Ran Sticky -- log files attached

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by shanrene123, Feb 24, 2006.

  1. shanrene123

    shanrene123 Private First Class

    Spyware & virus problems evident through lots of pop-ups & Ad-Aware continually getting "critical items". Ran through the whole sticky thread & have attached Bitdefender, Panda, & HijackThis logs. Bitdefender & Panda found viruses -- don't think they were able to remove them. Did not run any "Special Removal Procedures", as I was unable to determine if I needed to or exactly how to. Let me know what else, if anything...thanks in advance. Shannon (p.s...it's very late so I'll be checking back tomorrow in the early a.m...thanks again!)
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It would be better if you posted the log for Bitdefender as the instructions in step 6 said. All you posted, the way you saved it, was a summary that does not help us to know where the problems are.

    Also please follow step 7 of the read and get HijackThis installed properly. You installed it exactly where we request it not be installed.
    C:\Documents and Settings\Lorean\My Documents\Spy ware\hijackthis\HijackThis.exe

    Fix the HJT install before continuing.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ymoed.exe
    F2 - REG:system.ini: UserInit=userinit.exe,khvinif.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\ymoed.exe
    C:\WINDOWS\system32\khvinif.exe

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.


    Additional step to delete UWFX6_0001_N68M2301NetInstaller.exe :
    - Click Start, Run, and enter cmd in the box and click OK. This opens a command prompt window.
    - Enter the following command lines, each followed by the Enter key:
    cd C:\WINDOWS\Downloaded Program Files\
    attrib -r -h -s UWFX6_0001_N68M2301NetInstaller.exe
    del UWFX6_0001_N68M2301NetInstaller.exe
    exit


    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
  3. shanrene123

    shanrene123 Private First Class

    bump...cannot find my post on the needed PC
     
  4. shanrene123

    shanrene123 Private First Class

    Chaslang, I ran ALL steps as you directed, but cannot get the PC to start in "Normal" mode...do have it started in "Safe Mode with Networking". Am posting this from a laptop, even though I am able to get online with the problem PC. I didn't think I could run HJT in "Safe Mode", so I'm stuck. Any suggestions? I'm sorry about HJT being in the wrong place earlier...my husband downloaded all the malware tools & it was his first time ever...It's fixed now. The problem PC is a friend's computer, not ours...we've worked on it twice before & instructed them in how to run Geek's suggestions in "Keeping computer safe from malware" but to no avail...of course, they are not spending the time to do the clean-up & repair & bothering you all...WE are! What do I do next? Thanks bunches, Shannon
     
  5. shanrene123

    shanrene123 Private First Class

    new HJT logfile attached

    Hi! Got it started in "Normal" mode after using msconfig & taking everything off start-up except AVG. Attached is my newest HJT logfile after completing all of your directions.

    Thanks a million, Shannon
    (p.s. Couldn't find "...ymoed.exe" or "...khvinif.exe" in C:\WINDOWS\system32 folder location to delete them. Pretty sure they were not there. However, I did "fix" them in HJT, but they keep coming back in following HJT scans.)

    What next?
     

    Attached Files:

  6. shanrene123

    shanrene123 Private First Class

    Chaslang, also PC is running much better...not nearly as many pop-ups, but still a few...just got one to run "Internet or Install Shield"? Just wanted to let you know. Thanks, Shannon
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Shannon,

    The same problem lines are still there as before:

    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ymoed.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,khvinif.exe

    You need to fix these and you need to locate the ymoed.exe and khvinif.exe files. Make sure you follow the sticky thread steps to enable viewing of hidden and system files. Boot in safe mode and fix those two lines with HJT then find those two files and delete them as indicated earlier.

    Please see if you can attach the proper Bitdefender log too, as requested.
     
  8. shanrene123

    shanrene123 Private First Class

    Chaslang, Shannon got called out of town, she'll be back Sunday night. I was told NOT to TOUCH that PC. She said thanks again. Chuck
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I guess you better listen to those orders! ;)
     
  10. shanrene123

    shanrene123 Private First Class

    Hi, I'm back! Ran your last suggestions & new Bitdefender, Panda, & HJT logs are attached. Am unable to locate the "F2 - Reg:system.ini:...ymoed.exe" or the "F2 - REG:system.ini...Userinit.exe,khvinif.exe" files to delete them per your directions. I did several different searches for them, both manually & with the assistance of Windows' "Search", but with no luck. I even tried to locate them in "Registry Editor", but again was unable to find them. Any ideas? While in the "Registry", I accidentally deleted something that looked "suspicious", but it was obviously needed, so I had to "Restore" the PC back to earlier today...thank goodness I remembered to leave "System Restore" on per Geek's instructions! I have tried 3 times to "Fix" them in HJT, but they keep coming back! Presently, the problem PC seems to be running very slowly & is still getting a bunch of pop-up ads when online. Any ideas, Chaslang? Thanks so much for your time & for being easy on me when I don't understand things! Awaiting your reply, Shannon
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They are not files. Those are the lines from your HijackThis log that you were supposed to fix using HijackThis. The file names you need to find and delete are:

    C:\WINDOWS\system32\ymoed.exe
    C:\WINDOWS\system32\khvinif.exe

    PLEASE DO NOT experiment in the registry on your own!
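
The two "F2 - REG:system.ini" lines that keep returning in the HJT logs above are the Winlogon "Shell" and "Userinit" registry values; HijackThis only edits the values, it does not delete the executables they point at, which is why the lines come back on every reboot while ymoed.exe and khvinif.exe still exist. The script below is an added example for this thread (it is not from MajorGeeks, chaslang or HijackThis) that does the job chaslang describes in post #2 and clarifies in posts #7 and #11 in one pass: read both values, list every executable chained after the legitimate one, report whether each file exists, and with -Fix strip the read-only/hidden/system attributes (the same attrib -r -h -s step), kill a running copy, delete the file and restore the default values. Assumed: Windows with PowerShell 5.1 or later, run from an elevated prompt; the "expected" defaults and the -Fix switch are this example's own choices.

```powershell
<#
  Added example (not code from the thread): audit and optionally repair the
  Winlogon Shell / Userinit values that HijackThis reports as
  "F2 - REG:system.ini" lines. Assumes PowerShell 5.1+ in an elevated prompt.
#>
param([switch]$Fix)   # without -Fix the script only reports

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$System32 = Join-Path $env:SystemRoot 'System32'

# Clean defaults (assumed for this example). Userinit normally ends with a comma.
$Expected = @{
    Shell    = 'explorer.exe'
    Userinit = (Join-Path $System32 'userinit.exe') + ','
}

# Winlogon resolves a bare file name such as "khvinif.exe" relative to System32.
function Resolve-WinlogonPath {
    param([string]$Entry)
    if ([IO.Path]::IsPathRooted($Entry)) { return $Entry }
    return Join-Path $System32 $Entry
}

# Return every comma-separated entry except the legitimate one (case-insensitive).
function Get-ExtraEntries {
    param([string]$Name, [string]$Value)
    $legit = [IO.Path]::GetFileName($Expected[$Name].TrimEnd(','))
    $Value -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and ([IO.Path]::GetFileName($_) -ne $legit) }
}

$props = Get-ItemProperty -Path $Winlogon
foreach ($name in $Expected.Keys) {
    $current = [string]$props.$name
    $extras  = @(Get-ExtraEntries -Name $name -Value $current)
    if ($extras.Count -eq 0) {
        Write-Host "[ok]   $name = $current"
        continue
    }
    Write-Host "[WARN] $name = $current"
    foreach ($entry in $extras) {
        $path   = Resolve-WinlogonPath $entry
        $exists = Test-Path -LiteralPath $path
        Write-Host "       extra entry: $entry -> $path (exists: $exists)"
        if ($Fix -and $exists) {
            # A running copy holds the file open; stop it first.
            Get-Process | Where-Object { $_.Path -eq $path } | Stop-Process -Force
            # Equivalent of "attrib -r -h -s <file>": -Force finds hidden files.
            (Get-Item -LiteralPath $path -Force).Attributes = 'Normal'
            Remove-Item -LiteralPath $path -Force
            Write-Host "       deleted $path"
        }
    }
    if ($Fix) {
        # Put the value back to the default so the F2 line does not return.
        Set-ItemProperty -Path $Winlogon -Name $name -Value $Expected[$name]
        Write-Host "       reset $name to $($Expected[$name])"
    }
}
```

Run it once without -Fix from an elevated prompt to see what the two values currently hold; Test-Path reports hidden and system files that a default Windows Search skips, which is the usual reason the files "cannot be found" by hand. Run it again with -Fix from Safe Mode, then reboot and confirm the F2 lines are gone from a fresh HJT log.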
     
