MajorGeeks Support Forums

  #1  
Old 05-20-07, 22:07
huskrthill huskrthill is offline
Private E-2
 
Join Date: May 2007
Posts: 16
Thanks: 0
Thanked 0 Times in 0 Posts
Browser problems, need help!

Hey guys, I could use a little help. I think I have some spyware/adware/malware problems. I keep getting random pop-ups through Internet Explorer, though I very rarely use that browser.

I ran Ad-Aware, Spybot, AVG Anti-Spyware, CCleaner, Panda, etc. I've been reading through everything that I am supposed to do before posting a Hijack This log, and I hope I've done it all correctly. If not, I apologize - let me know what I'm missing. I've attached what I have right now - the HijackThis log is on the way in the next post... Thank you all so much in advance for your help.

Andy
Attached Files
File Type: txt Activescan.txt (4.7 KB, 2 views)
File Type: txt bdscan.txt (22.7 KB, 0 views)
File Type: txt runkeys.txt (20.3 KB, 1 views)
  #2  
Old 05-20-07, 22:09
huskrthill huskrthill is offline
Re: Browser problems, need help!

Here is the Hijack This log. Please let me know what other info you need to help me out.
Attached Files
File Type: log hijackthis.log (5.0 KB, 2 views)
  #3  
Old 05-21-07, 17:10
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 79,735
Thanks: 61
Thanked 7,429 Times in 3,975 Posts
Re: Browser problems, need help!

Welcome to Major Geeks!

Yes, you missed the requested logs from AVG Antispyware and ShowNew. Don't attach them yet. Wait until the end where I request them.

Please attach the AVG AntiSpyware log now but wait until doing the below before attaching a log from ShowNew.

Please run this Virtumonde aka Trojan Vundo Removal but do not attach the VundoFix log right away. Run the procedure multiple times until it comes up not finding anything. Then attach the below logs:
  • the log from AVG AntiSpyware you forgot to attach
  • the final log from VundoFix
  • a NEW GetRunKey log
  • a NEW ShowNew log
  • a NEW HJT log
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


  #4  
Old 05-21-07, 21:47
huskrthill huskrthill is offline
Re: Browser problems, need help!

Here are the logs for AVG and VundoFix. The rest will be on the next post
Attached Files
File Type: txt VundoFix.txt (2.3 KB, 1 views)
File Type: txt avg.txt (2.0 KB, 1 views)
  #5  
Old 05-21-07, 21:57
huskrthill huskrthill is offline
Re: Browser problems, need help!

Here are the GetRunKey, ShowNew, and HJT logs.

Thank you again very much for your help!!

-Andy
Attached Files
File Type: txt newfiles.txt (34.0 KB, 1 views)
File Type: txt runkeys.txt (19.1 KB, 1 views)
File Type: txt hijackthis.txt (4.8 KB, 2 views)
  #6  
Old 05-21-07, 22:25
chaslang chaslang is offline
Re: Browser problems, need help!

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Kazaa Lite K++ v2.4.3 <-- should have been uninstalled in step 0 of the READ ME

Make sure you reboot after uninstalling the above!

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {1AE65072-5D99-4A3C-AD6F-75034E44C013} - C:\WINDOWS\system32\efccyxu.dll (file missing)
O2 - BHO: (no name) - {AB050E9D-BBBA-4936-894A-54FC1B19A1CB} - C:\WINDOWS\system32\mljjg.dll (file missing)
O20 - Winlogon Notify: efccyxu - efccyxu.dll (file missing)
O20 - Winlogon Notify: winmmz32 - winmmz32.dll (file missing)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\Program Files\Common Files\Totem Shared\Update\WindowsEx.dll.041
C:\Program Files\Mozilla Firefox\plugins\npclntax.dll
C:\WINDOWS\system32\efccyxu.dll
C:\WINDOWS\system32\winmmz32.dll
C:\WINDOWS\system32\bmuorrip.ini

Now run Ccleaner

Now reboot in normal mode
Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
Quote:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=-
[HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\ShellExecuteHooks]
"{1AE65072-5D99-4A3C-AD6F-75034E44C013}"=-
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\efccyxu]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winmmz32]

  1. Download this file - combofix.exe
  2. Double click combofix.exe & follow the prompts.
  3. When finished, it will produce a log for you. Attach this log to your next reply
Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Now attach the below new logs and tell me how the above steps went.
  1. ComboFix
  2. GetRunKey
  3. ShowNew
  4. HJT
Make sure you tell me how things are working now!


Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
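Added example, not part of the original post: the O2 and O20 lines marked (file missing) above are autostart registrations whose DLL is no longer on disk. The sketch below pulls such entries out of a HijackThis log and names the registry key behind each one. The Browser Helper Objects key path and the last sample line are assumptions supplied for illustration; the other four log lines are the ones quoted in the post.

```python
import re

HKLM = "HKEY_LOCAL_MACHINE\\Software\\Microsoft"
# Registry locations that HijackThis sections O2 and O20 report on.
BHO_KEY = HKLM + "\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects"
NOTIFY_KEY = HKLM + "\\Windows NT\\CurrentVersion\\Winlogon\\Notify"

MISSING = r"(?P<missing> \(file missing\))?$"
O2 = re.compile(
    r"O2 - BHO: .*? - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+?)" + MISSING)
O20 = re.compile(
    r"O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)" + MISSING)

# First four lines are quoted from the thread; the last one is constructed
# to show that an entry whose file still exists is not reported.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1AE65072-5D99-4A3C-AD6F-75034E44C013} - C:\WINDOWS\system32\efccyxu.dll (file missing)
O2 - BHO: (no name) - {AB050E9D-BBBA-4936-894A-54FC1B19A1CB} - C:\WINDOWS\system32\mljjg.dll (file missing)
O20 - Winlogon Notify: efccyxu - efccyxu.dll (file missing)
O20 - Winlogon Notify: winmmz32 - winmmz32.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
"""

def orphaned_entries(log_text):
    """Return (section, registry key, dll path) for entries whose file is gone."""
    found = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2.match(line)
        if m and m["missing"]:
            found.append(("O2", BHO_KEY + "\\" + m["clsid"], m["path"]))
            continue
        m = O20.match(line)
        if m and m["missing"]:
            found.append(("O20", NOTIFY_KEY + "\\" + m["name"], m["path"]))
    return found

if __name__ == "__main__":
    for section, key, dll in orphaned_entries(SAMPLE_LOG):
        print(section, key, "->", dll)
```

The two O20 keys it reports are the same Winlogon\Notify subkeys that the fixME.reg file in the post deletes.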
  #7  
Old 05-22-07, 18:04
huskrthill huskrthill is offline
Re: Browser problems, need help!

Ok, I went through step by step... there were a couple of things that you asked me to delete that I was unable to find:

C:\Program Files\Mozilla Firefox\plugins\npclntax.dll
C:\WINDOWS\system32\efccyxu.dll
C:\WINDOWS\system32\winmmz32.dll


I did everything else, though. Here are the new logs. The Hijack This log will be in the next post.

So far, things seem to be running pretty well. You are very good at what you do!

Thanks,
Andy
Attached Files
File Type: txt combofix.txt (5.8 KB, 2 views)
File Type: txt runkeys.txt (18.4 KB, 2 views)
File Type: txt newfiles.txt (32.2 KB, 3 views)
  #8  
Old 05-22-07, 18:07
huskrthill huskrthill is offline
Re: Browser problems, need help!

Here is the Hijack This log. As I mentioned, things are looking pretty good so far. I'm hoping that you've solved my problem. How does it look?

Thanks,
Andy
Attached Files
File Type: log hijackthis.log (4.5 KB, 2 views)
  #9  
Old 05-22-07, 22:09
chaslang chaslang is offline
Re: Browser problems, need help!

Your main problems are fixed. However, it looks like ComboFix may not have removed folders from a PurityScan infection I was hoping it would remove. Please download the latest version of ShowNew which was just updated. Use it to get a new log and attach the log. Then I will give you manual removal steps based on what I see in the log.
  #10  
Old 05-23-07, 13:08
huskrthill huskrthill is offline
Re: Browser problems, need help!

Here is the ShowNew log.

Thanks!
Andy
Attached Files
File Type: txt newfiles.txt (32.3 KB, 2 views)
  #11  
Old 05-23-07, 13:36
chaslang chaslang is offline
Re: Browser problems, need help!

Please delete the below folders.

Note that the question marks represent unprintable characters that were found during the scans, but they may appear to you as normal characters when you locate them using Windows Explorer. I will add comments in RED next to each item. BE VERY CAREFUL and note the date of the folders which will help you to locate them. You must take care to only delete the folder names matching this date. If you are unsure then do not delete. There are valid folder names like these that will appear in Windows Explorer. The malware is corrupting the bad folder names so that they look to be valid names in Windows Explorer, but as you can see from the listing below, the names have illegal characters in them (the ? and the ą):
Code:
"C:\Program Files\Common Files\"
ąDOBE         May  7 2007              "ądobe"  <-- may look like adobe or Adobe
 
"C:\WINDOWS\"
SSTEM~1       May  7 2007              "s?stem"   <-- may look like system
SSTEM3~1      May  7 2007              "s?stem32"   <-- may look like system32
After deleting these, attach a new log from ShowNew.

How is everything working?
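Added example, not part of the original post: one way to flag folder names like the ones listed above, which render like a trusted name but contain a non-ASCII or non-printable character. The list of protected names and the sample names are constructed for illustration; the exact characters the malware used in this case are not known from the thread.

```python
import unicodedata

# Names the thread says were imitated; extend for your own environment.
PROTECTED = ("adobe", "system", "system32")

# Constructed sample: genuine names next to lookalikes.
SAMPLE = ["Adobe", "\u0105dobe", "system", "s\u0443stem",
          "system32", "s\ufffdstem32", "caf\u00e9"]

def fold(name):
    """Casefold and strip diacritics. None marks a character that is
    still non-ASCII or non-printable after folding."""
    out = []
    for ch in unicodedata.normalize("NFKD", name):
        if unicodedata.combining(ch):
            continue  # drop accents such as the ogonek in U+0105
        ch = ch.casefold()
        out.append(ch if ch.isascii() and ch.isprintable() else None)
    return out

def impersonates(name):
    """Return the protected name that `name` imitates, or None.
    A genuine, purely printable-ASCII name is never flagged."""
    if name.isascii() and name.isprintable():
        return None
    folded = fold(name)
    for target in PROTECTED:
        # An unknown character (None) is allowed to stand in for any letter.
        if len(folded) == len(target) and all(
                f is None or f == t for f, t in zip(folded, target)):
            return target
    return None

def scan(names):
    """Map each suspicious name to the protected name it resembles."""
    hits = {}
    for n in names:
        target = impersonates(n)
        if target:
            hits[n] = target
    return hits

if __name__ == "__main__":
    for name, target in scan(SAMPLE).items():
        print(ascii(name), "imitates", target)
```

Printing with ascii() shows the escaped code points, which avoids the rendering problem the post warns about when the names are viewed in Windows Explorer.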
  #12  
Old 05-23-07, 19:31
huskrthill huskrthill is offline
Re: Browser problems, need help!

I deleted those folders. Here is the new log.

Everything seems to be running fine now. I haven't had a random pop-up in quite a while. I'll say it again - you're definitely good at what you do. Is this a full time paying job for you? Or do you just do this out of the goodness of your heart?

Thanks!
Andy
Attached Files
File Type: txt newfiles.txt (32.3 KB, 2 views)
  #13  
Old 05-23-07, 23:26
chaslang chaslang is offline
Re: Browser problems, need help!

Quote:
Originally Posted by huskrthill
I'll say it again - you're definitely good at what you do.

Thanks!

Quote:
Originally Posted by huskrthill
Is this a full time paying job for you? Or do you just do this out of the goodness of your heart?

No and yes!

Quote:
Originally Posted by huskrthill
Thanks!

You're welcome Andy!

Now on to the final steps!

Your log is clean. If you are not having any other malware problems, it is time to do our final steps:
  1. If we used Pocket Killbox during your cleanup, do the below
    • Run Pocket Killbox and select File, Cleanup, Delete All Backups
  2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, and the C:\combofix.txt log that was created.
  3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
  4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
  5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
  6. If we had you run Avenger, you can delete all files related to Avenger now.
  7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
  8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
  9. If you are running Windows XP or Windows ME, do the below:
    • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
  10. After doing the above, you should work thru the below link:
  #14  
Old 05-25-07, 20:37
huskrthill huskrthill is offline
Re: Browser problems, need help!

Thanks again, Chaslang. Everything is all better now!
  #15  
Old 05-25-07, 21:03
chaslang chaslang is offline
Re: Browser problems, need help!

You're welcome. Surf safely!
All times are GMT -5. The time now is 21:17.

