Please Help With Malware Removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by wolfone, Jun 7, 2006.

  1. wolfone

    wolfone Private E-2

    I have read and followed your post on Read and Run Me First before asking for support. I am still having problems. I have attached the bit defender scan report, the panda activescan report and the hjt report. My main problem was that I got this pop up in the middle of my screen. There is no way to close it, and there is no indication of it on the task bar. I can't move it or change it, and it always stays on top. It is not popping up as I am writing this, however I don't know if it is indeed gone. My biggest concerns are the items that Bitdefender and Panda found and could not get rid of. One other thing that I noticed, when running CounterSpy, it would find mwtrg.dat. It says it was an adware and recommended removal, so I did. But every time I rebooted, it was right back. I could see it in explorer and delete it myself, but it still came back on the reboot. Any and all help and/or information you can give me will be greatly appreciated. Please let me know if you need any other information from me.

    Kindest Regards, Wolfone
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You have a load of different infections: WareOut, PurityScan, Qoologic, WinlogonHook, SurfSideKick, ZenoSearch, traces of Look2ME, and more. You probably got such a bad infection because you have never updated your Windows OS and Internet Explorer versions. You are running original WinXP. This is a major security risk. After we fix your current problems, you must get updated. DO NOT TRY TO UPDATE while infected.

    Do you know what the below is?
    C:\Program Files\MegaMotivator\MegaMotivator.exe

    Let's start by fixing all but Qoologic. We will do Qoologic later because we need to collect more info with some other scanners before we can fix it.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe
    • Save it to your desktop and then run it by double clicking on it. It creates a folder named c:\fixwareout.
    • Click Next, then Install.
    • Then make sure Run fixit is checked (this runs C:\fixwareout\fixit.bat). And then click Finish.
    • The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; this is normal.
    • When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items if they still exist (if you get any error messages from HijackThis, just ignore them and continue):
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.meloco.com/index.php?i=sm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINNT\System32\ssn6tuu.exe"
    O4 - HKLM\..\Run: [w9f6bc2f.dll] RUNDLL32.EXE w9f6bc2f.dll,I2 0012b2e209f6bc2f
    O4 - HKCU\..\Run: [Mszqbek] ?\l?gonui.exe
    O4 - Startup: Z_Start.lnk = C:\WINNT\SYSTEM32\dwdsregt.exe
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\System32\dmonwv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\System32\dmonwv.dll (file missing)
    O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
    O15 - Trusted Zone: *.mmohsix.com
    O15 - Trusted Zone: *.sxload.com
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host.oddcast.com/hostClientIE.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{10FB42CC-85CE-4476-A1D0-66841997B8C4}: NameServer = 85.255.116.121,85.255.112.69
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8F1F68D9-0EA0-4D3E-8928-F89305D436D5}: NameServer = 85.255.116.121,85.255.112.69
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CA2BBFAB-2A07-4738-B3A5-C33C40E4BDB5}: NameServer = 85.255.116.121,85.255.112.69
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D074A3D5-4B70-45B3-ADF8-CD6DEF1C921A}: NameServer = 85.255.116.121,85.255.112.69
    O17 - HKLM\System\CS1\Services\Tcpip\..\{10FB42CC-85CE-4476-A1D0-66841997B8C4}: NameServer = 85.255.116.121,85.255.112.69
    O17 - HKLM\System\CS2\Services\Tcpip\..\{10FB42CC-85CE-4476-A1D0-66841997B8C4}: NameServer = 85.255.116.121,85.255.112.69
    O20 - AppInit_DLLs: repairs303169590.dll C:\WINNT\System32\winspool.dll
    O20 - Winlogon Notify: MCD - C:\WINNT\system32\u8ru0i99e8.dll (file missing)


    After clicking Fix Checked, close HijackThis, and click OK to proceed.

    At the end of the fix, reboot into safe mode and use Windows Explorer to double check for the below files and delete if found:
    C:\Program Files\UnSpyPC <--- delete the whole folder if found
    C:\WINNT\System32\repairs303169590.dll
    C:\WINNT\System32\winspool.dll
    C:\WINNT\System32\ssn6tuu.exe
    C:\WINNT\System32\w9f6bc2f.dll
    C:\WINNT\SYSTEM32\dwdsregt.exe
    C:\WINNT\System32\dmonwv.dll
    C:\Program Files\Comon Files\ASKS~1\MSDTC.EXE
    C:\WINNT\SYSTEM32\mwtrg.dat
    C:\WINNT\SYSTEM32\swinkqez.exe


    Now reboot into normal mode and please attach the contents of the logfile C:\fixwareout\report.txt

    There could be additional cleanup to do from Wareout, and the log will let us know.

    Also attach a new HijackThis log. I'm expecting that the C:\WINNT\System32\winspool.dll item may come back.
     
  3. wolfone

    wolfone Private E-2

    Hi Chaslang - Thanks so much for responding. However, the two links you provided me for the Fixwareout will not load. I keep getting the "cannot find server, page cannot be displayed" for both of the links. Any suggestions?

    Kindest Regards,

    Wolfone
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's probably because of all of the infections you have. The links work just fine. Try again, and if they do not work just continue through all the other steps just like you did the FixWareout step. Obviously at the end you will not have the C:\fixwareout\report.txt, so just attach the new HJT log and we will continue.
     
  5. wolfone

    wolfone Private E-2

    Hi Chaslang,

    Thanks - I got Fixware to download - I used my other computer.

    In response to your original post, MegaMotivator.exe is a program I installed. It is a legitimate program.

    I followed your instructions with Fixware (log is attached).
    HiJackThis did not launch automatically from Fixware, but I started it manually. (New log is attached.)

    After running HiJackThis, I checked the items you had listed. All but 3 were found in the list. The first, third, and fourth "R0-" items were not found in the HJT scan.

    After clicking the Fix Checked, I closed HJT, and rebooted in safemode.

    I used Windows Explorer to check the items you listed. Only one was found - the C:\WINNT\SYSTEM32\mwtrg.dat. I deleted this with Windows Explorer.

    I rebooted in normal mode and checked for the mwtrg.dat again and, it is still there.

    Let me know what I need to do next. Thanks, again.

    Kindest Regards,

    Wolfone

    P. S. I just got an adware popup while attaching the files.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why is HijackThis now installed and being run incorrectly? You have it here:

    C:\Documents and Settings\LB\Desktop\virus cleaners\hjt\HijackThis.exe

    You had it correct in your first log. Delete the above copy and do not run it anymore. Only use the copy in C:\Program Files\HJT\HijackThis.exe

    You must make sure you have viewing of hidden and system files enabled. Some of those files should have been found. At any rate, let's continue on to locate other hidden files related to your Qoologic infection, and we will add your other problems that did not get fixed in the first go around (possibly because some hidden files were not deleted).

    Download FindQool by LonnyRJones
    • Extract the files and place the FindQool folder into root folder of your hard disk. This is usually C:\
    • Open the folder and run Qlocate.bat
    • attach the contents of the txt.log which will open when the scan is finished.
    FindQool is not a removal procedure. It is a scan that helps us to locate hidden files and registry keys so we can work up a fix for the Qoologic infection.
     
  7. wolfone

    wolfone Private E-2

    Hi Chaslang - sorry about the wrong HJT - It has been deleted.

    I checked explorer for the hidden files and folders option. It was already active.

    I have attached the report for FindQool.

    Thanks again for working with me on this.

    Kindest Regards,

    Wolfone
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and check mark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist, but we need to check for them anyway.

    C:\WINNT\System32\ssn6tuu.exe
    C:\WINNT\System32\w9f6bc2f.dll
    C:\WINNT\SYSTEM32\dwdsregt.exe
    C:\WINNT\SYSTEM32\swinkqez.exe
    C:\WINNT\SYSTEM32\mwtrg.dat
    C:\WINNT\system32\gyfotk.exe
    C:\WINNT\system32\wivst.exe
    C:\WINNT\system32\mgeolss.dll
    C:\WINNT\system32\iedveph.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ygqpa.exe



    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes. (You may not see these! If not, just continue.)
    C:\Program Files\Common Files\??crosoft\d?xplore.exe
    C:\PROGRA~1\ASEMBL~1\wowexec.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.meloco.com/index.php?i=sm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\wivst.exe
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,iedveph.exe
    O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINNT\System32\ssn6tuu.exe"
    O4 - HKLM\..\Run: [w9f6bc2f.dll] RUNDLL32.EXE w9f6bc2f.dll,I2 0012b2e209f6bc2f
    O4 - HKCU\..\Run: [Mszqbek] ?\l?gonui.exe
    O4 - Startup: Z_Start.lnk = C:\WINNT\SYSTEM32\dwdsregt.exe
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\System32\dmonwv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\System32\dmonwv.dll (file missing)
    O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
    O15 - Trusted Zone: *.mmohsix.com
    O15 - Trusted Zone: *.sxload.com
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host.oddcast.com/hostClientIE.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{10FB42CC-85CE-4476-A1D0-66841997B8C4}: NameServer = 85.255.116.121,85.255.112.69
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8F1F68D9-0EA0-4D3E-8928-F89305D436D5}: NameServer = 85.255.116.121,85.255.112.69
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CA2BBFAB-2A07-4738-B3A5-C33C40E4BDB5}: NameServer = 85.255.116.121,85.255.112.69
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D074A3D5-4B70-45B3-ADF8-CD6DEF1C921A}: NameServer = 85.255.116.121,85.255.112.69
    O17 - HKLM\System\CS1\Services\Tcpip\..\{10FB42CC-85CE-4476-A1D0-66841997B8C4}: NameServer = 85.255.116.121,85.255.112.69
    O17 - HKLM\System\CS2\Services\Tcpip\..\{10FB42CC-85CE-4476-A1D0-66841997B8C4}: NameServer = 85.255.116.121,85.255.112.69
    O20 - AppInit_DLLs: repairs303169590.dll C:\WINNT\System32\winspool.dll
    O20 - Winlogon Notify: MCD - C:\WINNT\system32\u8ru0i99e8.dll (file missing)

    Now exit HJT
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):

    C:\WINNT\System32\ssn6tuu.exe
    C:\WINNT\System32\w9f6bc2f.dll
    C:\WINNT\SYSTEM32\dwdsregt.exe
    C:\WINNT\SYSTEM32\swinkqez.exe
    C:\WINNT\SYSTEM32\mwtrg.dat
    C:\WINNT\system32\gyfotk.exe
    C:\WINNT\system32\wivst.exe
    C:\WINNT\system32\mgeolss.dll
    C:\WINNT\system32\iedveph.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ygqpa.exe


    Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second time.

    Now attach a new HJT log and a new log from FindQool

    Also tell me how things are working!

    We may need to redo the FixWareOut procedure now but the HJT fix part should be smaller.
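
    The HijackThis entries chaslang has wolfone fix in posts 2 and 8 fall into a handful of persistence and network-setting categories: Run keys (O4), the system.ini Shell and UserInit values (F2), AppInit_DLLs and Winlogon Notify packages (O20), Trusted Zone additions (O15), per-interface NameServer overrides (O17), and browser start/search URLs (R0/R1). The Python below is an added example, not a MajorGeeks or HijackThis tool, that parses log lines in that format and flags the conditions a responder can check mechanically. SAMPLE_LOG is constructed from lines quoted in the thread; EXPECTED_RESOLVERS and EXPECTED_URL_HOSTS are assumed allowlists standing in for whatever is known-good on the machine under review. Judgement calls such as the random-looking Run entry name Hhl7RfpJ are deliberately left to the analyst, so that line is not flagged.

```python
"""Triage HijackThis-style log lines for the entry classes fixed in the thread.

Added example, not a MajorGeeks or HijackThis tool.  SAMPLE_LOG is constructed
from lines quoted in the thread; the EXPECTED_* allowlists are assumptions.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed allowlists: replace with the resolvers and home/search pages that
# are known-good for the machine under review.
EXPECTED_RESOLVERS = {ipaddress.ip_address("192.168.1.1")}
EXPECTED_URL_HOSTS = {"www.google.com", "www.msn.com"}
# Default Winlogon Shell / UserInit programs on Windows 2000/XP.
DEFAULT_SHELL = {"explorer.exe"}
DEFAULT_USERINIT = {"userinit.exe"}

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _basenames(value: str) -> list[str]:
    """Split a comma-separated Shell=/UserInit= value into lowercase file names."""
    return [p.strip().strip('"').split("\\")[-1].lower()
            for p in value.split(",") if p.strip()]


def _reasons(section: str, body: str):
    """Yield one reason per suspicious condition found in a single log line."""
    if section in ("R0", "R1"):
        host = urlparse(body.partition(" = ")[2].strip()).hostname
        if host and host not in EXPECTED_URL_HOSTS:
            yield f"browser start/search URL set to unexpected host {host}"
    elif section == "F2":  # Shell= / UserInit= must contain only the default program
        key, _, value = body.partition("=")
        expected = DEFAULT_SHELL if key.endswith("Shell") else DEFAULT_USERINIT
        extras = [n for n in _basenames(value) if n not in expected]
        if extras:
            yield f"extra program chained into {key.split()[-1]}: {', '.join(extras)}"
    elif section == "O4":
        command = body.split("] ", 1)[1] if "] " in body else body
        parts = command.split()
        if "?" in command:  # e.g. ?\l?gonui.exe: characters HJT cannot render
            yield "Run entry path contains '?' (unrenderable character in the real name)"
        elif (parts and parts[0].lower().startswith("rundll32") and len(parts) > 1
              and "\\" not in parts[1].split(",")[0]):
            yield f"rundll32 loads {parts[1].split(',')[0]} by bare name (search-path dependent)"
    elif section == "O9" and "(file missing)" in body:
        yield "IE button/menu extension registered for a DLL that no longer exists"
    elif section == "O15":
        yield "site added to the Trusted Zone (lowered IE security settings)"
    elif section == "O17":
        bad = []
        for ip in body.partition("NameServer = ")[2].split(","):
            try:
                addr = ipaddress.ip_address(ip.strip())
            except ValueError:
                continue
            if addr not in EXPECTED_RESOLVERS:
                bad.append(str(addr))
        if bad:
            yield f"interface DNS servers overridden with {', '.join(bad)}"
    elif section == "O20":
        if body.startswith("AppInit_DLLs:") and body.partition(":")[2].strip():
            yield "AppInit_DLLs set: listed DLLs load into every process that uses user32.dll"
        elif body.startswith("Winlogon Notify:"):
            yield "non-default Winlogon Notify package (runs inside winlogon at logon)"


def triage(log_text: str) -> list[Finding]:
    """Return a Finding for every suspicious condition in the log text."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        for reason in _reasons(m["section"], m["body"]):
            findings.append(Finding(m["section"], reason, raw.strip()))
    return findings


# Constructed from lines quoted in the thread (the QuickTime line is benign).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.meloco.com/index.php?i=sm
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\wivst.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,iedveph.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINNT\System32\ssn6tuu.exe"
O4 - HKLM\..\Run: [w9f6bc2f.dll] RUNDLL32.EXE w9f6bc2f.dll,I2 0012b2e209f6bc2f
O4 - HKCU\..\Run: [Mszqbek] ?\l?gonui.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\System32\dmonwv.dll (file missing)
O15 - Trusted Zone: *.mmohsix.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{10FB42CC-85CE-4476-A1D0-66841997B8C4}: NameServer = 85.255.116.121,85.255.112.69
O17 - HKLM\System\CS1\Services\Tcpip\..\{10FB42CC-85CE-4476-A1D0-66841997B8C4}: NameServer = 85.255.116.121,85.255.112.69
O20 - AppInit_DLLs: repairs303169590.dll C:\WINNT\System32\winspool.dll
O20 - Winlogon Notify: MCD - C:\WINNT\system32\u8ru0i99e8.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.reason}\n     {f.line}")
```

    The O17 entry appears under CCS, CS1 and CS2 because CurrentControlSet is an alias for one of the numbered ControlSet00N keys and the other holds the Last Known Good copy; fixing only the current one leaves the rogue resolvers available to come back on a Last Known Good boot, which is why the thread fixes all of them. The F2 and O20 checks are the ones worth automating: a Shell or UserInit value with an extra program, or a non-empty AppInit_DLLs, is almost never legitimate on a home XP machine, and both survive Safe Mode.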
     
  9. wolfone

    wolfone Private E-2

    Hi Chaslang!

    Okay, I followed your latest instructions.

    I did the Regit4, ran the PocketKillBox and pasted all items one by one.
    Killbox did reboot into normal mode. I did the next step and ran HJT (I did not open any other windows: I always print out the instructions.)

    I did not see either of the items listed in open process manager.

    I ran the HJT scan and found only 3 of the items you had listed. These were the:
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\wivst.exe
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,iedveph.exe

    I fixed these 3, then exited. I then went to Windows Explorer and searched for the items listed, none were found. (I verified show hidden files was active.)

    Your next instruction said to reboot in normal mode, which made me think what I had already done should have been done in safe mode. I was still on the reboot from the PocketKillbox. So, I rebooted in safe mode and repeated the HJT and checked again the file entries with explorer. I did not find any of the entries in either of the lists.

    I rebooted again into normal mode and rechecked all items again. None were found.

    I have attached the new HJT log and the new FindQool log.

    Well, things are improving. I did not see any popups at all this morning. My computer was practically unuseable when we started all this with you. I also noticed the logs are getting much smaller. You are brilliant!

    Please let me know what else I need to do and many, many thanks again for working with me on this.

    Kindest Regards,

    Wolfone
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HijackThis and have it fix the below two lines:

    O4 - HKLM\..\Run: [gqjgti] C:\WINNT\System32\gyfotk.exe reg_run
    O4 - HKCU\..\Run: [cnphu] C:\WINNT\System32\gyfotk.exe reg_run

    Also the below are not malware but they are not necessary and just waste system resources. Fixing them will speed up startup and improve general performance. So fix them if you want.

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


    Attach a new HJT log. How are things working? If everything is good you MUST do the below ASAP since your OS is severely out of date.

    It is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  11. wolfone

    wolfone Private E-2

    Hi again Chaslang!

    I ran HJT again and removed the two items as well as the optional ones. A new HJT log is attached.

    I then went back to the Read and Run Me and followed the system restore directions.

    I have been trying to get Windows XP to update, but I have been having problems with that. It keeps saying I need to install a security update. I do the update, and it keeps coming back that I need to update it but it gives me 0kb as file size. Nothing really happens. I have sent Microsoft a note on this and I am waiting on their reply.

    I am now going to follow your steps on how to protect myself from malware.

    My computer is running much faster. I have not seen any popups. However, this morning when I logged on, Counter Spy had found Web Nexus again and quarantined it. I had it remove it.

    Again, thanks for all your help.

    Kindest Regards,

    Wolfone
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log still looks the same. The items I asked you to fix are still there. There are three possible reasons for this:

    1) Either you are forgetting to click Fix Checked with HijackThis

    2) Or they are coming back due to malware still reinfecting you

    3) Or something like Trend Micro or similar is blocking the changes.


    I'm going to guess that it is number three. So here is what I want you to do:

    Uninstall CounterSpy and then shutdown all active protection from TrendMicro.

    Now Run HijackThis and have it fix the below two lines:

    O4 - HKLM\..\Run: [gqjgti] C:\WINNT\System32\gyfotk.exe reg_run
    O4 - HKCU\..\Run: [cnphu] C:\WINNT\System32\gyfotk.exe reg_run

    What security update does it tell you is missing?
    According to your HJT log you are missing loads of updates!
     
  13. wolfone

    wolfone Private E-2

    Hi Chaslang,

    I uninstalled CounterSpy and turned off Trend Micro. You are right. Trend Micro found a lot of Trojans when I ran it yesterday and quarantined them.

    I ran Hijack This again, but, I am not finding the two items you said to remove. The new HJT log is attached.

    Since I am not finding them, are they gone, or am I doing something wrong?

    I have since my last post downloaded several updates from Microsoft Update.

    As I said in my previous post, I have been trying to get Windows XP to update to SP2. It keeps saying I need to install a security update. (Security Update #KB835732). I do the update, and it keeps coming back that I need to update it but it gives me 0kb as file size. Nothing else happens.

    I have sent Microsoft a note on this and I am waiting on their reply. I tried some of the fixes on the link you have, but they do not work. If you have any suggestions, while I am waiting on Microsoft to answer, I would appreciate it.

    Again, thanks for all your help.

    Kindest Regards,

    Wolfone
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They're gone now. Don't worry about them.



    Try downloading the update file for your OS directly from the below:

    http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

    Then install it. Let me know if that works. If not, I would recommend temporarily shutting down your firewall (and maybe all of Trend Micro) and installing the update from Microsoft.
     
  15. wolfone

    wolfone Private E-2

    Hi again, Chaslang,

    Ok - I tried your link to the Security Update. It seemed to work. I had to agree to a license and I followed the directions to install it.

    But, for some reason, Microsoft Update is not seeing it installed on my computer. I had shut down everything (including Trend Micro). Microsoft Update is still giving me the same message that I need to install Security Update #KB835732, and I am still getting 0kb as the download size. When I check my history of downloads, it is showing that update being done (many, many times now).

    Any other suggestions? Because, of course, I still have not heard from Microsoft's support technicians.

    With all the viruses that were on my computer, I will not let my daughter use her instant messenger. I fear that everything could start all over again without my computer having the correct updates and/or current OS. And, she of course, is getting frustrated with not being able to talk to her friends. I did suggest there was something called a telephone, but she won't hear of it. So, you can see my frustrations.:)

    Again, thanks for all your help.

    Kindest Regards,

    Wolfone
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You could have a broken/incomplete installation somewhere. I saw Windows Installer loaded and running in your last HJT log.

    Give the below a run and maybe it can be used to cleanup a broken install.
    Windows Installer CleanUp Utility
     
