trying to make it through the first part..

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Deemer, Nov 17, 2007.

  1. Deemer

    Deemer Private E-2

    hi all,

    I'm trying to get through the "read & run me first" but it's proving to be quite difficult. I can't seem to get my computer to boot in safe mode via F8 or msconfig.exe. Please help, as I'm trying to get rid of these nasty Chinese pop-ups!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Run the below new version of the READ ME which does not require safe boot mode and it is also a much shorter, faster, and easier version to run.


    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    Read & RUN ME FIRST Before Asking for Support
     
  3. Deemer

    Deemer Private E-2

    Hi Chaslang,

    I'm attempting to run ComboFix and all I'm getting is "Stack Overflow" and then it disappears. Any suggestions?


     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Shutdown any antivirus and antispyware programs that are running and try again. If this does not help, try doing the below.

    Run this Virtumonde aka Trojan Vundo Removal and do not attach the requested log right away. Run it multiple times until it comes up clean and then attach the final log.

    Even if ComboFix and VundoFix will not run, just continue.
     
  5. Deemer

    Deemer Private E-2

    I had no logs show up for anything (Vundo, ComboFix, AVG) except for the MGTools.zip logs which I am attaching. Please let me know if there is anything I was supposed to do--thanks!
     

    Attached Files:

    Last edited by a moderator: Nov 20, 2007
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The VundoFix log is right where the procedure said it would be: C:\VundoFix.txt

    AVG Antispyware does not create a log automatically. You have to follow the instructions in the READ ME to create one.

    Your PC appears to be missing a required Windows system file. The file named regedit.exe, which is the Windows Registry Editor, appears to be missing. As a result, two of your logs are incomplete (the newfiles.txt and runkeys.txt logs). Do you have your Windows XP boot CD? Also do the below and tell me what you get:

    Click Start and select Search
    Now Select "All files and folders"
    Enter the regedit in the "All or part of the file name:" box
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    • Search system folders
    • Search hidden files and folders
    • Search subfolders
    Then click the Search button.

    Report back where matches to regedit are found.



    Now run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O24 - Desktop Component 0: (no name) - (no file)

    After clicking Fix, exit HJT.

    Now download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button.
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
    Now delete the below files:
    C:\Program Files\Internet Explorer\IEXPLORE32.bbs
    C:\Program Files\Internet Explorer\IEXPLORE32.Dak
    C:\Program Files\Internet Explorer\IEXPLORE32.Dat
    C:\Program Files\Internet Explorer\IEXPLORE32.ime
    C:\Program Files\Internet Explorer\IEXPLORE32.jmp
    C:\Program Files\Internet Explorer\IEXPLORE32.New
    C:\Program Files\Internet Explorer\IEXPLORE32.Sys
    C:\Program Files\Internet Explorer\IEXPLORE32.Tmp
    C:\Program Files\Internet Explorer\IEXPLORE32.win


    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.
     
  7. Deemer

    Deemer Private E-2

    I've attached the VundoFix log and there was not a record created with AVG--I have run it twice and the report section came up blank.

    I do have my XP boot CD around..

    I've attached the Print Screen from doing the regedit.exe search as a JPEG. Hope this helps.

    Running HiJackThis, I got multiple errors, one of which that read:

    Please help us improve HijackThis by reporting this error

    Click 'Yes' to submit

    Error Details:

    An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O24 - Desktop Component 0: (no name) - (no file))
    Error #53 - File not found

    Windows version: Windows NT 5.01.2600
    MSIE version: 6.0.2900.2180
    HijackThis version: 2.0.2

    I also got errors for HostsXpert and the program disappeared on me because of those errors.. I was also unable to delete most of the iexplorer files you directed me to.
     

    Attached Files:

    Last edited by a moderator: Nov 20, 2007
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the c:\i386\regedit.exe file into your c:\windows\system32 folder

    If you get it copied properly then run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.


    Try deleting them after booting in safe mode.
     
  9. Deemer

    Deemer Private E-2

    I tried copying the file into my folder, but when I ran the scan it said that it wasn't there, though I saw the file in the folder. I've attached the new log after trying what you told me to do.

    I also tried deleting the internet registry things in safe mode.. didn't really work. I managed to delete a few of them but the others came up with errors.

    Thanks for your help with this--I appreciate it!

     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure it is there? Check again right now. Right click Start and select Explore. Navigate to C:\Windows. Do you see regedit.exe? If so, what is the size and date on the file? Also, is there anything else with a similar name (like regedit.com, regedit.bat.....etc)?
     
  11. Deemer

    Deemer Private E-2

    Regedit.exe is there -- 143 KB, 8/29/2002
    That's all I see with "regedit" in the name.

     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click Start, Run, and enter regedit and click OK. What happens?
     
  13. Deemer

    Deemer Private E-2

    "Windows could not find 'regedit'"

     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This means that Windows believes regedit.exe is not in C:\Windows.

    Are you sure that you saw regedit.exe there, or was it regedit.ex_?
     
  15. Deemer

    Deemer Private E-2

    It's regedit.exe in C:\Windows
    I am trying to attach a print screen of what exactly I see, but it's proving to be too big as an attachment.

     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click Start, Run and enter cmd and click OK. This will open a command prompt window. In the command prompt window enter each of the below commands. There are spaces after the cd, after the dir, after the

    cd C:\Windows
    dir > c:\wfiles.txt
    regedit

    Tell me what happens after you enter the regedit command.

    Then try regedit.exe and tell me what happens.


    Also attach the c:\wfiles.txt file to your next message

    When you run AVG Antispyware, does it find any problems?

    Do you have your Windows XP boot CD?
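The check chaslang asks for in messages #10 and #16 (what is actually in C:\Windows, and whether something with a similar name sits next to regedit.exe) can be mechanised from the `dir > c:\wfiles.txt` output. The script below is an added example, not from the thread or MajorGeeks: it parses a `dir` listing, reports every entry whose base name is regedit, and emulates how cmd.exe picks the file for a bare `regedit` command by walking PATHEXT in order. The listing is constructed; the regedit.com entry is hypothetical, included only to show why similarly named files matter, and the thread does not establish that this is what happened on Deemer's PC.

```python
"""
Added example (not from the thread): parse a Windows `dir` listing such as the
c:\\wfiles.txt produced in message #16, list every regedit.* entry with its size
and date, and work out which file cmd.exe would launch for the bare command
`regedit` using the PATHEXT lookup order.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `dir` output, not the real wfiles.txt. The regedit.exe
# size/date match what Deemer reported (143 KB, 8/29/2002); regedit.com is a
# hypothetical look-alike added to illustrate the PATHEXT shadowing check.
SAMPLE_DIR_LISTING = """\
 Volume in drive C has no label.
 Directory of C:\\Windows

11/20/2007  09:12 AM    <DIR>          .
11/20/2007  09:12 AM    <DIR>          ..
08/29/2002  07:00 AM           146,432 regedit.exe
11/18/2007  11:03 PM            48,640 regedit.com
08/29/2002  07:00 AM           146,432 notepad.exe
               3 File(s)        341,504 bytes
"""

# Default PATHEXT order on Windows XP: cmd.exe tries .COM before .EXE.
PATHEXT = [".COM", ".EXE", ".BAT", ".CMD", ".VBS", ".VBE", ".JS", ".JSE", ".WSF", ".WSH"]

# Matches file rows only; <DIR> rows and the summary line do not have a numeric size.
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S.*)$")

def parse_dir_listing(text: str) -> Dict[str, Tuple[str, int]]:
    """Map lowercase file name -> (date, size in bytes) for every file row."""
    files: Dict[str, Tuple[str, int]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            date, _time, size, name = m.groups()
            files[name.lower()] = (date, int(size.replace(",", "")))
    return files

def files_named(files: Dict[str, Tuple[str, int]], stem: str) -> List[str]:
    """All entries whose base name (case-insensitive) is `stem`, e.g. regedit.*"""
    return sorted(n for n in files if n.rsplit(".", 1)[0] == stem.lower())

def resolve_command(files: Dict[str, Tuple[str, int]], command: str) -> Optional[str]:
    """Emulate cmd.exe in one directory: the first PATHEXT extension that exists wins."""
    for ext in PATHEXT:
        candidate = (command + ext).lower()
        if candidate in files:
            return candidate
    return None

if __name__ == "__main__":
    listing = parse_dir_listing(SAMPLE_DIR_LISTING)
    for name in files_named(listing, "regedit"):
        print(name, listing[name])
    print("bare `regedit` would run:", resolve_command(listing, "regedit"))
```

If the listing shows only regedit.exe and the command still cannot be found, the cause lies outside the directory contents (for example the PATH used by the shell), which is what the thread is left trying to determine.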
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After doing what I requested in message # 16, please try to do the below. Those IEXPLORE32 files I wanted you to delete are hooked into a bunch of your running processes and that is why you cannot delete them.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.



    Make sure you tell me how things are working now!

    For reference purposes, below is a list of how those trojans are hooking into your processes. The list gives a process name and then, indented, shows which trojan files are hooked in.
    Code:
    The infections are loading up with a bunch of process as seen below.
    SynTPLpr (C:\Program Files\Synaptics\SynTP\SynTPLpr.exe)
             C:\Program Files\Internet Explorer\IEXPLORE32.Dat
             C:\Program Files\Internet Explorer\IEXPLORE32.Sys
     
    avgas (C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe)
             C:\Program Files\Internet Explorer\IEXPLORE32.Dat
             C:\Program Files\Internet Explorer\IEXPLORE32.Sys
     
    explorer (C:\WINDOWS\Explorer.EXE)
             C:\Program Files\Internet Explorer\IEXPLORE32.Sys
             C:\Program Files\Internet Explorer\IEXPLORE32.Dat
             C:\Program Files\Internet Explorer\IEXPLORE32.win
     
    aim (C:\Program Files\AIM95\aim.exe)
             C:\Program Files\Internet Explorer\IEXPLORE32.Dat
             C:\Program Files\Internet Explorer\IEXPLORE32.Sys
     
    mcagent (C:\PROGRA~1\mcafee.com\agent\mcagent.exe)
             C:\Program Files\Internet Explorer\IEXPLORE32.Dat
             C:\Program Files\Internet Explorer\IEXPLORE32.Sys
     
    DSentry (C:\WINDOWS\System32\DSentry.exe)
             C:\Program Files\Internet Explorer\IEXPLORE32.Dat
             C:\Program Files\Internet Explorer\IEXPLORE32.Sys
     
    wscntfy (C:\WINDOWS\system32\wscntfy.exe)
             C:\Program Files\Internet Explorer\IEXPLORE32.Dat
             C:\Program Files\Internet Explorer\IEXPLORE32.Sys
     
    SynTPEnh (C:\Program Files\Synaptics\SynTP\SynTPEnh.exe)
             C:\Program Files\Internet Explorer\IEXPLORE32.Dat
             C:\Program Files\Internet Explorer\IEXPLORE32.Sys
     
    Last edited: Dec 1, 2007
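The listing in message #17 explains why the IEXPLORE32.* files would not delete in messages #7 and #9: a file that a running process has loaded is held open and cannot be removed until that process is gone, which is the reason for a boot-time tool such as Avenger. The script below is an added example, not from the thread or MajorGeeks: it parses a listing in the same format (process line, then indented paths of the files loaded into it) and inverts it, so each file shows which processes hold it. The excerpt is constructed in the thread's layout and covers two of the processes listed above.

```python
"""
Added example (not from the thread): parse the process-hook listing format used
in message #17 and invert it to answer "which running processes hold this file?"
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed excerpt in the same layout as the thread's list (two processes).
SAMPLE_HOOKS = """\
explorer (C:\\WINDOWS\\Explorer.EXE)
         C:\\Program Files\\Internet Explorer\\IEXPLORE32.Sys
         C:\\Program Files\\Internet Explorer\\IEXPLORE32.Dat
         C:\\Program Files\\Internet Explorer\\IEXPLORE32.win

wscntfy (C:\\WINDOWS\\system32\\wscntfy.exe)
         C:\\Program Files\\Internet Explorer\\IEXPLORE32.Dat
         C:\\Program Files\\Internet Explorer\\IEXPLORE32.Sys
"""

# A process line is "name (path)"; a missing closing paren, as in the thread's
# SynTPLpr line, is tolerated because only the name before "(" is needed.
PROCESS_RE = re.compile(r"^(\S+)\s+\(")

def parse_hooks(text: str) -> Dict[str, List[str]]:
    """process name -> hooked file paths, in listing order."""
    hooks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue                      # blank separator between processes
        if not raw[0].isspace():          # unindented: a new process line
            m = PROCESS_RE.match(raw)
            if m is None:
                continue                  # skip free-text lines such as a heading
            current = m.group(1)
            hooks[current] = []
        elif current is not None:         # indented: a file loaded by that process
            hooks[current].append(raw.strip())
    return hooks

def files_to_processes(hooks: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Invert the map: file path -> sorted names of processes holding it."""
    inv = defaultdict(set)
    for proc, paths in hooks.items():
        for path in paths:
            inv[path].add(proc)
    return {path: sorted(procs) for path, procs in inv.items()}

if __name__ == "__main__":
    for path, procs in files_to_processes(parse_hooks(SAMPLE_HOOKS)).items():
        print(f"{path} is held open by: {', '.join(procs)}")
```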
  18. Deemer

    Deemer Private E-2

    Hello! I hope you had a happy Thanksgiving--

    When I tried running regedit through the command box, it said that it could not be located. I've attached the c:\wfiles.txt like you asked me to. I don't believe I have my Windows boot CD.. is that going to be a problem?

    Am in the process of running AVG and will let you know how that goes.

    Thanks so much!



     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach anything.

    Yes it could be a problem not having your CD.

    It is not necessary to quote my procedures unless you are directly answering specific things within the message, like I did in message # 8. Quoting just clutters the thread up.
     
  20. Deemer

    Deemer Private E-2

    sorry-
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well I see regedit.exe right there in your C:\Windows folder where it is supposed to be. I'm not sure why your system says it cannot be located.

    Follow the instructions I gave you in message # 17 and then attach the new requested logs.
     
