Newbie...help.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tanuki, Jul 2, 2006.

  1. tanuki

    tanuki Private E-2

    Hi everyone, I'm new to the site.

    I worked through the READ & RUN ME FIRST post, and I've attached the logs from HijackThis, Bitdefender and Panda ActiveScan. Unfortunately, I get an error message when I try to run Microsoft Windows Defender (I've tried to run it in both Safe mode and Normal), and Bitdefender still found active viruses. I'm going to try CounterSpy to make up for it...

    I've also run through the SurfSidekick removal protocol, since I know for a fact that was running, and it seemed to have worked. I haven't disabled System Restore yet, because I think I still have malware on my machine.

    I'm about to start with the Alternative Scans. Is there anything that I did wrong (the fact that Microsoft Windows Defender won't run has me particularly worried), or is there anything else I can do at this point?

    Thanks very much...
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    C:\Program Files\ipwins\ipwins.exe
    C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: Yvakt Class - {AE0ECC2F-0C33-494C-8B22-B57A7763027F} - C:\WINDOWS\system32\x3cqp0.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
    O4 - HKLM\..\Run: [wlm7c229] RUNDLL32.EXE w0019594.dll,n 0017c228000000030019594
    O4 - HKLM\..\Run: [defender] C:\\dfndrb_3.exe
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdb_3.exe
    O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\ipwins <--- the whole folder
    C:\dfndrb_3.exe
    C:\kybrdb_3.exe
    c:\MTE3NDI6ODoxNg.exe
    c:\windows\keyboard1.dat
    c:\windows\NDNuninstall7_22.exe
    c:\windows\system32\w0019594.dll
    c:\windows\system32\p2pnetworking.exe
    C:\WINDOWS\system32\x3cqp0.dll
    C:\Documents and Settings\Owner\setup.exe
    C:\Documents and Settings\Tracy\Local Settings\Temporary Internet Files\Content.IE5\CJ1N2UBT\i[1].exe
    C:\Documents and Settings\Tracy\setup.exe

    If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if it is running, then delete the file.

    Now if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
  3. tanuki

    tanuki Private E-2

    Followed your instructions, here are the results:

    Booted up in normal mode.

    Found BackWeb-1940576.exe running and stopped it. Did not find ipwins.

    Ran HijackThis. Found all lines except the following:

    O2 - BHO: Yvakt Class - {AE0ECC2F-0C33-494C-8B22-B57A7763027F} - C:\WINDOWS\system32\x3cqp0.dll
    O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe

    Fixed the others after shutting down all other windows. Rebooted in Safe Mode.

    While shutting down, I got a message that explorer.exe was not responding. I forced it to shut down.

    In SAFE MODE:

    Ran Windows Explorer. Could not find ANY of the files. Double checked to make sure I had all hidden and network critical files visible.

    Deleted everything in the c:\windows\Prefetch folder. There were 100 files.

    Rebooted to Normal, and attached the HJT logfile below.

    Seems to be running fine for the moment (though still very slow). But I'm still leery after the number of viruses Bitdefender found.

    Thanks again for your help chaslang.
     

    Attached Files:
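
The exchange above (the fix list in post #2 and the "found all lines except the following" report in post #3) is exactly the comparison a helper does by hand when a new HijackThis log comes back. As an added example, not part of this thread and not code from the HijackThis tool, here is a small parser for HJT O2 (BHO) and O4 (autostart) lines that (a) flags orphaned BHOs whose registry entry points at `(no file)`, and (b) checks which lines from a fix list still appear in a fresh log. The FIX_LIST is the set of lines chaslang posted; BEFORE_LOG and AFTER_LOG are constructed excerpts (the real logs are attachments that are not on the page), with the `ctfmon.exe` and `smss.exe` lines standing in for ordinary benign entries.

```python
"""Parse HijackThis O2/O4 lines and check a remediation list against a new log.

Added example for this thread; HijackThis itself does no such comparison.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# O2 - BHO: <name> - {CLSID} - <dll path or "(no file)">
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# O4 - <HKLM\..\Run | HKLM\..\RunServices | Startup | Global Startup>: [<value>] <command>
O4_RE = re.compile(r"^O4 - (?P<location>[^:]+): (?:\[(?P<value>[^\]]*)\] )?(?P<command>.*)$")

# The lines chaslang told tanuki to fix in post #2 (copied from the thread).
FIX_LIST = r"""
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Yvakt Class - {AE0ECC2F-0C33-494C-8B22-B57A7763027F} - C:\WINDOWS\system32\x3cqp0.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [wlm7c229] RUNDLL32.EXE w0019594.dll,n 0017c228000000030019594
O4 - HKLM\..\Run: [defender] C:\\dfndrb_3.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdb_3.exe
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
"""

# Constructed log excerpt matching post #3: every fix-list line is present except
# the Yvakt BHO and the IpWins Run entry. Header and benign lines are constructed.
BEFORE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [wlm7c229] RUNDLL32.EXE w0019594.dll,n 0017c228000000030019594
O4 - HKLM\..\Run: [defender] C:\\dfndrb_3.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdb_3.exe
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
"""

# Constructed clean log: only the benign entry remains after the fix.
AFTER_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


@dataclass(frozen=True)
class Entry:
    section: str   # "O2" or "O4"
    location: str  # "BHO" for O2; registry key or startup folder for O4
    ident: str     # CLSID for O2; value name or startup item name for O4
    target: str    # DLL/EXE path or command line; "(no file)" for orphaned BHOs
    raw: str

    def key(self) -> Tuple[str, str, str]:
        # CLSIDs and Windows paths are case-insensitive; normalise before comparing
        # so "{FDD3B846-...-4ffb-...}" and "{fdd3b846-...}" are the same entry.
        return (self.section, self.location.lower(), self.ident.lower())


def parse_line(line: str) -> Optional[Entry]:
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        return Entry("O2", "BHO", m["clsid"], m["path"].strip(), line)
    m = O4_RE.match(line)
    if m:
        if m["value"] is not None:
            return Entry("O4", m["location"], m["value"], m["command"].strip(), line)
        # Startup-folder items: "Name.lnk = target" or just a filename
        ident, _, target = m["command"].partition(" = ")
        return Entry("O4", m["location"], ident.strip(), (target or ident).strip(), line)
    return None  # other sections (R0, O16, O23, process list, ...) are ignored here


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def orphaned_bhos(entries: List[Entry]) -> List[Entry]:
    """BHO registrations whose DLL is gone: harmless leftovers, but still worth fixing."""
    return [e for e in entries if e.section == "O2" and e.target.lower() == "(no file)"]


def compare(fix_list: str, log: str) -> Tuple[List[str], List[str]]:
    """Return (fix-list lines still present in log, fix-list lines no longer found)."""
    present_keys = {e.key() for e in parse_log(log)}
    still_present, gone = [], []
    for e in parse_log(fix_list):
        (still_present if e.key() in present_keys else gone).append(e.raw)
    return still_present, gone


if __name__ == "__main__":
    present, gone = compare(FIX_LIST, BEFORE_LOG)
    print("Still present:", *present, sep="\n  ")
    print("Not found:", *gone, sep="\n  ")
    print("Orphaned BHOs:", [e.ident for e in orphaned_bhos(parse_log(BEFORE_LOG))])
```

Matching on the normalised key (section, location, value name or CLSID) rather than on the whole line is deliberate: the same autostart value can come back pointing at a renamed file, and a line-for-line diff would miss it.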

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It will get a little faster over a few days as your Prefetch folder gets back to normal.

    However you have some other potential causes for the slow down now. Too much running.

    Is Spy Sweeper a paid version or free trial? If free, uninstall it now.
    Is CounterSpy a paid version or free trial? If free, uninstall it now.
    Is Ewido a paid version or free trial? If free, uninstall it now.
    Is SpamSubtract a paid version or free trial? If free, uninstall it now unless a free SpamSubtract actually does something useful.
     
  5. tanuki

    tanuki Private E-2

    Everything seems to be working well now. I've installed ZoneAlarm, but uninstalled the programs you suggested above. Also, I've disabled and re-enabled system restore as per the tutorial.

    As many people as there are out there devising ways to mess with you, it's always rewarding when someone takes time out of their day to help a stranger.

    Thanks again.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

