lingering malware? help please!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by rrrebecca, Nov 27, 2007.

  1. rrrebecca

    rrrebecca Private E-2

    Hi

    So my computer got a really really bad infection last week while I was watching Family Guy on the internet (I swear it's the copyright people or the government!!!!). Anyways, I came here and ran all of the scans that are listed in the "read me first" file and everything seemed to go away, all the annoying popups, fake "Ultimate Defender" stuff that I never clicked on because I was suspicious. But then, the next day, a few popups came back! I ran everything again (CCleaner, ComboFix, AVG, BitDefender, Panda, S&D, VundoFix because it found Virtumonde, etc.....) and now when I restart my computer the popups are gone but I always get this error message, that says "error loading C:\WINDOWS\system32\havcxknh.dll the specified module could not be found"

    My boyfriend also ran SuperAntiSpyware, when we discovered an E404 Helper folder among other mysterious things in the Program Files folder. We ran that after we ran everything else and it still found 84 "dangerous" files. We also checked the HijackThis log against the post here, and we didn't find anything.

    My computer is going a little slower than normal and I get that stupid error message when I start up. At least the popups are gone! I'm really not great with computers at all, but I definitely CANNOT afford to wipe my hard drive, bring it in to get fixed, or get a new computer altogether... how can I make sure that everything is definitely gone?

    The logs are attached for HijackThis, ComboFix and MGlogs.zip; AVG is on the next post.

    I'm trying my best, I've never dealt with this before!!! I'm so happy you guys have posted these things, I would be lost without you!!!! Thank you MajorGeeks!!!!

    rebecca

  2. rrrebecca

    rrrebecca Private E-2

    OK, I just remembered that the AVG didn't make a log....... who knows why? I don't!!!
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!
    It does not make the log automatically. You have to make the log per the instructions in the READ ME.

    Please do not attach a HijackThis log, especially one from a copy that is installed improperly. We don't need them to be attached separately. As stated in the instructions for MGtools.exe, it automatically includes a HijackThis scan and a log, which is in the MGlogs.zip file. And this one is run correctly.

    I'm looking at your logs now. While I do that, you need to complete the below.

    Uninstall the below old versions of software:
    Ad-aware 6 Personal <-- this is 3 years out of date
    Java 2 Runtime Environment, SE v1.4.2_03
    Java 2 Runtime Environment, SE v1.4.2_04
    Spybot - Search & Destroy 1.3 <-- this is 3 years out of date
    Viewpoint Manager (Remove Only) <-- should have been uninstalled in step 0 of the READ ME
    Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After completing my instructions in message # 3, continue with the below.
    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {235E4AA0-2261-453E-9B0A-5C96866618DC} - C:\Program Files\MSN\mexo4444.dll
    O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WINDOWS\system32\mljhfcd.dll
    O2 - BHO: (no name) - {6BBB3985-01AC-43AB-8507-6BFC5B89B533} - C:\Program Files\MSN\mexo83122.dll
    O2 - BHO: (no name) - {71E9A824-681A-43B7-9E42-8A875D4414B1} - C:\WINDOWS\system32\geebc.dll
    O2 - BHO: {196e0db0-9df9-ec2b-f884-a33ec1aec628} - {826cea1c-e33a-488f-b2ce-9fd90bd0e691} - C:\WINDOWS\system32\iifdumsy.dll
    O2 - BHO: (no name) - {9BFA8D13-10F0-4B0E-8B2B-4CE675F359C6} - (no file)
    O2 - BHO: (no name) - {D564225D-4F5C-446E-BA16-E02C26C77685} - C:\Program Files\MSN\mexo555077.dll
    O2 - BHO: (no name) - {E7970432-8110-480E-588C-A50E15CA2C6F} - (no file)
    O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\E404 Helper\e404.v6.dll
    O2 - BHO: (no name) - {F1287373-216C-4297-B585-B2D019CFAC68} - (no file)
    O2 - BHO: (no name) - {FC6BC6A5-F69C-4FCB-851A-5683A17DAD6F} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
    O4 - HKLM\..\Run: [6e3b5d77] rundll32.exe "C:\WINDOWS\system32\havcxknh.dll",b
    O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\system32\YSTEM~1\rundll.exe" -vt yazb
    O18 - Protocol: schmap-help - (no CLSID) - (no file)
    O20 - Winlogon Notify: mljhfcd - C:\WINDOWS\SYSTEM32\mljhfcd.dll
    O20 - Winlogon Notify: swvwafvs - swvwafvs.dll (file missing)
    O20 - Winlogon Notify: ynigfbzn - ynigfbzn.dll (file missing)

    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
     
    Last edited: Nov 28, 2007
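As an added example (not code from this thread or from MajorGeeks' tools), a small Python triage that applies the same checks the reply above makes by hand to HijackThis-style lines: O2 BHOs with no name, a GUID as a name, or no file; O4 Run values with random hex names or a rundll32 loader (the source of the "specified module could not be found" message once the DLL is gone); and O20 Winlogon Notify hooks whose DLL is missing or is shared with a flagged BHO. The sample log is constructed from the entries quoted above plus a benign QuickTime line, and the regexes are this example's own, not HijackThis's parser.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample modelled on the HJT entries quoted in this thread (QuickTime line = benign control).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WINDOWS\system32\mljhfcd.dll
O2 - BHO: {196e0db0-9df9-ec2b-f884-a33ec1aec628} - {826cea1c-e33a-488f-b2ce-9fd90bd0e691} - C:\WINDOWS\system32\iifdumsy.dll
O2 - BHO: (no name) - {9BFA8D13-10F0-4B0E-8B2B-4CE675F359C6} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [6e3b5d77] rundll32.exe "C:\WINDOWS\system32\havcxknh.dll",b
O20 - Winlogon Notify: mljhfcd - C:\WINDOWS\SYSTEM32\mljhfcd.dll
O20 - Winlogon Notify: swvwafvs - swvwafvs.dll (file missing)
"""
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
PATTERNS = {  # one regex per HJT section handled here (O2 = BHO, O4 = Run key, O20 = Winlogon Notify)
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + GUID + r") - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$"),
}
def dll_name(path):
    """Lower-cased DLL file name from an HJT path field; '' when HJT reports no file."""
    return "" if path.startswith("(no file)") else PureWindowsPath(path.replace(" (file missing)", "")).name.lower()
def triage(log_text):
    """Map each suspicious HJT line to the reasons it was flagged. Pass 1 collects DLLs behind
    nameless/orphaned BHOs; pass 2 also catches a Winlogon Notify hook reusing one of them."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    findings, bho_dlls = {}, set()
    for line in lines:
        if m := PATTERNS["O2"].match(line):
            reasons = []
            if m["name"] == "(no name)":
                reasons.append("BHO has no display name")
            elif re.fullmatch(GUID, m["name"]):
                reasons.append("BHO display name is itself a GUID")
            if m["path"].startswith("(no file)"):
                reasons.append("BHO CLSID still registered but its DLL is gone")
            if reasons:
                findings[line] = reasons
                bho_dlls.add(dll_name(m["path"]))
    for line in lines:
        reasons = []
        if m := PATTERNS["O4"].match(line):
            if re.fullmatch(r"[0-9a-f]{6,}", m["name"].lower()):  # e.g. [6e3b5d77]
                reasons.append("Run value named with a random-looking hex string")
            if re.match(r'"?rundll32(\.exe)?"?\s', m["cmd"], re.I):
                reasons.append("rundll32 loads a DLL at logon; once the DLL is deleted this gives 'specified module could not be found'")
        elif m := PATTERNS["O20"].match(line):
            if "(file missing)" in m["path"]:
                reasons.append("Winlogon Notify hook whose DLL is missing (orphan)")
            elif dll_name(m["path"]) in bho_dlls:
                reasons.append("Winlogon Notify hook shares its DLL with a flagged BHO")
        if reasons:
            findings[line] = reasons
    return findings
```

Run `triage(SAMPLE_LOG)` to get the flagged lines; the benign QuickTime entry is left out, which is the point of keeping a control line in the sample.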
  5. rrrebecca

    rrrebecca Private E-2

    Thank you! Sorry for the HijackThis log. And we followed all of the AVG directions step by step and it still didn't give a log, which we also thought was strange. I just rebooted and am installing the Java. I'll let you know what happens after I follow the rest of your steps. THANK YOU so much for your help!!!
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You mean you followed the steps in the below link and it did not create a log?? Did it detect anything?

    Running AVG Anti-Spyware
     
  7. rrrebecca

    rrrebecca Private E-2

    OK! Did all of those steps. I only ran into one problem, which was that a bunch of the lines weren't on the analyse/HijackThis scan. I'm assuming it's because we ran the SuperAntiSpyware after those logs I posted were produced. But I'm probably wrong....? These are the ones that didn't show up:

    O2 - BHO: (no name) - {235E4AA0-2261-453E-9B0A-5C96866618DC} - C:\Program Files\MSN\mexo4444.dll
    O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WINDOWS\system32\mljhfcd.dll
    O2 - BHO: (no name) - {6BBB3985-01AC-43AB-8507-6BFC5B89B533} - C:\Program Files\MSN\mexo83122.dll
    O2 - BHO: (no name) - {71E9A824-681A-43B7-9E42-8A875D4414B1} - C:\WINDOWS\system32\geebc.dll
    O2 - BHO: {196e0db0-9df9-ec2b-f884-a33ec1aec628} - {826cea1c-e33a-488f-b2ce-9fd90bd0e691} - C:\WINDOWS\system32\iifdumsy.dll
    O2 - BHO: (no name) - {D564225D-4F5C-446E-BA16-E02C26C77685} - C:\Program Files\MSN\mexo555077.dll
    O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\E404 Helper\e404.v6.dll
    O20 - Winlogon Notify: mljhfcd - C:\WINDOWS\SYSTEM32\mljhfcd.dll

    I fixed all of the others with the browser closed and followed all of the other steps, ran CCleaner, and my logs for Avenger and MGlogs are attached.

  8. rrrebecca

    rrrebecca Private E-2

    And in response to your other question about the log, the first time it created no log, even though I swear we followed all of those instructions perfectly. The second time it created a log but didn't find anything, so we didn't save the log because there was nothing there. Should I run AVG again?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No, you don't need to run it again. My main concern was that everything that it found was actually fixed.

    You did not need to run MGtools.exe again to get your logs. All you had to do was run what I said at the end of my last message, and that is to run C:\MGtools\GetLogs.bat

    I still see all the items in your current HijackThis log that is inside of the MGlogs.zip file. This includes all the items you told me you could not find. See for yourself by looking at the log. You need to make sure you are following my instructions for running HijackThis exactly. You should be running the C:\MGtools\analyse.exe file and selecting Do a system scan only, and you must make sure you exit all browsers before clicking Fix.

    Also, I still see everything else that I asked you to fix in my first two messages. Are you running things in the wrong order?

    [EDIT]
    Now I just took another look at your MGlogs.zip file. It appears that you did not get the tool to run properly this time and that is why it looks like nothing was fixed. That is also why it looks like you ran MGtools.exe again.... because it is the same log as in your first post. The logs are almost all the same as last time. Please do the below:

    Delete the C:\MGlogs.zip file
    Delete the C:\MGtools folder

    Now download the current version of MGtools.exe which was updated after you first downloaded it. Since we had a problem here, we may as well update to the current version. Download this MGtools.exe to C:\ and then run it by double clicking on it.

    Now attach the new C:\MGlogs.zip file. Also watch the command prompt window to make sure no errors are occurring. Also make sure you wait for the scans to finish running. You will see a message in the command prompt window when it finishes.
     
    Last edited: Nov 28, 2007
  10. rrrebecca

    rrrebecca Private E-2

    OK, so I deleted and re-downloaded MGtools and ran it. Last time I think I just thought it was done, so it didn't finish running. Sorry about that. But this time, there was an error that popped up, it said "Process Dll.exe Common Language Runtime Debugging Services, process id=0x9e4(2532), thread id=0xbb4(2996), ok to terminate the application, cancel to debug the application"

    I didn't know what that meant, so I tried OK, and the whole thing just ended and produced a log. Then I started it again and clicked cancel to debug the application, it did a little bit more, and then came up with another error message, which said

    "no debugger found
    an attempt to launch a JIT debugger with the following command resulted in error code of 0x2(2). please check computer settings.
    corbdb.exe !a 0x548
    click on retry to have the process wait while attaching a debugger manually.
    click on cancel to abort the jit debug request."

    I tried both, and when I clicked retry nothing happened for a while, so I restarted it and tried cancel, which just produced this log. I know I'm supposed to wait until the end of the scan, but I thought I'd let you know about the error message.

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Per the instructions you should have put MGtools.exe in the root folder of your Windows boot drive which would mean it should be C:\MGtools.exe for your PC. You ran it from here:

    C:\Documents and Settings\rebecca\Desktop\MGtools.exe

    While it basically ran okay for you, not following instructions can often lead to problems. You were just lucky in this case. Other people may not be so lucky.

    However, this is not the reason for your problems with ProcessDLL.exe. I'm not sure why you are getting that error, since you do have the Microsoft .NET Framework software installed, and not having the .NET software installed could lead to errors. Don't worry about it, since we don't need the output from ProcessDLL.exe anymore.

    Just a word of warning on Adware Away which it appears you purchased. It is not very highly recommended.

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Viewpoint Manager Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {24F2DAA8-621B-426D-B43A-15D4DD73C861} - C:\WINDOWS\system32\geebc.dll (file missing)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O18 - Protocol: schmap-help - (no CLSID) - (no file)

    After clicking Fix, exit HJT.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
     
  12. rrrebecca

    rrrebecca Private E-2

    So I did the Viewpoint Manager Service thing, but it was stopped already. So I just changed the start-up type to "disabled". I ran analyse.exe and fixed those three items with the browser closed. Then I ran the GetLogs.bat but I got a similar error message as before. But this time the "process id=0x7a4(1956)" and "thread id=0xd88(3464)". Then when I clicked cancel to debug the application, I got the same error message, but it said "cordbg.exe !a 0x7a4" and the thing pretty much just stopped doing anything.

    I also tried running Avenger again with the codes you gave me in the previous post, rebooted, but when I started up again, it said there was an error finding avenger.txt. Is it because I already ran that same scan before? I opened it and there was nothing in it, just a blank Notepad page.

    And I did not purchase Adware Away, we just downloaded it because we thought it might work, but it wasn't free so we didn't use it. I uninstalled and deleted it.

    The new MGlogs.zip is attached.

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's good because it is not worth using.

    The below line is still present:

    O18 - Protocol: schmap-help - (no CLSID) - (no file)

    Did you have all browser windows closed before you clicked Fix checked? It is not a major issue and it is not malware. I believe it is from something you probably had installed at one time, and many people seem to have a problem removing this key. I would not worry about it though, as your logs are otherwise clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  14. rrrebecca

    rrrebecca Private E-2

    I did have all of the browser windows closed, I don't use that Schmap thing but I didn't download it once a little bit ago.

    Anyways, I deleted all of the logs and everything you said to delete.

    THANK YOU SO MUCH, you don't understand how frustrating this was without your help!!!! I really appreciate it, you guys do a great job, hopefully I won't need your help again any time soon!!!!
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Believe me! We hear all the time how frustrating the malware can be. And in addition we know for many people trying to follow the procedures can be frustrating too, but the end reward is well worth it. ;)

    Surf safely.