Persistent malware problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by lpeter, Jun 15, 2007.

  1. lpeter

    lpeter Private E-2

    McAfee indicates that malware is trying to send emails using my computer. First, I get an alert that says something like "an email is being sent to 5 addresses." Then McAfee VirusScan indicates something like "1 of 4 emails have been sent, 3 emails could not be sent" to different email addresses that I don't recognize. This problem appears to start when I open my browser. (I'm unsure if it happens when opening other apps, too.) Browser is usually delayed in opening for 30-60 seconds, finally opens to my google page, and then within a few minutes, McAfee alerts me of the email problem above.

    Before finding your site I ran McAfee and deleted the following viruses:
    Trojan – Spam-Mailbot
    Files: three(1).exe
    Bootloader.exe
    Windows\system32\cqkjlxn.exe (deleted)
    Windows\system32\upwjhphj.exe (deleted)


    I have gone thru the steps you've recommended (1 thru 6).

    Spybot finds 2 items under Troj.PrintSpool. These items seem to come back either in the same form

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\uoo9feuzbauxue6

    and

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\uoo9feuzbauxue6

    or slightly different form (i.e., the file name changes to e.g., fceydats7eeoaeor)

    CounterSpy found a number of viruses but I deleted them and don't remember what they were (one of your steps says to delete quarantined files in A/V folders). When I ran CounterSpy again, no malware showed up.

    I'm attaching findings from
    BitDefender
    PandaActiveScan
    GetRunKey
    ShowNew
    HJT

    Many thanks!
     


  2. lpeter

    lpeter Private E-2

    Some additional attachments for this post...
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please use windows explorer to find and delete:
    C:\Program Files\Online Services\PeoplePC\ISP5900\Dll\RAS.DLL
    Then use add/remove programs to uninstall:
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9

    Now

    1. Download this file - Combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.

    Now...
    * Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    * On the page that opens, scroll down to Print Spooler Service
    * then right click the entry, select Properties and press Stop Service.
    * When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    * Click OK until you get back to Windows.

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt
    Now attach new logs for:

    * GetRunKey
    * ShowNew
    * HJT
    * Avenger
    * ComboFix
    Be sure to tell us how things are running.
     
    Last edited by a moderator: Jun 15, 2007
  4. lpeter

    lpeter Private E-2

    I followed instructions. Computer seems to be a bit sluggish now. When I ran the various programs suggested in the instructions, some of the log files did not immediately appear on the desktop. In fact, I had to hit the F5 key to make some of them appear. Also, McAfee does not load the Privacy Service component now. When I tried to manually run it, nothing happens. In fact the cursor does not function when placed within the McAfee Security Center box after I click the Privacy Service tab. Everything else seems to be running. When I opened Firefox for the first time, it took at least 20-30 seconds to load (much quicker the second time.) Interestingly, I did not see any Virus alerts re the email problem I had.

    A couple of items to note as I went thru the instructions:

    1) Avenger ran after rebooting, however while it was running the following dialogue box appeared:
    Windows -- No Disk
    Exception Processing Message
    C0000013 Parameter 75b6bf9c 4 75b6bf9c 75b6bf9c

    2) When I ran HJT, I only saw about half of the items that you designated to fix. Others did not appear to show up in the scan results.

    I'm attaching:
    getrunkey
    shownew
    hjt
    avenger
    combofix
     


  5. lpeter

    lpeter Private E-2

    Here are the additional attachments
     
  6. lpeter

    lpeter Private E-2

    I see that my attachments did not load. Trying again...
     


  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please uninstall Counterspy ....we are done with it.

    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt
    Now attach new logs for:

    * GetRunKey
    * ShowNew
    * HJT
    * Avenger
     
  8. lpeter

    lpeter Private E-2

    Followed all instructions. Restarted computer. Experienced trouble when I tried to post a reply the first time. I got to this reply page but no letters appeared when I began typing. I rebooted. Computer took a while until it came up fully. Once it did, I received a McAfee alert that "the application eaxaedof.exe is requesting access to the internet." I did not recognize the application so I blocked access. Then I proceeded to this page to enter this reply.

    Note also that prior to applying the fixes you suggested today, the email problem had returned this afternoon. Also, as I write this email I have just received a virus warning "Potential Worm Activity Detected. The last few sent emails contained similar subject or body content."

    Also, McAfee Privacy Service is still disabled and I'm unable to activate it when I try.

    Attaching requested files to this email and the next one.
     


  9. lpeter

    lpeter Private E-2

    additional attachment...
     


  10. lpeter

    lpeter Private E-2

    I have also noticed now that Outlook Express stops functioning once the worm activity begins (i.e., it tries to connect but is unable; it also locks up so that I must quit the application via the Windows Task manager). This is new. Previously the worm would simply function in the background.
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Open notepad and copy and paste the following text in the quote box into the window:
    Save this as fix.bat
    Choose to save as all files.
    Doubleclick fix.bat and let the program run.
    A small black DOS window will flash, this is normal.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Attach new logs for:
    HJT
    ShowNew
    GetRun
    Avenger
     
  12. lpeter

    lpeter Private E-2

    Followed instructions. See attached files.


     


  13. lpeter

    lpeter Private E-2

    runkeys attached
     


  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Stubborn little nasty....let's try again.

    Open notepad and copy and paste the following text in the quote box into the window:
    Save this as fix.bat
    Choose to save as all files.
    Doubleclick fix.bat and let the program run.
    A small black DOS window will flash, this is normal.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:
     
  15. lpeter

    lpeter Private E-2

    Followed all instructions.


     


  16. lpeter

    lpeter Private E-2

    I'm attaching 2 HJT files. (It occurred to me that I wasn't certain if you are requesting the HJT log that is generated when I run HJT early in your instructions, or if you want me to generate the file after I've completed all of your instructions.) As you can see I've labeled the 2 files "before" and "after".
     


  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please run CCleaner and delete all the temp files!

    Use add/remove programs to uninstall:
    AIM 6.0 ---> it's the reason for the troubles!

    * Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    * On the page that opens, scroll down to Aim Version 6
    * then right click the entry, select Properties and press Stop Service.
    * When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    Now do the same thing for Print Spooler Service.
    * Click OK until you get back to Windows.

    * Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    * At the lower right, click on the Config button
    * Then click the Misc tools button
    * Select Delete an NT Service
    * Copy/paste Aim-v6 into the box that opens, and press OK
    * If you receive any error messages just ignore them and continue.
    Now do the same thing for iqioquiot3obny
    * Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Now re-Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.

    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:
    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt
    Now attach new logs for:

    * GetRunKey
    * ShowNew
    * HJT ----last scan after doing the fix!
    * Avenger
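    A defender-side check added here as an example; it is not from the thread, from TimW, or from any MajorGeeks tool. It reads the Services registry key that posts #1 and #17 were working through by hand (the Troj.PrintSpool entries under HKEY_LOCAL_MACHINE\SYSTEM\...\Services and the Aim-v6 / iqioquiot3obny services removed with HJT's Delete an NT Service) and reports entries matching the patterns seen in this thread: a DisplayName that borrows a legitimate name while the key name does not match, and a key or file name that looks machine-generated. The length and character-class thresholds in Test-RandomName are assumptions, and the script only reports; it changes nothing.

```powershell
# Heuristic (assumed thresholds): 7+ lowercase letters/digits that either contain a
# digit (uoo9feuzbauxue6, iqioquiot3obny) or have no vowels at all (cqkjlxn, upwjhphj).
function Test-RandomName {
    param([string]$Name)
    if ($Name.Length -lt 7 -or $Name -cnotmatch '^[a-z0-9]+$') { return $false }
    return ($Name -match '\d') -or ($Name -notmatch '[aeiou]')
}

function Get-SuspiciousService {
    $servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $servicesRoot -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Skip kernel and file-system drivers (Type 1/2); the rogues here were Win32 services.
        if (-not ($props.Type -band 0x30)) { continue }
        $name    = $key.PSChildName
        $display = [string]$props.DisplayName
        $image   = [string]$props.ImagePath
        $reasons = @()

        # Pattern 1: a lookalike. The real spooler is key 'Spooler' running spoolsv.exe;
        # a "Print Spooler" service under any other key name is the Troj.PrintSpool pattern.
        if ($display -match 'Print Spooler' -and $name -ne 'Spooler') {
            $reasons += "DisplayName mimics the Print Spooler but the key is '$name'"
        }
        if ($name -eq 'Spooler' -and $image -notmatch 'spoolsv\.exe') {
            $reasons += 'real Spooler key points at an unexpected binary'
        }

        # Pattern 2: a machine-generated key name, as Spybot kept finding under Services.
        if (Test-RandomName $name) { $reasons += 'key name looks machine-generated' }

        # Pattern 3: the service binary is a random-named .exe in system32, like the
        # files McAfee deleted in the first post.
        if ($image -match '\\system32\\([a-z0-9]+)\.exe' -and (Test-RandomName $Matches[1])) {
            $reasons += 'ImagePath is a random-looking system32 executable'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name        = $name
                DisplayName = $display
                ImagePath   = $image
                Start       = $props.Start   # 2 = Automatic, 3 = Manual, 4 = Disabled
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

# Report only: stopping or deleting a flagged service stays a separate, deliberate step.
Get-SuspiciousService | Format-Table -AutoSize
```

    Legitimate services with terse names can appear in the output, so treat each row as something to verify (signer, file date, DisplayName) rather than as a verdict.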
     
  18. lpeter

    lpeter Private E-2

    Followed instructions but there was one glitch. I could not "stop" aim version 6 before I disabled it. It was in "started" state, but the options to stop, pause, etc. were grayed out.


     


  19. lpeter

    lpeter Private E-2

    run keys attached...
     


  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Open services.msc again and tell me if these two still exist:
    Aim-v6
    Print Spooler Service ----> this is still showing after the fix. Did you have an error with the script?
    Aim6 may not be there...but stop the print spooler service.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking fix, exit HJT

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:
    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt
    Now attach new logs for:

    * GetRunKey
    * ShowNew
    * HJT
    * Avenger
     
  21. lpeter

    lpeter Private E-2

    Aim-v6 was no longer there. Print Spooler fixed again. Similar to last time it showed as "stopped" when I found it. Did not see Print Spooler Service in HJT scan. Once again I set it to disabled and then followed rest of your instructions.

    I notice an exception processing message every time I reboot to run avenger. Avenger runs a bit and then a dialogue box pops open and says what I believe is the same thing every time:

    Exception Processing Message
    C0000013 Parameter 75b6bf9c 4 75b6bf9c 75b6bf9c

    I have to click continue or quit or (whatever the other button is) several times for avenger to finish and generate the log. This time I kept hitting continue.

    BTW, my daughter lives on AIM. Will I be able to reinstall at some point? McAfee Privacy Service also still showing as disabled. Thx.

     


  22. lpeter

    lpeter Private E-2

    runkeys...
     


  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The aim6 that we removed was part of mywebsearch ...just be sure that you download from AOL ...or run trillian, which will allow aim contacts.

    You may need to reinstall McAfee ...the nasties may have corrupted the security center.

    Your logs look clean. You may uninstall any programs we had you download (including CounterSpy, etc).

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
    * go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
    * How to Protect yourself from malware!
     
  24. lpeter

    lpeter Private E-2

    Many thanks, Tim!!! I'll monitor my computer for the next day or so and then implement final steps as suggested.
     
  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let us know ....you're welcome.
     
