Virus/Malware hard to remove

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by khronos1, Feb 25, 2007.

  1. khronos1

    khronos1 Private E-2

    Hello.

    I have had an issue since about Thursday night and have been trying to remove the malware program and have been unable to.

    The program appeared on Thursday night and what it shows is a yellow triangle with an exclamation mark on it in my taskbar. It constantly tells me that there is malware but I don't click it because it begins to install some program.

    I have checked my add/remove programs and have removed what has installed itself, but they just come back or are replaced by something new. Currently the one on there is called command. I tell it to remove and it spawns an explorer window to their website and asks me to download something else to remove it, which I don't do because I refuse to download something else from them when I never downloaded anything in the first place.

    The virus/malware constantly spawns advertisements in explorer windows for numerous websites and products. I have had this problem before on another computer and it was SpySheriff and I ran SmitFraudFix in safe mode and it fixed the issue. But for my problem, SmitFraudFix does nothing.

    I did everything in your read me and run me first guide and it did claim to remove numerous spyware but I couldn't tell you what.

    I'm an MCP so I am not totally dumb with PCs, but this virus is kicking my butt and I need help.

    I am attaching my hijack this log along with the logs from counterspy, bitdefender,
     


  2. khronos1

    khronos1 Private E-2

    Here is the balance of the files you asked for. Hope you guys can help. I really don't want to reformat and start over.

    Thanks

    Franklin
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You have a lot of problems! Let's get started!

    First please run this: RogueRemover

    Now go to Add/Remove programs and uninstall all of the below:
    Command
    IpWins
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java 2 SDK, SE v1.4.2_05

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    Now run this procedure: DelCmdService - How to use


    Continue by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.


    Make sure you have rebooted in Normal Mode (do not open any other processes)
    Also make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of awtqn.dll once and then click the kill button. After you have killed all of the awtqn.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    nnnolji.dll
    winijp32.dll

    Next double click on explorer.exe and again click once on each instance of awtqn.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    nnnolji.dll
    winijp32.dll

    Next double click on iexplore.exe and again click once on each instance of awtqn.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    nnnolji.dll
    winijp32.dll

    Now just exit Process Explorer.

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\WINDOWS\RnJhbmtsaW4gV2hlZWxvY2s\command.exe
    C:\WINDOWS\system32\tcpipmon.exe
    C:\WINDOWS\system32\tcpipmon.exe
    C:\Program Files\Ipwindows\ipwins.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {32ECEBBE-8E2F-6E4C-1F83-0BD3DA12633D} - C:\WINDOWS\system32\fetuoth.dll (file missing)
    O2 - BHO: (no name) - {55DCCDDC-D391-CEA3-E9D8-097C3B221F27} - C:\WINDOWS\system32\hezitbi.dll (file missing)
    O2 - BHO: (no name) - {68C86083-B922-4954-BB41-651A85E3923E} - C:\WINDOWS\system32\awtqn.dll
    O2 - BHO: (no name) - {EB56076C-EEB4-4FB9-BE89-04A5B6980A8E} - C:\WINDOWS\system32\nnnolji.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [fknydlc.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\FrankDawg\Local Settings\Application Data\fknydlc.dll",wsymijg
    O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
    O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvdif.dll,startup
    O4 - HKLM\..\Run: [ccrvbnb.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\FrankDawg\Local Settings\Application Data\ccrvbnb.dll",hmesur
    O4 - HKLM\..\Run: [{4025ADB6-0BBE-1033-0819-050507050001}] "C:\Program Files\Common Files\{4025ADB6-0BBE-1033-0819-050507050001}\Update.exe" mc-110-12-0000272
    O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\uqjgwlik.dll",setvm
    O18 - Protocol: bw+0 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw+0s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: bwg0 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwg0s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0s - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: offline-8876480 - {1CFD5C33-52B7-450C-9424-1A4319D12F27} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O20 - Winlogon Notify: awtqn - C:\WINDOWS\system32\awtqn.dll
    O20 - Winlogon Notify: nnnolji - C:\WINDOWS\SYSTEM32\nnnolji.dll
    O20 - Winlogon Notify: winijp32 - C:\WINDOWS\SYSTEM32\winijp32.dll
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RnJhbmtsaW4gV2hlZWxvY2s\command.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    c:\program files\common files\{4025adb6-0bbe-1033-0819-050507050001}\update.exe
    C:\Program Files\Ipwindows\ipwins.dll
    C:\Program Files\Ipwindows\ipwins.exe
    C:\Program Files\Common Files\{4025ADB6-0BBE-1033-0819-050507050001}\system.dll
    c:\windows\uninstall_nmon.vbs
    C:\Documents and Settings\FrankDawg\Local Settings\Temp\~nsu.tmp\Au_.exe
    C:\Documents and Settings\FrankDawg\Local Settings\Temporary Internet Files\Content.IE5\8LYZSLY3\104[1].net
    C:\Documents and Settings\FrankDawg\Local Settings\Temporary Internet Files\Content.IE5\8LYZSLY3\128[1].net
    C:\Documents and Settings\FrankDawg\Local Settings\Temporary Internet Files\Content.IE5\8LYZSLY3\dohinst-103[1].0000
    C:\Documents and Settings\FrankDawg\Local Settings\Temporary Internet Files\Content.IE5\ABEDQTAT\xc29[1].exe
    C:\Documents and Settings\FrankDawg\Local Settings\Temporary Internet Files\Content.IE5\KJA3AL8D\122[1].net
    C:\Documents and Settings\FrankDawg\Local Settings\Temporary Internet Files\Content.IE5\KJA3AL8D\setar-101[1].0000
    C:\Documents and Settings\FrankDawg\Local Settings\Temporary Internet Files\Content.IE5\KJA3AL8D\xc42[1].exe
    C:\Documents and Settings\FrankDawg\Local Settings\Temporary Internet Files\Content.IE5\KJA3AL8D\xc60[1].exe
    C:\Program Files\Outerinfo\OiUninstaller.exe
    C:\WINDOWS\RnJhbmtsaW4gV2hlZWxvY2s\asappsrv.dll
    C:\WINDOWS\RnJhbmtsaW4gV2hlZWxvY2s\command.exe
    C:\WINDOWS\RnJhbmtsaW4gV2hlZWxvY2s\lBL1vAQPuqb0pZ15tqUSsZP.vbs
    C:\WINDOWS\Temp\b104.exe
    C:\WINDOWS\Temp\b122.exe
    C:\WINDOWS\Temp\b128.exe
    C:\WINDOWS\Temp\mst684.tmp
    C:\WINDOWS\Temp\win68A.tmp.exe
    C:\Documents and Settings\FrankDawg\Local Settings\Application Data\fknydlc.dll
    C:\Documents and Settings\FrankDawg\Local Settings\Application Data\ccrvbnb.dll
    C:\WINDOWS\system32\atmtd.dll
    C:\WINDOWS\system32\awtqn.dll
    C:\WINDOWS\system32\drvdif.dll
    C:\WINDOWS\system32\dmubtopb.exe
    C:\WINDOWS\system32\kilwgjqu.ini
    C:\WINDOWS\SYSTEM32\nnnolji.dll
    C:\WINDOWS\system32\nqtwa.tmp
    C:\WINDOWS\system32\nqtwa.tmp2
    C:\WINDOWS\system32\tcpipmon.exe
    C:\WINDOWS\system32\uqjgwlik.dll
    C:\WINDOWS\system32\vtutust.dll
    C:\WINDOWS\system32\v6.exe
    C:\WINDOWS\SYSTEM32\winijp32.dll
    C:\WINDOWS\system32\wnsapisu.exe
    C:\WINDOWS\Temp\b104.exe

    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folders and delete if found:
    c:\program files\common files\{4025adb6-0bbe-1033-0819-050507050001}
    C:\Program Files\InetGet2
    C:\Program Files\Ipwindows
    C:\Program Files\Outerinfo\
    C:\Program Files\VSAdd-in
    C:\WINDOWS\RnJhbmtsaW4gV2hlZWxvY2s
    Now Run CCleaner

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
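    The HijackThis lines selected for fixing above share a few patterns a reviewer can check for mechanically: entries whose file is already missing, unnamed BHOs, Winlogon Notify DLLs, rundll32 autoruns pointing into a user profile, bare executable names in Run keys, and services with no registered owner. The following Python triage script is an added example, not something posted in this thread or shipped with HijackThis; it runs over a constructed sample of log lines shaped like the ones quoted above (the profile name is replaced with USER) and reports which ones deserve a closer look.

```python
import re
from dataclasses import dataclass

# Constructed sample input (not the poster's actual log): a handful of
# HijackThis-style lines in the same shape as the entries quoted in the thread.
# "USER" stands in for the profile name.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {32ECEBBE-8E2F-6E4C-1F83-0BD3DA12633D} - C:\WINDOWS\system32\fetuoth.dll (file missing)
O2 - BHO: (no name) - {68C86083-B922-4954-BB41-651A85E3923E} - C:\WINDOWS\system32\awtqn.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [fknydlc.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\USER\Local Settings\Application Data\fknydlc.dll",wsymijg
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\uqjgwlik.dll",setvm
O20 - Winlogon Notify: awtqn - C:\WINDOWS\system32\awtqn.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RnJhbmtsaW4gV2hlZWxvY2s\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
"""

# "O4 - <body>", "R1 - <body>", ...: section code, then the entry itself
ENTRY_RE = re.compile(r"^(?P<code>[OR]\d+) - (?P<body>.+)$")
# rundll32[.exe] "<dll>",<export>   (quotes around the DLL path are optional)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?,(?P<export>\S+)', re.I)
# anything stored under a Windows XP user profile
PROFILE_RE = re.compile(r"\\Documents and Settings\\[^\\]+\\", re.I)


@dataclass(frozen=True)
class Finding:
    code: str    # HijackThis section code, e.g. O4
    reason: str  # why a reviewer should look at this entry
    line: str    # the original log line


def parse_entries(log):
    """Yield (code, body, raw_line) for every well-formed HijackThis line."""
    for raw in log.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            yield m.group("code"), m.group("body"), raw


def triage_line(code, body, raw):
    """Apply the defensive heuristics to one entry; return a list of Findings."""
    out = []
    if "(file missing)" in body:
        # Orphaned registry entry: harmless by itself, but it shows something was here.
        out.append(Finding(code, "orphaned entry: the referenced file no longer exists", raw))
        return out
    if code == "O2" and body.startswith("BHO: (no name)"):
        out.append(Finding(code, "unnamed BHO loaded into every Internet Explorer process", raw))
    elif code == "O20":
        out.append(Finding(code, "Winlogon Notify DLL runs inside winlogon.exe at logon", raw))
    elif code == "O4":
        # Strip "HKLM\..\Run: [name] " to get the command that is actually launched.
        command = body.split("] ", 1)[1] if "] " in body else body
        m = RUNDLL_RE.search(command)
        if m:
            where = "the user profile" if PROFILE_RE.search(m.group("dll")) else "outside the user profile"
            out.append(Finding(code, f"rundll32 autorun loads {m.group('dll')} from {where}", raw))
        elif "\\" not in command:
            out.append(Finding(code, "unqualified executable name; resolved by PATH search at logon", raw))
    elif code == "O23" and "Unknown owner" in body:
        out.append(Finding(code, "service with no registered publisher", raw))
    return out


def triage(log):
    """Run every entry in a HijackThis log through the heuristics above."""
    return [f for entry in parse_entries(log) for f in triage_line(*entry)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:>4}  {f.reason}\n      {f.line}")
```

    The heuristics are deliberately conservative: they mark entries for review rather than declare them malicious, since a legitimate Winlogon Notify DLL or rundll32 autorun looks identical at this level of detail.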
     
  4. khronos1

    khronos1 Private E-2

    Hey,

    OK I have done all you have said and some of it worked fine, but some didn't. The fixme.reg would not merge with my registry. I tried doubleclicking on it and it would not work. I also tried to import it from regedit and it still would not work. So I went in and changed the keys manually.

    Other than that, everything seemed to run smoothly. On my final reboot, the yellow shield with the exclamation mark was gone. This shield actually kept spawning when I would delete tcpipmon.exe, so that may have been one of the culprits.

    I have attached the new logs and just want to make sure that everything is removed. One thing I am still not seeing is my NAV 10 shield on my taskbar and windows is still not recognizing that it is active even though when I open it, it shows the latest signatures installed and that all my autoprotects are enabled.

    Let me know if it looks like anything else is out of whack. Worst case scenario, I can always reinstall my NAV 10. I just want to make sure that the malware is all gone.

    Thanks for all your help. You guys are the bomb!!!

    Khronos
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I do not see fixme.reg on your Desktop. Where did you save it to?

    Are you absolutely sure you are saving the file EXACTLY as instructed using notepad? If not done properly, it will not work. What error message are you receiving when trying to import or when double clicking on fixme.reg?

    You have more things to fix, but I need to know that you can save registry patches properly and also get them installed into the registry.

    Is your copy of Spy Sweeper a paid version or a free trial version? If free, uninstall it now.

    Also uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software


    Please delete the below folder. Note that the question mark represents unprintable characters that were found during the scans, but they may appear to you as normal characters when you locate them using Windows Explorer. I will add a comment in RED next to each item. Note the date of the folders, which will help you to locate them:
    Code:
    "C:\Documents and Settings\FrankDawg\Application Data\"
    SMANTE~1      Feb 23 2007              "S?mantec"   <-- may look like Symantec
     
    The below files were not deleted with Pocket Killbox. Try again. Make sure they are deleted. Look for them yourself after reboot and if still present, delete them manually using Windows Explorer:
    C:\WINDOWS\system32\mljjk.dll
    C:\WINDOWS\system32\kjjlm.tmp
    C:\WINDOWS\system32\nqtwa.ini
    C:\WINDOWS\system32\nqtwa.ini2



    Now let's fix the NETWORK_MONITOR problems (ADSPY/ISearch.d.2)!

    Please download and install Registrar Lite. Make sure you select a Majorgeeks download link and not the Author's!

    Run Registrar Lite, navigate to each of the following keys (one at a time) and Set Permissions for Everyone (I explain how to do that further down).
    To set permissions for Everyone for each key, do the following
    • Copy & Paste the registry key from above (one at a time) into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    • Click-on Security in the top Menu
    • Select Edit Permissions so we can change permissions to everyone.
    • Now here is what I expect you to see in the Group or user names area of the form that comes up:
      • Everyone
      • SYSTEM
    • Select Everyone by clicking on it.
    • Now at the bottom in the Permissions box click the check box for Full Control.
    • Then click Apply and then OK to get back to the main Registrar Lite screen.
    • Now right click on the registry key and select Delete.
    • Then click View and Refresh. Check to see if the registry key just deleted truly deleted.
    • If so, move on to the next regkey to work through the whole list.
    • If it does not delete, I want you to boot into safe mode and repeat these exact same steps to see if we can do it from safe mode.
    Then reboot your PC!

    Now run GetRunKey again and attach a new log!
     
    Last edited: Mar 3, 2007
