Nasty Malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by washdc-fb, Apr 12, 2007.

  1. washdc-fb

    washdc-fb Private E-2

    Hello:

I have been dealing with some nasty spyware that I have not been able to remove. I have tried everything I know how to do and can't fix it. I would be extremely appreciative if someone could provide some assistance. Thank you so much!

    I initially found it via the Symantec Realtime scan which reported:

    Scan Type: Auto.Protect scan
    Event: Threat found
    Threat: Trojan.Adclicker
    File: C:\Program Files \ Common Files \ {F083D1D7-0764-1033-0706-050506300001} \ Update.exe
    Location: C:\Program Files \ Common Files \ {F083D1D7-0764-1033-0706-050506300001} \ Update.exe
    User: System
    Action Taken: Clear Failed: Quarantine Failed: Delete succeeded: Access denied

Following this, I tried running the Symantec and Trend Micro full system scans in regular as well as safe mode, and it did not work. I then ran Spy Sweeper, which got rid of a bunch of stuff but not this problem. Spy Sweeper came up with this:
    Spy Sweeper has blocked access to a potentially threatening web site. The Internet Communication Shield had blocked access to:
    82.98.235.61 –
    The same message came hours later with the following website:
WHITESCAST.com. I also had a Windows error message: NSIS ERROR
Error launching installer

Next, after reading all I could about this, I updated my Java runtime to the latest, rebooted and performed all the above again; no luck, it just seems to be getting worse, with a bunch of pop-up ads now.

I rebooted and then installed VundoFix, which I ran several times.

After it scanned for Vundo, it reported that it had detected the following files for removal:
    C:\WINDOWS\System32\ghhkj.bak1
    C:\WINDOWS\System32\ghhkj.bak2
    C:\WINDOWS\System32\ghhkj.ini
    C:\WINDOWS\System32\ghhkj.ini2
    C:\WINDOWS\System32\ghhkj.tmp
    C:\WINDOWS\System32\ghhkj.dll
    C:\WINDOWS\System32\jkhhg.dll
It was able to delete all of them except the last one, which gave the following message:
    C:\WINDOWS\System32\jkhhg.dll could not be deleted, VundoFix will load on reboot to attempt removal. Please click Remove Vundo once your machine has rebooted. Action available: OK
I did reboot several times and ran Vundo, but this file could not be removed.
The two files that Vundo could not remove are:
C:\WINDOWS\System32\ghhkj.ini
C:\WINDOWS\System32\jkhhg.dll

So finally I have run HijackThis and am pasting the log below in hopes of receiving some assistance from someone better at this than I. Again, thank you!

    Edit by chaslang: Inline HJT log removed. READ & RUN ME sticky not followed.
     
    Last edited by a moderator: Apr 12, 2007
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, renaming, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
• If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy - only for Windows XP, 2K, & NT users
      • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. washdc-fb

    washdc-fb Private E-2

Thanks for your quick response! I actually had read somewhere that someone had the same malware (due to the IP address it was trying to go to), and they were able to remove it using Spyware Doctor. I purchased and ran Spyware Doctor and it seems like it worked! Thank you again for responding to my post.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I seriously doubt that Spyware Doctor removed all of your malware. Based on what you posted there could be remaining issues. Spyware Doctor may have only removed some of it which was enough for your outward symptoms to change. Consider completing the procedure I gave to you so we can be sure. At a minimum, at least follow the steps for getting a GetRunKey, ShowNew, and HJT log. From that I can at least make a better guess whether you still have problems.
     
    Last edited: Apr 16, 2007
  5. washdc-fb

    washdc-fb Private E-2

You are absolutely correct. I will do that and post very soon. Thank you again for the wise advice!
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just attach all the logs in this thread when you finish the whole procedure.
     
  7. washdc-fb

    washdc-fb Private E-2

Hello. Thanks for your help and patience. It took me a looooooong time to get everything because the computer is really bad right now: it runs very, very slow and browser windows keep coming up and freezing the computer. I finally got everything now, I believe (attached): CounterSpy, HJT, and BDScan.

    Thanks so much for your advice.
     

    Attached Files:

  8. washdc-fb

    washdc-fb Private E-2

    More logs... (active, new files, run keys)
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to manually delete the below Dialer found in your email Archive!
    Dialer:Dialer.Gen Archive Folders\Inbox\MKH\Morning sport\britney_free_pics.zip[britneytitpics.exe]

    Please remember to shutdown Outlook before doing any cleaning procedures (including before running HijackThis).

    Uninstall the below old versions of software:
    IBM 32-bit Runtime Environment for Java 2, v1.4.2
    Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

    Now uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Continue by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.


    Make sure you have rebooted in Normal Mode (do not open any other processes)
    Also make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of jkhhg.dll once and then click the kill button. After you have killed all of the jkhhg.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs
    (If you do not find the dll, just continue on):
    byxuron.dll
    efccaaa.dll
    nnlmnnm.dll

    Next double click on explorer.exe and again click once on each instance of jkhhg.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs
    (If you do not find the dll, just continue on):
    byxuron.dll
    efccaaa.dll
    nnlmnnm.dll
    Next double click on iexplore.exe and again click once on each instance of jkhhg.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs
    (If you do not find the dll, just continue on):
    byxuron.dll
    efccaaa.dll
    nnlmnnm.dll

    Now just exit Process Explorer.

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\Program Files\Ipwindows\ipwins.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\fyaqlxfm.dll
    O2 - BHO: (no name) - {36713579-ED09-494D-9BA9-5021C835A42E} - C:\WINDOWS\system32\jkhhg.dll
    O2 - BHO: (no name) - {970D022E-A884-4D2A-BB4A-EBC22D2FEBD2} - C:\WINDOWS\system32\nnlmnnm.dll
    O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3083D~1\Bar888.dll
    O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3083D~1\Bar888.dll
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\njwjuexu.dll",setvm
    O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
    O16 - DPF: fdjeux - https://www.fdjeux.net/classes/fdjeux.cab
    O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.tikgames.com/real/games/goldfever/goldfever.cab
    O20 - Winlogon Notify: byxuron - byxuron.dll (file missing)
    O20 - Winlogon Notify: efccaaa - efccaaa.dll (file missing)
    O20 - Winlogon Notify: jkhhg - C:\WINDOWS\system32\jkhhg.dll
    O20 - Winlogon Notify: nnlmnnm - C:\WINDOWS\SYSTEM32\nnlmnnm.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\bassel.rabbat\Local Settings\Temp\nsbF.tmp\Services.dll
    C:\Documents and Settings\bassel.rabbat\Local Settings\Temp\b122.exe
    C:\Documents and Settings\bassel.rabbat\Local Settings\Temp\nsbF.tmp\Services.dll
    C:\Documents and Settings\bassel.rabbat\Local Settings\Temporary Internet Files\Content.IE5\QU0JQ5RH\122[1].net
    C:\Documents and Settings\bassel.rabbat\Local Settings\Temporary Internet Files\Content.IE5\XVU2WZ5N\WinAntiVirusPro2007FreeInstall[1].cab[UWA7P_0001_N91M0809NetInstaller.exe]
    C:\Program Files\Ipwindows\ipwins.dll
    C:\Program Files\Ipwindows\ipwins.exe
    C:\Program Files\Ipwindows\UnInstall.exe
    C:\Program Files\Common Files\{F083D1D7-0746-1033-0706-050506300001}\Update.exe
    C:\Program Files\Common Files\{3083D1D7-0746-1033-0706-050506300001}\UnInstall.exe
    C:\WINDOWS\system32\byxuron.dll
    C:\WINDOWS\system32\cbxywtr.dll
    C:\WINDOWS\system32\efccaaa.dll
    C:\WINDOWS\system32\fyaqlxfm.dll
    C:\WINDOWS\system32\hgggdaa.dll
    C:\WINDOWS\system32\jkhhg.dll
    C:\WINDOWS\system32\leokoqsx.dll
    C:\WINDOWS\system32\net.exe
    C:\WINDOWS\system32\nnlmnnm.dll
    C:\WINDOWS\system32\njwjuexu.dll
    C:\WINDOWS\system32\OLDA4.tmp
    C:\WINDOWS\system32\svchosts.exe
    C:\WINDOWS\system32\vtuvtsr.dll
    C:\WINDOWS\system32\wvutqnl.dll
    C:\WINDOWS\system32\ghhkj.bak1
    C:\WINDOWS\system32\ghhkj.bak2
    C:\WINDOWS\system32\ghhkj.tmp
    C:\WINDOWS\system32\ghhkj.ini
    C:\WINDOWS\system32\ghhkj.ini2
    C:\WINDOWS\system32\uxeujwjn.ini
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folders and delete if found:
    C:\Documents and Settings\bassel.rabbat\Favorites\Health
    C:\Program Files\Ipwindows
    C:\Program Files\InetGet2
    C:\Program Files\Common Files\{3083D1D7-0746-1033-0706-050506300001}
    C:\Program Files\Common Files\{F083D1D7-0746-1033-0706-050506300001}

    Now run Ccleaner

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!
     
  10. washdc-fb

    washdc-fb Private E-2

    Dear Chaslang:

You are very thorough; thank you very much for your quick and detailed response. I will start working on this right away and will get back to you as soon as I complete. My computer is running very, very slow now, so it may take me a while to go through everything, but I will follow all the steps and report back as soon as I do.

    Thanks again.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! I think you will notice it improving as you complete each of those steps! ;)
     
  12. washdc-fb

    washdc-fb Private E-2

    Dear Chaslang:

Thanks again for your help. I followed all the steps successfully and so far the computer is no longer freezing up, nor do I keep getting pop-ups... so far so good :) Thank you again.

    I have attached the requested logs.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

You're welcome, but you are still quite badly infected and you will probably be noticing that soon. Somewhere between when you posted your first logs in messages #7 & #8 and when you completed the fix I gave you in message #9, your infection spread and created a bunch more files. Thus after doing the fix, you still have things remaining and they caused some files we already removed to be recreated. We will need to do another similar procedure. Be sure to follow each step exactly and in the order written. Missing any single minor detail can result in total failure of the fix.

    Before getting started, please download the current version of GetRunKey and use it from now on when I ask for a new log.


    Make sure you have rebooted in Normal Mode (do not open any other processes)
    Also make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of awvtq.dll once and then click the kill button. After you have killed all of the awvtq.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    efcdcbc.dll

    Next double click on explorer.exe and again click once on each instance of awvtq.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    efcdcbc.dll

    Next double click on iexplore.exe and again click once on each instance of awvtq.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    efcdcbc.dll

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\ralimjtp.dll
    O2 - BHO: (no name) - {77595D10-B7AF-4FCE-A238-41B3D238EACC} - C:\WINDOWS\system32\awvtq.dll
    O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3083D~1\Bar888.dll (file missing)
    O2 - BHO: (no name) - {EAD96BB5-5969-439D-B2E4-CFEDADFA0831} - C:\WINDOWS\system32\ryeacrjx.dll
    O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3083D~1\Bar888.dll (file missing)
    O20 - Winlogon Notify: awvtq - C:\WINDOWS\system32\awvtq.dll
    O20 - Winlogon Notify: efcdcbc - C:\WINDOWS\SYSTEM32\efcdcbc.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    MAKE SURE you tell me if you received a success message from adding the above fixME.reg patch into the registry.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\Common Files\{F083D1D7-0746-1033-0706-050506300001}\Update.exe
    C:\WINDOWS\system32\svchosts.exe
    C:\WINDOWS\system32\unsvchosts.exe
    C:\WINDOWS\system32\awtrpnm.dll
    C:\WINDOWS\system32\awvtq.dll
    C:\WINDOWS\system32\efcaawt.dll
    C:\WINDOWS\system32\efcdcbc.dll
    C:\WINDOWS\system32\jkkkjhf.dll
    C:\WINDOWS\system32\mljhfdd.dll
    C:\WINDOWS\system32\qtjnamyo.dll
    C:\WINDOWS\system32\ralimjtp.dll
    C:\WINDOWS\system32\ryeacrjx.dll
    C:\WINDOWS\system32\tuvvtsq.dll
    C:\WINDOWS\system32\xxyvsro.dll
    C:\WINDOWS\system32\qtvwa.bak1
    C:\WINDOWS\system32\qtvwa.ini
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

After reboot locate the below folders and delete if found:
    C:\Program Files\Common Files\{F083D1D7-0746-1033-0706-050506300001}
    C:\Documents and Settings\bassel.rabbat\Application Data\Viewpoint

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
  14. washdc-fb

    washdc-fb Private E-2

I appreciate you sticking with me. You are absolutely correct; soon after posting I did start noticing I was badly infected. I will start on the procedure you expertly laid out above right away. Quick question: am I not running the latest version of GetRunKey, which I downloaded from here: http://forums.majorgeeks.com/showthread.php?t=83087
Has it been updated since I started last week?

    Thanks!
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

It has been updated twice! That is why I said you need the new version. At the time of my post you had version 1.58 and the current version was 1.59. Now the current version is 1.60.
     
  16. washdc-fb

    washdc-fb Private E-2

    Thanks for the quick clarification on that.

Okay, here we go :) To avoid the problem we had last time (infection between posting and your advice), after running the procedures you outlined and gathering the logs, I immediately turned off my machine and will keep it off till I hear back from you.

I will describe step by step how it went:
1- I ran Process Explorer but did not find all the files with awvtq.dll; I did find all the efcdcbc.dll instances, which I killed.
2- I ran HijackThis and saved a log before and after the killing process, as not all the lines were listed and some others seemed suspicious to me. I found 4 of the 8 listed, but I also found an O2 line with efcdcbc.dll, which I fixed too (it was not listed).
3- The fixme patch was successfully performed.
4- Pocket Killbox was done successfully. No PendingFileRenameOperations prompt was received. It rebooted by itself.
5- Located the file C:\Program Files\ Common Files..... Deleted (it was empty)
Located the file C:\Document and Settings\bassel.rabbat\Application Data\ Viewpoint....Deleted (it was not empty)
6- Ran Ccleaner
7- Ran the new GetRunKey, ShowNew and HJT and attached the logs (the HJT log here is called "HijackThis after Ccleaner")

    logs attached
     

    Attached Files:

  17. washdc-fb

    washdc-fb Private E-2

    more logs attached
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Actually it would have been better to have left your PC running and disconnected from the internet by unplugging the cable. These infections typically respawn and spread during shutdowns and reboots. Your infection is now different again and the current shutdown may have changed it again. To avoid having me work up a procedure that results in you saying you did not find something, please start up your PC and attach new logs from GetRunKey, ShowNew, and HJT. And then do not shut down or reboot your PC (it would also be best not to use it to do any other surfing since your symptoms seem to keep changing in between posts). Only reboot/power down as requested. While waiting for me to post, you can unplug your cable to the internet for maximum security.
     
  19. washdc-fb

    washdc-fb Private E-2

    Sorry about that.

I turned on the computer in Normal mode with the network cable plugged in, opened up a single browser, ran GetRunKey and ShowNew, saved the logs, closed the browser, unplugged the cable, ran HJT and saved the log. Left the notebook running.

Attached are the three logs.

As usual, your help is greatly appreciated! Thank you so much.
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    efcbyaw.dll
    etglbncc.dll
    iedpubso.dll
    pmkhi.dll

    After you have killed all instances of any of the above DLLs under winlogon click ok. (If you do not find these DLLS, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    efcbyaw.dll
    etglbncc.dll
    iedpubso.dll
    pmkhi.dll

    After you have killed all instances of any of the above DLLs under Explorer click ok. (If you do not find these DLLS, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    efcbyaw.dll
    etglbncc.dll
    iedpubso.dll
    pmkhi.dll

    After you have killed all instances of any of the above DLLs under iexplore click ok. (If you do not find these DLLS, just continue on.)

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\etglbncc.dll
    O2 - BHO: (no name) - {2BA9292C-6AF1-497C-9226-47B26E75E2B2} - C:\WINDOWS\system32\pmkhi.dll
    O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\iedpubso.dll",setvm
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O20 - Winlogon Notify: pmkhi - C:\WINDOWS\system32\pmkhi.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\WINDOWS\system32\efcbyaw.dll
    C:\WINDOWS\system32\etglbncc.dll
    C:\WINDOWS\system32\iedpubso.dll
    C:\WINDOWS\system32\pmkhi.dll
    C:\WINDOWS\system32\ihkmp.bak1
    C:\WINDOWS\system32\ihkmp.bak2
    C:\WINDOWS\system32\ihkmp.ini
    C:\WINDOWS\system32\osbupdei.ini
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
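Added example (Python; not a MajorGeeks tool and not written by either participant): a small triage script for the kinds of HijackThis lines fixed in messages 9, 13 and 20 above. It parses O2/O3/O4/O16/O20 lines, pulls out the CLSID and module path, and flags the patterns chaslang kept targeting: orphaned "(file missing)" entries, nameless BHOs, rundll32 Run-key loaders, and Winlogon Notify handlers outside a small allowlist; it also derives the reversed-name .ini/.bak companions that appeared next to every Vundo DLL in this thread (ghhkj for jkhhg, ihkmp for pmkhi). The sample lines are copied from those messages, and the Winlogon allowlist is an assumption (a trimmed set of stock XP handlers).

```python
"""Triage helpers for HijackThis (HJT) log lines of the kinds fixed in this thread.

Added example, not a MajorGeeks tool. SAMPLE_LOG is built from lines quoted in
messages 9, 13 and 20 (plus two benign O4 lines for contrast).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_LOG = r"""
O2 - BHO: (no name) - {36713579-ED09-494D-9BA9-5021C835A42E} - C:\WINDOWS\system32\jkhhg.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3083D~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\njwjuexu.dll",setvm
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O20 - Winlogon Notify: byxuron - byxuron.dll (file missing)
O20 - Winlogon Notify: jkhhg - C:\WINDOWS\system32\jkhhg.dll
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.tikgames.com/real/games/goldfever/goldfever.cab
"""

# Assumption: partial allowlist of stock Windows XP Winlogon Notify handlers;
# extend it from a known-clean baseline of the same OS build.
KNOWN_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                         "sclgntfy", "senslogn", "termsrv", "wlballoon"}

CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.IGNORECASE)
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|cab|ini|bat)\b", re.IGNORECASE)
DLL_RE = re.compile(r"[\w~-]+\.dll", re.IGNORECASE)


@dataclass
class HjtEntry:
    section: str                  # "O2", "O4", "O20", ...
    raw: str
    clsid: Optional[str] = None
    path: Optional[str] = None    # module path, or bare DLL name when that is all HJT shows
    flags: List[str] = field(default_factory=list)


def looks_random(basename: str) -> bool:
    """Hint for the throw-away names in this thread (jkhhg, ghhkj, nnlmnnm, efccaaa):
    5-8 letters with no vowels, a 5+ consonant run, or one letter repeated 3+ times."""
    name = basename.lower().rsplit(".", 1)[0]
    if not (5 <= len(name) <= 8 and name.isalpha()):
        return False
    vowels = sum(name.count(v) for v in "aeiou")
    longest_run = max(len(r) for r in re.split(r"[aeiou]", name))
    repeated = any(name.count(ch) >= 3 for ch in set(name))
    return vowels == 0 or longest_run >= 5 or repeated


def companion_names(dll_basename: str) -> List[str]:
    """The .ini/.bak files removed beside each Vundo DLL in this thread carry the DLL
    name reversed (jkhhg -> ghhkj, awvtq -> qtvwa, pmkhi -> ihkmp); list them to check."""
    stem = dll_basename.lower().rsplit(".", 1)[0][::-1]
    return [stem + ext for ext in (".ini", ".ini2", ".bak1", ".bak2", ".tmp")]


def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one HJT line into an HjtEntry with triage flags; None for non-HJT text."""
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    entry = HjtEntry(section=section, raw=line.strip())
    c = CLSID_RE.search(body)
    entry.clsid = c.group(0) if c else None
    r = RUNDLL_RE.search(body)
    p = PATH_RE.search(body) or DLL_RE.search(body)
    entry.path = r.group(1) if r else (p.group(0) if p else None)

    if "(file missing)" in body:
        entry.flags.append("orphaned: registry still points at a deleted file")
    if section in ("O2", "O3") and "(no name)" in body:
        entry.flags.append("nameless BHO/toolbar")
    if section == "O4" and r:
        entry.flags.append("rundll32 loads a DLL from a Run key")
    if section == "O16":
        entry.flags.append("downloaded ActiveX control (review)")
    if section == "O20":
        handler = body.split(":", 1)[1].split(" - ")[0].strip().lower()
        if handler not in KNOWN_WINLOGON_NOTIFY:
            entry.flags.append("Winlogon Notify handler outside allowlist")
    if entry.path and looks_random(entry.path.rsplit("\\", 1)[-1]):
        entry.flags.append("random-looking module name")
    return entry


def triage(log_text: str) -> List[HjtEntry]:
    """Parse every HJT line in log_text; entries with non-empty flags deserve a look."""
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
```

An empty flag list is not a clean bill: the IpWins Run entry above comes through unflagged even though chaslang removed it, so the flags narrow the review rather than replace it.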
  21. washdc-fb

    washdc-fb Private E-2

    Dear Chaslang:

As usual, thanks for taking a look at those logs and sharing your expertise with a detailed removal process. I know this takes time and I really appreciate it; can't say it enough!

I ran the protocol mentioned below and here is how it went:

I ran Process Explorer and killed the files mentioned which I could find, which were pmkhi.dll in the three instances and iedpubso.dll in explorer.exe only. Although I only had one Internet Explorer browser open, I had two lines of iexplore.exe in the list; I opened both of them and killed the mentioned processes in both lines.

Disconnected the internet cable

Ran HijackThis, no problems, found all 5 lines mentioned and fixed them

Ran fixme.reg, no problem

Ran Killbox.exe, rebooted. No PendingFileRenameOperations prompt received.

Ran Ccleaner after reboot

Ran GetRunKey, ShowNew and HJT and copied the logs to USB, transferred them to another machine and attached them to this message.

Notebook running smoothly in appearance, although I am not using it to really know for sure. Internet cable disconnected and left idle.

Hoping we got to the end of it!! Will wait for your confirmation before celebrating :)
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

Your logs are clean; however, the real test is to reconnect to the internet and do some surfing. Then attach logs from ShowNew and HJT again.
     
  23. washdc-fb

    washdc-fb Private E-2

    Dear Chaslang:

    Okay here is the latest:
I did some surfing without problem or diversion. I rebooted and at that time I received the same messages as previously from Symantec Antivirus Notification:

    3 Notifications from following type:
    Scan Type: Auto-Protect Scan
    Threat: Trojan-Adclicker
    File:C\ Program Files\ Common Files\ {F083D1D7-0746-1033-0706-050506300001}\Update.exe
    Location: C\ Program Files\ Common Files\ {F083D1D7-0746-1033-0706-050506300001}
    Computer: CGBRT01-L-MBR
    User: =
    Action taken: Clean failed : Quarantine failed: Delete succeeded : Access denied
    Date found: Thursday, April 26, 2007 12.42.12PM

    1 Notification from following type:
    Scan Type: Auto-Protect Scan
    Threat: Infostealer
    File:C\ DOCUME~1\BASSEL~1.RAB\ LOCALS~1\Temp\dpjbfukj.dll
    Location: C\ DOCUME~1\BASSEL~1.RAB\ LOCALS~1\Temp
    Computer: CGBRT01-L-MBR
    User: =
    Action taken: Clean failed : Quarantine failed: Delete succeeded : Access denied
    Date found: Thursday, April 26, 2007 12.51.12PM

    I also received the Windows Security message:
    To help protect your computer, Windows Firewall has blocked some features of this program.
    Do you want to keep blocking this program?
    Name: javaw
    Publisher: Unknown
    Action options: Keep blocking // Unblock // Ask me later
    I replied ask me later

Could these two issues be related? I mean, as you remember, we changed the Java program as some weakness of it was being used by the spyware. Could the fact that Windows is blocking the javaw program be related to Java, and is it preventing Java from removing such weakness?

    Also attached are my latest logs.
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure about the name? Was it javaw or javaws? The Windows Firewall is totally inadequate and must be replaced by a real bidirectional firewall.


    Hopefully you have not rebooted or powered down since you last post (per my previous instructions).
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Client IP-IPX
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste Client IP-IPX into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Make sure you have rebooted in Normal Mode (do not open any other processes)
    Make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    ssqrp.dll
    jkhhife.dll
    guhftsuk.dll
    midflklb.dll

    After you have killed all instances of any of the above DLLs under winlogon click ok. (If you do not find these DLLS, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    ssqrp.dll
    jkhhife.dll
    guhftsuk.dll
    midflklb.dll
    After you have killed all instances of any of the above DLLs under Explorer click ok. (If you do not find these DLLS, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    ssqrp.dll
    jkhhife.dll
    guhftsuk.dll
    midflklb.dll

    After you have killed all instances of any of the above DLLs under iexplore click ok. (If you do not find these DLLS, just continue on.)

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\guhftsuk.dll
    O2 - BHO: (no name) - {5FAA27E3-43B9-4050-97C2-F1E92EEDE9B2} - C:\WINDOWS\system32\ssqrp.dll
    O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3083D~1\Bar888.dll
    O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3083D~1\Bar888.dll
    O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\midflklb.dll",realset
    O20 - Winlogon Notify: jkhhife - C:\WINDOWS\SYSTEM32\jkhhife.dll
    O20 - Winlogon Notify: ssqrp - C:\WINDOWS\system32\ssqrp.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by double-clicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\Program Files\Common Files\{F083D1D7-0746-1033-0706-050506300001}\Update.exe
    C:\WINDOWS\system32\net.exe
    C:\WINDOWS\system32\svchosts.exe
    C:\WINDOWS\system32\unsvchosts.exe
    C:\WINDOWS\system32\guhftsuk.dll
    C:\WINDOWS\system32\jkhhife.dll
    C:\WINDOWS\system32\midflklb.dll
    C:\WINDOWS\system32\ssqrp.dll
    C:\WINDOWS\system32\vtstr.dll
    C:\WINDOWS\system32\wvwuuvs.dll
    C:\WINDOWS\system32\yayyxvt.dll
    C:\WINDOWS\system32\prqss.bak1
    C:\WINDOWS\system32\blklfdim.ini
    C:\WINDOWS\system32\prqss.ini
    C:\WINDOWS\system32\rtstv.ini
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete if found:
    C:\Program Files\Common Files\{3083D1D7-0746-1033-0706-050506300001}
    C:\Program Files\Common Files\{F083D1D7-0746-1033-0706-050506300001}

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Also make sure you leave your PC running!!! Do not reboot or power down after attach the above logs!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
     
  25. washdc-fb

    washdc-fb Private E-2

    Dear Chaslang:

    As usual, thanks for the detailed post. I did not reboot in between posting the logs and receiving your instructions. I ran the protocol; all went well.
    Attached are the logs; I have not reconnected to the internet yet. Crossing my fingers....
     

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The current logs are clean but they are not useful if you have not been connected to the internet. You must stay connected unless specified otherwise, but just don't reboot or power down unless requested in a procedure. After doing all of the cleaning, if you don't use the PC to at least come here and attach the logs, the logs are not necessarily going to indicate the true status.
     
    Last edited: Apr 28, 2007
  27. washdc-fb

    washdc-fb Private E-2

    Dear Chaslang:

    I connected to the internet and surfed with no apparent problems. Then, I ran the scans and am attaching the logs. Do you think I should try rebooting a few times and see what happens? (have not yet rebooted)

    Many thanks.
     

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Everything looks good now. Yes, you should reboot now. It should be okay, but make sure you tell me if you have problems after rebooting. If everything is still working okay after rebooting, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  29. washdc-fb

    washdc-fb Private E-2

    Dear Chaslang:

    Unfortunately it looks like something is still there!! This is a very stubborn trace it seems.

    Yesterday I surfed on the internet and I rebooted the computer and ran the Spyware Doctor which only found very few cookies for CNN and MSN.
    The only strange thing is that I had a message box to with the following title:
    Old Virus Definition File
    The message body is the following:
    The virus definition file used is more that 10 days old. Updating to a new virus definition file will help catch the most recent virus
    Choices:
    Box to tick: Don't remind me again until next update
    Action Choice: Close or Help

    I did not know to which program this message is related, so I chose Close; it did not close, then I chose Help, and it went to look for something on the internet, so I immediately closed it.
    This morning when I started the computer I received three messages from Symantec Antivirus Notification:
    Scan Type: Auto-Protect Scan
    Threat: Trojan-Adclicker
    File:C\ Program Files\ Common Files\ {F083D1D7-0746-1033-0706-050506300001}\Update.exe
    Location: C\ Program Files\ Common Files\ {F083D1D7-0746-1033-0706-050506300001}
    Computer: CGBRT01-L-MBR
    User: bassel
    Action taken: Clean failed : Quarantine failed: Delete succeeded : Access denied
    Date found: Thursday, April 30, 2007 11.13.12AM
    Same message at 11.15 AM and 11.16 AM

    I also had the message described earlier for the old virus definition file. I went into Task Manager to try to see to which program this message is related, and in the application, if I right-click on it and go to process, it takes me to Processes: Image name: VPTray.exe, User Name: bassel.

    Anyway, I found this suspicious and wanted to let you know about it. I have a feeling that this is causing the resurgence of the spyware.

    Also I got another Symantec notice, about something called InfoStealer

    Finally, I looked into services and found that the Client IP-IPX service that we disabled is now back at Automatic!

    I ran the logs of Runkeys Shownew and HJT and attached them to this message.

    Thanks again for sticking with me!
     

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have become totally reinfected. You need to reevaluate what websites you are accessing or what software you are running or downloading. The update.exe file is something we had already completely removed. Look back at previous steps and you will see that. Your logs were clean! Now you have new DLL files, which means this is a new Vundo infection.

    You never completed the instructions I gave you in message # 28. Please complete ALL of them now except deleting GetRunKey and ShowNew. Also download the current version of GetRunKey, which was recently updated.

    Does your Norton/Symantec software include a firewall?

    Note: You need to keep your antivirus and antispyware programs up to date. You are not and that is why you had that warning message.


    Now run the following.


    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!
     
  31. washdc-fb

    washdc-fb Private E-2

    Dear Chaslang:

    I reviewed in my mind the websites I visited; they are all mainstream (CNN, MSN etc.), but I remember clearly that I went on to do a Spyware Doctor check, and when I turned it on it said it needed to update and reboot, so I let it do that, and it updated at least 10 files, as it had not updated for at least the last 5 days.
    When it rebooted everything went fine, and it did the scan and did not find anything except two low-level cookies.
    After that I shut down in order to go to the office, and when I rebooted in the office I started getting these messages.
    For me these are the only dubious incidents that I encountered, together with the ones I recounted earlier for the old virus definitions.
    I did not get a chance to complete the last steps, as when I wanted to do them I got these virus messages back.

    Given this information, do you have any ideas of what could be causing the reinfection??

    I will be completing your instructions in the last post and will post the results. Thanks for your help
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not really sure why! It's possible that the items left in the backup folders were somehow accessed and caused the infection to respawn.

    I do have to question whether your Symantec software includes a firewall or are you relying on the Windows firewall which is not adequate.

    Make sure to do all of the final cleanup steps in message # 28. Even deleting ComboFix and any files related to it. I know I have you downloading it again, but it would be best to clean up first and then redownload to make sure you have the current version and to remove all old information first. Then you can move on to message # 30.
     
  33. washdc-fb

    washdc-fb Private E-2

    Unfortunately it is the Symantec client with the firewall. I had the firewall version but it kept blocking access to certain apps I needed to run, and the only way around it was to disable it; I even tried making an exception and spent hours with Symantec tech support on the phone! I guess I need to try ZoneAlarm or something. Will post back soon with the info requested. Thanks again.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you MUST get a real firewall installed. My final instructions will include a link that mentions a few free firewalls to try. We will get to that once we finish your cleanup. However if we keep seeing new infections reoccur, I may have you install a firewall even though we are not finished.
     
  35. washdc-fb

    washdc-fb Private E-2

    Thanks, Chaslang; sounds like a good plan.

    I deleted the files you asked me to delete and reinstalled the new ones for Combofix and GetRunkeys.

    I have Spyware Doctor on and it keeps blocking files from accessing the internet; it is a nuisance, but at least it is working in protecting the notebook. Especially a file called C:\WINDOWS\system32\ddaya.dll; it keeps trying to launch Internet Explorer.

    Attached are the requested logs.
     

  36. washdc-fb

    washdc-fb Private E-2

    one more log
     

  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually Spyware Doctor is doing a rather poor job! It is not even close to detecting all the problems. There are a lot more problems than the ddaya.dll file, as you will see below, and ComboFix even removed some files already. Also Spyware Doctor is not fixing the problems and is probably just making the infection worse. If you do not completely remove all components of a Vundo infection, it will reinfect you, and it typically will get worse each time you do an incomplete/incorrect fix. What Spyware Doctor is doing is putting a small band-aid on the problem, and it is doing it after you are already infected instead of blocking the infection to begin with.

    If the below fixes do not work properly or the infection comes back again, we may need to uninstall Spyware Doctor so that we can properly fix your problems. It may be getting in our way and since it is not properly fixing all of the Vundo problems, it could also be preventing us from seeing something we may be missing.

    Just in case you deleted Pocket Killbox and/or Process Explorer, my instructions below include redownloading.


    Start by downloading two tools we will need

    - ProcessExplorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    ddaya.dll
    cbxvstr.dll
    efccyxu.dll
    ljjjgeb.dll
    mljgggh.dll
    mljgghi.dll
    nrafwmoc.dll

    After you have killed all instances of any of the above DLLs under winlogon click ok. (If you do not find these DLLS, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    ddaya.dll
    cbxvstr.dll
    efccyxu.dll
    ljjjgeb.dll
    mljgggh.dll
    mljgghi.dll
    nrafwmoc.dll

    After you have killed all instances of any of the above DLLs under Explorer click ok. (If you do not find these DLLS, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    ddaya.dll
    cbxvstr.dll
    efccyxu.dll
    ljjjgeb.dll
    mljgggh.dll
    mljgghi.dll
    nrafwmoc.dll

    After you have killed all instances of any of the above DLLs under iexplore click ok. (If you do not find these DLLS, just continue on.)

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {B2BE131D-7A90-48CA-97F3-89598993EB2D} - C:\WINDOWS\system32\ddaya.dll
    O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\oghqywvm.dll (file missing)
    O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3083D~1\Bar888.dll
    O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\nrafwmoc.dll",realset
    O20 - Winlogon Notify: ddaya - C:\WINDOWS\system32\ddaya.dll
    O20 - Winlogon Notify: efccyxu - efccyxu.dll (file missing)
    O20 - Winlogon Notify: mljgggh - C:\WINDOWS\SYSTEM32\mljgggh.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by double-clicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\Common Files\{F083D1D7-0746-1033-0706-050506300001}\Update.exe
    C:\WINDOWS\system32\net.exe
    C:\WINDOWS\system32\svchosts.exe
    C:\WINDOWS\system32\unsvchosts.exe
    C:\WINDOWS\system32\cbxvstr.dll
    C:\WINDOWS\system32\ddaya.dll
    C:\WINDOWS\system32\efccyxu.dll
    C:\WINDOWS\system32\ljjjgeb.dll
    C:\WINDOWS\system32\mljgggh.dll
    C:\WINDOWS\system32\mljgghi.dll
    C:\WINDOWS\system32\nrafwmoc.dll
    C:\WINDOWS\system32\ayadd.bak1
    C:\WINDOWS\system32\ayadd.ini
    C:\WINDOWS\system32\comwfarn.ini
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete if found:
    C:\Program Files\Common Files\{3083D1D7-0746-1033-0706-050506300001}
    C:\Program Files\Common Files\{F083D1D7-0746-1033-0706-050506300001}

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!
     
  38. washdc-fb

    washdc-fb Private E-2

    Thanks Chaslang, I am starting the procedure now and will post soon with the results.
    Do you advise I remove Spyware Doctor completely, and if so, when? Now, before starting the procedure, or after? I have both Spyware Doctor and Spyware Sweeper (but Spyware Sweeper is not currently installed), which I used prior to posting originally; both could not remove the malware, which is why I came here! Those two are the best rated spyware software according to PCMag, which makes me question what I read now! What do you suggest I use in the future? I am assuming I should wait till we clean up the malware and are ready for the final steps to install your suggestion.

    Thanks!
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Leave Spyware Doctor installed for now. If we continue to have removal problems, I will possibly ask that it be uninstalled.

    Both Spy Sweeper and Spyware Doctor are good programs. They just cannot remove a lot of malware like this. No commercial software can. I'm not sure why, since we can do it manually. However, they have never been able to remove these kinds of problems. For a short period of time about a year or more ago, Spy Sweeper was the only program around that could remove some forms of Vundo. But that quickly changed as Vundo evolved. Nothing else has ever properly removed the kinds of malware we see in this forum every day. If they could remove it, this forum would not have to exist.

    As far as believing everything you read... well, I suggest that would not be a good idea. I don't think the people evaluating programs understand the kind of malware infections that really exist and what really needs to be removed. Too many scanners spend time creating removals for things that are so easy to remove that you really don't need a special tool for them. Things like cookies, MRUs, emptying cache files, and many dozens of items that could easily be uninstalled. The tough problems seen here and in other forums are always left to us malware fighters to remove manually and with the use of a variety of free tools we create to help us in our fight.
     
  40. washdc-fb

    washdc-fb Private E-2

    Dear Chaslang:

    I did all the below steps and they all were successful, but on reboot I received again the Symantec Notifications and the Spyware Doctor alerts, which I attached in a separate log. The Spyware Doctor alerts were more related to unsvchost.exe, svchost.exe and Client-IPX.

    The Symantec Notification was saying that it has deleted the file:

    C:\Program Files\Common Files\{F083D1D7-0746-1033-0706-050506300001}\update.exe

    I think I am still infected. Due to the intense attacks of the spyware/virus and the fighting back of both Symantec and Spyware doctor the system became unstable, crashed and rebooted by itself.

    I am attaching the new logs after reboot as I am sure now new files and .dll have spawned throughout the system

    Here are the latest logs.
     

  41. washdc-fb

    washdc-fb Private E-2

    one more log
     

  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's do what I was referring to. Please uninstall Spyware Doctor now. Then reboot. (Note: we may have to do the same with Symantec if it continues to get in our way).

    Then after reboot run the below procedure twice (you only have to attach the requested log once after finishing the two runs).

    Virtumonde aka Trojan Vundo Removal

    Note the above will more than likely not totally fix the problems. We will still need manual steps.

    Now run the ComboFix procedure again!

    Some of the below items may or may not be found due to having run VundoFix and ComboFix. If not found, just continue on thru all steps. BE VERY CAREFUL and make sure you really look very hard for every item mentioned. Missing a single detail will allow the infection to respawn. For example, in the first part of the below steps I use the words "each instance". These file names may not appear at all in Process Explorer, or there could be many instances of them. You must delete ALL instances of them or the procedure will fail!! It's tedious work, but it is very important to make sure you do not miss anything!


    Make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    ddabc.dll
    ddayv.dll
    efcywts.dll
    ernlfaxo.dll
    fccaxxv.dll
    gebcbbx.dll
    gebyv.dll
    iifcabb.dll
    nslvpjxi.dll
    qomkhfc.dll
    urqqnnl.dll
    vtsqr.dll

    After you have killed all instances of any of the above DLLs under winlogon click ok. (If you do not find these DLLS, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    ddabc.dll
    ddayv.dll
    efcywts.dll
    ernlfaxo.dll
    fccaxxv.dll
    gebcbbx.dll
    gebyv.dll
    iifcabb.dll
    nslvpjxi.dll
    qomkhfc.dll
    urqqnnl.dll
    vtsqr.dll

    After you have killed all instances of any of the above DLLs under Explorer click ok. (If you do not find these DLLS, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    ddabc.dll
    ddayv.dll
    efcywts.dll
    ernlfaxo.dll
    fccaxxv.dll
    gebcbbx.dll
    gebyv.dll
    iifcabb.dll
    nslvpjxi.dll
    qomkhfc.dll
    urqqnnl.dll
    vtsqr.dll

    After you have killed all instances of any of the above DLLs under iexplore click ok. (If you do not find these DLLS, just continue on.)

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {9008A090-6C38-4025-9085-F0CE3862B3EA} - C:\WINDOWS\system32\ddayv.dll
    O2 - BHO: (no name) - {970D022E-A884-4D2A-BB4A-EBC22D2FEBD2} - C:\WINDOWS\system32\fccaxxv.dll
    O2 - BHO: (no name) - {B9F3B6A3-2565-4252-A6B1-24A6A96AB04D} - C:\WINDOWS\system32\gebyv.dll
    O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\ernlfaxo.dll
    O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3083D~1\Bar888.dll
    O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\nslvpjxi.dll",realset
    O20 - Winlogon Notify: ddayv - C:\WINDOWS\system32\ddayv.dll
    O20 - Winlogon Notify: fccaxxv - C:\WINDOWS\SYSTEM32\fccaxxv.dll
    O20 - Winlogon Notify: gebyv - C:\WINDOWS\

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by double-clicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\Program Files\Common Files\{F083D1D7-0746-1033-0706-050506300001}\Update.exe
    C:\WINDOWS\system32\net.exe
    C:\WINDOWS\system32\svchosts.exe
    C:\WINDOWS\system32\unsvchosts.exe
    C:\WINDOWS\system32\ddabc.dll
    C:\WINDOWS\system32\ddayv.dll
    C:\WINDOWS\system32\efcywts.dll
    C:\WINDOWS\system32\ernlfaxo.dll
    C:\WINDOWS\system32\fccaxxv.dll
    C:\WINDOWS\system32\gebcbbx.dll
    C:\WINDOWS\system32\gebyv.dll
    C:\WINDOWS\system32\iifcabb.dll
    C:\WINDOWS\system32\nslvpjxi.dll
    C:\WINDOWS\system32\qomkhfc.dll
    C:\WINDOWS\system32\urqqnnl.dll
    C:\WINDOWS\system32\vtsqr.dll
    C:\WINDOWS\system32\vyadd.bak1
    C:\WINDOWS\system32\vybeg.bak1
    C:\WINDOWS\system32\ixjpvlsn.ini
    C:\WINDOWS\system32\vyadd.ini
    C:\WINDOWS\system32\vybeg.ini
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete if found:
    C:\Program Files\Common Files\{3083D1D7-0746-1033-0706-050506300001}
    C:\Program Files\Common Files\{F083D1D7-0746-1033-0706-050506300001}



    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    Now attach the below new logs:
    1. VundoFix log
    2. ComboFix log
    3. GetRunKey
    4. ShowNew
    5. HijackThis
    NOW VERY IMPORTANT: DO NOT POWER DOWN OR REBOOT AFTER POSTING YOUR LOGS.
    Keep your PC running while waiting for my next steps. You can unplug your cable to the internet for security, but do not power down or otherwise reboot. If still infected, your symptoms could change and make my next steps useless.
     
    Last edited: May 3, 2007
  43. washdc-fb

    washdc-fb Private E-2

    Dear Chaslang:

    Thank you for the detailed instructions. I followed all of them as requested without any problems however now the microsoft firewall message blocking Javaw (not Javaws) and Microsoft messenger came back could these two program be suspicious? Attached are the logs.
     

    Attached Files:

  44. washdc-fb

    washdc-fb Private E-2

    two more logs
     

    Attached Files:

  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please totally ignore Microsoft's firewall! First I don't think it is giving you correct information (the file name is C:\WINDOWS\system32\javaws.exe which is Sun Java ) and why would it block Microsoft Messenger which is their own program. We will be disabling this firewall anyway since it does not provide adequate protection.

    Please see if you can delete the below file right now! Let me know!
    C:\WINDOWS\system32\net.exe
    C:\WINDOWS\system32\svchosts.exe
    C:\WINDOWS\system32\unsvchosts.exe
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also let's do the below which may help you to delete the C:\WINDOWS\system32\svchosts.exe file if it would not delete!
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Client IP-IPX
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste Client IP-IPX into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to.
    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT

    NOW VERY IMPORTANT: DO NOT POWER DOWN OR REBOOT AFTER POSTING YOUR LOGS.
    Keep your PC running while waiting for my next steps. You can unplug your cable to the internet for security but do not power down or otherwise reboot. If still infected, your symptoms could change and make my next steps useless.

    If everything looks clean in the above logs, I will then probably have you reboot after installing a real firewall! We'll see what is next after I review the logs.
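    Added example (PowerShell, not from the thread and not part of chaslang's instructions): a defender-side check for the pattern the steps above deal with, a service whose ImagePath points at a file that is missing from disk or at a one-character lookalike of a core Windows binary (svchosts.exe versus svchost.exe). It assumes a Windows host with PowerShell 3 or later, run from an elevated prompt; the list of core binary names is constructed for the example.

```powershell
# Added example, not from the thread: flag services whose binary is missing from
# disk or whose file name is one edit away from a core Windows binary
# (e.g. svchosts.exe vs svchost.exe, the lookalike seen in this thread).
# Assumes Windows with PowerShell 3 or later, run from an elevated prompt.

# Core binaries that malware commonly imitates; list constructed for this example.
$CoreNames = @('svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'services.exe')

function Get-EditDistance([string]$a, [string]$b) {
    # Standard Levenshtein distance; inputs are short, so a full matrix is fine.
    $d = New-Object 'int[,]' ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1), $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Get-ServiceExePath([string]$ImagePath) {
    # Reduce an ImagePath value to its executable: handles quoted paths and arguments.
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p.StartsWith('"')) { return ($p -split '"')[1] }
    $m = [regex]::Match($p, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value } else { return ($p -split ' ')[0] }
}

function Find-SuspiciousServices {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem $base) {
        $img = (Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue).ImagePath
        if (-not $img) { continue }                      # entries without an ImagePath
        $exe = Get-ServiceExePath $img
        $name = [IO.Path]::GetFileName($exe).ToLower()
        $reasons = @()
        # Only absolute paths are checked for existence; driver paths are often relative.
        if ($exe -match '^[A-Za-z]:\\' -and -not (Test-Path -LiteralPath $exe)) { $reasons += 'binary missing on disk' }
        foreach ($core in $CoreNames) {
            if ($name -ne $core -and (Get-EditDistance $name $core) -eq 1) { $reasons += "lookalike of $core" }
        }
        if ($reasons) {
            [pscustomobject]@{ Service = $key.PSChildName; Binary = $exe; Reason = ($reasons -join '; ') }
        }
    }
}

Find-SuspiciousServices | Format-Table -AutoSize
```

    A hit is a lead for review, not proof of infection; compare the flagged binary against what the service's vendor documents before acting on it.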
     
  47. washdc-fb

    washdc-fb Private E-2

    Hi Chaslang:

    I did the below steps the only thing that I encountered is that when I wanted to delete Client IP-IPX in HijackThis he replied that the only file he found with that name was related to a file called svchosts.exe and that file is missing. I said ok and he marked the client IP-IPX for deletion.

    All other steps went fine.

    The notebook is still functioning smoothly apparently. It has been connected to the internet for at least 6 hours now with no apparent issues.

    Attached are the latest logs...
     

    Attached Files:

  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  49. washdc-fb

    washdc-fb Private E-2

    Dear Chaslang:

    Thank you so VERY much for ALL your help--- your skills are incredible! You really saved the day-- and I know I took so much time from you.

    I completed all the steps above except for the firewall and Spyware software. Two questions-- which firewall of the choice you listed do you recommend the highest. Also, SpySweeper is listed as one of the good Spyware products on the link, we had uninstalled Spyware Doctor so as not to interfere with our cleaning. Also last time after we were clean, very close to the time that I ran a Spy Doctor scan, I immediately became reinfected. Should I try to install either spySweeper or Spy Doctor (both I have) and run a scan, or should I just install a less processor intensive one and keep it that way?

    BTW Windows firewall keeps coming up with the warning on the windows messenger and javaw (not javaws) which per your instructions I am continuing to ignore-- and will be getting a real firewall... in the meantime it sounds like it is okay to just click on Allow- the weird thing is that I have done this before, and after the disinfection process it comes back (the warnings).

    Again thank you very much!

    I would really love to give you a gift via paypal or google checkout- I would like to buy you a dinner in appreciation. I hope you will accept (feel free to PM me with details on getting this to you).
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    ZoneAlarm! But if you are going to use the free version, be sure to download from the MajorGeeks link and not the author's site. And while installing make sure you do not allow it to install the full security suite. Only install the free firewall.

    Are your copies of Spy Sweeper and Spyware Doctor both legal paid subscriptions that you keep up to date? All realtime blocking tools will impact PC performance. It cannot be avoided.

    Does it say only javaw and nothing else? Is it javaw.exe? Tell me the full text of what it finds. javaw.exe is also part of Sun Microsystems' Sun Java. So you should allow it as long as it is javaw.exe which I would assume that it is. In your system32 folder you will see java.exe, javaw.exe and javaws.exe which are all part of Sun Java.
     
