First Post - Add. Help Needed -Steps 0-9 Complete

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Stumped06, Jul 30, 2006.

  1. Stumped06

    Stumped06 Private E-2

    First Post
    07/30/2006

    Dell INSPIRON 6000
    Intel Pentium M 1.60 GHz, 512 MB of RAM
    Microsoft Windows XP Professional
    Version 2002
    Service Pack 2

    Computer Logged in as Administrator

    Computer in safe mode because in normal mode spyware, adware,
    trojans and worms prevent you from performing simple tasks; you can't
    do anything because of the mass infection, or they just keep popping up
    and you can't get anything done.

    SPECIAL REMOVAL PROCEDURES

    SurfSideKick Removal
    Ran Brute Force Uninstaller with sidekickfix.bat - fixed Problems
    Reran in normal mode because Surfsidekick was still present.
    SurfsideKick seems to be removed. SurfsideKick is still present on machine,
    removal tool does not seem to be working.

    Ran CCleaner. Deleted contents of C:\WINDOWS\PREFETCH - Fixed Problems. Reran in normal mode. Fixed Problems.

    Look2Me VX2 Removal - Fixed Problems.

    END OF SPECIAL REMOVAL PROCEDURES

    0.PRELIMINARY HOUSE CLEANING

    Uninstalled All Malware via Add/Remove Programs
    Removed files from Norton Antivirus Quarantine
    Removed files from Webroot Spysweeper Quarantine
    Emptied files from Norton Protected Recycle Bin

    0.END OF PRELIMINARY HOUSE CLEANING

    1.SYSTEM RESTORE
    Had already disabled system restore from a previous fix
    before starting READ & RUN ME FIRST Before Asking for Support.

    2.ENABLE VIEWING OF HIDDEN, SYSTEM AND EXTENSION FILES.
    Done.

    3.MULTIPLE ANTIVIRUS APPLICATIONS
    Only One installed.

    4.DOWNLOADING TOOLS
    Tools Downloaded.

    5.CLEANING MALWARE
    Computer In Safe Mode.

    Network Cable Unplugged.

    Ccleaner - no problems. Reran in normal mode - no problems. Also ran under other users, fixed problems.

    Microsoft Windows Malicious Software Removal Tool - fixed problems.

    Ad-Aware SE - Having a problem running in safe mode: when the screensaver
    enables and I try to go back to the desktop, instead I get the blue screen
    stating to disable or uninstall virus protection etc. It writes memory to
    disk then reboots. Will try and run in normal mode. Reran in normal mode; there seems to be a problem when it gets to c:\windows\installer,
    it just stays there and never finishes scanning. Finally got it to scan,
    but only by performing a smart system scan. Reran after downloading updates in Windows safe mode with networking support. Reran in normal mode, program not responding...

    Spybot Search & Destroy - Would not run until updated. Will try in
    normal mode. Reran in normal mode and it will not run until detection updates are installed. Will try and update in Windows safe mode with networking support. Reran after downloading updates in Windows safe mode with networking support. Reran in normal mode, fixed problems.

    Microsoft Windows Defender - Will not run in safe mode. Will try and run in normal mode. Reran in normal mode and it stated it required Windows Installer 3.1 or later to be installed. Reran after installing Windows Installer 3.1; would not install because a required update to Windows Update is available at the Windows Update website. @%$#!!! Oh My God!!! Will try and run in Windows safe mode with networking
    support. Could not get it to run, need add. updates. Having error on Windows Update page.

    CounterSpy - could not run in safe mode because could not click on I agree button, ran scan in normal mode with no problems, counterspy.txt attached to post. Reran after downloading updates in windows safe mode with networking support. Revised counterspy.txt attached to post.

    CWShredder - Not a valid Win32 application or will not run in safe mode. Will try to run again in normal mode. Reran in normal mode, not a valid Win32 app. File downloaded from majorgeeks.com somehow became corrupt; redownloaded and ran in normal mode with no problems.

    Kill2Me - fixed problems.

    6.ONLINE VIRUS AND TROJAN SCANNING
    Computer booted in safe mode with networking support.

    Java - Will not install in safe mode. Will reinstall in normal mode. Installed in normal mode, no problems.

    Bitdefender - no problems running, bdscan.txt attached to post.

    Panda Active Scan - no problems running, activescan.txt attached to post.

    7.HIJACKTHIS LOG POSTING
    Had no problems running, hijackthis.log attached. Steps for Downloading,
    Installing, and Running HijackThis were followed.

    8.Alternative Scans
    (NOTE! It is very hard to do these steps in safe mode on a laptop on account of the monitor is rather small and there is no way to make it larger. However, on some programs if you press the TAB key, this will allow you to get to the buttons.)

    Webroot Spysweeper - purchased version currently installed on computer.

    Ewido Security Suite - Could not run in safe mode because could not click on
    buttons and settings, display area too small. Reran in normal mode, no problems, ewidoscan.txt attached.

    Trojan Online Scan - Quarantined Problems.

    Kaspersky Online Scan - no problems. There was no save as text button, however I did copy the results into notepad. kasperskyscan.txt is attached.

    Trend Micro Online Scan - fixed problems, multiple windows updates needed. Will run windows update last in normal mode.

    ZoneAlarm Spyware Scanner - no problems

    A-Squared - fixed problems, a2scan.txt attached.

    Avast Virus Cleaner Tool - no problems, avastscan.txt attached.

    McAfee Avert Stinger - no problems.

    Panda Quick Remover - no problems.

    Blacklight Beta - A system error reading a resource occurred!
    Server error 404
    Not Found
    The page you requested was not found on server, please go back and try again. Probably you used an outdated link or an old bookmark.
    If you followed a link on our site, please try it again in a few minutes.

    Finished processing steps 0-9 and still having problems; only one problem keeps coming up and that's Aware.SurfSideKick.exe. I can't seem to get rid of it; every time the PC reboots Norton finds it and requires a reboot to remove it, filename is unavailable and original location is unavailable. It's in msconfig as a startup but I unchecked it so it would not start; it must be somewhere else that I am not aware of. Also, there are a lot of tracks left behind by these parasites; any help getting rid of these would be great, tracks are in msconfig, etc... Finally got Windows
    updates to install, first time to connect to the web in normal mode; before I started these steps this was impossible.

    I would like to say Thank You in advance to the MajorGeeks Team.

    End
     

    Attached Files:

  2. Stumped06

    Stumped06 Private E-2

    Additional Attachments Required...
     

    Attached Files:

  3. Stumped06

    Stumped06 Private E-2

    Additional Attachments Required...

    End of Additional Attachments.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In your second run of CounterSpy you did not allow it to fix what it found. You had it ignore everything. Please run it again and make sure you fix all that it found. It had found a load of problems. Then attach a new log from CounterSpy. After getting it to fix everything, uninstall CounterSpy to avoid conflicts with your paid version of Spy Sweeper.

    Download and run this new version of QooFix: http://www.malwarebytes.org/qoofix.php


    After running it, some of the items included in my procedure below may already be gone. Just ignore and continue.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,xeyhplx.exe
    O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
    O4 - HKLM\..\Run: [winlog] winlog.exe
    O4 - HKLM\..\Run: [{20-05-58-85-ZN}] c:\windows\system32\oodsregr.exe CORN003
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\4.bin\MWSBAR.DLL,S
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKLM\..\RunServices: [winlog] winlog.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:

    C:\Program Files\MYWEBS~1 or My Web Search or MyWebSearch <--- the whole folder
    C:\Program Files\outlook <--- the whole folder
    C:\Program Files\SurfSideKick 3 <--- the whole folder
    C:\WINDOWS\keyboard1.dat
    C:\WINDOWS\sys0257602683-82006.exe
    C:\WINDOWS\whCC-GIANT.exe
    c:\windows\system32\oodsregr.exe
    C:\WINDOWS\system32\winlog.exe
    C:\WINDOWS\system32\xeyhplx.exe

    Additional step to delete files in the Downloaded Program Files folder :
    - Click Start, Run, and enter cmd in the box and click OK. This opens a command prompt window.
    - Enter the following command lines, each followed by the Enter key:
    cd C:\WINDOWS\Downloaded Program Files\
    attrib -r -h -s f3initialsetup1.0.0.15.inf

    del f3initialsetup1.0.0.15.inf
    exit


    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: Jul 31, 2006
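An added example, not part of the thread and not HijackThis's own code: a small Python parser for the R3, F2 and O4 line formats quoted in the post above, which flags the structural persistence patterns visible there (an extra program appended to the UserInit value, a Run entry that names a bare filename with no path, an entry under the Win9x-era RunServices key, a URLSearchHook whose file is gone, and rundll32 wrappers whose real payload is the DLL argument). The sample input is constructed from the lines chaslang listed plus one benign QuickTime entry from a later post; the heuristics are the editor's, not a signature list, so lines such as the SurfSideKick 3 and oodsregr.exe entries are deliberately left to the human reading the log.

```python
"""Parse HijackThis-style R3/F2/O4 lines and flag autostart patterns worth a second look.

Added example for this thread; the heuristics are the editor's, not HijackThis's.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines quoted from the post above plus one benign QuickTime entry.
SAMPLE_HJT_LINES = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,xeyhplx.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [{20-05-58-85-ZN}] c:\windows\system32\oodsregr.exe CORN003
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\4.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")
R3_RE = re.compile(r"^R3 - URLSearchHook: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def executable_of(command: str) -> str:
    """Return the program part of a Run-key command line (quoted, or text up to .exe)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted paths with spaces are common in Run keys, so cut at the first .exe
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def audit_hjt(text: str) -> list[Finding]:
    """Walk the log and return one Finding per line that matches a risky pattern."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = F2_RE.match(line)
        if m:
            # Winlogon starts every comma-separated program in UserInit;
            # only userinit.exe itself belongs there.
            parts = [p.strip() for p in m.group(1).split(",") if p.strip()]
            extra = [p for p in parts if not p.lower().endswith("userinit.exe")]
            if extra:
                findings.append(Finding(line, "UserInit runs extra program(s) at logon: " + ", ".join(extra)))
            continue
        m = R3_RE.match(line)
        if m:
            if m.group(3).strip().lower() == "(no file)":
                findings.append(Finding(line, f"orphaned URLSearchHook {m.group(2)}: CLSID registered but its file is gone"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue  # R1 and other line types are not audited by this example
        _hive, key, _name, command = m.groups()
        exe = executable_of(command)
        base = exe.rsplit("\\", 1)[-1].lower()
        if key.lower() == "runservices":
            findings.append(Finding(line, "RunServices is a Win9x-era key; an entry there on Windows XP is unusual"))
        elif base in ("rundll32", "rundll32.exe"):
            findings.append(Finding(line, "rundll32 wrapper: the DLL named after it is the real payload"))
        elif "\\" not in exe:
            findings.append(Finding(line, f"bare filename '{exe}' is located by PATH search, not a fixed location"))
    return findings


if __name__ == "__main__":
    for f in audit_hjt(SAMPLE_HJT_LINES):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample it reports five lines: the orphaned R3 hook, the extra xeyhplx.exe in UserInit, the bare winlog.exe under Run, the rundll32 MyWebSearch entry, and the RunServices copy of winlog.exe. The point of the F2 check in particular is that UserInit is read by Winlogon before the shell starts, so a program appended there runs at every logon even after the Run keys have been cleaned, which matches the pattern of entries reappearing in this thread.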
  5. Stumped06

    Stumped06 Private E-2

    CounterSpy
    I apologize chaslang, I noticed that I did not let CounterSpy fix what it found on my second scan as well. I lost that page when I was saving the log file, or it had gotten too late, so I ran it again and fixed everything it found, but for good measure I ran it again. Having problems with CounterSpy: have run it three
    times and can not get a log per instructions. I try and click on View -> Spyware Scan -> View Spyware Scan History -> view full details of scan and nothing happens. Any suggestions? It keeps finding Aware.SurfSideKick and I keep removing it every time it finds it. It finds it when it's checking the Windows registry. It finds it every time a scan is done. (Just curious, now that updates are installed from Windows Update, should I run Microsoft Windows Defender?)

    Qoofix
    No malicious modules found.
    No Qoologic infected files found.
    Scan Completed Successfully

    HiJackThis
    Completed.

    Deleting of Folders
    Folders Deleted.

    Deleting Downloaded Program Files
    Could not click on run in safe mode instead I did Start-> All Programs-> Accessories-> Command Prompt. File Not Found - f3initialsetup1.0.0.15.inf

    Deleted c:\windows\prefetch files.

    Ran Ccleaner.

    Reset Web Settings.

    Reboot in normal mode.

    Posted new HJT Log.

    Adware.SurfSideKick still present. It's detected by Norton on almost every bootup in normal mode. Do you still need me to uninstall CounterSpy? Other than that the OS seems to be running fine, 99% better than it was. Thanks, but not giving up; let me know what we need to try next.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall CounterSpy now as I said before to avoid conflicts with SpySweeper. No! Do not install Windows Defender for the same reason. Also uninstall Ewido which you have just installed. Please do not install anything unless I request it. Uninstall these now before continuing.

    Look in Add/Remove programs for SurfSideKick 3 and uninstall if found. Then continue with the below.


    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKLM\..\Run: [{20-05-58-85-ZN}] c:\windows\system32\oodsregr.exe CORN003

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\SurfSideKick 3 <--- the whole folder
    c:\windows\system32\oodsregr.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    MAKE SURE you tell me if you do not find or cannot delete any of the above items!

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: Aug 1, 2006
  7. Stumped06

    Stumped06 Private E-2

    CounterSpy
    Sorry about the poor communication, I was simply wanting to be sure since CounterSpy had found the adware even though it had been previously removed. CounterSpy is uninstalled. Ewido was already installed before we started, from the tutorial. Ewido is uninstalled.

    Looked in Add/Remove programs for SurfSideKick 3 and Did Not See it.

    Viewing of hidden files is enabled.

    Ran HijackThis and Fixed the following with no browser sessions open:
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKLM\..\Run: [{20-05-58-85-ZN}] c:\windows\system32\oodsregr.exe CORN003

    Booted in safe mode and did NOT find:
    C:\Program Files\SurfSideKick
    c:\windows\system32\oodsregr.exe
    Also did NOT find in windows task manager.

    Deleted all files in c:\windows\Prefetch

    Rebooted in normal mode and ran HJT.
    Hijackthis3.log attached.

    OS seems to be running fine, a little slow; defrag has been done. Worried about Aware.SurfSideKick continuously showing its teeth. The lines you asked me to fix in HJT are some of the same ones I fixed the first time; it's like it did not fix them the first time? Hanging in there.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay it looks to me like Spy Sweeper and CounterSpy may be making the final cleanup difficult. Uninstall CounterSpy and Spy Sweeper. (DO not reinstall Spy Sweeper until I say to do so and leave CounterSpy uninstalled permanently). Then reboot and then run the below.

    Start by downloading Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKLM\..\Run: [{20-05-58-85-ZN}] c:\windows\system32\oodsregr.exe CORN003

    Now exit HijackThis after clicking Fix checked.


    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    Now back on Killbox's main window, Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\Program Files\SurfSideKick 3\Ssk.exe
    c:\windows\system32\oodsregr.exe

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now attach a new HJT log and tell me how the steps went.

    Now run the below procedure and attach the runkeys.txt log.
    Now run the below procedure and attach the newfiles.txt log.
    Make sure you tell me how things are working now!
     
  9. Stumped06

    Stumped06 Private E-2

    I am confused, CounterSpy is already uninstalled. SpySweeper is Uninstalled.

    Downloaded Tools, Pocket KillBox, GetRunKey, ShowNew.

    Rebooted in normal mode. Cable unplugged. All browsers closed. I exited all processes and items in the System tray, except for some reason I could not get the network connections icon nor the Norton Antivirus icon to go away.


    Ran HJT and fixed:
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKLM\..\Run: [{20-05-58-85-ZN}] c:\windows\system32\oodsregr.exe CORN003

    Ran Pocket Killbox and Deleted on Reboot the following:
    C:\Program Files\SurfSideKick 3\Ssk.exe
    c:\windows\system32\oodsregr.exe
    Unregister DLL was unavailable. Computer did not reboot and did get Pending Operations type message. "PendingFileRenameOperations Registery Data has been Removed by External Process!" Manually Rebooted.

    Ran HJT hijackthis4.log attached.

    runkeys.txt attached.

    newfiles.txt attached.

    Looking good, all tasks completed with ease.
     

    Attached Files:
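An added example, not part of the thread and not Pocket Killbox's code. Killbox's "Delete on Reboot" option in chaslang's instructions and the "PendingFileRenameOperations Registry Data has been Removed by External Process!" message in the reply above both refer to the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which Session Manager processes early in the next boot. The Python below decodes that REG_MULTI_SZ value (as read from a live system with winreg, or from an offline hive) into the list of delete, move and replace operations the next boot will perform, so a responder can audit what is queued. The format details (source/target pairs written by MoveFileEx with the delay-until-reboot flag, an empty target meaning delete, a leading "!" on the target meaning replace an existing file) are stated here as the editor's understanding, and the sample entries are constructed: the two paths Killbox was given above plus a made-up update.tmp to example.dll pair to exercise the other forms.

```python
"""Decode a PendingFileRenameOperations value and list what Session Manager will do at boot.

Added example for this thread (not Pocket Killbox's code). Assumed format: REG_MULTI_SZ
holding source/target pairs; empty target = delete, target starting with "!" = replace.
"""
from dataclasses import dataclass

NT_PREFIX = "\\??\\"   # paths in this value carry the NT object-manager prefix

# Constructed sample: the two Killbox paths from the thread plus a made-up rename pair.
SAMPLE_ENTRIES = [
    "\\??\\C:\\Program Files\\SurfSideKick 3\\Ssk.exe", "",
    "\\??\\c:\\windows\\system32\\oodsregr.exe", "",
    "\\??\\C:\\WINDOWS\\Temp\\update.tmp", "!\\??\\C:\\WINDOWS\\system32\\example.dll",
]


@dataclass(frozen=True)
class PendingOp:
    kind: str     # "delete", "move" or "replace"
    source: str
    target: str   # empty for delete


def encode_multi_sz(entries: list[str]) -> bytes:
    """Raw REG_MULTI_SZ bytes: UTF-16LE strings, each NUL-terminated, plus a final NUL."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in entries) + b"\x00\x00"


def decode_multi_sz(raw: bytes) -> list[str]:
    """Inverse of encode_multi_sz. Keeps empty strings: a generic MULTI_SZ reader
    treats the resulting double NUL as end-of-list, but here they encode deletes."""
    text = raw.decode("utf-16-le")
    if text.endswith("\x00"):
        text = text[:-1]              # drop the list terminator
    parts = text.split("\x00")
    if parts and parts[-1] == "":
        parts.pop()                   # residue after the last string's own terminator
    return parts


def _strip_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_ops(entries: list[str]) -> list[PendingOp]:
    """Turn the flat string list into (kind, source, target) operations."""
    if len(entries) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/target pairs")
    ops: list[PendingOp] = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        if dst == "":
            ops.append(PendingOp("delete", _strip_prefix(src), ""))
        elif dst.startswith("!"):
            ops.append(PendingOp("replace", _strip_prefix(src), _strip_prefix(dst[1:])))
        else:
            ops.append(PendingOp("move", _strip_prefix(src), _strip_prefix(dst)))
    return ops


def describe(ops: list[PendingOp]) -> list[str]:
    """One human-readable line per queued operation."""
    return [f"{op.kind:8} {op.source}" + (f" -> {op.target}" if op.target else "")
            for op in ops]


if __name__ == "__main__":
    raw = encode_multi_sz(SAMPLE_ENTRIES)      # stands in for the bytes read from the hive
    for line in describe(parse_pending_ops(decode_multi_sz(raw))):
        print(line)
```

Two things worth keeping in mind when using this: the value is a single shared queue that any process with write access to the key can overwrite, so re-read it after queuing deletions and before rebooting to confirm the entries are still present (the "Removed by External Process" message above is Killbox reporting exactly that check failing), and a delete entry is stored as a path followed by an empty string, which is why the decoder above deliberately does not drop empty strings the way a general-purpose MULTI_SZ routine would.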

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may have! But for the same reason the malware items were not going away, CounterSpy was and still is showing in your log. This is why I wanted to uninstall it and Spy Sweeper.

    Now Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now run HJT and fix the two below lines:
    O4 - HKLM\..\Run: [SunServer] "C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe"
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    Now exit HJT and reboot.

    After reboot attach a new HJT log and a new runkeys.txt log.

    If this all checks out, I will then tell you to reinstall Spy Sweeper.
     
    Last edited: Aug 3, 2006
  11. Stumped06

    Stumped06 Private E-2

    Copy That! on the malware items.

    Completed the regedit instruction with no problems.

    Ran HJT and fixed with no problems.
    O4 - HKLM\..\Run: [SunServer] "C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe"
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    Exited Hjt and rebooted. New Hjt log and runkeys.txt attached.

    OS running very smoothly now.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay now everything is all cleaned up! You can re-install Spy Sweeper now to get your active protection back up!

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
