Need serious help removing malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ccureton1337, May 12, 2007.

  1. ccureton1337

    ccureton1337 Private E-2

    Alright, I've been through a lot of heartache and pain. I've run through the general "Malware Removal" prereqs thread and had little luck. I ran Ccleaner and Spybot and they worked accordingly. I currently had AVG on my PC but it always freezes up during the scan. I managed to get CounterSpy on here, scanned my machine and saved the logs. When I attempted to run Bitdefender, Internet Explorer crashed. Panda ActiveScan was an extremely long scan and by the time the scan finished so I could save the logs, malware kicked in and disconnected my internet. Soooo I had to reset my computer and lost everything. GetRunKey.zip and ShowNew.zip both could not be run on my computer. I would save the files to a folder but when I would extract and try to run them, my computer would reboot. I did get HijackThis on my computer and attached a text file of the logs. I proceeded step by step through the tutorial but could only capture two log files. My computer is pretty screwed up.

    The main symptoms I've been noticing are that after using the internet for about 10 minutes or so, connection is lost. Also anytime I try to install absolutely anything on my PC now, the computer reboots as soon as I click "Run". I've been having to save files to my computer then open them that way. I could really use some advice on what to do, at this point I have nothing.
     

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You did not rename HijackThis as required. See step 7 and rename it.

    I don't see any reason why you cannot run GetRunKey and ShowNew. Did you get them extracted from the ZIP files? Where did you extract them to? Are you sure you extracted all files? Unplug your cable to the internet and run them, or try running them in safe mode if necessary.

    I do see some serious infections in your logs that have been posted. One thing that I can tell you is that we are going to need the logs from ShowNew and GetRunKey in order to help get you fixed. Without them, it will be very difficult to impossible to give you a fix that will work properly and completely.

    However let's try a few things anyway to see if we can make some improvements.

    Now download LSP - Fix

    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the twgbq.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move twgbq.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    If it is already in the Remove section, just click Finish.


    Now let's remove a malware service!!

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to rundll.exe
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste rundll.exe into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O2 - BHO: (no name) - {45883783-0905-4ab1-ae6a-b03bf853afec} - C:\WINDOWS\system32\jcdracrf.dll (file missing)
    O2 - BHO: (no name) - {a417e58f-312c-43ac-9259-7fed79ba20e3} - C:\WINDOWS\system32\jcdracrf.dll (file missing)
    O2 - BHO: (no name) - {d7adbe5a-0f90-4799-a705-fbbf21aa992e} - C:\WINDOWS\system32\jcdracrf.dll (file missing)
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll (file missing)
    O4 - HKLM\..\RunServices: [System Manager] phqghu.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk572LDUS
    O9 - Extra button: Microsoft AntiSpyware helper - {4ED1A85D-E339-4794-9CB5-9C1333AA3B33} - C:\WINDOWS\system32\wldr.dll (file missing)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4ED1A85D-E339-4794-9CB5-9C1333AA3B33} - C:\WINDOWS\system32\wldr.dll (file missing)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\twgbq.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\twgbq.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\twgbq.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\twgbq.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\twgbq.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\twgbq.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\twgbq.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\twgbq.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\twgbq.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\twgbq.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\twgbq.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\twgbq.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\twgbq.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\twgbq.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\twgbq.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\twgbq.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\twgbq.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\twgbq.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\twgbq.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\twgbq.dll
    O16 - DPF: {1AAA7D82-209E-0085-35FE-59A55E9C228A} - http://69.50.182.94/1/gdnUS1862.exe
    O16 - DPF: {322B69B5-B7FC-5D74-73CF-7146768F3008} - http://69.50.173.166/1/gdnUS1862.exe
    O16 - DPF: {39308BAA-4A4D-0095-5477-0CAC378B9F92} - http://69.50.182.94/1/gdnUS1862.exe
    O16 - DPF: {58EF5D78-8E47-2666-21A6-35871F83FC9B} - http://69.50.182.94/1/gdnUS1862.exe
    O16 - DPF: {716A2931-FEE4-4FD0-CC02-02844E0A479A} - http://69.50.182.94/1/gdnUS1862.exe
    O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll (file missing)
    O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\msn93.exe

    After clicking Fix, exit HJT.


    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\msn93.exe
    C:\WINDOWS\system32\wldr.dll
    C:\WINDOWS\system32\mljgh.dll
    C:\WINDOWS\system32\jcdracrf.dll
    c:\windows\system32\twgbq.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
  3. ccureton1337

    ccureton1337 Private E-2

    I dloaded LSP-fix and when I attempted to extract the executable file, my comp rebooted. After that I went back in and just ran the executable file. The LSP-Fix by cexx.org-v1.1 window displayed. I checked the box as instructed but there was no twgbq.dll. Should there be?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Check your HJT log for lines similar to the below
    The above were in your previous log. The infection you have can constantly rename or even add to the files that are part of the infection. If you see new O10 lines in your HJT log with a different DLL file name, that is the one you now need to fix. This particular problem may come back anyway. Until I get complete logs from ShowNew and GetRunKey I will not be able to locate the source of the infection.
     
  5. ccureton1337

    ccureton1337 Private E-2

    I got them to work now, at least I think so. I disconnected the internet and they ran smooth. However the runkeys.txt file never showed up yet xrkey00.txt displayed in its place. Is this what you're looking for?
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    NO! The log from GetRunKey is runkeys.txt. All the other files that are created are only temp files that are used to build the full log. When the program runs properly, runkeys.txt will be created and the other temp files will be deleted.

    Are you seeing any error messages in the command prompt window that opens?

    ShowNew did not work either.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What file name did you put into LSP fix?

    Did you notice that now it is: vzxrfsmerdb.dll

    Fix it now with LSP-fix. Then after fixing it, tell me all the filenames that remain in the Keep column!

    This malware will constantly recreate and rename the bad DLL file at reboots and power downs.

    We did make some progress though! Your log is cleaner than it was.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download the attached MGTool.zip file! Extract the two files from it into the folder where you install ShowNew. This will put a new version of ShowNew.bat and GetRunKey.bat into your ShowNew folder. This is okay. They will both run fine from this folder. Try running these new versions to see if you can get complete logs! Run GetRunKey.bat first and wait for it to finish (runkeys.txt text should pop up in notepad). Then close this notepad window. Then run ShowNew.bat.
     
  9. ccureton1337

    ccureton1337 Private E-2

    When I click on either program the command prompt opens and closes immediately. The command prompt doesn't stay open long enough for me to read anything that's in there.

    These are the remaining files in LSPfix...

    Files: mswsock.dll, Description: Tcpip
    Files: winrnr.dll, Description: NTDS
    Files: rsvpsp.dll, Description: (Protocol handler)


    alfvoehleeq.dll is the one that I fixed this time in LSP.

    I couldn't find the attachment for the MGtool.zip.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Those are valid ones. If at any time you lose your internet connection during this procedure, anything other than those three probably needs to be removed and will probably show in your HJT log on an O10 line.


    Sorry about that! Here it is
     


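The check described in the post above (any Winsock LSP file other than the three valid ones is the one to fix, and its name changes between logs) can be run mechanically over saved HijackThis logs. This is an added example, not part of the original thread and not HijackThis or LSP-Fix code; the function names are hypothetical, and the two sample logs are constructed from file names mentioned in the thread (the system32 path for vzxrfsmerdb.dll is an assumption).

```python
import re
from collections import Counter
from ntpath import basename  # applies Windows path rules on any OS

# The three LSP files confirmed as valid for this machine in the thread.
KNOWN_GOOD_LSP = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll"}

# Only the O10 form that appears in this thread's logs is handled.
O10_RE = re.compile(
    r"^\s*O10 - Unknown file in Winsock LSP:\s*(?P<path>.+?)\s*$",
    re.IGNORECASE,
)

# Constructed sample: HijackThis log lines before a reboot.
LOG_BEFORE = r"""
O4 - HKLM\..\RunServices: [System Manager] phqghu.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\twgbq.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\twgbq.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\twgbq.dll
O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\msn93.exe
"""

# Constructed sample: log after a reboot, DLL renamed by the infection.
# The mswsock.dll line is included only to exercise the allowlist.
LOG_AFTER = r"""
O10 - Unknown file in Winsock LSP: c:\windows\system32\vzxrfsmerdb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\vzxrfsmerdb.dll
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\mswsock.dll
"""


def lsp_entries(log_text):
    """Count O10 lines per file path (paths lowercased for comparison)."""
    counts = Counter()
    for line in log_text.splitlines():
        match = O10_RE.match(line)
        if match:
            counts[match.group("path").lower()] += 1
    return counts


def suspicious_lsp(log_text, allow=KNOWN_GOOD_LSP):
    """Return sorted O10 paths whose file name is not on the allowlist."""
    return sorted(
        path for path in lsp_entries(log_text) if basename(path) not in allow
    )


def lsp_changes(before, after):
    """Compare two logs; return (paths that vanished, paths that appeared).

    A name in the second list with a matching loss in the first is the
    rename-on-reboot pattern described in the thread.
    """
    old, new = set(suspicious_lsp(before)), set(suspicious_lsp(after))
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    gone, appeared = lsp_changes(LOG_BEFORE, LOG_AFTER)
    for path, count in lsp_entries(LOG_AFTER).items():
        flag = "ok" if basename(path) in KNOWN_GOOD_LSP else "CHECK"
        print(f"{flag:5} {count}x {path}")
    print("no longer listed:", gone)
    print("newly listed:    ", appeared)
```
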
  11. ccureton1337

    ccureton1337 Private E-2

    Alright the command prompt is popping up and staying up when I click on GetRunKey. I am getting an error however. It displays the line "'regedit' is not recognized as an internal or external command, operable program or batch file", about 20 times. Then at the bottom it shows...

    C:\xtmpsysc.txt. The file cannot find the file specified.

    grep: C:\xlmsys1.txt: No such file or directory.

    The ShowMe program still behaves as previously described...pops up and closes out
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, download this version (called MGTools.zip) and extract to the same place as last time. Then try running these new versions! These versions substitute in a replacement command to use since you seem to be missing the Windows Registry Editor.

    MGTools.zip
     
  13. ccureton1337

    ccureton1337 Private E-2

    These two messages are still showing up in the command prompt of the GetRunKey.

    C:\xtmpsysc.txt. The file cannot find the file specified.
    grep: C:\xlmsys1.txt: No such file or directory.

    ShowMe still opens, closes right away.

    Sorry for being a pain... I do appreciate the help tho.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Give me a list of all files you see in the folder with ShowNew.bat and GetRunKey.bat. Previous times, even though ShowNew did not run all the way, you had a newfiles.txt log. Please attach it, if another was created when you ran the new version.

    Also do you see the below files?
    C:\windows\system32\autoexec.nt
    C:\windows\system32\command.com
    C:\windows\system32\config.nt


    Did you notice the O10 lines in your HJT log were back with a new file name? It was now vzxrfsmerdb.dll, you need to use LSP-fix to delete this DLL. Each time you see any of those O10 lines in HJT, it will show the new DLL file name that needs to be fixed. This will keep renaming each time you reboot so while we are fixing things, it would be good if you do not shutdown or reboot your PC after running any fixes and attaching logs.

    Try doing the below.

    Download the below search.zip file and extract the files from it into the same folder where you have been extracting the MGtools.zip file. Then locate the search.bat file and double click on it. If it runs properly a file named search.txt should pop up in notepad when finished. This file should be in the same folder where you ran search.bat from. Attach the search.txt file here.

    Search.zip


    Now please download FindAWF by noahdfear and save it to your desktop:

    Please double-click FindAWF.exe to run it.
    If a security alert shows, allow the program to run.
    When the tool has completed, a report will open in Notepad.
    Please post the results of the awf.txt in your next reply.
    Last edited: May 14, 2007
  15. ccureton1337

    ccureton1337 Private E-2

    The following is a list of files that is in the folder with GetRunKey and ShowMe before I extracted the search.zip...

    GetRunKey.bat
    grep.exe
    locate.com
    ltime.exe
    ShowNew.bat
    swreg.exe

    Where was I supposed to look for the following files...
    C:\windows\system32\autoexec.nt
    C:\windows\system32\command.com
    C:\windows\system32\config.nt

    I got the search.zip to work properly and I've attached the text file but the FindAWF just displayed the creating info of the program in a command prompt with "press any key to continue..." When I pressed a key to continue on, it would close out without any text file in notepad popping up.
     

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure what you mean! That is where you look for them.


    I'm going to have you run a procedure below which will attempt to delete an infected ndis.sys file and replace it with a good copy from a backup on your PC.
    • Print or save the below instructions locally because you need to close all browsers later.
    • Download the attached FixND.zip file to your Desktop. (it is attached at the bottom of this message)
    • Now double click on FixND.zip and extract the contents to your Desktop.
    • This should create two files on your Desktop. FixND.bat and process.exe
    • Note some antivirus programs may falsely detect process.exe as malware. It is not malware. Don't worry about it if you see a message about process.exe. Allow it to run later when we run the procedure.
    • Now you need to boot into safe mode to run the below. It is necessary that when you login to safe mode that you login to the same user account where you just extracted the above files on the Desktop or else you will not find them.
    • Once in safe mode, shutdown ALL unnecessary applications including browsers
    • Now double click on the FixND.bat file to run the fix.
    • It will create a log file named: c:\FixND.txt
    • After running this you will not be able to shutdown or restart your PC in the normal fashion. You will have to hold in the power button on your PC until it powers down.
    • Close ALL open windows now!!!!!
    • Power down your PC now. Wait about 15 seconds and then power back up.
    • After power up, continue on to the below.
    Download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    Quote:
    Files to delete:
    C:\cp1041.nls
    C:\cp1467.nls
    C:\WINDOWS\system32\totour.exe
    C:\WINDOWS\system32\drivers\ndis.sys.bad
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt please attach that log here.
    Come back here and attach the below files
    • c:\FixND.txt
    • C:\avenger.tx
    • see if ShowNew & GetRunKey will work now
    • new HJT log
     

  17. ccureton1337

    ccureton1337 Private E-2

    The GetRunKey and Showme programs still ran as before. No changes.

    The HijackThis text I attached is post-LSP-fixed. After rebooting the computer from running the Avenger program, zub.dll was the O10 files and I deleted those prior to running HijackThis.
     

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have not answered my question!


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [amncytnc] C:\ncyfqtpb.bat

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\ncyfqtpb.bat

    Now run Ccleaner
    Now reboot in normal mode

    Now attach a new HJT log

    Are you still having malware problems?
     
  19. ccureton1337

    ccureton1337 Private E-2

    I see all three of these files in explorer

    C:\windows\system32\autoexec.nt
    C:\windows\system32\command.com
    C:\windows\system32\config.nt
     
  20. ccureton1337

    ccureton1337 Private E-2

    I couldn't find this file "C:\ncyfqtpb.bat" in explorer.

    I think my computer is finally seeing the light. It's no longer rebooting whenever I try to dload files or programs. And as of right now it's not disconnecting from the internet after a short period of time. One thing I still notice though, and I'm not sure if it's a malware problem or not, is that when searching on Google and I click on one of the search results, it takes me two or three times before it will open the correct page. I notice in the address bar while the page is loading a "jump" url sometimes displays before redirecting me to another site. Is this associated with malware?
     

  21. ccureton1337

    ccureton1337 Private E-2

    One other thing, when I run Ad-Aware a malware.psguard continues to show up. I delete it and every time it shows back up. It's being classified as a registry key in Ad-Aware. Will this cause me problems other than crashing Ad-Aware sometimes?
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It could be! You had a ton of problems that we have been removing. It could have caused all kinds of issues within your system!

    Run this procedure: WareOut Removal. Then attach the requested log.

    Also attach a log from AdAware. It could just be finding a left over registry key from a SmitFraud infection.
     
  23. ccureton1337

    ccureton1337 Private E-2

    For some reason it wouldn't let me attach the report.txt but here's what was in it...

    Fixwareout Last edited 5/15/2007
    Post this report in the forums please
    ...
    »»»»»Prerun check
    HKLM\SOFTWARE\~\Winlogon\ "System"="kdxml.exe"

    »»»»»

    »»»»» Postrun check
    ....
     

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, WareOutFix should have resolved your Google search issues. Is that true?


    Now let's see if we can fix what Ad-Aware should be able to fix on its own!

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Is an Ad-Aware scan clean now?
     
  25. ccureton1337

    ccureton1337 Private E-2

    Yes, my Google is working great now, thank you.

    The Ad-Aware is still showing the malware.psguard after using fixme.reg. After double clicking on it, it said the information had been successfully entered into the registry.

    By the way, I remember reading in the prereqs for removing malware that after everything was working properly again I was to fix the system restore. Can I do this now or should I wait until the Ad-Aware issues are resolved?
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'll tell you when!



    Please download and install Registrar Lite. Make sure you select a Majorgeeks download link and not the author's!

    Run Registrar Lite, navigate to the following key and Set Permissions for Everyone (I explained how to do that further down).

    To set permissions for Everyone for each key, do the following
    • Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    • Click-on Security in the top Menu
    • Select Edit Permissions so we can change permissions to everyone. Now here is what I expect you to see in the Group or user names area of the form that comes up:
    • Everyone
    • SYSTEM
    • Select Everyone by clicking on it.
    • Now at the bottom in the Permissions box click the check box for Full Control.
    • Then click Apply and then OK to get back to the main Registrar Lite screen.
    • Now right click on the registry key and select Delete.
    • Then click View and Refresh. Check to see if the registry key just deleted truly deleted.
    • If it does not delete, I want you to boot into safe mode and repeat these exact same steps to see if we can do it from safe mode.
    Then reboot your PC!

    Now run Ad-Aware again and tell me if it is still detected.
     
    Last edited: May 18, 2007
  27. ccureton1337

    ccureton1337 Private E-2

    Everyone is not an option in the area. Here's what I see...

    Administrators
    CREATOR OWNER
    Power Users
    SYSTEM
    Users
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try using CREATOR OWNER!
    If that does not work, try Users.
    If that does not work, Administrators.
     
  29. ccureton1337

    ccureton1337 Private E-2

    Sorry for the delayed response. I had to run outta town this weekend.

    I tried all three different types and none of them work for me. When I go to delete the key it says access denied. I did notice that when I would select Full Control for CREATOR OWNER, the box would check but when I would select Apply, the boxes would clear (Full Control & Read).
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is CounterSpy still installed? If so uninstall it now!

    Then no matter whether CounterSpy was installed or not, try booting into safe mode and see if you can delete the registry key using any of the User type names.

    Question: What names appear in the Group or User names: box? And also tell me which Permission options are checked in the lower box ( Read, Full Control, Special Permissions).

    If the registry key still exists, let's try another tool!

    1. Download RegASSASSIN.

    2. Unzip the file to your desktop. You will have a new desktop icon named RegAssassin.exe.

    3. Reboot your computer into SAFE MODE

    4. Once in SAFE MODE, double click on the RegAssassin icon to open the program.

    5. Checkmark the options "Reset Permissions" and "Delete Registry Keys and all Subkeys".

    6. In the registry key window carefully enter:

    HKLM\software\psguard.com

    8. Click on Delete hot button.

    9. Reboot into Normal Mode.

    10. Is that registry key gone now?
     
  31. ccureton1337

    ccureton1337 Private E-2

    Ok I got an even bigger problem for the time being. I guess something I did yesterday trying to delete that psguard file messed my computer up seriously. My comp worked fine yesterday until I rebooted after using Registrar Lite. Now I can't even log into Windows. When the accounts show up, I try to click into any of the accounts and I get this error message "A problem is preventing Windows from accurately checking the license for this computer. Error Code: 0x80070005, Ok." I can't even log into my computer now to try to fix it. I'm on my work PC right now writing you. I hope I haven't seriously messed something up.
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't see how anything from the procedures in messages # 26 & # 28 could cause this. Did you do anything else other than what was written? Did you run any other scans or perform updates for any software?

    See the below (which does not match the error number but seems related):

    http://support.microsoft.com/kb/310794

    And then there is this one, which matches your error number:

    http://support.microsoft.com/kb/306081/en-us


    After thinking about this a little more, this could be due to what PSGuard has done to your PC. And in trying to remove PSGuard, it has caused this problem.

    Hopefully you have your Windows SP2 CD.
     
  33. ccureton1337

    ccureton1337 Private E-2

    http://inetexplorer.mvps.org/archive/wuc.htm

    Remember me saying I got an "error: access denied" message? Well, it seems these symptoms are associated according to this chart.

    I hope we have the disc. My father said something about getting the Windows XP off the internet.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is not related to deleting the registry key. That error message is related to Windows procedures, like product activation or Windows Update (which is what the table you linked to is for).

    You mean you downloaded it off the internet?? If you don't have a valid licensed CD, then that is probably your problem. If the license was never valid to begin with then you will need to get a valid licensed copy of Windows XP SP2 and maybe you can repair it as the links show. Otherwise you may have to reinstall.
     
  35. ccureton1337

    ccureton1337 Private E-2

    The following is from one of the Microsoft articles...

    6. Rename the following files by using the REN command. To do so, follow this syntax:
    REN file_name.extension file_name.old
    • Wpa.dbl
    • Pidgen.dll
    • Actshell.html
    • Licdll.dll
    • Regwizc.dll
    • Licwmi.dll
    • Wpabaln.exe


    So would the first file look like this... REN Wpa.dbl.old ????? Is that an example? Don't want to screw anything else up since I don't really know what I'm doing.

    Plus, we do have the XP Professional disc. It was ordered off the internet, not dloaded, and we have the serial key and all.

    Fixing this problem is a pain since we can only log into our accounts through safe mode and without internet. I feel crippled!
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes that is fine. You just need to add the .old extension to the end.


    Yes I understand your pain!
     
  37. ccureton1337

    ccureton1337 Private E-2

    When walking through the steps to fix my computer in repair mode it asks me to enter this path...

    cd %SystemRoot%\System32

    I entered it just like above and it told me the file was not found. Any suggestions? Does it look like I typed it in correctly?
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you typed it correctly. I'm not sure why it said not found. For you, that is the same as doing the below so use the below instead:

    cd C:\WINDOWS\system32

    make sure you have a space between cd and c:\


    I also want to advise you of some information that Adrynalyne (a moderator here on MGs who used to work for Microsoft Tech Support) gave to me.
    So be prepared for this since this may be what you will have to do.
     
  39. ccureton1337

    ccureton1337 Private E-2

    When you say repair install are you talking about completely re-installing Windows XP? If this is the case, is this where we'll have to back up data so it's not lost? If so, is there any way to get around backing everything up?
     
  40. ccureton1337

    ccureton1337 Private E-2

    Also while running through the MS support the REN command would work for

    Actshell.html


    And the expand commands (expand licwmi.dl_ %systemroot%\system32) wouldn't work. The way I typed them in the command line was as follows...

    expand licwmi.dl_System32

    How's that look in your opinion?
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A repair install or a rebuild ( see this: http://www.informationweek.com/windows/showArticle.jhtml?articleID=189400897 ) does not remove any personal data, however it will impact various things in your Windows setup and will normally require redownloading of Windows updates and possibly other software on your system. Even so, it is always advisable to back up data anyway to avoid potential loss of data.
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What happened? Does the file exist to begin with?


    That is not what they asked you to do. They said

    expand licwmi.dl_ %systemroot%\system32

    Look at what you said you typed. You did not even put a space between the underscore and the System32, but System32 is not going to give the desired result even if you have a space. You must either use %systemroot%\system32 or c:\windows\system32


    Note: There is a space after expand and also after licwmi.dl_
     
  43. ccureton1337

    ccureton1337 Private E-2

    I'm sorry, when I ran through the script this morning the only file it wouldn't rename was actshell.html. It said "The system cannot find the file or directory specified." I completed all the other steps successfully expanding and copying each file as instructed. After rebooting, the problem still remains and it could all lie in the hands of that one file not renaming or expanding.

    Might as well stop beating around the bush and plan on repairing XP.
    :cry
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, as my friend Adrynalyne stated, the fixes for activation issues from Microsoft never seem to work anyway.
     
  45. ccureton1337

    ccureton1337 Private E-2

    Ok, I've proceeded with the repair install and as you've probably guessed since I'm writing you, it's all bad. I got all the way to the step where the system reboots and then shows the blue window screen and finishes setup. However, just as I believe I'm home free I get an error message, a fatal error message. The message was "An error has been encountered that prevents Setup from continuing. One of the components that windows needs to continue setup could not be found. The operation was cancelled by the user, Ok". I've looked into this error message and many claim it's due to a defective disc. My disc is slightly scratched but if it were an audio CD, the music wouldn't skip. I also heard that if it is indeed your disc, sometimes you can copy the contents straight to your hard drive and run it from there. Well, that's a problem for me when I'm in the middle of setup and it won't let me into Windows at all anymore. Safe mode won't even let me in while setup is going on. So how would this copying to the hard drive be possible?

    Process of elimination, process of elimination I tell ya. LOL
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Can you go to another PC (like a friend's) and try to make a copy of your scratched CD? Not sure if it will copy if it is badly scratched, but if it is not too bad, a copy may work. Then you can use this backup copy to continue.
     
  47. ccureton1337

    ccureton1337 Private E-2

    I used the backup copy and I still get the fatal error message.
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, that error message has been known to be caused by a defective disk, and Microsoft documented that and a workaround in the link below.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;812247

    However, if you made a backup copy of your CD it would seem unlikely that both disks were defective. Thus I'm not sure this would help you. Are you sure the copy is good?

    You may want to try asking about this in the Software Forum but it is starting to look like you will need to do a full reinstall.
     
  49. ccureton1337

    ccureton1337 Private E-2

    I got Windows working now but I have two OS's on my comp now. Well, at least for the time being. I was able to send the new OS to a different directory and continue with leaving everything intact. What I'm gonna do from here, I don't know. How it'll affect my files and programs, I'm not sure. I haven't done any research on it yet and haven't really got a chance to test anything. The article from the last post probably wouldn't have worked for me because I was stuck in the repair process and it wouldn't let me into Windows even in safe mode to do these procedures.

    Once again, I appreciate you sticking around and trying to help me through my misery even though originally it was to fix my malware issue.
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I assume the purpose of this was to get your system running so you could copy any files and data you need to a safe place (CDs or DVD...etc) to avoid losing it. After you do this you can either format and reinstall completely from scratch or just continue to run from the new version of Windows you installed.

    The new copy of Windows will not know about anything previously installed. Thus you will need to reinstall all programs that you use. And also get all updates and configure everything.
     
