Son-In-Law seeking help!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by soninlaw, Jan 25, 2006.

  1. soninlaw

    soninlaw Private E-2

    I did the full 7 steps in the Read Me First post, and tried the Special Removal processes. I'm working on my father-in-law's computer. He has never used any virus checker or firewall and is so naive about computers that if he sees "Free" he checks it. As a result, he got to the point where his computer would not complete a reboot--the desktop was never completed.

I got control of the machine in safe mode and installed McAfee virus checker. That found about 20 virii, removed them. My F-I-L uses AOL, so I removed McAfee and installed the AOL virus software (a McAfee variant). I also got Ad-Aware and got rid of the couple of hundred trackers/spammers. He's still infected. I then came here and followed the steps. The logs are still showing infections but I'm getting stumped. For example, the log says he has SurfSideKick but there is no file named ssk.exe, or repair?.dll or a folder called SurfSideKick. There WAS one, but it was removed by one of the checks.

    Ok, that's it. I'm stumped and am looking for help. Here are the three logs--Panda, BitDefender and Hijackthis. I can only work on this in the evenings, so this could be a looooong process. TIA!

    Jake
     

    Attached Files:

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!

    First, please install HJT properly per step 7 of the READ ME. You have it here:
    C:\Documents and Settings\wgetchell\Desktop\VirusKillerls\HijackThis.exe

    Also only post HJT logs from normal boot mode.

    Then please look in Add/Remove Programs and uninstall the below:

    Oemji

    Please see the below thread on how to install and run Spy Sweeper and Ewido Anti-Malware. After you ran both programs, attach the logs to your next post along with a fresh HJT log from normal mode.
     
    Last edited by a moderator: Jan 25, 2006
  3. soninlaw

    soninlaw Private E-2

    Ok, did that. Deleted and reinstalled HijackThis. Tried to uninstall oemji, it aborted three times. I found a manual process for uninstalling it on the web, followed that process and it appeared to be gone. Downloaded and ran Spy Sweeper and Ewido. Re-ran HijackThis. Log attached. As a note, when I started iexplorer to come here, 5 ads popped up. Something is still there.

    Thanks!

    Jake
     

    Attached Files:

  4. soninlaw

    soninlaw Private E-2

    Here is the SpySweeper file.
     

    Attached Files:

  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    soninlaw,

    Update your SpySweeper definitions and run another full sweep. Afterwards attach this log with a fresh HJT log.
     
  6. soninlaw

    soninlaw Private E-2

    I did update the definitions before I ran SpySweeper, but I'll repeat that process tonight.
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The latest definitions are 605.

    Sweep initiated using definitions version 556
     
  8. soninlaw

    soninlaw Private E-2

    Ok, got the latest file available to download, reran SpySweeper, then when I tried to post the log I immediately got 4 popups. So, I installed Firefox, re-ran SpySweeper again, then HJT and used Firefox to load here--no iexplorer. The AOL Safety center software reports that \windows\sa22.dll is infected and can't be disinfected or blocked and offers to delete it. I haven't done that yet.

    Logs of SpySweeper and HJT attached.
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Please look in Add/Remove Programs for the following and uninstall them if found:

    Ewido

    Spy Sweeper


    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://promo.ktvad1.com/eas?cu=369&login=672125&mediaid_prefix=005&extparam=1:LE lGrY1HSeyL38Vsb59W0g&asked_billing_id=15&time=312e3230362e31&nums=N0

    O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\windows\system32\nsd261.dll

    O4 - HKLM\..\Run: [0106080907080A0] CDD2D4D5D3D4D.exe

    O16 - DPF: {95460ABD-946A-46FF-9F56-268718323EEE} - http://scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1068_XP.cab
    O16 - DPF: {B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13} - http://scripts.downloadv3.com/binaries/IA/sysinetsvc32_EN_XP.cab
    O16 - DPF: {BA749BC1-143E-430D-B1DA-1D2AF67A3658} - http://scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1069_XP.cab

    O20 - AppInit_DLLs: oomhpoon.dll

    Again, make sure ALL browser windows are closed when you click FIX.

    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial.

    Next, run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.

    Note: Remember to get all updates before doing the scans.


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    • Temporary Files
    • Temporary Internet Files
    • Recycle Bin
    And Click OK.



    Locate PocketKillbox
(Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\system32\nsd261.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\oomhpoon.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\CDD2D4D5D3D4D.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.
    After you complete the above, REBOOT and proceed with the rest of this fix...

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:


    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
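The HijackThis entries the helper asked to be fixed above (R1, O2, O4, O16, O20) each follow a fixed line layout. As an added example that is not part of this thread and not HijackThis's own code, the parser below turns such lines into structured records and applies a few defender-side triage rules to the entry types seen here: a ShellNext value pointing at an external URL, a BHO DLL loaded from the Windows directory, a Run entry with a random hex-style name or a bare executable name, an ActiveX download (O16) from a host outside a small allowlist, and any non-empty AppInit_DLLs value. The sample log is constructed from the lines quoted in the thread plus one made-up benign O4 line as a control; the allowlist of DPF hosts and the heuristics themselves are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the entries quoted in this thread, plus one constructed
# benign O4 line (ExampleTray, an assumption) as a control that should not flag.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Connection Wizard,ShellNext = http://promo.ktvad1.com/eas?cu=369
O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\\windows\\system32\\nsd261.dll
O4 - HKLM\\..\\Run: [0106080907080A0] CDD2D4D5D3D4D.exe
O4 - HKLM\\..\\Run: [ExampleTray] C:\\Program Files\\Example Vendor\\tray.exe
O16 - DPF: {95460ABD-946A-46FF-9F56-268718323EEE} - http://scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1068_XP.cab
O20 - AppInit_DLLs: oomhpoon.dll
"""

# One pattern per HijackThis section type that appears in the thread.
PATTERNS = {
    "R1": re.compile(r"^R1 - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$"),
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<command>.*)$"),
    "O16": re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<url>\S+)$"),
    "O20": re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$"),
}

# Hosts from which an ActiveX (DPF) download is expected on this machine; an
# assumption for the example, not a complete or authoritative list.
TRUSTED_DPF_HOSTS = {"windowsupdate.microsoft.com"}
HEX_NAME = re.compile(r"^[0-9A-Fa-f]+(\.exe)?$")


@dataclass
class Entry:
    section: str          # "R1", "O2", "O4", ...
    fields: Dict[str, str]
    raw: str


def parse_log(text: str) -> List[Entry]:
    """Parse HijackThis lines into entries; unknown layouts are kept with empty fields."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        pattern = PATTERNS.get(section)
        match = pattern.match(line) if pattern else None
        entries.append(Entry(section, match.groupdict() if match else {}, line))
    return entries


def host_of(url: str) -> str:
    match = re.match(r"^[a-z]+://([^/:]+)", url, re.IGNORECASE)
    return match.group(1).lower() if match else ""


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def triage(entries: List[Entry]) -> List[Tuple[str, List[str]]]:
    """Return (raw line, reasons) for every entry that trips a heuristic."""
    flagged = []
    for entry in entries:
        f = entry.fields
        reasons = []
        if entry.section == "R1" and f.get("data", "").lower().startswith("http"):
            reasons.append("ShellNext points to an external URL")
        if entry.section == "O2" and "\\windows\\" in f.get("path", "").lower():
            reasons.append("BHO DLL loads from the Windows directory; look up the CLSID")
        if entry.section == "O4":
            command = f.get("command", "")
            if HEX_NAME.match(f.get("name", "")) or HEX_NAME.match(basename(command)):
                reasons.append("Run entry uses a random hex-style name")
            if "\\" not in command:
                reasons.append("bare executable name, resolved through the search path")
        if entry.section == "O16" and host_of(f.get("url", "")) not in TRUSTED_DPF_HOSTS:
            reasons.append("ActiveX download from a host outside the allowlist")
        if entry.section == "O20" and f.get("dlls", "").strip():
            reasons.append("AppInit_DLLs is set; the DLL is loaded into every GUI process")
        if reasons:
            flagged.append((entry.raw, reasons))
    return flagged


if __name__ == "__main__":
    for raw, reasons in triage(parse_log(SAMPLE_LOG)):
        print(raw)
        for reason in reasons:
            print("   -", reason)
```

The rules are deliberately coarse: they are meant to shortlist entries for a human to look up (CLSID, file hash, publisher), not to decide on their own, which is the same role the helper's manual review plays in the thread.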
  10. soninlaw

    soninlaw Private E-2

    OK, done! Here's the HJT log.
     

    Attached Files:

  11. soninlaw

    soninlaw Private E-2

Oops, you wanted it with .txt extension. Here you go.

    EDIT: Nope, won't let me upload using ANY name. I'll try again later.
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's ok, both .txt and .log are fine, we just don't like .doc because they are large in size.

    Your log looks good, are you having any further problems?
     
  13. soninlaw

    soninlaw Private E-2

    Yes, there are still problems. It ran ok for about 5 minutes. Then I opened iexplorer to tell you it was working well, but I got three immediate popups from websites I never went to and now it moves with glacial speed. I ran CCleaner, and tried to run Ad-aware, but Ad-aware hangs up and doesn't complete. I also am getting a popup window asking what I want to connect to when I'm not doing anything. I ran HJT again, and compared the log to the log you said looked good and they were identical. I've just restarted Ad-aware, I'll let it run overnight to see if it will complete.
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  15. soninlaw

    soninlaw Private E-2

    Done. I let AdAware run overnight, it found 5 things to delete. I let it do that, then ran WinPFind. Here's the log. I'm also getting a prompt to pick a dialing location, even though I've connected the computer to a high speed cable modem network with internet access. This box pops up every few minutes.
     

    Attached Files:

  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Now, manually navigate to the Network Connections folder and locate the dialup connection and delete it.

    After you have completed the above, do a search for the below file and delete if found.

    buddy.exe

    Locate PocketKillbox
(Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\hpothb07.dat into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\hpothb07.tif into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\bdeadmin.cpl into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.
    After you complete the above, let me know how things are running.
     
  17. soninlaw

    soninlaw Private E-2

I think that got it. IExplore doesn't pop up ads, and the system is running pretty smoothly now. The AOL Security center updated its files and ran a clean full file scan for virus and spybots.

    Thanks for the help!:)
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

