9 hours + and still working

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ethveg, Sep 3, 2006.

  1. ethveg

    ethveg Private E-2

    I had the Raze Spyware problem today (red background, etc.) but found the easy solution to removing it on this site. THANK YOU.

    But since there had been other anomalies lately I decided to clean up the machine, and more than 9 hours ago I began following the directions on the "Read and Run Me First before asking for support" page and have just completed downloading, extracting, running the programs, going into and out of safe mode, turning restore points off and back on, etc.

    The only thing I did not do was disable msconfig before the reboot when I ran HijackThis (I didn't see any instructions on how to do that - but I don't know if it was ever even enabled.)

    Anyway, the last "cleaning" step was the Panda Scan, and it still showed 4 unremoved items.

    So I've uploaded the BitDefender report, the Panda Report and the HijackThis log.

    The RunKeys report was empty.

    I'll reply to this post (if I'm allowed to) and add the newfiles.txt file.

    I would appreciate any feedback anyone wants to offer on

    1. how to remove the 4 items Panda shows, and
    2. whether the Hijack log shows anything that should be dealt with.

    Thank you for what you've already done (the procedures I followed eliminated A LOT of stuff) and for whatever further advice you offer.

    For everyone who has found solutions here and not left feedback, I thank you sincerely for your altruism.
     

    Attached Files:

  2. ethveg

    ethveg Private E-2

    This reply serves only to allow me to upload the newfiles report.

    Thanks again.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They are in step 7 of the READ ME.

    You need to go back to the READ ME and read step 3 again and then uninstall one of the antivirus applications you have installed.

    Then please follow the directions exactly as written in the download link for GetRunKey and attach the requested log from GetRunKey. You must extract all the files from the ZIP files. You need to do the same for ShowNew (its log was also incomplete because you did not follow the directions). Then also attach a new log from ShowNew.

    Then attach a new HJT log after completing the above.
     
    Last edited: Sep 4, 2006
  4. ethveg

    ethveg Private E-2

    I admit I'm feeling kind of dumb, but to the best of my knowledge there is only one AV program running on the machine, AVG.

    "Windows Security" is "built in" but is not active in AV (am I allowed to DELETE it?) and I know there's an AV component in Norton, but it too is disabled and I don't know how to delete it entirely without also losing my firewall.

    I apologize for being so unknowledgeable about this area of software, but can you TELL me which AV programs to remove (and whether I can remove Norton AV w/o losing the firewall; or should I give that up too and use Windows' firewall)?

    Thanks again
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have both Symantec and AVG installed.

    You need to complete the steps in my last instructions for getting the logs from GetRunKey and ShowNew.

    Then uninstall AVG and use Symantec's antivirus. Otherwise uninstall Symantec completely and use one of the free firewalls given here: How to Protect yourself from malware!
     
  6. ethveg

    ethveg Private E-2

    I uninstalled Norton Security, including the firewall: the uninstall utility in Add/remove programs "failed" repeatedly, "retry" after retry. Finally I "ignore"d the failures (they occurred when trying to remove adblocker and parental control subfolders) and at the end was directed to the Symantec Website for a button to finish the removal.

    It required me to download MORE Symantec files, which I did, and after that I "uninstalled" again, failed again, was taken back to the Symantec site and this time was sent to an apparently more secure page (I had to copy in the upper and lowercase letters) and again uninstalled.

    After that there were still Symantec and Norton folders in my program files which would not "delete" (because they were "being used") so I deleted ALL the contents of both of them, then activated the Windows internal firewall (which does not have a "block (all) traffic" setting so I think I'll re-install the Norton firewall after I finish this post.)

    But getrunkey.bat STILL produced an empty Notepad file. The only onscreen message in the DOS window was that "grep" was not a recognized internal or external command or the name of a program or batch file.

    So I ran EVERYTHING else from instruction 3 on, hoping that one of the "cleaners" might remove whatever was interfering with the batch file. But after I finished with Panda the problem still exists - no keys shown at all.

    I did disable restore, reboot, and create a new restore point.

    I'm attaching the new log files. Can you suggest what I might do next (sorry to keep asking, but I'm now about 14 hours of scanning into this problem!) to enable getrunkey.bat to work?

    Thanks again.
     

    Attached Files:

  7. ethveg

    ethveg Private E-2

    This is just to attach the remaining files to.

    In the same minute that it created the EMPTY runkeys.txt file, HijackThis ("Analyse.exe") created about 19 other files also, at least some of which are specifically about my machine, so I'm attaching one of them also.

    Thanks again
     

    Attached Files:

  8. ethveg

    ethveg Private E-2

    Sorry - In the above message I probably meant that "getrunkeys" created those files, not HiJackThis.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is why I gave you the How to protect yourself from malware link. There are free firewalls given in that link and it also tells you that the Windows Firewall is not adequate and must be disabled when one of the other firewalls is installed (normally they will disable it automatically). Why would you want to reinstall Norton? Just look at all the problems you just had trying to uninstall it. It behaves like malware in this manner.


    You are still not following the directions given in the download links for both ShowNew and for GetRunKey as I stated in message number 3. If you don't follow the directions and extract ALL THE FILES FROM THE ZIP that is what you will get. You MUST NOT run the .bat files directly from the ZIP file. Also you are using an old version of ShowNew. Get the current version. After you complete the other remaining instructions below (the fixes), then follow the directions in the links and attach new and complete logs from ShowNew and GetRunkey (these are the newfiles.txt and runkeys.txt logs respectively. We don't want any of the other intermediate temporary files that are created when running the tools and those temp files are removed when the batch files terminate properly.)


    System Restore should not have been touched until all malware has been determined to have been removed.


    Did you install, and do you use, VMN.net Toolbar? I see it in your HJT log.

    Let's get started on your fixes!

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O1 - Hosts: localhost 127.0.0.1
    O4 - HKCU\..\Run: [untfs] C:\WINDOWS\System32\untfs.exe
    O4 - HKCU\..\Run: [MSAgentXP] C:\WINDOWS\System32\MSAgentXP.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O15 - Trusted Zone: www.comcast.net
    O15 - Trusted Zone: http://www.whyy.org
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c5.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/319eaf442689f8d76023/netzip/RdxIE601.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A8F391C6-56C1-4D9C-AC55-651586C8EC39}: NameServer = 85.255.116.38,85.255.112.95
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B4AA541E-B9FF-4EAA-8847-7D446BF87D1C}: NameServer = 85.255.116.38,85.255.112.95
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E117520E-BAA0-4655-BFAF-67FC19C0D0A2}: NameServer = 85.255.116.38,85.255.112.95
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FCCAFE7A-E5FE-45D5-BBBF-D97A51DAE593}: NameServer = 85.255.116.38,85.255.112.95
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.38 85.255.112.95
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.38 85.255.112.95
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.38 85.255.112.95
    O23 - Service: mp43dmod - Unknown owner - C:\WINDOWS\System32\mp43dmod.exe (file missing)

    After clicking Fix, exit HJT.

    Now run this procedure: WareOut Removal

    Attach the log from c:\fixwareout\report.txt

    Also look for the below two files and if found, delete them:
    C:\WINDOWS\System32\untfs.exe
    C:\WINDOWS\System32\MSAgentXP.exe

    Now also attach the below new logs (make sure you extracted ALL the files for ShowNew and GetRunKey and that you are not trying to run the files from inside of the ZIP):
    - HijackThis
    - GetRunKey
    - ShowNew
     
    Last edited: Sep 7, 2006
  10. ethveg

    ethveg Private E-2

    1. I chose NOT to reinstall Norton Firewall. I did click on the "How to Protect yourself from malware!" link in your previous reply, but it didn't work. So I decided to use Windows Firewall (ONLY during the cleaning process) after uninstalling Norton. But I fully intended to replace Windows Firewall with a better package (I did not know that the broken link was for a page with a number of such download links) as soon as I was done - which I thought would be only a few hours: Although you apparently replied to my previous post yesterday, I did not receive an e-mail telling me so: I checked repeatedly (apparently I've become unsubscribed somehow.) It was only this morning that I decided to visit the thread and saw your reply. Again, I appreciate not only your help but your promptness and your patience.

    But since firewalls was the first topic you wrote about in your reply, after following the instructions INCLUDED in your reply (REGEDIT4 fix, HijackThis, FixwareOut) I Googled "How to protect yourself from malware", found the page, and have now downloaded and installed ZoneAlarm Firewall (since it starts with "Z" but you put it first I figured it might be the program you preferred) and I have verified that it has disabled the Windows Firewall. Soon after doing that I was left with two questions:

    a. Following the installation of ZoneAlarm and the reboot, my default browser's (IE 6.0) homepage was set to msn.com. Is this a feature of the firewall installation, or does it indicate that the reboot activated some malware still on my machine which then hijacked my browser? (Or, remembering that I installed the firewall AFTER following your REGEDIT4 and HijackThis instructions, could MSN be IE's default homepage, activated when data about the URL of the homepage I had been using was removed?)

    b. Since I installed Windows Defender (beta2) several days ago I have seen three or four pop-up windows above my systray telling me that Windows Defender has DONE something on the internet (like change the registered user's name, I think - the message vanishes quickly.) Now, minutes after I installed ZoneAlarm Firewall, the firewall issued a security alert that: "Windows Defender User Interface is trying to access the internet.
    Application: MSASCui.exe"
    Is this normal behavior for Defender, or do the pop-ups indicate that it was infected and should be blocked from internet access?


    2. Regarding extracting the bat files before running them, I did, honestly!
    However, I had them on my D: drive (much larger than C:, it's where I put downloads), but I (stupidly) copied the bat files to the PCUtils folder I created on my Desktop while downloading and installing the tools on the "Read and Run Me First" page in order to make it easier to follow the "now run them" directions once I was ready.

    I apologize for not realizing that my "extra step" caused the problem: I had written trivial batch files back in the DOS days (pre-Windows) for processing batches of files, and I was unaware that a bat file might use another (data?) file while it was running. Again I apologize. But I wanted you to know that I was not so disrespectful as to "skip a step"; I "just did something extra." :-(

    Anyway, I re-extracted the files from getrunkeys.zip onto my C: drive and put shortcuts in the Desktop folder (given the obvious time and effort you've put into refining the malware-removal process, I want to keep access to all of the tools AND the directions for using them in a single folder on my computer.)

    getrunkeys.bat now runs and I'm attaching its report, runkeys.txt.

    I also downloaded the version of ShowNew.zip in your "Using ShowNew" post and unzipped it on the C: drive, and I'm also attaching the new newfiles.txt.


    3. I knew that the instructions said not to do the off-on thing with System Restore until all malware had been removed, but the other programs I ran (CCleaner, SpyBot, Panda, and the others) removed SO MUCH garbage that I did not want any of it to repropagate. I hope that the fact that the system DID reboot means that I have not done anything terribly harmful.

    4. VMN.net toolbar is NOT something I ever chose to download or install. But it did install itself on my IE toolbar (and removed the Google search bar, and a few other items, including the NAME "Google search" on the "View menu/Toolbars submenu drop-down list of choices; but it apparently could not delete Google's space on the menu; so I unchecked the "VMN" choice and checked the empty space where Google had been, and now my IE at least LOOKS like it's running "normally" (for me) with the Google search window in place.
    But the VMN item still appears on the View/Toolbars submenu and I'd be pleased to remove EVERYTHING connected with VMN. (Could IT be responsible for changing IE's homepage?)

    5. The first thing I did upon reading your reply (BEFORE the above 1, 2, and 3.) was to follow the "REGEDIT4" procedure you posted; I received a message that it was successful. Then I ran HijackThis and followed your directions. I will attach the log.

    Is it okay for me to run it again and select all lines containing references to programs I do not use and never intend to use? (The whole Sony VAIO complex of folders has never been used, but almost since I bought the machine I've been getting "This program has to close: send report/don't send" messages about "Sony UPnP Framework", and I'd be pleased to remove all of the Sony stuff, the VAIO stuff, and some other items I see in the HijackThis report if that's safe.)


    6. Then I ran FixwareOut. That report too is attached, but it seemed so short that I renamed it (to save it) and ran the program again, after installing the new firewall, to make sure I'd done it right. The second report was identical to the first, line by line, EXCEPT for the list of RegEntries that were deleted (there were none in the second report.)


    7. Regarding
    C:\WINDOWS\System32\untfs.exe
    C:\WINDOWS\System32\MSAgentXP.exe
    neither program appears in the directory, but there IS an untfs.dll file. Should I (can I) delete that? (I don't want to sound too computer-naive: my concern in asking the question is that the author of untfs.exe might have chosen that name because there was a legitimate .dll file of that name used by Windows.)

    8. Finally, about to post this, in the process of getting the attachments ready, I looked at the hijackthis.log which was created this morning, just minutes after I read your most recent reply and followed the immediate directions at the end. It still showed at least some of the items you told me to remove, so I ran hijackthis.exe again, and those items no longer appear in the new log. So I am also attaching the "NEWEST" hijackthis.log to let you see the status at the time of this post.

    Thank you again for sharing your expertise.

    I'll follow this with a dummy post to attach the two bat file reports.
     

    Attached Files:

    Last edited: Sep 8, 2006
  11. ethveg

    ethveg Private E-2

    This is for the .bat file reports:
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good idea not to install Norton! Sorry about the broken link, but I see you found the sticky later.

    ZoneAlarm may be trying to set your Home page to the default which is an MSN page. You can look in the settings for ZA and disable the feature for protecting the start page if desired. Is http://tvfanforums.net stuff your desired start page?

    This is normal and you need to allow it access thru the firewall. It is trying to check for updates that may be required for the program.

    You will find that it is critical to follow directions exactly without deviation. And in the exact order written. Sometimes things may not make sense but there is always a method to our madness. ;) It is even highly suggested to put things into the exact locations (folders) we suggest even though not always necessary to make things work. It just makes things go easier in the long run and keeps unexpected things from happening.

    That's not how System Restore works. You would have to initiate a restore for them to come back.

    We will uninstall it (along with some other old stuff) below.

    First install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox

    Then uninstall the below software:
    J2SE Runtime Environment 5.0 Update 4
    Java 2 Runtime Environment, SE v1.4.2_01
    Mozilla Firefox (1.0.4)
    VMN Toolbar



    You would have to speak to Sony to find out what is needed and not needed to operate your PC correctly and then you would have to uninstall them (you cannot fix them with HJT. They are installed programs and services). You need to find out what they all are and whether you use the features. They are integrated into the PC you bought from Sony (not really a good choice... because of unnecessary stuff like this being installed when many users may never want it. But you bought it!)

    No! It is a required Windows file from Microsoft.

    Is your copy of XoftSpy a paid copy or a free trial? Free trials of this program will not fix anything, so if it is free, uninstall it to avoid wasting system resource and to avoid conflicts with Windows Defender.

    Delete the below files from your Desktop:
    fixme.reg
    Fixwareout.exe

    Delete the below folders if they still exist:
    C:\Program Files\Norton Internet Security(2)
    C:\Program Files\vmntoolbar
    C:\Program Files\Common Files\eSellerate
    C:\fixwareout

    Now reboot your PC and attach a new log from ShowNew and a new HJT log!

    How are things running?
     
    Last edited: Sep 9, 2006
  13. ethveg

    ethveg Private E-2

    1. Downloaded and installed Java Runtime Environment
    2. Downloaded and installed Mozilla Firefox
    3. Using Add/remove programs, uninstalled

    J2SE Runtime Environment 5.0 Update 4
    Java 2 Runtime Environment, SE v1.4.2_01
    VMN Toolbar

    but

    Mozilla Firefox (1.0.4)

    was not on the list. After the new Firefox installed, it opened to a page (I believe - or maybe a pop-up window, but I think a website) telling me that Firefox had been "updated", so could the new installation have overwritten the old version and so left no record of the old version on my machine?)

    At a request from ZoneAlarm Firewall I gave Java updates permission to access the internet at will.

    Then I used Add/remove to remove XoftSpy (I was DESPERATELY seeking help before I found you guys! More on that later.)

    Next I deleted
    fixme.reg
    and
    Fixwareout.exe
    from the desktop using the right-mouse menu. (I was sorry to lose the Fixware program from the "arsenal" I've been building to aid in following the "Read and Run Me" page.)

    Then I went into the C:\Program files directory and deleted
    Norton Internet security(2),
    C:\Program Files\Common Files\eSellerate,
    and
    C:\fixwareout

    but when I tried to delete
    C:\Program Files\vmntoolbar
    I got an "access denied" message.

    I opened the folder and found there were just 4 files. I deleted each of them successfully, but when I tried to delete the folder again, I got a 'cannot delete - being used by another program' message.

    During this process, even with ZoneAlarm "locked" (no internet access) I got a systray popup from Defender telling me that an application had applied for an "Application Registration change".

    Then, following directions, I rebooted and, (on my own) went back to the C:\Program Files folder to see if I could delete the vmn folder, but it was already gone.

    So I ran ShowNew and HijackThis, and will attach their two reports to this post.

    And, to answer your final question, my machine has been running GREAT for a few days already! The e-mail comes in at speeds like the old days, even with AVG's e-mail scanner running (I had disabled it for awhile because Outlook Express couldn't access the internet with it running - so I never click on ANYthing in an e-mail - not links, not attachments - unless it's from a VERY trusted source like CNN or Amazon.) At the risk of repeating myself, THANK YOU. :)

    I'm hoping that I'll now see a "final post" telling me that the machine is clean and I should create a System Restore point.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Small programs/tools like this should always be redownloaded anyway when they are needed because they get changed frequently anyway. If you want to keep a collection of tools, that's fine, just create folders specifically named for them and indicate version numbers too (if any). But it is always best in the future to check for updates.

    Your logs are clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
