Serious Problems getting worse

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by smssoleimani, Jun 12, 2007.

  1. smssoleimani

    smssoleimani Private First Class

    Hello, thank you for taking the time to view this. For some reason some links don't work on my home computer but do at my school. I tried them in both FireFox and IE, and nothing worked.

    Links like:

    Grinler's HiJackThis Tutorial

    Said: "Not Found

    The requested URL /forums/HijackThis_Tutorial_How_to_use_HijackThis_to_remove_Browser_Hijackers_and_Spyware-tut42.html was not found on this server."

    But they work perfectly at my school, or at my friend's house. I'm starting to think it's Mal-Ware vs. a problem with my browsers.

    But I have the best of the best (pretty much every program Geek to Go admins and staff have recommended) Anti Mal-Ware applications, and have been scanning non stop all day, and yesterday. Some have detected 1 or 2 problems, others have not, but nothing is better. I think things are getting worse, because now things are slowing down a lot, and programs are taking longer to open up.....and such.

    So here is a HiJackThis Log:


    Edit by chaslang: Inline HJT log removed. READ & RUN ME sticky not followed.


    Help me please this is pissing me off :(
     
    Last edited by a moderator: Jun 13, 2007
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, renaming, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy - only for Windows XP, 2K, & NT users
      • AVG Antispyware log - ONLY IF NEEDED because you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. smssoleimani

    smssoleimani Private First Class

    OK, I did everything, it took forever though, but as long as it works. I have to attach a lot so I have to make two posts.

    This post contains:

    Report-Scan-20070613-161050.txt
    bdscan.txt
    Activescan.txt

    Next post will contain:

    GetRunKey.txt
    ShowNew.txt
    HiJackThis.txt

    Thank you
     

    Attached Files:

  4. smssoleimani

    smssoleimani Private First Class

    This post contains:

    GetRunKey.txt
    ShowNew.txt
    HiJackThis.txt

    Thank you
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You appear to have ignored step 3 of the READ ME. I see Eset Smart Security and AVG Free installed. Uninstall one of these now!

    Note I don't recommend using Ad-Aware 2007. It is a massive resource hog that always has a service running even when you are not scanning. There is no need for this service to always be running.

    Is the below from something you installed?
    O4 - Startup: check-ip-changed.bat


    Uninstall Viewpoint Media Player as requested in step 0 of the READ ME.

    Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [xDRam rar procx] xwinupdaterarx.exe
    O4 - HKLM\..\Run: [IEexplorer AUpdate] IEexplore32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\RunServices: [xDRam rar procx] xwinupdaterarx.exe
    O4 - HKLM\..\RunServices: [IEexplorer AUpdate] IEexplore32.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  6. smssoleimani

    smssoleimani Private First Class

    I got rid of Eset. What's wrong with Ad-Aware? I thought it was one of the best, most recommended applications. And "O4 - Startup: check-ip-changed.bat" is from something I installed.

    This post contains:

    avenger.txt
    newfiles.txt
    runkeys.txt



    Questions:

    When should I put back "Selective Startup"?

    In safe mode is it normal for everything to be bigger than normal? And load faster than it would if I weren't in Safe mode?

    Thank you
     

    Attached Files:

  7. smssoleimani

    smssoleimani Private First Class

    HiJackThis attached
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Exactly what I said in my last message is wrong with it. In addition, it has not been the best for a very long time. It does not even detect many of the typical malware problems that are around and for quite a few that it detects (like Virtumonde) it does absolutely nothing to fix the problems. We removed it from the READ ME long ago due to its ineffectiveness. This version is massive in size (over 17 Mb) and wastes tons of RAM running a service even while the scanner is not being run. The program will not operate if the service is removed. If that is not enough, you already have AVG Antispyware installed and it is a better choice. Also you can use Spybot as an additional scan only tool. It is a better choice and also gives you the Immunize and bad download blocker features too.


    Never. MSconfig was not designed for that purpose. It should only be used as a temporary debugging tool. Most of the time there is no reason to be using a tool to disable startups.
    • If you don't need the software, uninstall it.
    • If you need the software but not the startup, permanently remove the startup by configuring the program not to run at startup. If they don't give you that option, then use HJT to remove the startup entry from the registry so that it cannot load at startup.
    • If you want to keep the startup entry because you sometime need to load the program at startup
      • first make sure that the solution is not just as simple as manually running the process that you need
      • then if necessary use a program like the below for managing startups:
    Both normal.


    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  9. smssoleimani

    smssoleimani Private First Class

    It seems that everything has been cleared, thank you. What was I infected with? And I have another problem, I'm not sure it's Malware related though, but you tell me. Some links like:

    http://www.bleepingcomputer.com/for...move_Browser_Hijackers_and_Spyware-tut42.html

    Give me this message:

    "Not Found

    The requested URL /forums/HijackThis_Tutorial_How_to_use_HijackThis_to_remove_Browser_Hijackers_and_Spyware-tut42.html was not found on this server."

    OR

    http://www.castlecops.com/CLSID.html

    Give me this message:

    "Not Found

    The requested URL /CLSID.html was not found on this server."

    WHAT GIVES?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Probably not malware. Try the below.

    Click Start, Run, and enter ipconfig /flushdns and click OK. There is a space between the ipconfig and the /flushdns

    Did that help?

    Infections can typically be called different names by every scanner. So unless they are a big name common infection, names are often not useful. But here are some of the items you had:
    • Backdoor.Rbot.BRA
    • Backdoor.Gaobot.MIW
    • Downloader.Agent.bq
    • Trojan.Downloader.Nsis.Agent.AC
    • Trj/Dropper.WF
     
  11. smssoleimani

    smssoleimani Private First Class

    Nope, didn't work. I have no idea what it's from or what I can do.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you use a cable modem or DSL modem?
    Do you have a router in between the above and your PC?

    If you just goto http://www.bleepingcomputer.com what happens?
     
  13. smssoleimani

    smssoleimani Private First Class

    I have Optimum Online, they supplied me with a modem. I have a router which has my modem, computer, and Xbox 360 hooked up to it.

    Link says:

    "Forbidden

    You don't have permission to access / on this server."
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Power cycle your router.
    Then power cycle your cable modem.

    Any change?

    Did you install one of the recommended firewalls as requested in my final instructions to you, or are you still using the inadequate Windows built-in firewall?
     
  15. smssoleimani

    smssoleimani Private First Class

    What is that, and how do I do it? And I don't know which firewall to install (software). Which is the best, like basic, and doesn't require a lot of attention, and once one is downloaded, how do I know if the settings are like appropriate, and if the firewall is even working? Like my router prob has the hardware firewall, but I need your assistance with something. How do I password protect from people trying to steal my internet and from hackers? I have a Motorola WR850G. When I took my IP address and entered it into my web browser it opened a dialog to enter a password, at first it was something like admin and password Motorola. But I changed it, does that mean I'm protected now?
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You just finished telling me that Optonline gave you a modem and now you are saying you don't know what it is???? Optonline is cable provider. They gave you a cable modem. It requires power to operate. Unplug the power and then plug it back in. That is a power cycle.

    So now you are telling me that you did not follow my instructions in message # 8??????

    That stops anyone from logging into your router and changing any settings in it that are allowed to be changed. But the IP address of your router (your network) is not seen anyway. The cable modem address is what appears on the internet.
     
  17. smssoleimani

    smssoleimani Private First Class

    I will do it, is there any amount of time they should both remain unplugged?

    So what should I do, I'm confused about this area.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A few seconds is adequate to cause a reboot.


    Follow the steps I gave to you in message # 8 and when you get down to this How to Protect yourself from malware! link. Follow the steps in that link and when you get to step 3 install one of the recommended software firewalls.

    Just like using any program (even Windows), you need to do some learning. With a firewall, you basically just have to decide what to allow to access the internet and what not to allow. Most of the time it is rather simple. If you run a browser (like IE or FireFox) you have to recognize the process (should not be too hard: iexplore.exe is IE and firefox.exe is FireFox) and then allow the browser to have access and tell it to always allow it. For anything unknown, you can not allow access or you can first do some Google searching to figure out what the process is for and then decide. Anytime you run something, you need to know what you are running. Like if you run Spybot, you will see a process named spybotsd.exe. Sometimes it is easier than other times.

    Taking a serious role in learning about what you run on your PC is the first step in your own security.
     
  19. smssoleimani

    smssoleimani Private First Class

    OK, but is my router now password protected? Like if there was a laptop here they would need to enter my user name and password? Because before when I used my PSP, I was able to connect to my wireless router and not have to do anything. Now I don't know. Shouldn't it ask for the info? Can I take a screenshot of something and attach it so you can see something?

    PSP:

    WLAN Settings:

    Scan
    Enter Manually
    Automatic


    I chose scan and it came up with my router at 100% signal strength, and says security is.....NONE, UH.

    There are a few security settings it says some router have like:

    None
    WEP
    WPA-PSK (TKIP)
    WPA-PSK (AES)

    What is this? Mine is NONE, is this bad? Does this mean anything that can get a signal to my router can get access to my comp or Internet with no problems?

    I just installed "Comodo Personal Firewall" and I went to that link that tells you how to disable windows firewall. When I double clicked it, it said:

    "Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) Service?"

    "Yes" "No"
     
    Last edited: Jun 15, 2007
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, if you added a password then it is password protected.

    If anything in your network wants to directly login or connect to the router, they will have to use the login name and password as set by you.

    No! You are not logging into the router! You are just using it as part of its network and packets are passing thru the router to the cable modem like they are supposed to. This has nothing to do with putting a password on your router.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Installing Comodo automatically disables your Windows firewall. You don't need to do anything else and you definitely do not want to try to enable it.
     
  22. smssoleimani

    smssoleimani Private First Class

    Oh OK, it's late here so I'll prob wait a little bit for your next post and call it a night. I still need to do the power cycle, I haven't had time to get to it. Did you see my last post? I edited it, and I think you replied before you saw the edit.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I saw your posts but I guess you did not see mine. I'm not sure what you are waiting for. A power cycle takes all of 10 seconds to complete.
     
  24. smssoleimani

    smssoleimani Private First Class

    Yea it prob does, but a few of my wires aren't in the best position right now, and I have to go now, so I'll do it tomorrow and get back to you. I'll tell you if it resolved the problems with those sites. Otherwise everything is running OK, firewall is up and running, I have one AV, got rid of Ad-Aware, etc. Talk to you tomorrow. Thank you.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It will be Sunday night before I get back. I'll be out of town until then.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just in case the power cycling of your Router and also your cable modem do not work, here are some other things to try.


    Download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
      • It will create a folder named HostsXpert in whatever folder you extract it to.
      • Run HostsXpert.exe, click Restore Microsoft's Hosts File and then click OK.
      • Click the X to exit the program
    Now click Start, Run, and enter ipconfig /flushdns and click OK!


    Now please download DelDomains and unzip it to your desktop. Do not run it yet.

    Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.

    (Now you will need to "Immunize" with Spybot again because deldomains will remove all of the sites Spybot adds.)



    Did any of the above change anything?
     
  27. smssoleimani

    smssoleimani Private First Class

    OK well the power cycle didn't work :(

    As I got to this part "Run HostsXpert.exe, click Restore Microsoft's Hosts File and then click OK." it gave me an error message saying:

    "ERROR: Cannot create file C:\WINDOWS\system32\DRIVERS\ETC\hosts"

    and then I click OK in that dialog and the program closes on its own.

    I followed everything up to "Run HostsXpert.exe, click Restore Microsoft's Hosts File and then click OK." I didn't continue your instructions after because of the error. I didn't think I should.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Probably because you have it locked with Ad-Aware 7 and or AVG Antispyware or something else. Shutdown all protection software and try again (also try safe boot mode if necessary). (Actually I really recommend that you uninstall Ad-Aware 7).

    Continue with the other steps from my previous message no matter what happens. And then do the below:

    Now please download F-Secure's BlacklightBeta
    • Download fsbl.exe and save it to the Desktop.
    • Once saved... double click fsbl.exe to install the program.
    • Click accept agreement and Click scan
    • This application may trigger a warning from your antivirus. Let the driver load. Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please attach the BlackLight log.

     
  29. smssoleimani

    smssoleimani Private First Class

    Well I already uninstalled Ad-Aware 2007 a while ago when you told me to. And I just tried again (I closed AVG Anti-Virus, and Anti-Spyware); the only thing in the task bar is Comodo FireWall Pro, and Volume, and the only thing open is WMM because I'm in the middle of saving something, but it's not affecting anything. But it still gave me the same error message. All Anti-Malware applications I have now are:

    Spybot - Search & Destroy
    AVG Anti-Spyware
    AVG Free
    a-squared Free
    Windows Defender
    ATF-Cleaner
    CCleaner
    COMODO Firewall Pro
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This should be shutdown too.

    Nothing else, I repeat, nothing else should be running when trying to remove malware from a PC other than what we ask you to run. If you are doing anything else then do not attempt to run any cleanup steps. In addition, you should not be downloading or installing anything but what we ask you to do while we are trying to clean your PC because it will change log contents and show things we had not seen before, thus confusing the cleaning steps.

    You said you have A-squared and Windows Defender installed. Did you shut them down? They will run in the background. It may be easier during this process if you just uninstall them (at least for now).


    You still need to follow my instructions! I said you should continue no matter what!
    Spybot - Search & Destroy
    AVG Anti-Spyware
    AVG Free
    a-squared Free
    Windows Defender
    ATF-Cleaner
    CCleaner
    COMODO Firewall Pro
     
  31. smssoleimani

    smssoleimani Private First Class

    OK, I uninstalled them, and shut all Anti-Malware programs down. Still got the error while trying to do what you said in post #26. Should I not do that and do what you said in post #28? I need to catch up to you, you're ahead of me, this error set me back.
     
  32. smssoleimani

    smssoleimani Private First Class

    Attachment, it found nothing by the way.
     

    Attached Files:

  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I already said in message # 28
     
  34. smssoleimani

    smssoleimani Private First Class

    OK well I'm caught up, and did everything except what that error isn't letting me do. I posted the log you requested in my last post. It did not find anything. What's next? By the way you're helping greatly. Thanks.
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run DelDomains.inf?
     
  36. smssoleimani

    smssoleimani Private First Class

    Yes, and:

     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Attach new logs from ShowNew and HJT so I can see exactly what is still installed and running. It is quite possible that your problems are not malware related. Please answer some questions:

    1. Are you logged into an account with administrator privileges?
    2. How many sites/URLs do you have problems accessing, and which ones?
    3. What browser are you using?
    4. Have you tried using another browser?
    5. Does it happen in safe boot?
     
  38. smssoleimani

    smssoleimani Private First Class

    1. I believe so, how do I find out?

    2.
    http://www.bleepingcomputer.com/for...move_Browser_Hijackers_and_Spyware-tut42.html
    http://www.bleepingcomputer.com/
    http://www.castlecops.com/CLSID.html
    http://www.castlecops.com/StartupList.html
    http://www.castlecops.com/

    3. Mozilla FireFox

    4. Yes, IE and Safari for Windows, both didn't work

    5. Tried, no success
     

    Attached Files:

  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So you are saying the exact same thing happens in safe boot mode???


    Open Control Panel and select User Accounts. Read what it says for your account.

    Enter this into your browser and hit Go or Enter: http://216.213.19.27

    What happens?

    Run DelDomains.inf again but this time DO NOT rerun Spybot. Don't redo Spybot until I ask you to.

    What are the below files for/from
    Code:
    "C:\WINDOWS\temp\"
    jbigi1~1.tmp  Jun 16 2007       76876  "jbigi14175lib.tmp"
    jbigi1~2.tmp  Jun 16 2007       76876  "jbigi12425lib.tmp"
    jbigi1~3.tmp  Jun 17 2007       76876  "jbigi13052lib.tmp"
    jbigi1~4.tmp  Jun 18 2007       76876  "jbigi17125lib.tmp"
    jbigi2~1.tmp  Jun 14 2007       76876  "jbigi21229lib.tmp"
    jbigi2~2.tmp  Jun 14 2007       76876  "jbigi22043lib.tmp"
    jbigi2~3.tmp  Jun 15 2007       76876  "jbigi21434lib.tmp"
    jbigi2~4.tmp  Jun 16 2007       76876  "jbigi29063lib.tmp"
    jbigi4~1.tmp  Jun 15 2007       76876  "jbigi49192lib.tmp"
    jbigi4~2.tmp  Jun 16 2007       76876  "jbigi46688lib.tmp"
    jbigi4~3.tmp  Jun 18 2007       76876  "jbigi44825lib.tmp"
    jbigi4~4.tmp  Jun 18 2007       76876  "jbigi40805lib.tmp"
    jbigi5~1.tmp  Jun 14 2007       76876  "jbigi5118lib.tmp"
    jbigi5~2.tmp  Jun 17 2007       76876  "jbigi50522lib.tmp"
    jbigi6~1.tmp  Jun 18 2007       76876  "jbigi61355lib.tmp"
    jbigi6~2.tmp  Jun 18 2007       76876  "jbigi62905lib.tmp"
    jbigi7~1.tmp  Jun 15 2007       76876  "jbigi7834lib.tmp"
    jbigi7~2.tmp  Jun 17 2007       76876  "jbigi7174lib.tmp"
    jc5302~1.tmp  Jun 15 2007       40960  "jcpuid21433lib.tmp"
    jc5604~1.tmp  Jun 18 2007       40960  "jcpuid61354lib.tmp"
    jc5a83~1.tmp  Jun 18 2007       40960  "jcpuid44824lib.tmp"
    jc5a87~1.tmp  Jun 18 2007       40960  "jcpuid40804lib.tmp"
    jc5c8c~1.tmp  Jun 18 2007       40960  "jcpuid62904lib.tmp"
    jc6dfa~1.tmp  Jun 16 2007       40960  "jcpuid29062lib.tmp"
    jc6e8a~1.tmp  Jun 16 2007       40960  "jcpuid46687lib.tmp"
    jcc23f~1.tmp  Jun 15 2007       40960  "jcpuid7833lib.tmp"
    jcc6b2~1.tmp  Jun 17 2007       40960  "jcpuid7173lib.tmp"
    jcd104~1.tmp  Jun 18 2007       40960  "jcpuid17124lib.tmp"
    jcd184~1.tmp  Jun 16 2007       40960  "jcpuid14174lib.tmp"
    jcd18d~1.tmp  Jun 17 2007       40960  "jcpuid50521lib.tmp"
    jcd482~1.tmp  Jun 16 2007       40960  "jcpuid12424lib.tmp"
    jcdafe~1.tmp  Jun 17 2007       40960  "jcpuid13051lib.tmp"
    jcpuid~1.tmp  Jun 14 2007       40960  "jcpuid21228lib.tmp"
    jcpuid~2.tmp  Jun 14 2007       40960  "jcpuid5117lib.tmp"
    jcpuid~3.tmp  Jun 15 2007       40960  "jcpuid49191lib.tmp"
    jcpuid~4.tmp  Jun 14 2007       40960  "jcpuid22042lib.tmp"
    
    Put the below file into a ZIP file and attach it here:
    C:\WINDOWS\system32\MS.EXE
     
  40. smssoleimani

    smssoleimani Private First Class

    1. OK, I am the administrator.

    2. "Forbidden

    You don't have permission to access / on this server."

    3. I have no idea where those temp files are for/from.
     

    Attached Files:

    • MS.zip (File size: 21.9 KB)
    Last edited by a moderator: Jun 19, 2007
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run the DelDomains command? Did you retry connecting to the IP address afterwards?

    Please don't quote procedures. It clutters up the thread. It is not normally necessary except to address individual comments or questions, like I did in message # 8 to respond to certain things from you.

    Rename C:\WINDOWS\system32\MS.EXE to C:\WINDOWS\system32\MS.EXE.BAK

    Then reboot your PC and make sure that no errors occur relating to this MS.EXE file name.

    Try temporarily bypassing your router. That is, connect your cable modem directly to your PC. Does that change anything?

    Do you have another PC that can be connected to the router (once the router is reinserted into the loop)?



    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    Now attach new logs from ShowNew and from HJT.


    NOTE: I just noticed something that has nothing to do with your problem but you need to fix it. You have your Windows Environment path variable totally messed up. It is way too long and has loads of duplicate entries in it. I'm not sure how you did this but you need to fix it. Delete all duplicates. Here is your current path
    You really should remove the first item completely:
    C:\Documents and Settings\Owner\Desktop\LimeWire\stuff\Software, Programs, Games\My Programs\Circumventor\ActivePerl\bin\

    And this c:\perl\bin\ should be at the end.
     
    Last edited: Jun 19, 2007
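The path cleanup asked for above, as an added example (not a tool from the thread): it splits a Windows PATH value, finds entries that repeat an earlier one (case and trailing backslash ignored, as Windows treats them), drops the duplicates, removes one entry outright and moves another to the end. The sample PATH is constructed; only the Circumventor entry, c:\perl\bin\ and the Java bin folder come from the thread.

```python
"""Audit and clean a Windows PATH value: report duplicates, drop an unwanted entry,
move another to the end, and point out entries that live under a user profile
(a folder any user can write to near the front of PATH is where a planted
executable would be found before the real one)."""
import ntpath

# Constructed sample PATH. Entry order and repeats are made up for the demonstration.
CIRCUMVENTOR = (r"C:\Documents and Settings\Owner\Desktop\LimeWire\stuff"
                r"\Software, Programs, Games\My Programs\Circumventor\ActivePerl\bin" + "\\")
PERL_BIN = r"c:\perl\bin" + "\\"
SAMPLE_PATH = ";".join([
    CIRCUMVENTOR,
    PERL_BIN,
    r"C:\WINDOWS\system32",
    r"C:\WINDOWS",
    r"C:\WINDOWS\System32\Wbem",
    r"C:\Perl\bin",                        # same folder as c:\perl\bin\ (case, slash)
    r"C:\WINDOWS\system32",                # exact repeat
    r"C:\Program Files\Java\jre1.6.0_01\bin",
    PERL_BIN,                              # repeated again
])


def normalize(entry):
    """Comparison key: quotes and whitespace stripped, trailing backslash removed,
    case folded. Windows resolves all of these to the same folder."""
    return ntpath.normpath(entry.strip().strip('"')).lower()


def split_path(value):
    """PATH entries in order, ignoring empty fields from stray ';;'."""
    return [e for e in value.split(";") if e.strip()]


def find_duplicates(value):
    """Entries that repeat an earlier entry, in the order they appear."""
    seen, dupes = set(), []
    for entry in split_path(value):
        key = normalize(entry)
        if key in seen:
            dupes.append(entry)
        seen.add(key)
    return dupes


def profile_entries(value, profile_root=r"C:\Documents and Settings"):
    """(position, entry) for entries under the user-profile tree, i.e. writable by
    the logged-on user; position 0 means it is searched first."""
    root = normalize(profile_root) + "\\"
    return [(i, e) for i, e in enumerate(split_path(value))
            if normalize(e).startswith(root)]


def clean_path(value, remove=(), move_to_end=()):
    """Rebuild PATH without duplicates, without `remove` entries, and with the
    first occurrence of each `move_to_end` entry appended last (in that order)."""
    remove_keys = {normalize(r) for r in remove}
    end_keys = [normalize(m) for m in move_to_end]
    kept, deferred, seen = [], {}, set()
    for entry in split_path(value):
        key = normalize(entry)
        if key in seen or key in remove_keys:
            continue                       # duplicate or unwanted: drop it
        seen.add(key)
        if key in end_keys:
            deferred[key] = entry          # keep original spelling, place later
        else:
            kept.append(entry)
    kept += [deferred[k] for k in end_keys if k in deferred]
    return ";".join(kept)


if __name__ == "__main__":
    print("duplicates:", find_duplicates(SAMPLE_PATH))
    print("profile entries:", profile_entries(SAMPLE_PATH))
    print("cleaned:", clean_path(SAMPLE_PATH, remove=[CIRCUMVENTOR], move_to_end=[PERL_BIN]))
```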
  42. smssoleimani

    smssoleimani Private First Class

    Yes, and yes, but it didn't work.

    "MS.EXE.BAK" worked with no errors

    I will bypass my router soon, and get back to you.

    I do not have another PC.

    I already have ATF cleaner, and I will do what you said after the bypassing of my router.

    I will attach new logs from ShowNew and from HJT once I completed the bypass and ATF cleaner.

    I have no idea what the Windows Environment path is, or what it does. But all I know is that I set up a proxy a while back that uses "ActivePerl 5.8.3 Build 809" and "OpenSA web server 2". I and other students at my school use this to get to blocked websites at my school (Myspace, Facebook, etc). This site told me how to set it up:

    http://www.peacefire.org/circumventor/simple-circumventor-instructions.html

    Remember this "O4 - Startup: check-ip-changed.bat". Well I believe this proxy uses it to determine if my IP changed.

    I don't think this is causing the error, but it's a possibility. If you really want me to get rid of it I can.

    Here is what the proxy is and this is what we used in my school:

    https://68.198.136.189/cgi-bin/nph-049529.cgi

    I will now do the bypass, ATF, and attach new logs.
     
  43. smssoleimani

    smssoleimani Private First Class

    Bypass didn't work, right now I'm only connected to my modem. And ATF didn't make it work either, but cleared a lot of junk out.
     

    Attached Files:

  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It would be good if you could borrow one to try a quick test that goes thru your router and cable modem just to see if it works. Something is blocking access to those sites and it is not malware.

    That's all well and good but it still remains that your path is messed up and has many duplicate entries in it that do not belong there. I repeat that this has nothing to do with your problem though. It is just an observation.

    Have HJT fix that line and then reboot. And see if there is any change, if not, you can just restore from HJT's backups.

    ATF was only meant to cleanup the junk. I did not expect it to fix the problem. It appears that it did not cleanup all those unknown files from your C:\WINDOWS\temp folder though. Did you run ATF-Cleaner before getting the new log from ShowNew? Try deleting all the files in this folder yourself. What happens?


    Whose PC is this? As in who owns it?
    Can you log into the account that is actually named Administrator and is only viewable in safe mode?

    What do you see inside of the C:\WINDOWS\System32\drivers\etc\hosts file? Paste the contents here.

    What are the below two services supposed to be doing?
    O23 - Service: Freenet 0.7 darknet-8888 (freenet-darknet-8888) - Unknown owner - C:\Program Files\Freenet\bin\wrapper-windows-x86-32.exe" -s "C:\Program Files\Freenet\wrapper.conf (file missing)
    O23 - Service: GNUnet - Unknown owner - C:\Program Files\GNU\GNUnet\bin\gnunetd.exe" --win-service (file missing)
     
  45. smssoleimani

    smssoleimani Private First Class

    I am going to uninstall the proxy thing I have set up, which will (most likely) get rid of "O4 - Startup: check-ip-changed.bat". If not then I will have HJT remove it.

    When I tried to delete the stuff in the temp folder it gave me this error message:

    "Error Deleting File or Folder"

    "Cannot delete 2332: Access is denied.

    Make sure the disk is not full or write-protected
    and that the file is not currently in use"

    "OK"


    I uninstalled the proxy completely and it did not get rid of "O4 - Startup: check-ip-changed.bat". Should I get rid of it, for there is no longer any need to keep it anymore? And in Firefox it now doesn't go to the page, it instead says:

    "Alert"

    "Firefox can't establish a connection to the server at www.bleepingcomputer.com."

    "OK"


    When I logged on to the Administrator account in Safe Mode, I saw this:

    [IMG]

    [IMG]

    And I have no idea what:

    O23 - Service: Freenet 0.7 darknet-8888 (freenet-darknet-8888)
    O23 - Service: GNUnet

    Are.

    Do you want a new log of anything? I believe whatever idea you have to resolve this will now work due to the removal of the proxy.
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes have HJT fix this line now!!


    All this junk seems to be related to the stuff you or someone else installed. You need to keep better track of what is installed on your PCs and what it is used for. These files all seem to relate to the Freenet and GNUnet services I asked you about. Are you sure you don't know what this stuff is and who installed it? Take a look thru the below links. Does anything ring a bell:

    http://dev.i2p.net/pipermail/i2p/2004-August/000419.html

    http://emu.freenetproject.org/pipermail/cvs/2006-January/013056.html



    Why do I see a bunch of hosts backup files in your etc folder? I see them in the snapshot you posted. Are you using ieSpyad or MVP hosts to create large hosts files to block bad websites? I personally don't agree with this philosophy for a variety of reasons. What I also don't understand is why you are being blocked from deleting the files. This should not happen unless you are running something to lock them or unless you do not have administrator privileges. The contents of your hosts file, which I was trying to fix with Hoster, could be blocking you from accessing certain websites.
     
  47. smssoleimani

    smssoleimani Private First Class

    OK "O4 - Startup: check-ip-changed.bat" is gone. Those two links do not ring a bell at all. What should we do to get rid of that junk? If it's from those two programs then should we delete them? I have no idea what:

    O23 - Service: Freenet 0.7 darknet-8888 (freenet-darknet-8888)
    O23 - Service: GNUnet

    Are. Do you want me to post a new ShowNew and HJT since I deleted the "O4 - Startup: check-ip-changed.bat"? But before I do the scan for both, should I run ATF?

    I have no idea what "ieSpyad or MVP" is. Can HJT remove the junk in the etc folder, or some other program?
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I will work up a procedure to get rid of them. It would have been better to use uninstall but I don't see them in your uninstall list. Does anything like them appear in Add/Remove Programs? If so, uninstall them.

    Yes after running ATF Cleaner and all other steps in the message, attach new logs.

    No HJT cannot remove them. We tried some other methods but I believe you were denied the ability to delete them. Try logging into safe boot mode using the Administrator account. See if you can manually delete the hosts file and then all of the other backup files with hosts in the name. Also delete the hosts.mvp file. Do not delete anything else.
     
  49. smssoleimani

    smssoleimani Private First Class

    OK, I went into the Administrator account, deleted all the files except:

    lmhosts - SAM File
    networks - File
    protocol - File
    services - File

    Went back into normal boot mode, checked if the files were deleted on my account as well, they are deleted. THE SITES WORK. FINALLY. THANK YOU SO MUCH :D. What should I do now to prevent something like this from happening again? What files should I now delete that we used but now I don't need anymore? I will post the new logs just in case there are any other errors like the "Window Environment path" problem which I don't know how to fix.
     

    Attached Files:

  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is why way back I was trying to get HostsXpert to run. I suspect your hosts files were blocking you but for some reason you kept having problems running it or even manually deleting files.

    Posted at the end.

    You will have to take this to the Software Forum but however you added it to begin with, you need to do the same to edit all the dupes and junk out. It is found by right clicking My Computer and selecting Properties, Advanced, and then the Environment Variables tab. It is rather awkward editing in there since Microsoft chose to make the popup edit window pretty useless.


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
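    The thread's root cause, confirmed in the post above and first suspected in post 46, was a hosts file that had grown large enough to black-hole a support site along with the ad servers it was meant to block. The script below is an added example written for this thread, not HostsXpert, Hoster or any tool the staff used: it parses a hosts file the way the resolver reads it (comments stripped, one address followed by one or more names), reports names that are sent to a loopback or 0.0.0.0 address when they are sites you need, separately reports names sent to any other address (worth reviewing, because such a redirect silently sends traffic to a host you did not pick), and can write back a copy with only the offending lines removed. The sample hosts text is constructed; only www.bleepingcomputer.com and the hosts file path come from the thread, and the function names are this example's own.

```python
"""Audit a Windows hosts file for entries that block or redirect web sites.
Added example for this thread, not a tool the forum staff used.  On Windows XP
the live file is C:\\WINDOWS\\System32\\drivers\\etc\\hosts (path from the
thread); the SAMPLE_HOSTS text below is constructed."""
import ipaddress
from dataclasses import dataclass, field

# Addresses that ad-blocking hosts lists use to "null-route" a name.
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that are supposed to resolve to loopback; never reported.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


@dataclass
class HostsEntry:
    line_no: int
    address: str
    names: list = field(default_factory=list)


def parse_hosts(text):
    """Return the active entries of a hosts file as HostsEntry objects."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()        # drop comments
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            continue                               # address with no name
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # malformed; resolver skips it
        entries.append(HostsEntry(line_no, fields[0], [n.lower() for n in fields[1:]]))
    return entries


def audit_hosts(text, needed_domains):
    """'blocked'    = a needed site mapped to a black-hole address
       'redirected' = any name mapped somewhere other than loopback"""
    needed = {d.lower() for d in needed_domains}
    report = {"total": 0, "blocked": [], "redirected": []}
    for entry in parse_hosts(text):
        report["total"] += 1
        for name in entry.names:
            if name in LOCAL_NAMES:
                continue
            if entry.address in BLACKHOLE:
                if name in needed:
                    report["blocked"].append((entry.line_no, name))
            else:
                report["redirected"].append((entry.line_no, name, entry.address))
    return report


def remove_blocks(text, needed_domains):
    """Return the hosts text with lines that black-hole a needed domain removed;
    comments, localhost and unrelated entries are kept exactly as they were."""
    needed = {d.lower() for d in needed_domains}
    drop = {e.line_no for e in parse_hosts(text)
            if e.address in BLACKHOLE and any(n in needed for n in e.names)}
    kept = [raw for i, raw in enumerate(text.splitlines(), start=1) if i not in drop]
    return "\n".join(kept) + "\n"


# Constructed sample: a hosts file padded by an ad-block list, with one
# support site (the one named in the thread) black-holed by mistake.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net        # constructed ad-block entry
127.0.0.1       www.bleepingcomputer.com
10.0.0.5        intranet.example.org   # constructed redirect to a LAN address
this is not a hosts entry
"""
NEEDED = ["www.bleepingcomputer.com"]

if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS, NEEDED)
    print(f"{result['total']} active entries")
    for line_no, name in result["blocked"]:
        print(f"line {line_no}: {name} is black-holed")
    for line_no, name, addr in result["redirected"]:
        print(f"line {line_no}: {name} is redirected to {addr}")
    print(remove_blocks(SAMPLE_HOSTS, NEEDED))
```

    To run it against the real file, read C:\WINDOWS\System32\drivers\etc\hosts into a string and pass it to audit_hosts with the list of sites that fail for you; write the output of remove_blocks to a copy first and swap it in from the Administrator account, as was needed in this thread, since the live file may be locked or write-protected.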
     
