Tried to run the READ & RUN ME FIRST. Malware Removal Guide/ can't even do 1st step.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by 1911freak, Oct 8, 2007.

  1. 1911freak

    1911freak Private E-2

    Hello I am new to the forum.
    My daughter downloaded what she claimed was an ActiveX add-on that ended up putting about 8 different virus/spyware/malware on my computer including cycberlog-x, worm_nucrp??, icthis.exe etc.:(
    Following some of the recommendations on this site and utilizing some of the online scans I was able to find and kill all of them :D but I have one lingering problem. One of those programs seems to have shut down all my access to the control panel, internet options and the security center. The link to the control panel is completely gone from my start/settings table. I had placed shortcuts to the control panel, security center and internet options on my desktop, but now when I click them I get the following error: "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator".
    It's like the malware has set up some kind of network and locked me out.
    I went to the MSN help site and it told me to login as the administrator and click Start, Run, and then enter gpsedit.msc. When I did that I get a "file not found" error.:cry
    I know I can load programs because I was able to load Hijackthis, Spyware Doctor and a couple others but I can't uninstall anything.
    Does anyone have any idea how to fix this?
    Thanks in advance,
    Marc
     
  2. 1911freak

    1911freak Private E-2

    Re: Tried to run the READ & RUN ME FIRST. Malware Removal Guide/ can't even do 1st st

    OK I was actually able to find a way to do everything but the "Add or Remove" programs.
    Still have the same issue.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Tried to run the READ & RUN ME FIRST. Malware Removal Guide/ can't even do 1st st

    Welcome to Major Geeks!

    If you have followed the instructions in the READ & RUN ME, you need to attach ALL 6 requested logs.

    • CounterSpy - only for Windows XP, 2K, & NT users
    • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • HijackThis
     
  4. 1911freak

    1911freak Private E-2

    Re: Tried to run the READ & RUN ME FIRST. Malware Removal Guide/ can't even do 1st st

    Here you go.
     

    Attached Files:

  5. 1911freak

    1911freak Private E-2

    Re: Tried to run the READ & RUN ME FIRST. Malware Removal Guide/ can't even do 1st st

    Every time I run Pandascan I only get a summary screen. There is no "see report" button anywhere.
    Here are the rest.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Tried to run the READ & RUN ME FIRST. Malware Removal Guide/ can't even do 1st st

    Why are you running your PC with no antivirus and without a true bidirectional firewall?

    Is your copy of Spyware Doctor a paid version or a trial version?

    Do you use MusicMatch Jukebox?

    You must follow the directions for installing and renaming HijackThis as requested in step 7 of the READ ME. You have it here:

    C:\Documents and Settings\main\Desktop\ANTI-SPY\files\HJT\HijackThis.exe

    That is exactly where we specify not to install it, and it is not renamed to analyse.exe as required. Correct this now.

    Also note that per the READ ME, you must not run ShowNew while GetRunKey is still running. Close the log from GetRunKey before running ShowNew.

    Why didn't you run CCleaner as requested?

    Also, why didn't you install the version of Spybot requested in the READ ME? You are using version 1.3, which has not been used in over 3 years. Uninstall it and, per the READ ME instructions, install the current version.

    Uninstall the CounterSpy trial since we are now finished with it.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2_11

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Did you configure the below ProxyOverride settings yourself?
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*.worldwinner.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;;<local>

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - {D7D6C7D2-054D-F9CB-1388-252B431C9DD2} - 321102.dll (file missing)
    O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - blank (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
    O9 - Extra button: Corel Network monitor worker - {B00D6FE2-A75C-41D8-AA4F-177791347D91} - C:\WINDOWS\System32\intlmain.dll (file missing)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {B00D6FE2-A75C-41D8-AA4F-177791347D91} - C:\WINDOWS\System32\intlmain.dll (file missing)
    O9 - Extra button: Corel Network monitor worker - {B00D6FE2-A75C-41D8-AA4F-177791347D91} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {B00D6FE2-A75C-41D8-AA4F-177791347D91} - (no file) (HKCU)
    O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
    O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
    O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
    O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
    O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
    O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp2.cab
    O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sdk/latest/qsp2ie06041001.cab

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it,
    double-click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 8 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  7. 1911freak

    1911freak Private E-2

    Re: Tried to run the READ & RUN ME FIRST. Malware Removal Guide/ can't even do 1st st

    I thought I was. Windows security said I was. What software do you recommend?

    I paid for it and it seemed to just slow everything down and I still had tons of crap getting on my computer so I uninstalled it. I reinstalled a trial version when I was originally trying to get rid of the malware.

    No, I uninstalled it.

    I changed the name and ran per your instructions in this email. Log is attached.

    Done, logs are attached.

    I thought I had. Reloaded CCleaner and ran as instructed.


    I already had Spybot on my computer so I ran the version I had. I have installed and run the new version and completed the fix/immunize.

    done

    Done

    Downloaded and run.

    No, and I suspect that this is what is causing my computer to act like it is on a network. I still cannot access internet options, control panel, or windows security settings. I had to use CCleaner to uninstall programs.

    Done

    Done


    Done, Avenger log will be included in next post.

    Thanks for the help. You're good. As stated above I still cannot access control panel, internet options or windows security. My computer still acts like it is on a network and being controlled from an unknown administrator. I also still get an annoying popup. I will include a screen shot in the next post.
     

    Attached Files:

    Last edited: Oct 21, 2007
  8. 1911freak

    1911freak Private E-2

    Re: Tried to run the READ & RUN ME FIRST. Malware Removal Guide/ can't even do 1st st

    Avenger log and a screen shot of the popup.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Tried to run the READ & RUN ME FIRST. Malware Removal Guide/ can't even do 1st st

    We will discuss this later.

    Uninstall the Spyware Doctor trial if still installed.


    You are missing part of my point in the instructions. It must not be here:
    C:\Documents and Settings\main\Desktop\ANTI-SPY\files\HJT\analyse.exe

    It must be here:
    C:\Program Files\HJT\analyse.exe


    Delete below file which is wasting a ton of diskspace:
    C:\18F.tmp

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*.worldwinner.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;;<local>
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
    O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtr.dll
    O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
    O4 - Startup: system.exe
    O4 - Global Startup: autorun.exe
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it,
    double-click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 8 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: Oct 25, 2007
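The fix list above turns on a few HijackThis entry types that keep coming up in this thread: the O7 policy value (the kind of restriction that produces the "restrictions in effect on this computer" error from the first post), the F2 system.ini Shell= line with a second program chained onto Explorer.exe, O16 ActiveX CAB files loaded from local file:// paths, orphaned "(file missing)" entries, and the R1 ProxyOverride bypass list with raw IP addresses in it. The following Python script is an added example, not part of the thread or of HijackThis itself: it parses HJT-style log lines and flags those entry types so a reviewer can see at a glance why each line is on the list. The sample lines are constructed, modelled on entries quoted in this thread, and the flagging rules are the author's own heuristics, not HijackThis's.

```python
import re
from dataclasses import dataclass

# Constructed sample log: a handful of HijackThis-style lines modelled on the
# entries quoted in this thread (not a complete log, not from a real scan).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;<local>
R3 - URLSearchHook: (no name) - {D7D6C7D2-054D-F9CB-1388-252B431C9DD2} - 321102.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: autorun.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp2.cab
"""


@dataclass
class Finding:
    section: str  # HJT section tag, e.g. "O7"
    reason: str   # why the line deserves a second look
    line: str     # the original log line


# Every HJT entry starts with a section tag ("R1", "O4", ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_line(line):
    """Split one HJT line into (section, body); None for header/process lines."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def proxy_override_entries(body):
    """Return the semicolon-separated bypass list from a ProxyOverride entry."""
    _, _, value = body.partition("=")
    return [e.strip() for e in value.split(";") if e.strip()]


def triage(log_text):
    """Flag the entry types discussed in this thread; returns a list of Finding."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        section, body = parsed
        line = raw.strip()
        if section == "O7":
            # Policies\System and Policies\Explorer values are what lock users
            # out of regedit, the Control Panel, and similar tools.
            findings.append(Finding(section, "policy restriction set", line))
        elif section == "F2" and "Shell=" in body:
            # The shell should be Explorer.exe alone; anything appended to it
            # is launched every logon.
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append(Finding(section, "extra program chained onto the shell", line))
        elif section == "O16" and "file://" in body.lower():
            # Legitimate ActiveX controls are downloaded from a web server,
            # not registered from a CAB dropped on the local disk.
            findings.append(Finding(section, "ActiveX CAB registered from a local file:// path", line))
        elif section == "O4" and "Startup:" in body:
            findings.append(Finding(section, "startup-folder item, verify it is wanted", line))
        elif "ProxyOverride" in body:
            # Raw (non-loopback) IPs in the proxy bypass list are unusual for a
            # home machine and worth asking the user about.
            ips = [e for e in proxy_override_entries(body)
                   if IPV4_RE.match(e) and not e.startswith("127.")]
            if ips:
                findings.append(Finding(section, "proxy bypass list contains raw IPs: " + ", ".join(ips), line))
        if "(file missing)" in body:
            findings.append(Finding(section, "orphaned entry, target file missing", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run stand-alone it prints one flagged line per entry type; lines it does not recognise (the QuickTime O4 entry, the O16 control fetched over http) are left alone, which is the point: the script narrows a long log down to the handful of entries a helper would actually ask about, it does not decide what to fix.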
  10. 1911freak

    1911freak Private E-2

    Re: Tried to run the READ & RUN ME FIRST. Malware Removal Guide/ can't even do 1st st

    Still have the same issues. Steps went well.
    This item
    O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtr.dll
    was not present on the HJT scan.
     

    Attached Files:

  11. 1911freak

    1911freak Private E-2

    Re: Tried to run the READ & RUN ME FIRST. Malware Removal Guide/ can't even do 1st st

    newfiles log.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Tried to run the READ & RUN ME FIRST. Malware Removal Guide/ can't even do 1st st

    Based on your HJT log it appears that you did not fix everything. I also still see Spyware Doctor installed. You said this was a trial and my previous instructions began with saying to uninstall it which should have been done before doing the other steps. Do this now and then continue on to the below. It could be getting in our way.

    Now copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Make sure you tell me whether or not you receive a success message on adding the above to the registry. This is important.

    Now repeat my previous instructions in message # 9 since everything I asked you to fix is still there. Did you forget to click Fix checked? Or did you get the HJT log before you did the fixes rather than getting it at the end of the procedure where I requested a log? Note: check the Avenger fix again because I'm adding something new to it that just showed up, so you need to re-download the Avenger fix.

    Then attach the same new logs.
     
