surfsidekick

Discussion in 'Malware Help (A Specialist Will Reply)' started by kaneda_z, Dec 29, 2006.

  1. kaneda_z

    kaneda_z Private E-2

    When I run Spybot it says this is a problem and that it will be fixed, but it never is.

    It also lists:
    Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2

    Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

    Microsoft.WindowsSecurityCenter.AntiVirusOverride: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0

    Microsoft.WindowsSecurityCenter.FirewallDisabled: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\enablefirewall!=dword:1

    Microsoft.WindowsSecurityCenter.FirewallDisabled: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\enablefirewall!=dword:1

    Microsoft.WindowsSecurityCenter.FirewallDisableNotify: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

    Microsoft.WindowsSecurityCenter.FirewallOverride: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0

    Microsoft.WindowsSecurityCenter.SP2Update: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2!=dword:0

    Microsoft.WindowsSecurityCenter.UpdateDisableNotify: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0

    SurfSideKick: User settings (Registry value, nothing done)
    HKEY_USERS\S-1-5-21-854245398-1708537768-839522115-1003\Software\Microsoft\Internet Explorer\Security\sox_ver

    SurfSideKick: User settings (Registry value, nothing done)
    HKEY_USERS\S-1-5-21-854245398-1708537768-839522115-1003\Software\Microsoft\Internet Explorer\Security\sox_id

    SurfSideKick: User settings (Registry value, nothing done)
    HKEY_USERS\S-1-5-21-854245398-1708537768-839522115-1003\Software\Microsoft\Internet Explorer\Security\rpt


    --- Spybot - Search && Destroy version: 1.3 ---
    2006-12-08 Includes\Cookies.sbi
    2006-12-08 Includes\Dialer.sbi
    2006-12-08 Includes\DialerC.sbi
    2006-11-24 Includes\Hijackers.sbi
    2006-12-08 Includes\HijackersC.sbi
    2006-10-27 Includes\Keyloggers.sbi
    2006-12-08 Includes\KeyloggersC.sbi
    2004-05-12 Includes\LSP.sbi
    2006-12-08 Includes\Malware.sbi
    2006-12-08 Includes\MalwareC.sbi
    2006-10-20 Includes\PUPS.sbi
    2006-12-08 Includes\PUPSC.sbi
    2006-12-08 Includes\Revision.sbi
    2006-12-08 Includes\Security.sbi
    2006-12-08 Includes\SecurityC.sbi
    2006-10-13 Includes\Spybots.sbi
    2006-12-08 Includes\SpybotsC.sbi
    2005-02-17 Includes\Tracks.uti
    2006-12-08 Includes\Trojans.sbi
    2006-12-08 Includes\TrojansC.sbi

    I tried doing the regedit as described in your threads, but when I go into HKEY_CURRENT_USER etc. I can't find any ssk/SurfSideKick entries.

    Please help.
     
  2. kaneda_z

    kaneda_z Private E-2

    Here is my HijackThis log.

    EDIT: Removed inline log

    I was wondering what this is:

    [mthjjiul]

    It seems new and I can't turn it off.

    Finally, when I caught this last night it deleted all my restore points...
     
    Last edited by a moderator: Dec 29, 2006
  3. Sailor

    Sailor First Sergeant

    Spybot log says that something has completely disabled your Windows Security Centre. Seems like you have some malware, so better post in the malware removal forum. Before posting, read the Read and Run guide. If you had, you wouldn't post an in-line HJT log ;).
     
  4. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    kaneda_z, hi and welcome to the forum. As Sailor mentions above, to fully assist you in the removal of malware from your PC, follow the Read and Run link he posted; I have already moved your thread to the malware forum.

    The bullet points from the READ ME are below: the steps we need from you and the logs to attach.


    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.




    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  5. kaneda_z

    kaneda_z Private E-2

    Thanks guys, I'm going to work now and I'll have this tonight. Should I post in this thread or make a new one in the malware forum?

    mike
     
  6. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi

    Post in this thread, as it is now in the Malware Forum and also has some possibly needed info in what was left of your first post.

    Best to keep everything together :)
     
  7. kaneda_z

    kaneda_z Private E-2

    There's the first 3.
    I followed the instructions the best I could; I couldn't run CounterSpy while still in safe mode.
     

    Attached Files:

  8. kaneda_z

    kaneda_z Private E-2

    Here's all but the HijackThis file.
     

    Attached Files:

  9. kaneda_z

    kaneda_z Private E-2

    And here's the last one.

    If I F'ed anything up (other than my computer) please let me know.

    Thanks guys.
     

    Attached Files:

  10. kaneda_z

    kaneda_z Private E-2

    So does the lack of a response mean I'm in deep poo, or that no one has tried to figure out the problem?

    Thanks everyone.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! It just means we are busy with the holidays, real life and other threads. Posting this message is a bump and it cost you 3 days of wait time. Did you read this sticky: Don't Bump! It Only Hurts You!!!

    Please follow the directions in the sticky thread and use the proper version of Spybot. You are using a version that is almost 3 years out of date. Uninstall version 1.3, reboot, and then install the version we asked you to install in the READ ME. This time make sure you do not use TeaTimer. You had it running and we specifically request that it not be used in the READ ME. Then run a new scan and report what is found.

    Also you need to uninstall this very old Sun Java version ( Java 2 Runtime Environment, SE v1.4.2_04 ) and then install the one requested in step 6 of the READ ME.

    Also you need to follow the directions in step 0 of the READ ME and set MSConfig to Normal Startup.

    Then you need to also complete the directions in step 2 of the READ ME. You did not follow step 2 exactly as specified. You have file extensions being hidden.

    Do you know what the below file is? It was created on Dec 31st:
    C:\WINDOWS\system32\pfdnnt_actions.sys

    Did you setup this Proxy Server setting?
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 24.123.6.122:80

    If not, please have it scanned with this: http://virusscan.jotti.org/

    After doing ALL of the above, continue with the below!

    Continue by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)
    Also make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of pnaapna.dll once and then click the kill button. After you have killed all of the pnaapna.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of pnaapna.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of pnaapna.dll and kill it. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - (no file)
    O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O2 - BHO: C:\WINDOWS\lbbho.dll - {3F936665-2837-4F15-B7BC-56ADBC2B5F23} - C:\WINDOWS\lbbho.dll (file missing)
    O2 - BHO: Visual Renderer - {4F8561AF-2827-9C96-797D-78507D6B1083} - C:\WINDOWS\system\mswstl32.dll
    O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6motq.dll
    O2 - BHO: (no name) - {E02B29C8-A005-4CED-B9BA-F3C435A9DA58} - C:\WINDOWS\system32\pnaapna.dll
    O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Music Alarm Clock] C:\PROGRA~1\MUSICA~1\mac.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\mjdwkkqw.exe
    O4 - HKCU\..\Run: [WinUpdate] "C:\DOCUME~1\Owner\LOCALS~1\Temp\61609.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe
    O20 - Winlogon Notify: djpzioeb - C:\WINDOWS\SYSTEM32\pnaapna.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\WINDOWS\system\mswstl32.dll
    C:\WINDOWS\System32\mjdwkkqw.exe
    C:\WINDOWS\system32\pawxdepy.exe
    C:\WINDOWS\system32\vqqmsxxy.exe
    C:\WINDOWS\system32\vqsvxbqt.exe
    C:\WINDOWS\system32\ert.dll
    C:\WINDOWS\system32\hiiyzrpt.dll
    C:\WINDOWS\system32\idhvhri.dll
    C:\WINDOWS\system32\ipv6motq.dll
    C:\WINDOWS\system32\pnaapna.dll
    c:\windows\system32\hsenj.ocx
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete if found:
    c:\program files\imesh
    c:\program files\Music Alarm Clock

    Also delete all files and subfolders in the below folder except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Documents and Settings\Owner\Local Settings\Temp\

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
     
    Last edited: Jan 3, 2007
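The HijackThis lines chaslang picked out above follow a handful of rules a malware helper applies by eye: autoruns that launch an executable out of a Temp directory, random-looking filenames in the Windows directory, unnamed BHOs with a file on disk, any Winlogon Notify or ShellServiceObjectDelayLoad entry, a service with no vendor information, and a proxy set in HKCU. The script below is an added example, not HijackThis code and not part of the thread: it applies those rules to sample lines taken from the post, plus the QuickTime and UserFaultCheck entries that a good rule set must leave alone. The severity labels and the looks_random heuristic are my own choices, not HijackThis's, and the script only ranks lines for a human; it fixes nothing.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example, not part of the original thread and not HijackThis code: it
ranks lines for a human to review and fixes nothing. SAMPLE_LOG is
assembled from lines quoted in the post above plus two benign entries
(QuickTime Task, UserFaultCheck) that must not be flagged.
"""
import re

HJT_LINE = re.compile(r"^(R\d|O\d+) - (.*)$")
SYSTEM_DIR = re.compile(r"(^|\\)(windows|winnt|%systemroot%)\\system(32)?\\", re.I)
TEMP_DIR = re.compile(r"\\temp\\", re.I)
VOWELS = "aeiouy"


def looks_random(filename):
    """True for names like mjdwkkqw.exe: letters only (trailing digits are
    ignored, so mswstl32 is judged as 'mswstl') and a run of four or more
    consonants. Crude on purpose; it feeds a review list, not a deletion."""
    stem = re.sub(r"\d+$", "", filename.rsplit(".", 1)[0].lower())
    if not re.fullmatch(r"[a-z]{6,12}", stem):
        return False
    return max(len(run) for run in re.split("[%s]+" % VOWELS, stem)) >= 4


def command_path(command):
    """Executable path from an O4 command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def triage(line):
    """Return (severity, reason) for a suspicious HJT line, else None."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    low = body.lower()
    if section == "R1" and "proxyserver" in low:
        return ("review", "HKCU proxy set; confirm the user configured it")
    if section in ("O2", "O3") and ("(no file)" in low or "(file missing)" in low):
        return ("low", "orphaned CLSID, file already gone; safe to fix")
    if section == "O2":
        path = body.rsplit(" - ", 1)[-1]
        if low.startswith("bho: (no name)"):
            return ("high", "unnamed BHO with a file on disk loads into every IE process")
        if SYSTEM_DIR.search(path) and looks_random(path.split("\\")[-1]):
            return ("high", "BHO with a random-looking filename in the Windows directory")
    if section == "O4":
        path = command_path(body.split("] ", 1)[-1])
        if TEMP_DIR.search(path):
            return ("high", "autorun launches an executable from a Temp directory")
        if SYSTEM_DIR.search(path) and looks_random(path.split("\\")[-1]):
            return ("high", "autorun launches a random-looking filename from the Windows directory")
    if section == "O20" and low.startswith("winlogon notify"):
        return ("high", "non-default Winlogon Notify DLL, loaded by winlogon.exe as SYSTEM")
    if section == "O21":
        return ("high", "ShellServiceObjectDelayLoad entry, loaded by explorer.exe at logon")
    if section == "O23" and "unknown owner" in low:
        return ("review", "service with no vendor information")
    return None


def triage_log(text):
    """Flagged lines, worst first: [(severity, reason, line), ...]."""
    rank = {"high": 0, "review": 1, "low": 2}
    hits = []
    for line in text.splitlines():
        hit = triage(line)
        if hit:
            hits.append((hit[0], hit[1], line.strip()))
    return sorted(hits, key=lambda h: rank[h[0]])


# Lines quoted from the post above plus two benign autoruns; not a full log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 24.123.6.122:80
O2 - BHO: (no name) - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - (no file)
O2 - BHO: Visual Renderer - {4F8561AF-2827-9C96-797D-78507D6B1083} - C:\WINDOWS\system\mswstl32.dll
O2 - BHO: (no name) - {E02B29C8-A005-4CED-B9BA-F3C435A9DA58} - C:\WINDOWS\system32\pnaapna.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\mjdwkkqw.exe
O4 - HKCU\..\Run: [WinUpdate] "C:\DOCUME~1\Owner\LOCALS~1\Temp\61609.exe"
O20 - Winlogon Notify: djpzioeb - C:\WINDOWS\SYSTEM32\pnaapna.dll
O23 - Service: Service - Unknown owner - C:\WINDOWS\system32\Service.exe
"""

if __name__ == "__main__":
    for severity, reason, line in triage_log(SAMPLE_LOG):
        print("%-6s %s\n       %s" % (severity, reason, line))
```

The entry name is deliberately ignored: "Cryptographic Service" and "WinUpdate" are chosen to look like Windows components, and only the path and filename give them away. Anything the script ranks "high" still deserves a look at the file itself (creation date, a scan at a multi-engine service) before it is removed, which is exactly what chaslang asks for with pfdnnt_actions.sys above.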
  12. kaneda_z

    kaneda_z Private E-2

    Sorry guys,
    no I did not read the sticky on bumping.

    Also I did not know my Spybot was out of date.
    I did not mess with the defaults and could find no TeaTimer; I'm guessing since I was using the older version.


    Java 2 Runtime Environment was something I missed. It took me hours to try and do everything properly, as I am not as computer savvy as I thought.

    "Also you need to follow the directions in step 0 of the READ ME and set MSConfig to Normal Startup.

    Then you need to also complete the directions in step 2 of the READ ME. You did not follow step 2 exactly as specified. You have file extensions being hidden."

    I thought I did these correctly the first time. Is it possible that whatever is wrong with my comp is preventing all processes from being shown?
    I'll go through the steps again.
    I'll do that now and come back and just edit this post so as not to bump.
     
  13. kaneda_z

    kaneda_z Private E-2

    OK, I tried to just edit and my comp crashed; now I can't edit.

    So I scanned C:\WINDOWS\system32\pfdnnt_actions.sys
    and it read
    "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"

    Every time I try to scan
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 24.123.6.122:80

    it says
    Uploading file, please wait...
    I tried a couple of times and let it sit for over 20 minutes.

    Should I continue with Process Explorer or Killbox?
     
  14. kaneda_z

    kaneda_z Private E-2

    It seems to be running pretty well now.
    I still can't open the controls for my firewall and things like that, which worries me.

    Here are the files you requested.

    I was not able to see the following lines under HJT to fix:

    O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6motq.dll
    O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    Thanks for all your time, and if you have any idea as to why I can't access my firewall settings I'd greatly appreciate it.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No, you still don't have them set properly, and it is possibly due to the fact that you ignored the instructions about not using Spybot's TeaTimer. It is not turned on by default, so you had to change the options to enable it, and you were not supposed to do this.

    Now Disable Spybot's TeaTimer
    • Run Spybot and click Mode
    • Select Advanced Mode.
    • Then click Tools and select Resident.
    • Now in the right window pane, uncheck TeaTimer.
    • Also while this is open, in the left column now select IE Tweaks
    • and then in the right pane make sure all the Miscellaneous locks are unchecked.
    • Now quit Spybot!
    Now do step 2 of the READ ME again!

    You did not uninstall Java 2 Runtime Environment, SE v1.4.2_04 as requested. You were supposed to uninstall this before installing the new version.


    You should now also uninstall the trial version of CounterSpy that we installed. We are finished with it.


    Did you setup this Proxy Server setting? If not, have HJT fix this R1 line.
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 24.123.6.122:80

    Now attach new logs from GetRunKey and ShowNew!
     
    Last edited: Jan 4, 2007
  16. kaneda_z

    kaneda_z Private E-2

    I'm sorry, but this is how it is currently set up.
    I didn't have to change anything,
    nor did I touch any of the settings when I installed it; TeaTimer is and has been turned off.


    You are right about the
    I have since uninstalled this and reinstalled the new version; I also removed CounterSpy.


    I think I figured out what I was doing wrong and why some files remained hidden:
    the Windows XP and Windows 2000 instructions are different.
    I wasn't following this instruction, and I'm sorry; it should be correct now.

    - Uncheck the Hide extensions for known file types option.

    I'm gonna run HJT and will post the 2 logs in my next post.
     
  17. kaneda_z

    kaneda_z Private E-2

    I fixed that R1 line and here are the new logs.
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I still see this:

    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    Which means Teatimer is still being run! Run HijackThis and have it fix that line. Then reboot and attach a new HJT log.
     
  19. kaneda_z

    kaneda_z Private E-2

    Crap, wait, I didn't reboot first.
     

    Attached Files:

  20. kaneda_z

    kaneda_z Private E-2

    OK, here is the log after I rebooted.
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay now have HJT fix the below lines:
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

    Did you install the below packet capture service? Was it needed for some gaming application you are playing or do you use it yourself?
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

    Attach new logs from HJT and ShowNew.


    Are you having anymore malware problems?
     
  22. kaneda_z

    kaneda_z Private E-2

    I still seem to be having some problems.

    I'll be playing BF2142 or Warhammer 40k and my screen will minimize every few minutes, and every once in a while when it shows the desktop a porn ad will pop up...

    Here are the logs.
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It took you 15 days to respond to my last message and you did not even answer all my questions. Did you knowingly download WinPcap? And let me add Ethereal to that question. They are not malware but could be used by hackers, so I need to just know that you installed them and not someone else.

    In 15 days the status of your malware could have totally changed, especially since you did not follow up so we could complete your fixes and get you better protected. You do have a bunch of new infections due to waiting too long to respond, and also probably due to where you have been surfing with your PC unprotected. This time make sure you work your problems more quickly and also work through until we are finished.

    How many versions of Limewire do you have installed? Note that many versions of Limewire are bundled with malware. And something normally associated with P2P programs like Kazaa and Limewire (or perhaps eFileGo 3.01, which you have installed and I had not got around to fixing last time) has put some bad stuff on your PC. The below two links list a couple:
    http://www.symantec.com/security_response/print_writeup.jsp?docid=2002-112614-4025-99

    http://www.sophos.com/security/analyses/trojcimuzaj.html - this one is also called Infostealer.Bzup which is a Trojan horse that steals confidential banking information from the compromised computer.


    Read the following about eFileGo 3.01: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-4623

    You need to Uninstall eFileGo now!!!!



    Start by doing the below:
    • make sure you run CCleaner and make sure that the below folder gets cleaned up when CCleaner is run:
      • C:\Documents and Settings\Owner\Local Settings\Temp
    • Now download, install and update this: AVG Free Edition (make sure you download from this link to get the current version).
    • Then reboot into safe mode and use AVG to run a full scan of ALL files and fix problems found.
    • Post a log of anything that is found.
    • Then reboot into normal mode and run a second scan and also post this log too.
    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\WINDOWS\system32\Service.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6mons.dll
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [WinUpdate] "C:\DOCUME~1\Owner\LOCALS~1\Temp\75171.exe
    O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Owner\LOCALS~1\Temp\75125.exe
    O21 - SSODL: IEFilter - {CFD219CF-59D6-4022-83A7-E3321B682BC1} - C:\WINDOWS\system32\IEFilter.dll

    After clicking Fix, exit HJT.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\Owner\Local Settings\Temp\75171.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\75125.exe
    C:\WINDOWS\system32\gpjfaaaa.exe
    C:\WINDOWS\system32\gprqobkm.exe
    C:\WINDOWS\system32\sdaekaaa.exe
    C:\WINDOWS\system32\sdganaaa.exe
    C:\WINDOWS\system32\vutbtjno.exe
    C:\WINDOWS\system32\IEFilter.dll
    C:\WINDOWS\system32\ipv6mons.dll
    C:\WINDOWS\system32\wsys.dll
    C:\WINDOWS\system32\main.sys
    C:\WINDOWS\system32\reg.sys
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete if found:
    C:\Documents and Settings\Owner\Local Settings\Application Data\Sunbelt Software

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Joe Santoro\Local Settings\Temp

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
     
    Last edited: Jan 25, 2007
  24. kaneda_z

    kaneda_z Private E-2

    Sorry man,

    I've been traveling a lot (Baltimore, Philly, NYC) but my ex has been taking care of my cats and obviously F'ing up my computer.

    I'll do what you asked and post everything once completed.

    Thanx
     
  25. kaneda_z

    kaneda_z Private E-2

    OK, first, I cannot delete or uninstall eFileGo;
    it says that an error has occurred and that it may already be uninstalled.

    Second, I can't run AVG in safe mode.
    I got to 58 items scanned in 10 minutes and then it sat there and did nothing for another 20; I tried doing it twice.

    When I ran it in normal mode it scanned over 58,000 items in about 24 minutes and found/deleted 3 trojans. I can't figure out how to copy the file, but one of them was in my HJT folder under one of the backups...
     
  26. kaneda_z

    kaneda_z Private E-2

    I did everything else from above.

    "If you receive a PendingFileRenameOperations prompt"
    No, I did not receive this message.



    C:\WINDOWS\Temp
    C:\Documents and Settings\Joe Santoro\Local Settings\Temp

    There was nothing in that Windows folder.
    I did not have a "Joe Santoro" folder; did you mean Owner?

    And here are my logs.


    And it seems to be running well, but I still can't set up my firewall.
     

    Attached Files:

  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please answer my question about WinPcap and Ethereal from message # 23.

    Yes! That was supposed to be edited to say owner!


    You still have malware issues! But what firewall are you referring to? If you mean the Windows Firewall, it is not a true firewall anyway, and we don't want to use it long term.

    Why did you disable the below service?
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
    "ProductivITService"=dword:00000002


    You need to download and use the current versions of GetRunKey and ShowNew from now on. They have been updated since you last downloaded them.

    What did you do on Feb 1st that caused your C:\windows\system32\winlogon.exe file to be changed? Also, where did the below come from? It was not in your last ShowNew log:
    Code:
    "C:\WINDOWS\system32\"
    socks_~1.dll  Jan 25 2007       49152  "socks_dll.dll"
    
    Let's remove a new rogue service that just showed up!
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    Run HijackThis and select the following lines (some may no longer appear) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6mons.dll (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [WinMedia] "C:\DOCUME~1\Owner\LOCALS~1\Temp\75125.exe"
    O4 - HKCU\..\Run: [WinUpdate] "C:\DOCUME~1\Owner\LOCALS~1\Temp\75171.exe"
    O21 - SSODL: IEFilter - {CFD219CF-59D6-4022-83A7-E3321B682BC1} - C:\WINDOWS\system32\IEFilter.dll (file missing)
    O23 - Service: Service - Unknown owner - C:\WINDOWS\system32\Service.exe

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\WINDOWS\system32\Service.exe
    C:\Documents and Settings\Owner\Local Settings\TEMP\75171.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey - make sure you have the new version first
    2. ShowNew - make sure you have the new version first
    3. HJT
    Make sure you tell me how things are working now!
     
    Last edited: Feb 1, 2007
