You guys rock! Chance to do it again...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by yanqui, Aug 14, 2006.

  1. yanqui

    yanqui Private E-2

    Friday afternoon I knew something got loaded on my machine--I saw it start and tried to get it to stop, but couldn't. I ran Spybot S&D and it found quite a few things, all of which were downloaded at the same time. After the S&D run and clean up, I updated it and ran it again, and found nothing. I logged off and went home. This morning I came in to a message that my computer was running low on virtual memory. That was strange, because I didn't do anything on it all weekend--or so I thought. When I went to log on, there were 15 IE windows open! (That explains the low virtual memory, doesn't it?)
    I ran S&D again and got ONE thing. I have run the stuff from the "Read and Run First" list. I have the logs saved from everything, so let me know what to do next, and I appreciate everything in advance.
     
  2. matt.chugg

    matt.chugg MajorGeek

    Well, as you have read the "Read and Run First" post, post the logs from the scans, specifically ShowNew and RunKeys from step 5, BitDefender and ActiveScan from step 6, and an HJT log from step 7.

    Please pay careful attention to step 7, as the instructions in there are vital: some infections will hide from HJT if the steps aren't followed correctly.
     
  3. yanqui

    yanqui Private E-2

    Think I got it--Defender found one thing, and I forgot that we have WinPatrol; I hardly ever use it, but it's a handy tool and it detected a couple of things that S&D missed. They may have been too new for S&D updates to catch, because WinPatrol's information site didn't know what they were either, but since I got rid of them the popups have stopped.

    But I now have a couple of new tools that have worked out pretty well, too.

    HOWEVER--I got a message when I tried to use Bitdefender:

    This web site is not authorized to host this ActiveX Control.

    Does that mean anything to you?
     
  4. matt.chugg

    matt.chugg MajorGeek

    Your domain policies probably prevent the installation of ActiveX controls.

    Post the logs from step 5 and step 7 and don't worry about the online scans for now.

    Also post the ShowNew and RunKeys logs.
     
  5. yanqui

    yanqui Private E-2

    Here goes, and thanks again.
     

    Attached Files:

  6. matt.chugg

    matt.chugg MajorGeek

    In Add/Remove Programs uninstall 'My Way Search Assistant'.

    Post a new ShowNew log.
     
  7. yanqui

    yanqui Private E-2

    It doesn't show up in Add/Remove Programs.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see that you had a problem running BitDefender, but you did not mention Panda ActiveScan. Did you try to run it? You really should! It often finds many things that others do not. Try to run it and attach the log as requested in step 6 of the READ ME.

    You also need to go back to step 7 of the READ ME and install HijackThis exactly as requested and you also need to rename the HijackThis.exe file as requested. This is very important as stated. Do this now, before continuing on to the below. Do not attach a new log yet. I will ask for one further down.

    First we need to get your Sun Java version updated. Install this: Sun Java Runtime Environment

    Now we need to uninstall some old Sun Java versions and some malware. I know you said that My Way Search Assistant does not exist, but look again anyway. I have included a manual fix further down for it anyway. So now go to Add/Remove Programs and uninstall all of the below if found. Tell me which ones are found and uninstalled.
    Enhanced Browser Overlay
    IRISmon
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2_03
    My Way Search Assistant
    Viewpoint Media Player



    Now download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;127.0.0.1;<local>
    O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
    O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)

    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "All Files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run Pocket Killbox by double-clicking killbox.exe.
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then, after it deletes the files, click the Exit (Save Settings) button.
    Now, back on Killbox's main window, paste the below filenames into Killbox one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion…say YES, and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note that some of the files listed below may not exist, but we need to check for them anyway.

    C:\WINDOWS\media_motor_bundle.exe
    C:\WINDOWS\MirarSetup_876075.exe
    C:\WINDOWS\system32\adrot-uninst.exe
    C:\WINDOWS\system32\adrotate.dll
    C:\WINDOWS\system32\comcap16.dll
    C:\WINDOWS\system32\icon_mediamotor.exe
    C:\WINDOWS\system32\irsmamym.dll
    C:\WINDOWS\system32\irssyncd.exe
    C:\WINDOWS\system32\nodeipproc.dll
    C:\WINDOWS\system32\tdopenmg.exe
    C:\WINDOWS\system32\ts_mediamotor.exe
    C:\WINDOWS\system32\uninstIcn.exe
    C:\WINDOWS\system32\UnIrimon.exe
    C:\WINDOWS\system32\WinNB58.dll


    If Killbox does not reboot, or you get a "Pending Operations" type error message, just reboot your PC yourself.

    After reboot, use the below online file scanner to scan this file on your PC: C:\WINDOWS\system32\nsfB7.dll

    http://virusscan.jotti.org/

    Just click the above link and then click the Browse button and locate the C:\WINDOWS\system32\nsfB7.dll file on your PC and select the file and click Submit. Post the results of the scan back here.

    Now attach a new HJT log and tell me how the steps went.

    Also download the current version of ShowNew and use it to attach a new log from ShowNew.

    Make sure you tell me how things are working now!
     
  9. yanqui

    yanqui Private E-2

    I didn't try to run the Panda scan; Matt said to skip the online scans for now and move on to the next steps. I'll do that when I get a chance, as well as the rest of your instructions.

    As for the Motorola iDEN stuff, are you targeting that for a specific reason? We use a program called Motorola iDEN to update our Motorola phones with ringtones, or for synchronizing with our desktops. Is that a file that isn't part of that?
     
  10. yanqui

    yanqui Private E-2

    Wow--I only THOUGHT things were fixed. Here's what's new, addressed in the order you recommended.

    Ran Panda Scan, yup, it caught several things.

    Did the HijackThis install using analyse.exe; results later.

    JRE updated.

    I found Enhanced Browser Overlay, IRISmon, J2SE update 4, and update 6, and Viewpoint Media player (but not MyWay search assistant) in Add/Remove programs. Uninstalled them.

    Ran HijackThis, fixed all the problems you recommended.

    Did the fixme.reg registry fix.

    Ran Pocket Killbox, unregistered the DLLs, and deleted on reboot, rebooted.

    The jotti.org file scanner STILL picked up several things in the DLL I scanned; results attached as jotti.txt.

    Newest HJT log attached, newest ShowNew log attached.

    Are we getting there yet?
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I assume you are referring to this:
    O1 - Hosts: 216.19.0.250 idenupdate.motorola.com

    Putting things in the hosts file is a dangerous practice and it is normally not necessary. Do you really need to do this?

    First of all, that IP address is not the same as idenupdate.motorola.com.

    That IP address belongs to:
    Whereas idenupdate.motorola.com is:
    So the question is, why are you trying to change idenupdate.motorola.com to go to RTD Systems and Networking? Did Motorola sell this to someone else?
     
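The post above makes the security point that matters in this thread: a hosts-file line maps a hostname straight to an IP and bypasses DNS, so a public IP that does not belong to the name's owner silently sends every request for that host to a third party, while 127.0.0.1 or 0.0.0.0 entries merely block the name. The script below is an added example, not code from the thread or from HijackThis; it parses the O1 (hosts) and R0/R1 (IE start page) lines quoted in the posts, plus two constructed blocking entries for contrast, and classifies each hosts mapping by where it sends traffic using Python's `ipaddress` module.

```python
import ipaddress
import re

# Constructed sample log (not the thread's attachment): the HijackThis lines
# quoted in the posts above plus two made-up blocking entries for contrast.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O1 - Hosts: 127.0.0.1 ads.example.invalid
O1 - Hosts: 0.0.0.0 tracker.example.invalid
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
"""

_O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(.*)$")
_START_RE = re.compile(r"^R[01] - (HK\w+)\\.*?,(Start Page|Default_Page_URL) = (\S+)$")


def parse_o1_entries(log_text):
    """Return (ip, hostname) pairs from every 'O1 - Hosts:' line."""
    entries = []
    for line in log_text.splitlines():
        m = _O1_RE.match(line.strip())
        if not m:
            continue
        ip, rest = m.groups()
        # A hosts line may list several names; drop a trailing '#' comment.
        names = rest.split("#", 1)[0].split()
        entries.extend((ip, name) for name in names)
    return entries


def classify_hosts_entry(ip, hostname):
    """Classify one hosts mapping by where it sends traffic for hostname."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unparseable"
    if hostname.lower() == "localhost" and addr.is_loopback:
        return "expected"        # the one entry a stock hosts file needs
    if addr.is_unspecified:
        return "blackhole"       # 0.0.0.0 / ::, connection fails; common ad-block style
    if addr.is_loopback:
        return "loopback-block"  # 127.0.0.1, same effect unless something listens locally
    if addr.is_private:
        return "private"         # LAN override, e.g. an intranet host; confirm with the admin
    if addr.is_global:
        return "redirect"        # public IP: all traffic for hostname goes to a third party
    return "other"


def find_redirects(log_text):
    """Hostnames silently pointed at a public IP, the case flagged in the thread."""
    return [(name, ip) for ip, name in parse_o1_entries(log_text)
            if classify_hosts_entry(ip, name) == "redirect"]


def start_pages(log_text):
    """(hive, setting, url) for the R0/R1 IE start-page entries."""
    found = []
    for line in log_text.splitlines():
        m = _START_RE.match(line.strip())
        if m:
            found.append(m.groups())
    return found


if __name__ == "__main__":
    for ip, name in parse_o1_entries(SAMPLE_HJT_LOG):
        print(f"{name:28} -> {ip:16} {classify_hosts_entry(ip, name)}")
    print("redirects:", find_redirects(SAMPLE_HJT_LOG))
    print("start pages:", start_pages(SAMPLE_HJT_LOG))
```

Only the motorola.com line comes back as a `redirect`; the loopback and 0.0.0.0 entries are classified as blocking entries. The script deliberately does no WHOIS or DNS lookups, so it runs offline; whether a `redirect` is legitimate still has to be settled the way the post does it, by checking who owns the address the name is pointed at.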
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Where is the log?

    I asked you to download the new version of ShowNew. You still have the old version.


    It looks to me like the HJT fix and the registry patch were not run. I still see many of the things we were trying to fix.

    Let's do the fix below (some steps are repeats, but we will include that other file that Jotti scanned). But first, please uninstall Windows Defender and shut down Symantec. I have a feeling they may be blocking the fixes.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;127.0.0.1;<local>
    O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background


    After clicking Fix, exit HJT.

    MAKE SURE TO REDOWNLOAD THIS REGISTRY PATCH. I modified it slightly. There was a typo that could have affected it last time.
    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "All Files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run Pocket Killbox by double-clicking killbox.exe.
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then, after it deletes the files, click the Exit (Save Settings) button.
    Now, back on Killbox's main window, paste the below filenames into Killbox one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion…say YES, and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note that some of the files listed below may not exist, but we need to check for them anyway.

    C:\WINDOWS\system32\nsfB7.dll


    If Killbox does not reboot, or you get a "Pending Operations" type error message, just reboot your PC yourself.

    Now attach a new HJT log and tell me how the steps went.

    Also download the current version of ShowNew and use it to attach a new log from ShowNew.

    Make sure you tell me how things are working now!
     
    Last edited: Aug 16, 2006
