need help with my malware please!

Discussion in 'Malware Help (A Specialist Will Reply)' started by guyontheleft, Jan 23, 2007.

  1. guyontheleft

    guyontheleft Private E-2

    My computer was starting to run slower, and I noticed a lot of processes running. Also, with msconfig set to normal startup, there are some extra things starting including two things with nothing but squares as a name (can't read the name, shows squares where characters should be). These display four errors whenever windows is started.

    I did all that was asked in the "READ & RUN ME FIRST". After seeing zlob a couple times, I took a stab and did the "SpywareQuake & SpyFalcon Removal Procedure" but that didn't appear to find anything. I also tried the "About:Blank and HSA Hijacker - Simplified Removal" since I've seen browser windows titled "about:blank".

    While I'm at it, not malware, but I'm also having problems with windows installer. Ever since I borrowed a printer, and even while I was using the printer, windows installer pops up every time I plug in a device or put in a disc. It says something like please wait while Windows configures to hp psc 1200 series. If somebody can help me stop that too, I'd be thankful.

    Attached:
    CounterSpy log
    Bitdefender log
    Panda ActiveScan log

    The rest is to come.

    Thanks for looking!
     

    Attached Files:

  2. guyontheleft

    guyontheleft Private E-2

    Attached:
    GetRunKey log
    ShowNew log
    smitRem log
     

    Attached Files:

  3. guyontheleft

    guyontheleft Private E-2

    Attached:
    -The two about:Buster logs. The first one was run in normal mode, the second in safe mode.
    -HijackThis log


    Thanks!
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You may have noticed that much of your malware is coming from Messenger Plus, eDonkey, and NewDotNet Browser Plug-in.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Go to Start / Run and type "cleanmgr" without quotes. Have it clean Temp. Internet files, and Temp files.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    F3 - REG:win.ini: load=????
    F3 - REG:win.ini: run=????
    O4 - HKLM\..\Run: [Pure dead part move] C:\Documents and Settings\All Users\Application Data\Hide Bin Pure Dead\Sign Open.exe
    O4 - HKLM\..\Run: [Pure dead part move] C:\Documents and Settings\All Users\Application Data\Hide Bin Pure Dead\Sign Open.exe
    O4 - HKCU\..\Run: [Kou9RRJqW] mmcodak.exe
    O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

    After clicking Fix, exit HJT.

    Please attach a new:
    GetRunKeys
    ShowNew
    HJT


    Be sure to tell us how things are running.
     
  5. guyontheleft

    guyontheleft Private E-2

    Thanks.

    That stopped the four errors from popping up when Windows starts, but the computer is still running slow. Also, I noticed that all the same programs loaded on startup, but their icons didn't remain on the taskbar notification area as usual (not sure if that really matters).

    I attached the new logs
     

    Attached Files:

    Last edited: Jan 24, 2007
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run this Disable/Remove Windows Messenger to remove Windows Messenger.

    Uninstall the below old versions of software:
    J2SE Development Kit 5.0 Update 7
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 7
    J2SE Runtime Environment 5.0 Update 8
    J2SE Runtime Environment 5.0 Update 9
    Java 1.1: Sample Files
    Java 2 SDK Standard Edition v1.2.2

    Make sure to reboot after uninstalling the above.

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    If you need the Sun Java Development kit you can get it here: http://java.sun.com/javase/downloads/index.jsp


    I see Ewido Anti-Malware and Ewido Security Suite installed. Are these paid versions or free trial versions?

    Okay now uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders left behind by the uninstall:
    C:\Documents and Settings\Owner\Local Settings\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software


    Did you install Select Cashback?

    Do you know what the below file is for?
    Code:
    "C:\WINNT\"
    cadkas~1.exe  Mar  9 2006       74752  "cadkasdeinst01e.exe"
     
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [5F5V35l] mmkntz.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O16 - DPF: {C7932801-AF0C-11D6-8137-0050DA5F0293} - http://www.grokster.com/rdx/RdxIE.cab
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    c:\winnt\system32\mmkntz.exe
    C:\Program Files\Messenger Plus! 2 <--- the whole folder if found
    C:\Documents and Settings\All Users\Application Data\Hide Bin Pure Dead <--- the whole folder if found


    Now reboot in normal mode

    Now run Ccleaner.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now! Also be sure to answer questions!


    Things to think about since you are complaining of performance!
    1. Do you use Kontiki Secure Delivery? If not, uninstall Secure Delivery.
      • O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe
    2. Do you use the below DIGStream stuff?
      • O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
      • O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
    3. Did you knowingly install/setup the below on your network and do you use these? Are they working properly?
      • O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
      • O23 - Service: dev4_423 - Unknown owner - C:\phpdev\Apache\Apache.exe" --ntservice (file missing)
      • O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
      • O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
     
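    The two expert replies above apply the same triage rules to the HijackThis output: entries marked "(file missing)" or "(no file)" are orphans to be fixed, O4 entries that name a bare executable (mmcodak.exe, mmkntz.exe) with a random-looking key name are flagged, and executables living under Application Data are treated as suspect. The script below is an added example that is not part of this thread and not HijackThis or any MajorGeeks tool; it parses HJT-style O4/O23 lines (the sample input is copied from the log excerpts quoted in this thread and is constructed for the example) and raises those same flags so a log can be pre-screened before a human reviews it. The regular expressions and the random-name heuristic are the editor's assumptions, not something the page or HijackThis defines.

```python
import re

# Sample HijackThis lines copied from the excerpts quoted in this thread.
# Constructed example input: for real use, read an HJT log file line by line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Pure dead part move] C:\Documents and Settings\All Users\Application Data\Hide Bin Pure Dead\Sign Open.exe
O4 - HKCU\..\Run: [Kou9RRJqW] mmcodak.exe
O4 - HKLM\..\Run: [5F5V35l] mmkntz.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
"""

# Line shapes used by HJT for registry Run keys, startup folders and services (editor's assumption).
RUN_KEY = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
STARTUP = re.compile(r'^O4 - (?P<hive>Startup|Global Startup): (?P<name>.+?) = (?P<cmd>.*)$')
SERVICE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$')
GENERIC = re.compile(r'^(?P<kind>O\d+) - (?P<cmd>.*)$')
# First absolute path (drive letter or %VAR%) or bare file name with a binary extension.
BINARY = re.compile(
    r'(?P<path>(?:[A-Za-z]:\\|%\w+%\\)[^"]*?\.(?:exe|sys|dll)|\b[\w.-]+\.(?:exe|sys|dll)\b)',
    re.IGNORECASE,
)


def looks_random(token):
    """Heuristic for generated names such as 'Kou9RRJqW', '5F5V35l' or 'mmkntz'."""
    stem = token.rsplit(".", 1)[0]
    if len(stem) < 5:
        return False
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    has_digit = any(c.isdigit() for c in stem)
    has_upper = any(c.isupper() for c in stem)
    has_lower = any(c.islower() for c in stem)
    # Mixed case with digits and few vowels (Kou9RRJqW, 5F5V35l).
    if has_digit and has_upper and has_lower and vowels / len(stem) < 0.25:
        return True
    # All-lowercase consonant strings (mmkntz); excludes upper-case driver names like PCTKRNT.
    return stem.isalpha() and stem.islower() and vowels == 0


def parse_line(line):
    """Return (kind, entry name or None, command text) for a recognised HJT line."""
    for kind, pattern in (("O4", RUN_KEY), ("O4", STARTUP), ("O23", SERVICE)):
        m = pattern.match(line)
        if m:
            return kind, m.group("name"), m.group("cmd")
    m = GENERIC.match(line)
    if m:
        return m.group("kind"), None, m.group("cmd")
    return None


def triage(lines):
    """One finding per recognised line: the binary it references and the flags raised."""
    findings = []
    for line in lines:
        line = line.strip()
        parsed = parse_line(line)
        if not parsed:
            continue
        kind, name, cmd = parsed
        m = BINARY.search(cmd)
        binary = m.group("path") if m else None
        basename = binary.rsplit("\\", 1)[-1] if binary else ""
        flags = []
        if "(file missing)" in line or "(no file)" in line:
            flags.append("file missing")      # orphaned entry, candidate for an HJT fix
        if kind == "O4" and binary and "\\" not in binary:
            flags.append("bare filename")     # resolved via PATH search; check system32
        if (name and looks_random(name)) or looks_random(basename):
            flags.append("random name")
        if binary and any(d in binary.lower() for d in ("application data", "local settings", "\\temp\\")):
            flags.append("data directory")    # program binaries do not normally live here
        findings.append({"line": line, "kind": kind, "name": name, "binary": binary, "flags": flags})
    return findings


def suspicious(lines):
    """Only the findings that raised at least one flag."""
    return [f for f in triage(lines) if f["flags"]]


if __name__ == "__main__":
    for f in suspicious(SAMPLE_LOG.splitlines()):
        print(f"{f['kind']:<4} {', '.join(f['flags']):<28} {f['line']}")
```

    Run against the sample, the script flags the two bare mmcodak.exe/mmkntz.exe entries with their random key names, the "Hide Bin Pure Dead" executable under Application Data, and the four "(file missing)" entries, while leaving TkBellExe, kdx, the Palm startup link and the hp psc link unflagged. The heuristics only prioritise lines for review; legitimate software can still trip them, which is why the experts here ask the poster what each unknown entry is before fixing it.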
  7. guyontheleft

    guyontheleft Private E-2

    Done, and installed the current Sun Java Runtime Environment

    They are free trial versions. I was planning on uninstalling them (haven't yet).

    Done. Also uninstalled X-Cleaner

    No. When I tried to uninstall this, it said the files weren't found.

    I have no idea.

    None of these three existed. There was a C:\Program Files\Messenger

    It has definitely got better. Thanks!

    uninstalled

    No, does checking these in HJT remove them?

    yes to these two
    no to these.


    Thanks for the help! I have a couple questions for other problems I'm having.
    What is ccApp? Whenever I shut down windows, a window pops up asking me if I want to wait for it to end or end now. How can I stop this?

    I also have that problem I mentioned in the first post of the printer trying to be installed every time I load windows and every time I put a disk in or connect a device. I noticed this line
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    Would removing this help? Or cause problems?
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since they are only trial versions and you were going to uninstall them anyway, uninstall them now!


    The normal procedure is to uninstall programs first! However these do not seem to be installed so just have HJT fix those DigStream lines.


    This is for Symantec Antivirus. It is not malware. Your software may be corrupted. You may need to uninstall, reboot, and then reinstall but personally I would dump it permanently.

    Don't know! I'm not sure what that .lnk is supposed to do. This is not malware. You may have an incomplete or corrupted installation of your printer software and may need to uninstall, reboot and reinstall. You can also try the below but questions like this belong on the Software or Hardware Forum:

    Windows Installer CleanUp Utility



    Also download and run this Your Uninstaller! 2006 See if Your Uninstaller can uninstall the below two programs:
    Select CashBack
    Window Searching

    Let me know what happens!



    Delete the below file which is of unknown origin:
    C:\WINNT\cadkasdeinst01e.exe


    Are you sure you did not install the Picture Taker service? This is from LANovation's PictureTaker Enterprise Edition 3.1, which lets administrators create software update packages and deploy them to network PCs through a third-party network management suite.


    Attach a new log from ShowNew and also run the below procedure and attach the requested log:

    Getting Uninstall Programs List From The Registry
     
