I Need Help W/ Malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by fallen4grace, Aug 6, 2007.

  1. fallen4grace

    fallen4grace Private E-2

    Hello, well I have a major spyware or virus problem... usually I run a couple of different scans, delete or quarantine, and my computer is back to normal. A couple of days ago I let my older brother use my computer, and internet pop-ups won't stop appearing, it is going very slow, and programs keep installing themselves. I tried everything and nothing seems to work, and I don't know much about computers.

    I attached my HijackThis log... can someone please help me?
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Let's first run a quick fix with ComboFix that will help get us started. It will not fix everything but it will reduce the amount of work we need to do later.
    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log ( C:\combofix.txt ) for you. Attach this log to your next reply
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now please follow our standard cleaning procedures which will allow us to remove the rest of your remaining issues.

    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • ComboFix
      • CounterSpy - only for Windows XP, 2K, & NT users
      • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use three messages to attach all of these logs!
     
  3. fallen4grace

    fallen4grace Private E-2

    I wasn't able to run ComboFix; a screen would appear stating that I had an "Incompatible OS, ComboFix only works for Windows 2000 or XP". I will do the rest of the scans and logs and post them when they are done.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! We will have to remove whatever remains manually after you complete the READ & RUN ME.
     
  5. fallen4grace

    fallen4grace Private E-2

    ok I did all the scans here are the logs.
     

    Attached Files:

  6. fallen4grace

    fallen4grace Private E-2

    the rest of the logs
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why didn't you allow AVG Antispyware to fix what it found? There is no sense in running the scans unless you fix the problems found. You need to run it again and Quarantine or Delete what it finds. Save a new log to attach.
     
  8. fallen4grace

    fallen4grace Private E-2

    I deleted all items found in AVG
     
  9. fallen4grace

    fallen4grace Private E-2

    but I am scanning again
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure? Look at what the log you attached says!

    Also in step 0 of the READ ME we highly recommended that you uninstall Messenger Plus! Live. The Virtumonde infection you have more than likely came from this program. You should uninstall this program now. It is the cause of thousands of PCs being infected!!!


    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.1
    Java 2 Runtime Environment, SE v1.4.2_01

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    I'm going thru the rest of your logs now.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let the AVG scan complete and fix anything found. Attach the new log immediately before continuing. And then immediately after attaching the log continue with the below.

    Then make sure you do the rest of what I put in message number 10 and then continue with the below.


    Continue by downloading a tool we will need

    - Process Explorer

    Extract it to its own folder somewhere that you will be able to locate it later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    pmnkjij.dll
    ddabx.dll
    __c0096E39.dat
    __c00318F4.dat
    oyaopyfw.dll

    After you have killed all instances of any of the above DLLs under winlogon click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    pmnkjij.dll
    ddabx.dll
    __c0096E39.dat
    __c00318F4.dat
    oyaopyfw.dll

    After you have killed all instances of any of the above DLLs under Explorer click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    pmnkjij.dll
    ddabx.dll
    __c0096E39.dat
    __c00318F4.dat
    oyaopyfw.dll

    After you have killed all instances of any of the above DLLs under iexplore click ok.
    (If you do not find these DLLS, just continue on.)

    Now back at the main Process Explorer window look for the below processes and if found right click on them and select Kill Process.
    C:\Program Files\Common Files\{5CCBDF4D-06C1-1033-0106-050602200002}\Update.exe
    C:\Program Files\Ipwindows\ipwins.exe

    Now just exit Process Explorer.

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {1BF2AE94-35BD-8ACC-B98A-7D34CACECA5C} - (no file)
    O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\pmnkjij.dll
    O2 - BHO: (no name) - {4020EB93-5CDE-AC39-8399-F172089DCADD} - (no file)
    O2 - BHO: (no name) - {58FD10F5-8FAC-492C-ADE3-6DDB9B7E2739} - C:\WINDOWS\system32\ddabx.dll
    O2 - BHO: (no name) - {6D593FD6-9F18-677D-E264-9F6FE93312CD} - (no file)
    O2 - BHO: (no name) - {A48F7354-2400-425F-9872-FF5D58D33C03} - C:\WINDOWS\system32\__c0096E39.dat (file missing)
    O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\oyaopyfw.dll
    O20 - Winlogon Notify: ddabx - C:\WINDOWS\system32\ddabx.dll
    O20 - Winlogon Notify: pmnkjij - C:\WINDOWS\SYSTEM32\pmnkjij.dll
    O20 - Winlogon Notify: __c00318F4 - C:\WINDOWS\system32\__c00318F4.dat

    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 8 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
  12. fallen4grace

    fallen4grace Private E-2

    My computer is working so much better, but here are my latest logs. I wasn't able to run Avenger or ATF Cleaner because they don't support my operating system.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then you will have to manually go and remove all of the files and folders I listed in the Avenger fix and then attach a new log from ShowNew. It is possible that some of those files and folders may no longer be found, but you need to check for all of them. Some of them have tricky names that actually include unprintable characters, so I may have to give you special instructions to remove them later.

    You did not install the current Sun Java version as requested.

    Also why didn't you run Spybot as requested in the READ & RUN ME? Does it have problems with your OS too?


    You also forgot to attach the new HJT log I requested.
     
  14. fallen4grace

    fallen4grace Private E-2

    here is my HJT log and show new log, and right now I am downloading spybot it took a while to download in my computer , but it is already installed and I am about to do a scan.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please delete the below folders. Note that the question marks and the à character represent unprintable characters that were found during the scans, but they may appear to you as normal characters when you locate them using Windows Explorer. I will add comments in RED next to each item. Note the date of the folders, which will help you to properly locate the correct ones to delete, since you could see other valid folders that appear to have the same names. Just go by the dates I show below.
    Code:
    "C:\Documents and Settings\Administrator\Application Data\"
    SMBOLS~1      Jul 14 2007              "s?mbols"     <-- may look like Symbols
     
    "C:\Program Files\"
    CROSOF~1      Jul 14 2007              "??crosoft"   <-- may look like Microsoft, and there may be a real valid folder with the same name.
    àPPPATCH      Jul 14 2007              "àppPatch"
     
    "C:\Program Files\Common Files\"
    YMANTE~1      Jul 15 2007              "?ymantec"    <-- may look like Symantec
    DOBE~2        Jul 14 2007              "?dobe"       <-- may look like Adobe
     
    "C:\WINDOWS\"
    FNTS~1        Sep  9 2006              "F?nts"       <-- may look like Fonts
    YSTEM~1       Sep 12 2006              "?ystem"      <-- may look like system
     
    "C:\WINDOWS\system32\"
    MBOLS~1       Jul 12 2007              "??mbols"     <-- may look like Symbols
    
    Now delete the below files:
    C:\WINDOWS\system32\reginic_ingen.exe
    C:\WINDOWS\system32\ggjlm.ini
    C:\Documents and Settings\Administrator\Local Settings\Temp\MsgPlusUninstall.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\removalfile.bat
    C:\Documents and Settings\Administrator\Local Settings\Temp\snapsnet.exe

    Now also delete the below folders:
    C:\Documents and Settings\All Users\Application Data\SalesMonitor
    C:\Documents and Settings\Administrator\Local Settings\Temp\NI.UWA7P_0001_N91M0809
    C:\WINDOWS\system32\b10FdUe
    C:\WINDOWS\system32\B2


    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {1BF2AE94-35BD-8ACC-B98A-7D34CACECA5C} - (no file)
    O2 - BHO: (no name) - {4020EB93-5CDE-AC39-8399-F172089DCADD} - (no file)
    O2 - BHO: (no name) - {6D593FD6-9F18-677D-E264-9F6FE93312CD} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

    After clicking Fix, exit HJT.


    Now run CCleaner

    Now attach the below new logs and tell me how the above steps went.

    1. ShowNew
    2. HJT


    Make sure you tell me how things are working now!
     
  16. fallen4grace

    fallen4grace Private E-2

    Here are my logs. My computer is working good , no more internet pop ups or programs installing themselves on my desktop.
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you miss fixing the below with HJT or did they come back?

    O2 - BHO: (no name) - {1BF2AE94-35BD-8ACC-B98A-7D34CACECA5C} - (no file)
    O2 - BHO: (no name) - {4020EB93-5CDE-AC39-8399-F172089DCADD} - (no file)
    O2 - BHO: (no name) - {6D593FD6-9F18-677D-E264-9F6FE93312CD} - (no file)


    Try again! If they still show, try shutting down your antivirus and AVG Antispyware and then fix them.

    Also, you missed a couple of folders I asked you to delete. You need to delete the below, which are part of the PurityScan infection you had. Remember to use the dates of the folders as an indicator of which ones to delete.
    Code:
    "C:\Program Files\"
    àPPPATCH      Jul 14 2007              "àppPatch"
     
    "C:\WINDOWS\"
    YSTEM~1       Sep 12 2006              "?ystem"
    
     
  18. fallen4grace

    fallen4grace Private E-2

    I am unable to delete the following:

    O2 - BHO: (no name) - {1BF2AE94-35BD-8ACC-B98A-7D34CACECA5C} - (no file)
    O2 - BHO: (no name) - {4020EB93-5CDE-AC39-8399-F172089DCADD} - (no file)
    O2 - BHO: (no name) - {6D593FD6-9F18-677D-E264-9F6FE93312CD} - (no file)

    and unable to find:

    "C:\Program Files\"
    àPPPATCH Jul 14 2007 "àppPatch"

    "C:\WINDOWS\"
    YSTEM~1 Sep 12 2006 "?ystem"
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why can't you find those folders? They are showing in your last log from ShowNew. Are you paying attention to the folder dates and the RED text where I specified what the folder names may appear to look like? How many folders do you see with the same dates, and what are the folder names?
     
  20. fallen4grace

    fallen4grace Private E-2

    Yes, I am paying attention to what you put in red. I cannot find those files:
    there is no àppPatch file, and I am unable to find a System file with that specific date.

    "C:\Program Files\"
    àPPPATCH Jul 14 2007 "àppPatch"

    "C:\WINDOWS\"
    YSTEM~1 Sep 12 2006 "?ystem"
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download and install Registrar Lite. Make sure you select a Majorgeeks download link and not the author's!

    • Run Registrar Lite navigate to the following key and take ownership of it (I explain how to do this further down):
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

    • To take ownership of the key do the following:
      • Click-on the above Registry Key
      • Click-on Security in the Menu
      • Select Take Ownership
    • Now locate each of the below keys under the Browser Helper Objects key and select them (one at a time) and right click on them and select delete:
    {1BF2AE94-35BD-8ACC-B98A-7D34CACECA5C}
    {4020EB93-5CDE-AC39-8399-F172089DCADD}
    {6D593FD6-9F18-677D-E264-9F6FE93312CD}

    After deleting them exit Registrar Lite and attach a new HJT log.
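    The three O2 entries that keep reappearing in messages 15, 17 and 18 all end in "(no file)": the Browser Helper Object registration is still present under the CLSID key, but the DLL it pointed to is gone, which is why HijackThis's Fix has nothing to unload and the key has to be removed directly as described above. The following is an added example (not code from this thread or from HijackThis) that parses the O2 and O20 lines of two HJT logs, flags orphaned "(no file)" / "(file missing)" entries and unnamed BHOs, and lists which flagged entries survived from one log to the next. Both logs are constructed for the example, and the {11111111-...} "Example Helper" line is a placeholder standing in for a legitimate BHO.

```python
import re

# Constructed sample HijackThis output: the same machine before and after an
# attempted Fix. Line layout follows the O2/O20 entries seen on this page.
# {11111111-2222-3333-4444-555555555555} is a constructed placeholder CLSID.
LOG_BEFORE = """\
O2 - BHO: (no name) - {1BF2AE94-35BD-8ACC-B98A-7D34CACECA5C} - (no file)
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\\WINDOWS\\system32\\pmnkjij.dll
O2 - BHO: (no name) - {4020EB93-5CDE-AC39-8399-F172089DCADD} - (no file)
O2 - BHO: (no name) - {A48F7354-2400-425F-9872-FF5D58D33C03} - C:\\WINDOWS\\system32\\__c0096E39.dat (file missing)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll
O20 - Winlogon Notify: ddabx - C:\\WINDOWS\\system32\\ddabx.dll
"""

LOG_AFTER = """\
O2 - BHO: (no name) - {1BF2AE94-35BD-8ACC-B98A-7D34CACECA5C} - (no file)
O2 - BHO: (no name) - {4020EB93-5CDE-AC39-8399-F172089DCADD} - (no file)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll
"""

# O2: "O2 - BHO: <name> - {CLSID} - <path or (no file)>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
# O20: "O20 - Winlogon Notify: <subkey> - <path>"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")


def parse_hjt(text):
    """Parse O2 (BHO) and O20 (Winlogon Notify) lines into a dict keyed by
    (section, identifier). Other HJT sections are ignored in this example."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            entries[("O2", m.group("clsid").upper())] = {
                "name": m.group("name"), "target": m.group("target")}
            continue
        m = O20_RE.match(line)
        if m:
            entries[("O20", m.group("name").lower())] = {
                "name": m.group("name"), "target": m.group("target")}
    return entries


def is_orphaned(entry):
    """True when the registered DLL no longer exists: HJT prints '(no file)'
    as the target or appends '(file missing)' to the path. Such entries are
    registry leftovers, and Fix may not be able to remove them."""
    t = entry["target"]
    return t == "(no file)" or t.endswith("(file missing)")


def triage(entries):
    """Flag entries worth a closer look, with the reason(s) for each:
    orphaned registrations and BHOs that carry no name at all."""
    flagged = {}
    for key, e in entries.items():
        reasons = []
        if is_orphaned(e):
            reasons.append("orphaned registration")
        if key[0] == "O2" and e["name"] == "(no name)":
            reasons.append("unnamed BHO")
        if reasons:
            flagged[key] = reasons
    return flagged


def survivors(before, after, keys=None):
    """Flagged keys from the first log that are still present in the second:
    either the Fix was skipped or the entry could not be removed by HJT."""
    keys = triage(before) if keys is None else keys
    return sorted(k for k in keys if k in after)


if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    for key, reasons in triage(before).items():
        print(key, "->", ", ".join(reasons))
    print("still present after Fix:", survivors(before, after))
```

    The Winlogon Notify (O20) lines are parsed so that `survivors` can track them too, but whether a given Notify DLL is legitimate is left to the analyst, as it was in this thread; the script only automates the part that is mechanical, spotting registrations whose file is gone and entries that did not go away between two logs.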
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are the options from step 2 in the READ ME still in effect?

    Please attach a new log from ShowNew.
     
  23. fallen4grace

    fallen4grace Private E-2

    Yes step 2 is still in effect and here is my show new log
     

    Attached Files:

  24. fallen4grace

    fallen4grace Private E-2

    after running registrar lite
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry to tell you but the folders are still there. You are somehow overlooking them.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I asked for a new HJT log after running this. ;)
     
  27. fallen4grace

    fallen4grace Private E-2

    HJT Log
     

    Attached Files:

  28. fallen4grace

    fallen4grace Private E-2

    I am unable to remove the system folder. I found it, but it's not letting me delete it.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What do you see inside of the system folder you found? You must not try to delete the valid c:\windows\system folder.

    Are you still saying you cannot see the other folder which does appear in your ShowNew log (this does not lie, it is there)?

    Install this ExplorerXP see if you can find and delete the other folder with it. Hopefully it runs on your OS.
     
  30. fallen4grace

    fallen4grace Private E-2

    I found both folders and was able to delete them . thank you
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your HJT log was clean too.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
    3. If we used SDFix, you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
