Malware help

Discussion in 'Malware Help (A Specialist Will Reply)' started by SAPMickey, Jan 29, 2007.

  1. SAPMickey

    SAPMickey Private E-2

    My wife virated us by clicking on, and running an attachment called Everlasting Love. She thought she recognized the sender as a trusted source and she feels terrible. :cry

    Our problems started with slow computer, then the blue screen of death with the following messages:

    driver_unloaded_without_cancelling_pending_operations
    page_fault_in_nonpaged_area
    irql_not_less_or_equal

    I also get an error message about sltckhdg.t and a Socket Notification Sink.

    There were a bunch of files with nonsensical names dumped on my desktop that I deleted.

    When shutting down Windows, explorer.exe won't respond and I have to manually close it.

    I have followed the Read & Run Me First. I am still concerned because subsequent scans still show errors.

    I attach the logs and appreciate any help.
     

    Attached Files:

  2. SAPMickey

    SAPMickey Private E-2

    More logs.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!


    You did not follow the instructions about not using MSconfig. See step 0 of the READ ME. Get in Normal Startup mode and attach a new log from HJT.

    Please download the current version of GetRunKey which was just updated yesterday. Attach a new log from it. After that, we will be able to get started.
     
  4. SAPMickey

    SAPMickey Private E-2

    How's this?

    thanks so much
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Better! Take a look at the end of it and you will see why I wanted you to run it. Notice the Trojan.Peacomm stuff.


    Also attach the new HJT log I requested. You may have missed that comment since I could have been editing my message while you were already reading it.


    Then uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders left behind by the uninstall:
    C:\Documents and Settings\Mikel Buckmaster\Local Settings\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software
     
  6. SAPMickey

    SAPMickey Private E-2

    This is incredible. I can't believe you guys do this for free!!
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Neither can we! ;)

    Hang on while I work up the first stage of fixes! Yes, it will take a few stages due to what Trojan.Peacomm hooks into your registry.


    In the meantime, please download and install the following. We are going to need it later! Registrar Lite. Make sure you select a Majorgeeks download link and not the Author's!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\WINDOWS\SYSTEM32\game1.exe
    C:\WINDOWS\SYSTEM32\game2.exe
    C:\WINDOWS\SYSTEM32\game3.exe
    C:\WINDOWS\SYSTEM32\game4.exe
    C:\WINDOWS\system32\taskdir.exe
    C:\WINDOWS\system32\taskdir.dll
    C:\WINDOWS\SYSTEM32\zlbw.dll
    C:\WINDOWS\SYSTEM32\wincom32.ini
    C:\WINDOWS\SYSTEM32\wincom32.exe
    C:\WINDOWS\SYSTEM32\wincom32.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.
    After reboot locate the below folder and delete if found:
    C:\80b9f0f3bf5557ae9c

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Mikel Buckmaster\Local Settings\Temp

    Now go to Add/Remove programs and uninstall the below:
    My Way Search Assistant

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!
     
  9. SAPMickey

    SAPMickey Private E-2

    It will not let me delete IadHide5.dll (25 KB, 2/11/2004).

    I stopped at this point.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's probably because backweb is running somewhere. Just skip it for now and continue.

    It is probably due to the below Kodak junk!
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe


    Why are you running this PC with NO PROTECTION?
     
  11. SAPMickey

    SAPMickey Private E-2

    How do I get rid of the Kodak junk?

    I was running BSafe for filter/virus. I had to uninstall it because the filter wouldn't let me run IE from safe mode.

    What's the best av software? Are you familiar with bsafe?
     

    Attached Files:

  12. SAPMickey

    SAPMickey Private E-2

    Also, I couldn't find this in the list of programs.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is still in the registry! Run the below tool so I can figure out exactly what is there and I will give you a fix.

    Run this Getting Uninstall Programs List From The Registry and attach the log.

    Does Bsafe really contain an Antivirus, a realtime antispyware/malware blocking tool, and a firewall? Were you running the Filter or the full Security Suite?

    Their security suite is really just McAfee!


    If it prevents you from running IE in safe mode, then you need to ask them for a fix. It should not do this and at a minimum it should not be necessary to uninstall it in order to run IE in safe mode.
     
  14. SAPMickey

    SAPMickey Private E-2

    never mind
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click refresh and read again!
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's continue to fix the issues from Trojan.Peacomm

    Run Registrar Lite, navigate to each of the following keys (one at a time) and take ownership of them (I explain how to do that further down).

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32\0000\Control
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32\0000\LogConf
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32\0000\LogConf
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINCOM32\0000\Control
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINCOM32\0000\LogConf
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINCOM32\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINCOM32


    To take ownership of the key do the following:
    • Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    • Click-on Security in the top Menu
    • Select Take Ownership
    • Repeat these steps for all of the registry keys given above before continuing to the next steps below.
    • Now leave RegistrarLite running and continue
    • Now run the fixME.reg REGISTRY PATCH below in this message.
    • Tell me the results. Any error messages?
    • Now in RegistrarLite click View and then Refresh
    • Now navigate one at a time to each of the above keys we took ownership of to make sure they were deleted.
    • If any of the keys still exist, move on down to PART 2 - Setting Permissions for Everyone below.
    Here is the Registry Patch

    Now copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    PART 2 - Setting Permissions for Everyone
    Run the below if some of the registry keys still exist after running the above steps.

    Now I want you to use Registrar Lite again to navigate to each of the below keys (one at a time) by pasting them into the Address Bar and hitting return. But this time click the Security menu item and select Edit Permissions so we can change permissions to Everyone (I describe this down below the list of registry keys).
    After clicking Edit Permissions, here is what I expect you to see in the Group or user names area of the form:

    Everyone
    SYSTEM

    Select Everyone by clicking on it. Now at the bottom in the Permissions box click the check box for Full Control. Then click Apply and then OK to get back to the main Registrar Lite screen. Now right-click on the registry key and select Delete. Then click View and Refresh. Check to see if the registry key you just deleted was truly deleted. If so, move on to the next one to work through the whole list. If it does not delete, I want you to boot into safe mode and repeat these exact same steps to see if we can do it from safe mode.

    Then reboot your PC!

    Now run GetRunKey again and attach a new log!
     
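    The verification behind posts 8 and 16, as an added PowerShell example that is not part of the thread or of MajorGeeks: it checks whether the System32 files from the Killbox list and the LEGACY_WINCOM32 keys still exist, and reports each key's owner and whether Everyone already has Full Control, so you know whether the Take Ownership / Edit Permissions steps are still needed. It assumes an elevated session on a current Windows version (the thread's XP machine predates PowerShell); the file and key names come from the thread, the script is mine and deletes nothing.

```powershell
# Added example, not from the thread: read-only audit of the Trojan.Peacomm
# leftovers listed in posts 8 and 16. Assumes an elevated Windows PowerShell
# session on a current Windows version. Deletes nothing.

$System32 = Join-Path $env:SystemRoot 'System32'
# File names taken from post 8 (the Killbox list).
$Files = 'game1.exe', 'game2.exe', 'game3.exe', 'game4.exe', 'taskdir.exe', 'taskdir.dll',
         'zlbw.dll', 'wincom32.ini', 'wincom32.exe', 'wincom32.dll'

Write-Host '== Files from post 8 =='
foreach ($name in $Files) {
    $path = Join-Path $System32 $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        Write-Host ('STILL PRESENT  {0}  {1} bytes, modified {2}' -f $path, $item.Length, $item.LastWriteTime)
    } else {
        Write-Host "gone           $path"
    }
}

Write-Host "`n== LEGACY_WINCOM32 keys from post 16 =="
# Post 16 walks CurrentControlSet and ControlSet001..003 by hand; enumerate the
# control sets this machine actually has instead of hard-coding the numbers.
$ControlSets = Get-ChildItem -LiteralPath 'HKLM:\SYSTEM' |
               Where-Object { $_.PSChildName -match '^(ControlSet\d{3}|CurrentControlSet)$' } |
               ForEach-Object { $_.PSChildName }

foreach ($cs in $ControlSets) {
    $root = "HKLM:\SYSTEM\$cs\Enum\Root\LEGACY_WINCOM32"
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Host "gone           $root"
        continue
    }
    # The key itself plus every subkey under it (0000, Control, LogConf in the thread).
    $keys = @(Get-ChildItem -LiteralPath $root -Recurse | ForEach-Object { $_.PSPath }) + $root
    foreach ($key in $keys) {
        try {
            $acl = Get-Acl -LiteralPath $key
            # Registrar Lite's "Full Control for Everyone" shows up as exactly this rule.
            $everyoneFull = $acl.Access | Where-Object {
                $_.IdentityReference.Value -eq 'Everyone' -and
                $_.AccessControlType -eq 'Allow' -and
                $_.RegistryRights -eq 'FullControl'
            }
            $state = if ($everyoneFull) { 'Everyone has Full Control; Delete should work' } else { 'locked; use the Take Ownership / Edit Permissions steps' }
            Write-Host ('STILL PRESENT  {0}  owner={1}  {2}' -f $key, $acl.Owner, $state)
        } catch {
            # A DACL that blocks even reading the ACL is itself a sign the key is locked down.
            Write-Host "STILL PRESENT  $key  (cannot read ACL: $($_.Exception.Message))"
        }
    }
}
```

    Run it once before and once after the Registrar Lite steps; any key still reported as "locked" is one to repeat from safe mode, as post 16 suggests.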
  17. SAPMickey

    SAPMickey Private E-2

    Attached Files:

  18. SAPMickey

    SAPMickey Private E-2

    nope

    here you go
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay looks like we got all of Trojan.Peacomm! How are things working?

    Let's get rid of the My Way Search Assistant.

    Now copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Attach a new log from ShowNew.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also answer my question about Bsafe from message # 13.
     
  21. SAPMickey

    SAPMickey Private E-2

    Things are going fine. I ran Spybot and it found Tibs.vq.
     

    Attached Files:

  22. SAPMickey

    SAPMickey Private E-2



    Well, their website says:

    "you can fully protect those you care about from porn, identity theft, spyware, and computer viruses by downloading the Bsafe Online filter and All-in-One Security Suite"

    I'm pretty sure I was using the full suite.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I suggest you reinstall it and then attach the below two logs:

    ShowNew
    HijackThis

    From this we should be able to tell!
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Attach a log from Spybot if this still shows up!


    Since I believe you are really basically clean now, it is time to do our final steps (That is if you are not having any other malware problems):

    1. If we used Pocket Killbox during your cleanup, do the below:
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • Go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
  25. SAPMickey

    SAPMickey Private E-2

    It couldn't fix 2 of them.
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Back in message number 8 I had you delete C:\WINDOWS\SYSTEM32\zlbw.dll. This is related to what Spybot is reporting as Tibs.vq. It is also known as Trojan.Abwiz.E.

    You can use Registrar Lite to delete the below registry keys if found. You may need to use the Ownership or Permissions trick again.

    HKEY_USERS\.DEFAULT\ColorTable19
    HKEY_USERS\.DEFAULT\ColorTable20
    HKEY_USERS\S-1-5-18\ColorTable19
    HKEY_USERS\S-1-5-18\ColorTable20

    Spybot did not report the below two, but look for them too since they are typical locations this trojan also uses.
    HKEY_CURRENT_USER\ColorTable19
    HKEY_CURRENT_USER\ColorTable20
     
  27. SAPMickey

    SAPMickey Private E-2

    Ok...I have reinstalled Bsafe.

    When I was closing, I had to manually shut down something called _____PTAWIA. I also got a Socket Notification Sink error.

    I have not completed the last two posts you told me to do, as I was concentrating on getting Bsafe reinstalled.

    What should I do?
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is not a malware problem! I would bet it is related to the Kodak software you are running at startup.
     
  29. SAPMickey

    SAPMickey Private E-2

    How do I keep it from loading at startup?

    Should i go back and do the two steps in the previous two posts?
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Use HJT to fix the below two lines:
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

    Do the messages in the following order 26, 23 & 24.
     
  31. SAPMickey

    SAPMickey Private E-2

    I couldn't find any of these. I ran Registrar Lite and copied each line into the address. It took me to the root directory, but didn't locate the specified files.
     
  32. SAPMickey

    SAPMickey Private E-2


    new logs attached
     

    Attached Files:

  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All you seem to have from Bsafe is a popup blocker! You need an antivirus, antispyware blocker, and a real firewall. My final steps give a link (see below) which include steps and links for all of these.

    Please click Start,Run, and enter notepad C:\WINDOWS\SYSTEM32\ver.ini and click OK. Copy and paste the information that is shown in the notepad window that opens with the contents of ver.ini back here.

    Your log is clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below:
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • Go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
  34. SAPMickey

    SAPMickey Private E-2

    here are the contents:

    [global]
    LgbMP.ocx = 2.2.0.8
    xcon.dll= 1.2.0.9
    QHTM.dll= 1.177
    lgbBidder.ocx= 1.2.2.7
    ijl15.dll = 1.5.4.36
    sdl.dll = 1.2.6.0
     
  35. SAPMickey

    SAPMickey Private E-2

    How do I tell if I'm running Service Pack 2?
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The ver.ini file is OK!


    You are running Win XP SP2. See the beginning of your HJT log. Also you can right click on My Computer and select Properties and you will see this info and more.
     
