Need help with malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by palehades, Apr 25, 2007.

  1. palehades

    palehades Private E-2

    Hi, I've been getting a lot of annoying popups (winantivirus etc.) when online and very slow performance all round. I have completed the READ & RUN ME and have attached the logs.
     
  2. palehades

    palehades Private E-2

    Logs...
     

    Attached Files:

  3. palehades

    palehades Private E-2

    Also...
     
  4. palehades

    palehades Private E-2

    Sorry, I'm having problems uploading files, I'll try again... I cannot upload the runkeys or report scan files; I keep getting upload error messages.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Is that the exact message? Try again!

    What browser are you using? IE or FireFox? Whichever you are using, try the other?

    Also note, you have Mozilla Firefox (1.5.0.9) which is way out of date. You should install and use this: Mozilla Firefox


    What I'm looking for you to attach are the below three logs:
    - AVG Antispyware log
    - GetRunKey log (c:\runkeys.txt)
    - HijackThis log
     
  6. palehades

    palehades Private E-2

    I don't know what has changed but the logs uploaded fine this time. Do I need Mozilla right away or can it wait? Going online is a nightmare at the moment!
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can wait until we remove your malware but you really must make sure you do update!


    Did you configure the below policies yourself?
    Code:
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer]
    "NoStrCmpLogical"=dword:00000001
    "CDRAutoRun"=dword:00000001
    "NoSharedDocuments"=dword:00000001
    "NoThemesTab"=dword:00000001
    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
    "NoHelpItemTipOfTheDay"=dword:00000001
    "NoHelpItemNetscapeHelp"=dword:00000001
    "NoHelpItemTutorial"=dword:00000001
    "NoHelpItemSendFeedback"=dword:00000001
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "StartMenuFavorites"=dword:00000001
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "NoInternetOpenWith"=dword:00000001
    "RunStartupScriptSync"=dword:00000001
    "SynchronousMachineGroupPolicy"=dword:00000001
    "SynchronousUserGroupPolicy"=dword:00000001

    Let's start your fixes by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\Documents and Settings\Jean\Local Settings\Temp\11exa50p.7.exe
    C:\Documents and Settings\Jean\Local Settings\Temp\38exa50p.7.exe
    C:\WINDOWS\pack.epk
    C:\WINDOWS\system32\rghiuh.exe
    C:\WINDOWS\system32\rghiuh.dat
    C:\WINDOWS\system32\rghiuh_nav.dat
    C:\WINDOWS\system32\rghiuh_navps.dat
    C:\WINDOWS\system\smss.exe

    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

    If Killbox does not reboot just reboot your PC yourself.

    Now please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
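    Background on the "Delete on Reboot" step and the PendingFileRenameOperations prompt mentioned in the post above, as an added example that is not part of the thread and not Pocket Killbox's own code. Delete-on-reboot tools call MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which appends to the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations; the session manager replays that list early in the next boot, before the files are in use. The code below decodes such a value so you can see exactly what is queued. The sample value is constructed here (two deletions using paths from the Killbox list above plus a hypothetical replace-on-reboot entry); the function names are this example's own.

```python
"""Decode a PendingFileRenameOperations value into the file operations it
schedules for the next boot.  Added example; not Pocket Killbox code."""
from dataclasses import dataclass
from typing import List, Optional

NT_PREFIX = "\\??\\"   # object-namespace prefix MoveFileEx stores in front of Win32 paths


@dataclass
class PendingOp:
    action: str                  # "delete", "move" or "replace"
    source: str
    destination: Optional[str]   # None for a delete


def encode_multi_sz(strings: List[str]) -> bytes:
    """REG_MULTI_SZ wire format: UTF-16LE, each string NUL-terminated, then one extra NUL."""
    body = "".join(s + "\x00" for s in strings) + "\x00"
    return body.encode("utf-16-le")


def decode_multi_sz(raw: bytes) -> List[str]:
    """Inverse of encode_multi_sz; keeps empty strings, which here mean 'delete'."""
    text = raw.decode("utf-16-le")
    if text.endswith("\x00"):          # drop the list terminator
        text = text[:-1]
    parts = text.split("\x00")
    if parts and parts[-1] == "":      # drop the terminator of the final string
        parts.pop()
    return parts


def _strip_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_ops(strings: List[str]) -> List[PendingOp]:
    """Entries come in (source, destination) pairs.  An empty destination means
    delete; a destination starting with '!' means MOVEFILE_REPLACE_EXISTING."""
    if len(strings) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if dst == "":
            ops.append(PendingOp("delete", _strip_prefix(src), None))
        elif dst.startswith("!"):
            ops.append(PendingOp("replace", _strip_prefix(src), _strip_prefix(dst[1:])))
        else:
            ops.append(PendingOp("move", _strip_prefix(src), _strip_prefix(dst)))
    return ops


def pending_deletes(raw: bytes) -> List[str]:
    """Paths that will be deleted at next boot: the first thing to check when a
    tool reports an unexpected PendingFileRenameOperations prompt."""
    return [op.source for op in parse_pending_ops(decode_multi_sz(raw)) if op.action == "delete"]


# Constructed sample value (not read from a real machine): two deletions using
# paths from this thread, plus a hypothetical replace-on-reboot entry.
SAMPLE_VALUE = encode_multi_sz([
    r"\??\C:\WINDOWS\system\smss.exe", "",
    r"\??\C:\WINDOWS\system32\rghiuh.exe", "",
    r"\??\C:\WINDOWS\Temp\setup.tmp", r"!\??\C:\WINDOWS\system32\example.dll",
])

if __name__ == "__main__":
    for op in parse_pending_ops(decode_multi_sz(SAMPLE_VALUE)):
        print(op.action, op.source, "->", op.destination)
```

    On a live Windows machine the raw bytes would come from the winreg module (QueryValueEx returns the decoded list directly, so only parse_pending_ops is needed there); the encode/decode pair is included so the format can be inspected offline. An entry you did not queue yourself, especially a replace targeting a system32 DLL, is worth reporting before rebooting, which is the point of the "let me know" in the instructions above.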
  8. palehades

    palehades Private E-2

    I did not configure those policies, but this is a reconditioned second-hand computer (1 yr old) so they might have been done by the previous owner.
    Here are the logfiles thanks for your help
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then I'm going to give you steps to remove all of them.

    Also, did you install these:
    C:\Program Files\Kontiki\KService.exe
    C:\Program Files\Kontiki\KHost.exe

    Or was it already on the PC? It can be a massive waste of bandwidth and I highly recommend that it be removed. Let me know what you want to do with this. It appears in Add/Remove Programs as 4oD. Uninstall it if you did not install this yourself.

    Did you get Pocket Killbox to work properly? It does not look like it and you did not say you had any problems.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [rghiuh] c:\windows\system32\rghiuh.exe rghiuh
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete the below files (if found):
    C:\WINDOWS\system32\rghiuh.exe
    C:\WINDOWS\system32\rghiuh.dat
    C:\WINDOWS\system32\rghiuh_nav.dat
    C:\WINDOWS\system32\rghiuh_navps.dat

    Now run Ccleaner

    Now reboot in normal mode
    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
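    The O4 lines chaslang selected in the posts above (the smss.exe entry in post #7 and the rghiuh entry in post #10) are a good illustration of what to look for in a HijackThis autorun list, so here is an added example, not HijackThis code and not something the posters ran, that parses O4 lines and flags the classic giveaway: a Run key pointing at a file named like a Windows core process (smss.exe, csrss.exe, winlogon.exe, ...), which the real system never starts that way, or an autostart living in the legacy C:\WINDOWS\system directory. The sample lines are copied from the thread; the heuristics and function names are this example's own, and it assumes SystemRoot is C:\WINDOWS as in these logs.

```python
"""Audit HijackThis 'O4' (autorun) lines for core-process masquerades and
odd autostart locations.  Added example; not HijackThis code."""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: O4 lines as quoted in posts #7 and #10 above.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w',
    r'O4 - HKLM\..\Run: [rghiuh] c:\windows\system32\rghiuh.exe rghiuh',
]

# Core processes are started by the kernel or the session manager, never by a
# Run key, so any Run entry pointing at one of these names is a masquerade.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}

# Assumption: SystemRoot is C:\WINDOWS, as in the logs in this thread.
SYSTEM32 = r"c:\windows\system32"
LEGACY_SYSTEM = r"c:\windows\system"   # 16-bit leftovers; nothing modern autostarts from here

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.+)$")


def image_path(command: str) -> str:
    """Executable path from a Run-key command line: a quoted path runs to the
    closing quote, an unquoted one ends at the first space (as Windows resolves it)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(None, 1)[0]


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Return hive, entry name, command and resolved image path, or None for non-O4 lines."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = image_path(entry["command"])
    return entry


def suspicion_reasons(entry: Dict[str, str]) -> List[str]:
    path = entry["path"].lower()
    name = ntpath.basename(path)
    directory = ntpath.dirname(path)
    reasons = []
    if name in CORE_PROCESSES:
        reasons.append(f"{name} is a core process; the real one is started by the kernel, not a Run key")
        if directory != SYSTEM32:
            reasons.append(f"runs from {directory} instead of {SYSTEM32}")
    if directory == LEGACY_SYSTEM:
        reasons.append(f"autostarts from the legacy 16-bit directory {LEGACY_SYSTEM}")
    return reasons


def audit(lines: List[str]) -> List[Tuple[Dict[str, str], List[str]]]:
    """(entry, reasons) for every O4 line that trips at least one heuristic."""
    flagged = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = suspicion_reasons(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in audit(SAMPLE_O4_LINES):
        print(f"[{entry['name']}] {entry['path']}")
        for r in reasons:
            print("   -", r)
```

    Note what this does not catch: rghiuh.exe sits in the real system32 directory under an unremarkable name, so no naming heuristic flags it. That is why the thread cross-checks the Run keys against the GetRunKey, ShowNew and AVG logs rather than trusting any single rule, and why the removal list above includes the .dat companions found beside it.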
  11. palehades

    palehades Private E-2

    I did install 4oD myself but I will remove it anyway as I rarely use it. Everything seemed OK when running Pocket Killbox; will I need to run it again? Pop-ups have stopped online but internet connection speed is very slow. Apart from that, all-round performance is a lot better.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstalling 4oD may help!


    Your logs are clean! If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  13. palehades

    palehades Private E-2

    I completed the System Restore toggling and then removed 4oD. Everything was working fine last night, but when I started up the computer today I had no available wireless networks for internet access, and I do not have a cable connection. Also, when I used Winamp for music the songs stuttered all the way through.


    The computer that was originally cleaned up has become quite erratic; it has this stutter in all audio and video files and games, as well as a stutter in the Windows start-up music. It is also taking a long time for the icons to appear after reboot. I have tried resetting the router but there are still no available networks. Appreciate your help.
     
    Last edited by a moderator: Apr 28, 2007
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I moved your other posts for the second PC into a new thread. Trying to work multiple PCs in one thread leads to pure chaos.

    If this first PC has problems with a wireless connection, I doubt it is malware. Also I saw no drivers loading for a wireless connection in your previous logs. What kind of wireless card is it and do you see any wireless card software/drivers installed because I don't see any!
     
  15. palehades

    palehades Private E-2

    It's an 802.11g wireless LAN PCI card. It's installed at C:\WINDOWS\system32\DRIVERS\rtl8185.sys
    Driver date: 20/10/2005
    Driver version: 5.103.1020.2005
     
    Last edited: Apr 28, 2007
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that's the driver. Is there any software that came along with this?

    Is the hardware showing in Device Manager?
    Is the driver showing as being installed correctly?
    Is the wireless interface actually enabled/turned on?
     
  17. palehades

    palehades Private E-2

    There was no software I think the driver was downloaded.
    Yes to all
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    How do you setup the wireless parameters (channel, encryption....etc) on the PC?

    Perhaps your wireless card is the problem. Remember that just prior to saying it does not work at all, you did say things were really slow. At that point in time your malware was already gone, so I would expect that the problem is not malware. It is more likely due to a hardware or software problem. You said you reset the router, but did you make sure that the router still has the wireless part enabled, and are the router and the PC set up to use the same channel and encryption keys?
     
