Browser problems, need help!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by huskrthill, May 20, 2007.

  1. huskrthill

    huskrthill Private E-2

    Hey guys, I could use a little help. I think I have some spyware/adware/malware problems. I keep getting random pop-ups through Internet Explorer, though I very rarely use that browser.

    I ran Ad-Aware, Spybot, AVG Anti-Spyware, CCleaner, Panda, etc. I've been reading through everything that I am supposed to do before posting a Hijack This log, and I hope I've done it all correctly. If not, I apologize - let me know what I'm missing. I've attached what I have right now - the HijackThis log is on the way in the next post... Thank you all so much in advance for your help.

    Andy
     


  2. huskrthill

    huskrthill Private E-2

    Here is the Hijack This log. Please let me know what other info you need to help me out.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Yes you missed the requested logs from AVG Antispyware and ShowNew. Don't attach them yet. Wait until the end where I request them.

    Please attach the AVG AntiSpyware log now, but wait until doing the below before attaching a log from ShowNew.

    Please run this Virtumonde aka Trojan Vundo Removal but do not attach the VundoFix log right away. Run the procedure multiple times until it comes up not finding anything. Then attach the below logs:
    • the log from AVG AntiSpyware you forgot to attach
    • the final log from VundoFix
    • a NEW GetRunKey log
    • a NEW ShowNew log
    • a NEW HJT log
     
  4. huskrthill

    huskrthill Private E-2

    Here are the logs for AVG and VundoFix. The rest will be on the next post
     


  5. huskrthill

    huskrthill Private E-2

    Here are the GetRunKey, ShowNew, and HJT logs.

    Thank you again very much for your help!!

    -Andy
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 1
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 8
    J2SE Runtime Environment 5.0 Update 9
    Kazaa Lite K++ v2.4.3 <-- should have been uninstalled in step 0 of the READ ME

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {1AE65072-5D99-4A3C-AD6F-75034E44C013} - C:\WINDOWS\system32\efccyxu.dll (file missing)
    O2 - BHO: (no name) - {AB050E9D-BBBA-4936-894A-54FC1B19A1CB} - C:\WINDOWS\system32\mljjg.dll (file missing)
    O20 - Winlogon Notify: efccyxu - efccyxu.dll (file missing)
    O20 - Winlogon Notify: winmmz32 - winmmz32.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Common Files\Totem Shared\Update\WindowsEx.dll.041
    C:\Program Files\Mozilla Firefox\plugins\npclntax.dll
    C:\WINDOWS\system32\efccyxu.dll
    C:\WINDOWS\system32\winmmz32.dll
    C:\WINDOWS\system32\bmuorrip.ini

    Now run Ccleaner

    Now reboot in normal mode
    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now attach the below new logs and tell me how the above steps went.

    1. ComboFix
    2. GetRunKey
    3. ShowNew
    4. HJT
    Make sure you tell me how things are working now!


    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
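The HijackThis "Fix" step in the post above removes registry entries, not files: an O2 line is a Browser Helper Object registered under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CLSID}, an O20 line is a Winlogon Notify package registered under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<name>, and "(file missing)" means the DLL the entry points at is no longer on disk (typically because an earlier scanner deleted it and left the load point behind). The following added example, written for this page and not part of the original thread or of HijackThis, parses the four lines quoted above into the registry key each one corresponds to and flags the orphaned entries. The line layout it expects is the standard HJT 1.99-era format shown in the post; the registry paths are the documented load-point locations for those two entry types.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the four HijackThis lines quoted in the post above.
SAMPLE_HJT_LINES = [
    "O2 - BHO: (no name) - {1AE65072-5D99-4A3C-AD6F-75034E44C013} - C:\\WINDOWS\\system32\\efccyxu.dll (file missing)",
    "O2 - BHO: (no name) - {AB050E9D-BBBA-4936-894A-54FC1B19A1CB} - C:\\WINDOWS\\system32\\mljjg.dll (file missing)",
    "O20 - Winlogon Notify: efccyxu - efccyxu.dll (file missing)",
    "O20 - Winlogon Notify: winmmz32 - winmmz32.dll (file missing)",
]

# Load-point locations that the two HJT entry types are read from.
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# O2 - BHO: <name> - {CLSID} - <dll path> [(file missing)]
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# O20 - Winlogon Notify: <subkey> - <dll name> [(file missing)]
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<subkey>\S+) - (?P<dll>\S+)(?P<missing> \(file missing\))?$"
)


@dataclass
class HjtEntry:
    kind: str           # "O2" or "O20"
    registry_key: str   # key that HJT's Fix would delete
    dll: str            # DLL the load point references
    file_missing: bool  # True when HJT reported "(file missing)"


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Turn one O2/O20 HijackThis line into its registry load point.

    Returns None for line types this example does not handle.
    """
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        return HjtEntry(
            kind="O2",
            registry_key=BHO_KEY + "\\" + m.group("clsid"),
            dll=m.group("path"),
            file_missing=m.group("missing") is not None,
        )
    m = O20_RE.match(line)
    if m:
        # Winlogon Notify packages live in a subkey named after the package;
        # its DLLName value is what winlogon.exe loads at logon.
        return HjtEntry(
            kind="O20",
            registry_key=NOTIFY_KEY + "\\" + m.group("subkey"),
            dll=m.group("dll"),
            file_missing=m.group("missing") is not None,
        )
    return None


def orphaned_load_points(lines: List[str]) -> List[HjtEntry]:
    """Entries whose DLL is gone but whose registry load point still exists."""
    parsed = (parse_hjt_line(l) for l in lines)
    return [e for e in parsed if e is not None and e.file_missing]


if __name__ == "__main__":
    for entry in orphaned_load_points(SAMPLE_HJT_LINES):
        print(f"{entry.kind}: delete {entry.registry_key}  (references {entry.dll})")
```

The point of separating "registry key" from "DLL" is the order of operations the post insists on: close every browser first (so the BHO is not loaded into a running iexplore.exe), fix the load points, then delete the files in safe mode, where nothing has them mapped. A Winlogon Notify DLL in particular is loaded by winlogon.exe and cannot be deleted from a normal session while it is still registered.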
  7. huskrthill

    huskrthill Private E-2

    Ok, I went through step by step... there were a couple of things that you asked me to delete that I was unable to find:

    C:\Program Files\Mozilla Firefox\plugins\npclntax.dll
    C:\WINDOWS\system32\efccyxu.dll
    C:\WINDOWS\system32\winmmz32.dll


    I did everything else, though. Here are the new logs. The Hijack This log will be in the next post.

    So far, things seem to be running pretty well. You are very good at what you do!

    Thanks,
    Andy
     


  8. huskrthill

    huskrthill Private E-2

    Here is the Hijack This log. As I mentioned, things are looking pretty good so far. I'm hoping that you've solved my problem. How does it look?

    Thanks,
    Andy
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your main problems are fixed. However, it looks like ComboFix may not have removed folders from a PurityScan infection I was hoping it would remove. Please download the latest version of ShowNew which was just updated. Use it to get a new log and attach the log. Then I will give you manual removal steps based on what I see in the log.
     
  10. huskrthill

    huskrthill Private E-2

    Here is the ShowNew log.

    Thanks!
    Andy
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please delete the below folders.

    Note that the questionmarks represent unprintable characters that were found during the scans, but they may appear to you as normal characters when you locate them using Windows Explorer. I will add comments in RED next to each item. BE VERY CAREFUL and note the date of the folders which will help you to locate them. You must take care to only delete the folder names matching this date. If you are unsure then do not delete. There are valid folder names like these that will appear in Windows Explorer. The malware is corrupting the bad folder names so that they look to be valid names in Windows Explorer, but as you can see from the listing below, the names have illegal characters in them (the ? and the à ):
    Code:
    "C:\Program Files\Common Files\"
    àDOBE         May  7 2007              "àdobe"  <-- may look like adobe or Adobe
     
    "C:\WINDOWS\"
    SSTEM~1       May  7 2007              "s?stem"   <-- may look like system
    SSTEM3~1      May  7 2007              "s?stem32"   <-- may look like system32
    
    After deleting these, attach a new log from ShowNew.

    How is everything working?
     
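The trick described in the post above is a look-alike directory name: the malware creates folders whose names contain a non-ASCII or unprintable character, so that in Explorer they read as "Adobe" or "system32" and sit next to (or get mistaken for) the real thing, while the 8.3 short name (SSTEM~1) and the raw listing give them away. The following added example, written for this page and not part of the original thread or of ShowNew, shows one way to find such names automatically: fold each entry to an ASCII skeleton and report any entry that needed folding but collapses onto a protected name. The listing, the protected-name list and the specific stand-in characters (à, ý and a control byte, standing in for the "?" the scanner printed) are constructed for the example.

```python
import unicodedata
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample listing modelled on the ShowNew output quoted above.
# U+00E0 (à), U+00FD (ý) and U+0001 stand in for the unprintable characters
# the scanner rendered as "?".
SAMPLE_LISTING: Dict[str, List[str]] = {
    r"C:\Program Files\Common Files": ["Adobe", "\u00e0dobe", "System", "microsoft shared"],
    r"C:\WINDOWS": ["system", "system32", "s\u00fdstem", "s\u00fdstem32", "sys\u0001tem32", "Temp"],
}

# Names worth protecting because a look-alike next to them will be trusted
# (assumed list for this example; extend for the environment being checked).
PROTECTED_NAMES = {"adobe", "system", "system32", "microsoft shared", "temp"}


def skeleton(name: str) -> str:
    """Fold a name to what a user would visually read it as.

    NFKD splits accented letters into base letter + combining mark; dropping
    everything that is not printable ASCII then leaves the base letters.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(ch for ch in decomposed if ch.isascii() and ch.isprintable())
    return ascii_only.lower()


def needs_folding(name: str) -> bool:
    """True when the raw name contains something other than printable ASCII."""
    return not (name.isascii() and name.isprintable())


@dataclass
class Finding:
    directory: str
    name: str        # the raw entry as it appears on disk
    looks_like: str  # the legitimate name it imitates
    codepoints: str  # the offending characters, for the report


def find_lookalikes(listing: Dict[str, List[str]], protected=PROTECTED_NAMES) -> List[Finding]:
    findings = []
    for directory, entries in listing.items():
        for name in entries:
            if not needs_folding(name):
                continue  # plain ASCII names are not look-alikes by this rule
            folded = skeleton(name)
            if folded in protected:
                bad = [c for c in name if not (c.isascii() and c.isprintable())]
                findings.append(Finding(
                    directory=directory,
                    name=name,
                    looks_like=folded,
                    codepoints=" ".join(f"U+{ord(c):04X}" for c in bad),
                ))
    return findings


if __name__ == "__main__":
    for f in find_lookalikes(SAMPLE_LISTING):
        print(f"{f.directory}\\{f.name!r} imitates '{f.looks_like}' ({f.codepoints})")
```

Two caveats match the warning in the post. First, the rule only fires on names that contain non-ASCII or control characters, so a same-looking folder written in plain ASCII (e.g. "systern32") is not caught; that needs a different check. Second, the output identifies the folder but deletion is still a manual decision: confirm the creation date and the short name before removing anything, because a legitimately localised name (an accented vendor folder, say) will also trip this rule.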
  12. huskrthill

    huskrthill Private E-2

    I deleted those folders. Here is the new log.

    Everything seems to be running fine now. I haven't had a random pop-up in quite a while. I'll say it again - you're definitely good at what you do. Is this a full time paying job for you? Or do you just do this out of the goodness of your heart?

    Thanks!
    Andy
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks! ;)
    No and yes! :)

    You're welcome Andy!

    Now on to the final steps!

    Your log is clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  14. huskrthill

    huskrthill Private E-2

    Thanks again, Chaslang. Everything is all better now!
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
