remove the rest of the infection from Network Monitor!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or
     
  8. Ryfe

    Ryfe Private E-2

    My Way Search Assistant is not in my programs list... I think I may have deleted it a week or so ago. Other than that everything went smoothly and was right where you said it would be.

    I really can't thank you enough. Anything else? :major
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!
    It still shows in your newfiles.txt log as being in the registry. The below should fix it!

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Also some items we fixed back in message number 4 came back! Was this HJT current? The below came back:
    You need to fix them again!

    Now let's try to get the Network Monitor infection removed completely.

    Please download and install Registrar Lite. Make sure you select a Majorgeeks download link and not the Author's!

    Run Registrar Lite, navigate to each of the following keys (one at a time) and take ownership of them (I explained how to do that further down).

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000

    To take ownership of the key do the following:
    • Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    • Click-on Security in the top Menu
    • Select Take Ownership
    • Repeat these steps for all of the registry keys given above before continuing to the next steps below.
    • Now leave RegistrarLite running and continue
    • Now run the fixME.reg REGISTRY PATCH below in this message.
    • Tell me the results. Any error messages?
    • Now in RegistrarLite click View and then Refresh
    • Now navigate one at a time to each of the above keys we took ownership of to make sure they were deleted.
    • If any of the keys still exist, move on down to PART 2 - Setting Permissions for Everyone below!.
    Here is the Registry Patch

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    PART 2 - Setting Permissions for Everyone
    Run the below if some of the registry keys still exist after running the above steps.

    Now I want you to use Registrar Lite again to navigate to each of the below keys (one at a time) by pasting them into the Address Bar and hitting return. But this time click the Security menu item and select Edit Permissions so we can change permissions to Everyone (I describe this down below the list of registry keys).
    After clicking Edit Permissions, here is what I expect you to see in the Group or user names area of the form:

    Everyone
    SYSTEM

    Select Everyone by clicking on it. Now at the bottom in the Permissions box click the check box for Full Control. Then click Apply and then OK to get back to the main Registrar Lite screen. Now right-click on the registry key and select Delete. Then click View and Refresh. Check to see if the registry key just deleted truly deleted. If so, move on to the next key to work through the whole list. If it does not delete, I want you to boot into safe mode and repeat these exact same steps to see if we can do it from safe mode.

    Then reboot your PC!

    Now run GetRunKey again and attach a new log!
     
