Still need help - think I've followed directions

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by stylcouncl, Nov 21, 2004.

  1. stylcouncl

    stylcouncl Private E-2

    I got infected. Multiple problems. Have had the about:blank thing for a long time but all of a sudden went to a site that started downloading stuff and I couldn't stop it. Now I've got the black screen with Warning! You're in danger... Somehow my wireless network drivers were lost and I couldn't get to the web, had all these annoying pop-ups, the dog icon, some turkey thing... Am running Windows XP - Tried to follow the directions as posted here including safe mode with networking (reloaded network drivers) - installed and ran all of the spyware software in order and lots of files were manipulated (over 450 with the first Ad-Aware scan). Each time I scan, it seems a few more things are identified. I did HijackThis but may have messed up not closing everything down on the taskbar and loading it to the desktop. Ran an auto scan on another site and deleted the ones that were "Nasty". Had some others denoted as Nasty but it said don't fix them, try to get rid of them with LSPFix from cexx.org, which I ran but it didn't seem to matter. I ran HijackThis again and deleted a bunch of stuff at the end (Unknown entries) but things didn't change and they were all there again on the next post-reboot scan. So, where do I go from here? Thanks. Steve (Stylcouncl@aol.com)
     
  2. stylcouncl

    stylcouncl Private E-2

    Also, when searching through the Windows/System32/dll cache... I noticed agentsvr.exe with an icon that looks suspicious. Is this part of the problem? I went in there thinking I should delete the dll files that the HijackThis analysis labeled as nasty but didn't, thinking I might cause more harm than good.
     
  3. stylcouncl

    stylcouncl Private E-2

    Bump ^^ for help... please
     
  4. PhilliePhan

    PhilliePhan Guest

    Hi Steve,

    Sounds like you have a mess on your hands!

    Please go ahead and send us a HijackThis Log and let's see where you stand. That should tell us how you should proceed. Make sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt file and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    Send us a log and we'll go from there ;) I'll try to check back when I get a chance, but I'm tied up with work right now. Hang in there!

    Best,
    PP
     
  5. stylcouncl

    stylcouncl Private E-2

    OK, well, the infection goes deep. The dreaded black screen only appears when logged in as "owner" and not on one of the kids' login names. There remains an evil dog icon with something about cashback that comes back even after you exit. I think I expunged him. In My Computer, I noted several exe files that are dated infestation day and seem suspicious: "purity", "sysman" and "soft". I deleted them but I'm sure they'll return. I've tried to attach my HijackThis log using the Manage Attachments tool but I get an error message with server not found, then I copied and pasted it into the reply but again got an error message when I tried to post it, so now I'll try using the quick reply.
     
    Last edited by a moderator: Nov 27, 2004
  6. PhilliePhan

    PhilliePhan Guest

    Hi Steve,

    A couple of things before we get started:
    Is that your entire HJT Log?
    How many different User Accounts are on your machine? We should probably look at them all.

    For this HJT Log:
    You have a few items that we need to deal with. However, before we do that, please download this tool: http://www.cexx.org/lspfix.zip

    Now, run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the calsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move calsp.dll into the Remove section.

    Please do the same for aklsp.dll

    Then, click the Finish Button. When the Repair Summary box appears, click OK.

    Now, Reboot and then scan with HijackThis and attach that log and we’ll attack the other problems. Chaslang or I will take a look when we get a chance.


    Best :)
    PP
     
  7. stylcouncl

    stylcouncl Private E-2

    Sorry about the long delay. I hope I haven't lost the opportunity for further assistance. I did run LSP-Fix but neglected to delete the dll files you specified. I didn't have your response with me at the time so I'll go do that tonight. I was hoping that, with that in mind, the new HijackThis logs would still be relevant. As you suggested I ran a separate log for each user on the machine. O is owner, which is the administrative login and seems to be the worst one. That is the one with the black overlay warning screen on the desktop; the others don't have that. Thanks. Steve stylcouncl@aol.com
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    stylcouncl,

    Please post HJT logs as they are created. That is, as .log files. Please do not post them as .doc files. They are easier to work on when viewed in Notepad rather than in Word.


    Each of the logins still has the problem that Phillie pointed out with the O10 lines:

    O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll


    Fix them as requested with LSP-Fix and delete the files in safe mode.


    Then get the latest version of HijackThis 1.99 and post a new log file for each (as a .log file).

    Also on your admin account, look in Add/Remove programs for an uninstall to CashBack. If found, uninstall it.

    Note: Your current logs do not look like complete logs. They all end at the O10 lines which is not usually the case. This would also mean that you have never completed the required prerequisites for posting HJT logs and that is the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    I know you mentioned possibly having problems with this but you really should try to complete that thread including the online scanners (even if you have to do them in normal boot mode). Make sure you update each program. They have changed since you were last here.
     
    Last edited: Dec 21, 2004
  9. stylcouncl

    stylcouncl Private E-2

    OK, I redownloaded and updated all of the scanner/cleaner files as described in the sticky thread. I really had done them all the first time although my HijackThis logs may not have reflected that. This time through, it seemed more things were identified and deleted. The most obvious remaining issue is that the owner/administrator logon background screen continues to have a black overlay screen that says Warning... you may be infected.... I reran the HijackThis logs for the 3 different users with the latest HijackThis app and will attach them below as native log files. Thanks again guys. For some reason, 2 of the logs won't upload so I'll try to generate them again and send them in the next post. Steve
     
  10. stylcouncl

    stylcouncl Private E-2

    Second log, I hope
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You MUST put HijackThis back into the proper directory. You are now running it from the ZIP file. That is a bad thing. You will not get backups. Put it in c:\Program Files\HJT where we had you put it the first time. Do this before continuing!!!

    Notice that the logs are longer now! They have information beyond the O10 lines that we already fixed.
     
  12. stylcouncl

    stylcouncl Private E-2

    Third log (it seemed it wouldn't upload because the .log file extension had dropped off; once I renamed it with the .log it opened and uploaded fine). Hope this is useful. Steve
     
  13. stylcouncl

    stylcouncl Private E-2

    Fast response. OK, I'll replace the HijackThis and rerun.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Make sure you locate it correctly then do the below for the O account:

    You need to uninstall SpyBlocs! It is on a list of rogue/suspect spyware removal tools and is doing you more harm than good.
    O4 - HKLM\..\Run: [SpyBlocs] C:\PROGRA~1\SpyBlocs\SpyBlocs.exe

    REMEMBER TO: Always exit browsers before using HJT. It can cause problems getting fixes to work.

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    C:\WINDOWS\System32\Qcv.exe
    C:\WINDOWS\System32\??chost.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O4 - HKLM\..\Run: [Win32SystemMonitor] C:\WINDOWS\System32\Bfv.exe
    O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
    O4 - HKCU\..\Run: [Win32SystemMonitor] C:\WINDOWS\System32\Bfv.exe
    O4 - HKCU\..\Run: [Ine] C:\WINDOWS\System32\??chost.exe
    O15 - Trusted IP range: 67.19.178.84
    O15 - Trusted IP range: (HKLM)

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\Bfv.exe
    C:\WINDOWS\Temp\WTuninst.exe
    C:\WINDOWS\System32\Qcv.exe

    Now reboot in normal mode and post a new HJT log. And tell us how things are working for this account!
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    On Jaime's account:

    Also make sure your uninstall of SpyBlocs is noticed here. Otherwise uninstall it again.

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    Sao.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O4 - HKLM\..\Run: [Win32SystemMonitor] C:\WINDOWS\System32\Ang.exe
    O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove

    Fix the SpyBlocs line too if necessary. I left it out on the other account.
    O4 - HKLM\..\Run: [SpyBlocs] C:\PROGRA~1\SpyBlocs\SpyBlocs.exe
    O4 - HKCU\..\Run: [Win32SystemMonitor] C:\WINDOWS\System32\Ang.exe
    O15 - Trusted IP range: (HKLM)


    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\Sao.exe
    C:\WINDOWS\System32\Ang.exe
    C:\WINDOWS\Temp\WTuninst.exe

    Now reboot in normal mode and post a new HJT log. And tell us how things are working for Jaime's account.
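
    The two fix lists above (and the ones that follow for the O account) keep flagging the same shapes of HJT line: blank or about:blank R0/R1 search values, O4 Run entries whose label or three-letter file name rotates, an unknown Winsock LSP module, and an O15 Trusted IP range. The script below is an added illustration by the editor, not a tool from this thread or from MajorGeeks, of how a helper might pre-screen a posted log for exactly those patterns. The sample log lines are constructed from entries quoted in this thread, and the rogue-label and three-letter allowlists are the editor's assumptions, not an authoritative database.

```python
"""Heuristic triage of a HijackThis (HJT) log.

Added example for this thread; the pattern lists are assumptions by the
editor rather than a vetted database.
"""
import re

# Run-key labels the thread identified as malware or rogue software
# (assumed, illustrative list).
ROGUE_LABELS = {"win32systemmonitor", "spyblocs"}

# Legitimate Windows executables with three-letter names, so the
# "random three letters" rule does not flag them (assumed allowlist).
KNOWN_THREE_LETTER = {"cmd.exe", "mmc.exe", "net.exe", "reg.exe", "ftp.exe", "sol.exe"}

# Constructed sample modelled on lines quoted in this thread (not a real log).
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = about:blank
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant =
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.majorgeeks.com/
O4 - HKLM\\..\\Run: [Win32SystemMonitor] C:\\WINDOWS\\System32\\Bfv.exe
O4 - HKCU\\..\\Run: [Ine] C:\\WINDOWS\\System32\\??chost.exe
O4 - HKLM\\..\\Run: [SpyBlocs] C:\\PROGRA~1\\SpyBlocs\\SpyBlocs.exe
O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\calsp.dll
O15 - Trusted IP range: 67.19.178.84
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.*?): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
R_RE = re.compile(r"^(?P<sec>R[01]) - (?P<key>.*?)\s*=\s*(?P<value>.*)$")
EXE_RE = re.compile(r"([^\\\s\"]+\.exe)", re.IGNORECASE)
RANDOM3_RE = re.compile(r"^[a-z]{3}\.exe$")


def _basename(cmd):
    """First *.exe token of a Run-key command line, lower-cased ('' if none)."""
    m = EXE_RE.search(cmd)
    return m.group(1).lower() if m else ""


def triage(log_text):
    """Return [{'line': ..., 'reason': ...}] for HJT lines matching the
    patterns the helpers in this thread keyed on; clean lines are skipped."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reason = None
        if line.startswith("O10 - Unknown file in Winsock LSP"):
            reason = "winsock LSP module HJT does not recognise (fix with LSP-Fix, not by deleting blindly)"
        elif line.startswith("O15 - Trusted IP range"):
            reason = "IP range added to IE Trusted sites zone"
        elif (m := O4_RE.match(line)):
            label = m.group("label").lower()
            base = _basename(m.group("cmd"))
            if label in ROGUE_LABELS:
                reason = "autorun label known from this infection (%s)" % m.group("label")
            elif "?" in base:
                reason = "autorun file name has characters HJT could not print (possible svchost look-alike)"
            elif RANDOM3_RE.match(base) and base not in KNOWN_THREE_LETTER:
                reason = "autorun of a random-looking three-letter executable"
        elif (m := R_RE.match(line)):
            value = m.group("value").strip()
            if value == "" or value.lower() == "about:blank":
                reason = "browser search/start setting blanked or pointed at about:blank"
        if reason:
            findings.append({"line": line, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-70s  <- %s" % (f["line"][:70], f["reason"]))
```

    Run against a saved .log file the output is just a shortlist; the matching O10 lines still go through LSP-Fix rather than the HJT Fix button, exactly as PhilliePhan and chaslang instruct above, because removing an LSP entry without repairing the Winsock chain can leave the machine with no working network.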
     
  16. stylcouncl

    stylcouncl Private E-2

    I assume I am to use Add/Remove Programs to uninstall the SpyBlocs program?
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! If it has an uninstall. Otherwise we will fix the run line in HJT.
     
  18. stylcouncl

    stylcouncl Private E-2

    It didn't have an uninstall but I did fix the run line in HijackThis as directed. I didn't see the processes running. I fixed the designated HijackThis lines except for the paired ones ending in Bfv.exe. Each time I rerun HijackThis, similar lines are there but the three letters before .exe are different, as you can see from this most recent log. The only obvious sign of ongoing infection is the black overlay screen on the owner account "Warning... You're in danger"... I'll work on the Jamie account next.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    NO! Stay on this account. You need to work it right now before file names can change. The processes that appear in the list should appear when using TaskManager. If not we need to use ProcessExplorer or HJT to kill them.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    C:\WINDOWS\System32\Rjp.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O4 - HKLM\..\Run: [Win32SystemMonitor] C:\WINDOWS\System32\Oed.exe
    O4 - HKCU\..\Run: [Win32SystemMonitor] C:\WINDOWS\System32\Oed.exe


    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\Rjp.exe
    C:\WINDOWS\System32\Oed.exe

    Tell me if you have a problem finding these files and deleting them. If so, run HJT in safemode and see if the process name and the Win32SystemMonitor filenames have changed. If so, kill the new process and delete the new names.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  21. stylcouncl

    stylcouncl Private E-2

    I'm sorry. I did jump back to the other account. I'll repeat the process as you described for the main account, re-post and wait. I assume you want me to delete the files even if the file name has changed. I have confirmed that restore is off, and that hidden files are set appropriately. Along those lines, I have not unchecked the box about operating system files below the designated one.
     
  22. stylcouncl

    stylcouncl Private E-2

    This is the newest HijackThis log BEFORE I've gone back in to fix things or back into safe mode.
     
  23. stylcouncl

    stylcouncl Private E-2

    I see that you're logged in viewing the thread and so I'm waiting to see your response. Steve
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must uncheck that too or you will not see the files that malware creates. They will make them any combination of read-only, hidden and/or system to avoid having you see them. Also, the option to "Hide extensions for known file types" must not be checked.
     
  25. stylcouncl

    stylcouncl Private E-2

    Shit. Well, it's obviously getting very late for you. I'll uncheck that box; then should I rerun some or all of the other programs, or just uncheck that box and rerun a HijackThis log?
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Notice they have changed again!

    C:\WINDOWS\Iud.exe

    O4 - HKLM\..\Run: [Win32SystemMonitor] C:\WINDOWS\Rgc.exe
    O4 - HKCU\..\Run: [Win32SystemMonitor] C:\WINDOWS\Rgc.exe
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    From now on, when trying to fix these lines (that means while following any of the steps in normal or safe mode), make sure you physically disconnect (unplug cable - important) from the internet.
     
  28. stylcouncl

    stylcouncl Private E-2

    OK, I have a wireless connection and I can just unplug the D-Link. What should I do next? Uncheck the hidden box, rerun HijackThis and post the log, or take some action based on that last log?
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If the log is still the same, just use what I pointed out already. I'm starting to worry that they may have a hidden process or DLL that respawns this. Make sure after fixing the lines in HJT and deleting the files (and they have to be located - look for other similar filenames, sort by date and look at the most recent entries. There could be lots of them.) in safe mode that you still do not reconnect or open any browsers. First reboot to normal mode and run HJT again and see if the problem has already come back. Then reconnect the cable (no browsing): has it come back? Now run a browser: has it come back? I think you get the idea.
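
    The "sort by date and look at the most recent entries" step above is the part that turned up about 80 files in the next post. The script below is an added example by the editor, not from this thread or from MajorGeeks, of doing that hunt programmatically: walk a tree, keep files whose modification time falls within a window around the moment the infection started, and optionally keep only names that look like the rotating three-letter droppers. The directory layout and timestamps are constructed in a temp folder so it runs anywhere; the window size and the three-letter name pattern are the editor's assumptions.

```python
"""Find files dropped around a given moment, newest first.

Added example for this thread. The demo tree is constructed; the window and
name pattern are assumptions, not facts from the poster's machine.
"""
import os
import re
import shutil
import tempfile
import time

# Rotating dropper names seen in the thread (Bfv.exe, Oed.exe, Rgc.exe, ...).
RANDOM3_RE = re.compile(r"^[A-Za-z]{3}\.exe$")


def hunt(root, anchor_ts, window_s=3600, name_re=RANDOM3_RE):
    """Return [(path, mtime)] for files under `root` modified within
    `window_s` seconds of `anchor_ts`, restricted to basenames matching
    `name_re` (None = any name). Sorted newest first, like 'sort by date'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name_re is not None and not name_re.match(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:          # vanished or unreadable; skip, do not abort
                continue
            if abs(st.st_mtime - anchor_ts) <= window_s:
                hits.append((path, st.st_mtime))
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits


def build_demo_tree():
    """Constructed stand-in for a Windows tree: empty files in a temp dir with
    mtimes arranged so three of them sit on 'infestation day'."""
    root = tempfile.mkdtemp(prefix="hjt-demo-")
    infection = time.time() - 7 * 86400                    # assumed: a week ago
    layout = {
        "WINDOWS/System32/Rgc.exe": infection + 120,       # dropper
        "WINDOWS/Iud.exe": infection + 300,                # dropper
        "WINDOWS/Temp/WTuninst.exe": infection + 30,       # same day, long name
        "WINDOWS/System32/notepad.exe": infection + 60,    # same day, long name
        "WINDOWS/System32/cmd.exe": infection - 400 * 86400,  # old system file
    }
    for rel, mtime in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
        os.utime(path, (mtime, mtime))
    return root, infection


def demo():
    """Run both passes on the demo tree; returns basenames for each."""
    root, ts = build_demo_tree()
    try:
        three_letter = [os.path.basename(p) for p, _ in hunt(root, ts)]
        same_day = [os.path.basename(p) for p, _ in hunt(root, ts, name_re=None)]
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return {"three_letter": three_letter, "same_day": same_day}


if __name__ == "__main__":
    for label, names in demo().items():
        print(label, names)
```

    On a real machine the root would be C:\WINDOWS and the anchor the time the first pop-ups appeared; run it with hidden and system files visible and the network cable unplugged, as instructed earlier in the thread, so nothing new is dropped while you are looking.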
     
  30. stylcouncl

    stylcouncl Private E-2

    OK, that's what I'll do. They have already changed, however, since I last scanned. I'll give it a try.
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  32. stylcouncl

    stylcouncl Private E-2

    No, I'm not terribly familiar with it although I've tinkered in the past with someone directing it. Here's where I'm at. I searched by date modified/created and found about 80 of those ABC.exe files throughout Windows, all from the day and time the problems started. I also found multiple dll files including additional copies of the two you had me delete independently. I also found a few other suspicious executable files from that day and deleted them. I also found and deleted the image file for the black warning screen; since that time, instead of the black screen, there is a white screen that overlays the Windows background, and that's the only remaining issue functionally. If I enlarge the Windows toolbar at the bottom and then drag it back to the regular size, you can see the appropriate background screen "underneath" and then the white screen refills the "uncovered" area. Right now I'm rerunning the steps in the main pre-screening thread with all files revealed in safe mode and I'll look at the link you included above. I'm also searching the web on another computer because I've seen links about that black "Warning - You're in danger..." screen because I think that is the biggest problem. I also curiously found a file in Windows/Temp, several numbers.tmp, listed as "unknown application" as read-only, created the date this stuff all happened. I couldn't delete it in safe mode but I could delete the whole Temp folder in a normal boot so I did that. I think I'm close. Steve
     
  33. stylcouncl

    stylcouncl Private E-2

    OK, so following instructions in a similar thread in a similar forum, I was able to at least temporarily fix the screen problem by going into desktop settings, Web tab and unchecking the box (someone explained in another help session that "an active desktop was set as the wallpaper"). The respondent mentioned that for him the fix was only temporary and the black screen returned after a few hours. I've since rerun Spybot, Ad-Aware and the cleaner program, searched for all .tmp files and removed them, and have not yet allowed that PC to have web access. I've rerun HijackThis logs for all three users and will post them here in case you have any other suggestions before I allow this PC to have net access again. So far so good. Thanks again. I think the logs will come in two (or three) posts. (Having trouble uploading the logs)
     
  34. stylcouncl

    stylcouncl Private E-2

    3rd log
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    O5 Logfile looks okay but you should Reset Web Settings:

    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The A5 Logfile still shows one of the problems we have been fixing. Use the same methods to fix the below.

    O4 - HKCU\..\Run: [Win32SystemMonitor] C:\WINDOWS\Imb.exe

    Also do the Reset Web Settings for this user too.
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The J5 Logfile still shows one of the problems we have been fixing. Use the same methods to fix the below.

    O4 - HKCU\..\Run: [Win32SystemMonitor] C:\WINDOWS\Iud.exe

    Also do the Reset Web Settings for this user too.
     