Reinfected

Discussion in 'Malware Help (A Specialist Will Reply)' started by LauraR, Oct 11, 2007.

  1. LauraR

    LauraR MajorGeeks Super-Duper Administrator Staff Member

    This is a friend's computer that is back again. :rolleyes: I cleaned it for her in August and it's reinfected. She has protection installed, so I'm not sure how she is still getting Trojans, dialers, viruses, etc.

    The logs are attached:
     
    Last edited: Aug 7, 2009
  2. LauraR

    LauraR MajorGeeks Super-Duper Administrator Staff Member

    The rest of the logs:


    Thank you in advance!

    I told her after the last time I wouldn't do it again and here I am.:p

    eta...the scans helped because the PC-Cillin was doing constant warnings of Trojans trying to access the internet.
     
    Last edited: Aug 7, 2009
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not proper protection. There is no realtime antispyware blocking tool installed as stated in the How to protect yourself thread. And did your friend read and understand that thread? No amount of protection can protect the end user from themselves if they do the wrong thing.

    Do the below while I look thru all the logs!

    Uninstall the CounterSpy trial now since we are finished with it.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


    Now install Comodo BOClean Anti-Malware which provides free realtime protection too.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After you complete the instructions in message # 3, continue with the below.

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Print Spooler Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste liogyqateyaaoub into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [yhp] C:\WINDOWS\system32\yhp.exe
    O4 - HKLM\..\Run: [evaxuxz] C:\WINDOWS\system32\evaxuxz.exe
    O4 - HKLM\..\Run: [pontgquqxurh] C:\WINDOWS\system32\pontgquqxurh.exe
    O4 - HKLM\..\Run: [uhpfhbxahcmg] C:\WINDOWS\system32\uhpfhbxahcmg.exe
    O4 - HKLM\..\Run: [jkwojuummxmq] C:\WINDOWS\system32\jkwojuummxmq.exe
    O4 - HKLM\..\Run: [wfjarjvq] C:\WINDOWS\system32\wfjarjvq.exe
    O4 - HKLM\..\Run: [cmprd] C:\WINDOWS\system32\cmprd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [srowwm] C:\WINDOWS\system32\srowwm.exe
    O4 - HKLM\..\Run: [dnj] C:\WINDOWS\system32\dnj.exe

    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 8 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  5. LauraR

    LauraR MajorGeeks Super-Duper Administrator Staff Member

    I explained it to her since I did it for her last. I installed spybot and spyware blaster last time. I thought those were real time blockers.:eek:


    So I should totally remove it? I thought Outlook needed it. I had disabled it before.


    Done
     
  6. LauraR

    LauraR MajorGeeks Super-Duper Administrator Staff Member

    First, after downloading Comodo it said to reboot. I think that must have changed the names on some of the files in your HijackThis instructions.



    A screen popped up saying that it was in use and needed to close first. (just in case that is not the error message you were talking about)

    I couldn't find some of them as noted above. A few of them looked funky, but you hadn't mentioned them so I didn't delete.

    Chas, I'm really sorry, but I can't find the avenger log. The only two that are there are the ones from August that I guess were not deleted. Should I redo the avenger step? Also, should I delete all of the old stuff first?
     
    Last edited: Aug 7, 2009
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Read the How to protect link again.;)


    I repeat, do not confuse Windows Messenger with MSN Messenger. Does your friend use MSN Messenger? I did not see it installed.

    Did you miss fixing the Print Spooler Service? I still see it. I did say to ignore error messages!
     
  8. LauraR

    LauraR MajorGeeks Super-Duper Administrator Staff Member

    haha...I did after your post.:eek: Did you change your info??;) jk


    hmmm...I don't think so. ::going to delete it::

    I did do that part. I'll go back and do it again.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run Avenger? It does not look like it based on your logs. Yes, repeat the previous procedure (including the Print Spooler Service removal) and then attach all new logs. Also add the below to the HJT fix part since these need to be fixed:

    F3 - REG:win.ini: load=
    F3 - REG:win.ini: run=
    O4 - HKLM\..\Run: [zwxyjpdoiqzk] C:\WINDOWS\system32\zwxyjpdoiqzk.exe
     
  10. LauraR

    LauraR MajorGeeks Super-Duper Administrator Staff Member

    Yes, I did run it. It seemed to go well, but then a log wasn't generated. So, I guess maybe I screwed up except I ran it again. This time there were error messages (it was also the log) so I have no idea if it took.:


    I deleted Windows Messenger and disabled the Print Spool Service (I had disabled plain Print spool before, so I re-enabled that).
     
    Last edited: Aug 7, 2009
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is not running properly. Shutdown your antivirus program and Comodo BO Clean and try again right now. Do this before continuing on to the below.


    You still did not get this service STOPPED and Disabled and then Deleted with HijackThis. There are 3 steps (Stop, disable, delete). Make sure you are referring to the service name I gave. ......... In fact let's take another approach which may do this automatically.


    Download this file - combofix.exe
    1. Double click combofix.exe & follow the prompts.
    2. When finished, it will produce a log ( C:\combofix.txt ) for you. Attach this log to your next reply. See: HOW TO: Attach Items To Your Post
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    4. the ComboFix log
    Make sure you tell me how things are working now!
     
  12. LauraR

    LauraR MajorGeeks Super-Duper Administrator Staff Member

    I ran your first instructions for stopping, disabling and deleting print spool service. It was back on reboot so I ran combofix.

    Avenger ran after I disabled comodo and pc-cillin.

    Logs attached.
     
    Last edited: Aug 7, 2009
  13. LauraR

    LauraR MajorGeeks Super-Duper Administrator Staff Member

    hjt
    shownew
    getrunkey


    eta...I have not rebooted. Also, I am not getting any more warnings from Trendmicro or Comodo...so far, anyway.
     
    Last edited: Aug 7, 2009
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, that Print Spooler Service may be coming back because it keeps changing file names. There were about a dozen or more processes associated with it. Thus we will have to keep repeating steps until we get all of them.

    Make sure that when you do the below steps that you follow the directions exactly. It is critical that you Stop, Disable and then later Delete the NT Service.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Print Spooler Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste liogyqateyaaoub into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [zwxyjpdoiqzk] C:\WINDOWS\system32\zwxyjpdoiqzk.exe
    O23 - Service: Print Spooler Service (liogyqateyaaoub) - Unknown owner - C:\WINDOWS\system32\zwxyjpdoiqzk.exe


    After clicking Fix, exit HJT.

    • Now run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 8 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
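Added example (not from this thread, HijackThis or any of the tools named here): a small Python scanner that applies the two checks chaslang makes by hand in messages 4 and 14 to HJT log lines, flagging O4 Run entries that point at a random lowercase-named executable in system32 and O23 services whose display name imitates Print Spooler but whose service name or image file is not the real Spooler/spoolsv.exe. The sample log is constructed from the lines quoted in the thread, and the KNOWN_SERVICES allowlist is an assumed starting point holding only the Print Spooler entry.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample modelled on the HJT lines quoted in this thread (not a real log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [zwxyjpdoiqzk] C:\WINDOWS\system32\zwxyjpdoiqzk.exe
O4 - HKLM\..\Run: [yhp] C:\WINDOWS\system32\yhp.exe
O23 - Service: Print Spooler Service (liogyqateyaaoub) - Unknown owner - C:\WINDOWS\system32\zwxyjpdoiqzk.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<display>.+?) \((?P<svc>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$')

# Display-name prefix -> (real service name, real image file). Only the Print Spooler
# entry from this thread is listed; this is an assumed starting allowlist, extend as needed.
KNOWN_SERVICES = {"print spooler": ("spooler", "spoolsv.exe")}

def _exe_path(cmd):
    """Return the executable path from a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]

def scan_hjt(text):
    """Return the O4/O23 lines that match the patterns seen in this thread."""
    findings = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            path = PureWindowsPath(_exe_path(m["cmd"]))
            in_sys32 = "system32" in (p.lower() for p in path.parts)
            stem = path.stem
            # Thread pattern: lowercase random name, identical to the value name, living in system32.
            if in_sys32 and stem.isalpha() and stem.islower() and stem == m["name"]:
                findings.append({"item": "O4", "name": m["name"], "path": str(path)})
            continue
        m = O23_RE.match(line)
        if m:
            path = PureWindowsPath(m["path"].strip())
            for prefix, (svc, image) in KNOWN_SERVICES.items():
                # Display name mimics a known service but the service name or image differs.
                if m["display"].lower().startswith(prefix) and (
                        m["svc"].lower() != svc or path.name.lower() != image):
                    findings.append({"item": "O23", "name": m["svc"], "path": str(path)})
    return findings
```

Running scan_hjt(SAMPLE_LOG) reports the two random-named Run entries and the fake liogyqateyaaoub service while leaving the Java updater and the genuine Spooler entry alone.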
  15. LauraR

    LauraR MajorGeeks Super-Duper Administrator Staff Member

    Everything went fine except I couldn't find:

     
    Last edited: Aug 7, 2009
  16. LauraR

    LauraR MajorGeeks Super-Duper Administrator Staff Member

    HJT Log
     
    Last edited: Aug 7, 2009
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And that is good because it means it finally got removed by the other steps. ;)

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  18. LauraR

    LauraR MajorGeeks Super-Duper Administrator Staff Member

    Thanks again Chas!


    Alright...so on her computer she has:

    PC-cillin Firewall/antivirus (subscription good thru 2009)
    Spybot
    Adaware
    Spyware Blaster
    and now Comodo BOclean

    Is that sufficient or should I add something else to the laptop?

    I have already told her many times (after the first cleaning) that she has to watch where her boys go. That obviously didn't work, so I'll do it again and email your Protect yourself link.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are using the old version of Spybot. Uninstall it, and use the new version 1.5 given in the READ & RUN. It will add a lot more items when you use the Immunization feature. Since you have Comodo BOclean, make sure you uncheck the install of Spybot's Teatimer because the new version will have it checked to use during installation.

    Is Windows up to date with all updates? Are the other settings in the How to protect thread set up?
     
  20. LauraR

    LauraR MajorGeeks Super-Duper Administrator Staff Member

    I'll go through that too.

    Thank you!:)
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!
     
