Welcome Home to Lots of Viruses!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by daveb44, May 22, 2007.

  1. daveb44

    daveb44 Private E-2

    Hi -
    I'm visiting my wife's family and found their computer in really bad shape. They hadn't been using any antivirus software for a while and were having problems going online and staying online with their DSL connection. I knew there would be tons of viruses, etc., so I went through the malware removal procedures on the site and I wasn't disappointed. Can someone help me get their computer back into shape? They don't get tons of pop-ups or anything like that, but their internet connection is problematic and I can't access Windows Update. I also haven't tried re-installing their Norton AV (an older version wasn't properly uninstalled, so the newer version is not loading up). I figured after I dealt with the issues they have, I'd install Norton - lemme know if that's the wrong way around.

    Anyway, here are the specs:
    Windows XP SP2
    2.93 GHz Celeron Processor
    503GB RAM

    Running Spybot S&D found 70 problems including:
    Backdoor.Win32.SdBot.gen
    Win32.agent.aaw
    NewDotNet
    Win32.SdBot.yx

    Of the seventy instances (which include a bunch of adware I didn't list) only sixty-eight could be fixed in safe mode (not including NewDotNet and Win32.SdBot.yx).

    I'm attaching the CounterSpy, BitDefender, Panda ActiveScan, HijackThis and other logs. It doesn't look pretty.

    Please let me know what to do next. Thanks!
    daveb44
     

    Attached Files:

  2. daveb44

    daveb44 Private E-2

    More scans...
    daveb44
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!


    Start by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    hpbahpb.dll
    ipv6monq.dll
    ipv6monr.dll
    jxaztfoh.dll
    stp68_2007.dll
    txgobwwx.dll
    txjebshc.dll

    After you have killed all instances of any of the above DLLs under winlogon click ok.
    (If you do not find these DLLs, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    hpbahpb.dll
    ipv6monq.dll
    ipv6monr.dll
    jxaztfoh.dll
    stp68_2007.dll
    txgobwwx.dll
    txjebshc.dll

    After you have killed all instances of any of the above DLLs under Explorer click ok.
    (If you do not find these DLLs, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    hpbahpb.dll
    ipv6monq.dll
    ipv6monr.dll
    jxaztfoh.dll
    stp68_2007.dll
    txgobwwx.dll
    txjebshc.dll

    After you have killed all instances of any of the above DLLs under iexplore click ok.
    (If you do not find these DLLs, just continue on.)

    Now just exit Process Explorer.

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {48EA419A-4BC5-4C1F-B045-DBAE871C060A} - c:\windows\system32\hpbahpb.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
    O4 - HKLM\..\Run: [dcdnwvdm] C:\WINDOWS\system32\dcdnwvdm.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKCU\..\Run: [dcdnwvdm] C:\WINDOWS\system32\dcdnwvdm.exe
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: nfhakpga - C:\WINDOWS\SYSTEM32\hpbahpb.dll
    O20 - Winlogon Notify: stp68_2007 - stp68_2007.dll (file missing)

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue. After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
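As an added illustration (not part of chaslang's instructions, and not code from HijackThis or any other tool named here), the Python script below parses HijackThis-style log lines like the fix list above and flags the entries a helper would review: orphaned entries ("(no file)" / "(file missing)"), entries that reference the DLL names called out in this thread, and, as an assumed heuristic that the thread itself does not state, random-looking all-letter filenames under system32.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: lines copied from the HijackThis fix list in this thread.
SAMPLE_HJT_LINES = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {48EA419A-4BC5-4C1F-B045-DBAE871C060A} - c:\windows\system32\hpbahpb.dll
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [dcdnwvdm] C:\WINDOWS\system32\dcdnwvdm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O20 - Winlogon Notify: nfhakpga - C:\WINDOWS\SYSTEM32\hpbahpb.dll
O20 - Winlogon Notify: stp68_2007 - stp68_2007.dll (file missing)
""".strip().splitlines()

# DLL names this thread tells the poster to unhook with Process Explorer.
SUSPECT_DLLS = {"hpbahpb.dll", "ipv6monq.dll", "ipv6monr.dll", "jxaztfoh.dll",
                "stp68_2007.dll", "txgobwwx.dll", "txjebshc.dll"}

@dataclass
class HjtEntry:
    kind: str        # HJT section code: R3, O2, O4, O20, ...
    label: str       # hook/BHO name or the Run-key value name
    target: str      # file path, or "(no file)" / "... (file missing)"
    reasons: List[str] = field(default_factory=list)

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<label>[^\]]+)\] (?P<target>.+)$")

def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "O4":  # "HKLM\..\Run: [name] command"
        o4 = O4_RE.match(body)
        return HjtEntry(kind, o4.group("label"), o4.group("target").strip('"')) if o4 else None
    # Other sections read "Section: label - [CLSID - ]target"; the target is the last piece.
    parts = [p.strip() for p in body.split(" - ")]
    return HjtEntry(kind, parts[0].split(": ", 1)[-1], parts[-1])

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def flag_entry(entry: HjtEntry, suspects=SUSPECT_DLLS) -> HjtEntry:
    name = basename(entry.target.replace(" (file missing)", ""))
    if "(no file)" in entry.target or "(file missing)" in entry.target:
        entry.reasons.append("orphaned entry: registry points at a file that no longer exists")
    if name in suspects:
        entry.reasons.append(f"references DLL named in this thread: {name}")
    # Assumed heuristic (not from the thread): 7+ lowercase letters, no digits, under system32.
    if "system32" in entry.target.lower() and re.fullmatch(r"[a-z]{7,}", name.rsplit(".", 1)[0]):
        entry.reasons.append(f"random-looking filename in system32: {name}")
    return entry

def triage(lines) -> List[HjtEntry]:
    """Parse every line and return only the entries that have at least one reason to review."""
    return [e for e in map(flag_entry, filter(None, map(parse_hjt_line, lines))) if e.reasons]
```

Calling triage(SAMPLE_HJT_LINES) returns five of the seven sample entries; the Lexmark and Java Run entries pass all three checks, which shows the heuristic is a screening aid, not a verdict.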
     
  4. daveb44

    daveb44 Private E-2

    Chaslang -

    thanks for all your help! I followed your instructions and I am attaching the new logs you requested. Process Explorer found several instances of hpbahpb.dll in all three of the processes you had me look at as well as instances of txgobwwx.dll in explorer.exe and iexplore.exe - I killed all those and followed all your other notes.

    Let me know where we stand now - I haven't tried surfing around the internet too much to see if it hangs or drops, but so far it hasn't kicked me off while coming to the MG site. Hopefully that's a good sign.

    Thanks again -
    daveb
     

    Attached Files:

  5. daveb44

    daveb44 Private E-2

    Here is the new HJT log as well.
    db44
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This infection is still there. Let's try another method of fixing this.

    First uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software


    Now download install and update Prevx1 then run a full scan and fix what it finds. See if you can save a log and attach it. Then also attach a new HJT log.
     
  7. daveb44

    daveb44 Private E-2

    Chaslang -
    Okay, I uninstalled CounterSpy and downloaded Prevx (though the link from the author's site took me to Prevx2 instead of 1). I installed it, rebooted and it did an initial scan which found nothing and said I was clean. Then I did a full file scan which was then verified online. This scan also came back clean. I did an additional process scan - also clean.

    So, let me know what you can think of next. I'm attaching a new HJT log, but it might not be demonstrably different than the last. Thanks -
    db44
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay you are the second person to indicate that Prevx does not fix something that they claim to fix. Oh well, I guess we will not be trying it anymore. Please uninstall it now.


    Now please download ProcessDLL.zip and save to your desktop.

    Extract the ProcessDll.exe file from inside and run it.

    This will create a new file on your Desktop called procdll.txt

    Attach this log as your next post.


    Also run this: Using Sophos Anti-Rootkit and attach the requested log from it.


    Do you have a bootable Windows XP SP2 installation CD? Chances are very high that we are going to need it to try and fix this.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also please do the below. DO NOT REBOOT at anytime while doing the below and DO NOT power down or reboot after attaching new logs. Wait until I give you the next steps.

    Download the below two tools and extract them to a folder of their own.
    You can put both into the same folder.
    First let's just setup Filemon.
    • Run Filemon by double clicking on filemon.exe
    • When it comes up, change the *.* in the Include box to be hpbahpb.dll; ungjjhjm.sys. The semicolon between the two filenames is required.
    • Then click Apply and OK.
    • The Filemon window now comes up and will monitor for anything accessing hpbahpb.dll or ungjjhjm.sys
    • Now just leave this running and continue.
    Now go back and run the Process Explorer procedure to unhook hpbahpb.dll from winlogon.exe, explorer.exe, and iexplore.exe (also unhook it from csrss.exe which we did not do before). After doing this, try fixing the below two lines with HJT:

    O2 - BHO: (no name) - {48EA419A-4BC5-4C1F-B045-DBAE871C060A} - c:\windows\system32\hpbahpb.dll
    O20 - Winlogon Notify: nfhakpga - C:\WINDOWS\SYSTEM32\hpbahpb.dll

    Now exit HJT.

    Now delete the below files!
    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\48EA419A-4BC5-4C1F-B045-DBAE871C060A.dat
    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\48EA419A-4BC5-4C1F-B045-DBAE871C060A.ini
    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\48EA419A-4BC5-4C1F-B045-DBAE871C060A.txt


    Now go back to the Filemon screen and click File and then uncheck the Capture Events selection to stop the capture process. Then use File, Save As to save the log to a file like filemon.log and post it back here as an attachment.

    Now attach new logs from ShowNew and HJT!
     
    Last edited: May 25, 2007
  10. daveb44

    daveb44 Private E-2

    Chaslang -

    Okay, I've gone through the steps you outlined. Right off the bat when I uninstalled Prevx1 the computer crashed so there was a reboot there - it was before I went on to do any of your other steps, so hopefully it won't screw up the whole thing. I have not rebooted since starting with the ProcessDLL.exe in your second to last email.

    Sophos Anti-Rootkit came back clean - I'm attaching the log, but it doesn't show anything. I am also attaching all the other logs you requested.

    My wife's sister doesn't have an XP install disk, but we are checking around to see if anyone else has one. I'll let you know. Thanks for all your help.

    db44
     

    Attached Files:

  11. daveb44

    daveb44 Private E-2

    Here are additional logs you requested
    db44
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    • Make sure that one and only one Internet Explorer browser is opened up!
    • Also shutdown ALL other processes including Instant Messengers, antivirus and antispyware tools!
    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    hpbahpb.dll
    libssl32.dll
    libeay32.dll
    jxaztfoh.dll
    mgyyumjw.dll


    After you have killed all instances of any of the above DLLs under winlogon click ok.
    (If you do not find these DLLs, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    hpbahpb.dll
    txgobwwx.dll
    libssl32.dll
    libeay32.dll
    txjebshc.dll
    jxaztfoh.dll
    mgyyumjw.dll


    After you have killed all instances of any of the above DLLs under Explorer click ok.
    (If you do not find these DLLs, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    hpbahpb.dll
    txgobwwx.dll
    libssl32.dll
    libeay32.dll
    txjebshc.dll
    jxaztfoh.dll
    mgyyumjw.dll


    After you have killed all instances of any of the above DLLs under iexplore click ok.
    (If you do not find these DLLs, just continue on.)

    Next double click on csrss.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    hpbahpb.dll

    After you have killed all instances of any of the above DLLs under iexplore click ok.
    (If you do not find these DLLs, just continue on.)

    MAKE SURE YOU READ THE BELOW NOTE ABOUT MULTIPLE SVCHOST.EXE PROCESSES!!!!


    Next double click on svchost.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    hpbahpb.dll
    libssl32.dll
    libeay32.dll
    jxaztfoh.dll
    mgyyumjw.dll

    After you have killed all instances of any of the above DLLs under iexplore click ok.
    (If you do not find these DLLs, just continue on.)

    NOTE: There will be multiple instances of svchost.exe running. YOU MUST CHECK EACH ONE and kill the above DLLs in each one if found. I suspect that only one will have them, but there is no way for me to tell you which one.


    Now just exit Process Explorer.

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {48EA419A-4BC5-4C1F-B045-DBAE871C060A} - c:\windows\system32\hpbahpb.dll
    O20 - Winlogon Notify: nfhakpga - C:\WINDOWS\SYSTEM32\hpbahpb.dll


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  13. daveb44

    daveb44 Private E-2

    Chaslang -

    Okay, I've gone through all your instructions but I still see the hpbahpd.dll instances in the HJT log. I'm including all the logs you requested. Hopefully we can get it sorted out.

    Internet Explorer has been crashing a lot after being open for a few minutes (I get a run time error 216). Also, when I rebooted after running Avenger, I got an error on startup that said, "There is no disk in the drive - please insert a disk into the drive". I tried to hit continue a few times and try again, but eventually had to hit cancel to continue on with the reboot.

    I'm going to be leaving my wife's family house tomorrow, so let me know if you think I should suggest to them to get rid of this computer if we can't fix it by then (or reformat the hard drive).

    Also - I tried to upload the newfiles.txt and the runkeys.txt files, but I keep getting an error from the MG attachment manager that says I've already uploaded these files in this thread. I tried renaming the files with a "1" after them, but I get the same error that I've already uploaded them. Should I start a new thread or does this mean that the files are identical to the ones I've previously posted?


    Thanks again for all your help -
    db44
     

    Attached Files:

  14. daveb44

    daveb44 Private E-2

    additional requested logs
    db44
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a new type of infection that is not very well known as of yet. There are no known fixes yet for this infection. It is possible that booting to the Recovery Console from your original Windows XP CD (if you have one) can be used to delete the files. But if the infection has other files hidden somewhere, they could reinfect you at normal startup. The only way to know would be to try.

    However at this point (especially since you have time constraints), it may be faster to format and reinstall Windows.

    It means you did not get NEW logs. You have to run the programs again to get new logs. You are trying to attach the exact same files as last time.
     
    Last edited: May 28, 2007
  16. daveb44

    daveb44 Private E-2

    Chaslang -

    Okay, thanks a lot for all your help - I'll recommend a format/reinstall. I've read that the safest way to format your drive to prevent re-infection is to write 1s and 0s over the drive. Do you know where there's a program that does that?

    Strange about those logs - I definitely re-ran the scans and saved the new logs over the old ones.

    Thanks again,
    db44
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You don't need to do that! What I would suggest is:
    • to back up any important personal data and settings first.
    • get copies of your antivirus, antispyware, and firewalls onto a CD so they can be reinstalled after the format but before connecting the PC to the internet.
    • then boot from the Windows CD and delete the current partition.
    • then recreate the partition
    • then format
    • then reinstall Windows
    • then install the protection software mentioned above
    • then connect the PC to the internet and download ALL updates for Windows and for your protection software
    • then start reinstalling all other required applications, etc.
    Double click on the files and look at the date and time inside the files (about 15 lines down in the log). What do you see in each file?
     