Definitely pipmon, and some other stuff.

Discussion in 'Malware Help (A Specialist Will Reply)' started by Merkava, Sep 12, 2007.

  1. Merkava

    Merkava Private First Class

    My desktop, task bar, start menu are all gone.

    I can see them sometimes, like when I try to run something. They will all appear and remain as AntiVirus warnings pop up, but as soon as I close the warnings, they all disappear.
    I found one other thread that mentioned this virus, but there was just the "read and run me first", which is fine.

    My problem is that this virus has invaded to such a degree that the only way I can access anything is through the task manager, then the "start new task" prompt. Like I said, no desktop, no start menu, nothing. I can browse from there, so I can get to my desktop and files, but some things won't work.

    For example I downloaded GetRunKey, but I can't open it. I can find it in the window from the "start new task" (run) browse option, but right clicking doesn't bring up a context menu, so all I can do is choose it for the run prompt. I click run and an error message pops up saying that Windows can't find it, along with several antivirus warnings.

    Basically I can't get very far with the normal removal procedures. I'm not sure how to get to the quarantine section of AntiVir to clean it out, and I don't know how to open explorer so that I can get to my folder settings to set it to show hidden stuff for CCleaner.

    Can anyone take me by the hand and guide me through this thumb-sucking ordeal? :cry
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See if you can manage to do the below somehow!

    Download MGTools.exe to your Desktop.

    Run the MGTools.exe program by double clicking on it.
    • It will create a folder named MGTools in the root folder of the hard disk where Windows is installed ( typically C:\MGTools ).
    • It will also automatically extract a bunch of files into this folder.
    • It will then automatically start running three batch ( .bat files are batch programs ) programs in that folder.
    • It will sequentially run GetRunKey.bat, ShowNew.bat, and GetUnKey.bat. Each of these programs will create logs respectively named runkeys.txt, newfiles.txt and GetUnKey.txt. You will notice a command prompt window open and messages will appear in this window. This window will close when the scans are complete for all Win 2K and XP users. Win 9x and ME users will have to close this window manually but only when the scans complete.
    • These log files will be placed in the root folder of your Windows drive. The log files will also automatically be put into a ZIP file named MGlogs.zip which you will be uploading as an attachment to your message in the forum. Unlike older versions of the programs, no popups of the logs will appear when they finish running during this initial installation. At a later time, running any of the individual batch files will still cause the logs to automatically pop up.
    Don't forget to attach the MGLogs.zip file to your next message.

    At a later time to get new logs as requested, you can individually run any one of the three batch files by double clicking on them from a Windows Explorer window. Windows Explorer is easily opened by right clicking Start and selecting Explore. The batch file will create a new log and will also update the MGlogs.zip file with each new log created. The person helping you may either request the MGlogs.zip file or the individual logs named runkeys.txt, newfiles.txt and GetUnKey.txt.


    Notes: Possible Error Messages

    Error Message Type 1

    If any of your logs appear to be empty or semi-empty, or if you get an error message similar to the below when running any of the three batch files and you are running Windows XP or Windows 2000, follow the steps further down that relate to your OS.
    To fix the above error message, choose the download below which is appropriate for your system and extract the files into the default folder, which will be either C:\Windows\system32 or C:\Winnt\System32 depending on how you installed Windows. Do not extract the below fix files to the MGTools folder as it will not help to fix the problem that way.
    • For Windows XP Pro: download and run XPproFix
    • For Windows XP Home: download and run XPHomeFix
    • For Windows 2000: download and run: W2KFix
    Error Message Type 2
    Error Message Type 3


    The below error message is not a problem and you could see none of these or a few of these. It just means a registry key we are checking for does not exist. The scan will continue after any of these occur.
    After attempting to fix Error Types 1 & 2, run batch file again and attach the log.

    Then skip to step 7 of the READ & RUN ME and follow the instructions for HijackThis and attach a log from HJT.
     
  3. Merkava

    Merkava Private First Class

    Alrighty then. Here are the logs.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay you have a bunch of problems! I'm trying to determine the best approach since it is difficult for you to run many things. So first let's see if we can make a little improvement in your problems to make it easier for us to continue. Some of the below fixes will not work properly (i.e., certain infections we fix will come back), but as I said, we are just trying to make some small improvements so other steps can be more easily run.

    Get started with this while I look at all of your logs!

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to RdnaoFlSvc
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure what you are downloading with this PC or where you are surfing but you need to stop doing whatever you have been doing. You are very badly infected.

    After doing what I requested in message number 4, see how much of the below you can do. For any step that you cannot do, just note it, and then continue on to the next step until you get thru to the end. Tell me when you come back, exactly what you could and could not do.


    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - C:\WINDOWS\system32\nnnnopm.dll
    O2 - BHO: (no name) - {A3D589DB-37E0-461E-871B-4027749C9EA4} - C:\WINDOWS\system32\mlljj.dll
    O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.196 85.255.112.149
    O20 - Winlogon Notify: mlljj - C:\WINDOWS\system32\mlljj.dll
    O20 - Winlogon Notify: nnnnopm - C:\WINDOWS\SYSTEM32\nnnnopm.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it
    double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run CCleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!
     
  6. Merkava

    Merkava Private First Class

    Desktop, start menu and task bar are back!!!!!!!!!! :D

    Everything seems to be working fine now.

    I think pipmon, nnnnopm-whatever, and maybe 1 or 2 others tried to start up again, cuz AntiVir warnings popped up at startup.

    Seems there was something like error messages saying they couldn't be found. Don't remember.

    Anyway, here are the logs you requested.
     
    Last edited: Sep 13, 2007
  7. Merkava

    Merkava Private First Class

    Here, rather.
     
  8. Merkava

    Merkava Private First Class

    My attachments aren't coming through.
     
  9. Merkava

    Merkava Private First Class

    One more time.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note from now on the below should not be running when using HJT to get a log or to fix anything. That is assuming you have a Desktop now.
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\HP_Owner\My Documents\My Programs\utorrent.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\notepad.exe
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Automatic LiveUpdate Scheduler
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above to Stop and Disable the below two Services (if you do not find them or get any errors, just continue):
      • LiveUpdate
    • Click OK until you get back to Windows.
    Uninstall the below software:
    Java 2 Runtime Environment, SE v1.4.2_03
    Symantec Network Drivers Update

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {01CDFC7E-8F70-4E61-9C4D-20DA5513F90D} - C:\WINDOWS\system32\mlljj.dll (file missing)
    O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - C:\WINDOWS\system32\nnnnopm.dll (file missing)
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O20 - Winlogon Notify: mlljj - C:\WINDOWS\system32\mlljj.dll (file missing)
    O20 - Winlogon Notify: nnnnopm - nnnnopm.dll (file missing)

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it
    double click it and allow it to merge with the registry.
    • Now run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run CCleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 8 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  11. Merkava

    Merkava Private First Class

    Okay, this should do it. I hope.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you forget to uninstall this: Symantec Network Drivers Update

    Or does it not show in Add/Remove programs?

    Does the below still show right now in HijackThis? If so, fix it and delete the file being referenced.
    O4 - HKLM\..\Run: [erciwjeg] C:\thbnqfxa.bat
     
  13. Merkava

    Merkava Private First Class

    I thought I got Symantec update with CCleaner. Maybe one of those logs is from before I ran it. thbnqxfa.bat is gone now. I think I'm all good, thanx to you! :celebrate
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  15. Merkava

    Merkava Private First Class

    Well, I've done all that. Which log did you find the Symantec thing on? I'm getting a BSOD and the code given might be related to it. I'd like to see if it still comes up. I used the uninstall feature of CCleaner, and I still had to remove the entry, so I wonder if it was thorough enough.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In the log from ShowNew (newfiles.txt). You will see it in the uninstall list at the end of the log.

    If still there, I doubt that it has anything to do with a BSOD.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There were actually a few items from Symantec that you may still need to remove from the registry. I saw them in the GetUnKeys.txt log that was in your first MGlogs.zip file attached to message # 3. If you want to remove all of these which will also remove the item from the newfiles.txt log then do the below.


    Now copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
     
  18. Merkava

    Merkava Private First Class

    Well, I stumbled onto something here. When I try to open AntiVir from the tray icon, I get this message:

    The application module c:\program files\antivir personaledition classic\avcenter.exe cannot be found or has been modified or destroyed. The AVCENTER.EXE cannot be started. Please check your installation!

    So I figured I'd try to reinstall it, but when I clicked the remove button on the programs list, I got this:

    The CRC sum of C:\Program Files\AntiVir PersonalEdition Classic\SETUP>EXE has been changed! This could be due to a virus! Do you want to shut down Setup?

    Any ideas? :(
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First make sure you have the current installation file for AntiVir on your PC. You can get it here: AntiVir Personal Edition

    Now try to uninstall it again and select not to shut down the setup and allow it to uninstall AntiVir. Then reboot your PC.

    After reboot, reinstall AntiVir.
     
  20. Merkava

    Merkava Private First Class

    Okay, I'm now replying from the library because I have apparently picked up something even worse, or I never completely got rid of what I had in the first place.

    The situation to date is that besides my antivirus being crippled (the only option at the uninstall error message was to shut down setup - I couldn't proceed, and I downloaded the AntiVir file you suggested, but I just got the same error message), now all my network connections are GONE and the connection wizard has the PPPoE option greyed out so that I can't click on it, and the only option is a connection that is always connected, which it says should already be running, but isn't. So I can't connect to the internet.

    I thought maybe I should just set back to my last restore point, but apparently that has been disabled as well. I turned system restore off as part of this whole cleaning process, but I turned it back on per the instructions before this all happened. Now when I try to run it, I get a message that says something like, "System Restore cannot help you now..."

    Dun dun dunnnn!!!!!!!

    I would've run HJT and MGtools and whatnot, except that now the paste function is disabled on the context menu, so that I can't move the logs to a flash memory card to upload them here at the library.

    My only idea is perhaps to run them, copy the logs by hand, then type them into a notepad on the library comp, then upload them, and vice versa for any fixes you might suggest.

    Unless there are any other ideas.

    I haven't gotten the BSOD anymore, by the way.
     
    Last edited: Sep 15, 2007
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs were clean at the point I gave you final steps.

    All you said was you downloaded what I told you to download. Did you uninstall the old version first as requested? Did you then install the new version? Downloading is not the same as installing. I need to know exactly what you are doing. Downloading and installing AntiVir or any other program has nothing to do with your network connections. Perhaps you have done something else or installed something else.

    You need to tell me the exact word for word message you are getting. You should have at least one restore point from the point of my final instructions where system restore was toggled, and that restore point should be reasonably clean unless you got reinfected before doing my final steps.

    You don't need a paste function. Just copy the whole file from one drive to the other using Windows Explorer.

    Can you run in safe mode better than in normal boot mode? Do you have internet access in safe mode?

    Back in message number 13, you said the below line was gone:
    O4 - HKLM\..\Run: [erciwjeg] C:\thbnqfxa.bat

    Are you sure it is gone? Did anything similar show up?
     
  22. Merkava

    Merkava Private First Class

    Well, the prospects presented in that last message are a little daunting, I'm sure.

    I have a clean drive, so I'm gonna see what options I have for setting it up so that I can continue this little pursuit from my own house. I'll check for other threads about this. Thanx for all the help. I'm sure I'm not a hopeless case in any event. :eek:

    I'll post any progress.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome, but have you any answers to any of my questions?
     
  24. Merkava

    Merkava Private First Class

    Yeah, sorry. I posted that reply before noticing that there was a second page.

    I might not have put it correctly. The AntiVir error message that popped up when I tried to uninstall at the programs list only had a "close" button, so I couldn't proceed with the uninstallation. I tried in safe mode but it didn't work. However, I forgot to try to just delete the folder from program files. Dunno if that would achieve the desired result or not.

    As for the system restore error message, I'll have to get back to you. I think that I did indeed get re-infected before I was finished, or something. I checked and I definitely re-enabled system restore, it just says something to the effect that it can't be accessed and to restart the comp and try again - which I tried. I'll relay it to you verbatim as soon as I can. These last two replies are from my sister's house, and I'll be leaving soon to go back home.

    Lastly, the whole paste thing apparently applies to dragging and dropping - the files just won't move for some reason.

    I'll try accessing the web from safe mode (safe mode with networking, perhaps?).

    I just so happen to have recently purchased a hard drive, so I figure if that doesn't work, I can hook it up and format it, do a system recovery and proceed from there. I made a recovery disc set early on, but I dunno if I still have them. My drive is partitioned from the factory, and there was no Windows disc included when I bought my comp. I assume that when I format the new one, the partition will be included. I've heard that the partition could be infected, too, so I'll just have to see what happens.

    I was wondering if it is possible to format from the partition in BIOS. I guess it wouldn't be necessary, if system restore gets rid of the problem, and if the partition is infected, I'll have to wipe it anyway. Hope I have those discs.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Deleting the folder will not uninstall it and if the program files are still running you will not be able to delete the folder since it is in use.

    Okay let me know after retrying. Also attempt a restore in safe boot mode and see what happens.

    Are you trying to copy between 2 Explorer windows or one? If using one, try opening 2 windows to do the copying to and from. Can you still install any software at all? Like try this: ExplorerXP


    Yes let me know what happens.
     
  26. Merkava

    Merkava Private First Class

    Okay, I'm just now able to get back to the library.

    So here's the system restore message:

    "System Restore is not able to protect your computer. Please restart your computer, and then run System Restore again."

    Both system restore and the network connections/wizard are in the same state in both modes. Nuthin' doin'.

    I cannot move any files in any manner under any circumstances at present, be it between one window and the desktop, or between two windows, they just won't budge.

    I tried formatting the new HDD, but it wasn't detected and I got this message from the Local Disk Manager:

    "The RPC server is unavailable."

    Maybe I can get a flash memory device of some sort to swap downloads between comps, but I doubt it will be detected upon connecting it.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is difficult to help you when you do not answer all the questions being asked. Back in message # 21 I asked these:
    Please answer those questions now!


    Also in message # 25, I said:
    Please answer this directly but I assume the answer will be no since you seem to have problems copying files but I'm not sure if that means you cannot download in safe mode since the first question above was not answered.


    Can you get a new HijackThis log to attach?
     
  28. Merkava

    Merkava Private First Class

    I apologize. In replying, I've had to make changes and start my messages over, and I apparently forgot to include these things in the final draft.

    The batch file was gone with the first cleaning phase, I'm sure. I'll check again for it or anything similar.

    The situation with my network connections and connection wizard is identical in both modes. The connections that were set up have vanished and the wizard doesn't allow for another connection to be set up.

    As for being able to download software, the only possibility I can see is transferring files with a flash device. I just need to make sure it will be detected before I buy it, unless I can borrow one.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Unless you can get me new logs (the MGlogs.zip) from running GetLogs.bat and also a new HijackThis log, there is not much I can do for you. I'm not sure what happened to your PC but at the time of message # 14 you were free from malware. And all we did afterwards was remove some left over registry keys from an incomplete Symantec uninstall and this would not cause problems like you are experiencing. In fact at this point it is not even clear to me exactly what all your problems are anymore. Please list and describe them. You may be looking at a reinstall.
     
  30. Merkava

    Merkava Private First Class

    Okay, I ran system recovery, and I'm back online, but I'm still having some problems. I try to install AntiVir and I still get the same error message that doesn't give the option to continue -

    The CRC sum of C:\Program Files\AntiVir PersonalEdition Classic\SETUP>EXE has been changed! This could be due to a virus! Do you want to shut down Setup?

    Here are the latest logs.
     

    Attached Files:

  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Delete any copies you have of this program now and then follow the below instructions.


    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to ASP.NET State Service aspnet_statewinmgmt
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above to Stop and Disable the below two Services (if you do not find them or get any errors, just continue):
      • Distributed Link Tracking Client TrkWksShellHWDetection
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste aspnet_statewinmgmt into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below two Services (if you do not find them or get any errors, just continue):
      • TrkWksShellHWDetection
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,C:\WINDOWS\system32\makehm.exe,
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it
    double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    Now download and install the below:
    AntiVir Personal Edition

    You also need to install SpyBot-Search & Destroy since it seems to be gone:

    Now run CCleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 8 of the READ & RUN ME. This only applies if using WinXP or WinMe.
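A triage script for HijackThis-style log lines, added here as an example; it is not code from this thread, from HijackThis or from MajorGeeks. It checks the same kinds of entries chaslang picks out in message #5 and in the message above: O17 NameServer values outside the private address ranges, extra executables appended to the F2 UserInit chain, O4 Run entries whose program name is one character away from a Windows system binary, and a DLL registered both as an O2 BHO and as an O20 Winlogon Notify handler. The sample lines are constructed from ones quoted in the thread plus two benign lines (a private-address resolver and a clean UserInit chain); the SYSTEM_BINARIES list and the one-character look-alike heuristic are assumptions, not an HJT rule set, and each finding is something to verify against the machine, not a verdict.

```python
"""Triage of HijackThis-style log lines (added example, not thread or HJT code)."""
import ipaddress
import re
from collections import defaultdict

# Assumed list of system binaries whose names malware often imitates with a
# one-character change (e.g. "svhost.exe" standing in for "svchost.exe").
SYSTEM_BINARIES = sorted({
    "svchost.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "explorer.exe", "services.exe",
})

# Constructed sample: lines quoted in the thread mixed with two benign ones.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - C:\WINDOWS\system32\nnnnopm.dll
O2 - BHO: (no name) - {A3D589DB-37E0-461E-871B-4027749C9EA4} - C:\WINDOWS\system32\mlljj.dll
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.196 85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O20 - Winlogon Notify: mlljj - C:\WINDOWS\system32\mlljj.dll
O20 - Winlogon Notify: nnnnopm - nnnnopm.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,C:\WINDOWS\system32\makehm.exe,
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
"""


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path):
    """Lower-cased file name from a Windows path, quotes and HJT suffix removed."""
    path = path.strip().strip('"').replace(" (file missing)", "")
    return path.rsplit("\\", 1)[-1].lower()


def first_token(cmdline):
    """The program part of a Run command line, honouring double quotes."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0] if cmdline else ""


def triage(log_text):
    """Return (section, message) findings for the patterns a responder checks first."""
    findings = []
    dll_roles = defaultdict(set)  # DLL basename -> roles it is registered under
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if section == "O17" and "NameServer" in line:
            # Resolvers outside private ranges must match what the ISP/admin issued.
            for ip in re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", line):
                try:
                    public = not ipaddress.ip_address(ip).is_private
                except ValueError:
                    continue
                if public:
                    findings.append((section, f"NameServer {ip} is a public resolver; "
                                              f"confirm it is the one your ISP or admin issued"))
        elif section == "F2" and "UserInit=" in line:
            # Anything after userinit.exe runs at every logon.
            chain = [p for p in line.split("UserInit=", 1)[1].split(",") if p.strip()]
            extras = [basename(p) for p in chain if basename(p) != "userinit.exe"]
            if extras:
                findings.append((section, "extra executables chained into UserInit: "
                                          + ", ".join(extras)))
        elif section == "O4":
            m = re.search(r"\[(.*?)\]\s*(.*)$", line)
            if m:
                exe = basename(first_token(m.group(2)))
                for name in SYSTEM_BINARIES:
                    if exe != name and edit_distance(exe, name) == 1:
                        findings.append((section, f"Run entry [{m.group(1)}] launches {exe}, "
                                                  f"one character off from {name}"))
        elif section == "O2":
            dll_roles[basename(line.rsplit(" - ", 1)[1])].add("BHO")
        elif section == "O20" and "Winlogon Notify" in line:
            dll_roles[basename(line.rsplit(" - ", 1)[1])].add("Winlogon Notify")
    # Cross-entry check: one DLL hooked into both the browser and the logon process.
    for dll, roles in sorted(dll_roles.items()):
        if {"BHO", "Winlogon Notify"} <= roles:
            findings.append(("O2/O20", f"{dll} is registered both as a BHO and as a Winlogon Notify DLL"))
    return findings


if __name__ == "__main__":
    for section, message in triage(SAMPLE_LOG):
        print(f"{section:7} {message}")
```

Run it as-is to see the six findings from the sample, or pass the text of a real hijackthis.log to triage(). The O17 check deliberately flags every public resolver rather than keeping a blocklist, because the only reliable reference is the DNS settings the connection is supposed to have.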
     
  32. Merkava

    Merkava Private First Class

    By this do you mean "Distributed Link Tracking Client" AND "Distributed Link Tracking Client TrkWksShellHWDetection"? Because they are both listed. :confused
     
  33. Merkava

    Merkava Private First Class

    I went through a couple of steps but I thought I should update you on the HJT and MGLogs, since I don't have any malware protection - just in case I might have picked something else up along the way. I have ceased all web activity excluding this site, until I resolve the present issue.
     

    Attached Files:

  34. Merkava

    Merkava Private First Class

    Disregard the last post, these are the latest logs. Please bear in mind that I've had no anti virus. The AntiVir was attacked, I assume, because the guard wouldn't start, and the .exe file was corrupted (according to an error message).
     

    Attached Files:

  35. Merkava

    Merkava Private First Class

    Scratch that...THESE are the latest!!!
     

    Attached Files:

  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! I meant only the exact one specified! The other is valid!

    Did you complete all of my previous instructions exactly as given? If so, where is the Avenger log?

    Are you sure these new logs are from the same PC????? You have a ton of stuff in these logs that was not in your previous logs. And most of the items I asked you to fix in my previous message are still there too.

    If they are from the same PC, what else have you been doing besides working on this malware?
    Have you been surfing and downloading anything?
    Have you installed any software at all?


    We need to start over!!!


    Download this file - combofix.exe
    1. Double click combofix.exe & follow the prompts.
    2. When finished, it will produce a log ( C:\combofix.txt ) for you. Attach this log to your next reply. See: HOW TO: Attach Items To Your Post

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    4. the ComboFix log
    Make sure you tell me how things are working now!
     
  37. Merkava

    Merkava Private First Class

    Okay, no worries, I left the other alone. Yeah, it's the same comp. :eek:

    I've been overrun. I could tell for myself that there were a lot of new additions by comparing. I've always had antivirus software, so I realize I REALLY can't go surfing around at all without it now.

    I was messing about a bit, but I can see now that I can't without the proper protection. I've only downloaded and installed AntiVir (which didn't work), Avenger, CCleaner, even XP SP2, which didn't install. I tried to start over again with system recovery, but I got a BSOD. This looks like my only option.
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay I just edited my previous message because the message got corrupted as I saved it. Please re-read the last part with ComboFix instructions.
     
  39. Merkava

    Merkava Private First Class

    Well, I took it to a shop and they re-installed. It was all screwed up. It got to my connection again, so I got fed up. Thank you so much for your effort in trying to help me.
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

