Serious Malware issue

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by LiveFree, Feb 22, 2008.

  1. LiveFree

    LiveFree Private E-2

    I've been trying to fix my System Defender problem by reading through one of your forums (# 1111091) to no avail. I've downloaded and tried to run all of the software in the "read me first" thread. Today is Feb 22nd, and the problems started on Feb 20th when I downloaded an executable from a now obviously unscrupulous source. Last night I was still able to do a system restore, but I have now lost that ability, as well as the ability to print, do a search of files through Windows Explorer, and who knows what all else. Combofix would not run. After double-clicking it did say "the publisher could not be verified"; after clicking OK... nothing. I had Spybot running before the infection; however, it would not run after. I uninstalled it and downloaded the version from your site, and that will not run either. Same with SuperAntiSpyware. analyse.exe and Avenger worked, and I'm attaching the log files.

    My symptoms are numerous and appear to be getting worse. At the heart of the problem is the X in the red circle in the system tray that pops up a "you have been infected" message constantly. It appears numerous programs on my system are affected as well, as I mentioned above. I wasn't even able to post a new thread or add attachments until I decided to abandon IE and switched to Firefox.

    Please please please help me.

    -Jake
     

    Attached Files:

  2. LiveFree

    LiveFree Private E-2

    Wow... glad to see the thread exists... when I clicked Submit it told me "Invalid Thread specified. If you followed a valid link, please notify the administrator".
     
  3. abri

    abri MajorGeek

    Hi livefree,
    Welcome to Major Geeks!


    To begin with, please run SmitFraudFix, which is in the thread called Removing Zlob aka SmitFraud, SpySheriff, Infections. This will produce two logs, both called rapport.txt. Please attach the first rapport.txt here before continuing with the cleaning procedures, or the second log will overwrite the first.

    Thanks.
    abri
     
  4. LiveFree

    LiveFree Private E-2

    OK... downloaded and ran as requested. I attached the log files; however, I did see errors when running. I wasn't able to copy them, but I was able to Google them and found the same errors elsewhere. Essentially two files required by SmitFraudFix were not found: processlist.vbs and process.txt. There is also at least one other file, a .vbs file, that came up not found when first run, but it scrolls off too quickly. The only files I have in the SmitF*** folder are .exe and one .cmd.

    Some additional info since yesterday. After I posted the thread, and before I got your response, I tried numerous times using Avenger and analyse to clean things up; therefore I'm attaching a new HJT log file as well.

    As stated, I wasn't able to get Spybot, AVG, and Combofix to run; however, I was able to run Spyware Terminator (which I downloaded from download.com, and which was fairly well rated). I don't know if that will help at all. It has detected multiple criticals that I was able to clean up.

    I really appreciate your help, and look forward to using the forums more in the future for more fun tasks, like installing Linux for one.

    -Jake
     

    Attached Files:

  5. LiveFree

    LiveFree Private E-2

    It wouldn't allow me to upload the MGtools.zip file again because I already have one attached to this thread... here's the hijackthis.log file.
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi LiveFree,
    There's no reason why you can't upload the MGlogs.zip if they are a different set of logs. Please try that again. I can work on a fix based on your first set, but it won't be as accurate. You do have some malware that needs fixing.

    Also, it looks like you haven't run CCleaner. This needs to be done. Double-click on the CCleaner icon. The window which opens when you double-click on the icon is the default setting and will show the Windows tab as the one on top. Click on the Run Cleaner button in the lower right hand corner and say OK when it gives the warning.
    abri
     
  7. abri

    abri MajorGeek

    Hi LiveFree,

    Please skip the last post and go ahead and do the following:

    1) Go to add/remove programs and uninstall the below:

    - Viewpoint Media Player


    2) Run C:\MGtools\analyse.exe by double-clicking on it. This is really HijackThis. Select "Do a system scan only", then select the following lines, but DO NOT CLICK FIX until you exit all browser sessions, including the one you are reading in right now:

    O2 - BHO: (no name) - {182C7ED7-E56D-4509-9D9B-AC49318D9895} - C:\WINDOWS\system32\ddcyabb.dll
    O2 - BHO: (no name) - {65DB152C-2671-4617-A4CA-ACB631F52DBD} - C:\WINDOWS\system32\jkkji.dll
    O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvbim.dll,startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
    O4 - HKLM\..\Run: [braviax] braviax.exe
    O4 - HKLM\..\Run: [24a71cd3] rundll32.exe "C:\WINDOWS\system32\yayufbvc.dll",b
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
    O20 - Winlogon Notify: ddcyabb - C:\WINDOWS\SYSTEM32\ddcyabb.dll
    O20 - Winlogon Notify: wineij32 - C:\WINDOWS\SYSTEM32\wineij32.dll

    After you click fix, just close hijackthis.


    3) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    4) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
    Last edited: Feb 24, 2008
  8. LiveFree

    LiveFree Private E-2

    Wow... so far so good. I'm still going to reboot a couple times and run the checks and see if I can find anything suspicious, but the symptoms appear to be gone so far.

    There are a couple of problems that I have noticed still remain with IE. It won't open the print dialog box. It also appears to be stuck trying to use the old version of Java... One of the recommendations I saw was to update to the version from Sun. Could this be why your "manage attachments" button doesn't appear in IE but does in Firefox?

    In the logs you'll probably see a few items not found that I was able to kill earlier today. Thanks a ton! You guys/ladies are awesome. I'm looking forward to sticking around and using the forums and stuff.

    -Jake

    In about an hour or so I'll post the logs after I do some reboots, and checking.
     

    Attached Files:

  9. abri

    abri MajorGeek

    Hi LiveFree,

    Your computer is still infected. Please continue as follows:

    Please delete everything in the following folder that your computer allows you to delete:

    C:\WINDOWS\Temp

    After you finish, run CCleaner in the default setting with the Windows tab as the one on top.

    I would like for you to run Avenger again, only this time use the contents of this box:
    After you run Avenger, please run either CCleaner or ATF Cleaner to remove all the files from the trash.

    And finally run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    abri
     
  10. LiveFree

    LiveFree Private E-2

    Done as requested... In running various checks (I don't recall which one), I came across what I think was the Vundo trojan. I'm guessing they were there before the spyware. I think that I was able to remove it. I'm no longer having any trouble installing or using any of the tools. I have SuperAntiSpyware and AVG Anti-Virus running.

    Attaching logfiles.

    -jake
     

    Attached Files:

  11. abri

    abri MajorGeek

    Hi LiveFree,

    Please disable your guest account if this hasn't already been done.

    After you finish, please run CCleaner at the default setting with the Windows tab as the one on top.

    Then continue as follows:

    1) Do you know what this service is? If not, I will ask you to disable it via services.msc and then have hijackthis fix it. Please let me know so I can post those instructions to you.

    O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)


    2) I missed one entry with Avenger. Please run Avenger again, only use the contents of this box:
    3) Now run CCleaner again.

    4) Download and install Erunt. Use it to create a backup of your registry.

    5) Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as type" is set to "All files". Once you have saved it, double-click it and allow it to merge with the registry.
    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
  12. LiveFree

    LiveFree Private E-2

    Abri,

    OK, ran everything as requested; however, I was not able to disable the user account. When I double-click on User Accounts in Control Panel, a blank dialog window opens. Basically the same thing happens when I try to do the system restore under msconfig. When running GetLogs.bat I get the following error:
    ProcessDll.exe - Application Error
    The application failed to initialize properly (0xc00000135). Click ok to terminate the application.

    I'm starting to think that even if I get the system clean, there has already been damage done, and I might be best off reloading Windows. One other symptom that remains is that the time it takes to start loading a webpage after clicking a link can be very long. I really appreciate your help, and I'm learning a ton.

    -Jake
     

    Attached Files:

  13. abri

    abri MajorGeek

    Hi LiveFree,

    Your MGlogs were okay despite the error.

    As for system restore, are you able to use System Restore using the method described in the following website? http://www.bleepingcomputer.com/tutorials/tutorial143.html

    I'm not sure what you are running into in these cases and I would like to look into it before you do anything drastic.

    abri
     
  14. LiveFree

    LiveFree Private E-2

    Abri,
    Sorry for the long delay, but I wanted to wait until just before I go to work so I won't be messing with the system in between our messages. I'll be at work until 7:30am Central time Thursday morning, and if I still haven't heard from you I won't touch the system for another 8 or so hours while I sleep.

    As stated before, it looks like the majority of the bad stuff is off the computer; however, there is still one item that keeps popping up in HJT. It is:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{8363639F-D511-4AAA-8ACD-31CFD4FCF549}: NameServer = 68.94.156.1 151.164.8.201

    I have removed this a number of times. Once it's been cleaned it doesn't show up again until I open either IE or Firefox, and shortly after that 4 .tmp files show up in the WINDOWS\TEMP folder. If I kill it in HJT, then I have to reconnect my DSL to go to any new pages, as the browser no longer sees the internet connection. This may be the last piece of spyware/trojan/malware remaining.

    Also, right after your last message I ran SuperAntiSpyware (attaching the logs), and it found numerous items; however, after it corrected them, the scans have come back clean the next few times I ran it.

    As far as what I'm perceiving as damage to the system... No matter how I open the "System Restore" dialog (either Start menu or msconfig), it opens, but to a blank white screen. The same thing with the "User Accounts" dialog screen, and despite reloading Yahoo Messenger, its text window is also blank. I see the message as I type it, but the window where it displays my messages and replies remains blank.

    Also, despite downloading Flash 9, it doesn't appear to be working, as I receive messages saying Flash is not installed on webpages that use Flash. This could be due to the spyware or possibly due to me killing stuff a couple of days ago.

    Also, I have received that same error message from GetLogs.bat every time I've run it, both before I mentioned it in the thread and each time since. The error message within the cmd.exe window is "Could Not Find c:\Documents and Settings\Jake\Desktop\procdll.txt".

    Again... thanks a ton for your help.

    -Jake
     

    Attached Files:

  15. abri

    abri MajorGeek

    Hi LiveFree,

    Please go to http://samspade.org/ and enter both of the IP addresses in the O17 HijackThis line (68.94.156.1 and 151.164.8.201) into the whois window and look at the information about them. You may be fixing something that should not be fixed.

    As for the white screens, I expect you are missing files. I am looking for more information as to whether the blank screens you're getting might be related to the Avenger error you're getting.

    abri
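    The fix list in post 7 (plus the O23 PsExec line in post 11) and the O17 caution above come down to one question: which HijackThis lines are safe to fix and which need checking first. The script below is an added example written for this page, not code from MajorGeeks, abri or HijackThis. It parses the lines quoted in the thread (copied into a constructed sample log) and applies a few triage rules: unnamed BHOs, Run entries with random hex names or bare file names, unknown Winlogon Notify packages and orphaned services are marked "remove"; rundll32 loaders, AppInit_DLLs and O17 NameServer entries are marked "verify", because an ISP's own resolvers look identical to a DNS hijack in the log. The KNOWN_RUN and KNOWN_NOTIFY allow-lists and the expected_dns parameter are this example's own assumptions.

```python
"""Triage of HijackThis (HJT) log lines before pressing "Fix checked".
Added example for this thread, not MajorGeeks' or HijackThis' own code; the
allow-lists and the expected_dns parameter are this example's assumptions."""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Set

# Sample log constructed from the lines quoted in posts 7, 11 and 14 of the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {182C7ED7-E56D-4509-9D9B-AC49318D9895} - C:\WINDOWS\system32\ddcyabb.dll
O2 - BHO: (no name) - {65DB152C-2671-4617-A4CA-ACB631F52DBD} - C:\WINDOWS\system32\jkkji.dll
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvbim.dll,startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\Run: [24a71cd3] rundll32.exe "C:\WINDOWS\system32\yayufbvc.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{8363639F-D511-4AAA-8ACD-31CFD4FCF549}: NameServer = 68.94.156.1 151.164.8.201
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 - Winlogon Notify: ddcyabb - C:\WINDOWS\SYSTEM32\ddcyabb.dll
O20 - Winlogon Notify: wineij32 - C:\WINDOWS\SYSTEM32\wineij32.dll
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
"""

# Assumed-benign Run entries (QuickTime, Java updater, Messenger) and the Winlogon
# Notify packages that ship with Windows XP or with common display drivers.
KNOWN_RUN = {"qttask.exe", "jusched.exe", "msmsgs.exe"}
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule", "sclgntfy",
                "senslogn", "termsrv", "wlballoon", "wgalogon", "dimsntfy", "igfxcui", "atiextevent"}
HEXNAME = re.compile(r"^[0-9a-f]{6,}$")        # random value names such as 24a71cd3
IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")

@dataclass
class Finding:
    section: str   # O2, O4, O17, O20 or O23
    item: str      # the DLL, command, resolver list or service the line names
    verdict: str   # "remove", "verify" or "ok"
    reason: str

def _base(path: str) -> str:                   # lower-cased file name of a Windows path
    return path.strip('"').split("\\")[-1].lower()

def _triage_run(value: str, cmd: str) -> Finding:
    tokens = shlex.split(cmd, posix=False)     # posix=False keeps backslashes and quotes intact
    exe, args = tokens[0].strip('"'), " ".join(tokens[1:])
    if HEXNAME.match(value):
        return Finding("O4", cmd, "remove", "random hex value name")
    if _base(exe) == "rundll32.exe":           # loader: the DLL before the comma is the payload
        dll, _, entry = args.rpartition(",")
        return Finding("O4", dll.strip('"'), "verify", f"rundll32 calls export {entry!r}; check the DLL's publisher")
    if "\\" not in exe:                        # bare name resolved through PATH, no install directory
        return Finding("O4", cmd, "remove", "bare file name with no install path")
    verdict = "ok" if _base(exe) in KNOWN_RUN else "verify"
    return Finding("O4", exe, verdict, "program started at logon; check its publisher if unlisted")

def _triage_bho(rest: str) -> Finding:
    parts = [p.strip() for p in rest[len("BHO:"):].split(" - ")]   # name, {CLSID}, dll path
    verdict = "remove" if parts[0] == "(no name)" else "verify"
    return Finding("O2", parts[-1], verdict, f"browser helper object {parts[0]}; legitimate BHOs carry a name")

def _triage_o20(rest: str) -> Finding:
    kind, _, tail = rest.partition(":")
    if kind == "AppInit_DLLs":                 # injected into every process that loads user32.dll
        return Finding("O20", tail.strip(), "verify", "AppInit_DLLs is rarely legitimate on XP")
    pkg, _, dll = tail.partition(" - ")        # "Winlogon Notify: <package> - <dll>"
    verdict = "ok" if pkg.strip().lower() in KNOWN_NOTIFY else "remove"
    return Finding("O20", dll.strip(), verdict, f"Winlogon Notify package {pkg.strip()!r}")

def _triage_dns(rest: str, expected: Set[str]) -> Finding:
    servers = IPV4.findall(rest)
    if servers and set(servers) <= expected:
        return Finding("O17", " ".join(servers), "ok", "resolvers match the DHCP-issued/ISP set")
    return Finding("O17", " ".join(servers), "verify", "whois each resolver first; an ISP's own servers are not a hijack")

def _triage_service(rest: str) -> Finding:
    name = rest[len("Service:"):].split(" - ")[0].strip()    # "<display name> (<service name>)"
    if "(file missing)" in rest:
        return Finding("O23", name, "remove", "service registration whose binary is gone")
    return Finding("O23", name, "verify" if "Unknown owner" in rest else "ok", "check the service binary's publisher")

def triage_line(line: str, expected_dns: Set[str] = frozenset()) -> Optional[Finding]:
    section, _, rest = line.strip().partition(" - ")
    if section == "O2" and rest.startswith("BHO:"):
        return _triage_bho(rest)
    if section == "O4":
        m = re.match(r"[^:]+: \[([^\]]*)\] (.*)", rest)
        return _triage_run(m.group(1), m.group(2)) if m else None
    if section == "O17":
        return _triage_dns(rest, expected_dns)
    if section == "O20":
        return _triage_o20(rest)
    if section == "O23" and rest.startswith("Service:"):
        return _triage_service(rest)
    return None                                # other sections are left to the human reading the log

def triage_log(text: str, expected_dns: Set[str] = frozenset()) -> List[Finding]:
    found = (triage_line(ln, expected_dns) for ln in text.splitlines())
    return [f for f in found if f is not None]
```

    Run `triage_log(SAMPLE_LOG)` and the two unnamed BHOs, the braviax and 24a71cd3 Run values, both Winlogon Notify DLLs and the orphaned PSEXESVC service come back "remove", matching what abri had fixed; the MSDrive rundll32 loader, the AppInit_DLLs entry and the O17 line come back "verify". Passing the resolvers your DHCP lease actually handed out as expected_dns (on XP they sit in the DhcpNameServer value under the same Tcpip\Parameters\Interfaces\{GUID} key) turns the O17 verdict into "ok", which is the check Jake's whois lookup in post 16 amounted to. PSEXESVC is the service Sysinternals PsExec registers when it runs; on a single home PC the question is who ran PsExec against it.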
     
  16. LiveFree

    LiveFree Private E-2

    Yeah... I see what you mean. Guess I know just enough to be dangerous. Let me know what, if anything, can be done about the apparent missing files. This has been an awesome learning experience for me, but since I haven't done a fresh install in a couple of years, I think it may be time. Figured out anything for the other problems I'm having?
     
  17. abri

    abri MajorGeek

    Hi LiveFree,

    The Avenger error you're getting is because you don't have the Microsoft .NET Framework software installed, which is part of the Windows updates.

    See if you can delete that one file C:\WINDOWS\system32\winistr.exe directly from Windows Explorer. If not, you can either try installing the missing updates or I can have you delete it using Combofix.

    As for the blank screens, try the following: (thanks Matacumbie!)

    Go to Start > Run and type or paste each of the following commands, one at a time while pressing enter after each one. See if it solves the blank screens.

    regsvr32 jscript

    regsvr32 vbscript

    regsvr32 /i mshtml


    Let me know how the above goes.
    abri
     
  18. LiveFree

    LiveFree Private E-2

    I think SuperAntiSpyware deleted the winistr file, because it's no longer there. Still no recurrence of spyware; however, the internet is still running very slow. The first 2 reg commands you gave me worked; however, the third gave me this message:
    "mshtml was loaded, but the DllRegisterServer entry point was not found.
    mshtml does not appear to be a .DLL or .OCX file."

    System Restore, User Accounts, and even Yahoo no longer have the blank screens. I think it even fixed some of what was slowing up my computer, but as I mentioned it does seem to still be a little slow. AVG and SuperAS would slow things down, I suppose... maybe it's just that.

    Flash still doesn't work with IE, but does with Firefox. I may try to troubleshoot that through Adobe then... I did read some of their troubleshooting while at work last night.

    I still think I'm overdue to reload windows, but I think I'll hold off for a little bit until I can get a hold of a newer copy or who knows... maybe even buy it! LOL After all... Looking for a crack for Office XP pro is what got me into all this trouble.

    All in all, things are much improved, and again I really appreciate your help.

    -Jake
     
  19. abri

    abri MajorGeek

    Hi LiveFree,
    I think there might be a definition problem here in our communication. I only gave you one registry patch (REGEDIT4), but also 2 Avenger fixes which had registry entries in them. In which case did you get the error message? Was it the last time you tried to run Avenger? Or was it when you tried to run the registry patch (REGEDIT4) in post 11?

    I don't know if there's further malware in your system, but I would like for you to run one of the online scans if you think your browser will be adequate for this. The scan is a free scan which BitDefender does, but it can only be run using Internet Explorer. You can find the instructions for this scan here: Using BitDefender Online Scan

    If you're able to run this, please get the log as per the instructions and attach it to your next post.

    Thanks.
    abri
     
