Need help removing possible virus/trojans/spyware etc..

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by pieman, Jan 2, 2007.

  1. pieman

    pieman Private E-2

Hi, I've had all sorts of junk finding its way onto my PC since a couple of months ago; it always seems to come and go/change or whatever, and I haven't been able to fix it after trying a whole bunch of stuff. Anyway, I used to have Norton (didn't appear to DO much ... besides find little bits and not be able to do anything), but I decided to try AntiVir. It found a bunch of stuff, same with Spybot. It seems to always find new things though, so it seems like the malware is constantly installing new things by itself. I've followed the guide on this site and I'll attach all my log files. I also used the HijackThis guide or whatever and fixed what I could find; there were a couple of things I didn't touch because I wasn't sure. I took some notes of what I have fixed just in case I need to run something specific to clean up 'more', so it doesn't reappear. I've also had svchost hogging up resources lately .. I think I stopped it, and was previously killing it with Spybot, same with alg.exe. Using HijackThis I also cleaned away cnfgld32.exe from startup, which the database from the HJT guide listed as part of the SDBOT trojan. As a note, I'm sure I've had Vundo - WinFixer etc., and WinVermins among other things. Quite honestly I think I've removed so many things over the past month or two I can't keep track of it. Hrmm, there was a Trojan.Zlob or something too. Sorry, it's all I can remember .. sorry for rambling. I'll go ahead and attach my logs, and hope someone can give me a hand :). I'll attach my latest HJT log, but I've kept backups of a previous scan or 2 before I used "fix it" just in case. Thanks.
     

    Attached Files:

  2. pieman

    pieman Private E-2

    more logs
     

    Attached Files:

  3. pieman

    pieman Private E-2

    Oh, and I just realised I forgot to scan with CounterSpy (damn phone call). Anyway, I just did it and it found a bunch of stuff as well. Why is it everything seems to find some sort of Vundo thing, yet the specific VundoFix or whatnot never finds anything :confused: ... anyway, here's the log from CounterSpy. Sorry again :( ..

    Also attaching a new HJT log after doing the CounterSpy scan.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

    ATTACH THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!!! And then immediately continue on to the below steps.


    Make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {26A2B78E-A408-41A2-980E-CC821AD508E7} - (no file)
    O2 - BHO: (no name) - {36854D58-A796-BF43-C52E-8DCD2D6F82C4} - C:\WINNT\system32\wwvch.dll
    O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
    O2 - BHO: (no name) - {ADE7745C-2BF0-4699-9604-9BC3320604BC} - (no file)
    O2 - BHO: (no name) - {B4689CAA-B461-4CAB-8CDE-9C9F32C61415} - (no file)
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll (file missing)
    O2 - BHO: (no name) - {BE1884AF-19ED-4A79-9520-384CF6612428} - (no file)
    O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Qaucw] C:\DOCUME~1\ADMINI~1\APPLIC~1\APPATC~1\SOOL32~1.EXE
    O4 - HKCU\..\Run: [ozzu] C:\PROGRA~1\COMMON~1\ozzu\ozzum.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} -
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: mllmj - C:\WINNT\

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINNT\system32\wwvch.dll

    Now reboot in normal mode

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey - get the new version first!
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
     
  5. pieman

    pieman Private E-2

    Attaching the first step log file.
     

    Attached Files:

  6. pieman

    pieman Private E-2

    "Select option #2 - Clean by typing 2 and press Enter.
    Wait for the tool to complete and disk cleanup to finish.
    You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter. "


    I'm stuck here: when I hit Y and then Enter to clean the registry, an error popup appears titled "Registry Editor" and it says the following: "Cannot import cleanup.reg:Error accesing the registry."

    Please advise, thanks.

    P.S. I tried 2 times; same error again. I'm attaching the log anyway just in case, but it seems to think the registry cleaning was a success, confused. In the meantime I guess I'll give it another go.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just move on to the rest of my instructions and we will see how things look.
     
  8. pieman

    pieman Private E-2

    OK, well, I did the rest as well as I could. First of all, when I used Fix It in HJT I got this error:

    "An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: )
    Error #5 - Invalid procedure call or argument

    Please email me at merijn@spywareinfo.com, reporting the following:
    * What you were trying to fix when the error occurred, if applicable
    * How you can reproduce the error
    * A complete HijackThis scan log, if possible

    Windows version: Windows NT 5.00.2195
    MSIE version: 6.0.2800.1106
    HijackThis version: 1.99.1

    This message has been copied to your clipboard.
    Click OK to continue the rest of the scan."


    Anyway, it still seemed to run through the rest without problems, I guess. Next problem: I went to delete wwvch.dll and it wasn't there. I even checked that hidden files and folders were on, looked at the properties of a hidden file, and saw the checkbox "hidden" ticked. Then I did a search on C: for wwvch.dll just to be sure and no luck ... anyway, I'll attach the logs.

    I'm still getting and having to kill the resource hungry svchost process in normal boot mode.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    svchost.exe is a valid and necessary system process that you will see running multiple times. As long as it is running from the C:\WinNT\System32 folder as you will see in your HJT log process list, then it is a valid process. You should not be trying to kill it and in most cases the Windows OS will not even let you.

    I'm not sure how you got so badly infected (many, many WinFixer aka Virtumonde infections), but you need to rethink wherever the heck you have been surfing and what you are downloading, especially if you have been using P2P or torrents.


    Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\WINNT\system32\wnsapisu.exe
    C:\WINNT\system32\rgdcbfbr.exe
    C:\WINNT\system32\djtxfvdx.dll
    C:\WINNT\system32\cbaeencv.dll
    C:\WINNT\system32\wxdgnwbk.ini
    C:\WINNT\Downloaded Program Files\CONFLICT.12\UWA6P_0001_N91M1807NetInstaller.exe
    C:\WINNT\Downloaded Program Files\CONFLICT.19\UWA6P_0001_N91M1807NetInstaller.exe
    C:\WINNT\Downloaded Program Files\CONFLICT.24\UWA6P_0001_N91M1807NetInstaller.exe
    C:\WINNT\Downloaded Program Files\CONFLICT.31\UWA6P_0001_N91M1807NetInstaller.exe
    C:\WINNT\Downloaded Program Files\CONFLICT.4\USYP_0002_N91M1708NetInstaller.exe
    C:\WINNT\Downloaded Program Files\CONFLICT.5\USYP_0002_N91M1708NetInstaller.exe
    C:\WINNT\Downloaded Program Files\CONFLICT.57\UWA6P_0001_N91M1807NetInstaller.exe
    C:\WINNT\Downloaded Program Files\CONFLICT.58\UWA6P_0001_N91M1807NetInstaller.exe
    C:\WINNT\Downloaded Program Files\CONFLICT.59\UWA6P_0001_N91M1807NetInstaller.exe
    C:\WINNT\Downloaded Program Files\CONFLICT.6\USYP_0002_N91M1708NetInstaller.exe
    C:\WINNT\Downloaded Program Files\CONFLICT.60\UWA6P_0001_N91M1807NetInstaller.exe
    C:\WINNT\Downloaded Program Files\CONFLICT.61\UWA6P_0001_N91M1807NetInstaller.exe
    C:\WINNT\Downloaded Program Files\CONFLICT.62\UWA6P_0001_N91M1807NetInstaller.exe
    C:\WINNT\Downloaded Program Files\CONFLICT.63\UWA6P_0001_N91M1807NetInstaller.exe
    C:\WINNT\Downloaded Program Files\CONFLICT.64\UWA6P_0001_N91M1807NetInstaller.exe
    C:\WINNT\Downloaded Program Files\CONFLICT.65\UWA6P_0001_N91M1807NetInstaller.exe
    C:\WINNT\Downloaded Program Files\CONFLICT.7\USYP_0002_N91M1708NetInstaller.exe
    C:\WINNT\Downloaded Program Files\CONFLICT.8\USYP_0002_N91M1708NetInstaller.exe
    C:\WINNT\Downloaded Program Files\CONFLICT.9\USYP_0002_N91M1708NetInstaller.exe
    C:\WINNT\Downloaded Program Files\UWAS6_0001_N85M1306NetInstaller.exe
    C:\WINNT\Downloaded Program Files\YazzleActiveX.ocx
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!
     
    Last edited: Jan 5, 2007
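As an added illustration of chaslang's point about svchost.exe (this is example code written for this page, not code from the thread, from HijackThis or from MajorGeeks): the script below reads the "Running processes:" section of a HJT-style log and flags any svchost.exe (or other core system process) that is not running from the System32 folder, comparing paths case-insensitively as Windows does. The sample log text, the SYSTEM32_ONLY list and the C:\WINNT system root are constructed assumptions for this example.

```python
from pathlib import PureWindowsPath

# Core Windows processes that legitimately live only in the system directory.
# Constructed list for this example; extend it for your own environment.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "winlogon.exe",
                 "services.exe", "alg.exe"}

# Constructed HJT-style log excerpt (sample input, not a real log from the thread).
# Two svchost.exe copies are in System32 (valid, as chaslang describes);
# two are in other folders, which is the sign a helper would want flagged.
SAMPLE_HJT_LOG = """\
Logfile of HijackThis v1.99.1
Running processes:
C:\\WINNT\\System32\\smss.exe
C:\\WINNT\\system32\\winlogon.exe
C:\\WINNT\\system32\\services.exe
C:\\WINNT\\system32\\lsass.exe
C:\\WINNT\\system32\\svchost.exe
C:\\WINNT\\System32\\svchost.exe
C:\\WINNT\\system32\\alg.exe
C:\\Program Files\\Common Files\\svchost.exe
C:\\WINNT\\svchost.exe
C:\\Program Files\\QuickTime\\qttask.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
"""


def running_processes(log_text):
    """Return the full paths listed under 'Running processes:' in a HJT log.

    The section ends at the first blank line, which is how HJT separates it
    from the R0/O2/O4... entries that follow.
    """
    lines = log_text.splitlines()
    start = next((i for i, line in enumerate(lines)
                  if line.strip().lower() == "running processes:"), None)
    if start is None:
        return []
    paths = []
    for line in lines[start + 1:]:
        if not line.strip():
            break
        paths.append(line.strip())
    return paths


def check_system_processes(log_text, system_root="C:\\WINNT"):
    """Classify each core-process entry as 'ok' (in System32) or 'suspicious'.

    Returns (verdicts, counts): verdicts maps each listed path to its verdict,
    counts gives how many times each core process name appears, since several
    svchost.exe instances running from System32 is normal.
    """
    expected_dir = str(PureWindowsPath(system_root, "System32")).lower()
    verdicts, counts = {}, {}
    for path in running_processes(log_text):
        wpath = PureWindowsPath(path)
        name = wpath.name.lower()
        if name not in SYSTEM32_ONLY:
            continue  # only core processes have a fixed, known location
        counts[name] = counts.get(name, 0) + 1
        # Windows paths are case-insensitive, so System32 == system32.
        in_system32 = str(wpath.parent).lower() == expected_dir
        verdicts[path] = "ok" if in_system32 else "suspicious"
    return verdicts, counts


if __name__ == "__main__":
    verdicts, counts = check_system_processes(SAMPLE_HJT_LOG)
    for path, verdict in verdicts.items():
        print(f"{verdict:10} {path}")
    print("svchost.exe instances:", counts.get("svchost.exe", 0))
```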
  10. pieman

    pieman Private E-2

    The steps went without a problem at all. As I said, I got one from some wallpaper site I googled or something; it got on just by visiting it ... then from there heaps of popups would appear trying to get me to install more crap, some of them like WinVermins just did it without giving me a choice (this is over months, I guess I just got used to it. It was my gf who complained about too many popups and Spybot warnings and forgetting not to use IE) ... anyway ... it *seems* to be all clear now. I'll take your word on svchost.exe ... I know it's a needed process but it's using more memory than I thought it should. I'll keep an eye on it; right now it doesn't seem to be affecting my system performance like it once did, so I guess it's alright.

    I'll attach my logs. Hopefully this is the end :)
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It looks like either you forgot to do the part with Pocket Killbox or that it did not work properly. Did you get any error messages? We need to repeat some steps and I'm adding some new ones because some items did not get cleaned up. I'll give the new steps further down.

    The amount of memory that svchost.exe will use varies with what function it is actually performing. As I said, it will be seen running multiple times. For example, on my system right now I have 5 of them running:
    Code:
    svchost.exe   SYSTEM            3,288 K
    svchost.exe   SYSTEM            3,488 K
    svchost.exe   SYSTEM           19,008 K
    svchost.exe   NETWORK SERVICE   2,168 K
    svchost.exe   LOCAL ServICE     3,908 K

    Let's continue with your malware cleaning! Make sure to follow these steps exactly and complete them in the order given.


    Start by downloading and installing another new tool we will need -ExplorerXP

    We are going to use it later to delete a bunch of folders. It works something like Windows Explorer but it can show folders and files that Windows Explorer will not show even with hidden & system file viewing enabled.

    Now look in Add/Remove Programs for Outerinfo and uninstall it. If you do not find this, make sure you tell me.

    Also while in Add/Remove Programs, uninstall the CounterSpy trial from the READ & RUN ME. We are finished with it now.

    Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\Documents and Settings\All Users\Application Data\addr_file.html

    C:\WINNT\Downloaded Program Files\vete._ll
    C:\WINNT\system32\rgdcbfbr.exe
    C:\WINNT\system32\djtxfvdx.dll
    C:\WINNT\system32\cbaeencv.dll
    C:\WINNT\system32\wxdgnwbk.ini
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    If you get any error messages or have any problems with running Pocket Killbox make sure you tell me!

    Now after reboot, run ExploreXP and use it to locate the below folders and delete them:

    C:\Program Files\Outerinfo
    C:\WINNT\Downloaded Program Files\CONFLICT.44
    C:\WINNT\Downloaded Program Files\CONFLICT.45
    C:\WINNT\Downloaded Program Files\CONFLICT.46
    C:\WINNT\Downloaded Program Files\CONFLICT.47
    C:\WINNT\Downloaded Program Files\CONFLICT.48
    C:\WINNT\Downloaded Program Files\CONFLICT.49
    C:\WINNT\Downloaded Program Files\CONFLICT.50
    C:\WINNT\Downloaded Program Files\CONFLICT.51
    C:\WINNT\Downloaded Program Files\CONFLICT.52
    C:\WINNT\Downloaded Program Files\CONFLICT.53
    C:\WINNT\Downloaded Program Files\CONFLICT.54
    C:\WINNT\Downloaded Program Files\CONFLICT.55
    C:\WINNT\Downloaded Program Files\CONFLICT.56
    C:\WINNT\Downloaded Program Files\CONFLICT.57
    C:\WINNT\Downloaded Program Files\CONFLICT.58
    C:\WINNT\Downloaded Program Files\CONFLICT.59
    C:\WINNT\Downloaded Program Files\CONFLICT.60
    C:\WINNT\Downloaded Program Files\CONFLICT.61
    C:\WINNT\Downloaded Program Files\CONFLICT.62
    C:\WINNT\Downloaded Program Files\CONFLICT.63
    C:\WINNT\Downloaded Program Files\CONFLICT.64
    C:\WINNT\Downloaded Program Files\CONFLICT.65


    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!

    If some of those files we are trying to delete with Pocket Killbox do not get deleted, we are going to have to look to see if any of them have hooked into explorer.exe, iexplore.exe, or winlogin.exe which makes deleting them more difficult since we have to unhook them first.
     
  12. pieman

    pieman Private E-2

    No, I didn't get any errors using Killbox at all, last time or this time, and I definitely followed the steps as you instructed. Things seem to be good. I've attached the new logs. Hope it's cleaner now :major
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes it is! It worked better this time. However, part of your PurityScan infection came back on Jan 7th. Possibly due to the fact that some of the items I tried to remove the first time did not get removed for some reason. Since they are gone now, it should help to get rid of this last one. Also I had a typo (I left out a minus sign) in the last registry patch I gave to you so it did not fix what we needed to fix. I will give a new patch below.

    First let's clean up what is in the Killbox backup so we can clearly see the result of the next fix.

    Copy the bold text below to Notepad. Save it as fixME.reg to your desktop (yes, we are overwriting the previous file). Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Run Pocket Killbox and select File, Cleanup, Delete All Backups

    Now use Pocket Killbox to delete the below file on reboot:
    C:\WINNT\system32\wnsapisu.exe

    After reboot delete the below left over folders from CounterSpy:
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software


    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!

    I'm going to assume that everything worked and give you the final steps to do, since you need to get started on this ASAP. You need to make sure to get a firewall installed, and this is covered in the link given.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  14. pieman

    pieman Private E-2

    Sorry about taking so long to reply. I made these logs right after I was done with the steps you last posted - everything went smoothly. I installed a software firewall as well right afterwards. My computer has been running great since then, so thanks very much for the time you spent helping me fix it. All the best for the new year :)
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Your logs are clean but you still need to do steps 1 thru 7 of the final steps I gave you in message # 13.
     
