Thought it had gone but it's all back!!!!

hazlegs · Jul 5, 2007

Hi

I’l apologise now if I’ve missed something out, done something in the wrong order or whatever, but I’ve had 2 very late nights trying to get rid of the c**p on my pc and I’m feeling a bit tired!!

Brief summary of what’s happened:

- Problem started Monday
- Full virus scan (NIS 2007) was clean!
- Installed Spyware Doctor which removed loads of rubbish but not everything
- Tuesday. Followed the steps in the “READ & RUN ME FIRST” thread, up to and including step 7, running HijackThis (had to use AVG Anti-Spyware as CounterSpy wouldn’t run for some reason or other) Also took several attempts to install SpyBot as something appeared to be killing off the installer!). Unfortunately all the good work done by the various tools has all been rendered useless. Something disabled my Norton Internet Security – it had been blocking something called Downloader. Downloader was still there and all the junk is now back again.

Symptoms:

- desktop hijacker changing the desktop to "Your Privacy is in Danger..." A red logo kinda resembling the old Quake logo.
- A popup from Spyware Doctor (about every 10 seconds!) saying: Malicious Action Blocked. Spyware Doctor has blocked an application Explorer.EXE attemting to write to the registry. Path: HKEY_USERS\S-1-5-21-1202660629-1284227242-725345543-1004\Software\Microsoft\Internet Explorer\Main, Start Page=http://gomyron.com/NiU2NA==/2/3560/homepage/
- A popup saying: “Windows Security Alert. Warning! Potential Spyware Operation. Your computer is making unauthorized copies of your system and internet files. Run full scan now to prevent any unauthorized access to your files. Click here to download spyware remover…”
- A popup saying: “System Alert. System detected virus activity. These may impact the performance of your computer. Please use recommeneded antispyware software to protect your system from parasite programs”
- A popup saying: “Malware Alert. Warninng. Trojan Adware.W32.ExpDwnldr spyware detected” There’s quite a bit more in this popup but hopefully this is all that’s needed.
- 3 icons appear on my desktop. The url in brackets is from the prperties of the particular icon. 1) “Spyware & Malware Protection” (p://onlinesecurityworld.com/shandler.php?sg=2) 2) “Privacy Protection” (p:// onlinesecurityworld.com/shandler.php?sg=0) 3) “Error Cleaner” (p://onlinesecurityworld.com/shandler.php?sg=1)
- Browser windows occassionally open up. I’ve closed these immediately but have spotted a couple of urls: www.amaena.com and www.onlinestability.com

The various log and text files from the steps in “READ & RUN ME FIRST” will hopefully be attached to this post and the next.

Any help and assistance would be most appreciated, although I am preparing myself for a complete re-install of XP Pro!!!!!!!

Cheers.

Graham.

hazlegs · Jul 5, 2007

The remaining 2 txt files.

chaslang · Jul 5, 2007

Welcome to Major Geeks!

I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

STEP 1: Complete this procedure completely including attaching the requested log before doing the second procedure.

Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

Note:process.exe ( which is used my SmitFraudFIx ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

http://www.beyondlogic.org/consulting/proc...processutil.htmIMPORTANT: Do NOT run any other options until you are asked to do so!
Click to expand...

ATTACH THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!!! And then immediately continue on to the below steps.

STEP 2: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.
Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer into Safe Mode : Starting your computer in Safe mode

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Now reboot into normal mode and attach this new rapport.txt log here.
Click to expand...

Now attach new logs from:

GetRunKey

ShowNew

HJT

How are things working now?

hazlegs · Jul 6, 2007

Chaslang

Many thanks for the response.

Attached is the 1st rapport.txt.

The search through up a couple of errors though. A box appeared headed "16 bit MS-DOS Application". In it was:
C:\WINDOWS\system32\cmd.exe
The NTVDM.CPU has encountered an illegal instrucion
CS:10fe IP:0121 OP:0f 79 88 6e 46 Choose 'Close' to terminate the application

This appeared twice. Once during Scanning ApplInit_DLLs and once during Scanning Winlogon:System

I clicked close each time and it carried on.

2nd rapport.txt file and other logs will follow shortly.

Cheers.

Graham

hazlegs · Jul 6, 2007

Chaslang

2nd rapport.txt attached.

The 16 bit MS-DOS Subsystem popup appeared again during the Deleting Temp files... phase.

Cheers.

Graham

hazlegs · Jul 6, 2007

Chaslang

Attached logs from GetRunKey, ShowNew and HJT.

And the good news - the system is fine! Background to my desktop is blank but that's easily fixed.

Norton Internet Security still won't start though. I think I'll have to re-install that.

Many thanks for your help.

Graham

chaslang · Jul 6, 2007

hazlegs said: ↑

Attached logs from GetRunKey, ShowNew and HJT.
Click to expand...

I'm not sure what you attached but these are not proper logs. Take a look at what you attached.

hazlegs said: ↑

And the good news - the system is fine!
Click to expand...

I'm not so sure based on those logs. I wonder if you have registry corruption.

hazlegs · Jul 7, 2007

Chaslang

Don't know what happened to those logfiles I'm afraid. I was using my second pc to post to this forum and transferring the logfiles using a memory stick. I've just had a look at them and they're garbage!!! All bar the first rapport.txt are still on this pc and are readable so I'll post them now.

Cheers.

Graham

hazlegs · Jul 7, 2007

HijackThis log

chaslang · Jul 7, 2007

That looks much better! And these logs are also clean but you do have a couple things to do.

Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below folders which may be left behind by the uninstall:
C:\Documents and Settings\Dad\Application Data\Sunbelt Software
C:\Documents and Settings\All Users\Application Data\Sunbelt Software
C:\Program Files\Sunbelt Software

Now uninstall the below old versions of of Sun Java:
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9

You can also optionally have HJT fix the below startups. They are not malware, but you just don't need them to run at startup which is waste of system resources:
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

How is everything working?

hazlegs · Jul 8, 2007

Chaslang

Did everything in your last post and everything's working fine.

Once again, many thanks for all your help.

Cheers.

Graham

chaslang · Jul 8, 2007

You're welcome. If you are not having any other malware problems, it is time to do our final steps:

If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.

If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.

If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.

If we had you run Avenger, you can delete all files related to Avenger now.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created

If you are running Windows XP or Windows ME, do the below:

go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Log in or Sign up

Thought it had gone but it's all back!!!!

hazlegs Private E-2

Attached Files:

Activescan.txt

bdscan.txt

hijackthis.log

hazlegs Private E-2

Attached Files:

newfiles.txt

runkeys.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

hazlegs Private E-2

Attached Files:

rapport01.txt

hazlegs Private E-2

Attached Files:

rapport02.txt

hazlegs Private E-2

Attached Files:

runkeys.txt

newfiles.txt

hijackthis.log

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

hazlegs Private E-2

Attached Files:

rapport02.txt

runkeys.txt

newfiles.txt

hazlegs Private E-2

Attached Files:

hijackthis.log

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

hazlegs Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member