Sending out an SOS.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Blac_Slayer, Feb 2, 2005.

  1. Blac_Slayer

    Blac_Slayer Private E-2

    Um... I'm not good with introductions, so I'll just skip on to the problems.

    I have several programs that keep re-installing themselves (wugriy.exe, zsxcwiac.exe) and keep running Packager and Calculator. I also have other programs that keep coming back (video.exe, now sdfe.exe, paco.exe, dees.exe, etc., etc.). I have a VX2 infection that can't be removed by Ad-Aware's VX2 cleaner, since it always states the system is clean, and my SpywareBlaster keeps getting edited to allow some sites through, without my doing. Something also causes Warcraft III to freeze up with a ridiculous refresh rate (as in, the screen freezes, the monitor resets, the screen freezes).

    I have followed your basic spyware removal, several times, and it did away with most of the stuff... But I still have some major problems. Just recently, I was able to fix my IM windows to actually message without causing a major crash, but I'm afraid that's already been voided.

    Please, I would really like some help. I'll be waiting with a HJT log if need be.
     
  2. TheOldThug

    TheOldThug First Sergeant

    Welcome

    It sounds like you have done most of the tutorial. Please make sure you have followed it as best you can.

    This site has a lot of good tools for cleaning up your computer. It's very important that the first thing you do is the following:

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal.
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    Try this... you may find it's all you need. If not post your results and I am sure one of the PROS can help you. These guys are quite busy, as you can see by the number of posts, so hang in there. Good Luck!! :)

    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT

    TheOldThug
     
  3. Blac_Slayer

    Blac_Slayer Private E-2

    HJT log attached.

    It seems as though no matter how many times I scan my computer, certain sites are changed to trusted. One other problem is that I can't run CWShredder because it crashes when it finds an actual CWS file.

    Oh yeah, forgot to mention I'm running Windows XP Home, SP2.
     


  4. jarcher

    jarcher I can't handle a title

    what I think

    end process for:
    C:\WINDOWS\System32\w?nspool.exe
    C:\WINDOWS\System32\wugriy.exe
    C:\WINDOWS\System32\zsxcwiac.exe
    remove them manually
    then have HJT fix

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wnfak.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wnfak.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wnfak.dll/sp.html#10001
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wnfak.dll/sp.html#10001
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - Default URLSearchHook is missing
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
    O4 - HKLM\..\Run: [15.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\15.tmp.exe 5 1000
    O4 - HKLM\..\Run: [zsxcwiac] c:\windows\system32\zsxcwiac.exe
    O4 - HKCU\..\Run: [Rsogfkz] C:\WINDOWS\system32\w?nspool.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O15 - Trusted Zone: *.addictivetechnologies.com
    O15 - Trusted Zone: *.addictivetechnologies.net
    O15 - Trusted Zone: *.admin2cash.biz
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.bettersearch.biz
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.crazywinnings.com
    O15 - Trusted Zone: *.f1organizer.com
    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.iframe.biz
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.newiframe.biz
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.pizdato.biz
    O15 - Trusted Zone: *.private-dialer.biz
    O15 - Trusted Zone: *.private-iframe.biz
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.sp2admin.biz
    O15 - Trusted Zone: *.sp2****ed.biz
    O15 - Trusted Zone: *.topconverting.com
    O15 - Trusted Zone: *.vse-moe.biz
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
     
  5. dequan

    dequan Private E-2

    I had that problem with CWShredder also. Make sure you have the updated version and uncheck the option for the file to be sent to your recycle bin, and run it at least twice; that should help.
     
  6. Blac_Slayer

    Blac_Slayer Private E-2

    For zsxcwiac.exe, that cannot be killed, as it always restarts itself the minute it is killed. This program also seems to open calc.exe and packager.exe in the background, as well as iexplore.exe. I tried to remove wugriy.exe, but the process is brought back by zsxcwiac.exe. Also, I can't locate w?nspool.exe in my system32 folder.

    HJTlog posted. It seems as though I can't remove certain ones, as they are re-edited back into the registry right after HJT removes them.
     


  7. dequan

    dequan Private E-2

    You need to have HJT delete these:
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
     
  8. jarcher

    jarcher I can't handle a title

    safe mode remove

    C:\WINDOWS\System32\wugriy.exe
    C:\WINDOWS\System32\zsxcwiac.exe
    c:\windows\system32\packager.exe

    and HJT fix
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll

    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
     
  9. Jigsaw

    Jigsaw Private E-2

    Just had the same problem with CWShredder. The first time I ran it, it aborted. The second time it advised that CWS was not on my laptop. So I tried CWShredder (last Merijn version) instead. Worked a treat. Removed the CWS variant, as it called it. The CWS I had was something called Azesearch (ztoolbar.dll). Nasty little thing: put a search toolbar on all your Windows Explorer windows (something I hadn't seen done before), icons on your desktop that reappear after you've binned them, and adds hundreds of links to your Favourites.

    So thanks Majorgeeks for helping me find the software i needed to destroy this pest.
     
  10. Blac_Slayer

    Blac_Slayer Private E-2

    Well, I'm having a VERY difficult time with wugriy.exe. I was able to remove the other file, but this one is just plain ANNOYING! I've tried renaming it, deleting it both manually and automatically, and killed the process, but it keeps coming back, in safe mode even!

    There are also three sites which cannot be removed from the HJT list, no matter what I do. I've attached a new HJT log for you to look at. I've killed these files in safe mode, and they still come back.

    I truly need help getting rid of this wugriy file specifically. It keeps bringing in things that I don't need, and hides itself when I bring up the normal windows process list (I can only kill the process in HJT). This is probably the root of most of my problems... Now if only I can get rid of it.
     


  11. jarcher

    jarcher I can't handle a title

    open HJT
    click
    None of the above, just start the program > Config > Misc Tools > Delete file on reboot
    find
    C:\WINDOWS\system32\wugriy.exe
    restart later
    go back and have HJT fix


    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

    make sure your System Restore is disabled
    if that doesn't work
    try the Symantec Trojan.Vundo Removal Tool (I don't know if that's what it is)
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's not part of Virtumonde. wugriy.exe is part of a Narrator trojan common to all the threads we have been fixing with VX2 problems. You need some special tools here. Also CrazyWinnings will not go away just by using HJT.

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.

    Now download the below tools and run only what I request:

    Pocket KillBox

    VX2.BetterInternet Finder XP/2k - Version Msg126

    Generic Find It Tool - NT/2000/XP

    Extract all the files from the Generic Tool into its own folder.
    Then run find.bat. Post the log it creates back here as an attachment.

    Also post a new HJT log.
     
  13. Blac_Slayer

    Blac_Slayer Private E-2

    Find it Log Uploaded.

    For some odd reason, I've been attacked with something else. My desktop is now hit with an ad, and I can't close the explorer window that resides on my desktop. Any ideas on removing this?
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I expected, you have a whole load of nasty problems that need to be fixed. As I said before, that is a Narrator trojan and you do have a VX2 infection along with some other problems.

    I need that HijackThis log to continue.
     
  15. Blac_Slayer

    Blac_Slayer Private E-2

    HJT Log Attached.

    I did delete most of those before; Sadly, they just come back.
     


  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also, download this tool to your Desktop:

    L2MeFix Tool

    Now with the L2MeFix Tool on your Desktop, DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until NotePad opens with a log.

    NOTE:Please do not run any other options or files in the l2mfix Folder!

    Please save the l2mfix log and attach it like you did with your previous logs.

    TRY NOT TO REBOOT or POWER DOWN after running L2MeFix. Problems could spread and mutate if you do.
     
  17. Blac_Slayer

    Blac_Slayer Private E-2

    L2Me Log Posted.
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay here is the next step read it carefully and follow steps exactly:

    Please make sure ALL Browser Windows are Closed for this step!

    Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go a little crazy for a bit, but just let it run. It should eventually produce another log in Notepad. Please attach the L2MeFix Log.

    Don't run any other files in the L2MFix folder.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I also see some files related to the HSA hijacker hidden in your logs. Have you seen HSA hijack problems on this PC before, or did you have any lately? They may pop up after fixing some of these current standout VX2 problems. Many times one malware problem masks another one.
     
  20. Blac_Slayer

    Blac_Slayer Private E-2

    L2Me log Posted.

    Actually, I never could find any HSA malware affecting my computer, save 8 files that could not be deleted through HSRemove. Er... Now that I think about it, maybe I should have stated that in the beginning. =/ I did have some until I went off and ran HSRemove a long time ago. They stopped, and I really haven't been paying much attention to it after.

    On another bad note, the L2Me folder has got adware files placed in it, mainly something about dirty teens and an evil dialer program that keeps trying to reach a certain number (Aptly named dddd.exe). I've tried deleting these files before, but they keep coming back.
     

    Attached Files: log.txt
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't run anything else and don't worry about anything else until we finish all these steps. If you perform other actions you could interfere with what we are doing. Only run what I request. Nothing else.

    Extract the files from PocketKillbox into their own folder.

    1. Double-click on KillBox.exe to run it

    2. Click the "Delete on Reboot" option.

    3. Copy and Paste this file into the top "Full Path of File to Delete" box.


    o C:\WINDOWS\system32\epnboz.dll
    4. Click the "Delete File" button which looks like a stop sign.


    5. Click "Yes" at the Replace on Reboot prompt.

    6. Click "No" when asked if you want to REBOOT now.

    7. Repeat steps 2-6 above for these files:

    C:\WINDOWS\System\guard.tmp
    C:\WINDOWS\system32\cuqoyg.dll
    C:\WINDOWS\system32\huawzp.exe
    C:\WINDOWS\system32\pukbaq.dat
    C:\WINDOWS\system32\wugriy.exe
    C:\WINDOWS\isrvs\desktop.exe
    C:\WINDOWS\isrvs\ffisearch.exe


    8. Click the "Delete on Reboot" option.

    9. Paste this file into the top "Full Path of File to Delete" box.
    o C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hgituy.exe
    10. Click the "Delete File" button which looks like a stop sign.


    11. Click "Yes" at the Replace on Reboot prompt.

    12. Click "Yes" when asked if you want to REBOOT now and allow your PC to reboot.

    Note any error messages you get upon reboot. Write down the EXACT message. And post it back here for me to see.

    After it reboots get another find.bat log and post it.

    Also post a new HijackThis log.

    Important:
    Also run Windows Explorer and look in C:\WINDOWS\System32 for the file guard.tmp. Tell me if you see it or not. Even more important DO NOT REBOOT your PC at this point because the problem files could mutate and spread.
     
  22. Blac_Slayer

    Blac_Slayer Private E-2

    HJT and Find Log Posted.

    I received NO errors, which makes me very nervous.

    Good news is that Guard.tmp cannot be found in the System32 folder of Windows.

    Another bad note: It seems as though a very annoying search bar has been installed, placed (un)conveniently behind the taskbar, and it raises up when you move your mouse to the taskbar. It seems to be harmless, at the moment.
     


  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\isrvs\desktop.exe

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
    O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\system32\wnim.dll
    O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\wugriy.exe
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
    O15 - Trusted Zone: *.addictivetechnologies.com
    O15 - Trusted Zone: *.addictivetechnologies.net
    O15 - Trusted Zone: *.admin2cash.biz
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.bettersearch.biz
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.crazywinnings.com
    O15 - Trusted Zone: *.f1organizer.com
    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
    O15 - Trusted Zone: *.iframe.biz
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.newiframe.biz
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.pizdato.biz
    O15 - Trusted Zone: *.private-dialer.biz
    O15 - Trusted Zone: *.private-iframe.biz
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.sp2admin.biz
    O15 - Trusted Zone: *.sp2****ed.biz
    O15 - Trusted Zone: *.topconverting.com
    O15 - Trusted Zone: *.vse-moe.biz
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
    O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\system32\wnim.dll

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\blank.htm
    C:\WINDOWS\system32\wnim.dll
    C:\WINDOWS\system32\wugriy.exe
    C:\WINDOWS\isrvs <--- the whole folder
    C:\WINDOWS\isrvs\mfiltis.dll

    If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

    Double check again and make sure they are all deleted. Tell me if you have any problems deleting or finding any of these. Note: the isrvs folder has been very difficult to get rid of sometimes.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You gave me the wrong log in message number 22. I need the output log from the Generic Tool's find.bat file like you did in message #13. You need to rerun it so I can verify that our fixes are working. Do this after completing the HijackThis fixes from my previous post.
     
  25. Blac_Slayer

    Blac_Slayer Private E-2

    HJT and Find it Log Posted.

    I'm back at square one; Everything is back, and the same things bashed me in the head.
     


  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not really! There are just more things being uncovered which were being masked before. You have a load of nasty stuff on your PC. Let's take a slower approach here and remember do nothing else but what I ask.

    And you must remember that no browsers can be running anytime you use HijackThis. You had these running:
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    They will interfere with the ability to fix problems. You must be sure to follow directions exactly and you must provide proper feedback on steps. In my previous message I said:
    I still see the isrvs stuff in your log. That would appear to me that it was not deleted as requested. I also asked you to double check. Look for it right now. Is the folder present?
     
  27. Blac_Slayer

    Blac_Slayer Private E-2

    Actually, I checked when the computer rebooted; The folder was re-created on reboot.

    As for the Firefox, I apologize. The iexplore is a different problem, though. It seems as though iexplore is opened hidden from me, and will suck up my CPU usage and commit more charge until my computer really slows down very badly.

    And yes, the folder is present.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! This is important info that you must always tell us about. Let's first try to fix the O15 lines showing in HJT. Some of these may be getting put back in after reboot or even almost instantly. We need to see which ones.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O15 - Trusted Zone: *.addictivetechnologies.com
    O15 - Trusted Zone: *.addictivetechnologies.net
    O15 - Trusted Zone: *.admin2cash.biz
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.bettersearch.biz
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.crazywinnings.com
    O15 - Trusted Zone: *.f1organizer.com
    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
    O15 - Trusted Zone: *.iframe.biz
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.newiframe.biz
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.pizdato.biz
    O15 - Trusted Zone: *.private-dialer.biz
    O15 - Trusted Zone: *.private-iframe.biz
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.sp2admin.biz
    O15 - Trusted Zone: *.sp2****ed.biz
    O15 - Trusted Zone: *.topconverting.com
    O15 - Trusted Zone: *.vse-moe.biz
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com

    After clicking Fix, exit HJT.
    Now restart HJT and see if any of those came back already. If so, give me a new HJT log right now. If they did not come back yet, reboot and then check to see if they came back. Post a new log after reboot.
     
  29. Blac_Slayer

    Blac_Slayer Private E-2

    HJT Log Posted.

    Shortly after using HJT, a window popped up stating that I have to click yes to access this content, with a single OK button. I clicked the X, and shortly afterwards the dddd.exe opened up. It's a program to access Wet Horny Teens, and tries to dial a number that I can't seem to find. It gives me a Dialing failed error, with error #680 in parentheses. I'm going to be checking my HJT log real quick to make certain everything just didn't get replaced.

    Also, the iexplore popped back up, and nearly sucked my CPU out again. I had to end the process, and this occurred after the HJT fix.

    EDIT: Having just checked my HJT log, everything that was removed was replaced instantly.
     


  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's not what I see. Some stuff came back but not nearly everything. And some that came back now say file missing.
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Can you see the below file:
    C:\WINDOWS\system32\wnim.dll

    If so, what happens if you right click on it an attempt to delete it.
     
  32. Blac_Slayer

    Blac_Slayer Private E-2

    Actually, they have been. I just did not put up the log. Here is the HJT log after the fix, and everything has been replaced. As for the file, I'm looking into it now.

    ...By the way, I appreciate how much time you're putting into helping me. Truly, thanks.

    EDIT: I just tried to delete the file, but it cannot. The file isn't write-protected, so it must be in use.
     


  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So what was the log in message #29 from?

    Is your system restore disabled?
     
  34. Blac_Slayer

    Blac_Slayer Private E-2

    The HJT log in message #29 was RIGHT AFTER the fix. The most recent HJT log is what happened about 30 (Approx) seconds AFTER the fix.

    System restore is disabled.
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It does not look to me like Spybot S&D is installed. Do you have it installed?

    If so, did you use the Immunize feature? If not, please do so immediately.
    Also you need to enable the SDhelper function (IE bad download blocker) of Spybot S&D.
     
  36. Blac_Slayer

    Blac_Slayer Private E-2

    I have Spybot installed.

    The Immunize function was run before, but some programs seem to disable some of the protection. And something is preventing me from turning on the SDHelper function. I'm not certain what is, but something is. I cannot check the box for it, even though I click.
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.


    Okay, you need to print these instructions or save them locally in a file because in the next step YOU MUST physically disconnect (unplug your cable and leave it unplugged until told to reconnect) and you MUST shut down all browsers.

    Okay physically disconnect and shut down browsers now.

    Here is a list of files that we need to delete using Killbox (read thru to the end for the procedure we will use).

    C:\WINDOWS\SYSTEM32\wineg.exe
    C:\WINDOWS\SYSTEM32\sdkrd32.exe
    C:\WINDOWS\SYSTEM32\atlag32.exe
    C:\WINDOWS\SYSTEM32\appln32.exe
    C:\WINDOWS\SYSTEM32\javagx.exe
    C:\WINDOWS\SYSTEM32\bvcag.txt
    C:\WINDOWS\SYSTEM32\yotdk.dll
    C:\WINDOWS\SYSTEM32\tmkcq.dll
    C:\WINDOWS\SYSTEM32\jt8607lse.dll
    C:\WINDOWS\SYSTEM32\Fucf8R.exe
    C:\WINDOWS\SYSTEM32\Terygsc.exe
    C:\WINDOWS\SYSTEM32\YjpWR9u0.exe
    C:\WINDOWS\SYSTEM32\Bwd0m.exe
    C:\WINDOWS\isrvs\desktop.exe
    C:\WINDOWS\isrvs\ffisearch.exe


    and C:\WINDOWS\system32\wnim.dll


    And here is how you need to do it.

    Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

    Now you are going to repeat the below steps for every file except C:\WINDOWS\system32\wnim.dll (we will add it separately at the end). Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINDOWS\SYSTEM32\wineg.exe

    1) Now, Copy and Paste fullpathfile into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.
    5) Repeat for all files except the last one

    For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

    Now, Copy and Paste C:\WINDOWS\system32\wnim.dll into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot BUT BOOT INTO SAFE MODE.

    While in safe mode, look for all the above files we just tried to delete. If they are still there, try to delete them manually; if not deletable, note all of them first and then feed the undeletable ones into Killbox again while in safe mode. But do not reboot on entering any of them.

    Run Spybot and see if you can Immunize and set the SDhelper option now.

    While still in safe mode, run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
    O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\system32\wnim.dll
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
    O15 - Trusted Zone: *.addictivetechnologies.com
    O15 - Trusted Zone: *.addictivetechnologies.net
    O15 - Trusted Zone: *.admin2cash.biz
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.bettersearch.biz
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.crazywinnings.com
    O15 - Trusted Zone: *.f1organizer.com
    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
    O15 - Trusted Zone: *.iframe.biz
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.newiframe.biz
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.pizdato.biz
    O15 - Trusted Zone: *.private-dialer.biz
    O15 - Trusted Zone: *.private-iframe.biz
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.sp2admin.biz
    O15 - Trusted Zone: *.sp2****ed.biz
    O15 - Trusted Zone: *.topconverting.com
    O15 - Trusted Zone: *.vse-moe.biz
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
    O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\system32\wnim.dll

    After clicking Fix, exit HJT.

    After it reboots get another find.bat log from the Generic tool and post it along with a new HijackThis log.
     
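    A small parser for the HijackThis line format shown above, added here as an example that is not part of this thread or of HijackThis itself. It runs over a few constructed sample lines and flags the entry classes the fix list targets (every O15 Trusted Zone entry, every O18 MIME filter, and any entry referencing the isrvs folder or wnim.dll), so a reader can see which lines a fresh log still needs fixed.

```python
import re

# Constructed sample lines in the HijackThis format seen in the thread
# (one benign ctfmon.exe Run entry is included as a control).
SAMPLE_LOG = """\
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\\WINDOWS\\isrvs\\sysupd.dll
O4 - HKLM\\..\\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O15 - Trusted Zone: *.admin2cash.biz
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\\WINDOWS\\isrvs\\mfiltis.dll
"""

# HJT lines look like "<type> - <detail>", e.g. "O15 - Trusted Zone: *.example.biz"
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<detail>.+)$")

# Markers taken from the fix list in this thread: the isrvs folder and wnim.dll.
SUSPECT_MARKERS = ("\\isrvs\\", "wnim.dll")


def parse_hjt(text):
    """Return a list of (kind, detail) tuples for every recognisable HJT line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("detail")))
    return entries


def flag_entries(entries):
    """Return (kind, detail, reason) for entries this thread's fix list would remove."""
    flagged = []
    for kind, detail in entries:
        reason = None
        if kind == "O15" and detail.startswith("Trusted Zone:"):
            # The thread removes every trusted-zone entry; none were user-added.
            reason = "trusted-zone entry added without the user's doing"
        elif kind == "O18" and detail.startswith("Filter:"):
            # MIME filters rewrite page content before the browser sees it.
            reason = "MIME filter hooking browser content"
        elif any(marker.lower() in detail.lower() for marker in SUSPECT_MARKERS):
            reason = "references the isrvs folder or wnim.dll"
        if reason:
            flagged.append((kind, detail, reason))
    return flagged


def trusted_zone_domains(entries):
    """Domains from O15 entries, for comparison with Internet Options > Security."""
    return [d.split(":", 1)[1].strip() for k, d in entries
            if k == "O15" and d.startswith("Trusted Zone:")]
```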
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Damn!!! I missed two items I want to put into those registry patches. If not too late, see if you can add these into that patch file:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html]
    "{950238FB-C706-4791-8674-4D429F85897E}"=-


    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html]
     
  39. Blac_Slayer

    Blac_Slayer Private E-2

    ERK. ...Um, I'll just redo the entire patch since I missed those two. Expect another message in about 30 minutes.

    The two most recent logs you wanted are posted, though. I'll have two more after I redo this.
     

  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it fixvx2.reg
    Click on the fixvx2.reg file you made and allow it to merge the registry entries into the registry.

    Now look in your C:\WINDOWS\System32 folder for one of the below file names. I'm not sure how it will appear in Windows Explorer since some characters in the filename are actually non-standard.
    But note that there is a valid Windows program named similarly called wnspool.exe.
    The bad one is as you see below 389,120 bytes (or 380k) in size. We need to try to delete that file.


    C:\WINDOWS\SYSTEM32\wnspoo~1.exe Wed Dec 8 2004 9:35:36a ..SHR 389,120 380.00 K
    C:\WINDOWS\System32\w?nspool.exe
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This line came back in your log:

    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz

    See if it is fixable just by having HJT fix it. If not, use the below again:

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We are looking a lot better right now though! Aren't we?

    I gotta run for awhile be back later.


    Question:
    Does your Recycle Bin appear to be working okay?
    When you delete files do they show up there?
    Can you restore files from the Recycle Bin?
    Can you Empty the Recycle Bin?
     
  43. Blac_Slayer

    Blac_Slayer Private E-2

    To answer all those questions about my recycling bin: YES!

    I'm VERY happy that the Recycling bin is working once more! I thought that the bin was affected by a virus that I couldn't fix, and I had left it alone. It has definitely been fixed, thanks to you.

    I only have a few problems now. For one, I got a nasty ad that appears as my desktop, but actually overlays my wallpaper, giving it the appearance that the Ad IS the wallpaper. However, it isn't, and it refuses to budge.

    I still have those ugly dddd.exe files, and haven't deleted them, sheerly because of the fact that I'm scared they will come back and re-infect my computer to a state like before...

    I need permission from you to perform the basic Spybot scans and Ad-aware scans, unless I still have more problems.

    ...As I was typing this, I was just struck by the iexplore.exe process (It's weird... It pops up with a window that states "You must press YES to access this content" with only an "ok" button) and several processes behind it popped up... I fear I'm re-infected already. It makes it even stranger because they seem to come up ONLY when I connect myself to the internet (In fact, I'm typing this paragraph offline).

    Well, I'll just wait for what you want me to do next, then.

    EDIT: I just checked my HJT; My log file is filled with those sites AGAIN!! There is something VERY wrong about how these things can keep coming back...
     

  44. PhilliePhan

    PhilliePhan Guest

    Hey guys,

    Don't want to butt in, but I've been able to remove this by going into the isrvs folder and deleting all files and sub-folders and then deleting the isrvs folder itself. Then, I fix remaining HJT entries in SAFE MODE and use HOSTER to restore the original Hosts File. It's also a good idea to go to Internet Options > Security and manually remove items from the Trusted zone if they remain.

    Well, sorry to butt in . . . . Carry on!

    PP :)
     
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks PP! I have had many threads with these isrvs problems. Some go away easily by doing what you said and some do not. In cases like here, something is reinstalling all of the stuff all over again.

    I would like to know what!
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Blac_Slayer,

    You need to go to this link: How to Protect yourself from malware!

    I want you to start by getting the Sygate Firewall installed immediately and make sure you disable the not very good built-in firewall of Win XP SP2. Don't allow anything in or out that you do not recognize as being good. Be very fussy with what you approve to have Internet access.

    You do not seem to have (from what I can tell) Spybot installed. If you do not, please install it and update it immediately. Either way, run Spybot and click on and use its Immunize feature. Also use the SDhelper feature but do not use the Teatimer function.

    Do you have SpywareBlaster installed?

    You did not answer my question from message # 40. Did you do the stuff in message # 40 too?

    After getting the firewall in place and Spybot as indicated, repeat the steps from below that we did to fix these things, especially the registry merges from messages # 37 & 38.
     
  47. Blac_Slayer

    Blac_Slayer Private E-2

    HJT Log and Find it Log Posted.

    Good news, bad news. First, bad news.

    It seems as though Microsoft Firewall cannot be disabled on my computer; it has a Group Policy which will not allow it to be disabled (both the enabled and disabled options have been greyed out). Upon trying to access the Group Policy tool, Windows says that it does not exist.

    Upon doing #37 and #38, before Killbox could reboot, it gave me this error:
    "PendingFileRenameOperations Registry Data has been Removed by External Process!"
    However, I went and rebooted it into safe mode myself. None of the files were found.

    I did receive some strange requests after installing Sygate and looking at what wanted permission to use the network:
    NDISuser mode I/O Driver (ndisuio.sys) was trying to contact IP address 192.168.100.11
    and NWLINK2 IPX Protocol Driver tried to contact the same IP. The strangest thing about this was that I wasn't even connected to the internet at this time.

    I still have an ugly ad on my desktop that I can't remove.

    Now for actual good news.

    I went off and re-installed Spybot. The SDHelper finally worked, so now it's working once more.

    The unexpected attacks seem to have died down significantly, and it's actually possible to type what I want without worrying about turning off the internet every chance I get.

    I have Spyware Blaster installed; in fact, that's what got me suspicious in the first place since some of its sites that were supposed to be blocked were unblocked by some unknown program. I'm also happy to say that the unblocked sites are not unblocking themselves as much. In fact, I think that problem is almost solved.

    In response to #40, yes, I did find and delete it. It hid itself by pretending to be an actual system file (I ended up removing the check to Hide important Windows system files to find it). It's been deleted, and hasn't shown back up.

    One more thing. Explorer.exe seems to try to send out to one of the adware sites (admin2cash.biz) every now and then, but is blocked by the new firewall. Can something explain this?
     

  48. jarcher

    jarcher I can't handle a title

    Thanks Chas.
     
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I hope you did not delete winspool.exe? That is a Windows file. I'm trying to look at the logs now to see where we stand.
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks good, other than the below, which are back again from message # 41.

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.
     