Seems clean, but some removal guide issues!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mr--t, Jan 16, 2008.

  1. mr--t

    mr--t Private E-2

    Hi, firstly, thanks for the guides and site, my PC seems to be running the way it used to - 'seems' being the operative word!! This is going to be a really long boring read, especially as my computer is running alright, but better to be safe I guess... You can probably skip to the last paragraph and logs if you're busy!!!

    ****
    Spent the last day or so trawling through the removal and cleaning guides and finally made it through the other side, not without some 'minor'(!) difficulties.

    I'm running Windows XP Home Edition SP2 2002. I think my problem started after mistakenly allowing access to a rogue program via Norton. On subsequent reboots I was greeted with a 'Potential error' message (the contents of which I googled, leading me here - somebody had the exact same issue:)). I've forgotten the exact message (useful, I know, sorry!), but there were three errors listed: a registry error, an irql error and a KMODE error.

    Then a program called avp.exe would display a yellow box from the system tray alerting me to a lack of security. Multiple popups and tabs would open beyond control and then a final error message about my computer being shut down due to being buggy would come up.

    Finally, I noticed a multitude of pos###.tmp files in My Documents folder.

    Sorry for the essay; this is what happened in brief whilst following the guide as best I could. I've listed the points that went wrong:

    - Found 'Autoupdate' in the add/remove programs list but CCleaner couldn't locate the uninstaller. Also found Icon.exe in processes, which I understand may be the RapidBlaster virus? But the RapidBlasterKiller program didn't detect it, so I left that file alone.

    - Norton was running in secret during the first run of Combofix so it interfered. The first time took about 1.5hrs due to the pos.tmp files. Found infections, but the log didn't save anyway!

    - Then tried Spybot. First it wouldn't let me install; the dialogue boxes kept disappearing. Even if I sped through, the final installing box would still vanish.

    - So skipped to AVGAS. The first time this installed and updated fine. Found a lot of errors on scanning, but even after checking 'Automatically generate report after every scan' and unselecting 'Only if threats were found', no report was available or saved!! At this point I quit and tried the whole process from Combofix again after a few reboots today.

    I only write the above so maybe these errors/difficulties can be addressed in the removal guide if not already? Could save a lot of people a lot of google search time.

    Second run-

    - Combofix log attached below (after manual ccleaner shredding of pos.tmp files, was a lot quicker to scan)

    - Spybot installed after unchecking 'Update automatically' (or something like that). Wouldn't update through the program (couldn't connect to server?), so I downloaded the update from the website and ran it manually. Didn't find anything on scanning, so no log?

    - avgas.exe then started disappearing and not loading even after several uninstall and install attempts. When it finally started playing nice, I would find two avgas.exe files in the program files folder, one outdated and around 7mb, one in date and around 6mb. AVG detected high risk dropper.agent.dgo in the older avgas.exe file and ran after its deletion.

    Couldn't update this both through the program or off the website, so ran a scan without update.

    Scan found a few errors, log attached below.

    - MGtools ran fine, log below.

    ***

    In summary, the logs I could get are attached, please have a look and let me know if I'm safe or not.
    Cheers for your time!
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please use add/remove programs to uninstall:
    J2SE Runtime Environment 5.0 Update 5
    Java 2 Runtime Environment, SE v1.4.2_05
    Now download and install:
    Java Runtime 6

    Please disable all anti-virus and anti-spyware programs while we do the following:

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Download RenV.exe and save it to your Desktop (must be on the Desktop)
    * Doubleclick RenV.exe
    o When finished, it will produce a new log named Log.txt on the Desktop.
    o Attach this log to your next reply.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  3. mr--t

    mr--t Private E-2

    Hi, sorry for the late reply. I've attached the requested logs but these are only from Thursday - it's taken multiple reboots and safe mode to get this up here!
    The original error has returned on startup; it reads:

    During a scan of files at system startup, potential errors in system registry were found
    p-07-0100-irql: 1f SYSVER 0x1f-00024
    NT_Kernel error 1256
    KMODE_EXCEPTION_NOT_HANDLED

    Also, the registry key number in {} you gave me to fix in avenger and replace was different:
    O2 - BHO: (no name) - {436E9904-DE28-4DF7-5854-3C1B41F192BE} - C:\WINDOWS\system32\vturp.dll
    So I put that number into the fixME.reg file instead of the one you gave me, not sure if this was the right idea?

    Thanks for your time
     

    Attached Files:

    Last edited: Jan 19, 2008
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Scan at startup with what?

    I didn't give you a reg key to fix with avenger...I gave you one in Regedit!

    C:\Program Files\AGT 5000 -->? What is this?

    * Now Copy the bold text in the below code box to notepad. Save it as Log.txt to your desktop. (It must be on your Desktop).
    Code:
    C:\Program Files\Common Files\Symantec Shared\ccApp .exe
    C:\Program Files\FlashGet\FlashGet .exe
    C:\Program Files\Google\Gmail Notifier\gnotify .exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
    C:\Program Files\iTunes\iTunesHelper .exe
    C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
    C:\Program Files\Norton Internet Security\UrlLstCk .exe
    C:\Program Files\Onfolio\onfserv .exe
    C:\Program Files\SymNetDrv\SNDMon .exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
    C:\WINDOWS\system32\dpmw32 .exe
    C:\WINDOWS\system32\igfxtray .exe
    C:\WINDOWS\system32\NWTRAY .EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S10IC2 .EXE
    
    * Now using your mouse, drag Log.txt onto RenV.exe
    * When finished, RenV.exe will produce a new log named Log.txt on your Desktop. I will ask for this log later.

    Please disable all anti-virus and anti-spyware programs while we do the following:

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    I want you to try running avenger again and do exactly as directed:

    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.
    Then attach the new logs:

    * Log.txt from running RenV
    * c:\avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  5. mr--t

    mr--t Private E-2

    Hi,

    Logs are below as requested and I ran CCleaner. Computer's still very slow and errors keep showing at startup as well as multiple popups. The C: drive icon has been replaced by a red X.

    In answer to your questions:
    - I don't do an intentional scan at startup; "During a system scan, potential errors...etc" is the first line of the error message. Another error keeps appearing now:

    "A potential problem has been found and Windows has been shutdown buggy application to prevent damage to your computer.
    ****WYXZ.SYS - Address F73120AE base at C00000. Date Stamp 36b072A3
    Kernel Debugger Using: COM2 (port 0x28f, Baud rate 192000)"

    After some googling, it seems these errors may be fabricated by a nasty strain of the Vundo virus?? Any clues?

    - AGT5000 is an [unused!] fitness tracker program - definitely expendable if causing problems

    - I meant to say Regedit not avenger sorry.

    On that note, I couldn't fix the files you listed in HijackThis. The F3....vturp.exe file wasn't there at all, and despite fixing the O2 - BHO.....vturp.dll file it keeps reappearing on subsequent scans? I'll include this log in a separate post; hopefully that will shed some more light on the situation.

    Thanks again!
     

    Attached Files:

  6. mr--t

    mr--t Private E-2

    HijackThis log
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The MGlogs.zip is January 16, 2008
    The RenV log is ...Ran on 20/01/2008
    Please run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file

    Also uninstall and reinstall Avenger.

    Also Note ...HJT is included in the MGLogs ..you don't need to attach it.
     
  8. mr--t

    mr--t Private E-2

    New MGtools log and RenV log are below, but I forgot to mention problems with avenger from the last post.
    Even after 'uninstalling' (just deleted and redownloaded?) avenger as requested in your last post, when clicking the green light it gives the errors:

    "Error: Could not create Zip file" and "Error code:0"

    After reboot, it doesn't load up - not sure it's creating new logs. I've attached it here anyway.

    Computer's still slow and giving startup errors and pop-ups etc.

    Thanks again!
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Apparently you are having a problem with dragging and dropping the code I gave you onto RenV.exe ....so let's try a different approach:

    Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Open Notepad and copy/paste the text in the below quote box into it:
    Code:
    Files:
    C:\Program Files\Common Files\Symantec Shared\ccApp .exe
    C:\Program Files\FlashGet\FlashGet .exe
    C:\Program Files\Google\Gmail Notifier\gnotify .exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
    C:\Program Files\iTunes\iTunesHelper .exe
    C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
    C:\Program Files\Norton Internet Security\UrlLstCk .exe
    C:\Program Files\Onfolio\onfserv .exe
    C:\Program Files\SymNetDrv\SNDMon .exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
    C:\WINDOWS\system32\dpmw32 .exe
    C:\WINDOWS\system32\igfxtray .exe
    C:\WINDOWS\system32\NWTRAY .EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S10IC2 .EXE
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * Use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below.

    Now use windows explorer to find and delete:
    C:\WINDOWS\system32\vturp.dll
    C:\WINDOWS\system32\prutv.ini
    C:\WINDOWS\system32\prutv~1.ini

    Attach the combofix log......and tell me exactly what problems you are still having.
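The RenV list in the earlier post and the CFscript above are the same set of paths: legitimate startup executables whose names had a space inserted before the extension (e.g. `ccApp .exe`), so the original program no longer runs and the malware's copy takes its place. The following is an added example, not code from the thread or from the RenV/ComboFix authors: a Python script that scans a file listing for this spaced-extension pattern and builds a review list of what to rename back. The sample listing is constructed from the paths in this thread, and the extension set and the conflict rule are this example's own assumptions. It also handles the case the thread runs into later, where both `ctfmon .exe` and a real `ctfmon.exe` exist side by side: such entries are reported as conflicts rather than renamed blindly.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample listing, modelled on the file list in this thread:
# startup executables whose names got a space inserted before the extension,
# plus a few ordinary entries that must be left alone.
SAMPLE_LISTING = """\
C:\\Program Files\\Common Files\\Symantec Shared\\ccApp .exe
C:\\Program Files\\Java\\jre1.6.0_04\\bin\\jusched .exe
C:\\WINDOWS\\system32\\NWTRAY .EXE
C:\\WINDOWS\\system32\\ctfmon .exe
C:\\WINDOWS\\system32\\ctfmon.exe
C:\\WINDOWS\\system32\\notepad.exe
C:\\Program Files\\My App\\notes .txt
"""

# Matches "<name><whitespace><.ext>"; the stem must end in a non-space, so
# "foo .exe" splits into ("foo", ".exe") while "foo.exe" does not match.
SPACED_EXT = re.compile(r"^(?P<stem>.*\S)\s+(?P<ext>\.[A-Za-z0-9]+)$")

# Assumed set of program extensions worth flagging (example's own choice).
PROGRAM_EXTS = frozenset({".exe", ".dll", ".sys", ".scr", ".com"})


def restored_name(filename):
    """Return the filename with the stray whitespace removed, or None if clean."""
    m = SPACED_EXT.match(filename)
    if m is None or m.group("ext").lower() not in PROGRAM_EXTS:
        return None
    return m.group("stem") + m.group("ext")


def plan_renames(listing):
    """Classify every path in a newline-separated listing.

    Returns a dict with three lists:
      fix      - (current_path, restored_path) pairs safe to rename back
      conflict - pairs whose restored name already exists in the listing,
                 so both files need a look before anything is renamed
      skip     - paths that do not show the spaced-extension pattern
    """
    paths = [line.strip() for line in listing.splitlines() if line.strip()]
    present = {p.lower() for p in paths}  # NTFS names are case-insensitive
    plan = {"fix": [], "conflict": [], "skip": []}
    for p in paths:
        wp = PureWindowsPath(p)
        fixed = restored_name(wp.name)
        if fixed is None:
            plan["skip"].append(p)
            continue
        target = str(PureWindowsPath(wp.parent, fixed))
        bucket = "conflict" if target.lower() in present else "fix"
        plan[bucket].append((p, target))
    return plan


if __name__ == "__main__":
    result = plan_renames(SAMPLE_LISTING)
    for current, target in result["fix"]:
        print(f"rename   {current}  ->  {target}")
    for current, target in result["conflict"]:
        print(f"CONFLICT {current}: {target} already exists, inspect both")
```

Feeding it a real `dir /s /b` listing of `Program Files` and `system32` (saved to a text file) in place of the constructed sample gives the same kind of review list the helper asked for before running RenV; the script only reports, it never renames.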
     
  10. mr--t

    mr--t Private E-2

    Computer seems to be running much better now. No pos.tmp files, red X icon's gone as well as pop-ups and no startup errors - for the time being anyway! However, vturp.exe, vturp.dll and prutv.ini return after deletion?

    Thanks a lot for your time!
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Returned after running ComboFix? If so....run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.
     
  12. mr--t

    mr--t Private E-2

    They return both after ComboFix and after manual deletion (browsing and finding the files you requested)

    Cheers
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You didn't allow the C:\MGtools\GetLogs.bat to run completely ....all of the files were from 1/16/08 except for one run on the 24th.

    Please do it again and allow it to complete before you close it.
     
  14. mr--t

    mr--t Private E-2

    Hope this is better,
    thanks
     

    Attached Files:

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We are getting nowhere:
    HJT log = It's Wed January 16, 2008
    NewFiles log = It's Wed January 16, 2008
    Runkeys Log = It's Wed January 16, 2008

    Delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip.

    Now reboot and download the MGTool.exe and run it afresh.
     
  16. mr--t

    mr--t Private E-2

    I checked the dates in this, they all seem recent!
    Thanks
     

    Attached Files:

  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That is much better!

    What are the below files for?
    Code:
    C:\Documents and Settings\windows user\Desktop\1349699.m3u
    
    C:\Documents and Settings\windows user\My Documents\
    ~$ggbt.doc    20 Dec 2007         162  "~$ggbt.doc"
    ~$scol~1.doc  30 Dec 2007         162  "~$scolyrics.doc"
    
    We still have one Vundo item to remove.....
    Now Copy the bold text in the below code box to notepad. Save it as Log.txt to your desktop. (It must be on your Desktop).

    Code:
    C:\WINDOWS\system32\ctfmon .exe
    
    * Now using your mouse, drag Log.txt onto RenV.exe
    * When finished, RenV.exe will produce a new log named Log.txt on your Desktop.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.
    Then attach the new logs:

    * Log.txt from running RenV.
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  18. mr--t

    mr--t Private E-2

    C:\Documents and Settings\windows user\Desktop\1349699.m3u is a sample music file

    C:\Documents and Settings\windows user\My Documents\
    ~$ggbt.doc 20 Dec 2007 162 "~$ggbt.doc"
    ~$scol~1.doc 30 Dec 2007 162 "~$scolyrics.doc"

    Temp files from word documents? Are they infected files?

    Not sure RenV ran properly again, but here are the requested logs anyway,
    thanks!
     

    Attached Files:

  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No they aren't infected ...I just didn't know what they were ...as malware has a tendency to use random letters and symbols at times.

    Your logs look clean.

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
    * Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work through the below link:
    *How to Protect yourself from malware!
     
