Very Challenging Worm 2

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Vast41, Feb 28, 2006.

  1. Vast41

    Vast41 Private First Class

    I have a similar problem to the one posted by Ezuku, computer keeps shutting down with the scans I attempt to make, tried AVG, House Call, I just don't know where to start. Nasty worm this is, please help.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    How much of what was posted in the other thread have you done? Explain?

    Can you run steps from the READ & RUN ME sticky? If not, explain exactly what you can and cannot run?
    Do any of the tools run?
    What about HijackThis?
    Does your PC reboot when you try to run the tools?

    Did you try GetRunKey125b.bat?
     
  3. Vast41

    Vast41 Private First Class

    chaslang, I am about to upload the GetRunKey125b.zip file for your viewing. I have HijackThis and will send results momentarily. When I run my scans the PC does reboot. Stand by for results please. I hope I uploaded the notepad correctly, I will be here as long as it takes.
     


  4. Vast41

    Vast41 Private First Class

    My hijackthis results.
     


  5. Vast41

    Vast41 Private First Class

    I have run CCleaner, and I have just downloaded smitRem.exe and while I am waiting for you I will boot in safe mode and follow the instructions, thank you.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why are you uploading my attachment here? You are supposed to upload the results of running the scan.

    But based on what you have done thus far. Your symptoms are not like the other thread. You need to do the below. You did not even install HJT properly. Please explain your problems and run the below.


    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis


    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
    • Bitdefender
    • Panda Scan
    • HijackThis
     
    Last edited: Feb 28, 2006
  7. Vast41

    Vast41 Private First Class

    I apologize, I will post the result of the running scan.
     
  8. Vast41

    Vast41 Private First Class

    Runkey information you requested, this should be it please bear with me, thank you.
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I said previously, you do not have the same problems as the other thread. You are not even close to having the same problems. You have other problems. Run the steps I gave you in message number 6. It should fix at least some of your problems. One of which is: ISTsvc

    Also you should uninstall this rogue tool: SpySpotter

    Also you are running multiple antivirus applications. Uninstall ALL but one.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you cannot run steps in the READ ME, just take notes on which ones and what happens and continue thru all steps. Then come back and provide the results and attach the requested logs (3 of them as stated in msg # 6).
     
  11. Vast41

    Vast41 Private First Class

    Ok, I didn't even know I had this, but will do, I will follow your instructions as you are taking time to assist me, I will be sending scan results shortly from Bitdefender, Panda, and HijackThis, thanks.
     
  12. Vast41

    Vast41 Private First Class

    Ok, I ran Bitdefender, found nothing, Panda I could not complete the scan, the worm shut me down, at the time I got shut down the results are as follows: Spyware 7....Hacking Tools and Potentially Unwanted Tools 3... I am submitting my HijackThis log, I installed it as per the instructions I received on this site. Thank you again for your patience.
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What about MS Windows Defender and Spybot? Also Microsoft Windows Malicious Software Removal Tool ?

    Please install HJT properly (read step 7 again). You installed it exactly where we ask you not to install it. Fix this while I look at your log.

    Who is opening multiple notepad sessions? Is it you?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your HJT log seems to be filtered or edited? There do not seem to be very many O4 lines loading startup processes and there should be. Are you filtering anything or are you using msconfig to control startups?

    Are the below something you installed? Because they are malware. Look for them in Add/Remove programs. Tell me if found and also uninstall if found.

    C:\PROGRA~1\NetGuide\BHO\NETGUI~1.DLL (file missing)
    C:\PROGRA~1\Grip\Toolbar\CURSOR~1\gripcz41.dll
     
  15. Vast41

    Vast41 Private First Class

    I haven't tried MS Windows Defender and Spybot, and Microsoft Windows Malicious Software Removal, will try that next. I will reinstall HJT. I do control startups with msconfig, tell me how to change that please. It is me who has all the notepad sessions, that's how I save a lot of text data. Thanks again for your time.
     
  16. Vast41

    Vast41 Private First Class

    I am running a Kaspersky scan right now, then i will look for these malware files.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    ALL steps in the READ ME were supposed to be run and in the order given. If you skip things or change the order, you only hurt you and waste my time. Please follow directions. Directions on not using MSCONFIG are also in the READ ME (in step 7's links). You need to follow ALL steps properly.
     
  18. Vast41

    Vast41 Private First Class

    Ok, I have found and removed both these files in Add/Remove.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you see message number 17?

    Okay! I still have those items you just uninstalled in the steps below just in case they show up. Just ignore any items you no longer see.

    Your Sun Java version needs updating but that can wait until later. Just remember we need to do it when finished cleaning the malware.
    Finish running all the tools you have not run and then continue with the below steps.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: (no name) - _{0FD7DAF0-BBEF-4990-B19E-2805D280571F} - (no file)
    O2 - BHO: NetGuideBHO Class - {0FD7DAF0-BBEF-4990-B19E-2805D280571F} - C:\PROGRA~1\NetGuide\BHO\NETGUI~1.DLL (file missing)
    O2 - BHO: MSProxy Support Dll - {1920E150-5D27-4B95-B60B-D68B78928441} - C:\WINDOWS\system32\msprxcore.dll
    O2 - BHO: Grip Toolbar - {4E7BD74F-2B8D-469E-A38A-E56FA49CA83A} - C:\PROGRA~1\Grip\Toolbar\CURSOR~1\gripcz41.dll
    O3 - Toolbar: Grip Toolbar - {4E7BD74F-2B8D-469E-A38A-E56FA49CA83A} - C:\PROGRA~1\Grip\Toolbar\CURSOR~1\gripcz41.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O8 - Extra context menu item: Grip.com - file://C:\Program Files\GRIPCZ41\Cache\SelectedContextSearch.htm
    O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\ISTsvc <--- the whole folder
    C:\Program Files\Hrncqb <--- the whole folder
    C:\Program Files\Suetyw <--- the whole folder
    C:\Program Files\GRIPCZ41 <--- the whole folder
    C:\Program Files\NetGuide <--- the whole folder
    C:\WINDOWS\system32\msprxcore.dll
    C:\WINDOWS\system32\algpapi.exe
    C:\WINDOWS\system32\aclvcs.exe
    C:\WINDOWS\qyhsotqe.exe
    C:\WINDOWS\zeta.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.
    Also attach a new runkeys.txt log from running GetRunKey125b.bat again.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  20. Vast41

    Vast41 Private First Class

    Sorry, I don't mean to waste your time, I am just so exasperated, I finally got the HJT right, and will post latest HJT and follow latest instructions. Maybe the HJT notepad will help further.
     


  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What does this mean?

    Why are these running?
    C:\windows\system32\NOTEPAD.EXE
    C:\windows\system32\NOTEPAD.EXE
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now your log is showing all the stuff that was hidden! My fix may get some of it.

    But have you run the other tools! They are important to run. They typically fix things like IstSvc

    Did you uninstall SpySpotter like I requested way back? It's still in your log.
     
  23. Vast41

    Vast41 Private First Class

    I have two notepads open, I use them as scrap and keep notes, if that's what those .EXE files are. I am almost done with your instructions, SpySpotter was on the start menu as a shortcut, but not in Add/Remove, I don't know where else to find it other than a search which I will do shortly, as I am still working on your instructions, sorry for the delay but I forgot to place those registry entries, so I had to start all over again when I thought I was done...smh. I will run the other tools as well. Almost done, not giving up.
     
  24. Vast41

    Vast41 Private First Class

    Ok, here we go, I did everything as per your instructions. After I finished and ran HJT I found the SpySpotter in there, I selected fix, hope it worked. I am posting my scans as you request, will run the tools I have and download additional tools and get back to you. Thank you so much for all your help.
     


  25. Vast41

    Vast41 Private First Class

    Worm is still there, computer crashes on most scans, I am so frustrated.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to supply feedback on steps I give you. Most of the items I requested that you fix and files I asked you to delete are still there. Did you have problems finding and deleting these files?

    Did you run ALL the other tools yet?????? If not, stop right now and run ALL of them. Let me know if they find anything.

    Also run this: Running Spy Sweeper, and attach the requested spysweeper.txt log.

    Then attach a new HJT log.
     
  27. Vast41

    Vast41 Private First Class

    Ok, I have to go back to work today, so my replies will be less frequent, I am still in process of running the tools. Those files that are still there cannot be found, at least not where you said they would be. Will get back to you, the computer in question is using dialup.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In an attempt to keep you moving along, I'm posting the next steps but first complete what I gave you in message # 26.

    Make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [Yshzjo] C:\Program Files\Suetyw\Xjzy.exe
    O4 - HKLM\..\Run: [Wuqlefml] C:\Program Files\Hrncqb\Uksg.exe
    O4 - HKLM\..\Run: [p3sQ32e] algpapi.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [EYcOer] C:\WINDOWS\qyhsotqe.exe
    O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
    O4 - HKCU\..\Run: [Y034RSKFR] aclvcs.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - Startup: PowerReg Scheduler.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\ISTsvc <--- the whole folder
    C:\Program Files\Hrncqb <--- the whole folder
    C:\Program Files\Suetyw <--- the whole folder
    C:\Program Files\McAfee.com <--- the whole folder
    C:\WINDOWS\system32\msprxcore.dll
    C:\WINDOWS\system32\algpapi.exe
    C:\WINDOWS\system32\aclvcs.exe
    C:\WINDOWS\qyhsotqe.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Make sure you tell me how things are working now.


    The below line indicates something is broken with a required Windows Service.

    O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)

    Double check to see if the C:\windows\System32\alg.exe file is really missing. If so, you will have to get another copy from your Windows CD or maybe a backup folder on your harddisk.
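
Added example, not part of the original thread and not a MajorGeeks or HijackThis tool: a small Python parser for the HijackThis O4 (startup) and O23 (service) line formats quoted in the posts above. It flags entries marked "(file missing)" and Run values that name a bare file with no directory, and lists which entries from an earlier log still appear in a follow-up log. The follow-up log and the flag names are constructed for illustration, and the flags are triage hints, not a verdict on any file.

```python
import re
from typing import List, NamedTuple, Tuple

# Sample input: HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Yshzjo] C:\Program Files\Suetyw\Xjzy.exe
O4 - HKLM\..\Run: [p3sQ32e] algpapi.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [Y034RSKFR] aclvcs.exe
O4 - Startup: PowerReg Scheduler.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)
"""

# Constructed (hypothetical) follow-up log, as a later scan might look.
FOLLOWUP_LOG = r"""
O4 - HKLM\..\Run: [p3sQ32e] algpapi.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [y034rskfr] ACLVCS.EXE
"""

RUN_RE = re.compile(r"^O4 - (?P<loc>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<cmd>.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<body>.+)$")
MISSING_RE = re.compile(r"\s*\((?:file missing|no file)\)\s*$", re.I)
# HijackThis prints paths unquoted, so "C:\Program Files\..." contains spaces.
# Take everything up to the first executable extension followed by a space or end.
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|dll|com|bat|cmd|scr|pif))(?=\s|$)", re.I)


class Entry(NamedTuple):
    section: str            # "O4" or "O23"
    location: str           # registry key, "Startup" or "Service"
    name: str               # value name, shortcut name or service name
    image: str              # program path with arguments and markers removed
    flags: Tuple[str, ...]  # triage hints (names chosen for this example)


def image_of(cmd: str) -> str:
    """Return the program part of a command line as HijackThis prints it."""
    cmd = MISSING_RE.sub("", cmd).strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    m = IMAGE_RE.match(cmd)
    return m.group(1) if m else (cmd.split() or [""])[0]


def parse(log: str) -> List[Entry]:
    """Parse O4 and O23 lines; other sections and blank lines are skipped."""
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            section, loc, cmd = "O4", m.group("loc"), m.group("cmd")
            name = m.groupdict().get("name") or image_of(cmd)
        else:
            m = SERVICE_RE.match(line)
            # Split from the right so " - " inside a service name is kept.
            parts = m.group("body").rsplit(" - ", 2) if m else []
            if len(parts) != 3:
                continue
            section, loc, (name, _owner, cmd) = "O23", "Service", parts
        image = image_of(cmd)
        flags = []
        if MISSING_RE.search(line):
            flags.append("file-missing")
        # A Run value with no directory is resolved through the search path,
        # so the log line alone does not say which file on disk is launched.
        if not loc.endswith("Startup") and "\\" not in image:
            flags.append("no-directory")
        entries.append(Entry(section, loc, name, image, tuple(flags)))
    return entries


def flagged(log: str) -> List[Entry]:
    """Entries that carry at least one triage hint."""
    return [e for e in parse(log) if e.flags]


def _key(e: Entry) -> Tuple[str, str, str, str]:
    # Registry value names and Windows paths compare case-insensitively.
    return (e.section, e.location.lower(), e.name.lower(), e.image.lower())


def still_present(earlier: str, followup: str) -> List[Entry]:
    """Entries from the earlier log that a follow-up log still shows."""
    seen = {_key(e) for e in parse(followup)}
    return [e for e in parse(earlier) if _key(e) in seen]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(e.section, e.name, e.image, ",".join(e.flags))
    for e in still_present(SAMPLE_LOG, FOLLOWUP_LOG):
        print("still present:", e.location, e.name)
```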
     
  29. Vast41

    Vast41 Private First Class

    Whew, I just want to start off by saying thanks for not forgetting about me, spent the entire night downloading tools, and attempting to run them, this thing shuts down and restarts my PC with every scan I run, except BitDefender, and that found nothing. I will follow your latest instructions and get back to you.
     
  30. Vast41

    Vast41 Private First Class

    Forgot to mention, when running SpyBot, I saw aboutblank files, and just before it shut down, it had trouble scanning through COOLWWWSEARCH. I ran CWShredder, no luck, found nothing.
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So does this mean you could not run SpySweeper?
    How far does it get?
    If you did get it installed and it does at least open, try the below but first save or Print these steps locally because I want you to be offline with no other windows opened while running.

    • Run SpySweeper but do not scan yet. Just leave it open.
    • Press CTRL-SHIFT-ESC to bring up Task Manager. DO NOT CLOSE IT UNTIL I TELL YOU TO.
    • Select the Processes tab and click the Image Name column heading to sort by name
    • Locate all occurrences of IEXPLORE.EXE and right click on them and select End Process
    • Don't be alarmed when doing the next step because your Desktop will blank out and no icons will be showing. It is only temporary.
    • Locate all occurrences of EXPLORER.EXE and right click on them and select End Process
    • Now see if your SpySweeper scan can run to completion. If so, save the log.
    • If not, and your system reboots just tell me later.
    • If not, and your system does not reboot, tell me this too, but now in Task Manager, click File, New Task(Run...) and enter explorer.exe and click OK. This will bring back your Desktop.
    That is typical of Spybot. It is not a problem. There are just so many forms of CWS (around 200) and then it has to scan for each of them looking thru all files. It takes a long time.

    At any rate please run the below (if possible).

    Follow the directions for Running WinPfind by OldTimer.

    Post the WinPFind.txt log.
     
  32. Vast41

    Vast41 Private First Class

    Can I run these instructions below in safe mode? Yes, at the time I could run SpySweeper, left room to get drink of water, came back, computer was already restarting, so I don't know which stage it was at...last night things took turn for the worst, now I can't even start up in normal startup, it restarts, but after everything loads, as though somebody is controlling my computer remotely, computer restarts on its own. I will go to safe mode, change config to selective startup and see what happens, if it starts in selective startup, if so can I run the HJT in selective? HJT does not shut down my PC.
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run them in any mode possible!
     
  34. Vast41

    Vast41 Private First Class

    Well, just an update, sorry for the delay, first you need to know that the mode of the config utility box was in "Selective Startup"...I ran HJT as per post #28 did not find any of these files...


    O4 - HKLM\..\Run: [Yshzjo] C:\Program Files\Suetyw\Xjzy.exe
    O4 - HKLM\..\Run: [Wuqlefml] C:\Program Files\Hrncqb\Uksg.exe
    O4 - HKLM\..\Run: [p3sQ32e] algpapi.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [EYcOer] C:\WINDOWS\qyhsotqe.exe
    O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
    O4 - HKCU\..\Run: [Y034RSKFR] aclvcs.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - Startup: PowerReg Scheduler.exe


    Followed instructions as per post #31, still could not run Spy Sweeper (computer restarts), tried it in normal and safe modes. Did not get a chance yet to try Running WinPfind by OldTimer. My computer right now is restarting constantly, at about the same time as yesterday, right now I can't even get to my desktop.

    I uninstalled AVG and downloaded Norton's 2006, trying to run that, not having much luck at this present time. I downloaded something called X-Cleaner, seemed to find some malware and some other files but it didn't seem to help much.

    What would happen if I tried a system restore, and why has anyone recommended that to me?
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can try using System Restore to get back to a point in time prior to where the malware infected you. It is a matter of figuring out how far back you need to go. But also just a warning, this will make all programs you have installed after the restore date non-functional (like anything just installed for malware removal). It also does not remove malware but just could help to make some components of the malware become dormant. Also note that doing the restore may not fix certain issues, like missing system files. It is worth a try if you have a clean restore point. But after restoring, even if it makes your PC more functional, we should still check for malware that may need to be removed.
     
  36. Vast41

    Vast41 Private First Class

    Well, I am willing to try anything at this point.
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! So here is what I would suggest! Attach a current HijackThis log and then use System Restore and go back to a date prior to where you got this infection.

    Then let us know how things look and also attach a second HijackThis log from after the System Restore.
     
  38. Vast41

    Vast41 Private First Class

    I am back sorry for the delay...I eventually got my computer to stay on long enough to try "WinPfind by OldTimer" and of course Computer restarted during the scan. I tried to do a system restore, I could not even get past selecting the dates.

    So I finally got hooked up with my buddy from McAfee...secured2k, who says he heard of you, I think he said he knows you, I am not sure. He ran a remote control program, he also scanned my computer with his own virus scanner, and after his evaluation, it turns out that it is not a virus shutting down my computer at all, it was overheating...unbelievable, all these sleepless nights. He suggested I open the casing on the CPU, to get air inside, when I opened it I discovered the fan on my motherboard was blown. What I did was I took a room fan and aimed it inside the computer, turned the computer on, and ran Kaspersky AV with no problems, I am currently running other scans as well, and will purchase a new fan Monday.

    I will keep you informed but I would like to thank you very much Chaslang, for your patience, help, concern, and time in this matter, you are a great gift to people that have computer problems the world over, you're a good man, thank you sir!!
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds good! But you did have malware in there too. It would be a real good idea to see if you can complete the whole READ & RUN ME now and attach the logs from step 6. Also attach a new runkeys.txt log (from GetRunKey125b.bat) and also a new HJT log. There was some real nasty stuff hidden in your system, If you can now run all the tools, we should be able to get you fixed up.
     
  40. Vast41

    Vast41 Private First Class

    I need instructions for GetRunKey, please?
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have already run it once before and posted a log in message # 8. But download and run the new version now from:

    Using GetRunKey
     
  42. Vast41

    Vast41 Private First Class

    I am waiting for Panda to finish, then I will attach logs. Let me ask you, I disabled System Restore ONLY after performing steps in 5, but it is still disabled before I am running Bitdefender and Panda ActiveScan, is this ok?
     
  43. Vast41

    Vast41 Private First Class

    Ok, I know I ran GetRunKey as per post #8 but I forgot how to properly run it and I wanted to make sure, if instructions were in post #8 I apologize. I completed the READ & RUN ME, but as I have stated in post #38 I had some additional help, so most of the stuff was gone before completing READ & RUN ME. I completed steps 5 and 6 thoroughly minus; (You have a few options now if you still have problems at this point: See if your problem is covered in one the threads mentioned in another sticky thread titled Special Removal Procedures For example: about:blank or HSA hijacker problems, SpySheriff, SpyAxe, Smitfraud, Virtumonde aka WinFixer, etc.) in step 5. I ran all the tools in step 4 in safe mode, (be advised Ad-Aware was run without doing updates because I was already in safe mode at the time), it did not find anything. Bitdefender and Panda ActiveScan did though, logs are attached, the Bitdefender log is in HTML, hope you're able to read/convert.
     


  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I have not had time to look at all logs right now but you still have ALL the problems that I asked you to fix in messages #19 & 28. So you really need to complete that whole process again. I also see multiple antivirus applications (AVG and Symantec). You must make sure only one is installed and in fact right now they may all be getting in the way.

    Did you run MS Windows Defender? Did it find anything?

    SpySweeper appears to be partially uninstalled or broken.

    Did you play with System Restore?

    Search your PC for alg.exe or alg.ex_

    Tell me where you find them (if any)!
     
  45. Vast41

    Vast41 Private First Class

    Ok, as per post #42 I explained/asked about sysrestore, Windows Defender, found nothing...SpySweeper I was told to uninstall, by my tech friend...I will reinstall...I have Norton's as my only AV, the AVG program is only a setup, if you want I shall remove. There seems to be a misunderstanding as it relates to READ & RUN ME and what you want me to do regarding System Restore, READ & RUN ME says don't disable till malware is removed, when I ran my scans as per step 5 I found nothing, then disabled it, but then on Bitdefender and Panda ActiveScan, (and now since I updated Ad-Aware it found SpySpotter) found anything. I will wait till I hear from you as to how exactly, what it is you need me to do with System Restore, before I do anything more.
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I did not say to reinstall SpySweeper. All I said was it seems to be partially uninstalled or broken. It was not uninstalled correctly. You can tell this because some items still show in your log. If you can re-install it and run a full system scan now and attach the log, that would be good. SpySweeper is probably the best program of its type on the market and you should think about buying it (not uninstalling it). However during malware cleanup, any program like this can get in our way. So we shall see what we need to do later.

    You must not have multiple AV programs installed so uninstall ALL but one (step 3 of the READ ME).

    The READ ME is pretty clear about disabling System Restore only after ALL your malware problems are gone. It does not say disable it after running the READ ME. Since you have already disabled System Restore once, it does not really matter what you do with it now because you have no useful restore points to use anymore. So you can just leave it disabled (if disabled). If not disabled, I would disable anyway since your system is so badly infected you would not want any restore points that are being created right now anyway.
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    By the way I actually see three antivirus applications running now.
    AVG7
    McAfee
    Symantec

    Please choose the one you want and uninstall all traces of the others. You must do this now.
     
  48. Vast41

    Vast41 Private First Class

    These attachments should look a lot better. If you can help me remove these files that Panda found I should be ok...Adware:adware/cws C:\DocumentsandSettings\CHELLE\Favorites\Technology...Adware:adware/omji Windows Registry...I also discovered spyware/altnetWindowsRegistry in the previous scan before this, I can't remove these files, please help. smitRem\Process.exe is a spyware removal tool that I will keep. It would not let me attach Bitdefender log, saying I already have it attached to this thread.
     


  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In message # 44 I asked:
    I need an answer to this.

    You still have some internal problems hiding that are not cleaning up. I'm starting to think you are having fixes blocked by some tools that are installed. So here is what I want you to do.

    - first uninstall Spy Sweeper and Microsoft Windows Defender
    - disable or uninstall AOL Antispyware. Make sure it stays disabled
    - then reboot

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Then use HJT to fix the below lines:

    These two items from Real Player are not really necessary and can be removed but they are your choice.
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    Fix the rest of these:
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    Now reboot into safe mode and delete the below folder:
    C:\Program Files\Grisoft

    While in safe mode use Windows Explorer (do not use Windows Search) and tell me if you see the below:
    C:\WINDOWS\qyhsotqe.exe
    C:\Program Files\ISTsvc

    If you find them, delete them! But make sure you tell me either way what you find.

    Now reboot in normal mode! DO NOT OPEN any notepad sessions!!!!
    Now attach a new HJT log and a new runkeys.txt log but use the newer version (1.26) that I gave you the link to in message # 41
     
  50. Vast41

    Vast41 Private First Class

    The answer to this >>>> (Search your PC for alg.exe or alg.ex_
    Tell me where you find them (if any)!) is no. Performing other steps now.
     
