What The Heck Is This?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by spadesmamma61, Oct 8, 2006.

  1. spadesmamma61

    spadesmamma61 Private E-2

    I keep getting this error, something about "memory cannot be read", in b111.exe.

    I have scanned like no other etc. and everything appears to be clean. I can't do a restore because I turned off the restore at one point.

    Can anyone help me???
     
  2. spadesmamma61

    spadesmamma61 Private E-2

  3. spadesmamma61

    spadesmamma61 Private E-2

    Um hello? I've never had this much trouble getting a reply before. :( Anyway, the problem has worsened. Today when I got home I got the following virus alerts from my anti-virus:

    Win32/SillyDI.AYI 2 times in something called Iget. I deleted that file

    Win32/Sasla.A 2 times in Common files

    Win32/SillyDl.NM 2 times in Common files
     
    Last edited: Oct 9, 2006
  4. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi, sadly many of the guys who are active in the malware forum are not just busy with malware, as it's basically exploded of late, with many other security forums now not assisting in reading logs (which do take time) and closing their malware forum sections, thus we have become a lot busier. Also, like many people these days, they have become very busy in their own private lives, so can only spare as much free time as allows. As a tip, they also start from the last posted threads or replies and not from the front 1st page, so bumps sadly do get your post overlooked.

    But to start on the removals process do follow the below guide and attach all the requested logs.

    Please follow our standard cleaning procedures, which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.

    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy - ONLY IF you were not able to run Windows Defender
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  5. spadesmamma61

    spadesmamma61 Private E-2

    OK all done. Thanks for the reply.

    I was unable to do the Bitdefender and Panda scan from safe mode as I have no net connection from safe mode.

    Recovery is off since I had already turned it off prior to thread construction, since it wouldn't run anyway.

    Spybot, Windows Defender and Windows Malicious all turned up clean.
     

    Attached Files:

  6. spadesmamma61

    spadesmamma61 Private E-2

    and the last 2
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You appear to have Norton Antivirus and Yahoo's Antivirus both running. But you seem to really only be using Yahoo's. The Norton stuff seems to be broken or incorrectly uninstalled which is very typical of Norton/Symantec.

    Did you configure the below two Proxy settings for something? If not then add them to the lines to fix with HJT in the below procedure.
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 68.87.64.106:553
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

    Now uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    Symantec Network Drivers Update
    Viewpoint Media Player

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
    O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKCU\..\Run: [ofzk] C:\Program Files\Common Files\ofzk\ofzkm.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Common Files\{E427A3CD-07C5-1033-0925-020326200001}\services.dll
    C:\Program Files\Common Files\{E427A3CD-07C5-1033-0925-020326200001}\Update.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\b111.exe
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\81UFM1IL\111[1].net
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KF4NCVWF\111[1].net
    C:\WINDOWS\system32\MsgPlusLoader.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode
    Now Copy the bold text below to notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    After reboot locate the below folders and delete them if found:
    c:\program files\180
    C:\Program Files\MessengerPlus! 3
    C:\Program Files\WildTangent
    C:\Program Files\Common Files\ofzk
    C:\Program Files\Common Files\{E427A3CD-07C5-1033-0925-020326200001}

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Owner\Local Settings\Temp

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
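    The R1 proxy lines and O4 Run entries picked out above are the kind of thing a helper scans a HijackThis log for by eye. As an added example (not part of the thread, and not a MajorGeeks tool), the script below parses R1/O4 lines from a constructed log modelled on the entries quoted here and flags the same patterns: a ProxyServer value that was never configured on purpose, Run entries launching from a temp folder, from a GUID-named or four-letter Common Files folder, or with no full path at all. The heuristics are assumptions; a hit means "look closer", not "malware".

```python
import re
from typing import List, Optional, Tuple
# Constructed sample HijackThis entries modelled on the thread; not the poster's attached log.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 68.87.64.106:553
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = localhost
O4 - HKLM\\..\\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\\..\\Run: [ofzk] C:\\Program Files\\Common Files\\ofzk\\ofzkm.exe
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
O4 - HKLM\\..\\Run: [svc] C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\b111.exe
O4 - HKLM\\..\\Run: [Update] C:\\Program Files\\Common Files\\{E427A3CD-07C5-1033-0925-020326200001}\\Update.exe
"""
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
R1_RE = re.compile(r"^R1 - (.+?),(\w+) = (.*)$")

def exe_path(command: str) -> str:
    # Return the program path from an O4 command, dropping its arguments.
    command = command.strip()
    if command.startswith('"'):  # quoted path; arguments follow the closing quote
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.search(r"\.exe\b", command, re.IGNORECASE)
    return command[: m.end()] if m else command.split(" ")[0]

def check_o4(path: str) -> Optional[str]:
    """Heuristics (assumed, not from the thread) for autostart entries worth a second look."""
    low = path.lower()
    if "\\" not in path:
        return "Run entry without a full path; the file is resolved by PATH search"
    if "\\temp\\" in low or "\\temporary internet files\\" in low:
        return "Run entry launching from a temp folder"
    if re.search(r"\\common files\\\{[0-9a-f-]{36}\}\\", low):
        return "Run entry in a GUID-named Common Files folder"
    if re.search(r"\\common files\\[a-z]{4}\\", low):
        return "Run entry in a short random-looking Common Files folder"
    return None

def triage(log: str) -> List[Tuple[str, str]]:
    """Parse R1/O4 lines and return (line, reason) for each entry the heuristics flag."""
    findings = []
    for line in (raw.strip() for raw in log.splitlines()):
        if m := O4_RE.match(line):
            reason = check_o4(exe_path(m.group(4)))
            if reason:
                findings.append((line, reason))
        elif m := R1_RE.match(line):
            name, value = m.group(2), m.group(3).strip()
            if name == "ProxyServer" and value:
                findings.append((line, f"Proxy server set to {value}; confirm it was configured on purpose"))
    return findings
```

    Run against the sample, it flags the proxy line and four of the five O4 entries and leaves the legitimate msmsgs.exe entry alone.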
     
  8. spadesmamma61

    spadesmamma61 Private E-2

    Oki doki, all done. I suspect I still have Norton stuff running as I always get an error for them whenever I run the first 2 programs below.

    Everything else went fine. Today is my only day off for the next week so I hope I'm able to finish this today since my kid needs to use the computer for homework.

    Thanks so much for everything so far. :)
     

    Attached Files:

  9. spadesmamma61

    spadesmamma61 Private E-2

    I'm also getting some kind of cmd error when I try to run those 2 programs. Forgot to mention that earlier. Something like cmd 32?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you goto Add/Remove Programs and uninstall the below?
    Symantec Network Drivers Update

    It still shows! Please uninstall this now. Let me know what happens when you try to uninstall it.

    Then run this: Norton Removal Tool (SymNRT) also tell me the results.

    Now Copy the bold text below to notepad. Save it as fixWLK.reg to your desktop (yes over write the previous file). Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now look for the below using Windows Explorer and delete them:
    C:\Program Files\Common Files\{E427A3CD-07C5-1033-0925-020326200001} <--- the whole folder
    C:\Program Files\Java\jre1.5.0_04 <--- the whole folder
    C:\Program Files\WildTangent <--- the whole folder

    Now attach new logs from ShowNew, GetRunKey, and HJT!
     
    Last edited: Oct 14, 2006
  11. spadesmamma61

    spadesmamma61 Private E-2

    Does not appear in my add remove programs list. I ran the Norton Removal tool and everything went fine for that. After reboot I ran the programs you asked and both the show new and get run had an error that I had to click on "ignore" in order to get them to run. I've attached pictures below.

    Next post will attach the logs you requested. :)
     

    Attached Files:

  12. spadesmamma61

    spadesmamma61 Private E-2

    Logs attached and thanks for the help. I also have system restore still turned off.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Read the download pages for ShowNew and GetRunKey. They explain this error message which is a problem on your PC. They also give you a link to fix it.

    You should delete the below folder since you no longer have this installed:
    C:\Program Files\Spyware Doctor

    How are things working now?

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    3. Since you already had System Restore turned off, you should now turn it back on to create a new clean Restore Point.
    4. After doing the above, you should work thru the below link:
     
    Last edited: Oct 16, 2006
