WinSoftware and other problems

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by cl2, Sep 8, 2005.

  1. cl2

    cl2 Private E-2

    I'm having problems with pop-ups and requests to install anti-spy software from WinSoftware. I've run all your baseline checks and still no luck. A few details: It only happens when I'm using IE (v6.0.28) not when using Firefox 1.0.5; OS is XP.

    Would greatly appreciate any help you guys can give. I have HJT and can post a scan if you are willing to help out. Thanks very much in advance.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    HijackThis must be installed and run properly per the below instructions:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. cl2

    cl2 Private E-2

    Attachment

    Thanks for the help. I closed everything I could but some system things I could not shut down here at work.

    File attached.
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Attachment

    You have a Virtumundo infection we need to fix.

    Do you recognize the below:

    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: CREDANT Mobile Guardian Gatekeeper (guardian) - CREDANT Technologies - C:\Program Files\Credant\Gatekeeper\Gatekeeper.exe
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Attachment

    Okay let's start by downloading two tools we will need:

    - Process Explorer 9.2

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of yayvs.dll once and then click the kill button. After you have killed all of the yayvs.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of yayvs.dll

    Now also in the Process Explorer window locate and kill: C:\WINDOWS\TEMP\LY4A07.EXE

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\yayvs.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O20 - Winlogon Notify: yayvs - C:\WINDOWS\System32\yayvs.dll

    Copy the bold text below to notepad. Save it as fixVundo.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.

    C:\WINDOWS\TEMP\LY4A07.EXE
    C:\WINDOWS\SYSTEM32\svyay.ini
    C:\WINDOWS\SYSTEM32\svyay.ini2
    C:\WINDOWS\SYSTEM32\svyay.bak
    C:\WINDOWS\SYSTEM32\svyay.bak2
    C:\WINDOWS\SYSTEM32\svyay.tmp
    C:\WINDOWS\SYSTEM32\yayvs.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log.
     
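As an added example (not part of this thread and not a MajorGeeks tool), the script below shows how a helper would read the HijackThis lines chaslang quoted: it parses the O2/O9/O20/O23 entries into records, flags a file that is registered in more than one place (here yayvs.dll as both a BHO and a Winlogon Notify handler, the layering that makes the Vundo cleanup above necessary), flags dangling "(no file)"/"(file missing)" entries, and derives the reversed-name companion files (yayvs -> svyay) that the Killbox list asks for. The parsing rules, the sample log (assembled from lines on this page) and the assumption that the reversed-stem naming generalises to other DLL names are mine, not the thread's.

```python
import re
from collections import defaultdict

# Constructed sample input: the HijackThis lines quoted in the thread above,
# plus the benign O23 Bonjour line from the first log. Not a real log file.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\yayvs.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: yayvs - C:\WINDOWS\System32\yayvs.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# "O20 - Winlogon Notify: <rest>"  -> section, kind, rest (assumed line shape)
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_hjt(text):
    """Turn HJT lines into dicts: section, kind, name, clsid, path, missing."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or something that is not an HJT entry
        section, kind, rest = m.groups()
        parts = [p.strip() for p in rest.split(" - ")]
        path = parts[-1]  # HJT puts the file or path last
        if path.endswith("(file missing)"):
            path, missing = path[: -len("(file missing)")].strip(), True
        else:
            missing = path == "(no file)"
        clsid = CLSID_RE.search(rest)
        entries.append({
            "section": section, "kind": kind, "name": parts[0],
            "clsid": clsid.group(0).lower() if clsid else None,
            "path": path, "missing": missing,
        })
    return entries


def triage(entries):
    """Map each suspicious path to the reasons it was flagged."""
    reasons = defaultdict(list)
    by_path = defaultdict(list)
    for e in entries:
        if not e["missing"]:
            by_path[e["path"].lower()].append(e)
    # 1. One file hooked in from several sections (BHO plus Winlogon Notify in
    #    the thread): the layered persistence the cleanup above has to unpick.
    for hooks in by_path.values():
        sections = sorted({h["section"] for h in hooks})
        if len(sections) > 1:
            reasons[hooks[0]["path"]].append(
                "same file registered under " + ", ".join(sections))
    for e in entries:
        # 2. A Winlogon Notify DLL runs inside winlogon.exe before the desktop
        #    exists, which is why the thread kills those threads first.
        if e["section"] == "O20" and not e["missing"]:
            reasons[e["path"]].append("Winlogon Notify DLL, loaded by winlogon.exe")
        # 3. Dangling entries: nothing behind them, but still worth removing.
        if e["missing"]:
            reasons[e["path"]].append(f"{e['section']} entry points at a missing file")
    return dict(reasons)


def related_artifacts(dll_path):
    """Companion files named by reversing the DLL stem, as in the thread
    (yayvs.dll beside svyay.ini/.ini2/.bak/.bak2/.tmp). Applying the same
    reversal to any other DLL name is an assumption of this example."""
    folder, _, filename = dll_path.rpartition("\\")
    stem = filename.rsplit(".", 1)[0][::-1]
    return [f"{folder}\\{stem}{ext}" for ext in (".ini", ".ini2", ".bak", ".bak2", ".tmp")]


if __name__ == "__main__":
    for path, why in triage(parse_hjt(SAMPLE_LOG)).items():
        print(path)
        for r in why:
            print("   -", r)
        if path.lower().endswith(".dll"):
            print("   also check:", ", ".join(related_artifacts(path)))
```

The correlation step is the part a log reader tends to miss by eye: each O2 or O20 line looks ordinary on its own, and it is the same path turning up in both that separates this from an innocent toolbar.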
  6. cl2

    cl2 Private E-2

    Re: Attachment

    I have an Ipod/Itunes so maybe the first one relates to those. The second is probably a corporate security program for my Blackberry.

    I will run the other tools and re-post in a bit. Thank you again for the assistance.
     
  7. cl2

    cl2 Private E-2

    New HJT run

    There was file I did not find when going through the Process Explorer fixes (c:\windows\temp\ly4a07.exe)

    Hopefully I'm clean!
     

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: New HJT run

    That's because it is changing names! Probably renames at power down or at power up (or reboot). See your log. It is now C:\WINDOWS\TEMP\MI7AE5.EXE

    You need to locate whatever the filename is now and kill the process tree using Process Explorer and then delete the file. In fact delete everything in c:\windows\temp that it allows you to delete (there will be a few files there you will not be able to delete).

    Virtumundo is now gone. How are things currently working?


    If the above search for this temp file does not work out, download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside c:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.
     
    Last edited: Sep 9, 2005
  9. cl2

    cl2 Private E-2

    Things seem to be running okay for now but I want to make sure I get the drop out of here. I'll run the next stuff and post when done.

    Thanks again -- get out and enjoy some TGIF time!
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm watching the Yankee/Red Sox game in between typing.
     
  11. cl2

    cl2 Private E-2

    Back again

    I've tried deleting that temp file but when I reboot in safe mode it is gone, and in normal mode it won't let me delete it (it is the only file in the \windows\temp\ folder that I see.)

    Ran the other program and that file should be attached.
     

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Back again

    We need to figure out what is causing this to load, what makes it rename itself, and what causes it to come back after being stopped and deleted.

    Let's try the below. Note: you should now be able to locate this bad file in c:\windows\temp yourself each time. So if I use whatever the last name was and it no longer has the same name, you should just use the new name that you can see.

    Download and install Unlocker

    Accept all the install default settings.

    Now open Windows Explorer and navigate to C:\WINDOWS\TEMP\MI7AE5.EXE
    And right click on the file name and select Unlocker
    A Window will pop up showing some information about the locked file and which Process Paths are using it. Make sure you write down the info so you can tell me later what you saw. Then click Unlock All. Now kill the process! Then try to delete the file itself using Windows Explorer. Did that work?
     
  13. cl2

    cl2 Private E-2

    No luck

    I installed and tried to run it on the chameleon file and got "No locking handle found." When I picked delete from the drop-down, it said the file could not be deleted.

    Is there some "semi"-safe mode that would allow the file to load but not protect itself? Hope that doesn't sound silly enough to make you LOL...

    Thanks for the continued help!
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: No luck

    Well since you said it does not appear in safe mode.....no!


    Try using msconfig to limit all startup items:

    - run msconfig (click Start,Run and enter msconfig and click ok)
    - click the Selective Startup radio button
    - uncheck the top four items under this button.
    - Click Apply and OK

    Now reboot in normal mode. And see if the process is still appearing. Note: you will not be able to do too much in this mode. You will not be able to connect here. You will need to go back and select Normal Startup so you can tell me what happens.
     
  15. cl2

    cl2 Private E-2

    No dice

    Went through the steps below and the file never showed itself. Sneaky little bastard...
     
  16. cl2

    cl2 Private E-2

    BTW, FWIW I have not been seeing the same problems as when I first started this thread. No pop-ups and redirects so far, so thank you very much for your help with that.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: No dice

    Okay now try a slightly different thing with MSconfig.

    - run msconfig (click Start,Run and enter msconfig and click ok)
    - click the Selective Startup radio button
    - uncheck the SYSTEM.INI, WIN.INI, and Load Startup Items (this means only Load System Services should be checked).
    - Click Apply and OK

    Now reboot in normal mode. And see if the process is still appearing. Note: you will not be able to do too much in this mode. You will not be able to connect here. You will need to go back and select Normal Startup so you can tell me what happens.
     
  18. cl2

    cl2 Private E-2

    I'm back

    Sorry, was out of town for a bit and unable to check this again. I ran the new startup routine suggested below and still unable to delete. Can I track what is generating the file? There must be something that allows it to appear when booting in normal mode but not in safe mode, no?

    Everything else continues to look good.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: I'm back

    That's what we are trying to do. We are trying to see where in the startup process it is loaded. Let's try a slightly different process. Make sure you are following these steps exactly.

    Okay now try a slightly different thing with MSconfig.

    - run msconfig (click Start,Run and enter msconfig and click ok)
    - click the Selective Startup radio button
    - uncheck the SYSTEM.INI, WIN.INI, and Load System Services (this means only Load Startup Items should be checked).
    - Click Apply and OK

    Now reboot in normal mode. And see if the process is still appearing. Note: you will not be able to do too much in this mode. You will not be able to connect here. You will need to go back and select Normal Startup so you can tell me what happens.
     
  20. cl2

    cl2 Private E-2

    That routine worked -- the file loaded and I was able to delete it. BUT... I restarted in normal, load-everything mode and it came back. BTW, when I deleted it, I did a shift-delete and made sure it didn't just go to the recycle bin.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Generate a StartupList log using HijackThis.

    Run HJT and on the first screen, click the button that says "Open the Misc Tools section". In the next window first select "List also minor sections (full)" and then click the button that says "Generate StartupList log". Click Yes to the Do you want to continue prompt. Now a notepad window will come up with the Startuplist.txt file. It is already saved in the directory HJT is running from. So just come back here and upload the file as an attachment to your next message.

    Also use MSconfig and look at what is in the startup list. Do you see something with the below two processes:
    NetMeeting "C:\Program Files\NetMeeting\useredits.exe" /s
    OSP "c:\windows\system32\ospedit.exe" /s

    If so, just disable both of them from loading. Now reboot. Does that strange temp file still appear?
     
  22. cl2

    cl2 Private E-2

    I disabled the other two startup files you suggested and the file reappeared in the temp folder. Also could not delete it.

    HJT file uploaded as well.
     

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay enable those other two that we had disabled. And try finding and disabling the below. Then reboot and see if the temp file appears.

    UpdateSerialNumber = C:\WINDOWS\System32\updateserial.exe /s
    PRPCMonitor = PRPCUI.exe
    PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    MSPY2002 = C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    LifeScape Media Detector = C:\Program Files\Picasa\PicasaMediaDetector.exe
    IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    IMEKRMIG6.1 = C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    eabconfg.cpl = C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
     
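The msconfig rounds in this thread (whole groups first, then named entries) are a manual search for the startup item that drops the temp file. As an added example, not something from the thread or from MajorGeeks, the script below writes that search out as a halving procedure over the entry names chaslang listed, so the number of reboots grows with the logarithm of the list length instead of one reboot per entry. The "oracle" that stands in for a reboot, and the choice of which entry is the culprit, are constructed for the demo; the thread never identifies what is responsible.

```python
# Constructed startup list, taken from the msconfig entry names chaslang asks
# cl2 to disable. Which one is the "culprit" is invented for this demo.
STARTUP_ITEMS = [
    "UpdateSerialNumber",
    "PRPCMonitor",
    "PHIME2002ASync",
    "PHIME2002A",
    "MSPY2002",
    "LifeScape Media Detector",
    "IMJPMIG8.1",
    "IMEKRMIG6.1",
    "eabconfg.cpl",
]


def make_oracle(culprit):
    """Stand-in for a reboot: answer whether the symptom (temp file present)
    shows up with the given items enabled, and count the reboots spent.
    In real use the oracle is a person rebooting and looking in C:\\WINDOWS\\TEMP."""
    log = {"reboots": 0}

    def appears(enabled):
        log["reboots"] += 1
        return culprit in enabled

    return appears, log


def bisect_startup(items, appears):
    """Halve the enabled set on each reboot until one item remains.
    Assumes exactly one item reproduces the symptom by itself (no two-item
    interaction). Returns None when enabling all of them does not reproduce it,
    which means the loader lives elsewhere (services, a Winlogon hook, etc.)."""
    candidates = list(items)
    if not appears(candidates):
        return None
    while len(candidates) > 1:
        mid = len(candidates) // 2
        first, second = candidates[:mid], candidates[mid:]
        # Keep whichever half still shows the symptom; the other half is cleared.
        candidates = first if appears(first) else second
    return candidates[0]


if __name__ == "__main__":
    appears, log = make_oracle("PRPCMonitor")
    print(bisect_startup(STARTUP_ITEMS, appears), "found after", log["reboots"], "reboots")
```

The single-culprit assumption matters: if the file needs two entries enabled at once, a half containing only one of them reports "no symptom" and the search throws the pair away, which is why the thread's first pass works on the coarse msconfig groups before touching individual entries.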
  24. cl2

    cl2 Private E-2

    Back again

    Hope you had a good weekend. Ran this set and the temp file appeared but was not able to delete/unlock it.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Back again

    Please locate your System.ini file and your Win.ini file in the c:\windows folder and either copy and paste their contents here or put a copy of them in a ZIP file and upload the ZIP.
     