Windows File Protection? 60 Processes running.

Recently infected with malware/trojans. I think AVG Free successfully removed, however the Sonic Update Manager starts every time I start windows. Also, Windows File Protection pops up and says that some versions of files are not recognized. The system is running extrememly slow, and running approx. 60 processes at any given time. I just ran ComboFix and MGtools today. Any support is greatly appreciated!

 

OOps! here's they ComboFix and MG logs.

 

Hi crazycat243!
Welcome to Major Geeks!
Still missing your AVG-Antispyware log and your MGlogs.zip

The MGlogs.zip should be directly under C or whichever drive has your operating system in it. Your hijackthis log will be part of the zip file, not separate.
abri

 

I'm not sure if this is what you need from AVG. It is not creating logs for me to save.:confused

 

Please help!

 

Hi crazycat243!

Do you have two resident antivirus programs running? If so, please uninstall one of them.

Then continue as follows:

1) Go to add/remove programs and uninstall the below:

Viewpoint Media Player
J2SE Runtime Environment 5.0 Update 6"
Java 2 Runtime Environment, SE v1.4.2_03"
Java(TM) 6 Update 2
Java(TM) SE Runtime Environment 6 Update 1




2) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

F3 - REG:win.ini: load=C:\WINDOWS\system32\ddcyx.exe

After you click fix, just close hijackthis.


3) Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

Make sure you tell me how things are working now!


4) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.


5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


Let me know how things are running now?

abri

 

Abri
Wasn't able to work with my PC until this morning. AVG Antivirus Free detected the following during a scan overnight:
Virus name: Virus found Lop filename: ptch[1]
Trojan horse BackDoor.Agent.PTA filename: blsyniag.exe
Virus found Lop filename: htcp[1]

I quarantined them and don't plan on doing anything with them without your approval.

I removed the old java apps. After this i started getting a bunch of popups.
I also tried to remove MicroTrend, an antivirus software I received free from Dell, but it asked me for a password which I don't know, so I left it alone.

I ran analyse.exe

I also downloaded and ran Avenger. It didn't prompt me to reboot, so I rebooted myself. System is still full of processes (approx 60), Windows File Protection popped up on startup, and Sonic Update manager is dying to install an update from source '1'. Honestly I don't even use the Sonic programs, so I wouldn't mind getting rid of them. The problem is that it came with the PC from Dell, so I don't know if I will need a password to unlock the uninstaller.

Since you wanted to know how things were working after this, I'm waiting for a response before beginning with ATF Cleaner.

 

here's the MGlogs. For whatever reason, avenger did not create a log. Perhaps I need to run it again? it never prompted me that my computer needed to be rebooted after it was finished.

-crazy

 

Avenger still isn't doing anything. I input the script. click the traffic light. the whole program closes. thats it!
-crazy

 

Hi CrazyCat!

Avenger is the best tool so I would prefer to get it to work if possible. If it simply won't work, I will give you another tool to use. First let me ask you if you downloaded the zip file to the desktop? If so, did you then extract the Avenger.exe and save it also to the desktop? And when you copied the contents of the box, did you include the words "Files to delete" and "Registry keys to delete"? The contents of the box have to be completely copied, not just the file. The above are the three main reasons why Avenger doesn't run properly.

You can alternatively run the following:

1) Download - Pocket KillBox

Save it to its own folder somewhere that you will be able to locate it later.


2) Now copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
Quote:
REGEDIT4
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D0092E95-78AE-4DDF-8CCF-54A71FFF7C63}]

3) Now run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.

NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

• Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\drivers\lvuvc.hs
C:\WINDOWS\system32\jpewocmz.ini
C:\WINDOWS\system32\xycdd.ini
C:\WINDOWS\system32\xycdd.ini2
C:\WINDOWS\system32\RCX3A.tmp
C:\WINDOWS\system32\RCX3B.tmp
C:\WINDOWS\system32\RCX6A.tmp
C:\WINDOWS\system32\ddcyx.dll
C:\WINDOWS\system32\ddcyx.exe
C:\WINDOWS\mrofinu72.exe.tmp

• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

If Killbox does not reboot just reboot your PC yourself.

4) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates
That log is under C:\

abri

 

Here's a quick update. MicroTrend discovered Vundo after an update. I'm going to go through the removal procedures for it now. Maybe this is what has been plauging me the whole time?

 

Oh! I didn't know that Vundo is what the problem was. I ran VundoFix found in the stickeys in the malware forum. Attached are the VundoFix and Hijack logs.
I would like to also note that windows file protection didn't prompt after reboot! I did however receive an error message which after reporting, allowed me to download the fix from Microsoft. I'm also not getting popups at this time.

In response to the questions about Avenger..
Will Avenger work in safe mode?
Avenger is located on my desktop as well as the zip.
Yes I copied and pasted the quotes before and after chaslang's edit.

 

crazycat,
VundoFix isn't adequate to remove Vundo, but I can see from hijackthis that the infection is still there, which means, that VundoFix didn't remove it. It's because it's a difficult infection to remove, that certain procedures and tools are used in this forum which allow for its removal. It's a manual process which requires your assistance to us in providing the logs we request and in installing and implementing the tools in a way that they can work. To get your logs up-to-date, please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip. This will allow me to see if some of the files were removed by VundoFix and which ones still remain. The one which generates all the new files is still there, healthy and kicking.

Thanks
abri

 

Sorry Abri. Here's the new zip.

Upon reboot earlier I received the following... not sure if it will help you at all.

RUNDLL
Error loading C:\windows\system32\ckwcyraj.dll
The specified module could not be found.

 

Here it is after running Vunfind

 

Hi crazycat!

Please copy the contents of the box below into Notepad and save the notepad file to the Desktop with the name Log.txt

• Now using your mouse, drag Log.txt onto RenV.exe
• When finished, RenV.exe will produce a new log. Attach the new Log.txt to your next reply.
• Run ComboFix
• Run C:\MGtools\GetLogs.bat by double clicking on it.
• Attach the below new logs:
  • Log.txt
  • C:\ComboFix.txt
  • C:\MGlogs.zip

abri

 

What is RenV?

 

Here's the Log it created.

 

Yes I'll be online for a while.

 

too late...=[ !! I'm online now. everytime i'm on it shows you are offline. I didn't see this thread before running combofix. i saved RenV.exe to the desktop.

 

you want me to paste into RenV or just run it?

 

here's the log from RenV

 

vunfind update

 

isuspm.exe, 29 Dec 07, 244 kb
qttask.exe, 03 Jan 08, 96kb
msnmsgr.exe, 03 Jan 08, 5.41 mb

 

isuspm.exe 249,856 b
qttask.exe 96,304 b
msnmsgr.exe 5,674,352 b

 

Ok! Avenger set up to run on restart this time. After restart it said can't find Avenger.txt. Do you wish to create? I clicked yes. It brought up a blank notepad. Since that seemed odd to me, I stopped to let you know. I haven't run CCleaner or getlogs yet.

 

I deleted them. I could not find avexport.bat or ckwcyraj.dll.
Also, when I deleted nqpisdfu.ini it gave me the 'system file' warning and told me a program may stop responding. All of the deleted items are in the recycle bin. Do you want me to empty the recycle bin or just get you the logs?

Avenger.exe is located on the desktop.

 

I (just now, before getlogs.bat) ran CCleaner to empty all the temp files. I didn't run the registry scanner.

 

Things seem to be running much faster. Down to 45 proccesses. So do you think its all gone?

 

Thank you so much! I want to ask also.. where did you learn how to do all of that?