spambot,smitfraud,bluescreen,winlogon error

Discussion in 'Malware Help (A Specialist Will Reply)' started by letmesee, Feb 1, 2007.

  1. letmesee

    letmesee Private E-2

    Hi, and thanks for looking,
    I have obviously been somewhere I shouldn't. I now have spambot, smitfraud, a blue desktop, a winlogon.exe error on close down, and the machine won't turn off; it just keeps rebooting until manually turned off.
    I am running the full McAfee Internet Suite 8.
    I have been trawling these sites for the last 2 days attempting all the fixes to no avail. I have meticulously completed all your preparation steps.
    I am frankly at my wits' end as to what to do next; any assistance would be appreciated.
    I am not the most computer-savvy person around, so plain English please and I'll do my best.
    Thanks in advance.
    Mark (letmesee)
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi Mark, welcome


    As you have completed the steps in the Read ME prep steps, you will have a set of logs? Please attach those logs and the malware guys will be able to help you remove these malwares.
     
  3. letmesee

    letmesee Private E-2

    Ok, I think I have done that. Attached logs.
    Also just started getting "party" websites just opening up at random. I eagerly await your next instructions. Although it is late here in Australia and I might have to answer tomorrow morning. But I will hang out as late as I can.
    Mark
     

    Attached Files:

  4. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi Mark, we will also need the other three logs, as in ShowNew, GetRunKeys and HijackThis.
     
  5. letmesee

    letmesee Private E-2

    OK, for some reason I'm having trouble uploading the 3 logs requested. It says "in progress". What should I do? I have attached the error log.
    Mark
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Next time this happens, exit the Managing Attachments window and try the below (assuming you are using IE as your browser):
    1. Click Tools and select Internet Options.
    2. Then on the General tab, click Delete Files and select Delete all offline content too, then click OK. When it finishes, click OK.
    3. Now click Refresh.
    4. Now try uploading your attachments again.
    If this still does not work, tell us how large each file is!
     
  7. letmesee

    letmesee Private E-2

    Ok, that worked.
    Here are the runkey, newfiles and HJT logs you requested.
    Mark
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The below are not typical default Policies. Did you set these policies yourself?
    You must install HijackThis where we requested and you must rename it as requested. You have it installed exactly where we specify not to install it and you did not rename it. You must correct this now. You have it here:

    C:\Documents and Settings\USER\Start Menu\Programs\analyse.exe\HijackThis.exe

    It must be here:

    C:\Program Files\HJT\analyse.exe
     
  9. letmesee

    letmesee Private E-2

    Hi,
    I mentioned in my first post that I am not particularly computer savvy. So in answer to your question, I don't know what "default policies" are, let alone how to set them; if I did change them then it was accidental.
    As far as the HJT log goes, I thought I did follow the instructions, and I refer to my first sentence: I'm not particularly computer savvy. I have deleted all references to HJT from the computer, then followed your instructions, downloaded it and tried again. The new HJT log is attached.
    Mark
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have HijackThis installed incorrectly. You have this:

    C:\Program Files\analyse.exe\HijackThis.exe

    You need to rename the analyse.exe folder to HJT

    Then you need to rename the actual HijackThis.exe file to analyse.exe


    When you are finished it should look like I previously told you:

    C:\Program Files\HJT\analyse.exe
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Once you get HJT installed and renamed properly, continue onto the below!


    Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders left behind by the uninstall:
    C:\Documents and Settings\USER\Local Settings\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 6


    Now download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
    Continue by downloading two tools we will need
    Extract them to their own folders somewhere that you will be able to locate them later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Also make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of instcat.dll once and then click the kill button. After you have killed all of the instcat.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of instcat.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of instcat.dll and kill it. (If you do not find the dll, just continue on.)


    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    O1 - Hosts: localhost 127.0.0.1
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe/asinst.cab
    O18 - Protocol: bw+0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw+0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: bwg0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwg0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: offline-8876480 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
    O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: COM+ Messages - C-Media Inc - (no file)

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\WINDOWS\system32\CMMGR32.EXE
    C:\WINDOWS\system32\vidaccess1253.exe
    C:\WINDOWS\system32\instcat.dll
    C:\WINDOWS\system32\13.tmp
    C:\WINDOWS\system32\14.tmp
    C:\WINDOWS\SYSTEM32\DGFLIB.DLL
    C:\WINDOWS\system32\directprt.sys
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folders and delete if found:
    C:\Documents and Settings\USER\Application Data\AVG7
    C:\Documents and Settings\All Users\Application Data\AVG7
    C:\Program Files\Avg Anti Virus v7.0.143 Keymaker-Core (works)
    C:\Program Files\Common Files\{84615596-0823-1033-0125-050117050001}

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT

    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
  12. letmesee

    letmesee Private E-2

    Ok Chaslang,
    I apologise for my ignorance with this machine. I have had another go at redoing HJT and I think I have the result you wanted.
    .
    As far as the other steps went I:
    Uninstalled and cleaned up Sunbelt no problems.
    Uninstalled J2SE runtime no problems.
    Downloaded Hoster no problems.
    Downloaded Process explorer & killbox no problems
    Didn't find any instcat.dll in any of the places you said.
    Think I marked all the registry things you listed.
    Did the fixme.reg thing.
    Ran killbox as listed.
    Deleted the 4 programs you listed.
    I have run the 3 programs for the new logs.
    .
    I can indicate that my machine seems far more stable. I haven't had any websites pop up since the last reboot, and I can see that my modem isn't particularly active, whereas before it was going flat out with its lights blinking all the time.
    .
    I do get a message on shutdown that says:
    .
    Iexplorer.exe dll Initilazation failed
    The application failed to initalize....?????(I missed the rest)
    .
    It only comes up for a second then disappears and the machine continues to shut down. Since your adjustments the machine actually does shut down rather than just restarting, which it was doing before.
    .
    So to sum up...looking good just that 1 little problem on shutdown.
    .
    logs are attached.
    Mark
     

    Attached Files:

  13. letmesee

    letmesee Private E-2

    I am still getting the odd pop-up; it seems to happen every time I open Internet Explorer. Sorry, I was a bit hasty before.
    Mark
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a new item that just showed up on Feb 1st; it was not in your log before. It is this:
    O4 - HKCU\..\Run: [Blah about] C:\DOCUME~1\USER\APPLIC~1\DVDENC~1\infoseeksite.exe

    The below folder is where it really is located:
    Code:
    "C:\Documents and Settings\USER\Application Data\
    DVDENC~1      Feb  1 2007              "Dvd Enc" 
    Also I see this folder which is new:
    Code:
    "C:\Documents and Settings\All Users\Application Data\"
    MEETWI~1      Feb  1 2007              "meetwindowlivefour"
    
    What have you installed? You must make sure that while we are trying to fix your PC that you do not install anything new at all. Only do what we request. If the above are not things you knowingly installed then we will need to fix them by having HJT fix the O4 line and then you should delete the shown Dvd Enc and meetwindowlivefour folders.


    You can have HJT fix the below leftover that did not finish getting fixed in the previous procedure.
    O20 - Winlogon Notify: instcat - instcat.dll (file missing)


    Also we have one more registry fix to do for another policy.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
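    The HijackThis lines chaslang has fixed in posts 11 and 14 all follow one fixed layout (section code, entry kind, entry name, optional CLSID, file path, optional "(file missing)" tag), which makes them easy to triage mechanically before a human reads them. The script below is an added example written for this page; it is not code from HijackThis, MajorGeeks or the thread. It parses that layout, flags the entry types the thread treats as suspicious (O20 Winlogon Notify DLLs, entries marked "(file missing)" or "(no file)", and Run keys pointing into the user profile like the DVDENC~1 one), and collapses the long run of O18 handlers into one count per CLSID. The flagging rules are my own heuristics (an assumption for the example), and SAMPLE_LOG is constructed from lines quoted in the thread.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread; it is not part of HijackThis or of the MajorGeeks
procedure. The flagging rules are review heuristics (an assumption), and
SAMPLE_LOG is constructed from lines quoted in the thread.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Layout: "O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll"
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A drive-letter path, ending at a " - " separator, a "(file missing)" tag or end of line.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\r\n]*?(?=\s+-\s|\s+\(file missing\)|$)")
# Autorun locations installed software rarely uses but droppers often do (assumption).
USER_PROFILE_HINTS = ("\\documents and settings\\", "\\docume~1\\",
                      "\\application data\\", "\\applic~1\\", "\\local settings\\")


@dataclass
class HjtEntry:
    section: str
    raw: str
    name: str = ""
    clsid: str = ""
    path: str = ""
    file_missing: bool = False
    flags: list = field(default_factory=list)


def parse_line(line):
    """Split one log line into section, entry name, CLSID and file path."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    body = m["body"]
    e = HjtEntry(section=m["section"], raw=line)
    e.file_missing = "(file missing)" in body or "(no file)" in body
    c = CLSID_RE.search(body)
    if c:
        e.clsid = c.group(0).upper()
    p = PATH_RE.search(body)
    if p:
        e.path = p.group(0).strip()
    elif " - " in body:  # bare DLL names such as "WRLogonNTF.dll (file missing)"
        tail = body.rsplit(" - ", 1)[1]
        e.path = tail.replace("(file missing)", "").replace("(no file)", "").strip()
    if e.section == "O4" and "[" in body and "]" in body:
        e.name = body[body.index("[") + 1:body.index("]")]  # Run value name
    else:
        head = body.split(" - ")[0].split(" = ")[0]  # e.g. "Winlogon Notify: instcat"
        e.name = head.split(":", 1)[1].strip() if ":" in head else head.strip()
    return e


def flag_entry(e):
    """Attach review notes; these are heuristics, not a verdict."""
    if e.file_missing:
        e.flags.append("dangling: registry still references a file that is gone")
    if e.section == "O20":
        e.flags.append("Winlogon Notify DLL: loaded into winlogon.exe at logon, verify it")
    if e.section == "O4" and any(h in e.path.lower() for h in USER_PROFILE_HINTS):
        e.flags.append("autorun from user profile: unusual for installed software")
    if e.section == "O1":
        e.flags.append("hosts-file entry: compare with a clean hosts file")
    return e


def review(lines):
    """Return parsed entries plus a count of O18 protocol handlers per CLSID."""
    entries = [flag_entry(e) for e in map(parse_line, lines) if e]
    # Dozens of O18 lines backed by one CLSID/DLL are one component: count, don't list.
    o18_by_clsid = Counter(e.clsid for e in entries if e.section == "O18" and e.clsid)
    return entries, o18_by_clsid


# Constructed sample: a handful of the lines quoted in posts 11 and 14.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: localhost 127.0.0.1
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Blah about] C:\DOCUME~1\USER\APPLIC~1\DVDENC~1\infoseeksite.exe
O18 - Protocol: bw+0 - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {BF47CF26-9128-4E9D-A058-D251E10A24CB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: COM+ Messages - C-Media Inc - (no file)
""".strip().splitlines()

if __name__ == "__main__":
    entries, o18 = review(SAMPLE_LOG)
    for e in entries:
        if e.flags:
            print(f"{e.section:4} {e.name:<20} {e.path}\n     " + "; ".join(e.flags))
    for clsid, n in o18.items():
        print(f"O18 x{n} handlers share {clsid}")
```

    Run it as-is to see the flagged entries from the sample; feed it a real HJT log with `review(open(path).read().splitlines())`. The O18 count is what matters for the Logitech block: 62 lines backed by two CLSIDs is one product's protocol handlers, not 62 separate findings, which is why a reviewer checks the DLL's publisher once rather than reading every line.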
     
  15. letmesee

    letmesee Private E-2

    Thanks Chaslang,
    I only downloaded what you told me, and I think there might have also been a security update come in. Anyway I have:
    Removed all you told me to, no problem.
    Cleaned up the instcat.dll, no problem.
    Added the additional registry thing, no problem.
    .
    The computer is stable, although I can't get into the Windows Firewall settings and am still getting error screens at shutdown.
    .
    hjt log attached.
    Mark
     
  16. letmesee

    letmesee Private E-2

    If it helps you, I was able to get most of the wording from the error messages.
    .
    Explorer.exe application error
    The instruction at "0x01F014e7" reference memory at "0x01F014e7" The memory could not be "read".
    Click OK to terminate the program
    Click CANCEL to debug the program
    .
    CTFMON.exe Not responding
    (then other stuff I couldn't catch)
    .
    End program - explorer.exe
    The system cannot end the program because its waiting for a response from you.
    To return to windows and check the status of the program click CANCEL
    If you choose to end the program immediately you will loose any unsaved data. To end program now, click END now.
    .
    Hope that helps
    Mark
    .
    Doesn't look like I attached the HJT log to the last post, so it's here.
     

    Attached Files:

    Last edited: Feb 3, 2007
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are not supposed to be able to get into the Windows firewall settings. You have McAfee firewall installed.

    Let's see if the below addresses your error at shutdown. The below is taken from a Microsoft Knowledge Base article (http://support.microsoft.com/kb/282599); I pasted in here the specifics you need to be concerned with.

    Step 1:
    1. Quit all Office programs.
    2. Click Start, point to Settings, and then click Control Panel. NOTE: In Windows XP, click Start and then click Control Panel.
    3. In Control Panel, double-click Add/Remove Programs. NOTE: In Windows XP, click Add or Remove Programs.
    4. In the Currently installed programs list, click to select Microsoft Office XP product, where Office XP product is the name of the specific Office product being used. If you are using a standalone version of one of the Office programs, click to select the appropriate product in the list. Click Change.
    5. In the Maintenance Mode Options dialog box, select Add or Remove Features, and then click Next. This displays the Choose installation options for all Office applications and tools dialog box.
    6. Click the plus sign (+) next to Office Shared Features to expand it.
    7. Click the icon next to Alternative User Input, and then select Not Available.
    8. Click Update.
    Step 2: Remove Alternative User Input Services from Text Services
    1. Click Start, point to Settings, and then click Control Panel.
    2. In the Control Panel, double-click Text Services. NOTE: In Windows XP, click Date, Time, Language, and Regional Options, and then click Regional and Language Options. On the Languages tab, click Details.
    3. Under Installed Services, select each input item that is listed, and then click Remove to remove the item. All items must be removed, one by one, except the following input service:
      • English (United States)- default Keyboard United States 101
    Step 3: Run Regsvr32 /U on the Msimtf.dll and Msctf.dll Files
    1. Click Start and then click Run.
    2. In the Run dialog box, type the following command: Regsvr32.exe /u msimtf.dll
    3. Click OK.
    4. Now Click Start and then click Run
    5. In the Run dialog box, type the following command: Regsvr32.exe /u Msctf.dll
    6. Click OK.
    Now let me know if you still have that error message! Double check after trying to shutdown/reboot.

    Attach a new HJT log.
     
  18. letmesee

    letmesee Private E-2

    Chaslang,
    I didn't realise that McAfee blocks Windows Firewall, so that's no problem.
    In relation to the 3 Microsoft procedures you asked me to do:
    Step 1. I tried to do it but got the message:
    .
    The feature you are trying to use is a network resource that is unavailable.
    Click OK to try again or enter an alternative path to a folder containing the instalation package "PRO11>MSI" in the box below.
    .
    I clicked to try again several times and got the same result.
    .
    Step 2. I have similar but not the same as described by microsoft, mine says :
    EN English (United States)
    keyboard
    .US
    .
    Step 3. Completed no problems.
    .
    I have shut down and also restarted twice without incident. Latest hjt log attached.
    Mark
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good news! And your log is okay! I just wanted to verify that ctfmon.exe was no longer trying to load.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  20. letmesee

    letmesee Private E-2

    Ok Chaslang,
    I have :
    Cleaned all the processes used, no problems.
    Done the system restore thing no problems.
    Gone through "how to protect yourself" and made a few of the recommended changes no problems.
    I downloaded & installed the recommended "Spyware blaster" with "auto updates"
    .
    Do you feel an update to vista would be of assistance with its apparent added protection ?
    .
    Is there anything else that you personally recommend that would assist me. ?
    .
    Finally the Tech that built my machine, disabled the "privacy service" section of my McAfee program saying that it was more trouble than it was worth as it conflicted with other programs. What are your thoughts and should I reinstall it. ?
    Mark
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not necessarily! It is too soon to judge Vista. Also, you are running VMware for multiple boot partitions, I assume. I'm not sure if it is compatible. I'm sure that many people are going to like the new interface and ease of use offered by Vista; however, my attitude is that I will buy it only when I really need it. Also I will still keep most of my PCs running WinXP and Win2K since much of the software and hardware I have may not be supported under Vista.
    .
    It is all in the How to protect thread.

    Actually, as far as we are concerned, all of McAfee is more trouble than it is worth, and it slows down PCs too much. But if you like it and feel comfortable with it, stick with it! As far as the Privacy Service is concerned, your best bet would be to enable it and see how you feel about it. I honestly don't have an opinion on it. If you have children and think this feature would be of use, by all means check it out. Perhaps reading the below would be of use to you:

    http://familyinternet.about.com/cs/productreviews/gr/mcafeeprivacy.htm

    On the last three PCs that I had with McAfee on it (shipped that way), I uninstalled it in less than a week because it slowed the PCs down tremendously, interfered with everyday operation of email, and was in general a waste of system resources since other free tools worked to provide the protection I needed and did not impact the system so harshly.
     
  22. letmesee

    letmesee Private E-2

    Chaslang,
    Ok then, I take on board everything you have said about Vista. I agree with all you have said about McAfee; my computer used to fly along until the day that series of programs was installed, and removing the "Privacy Service" helped slightly.
    .
    The situation I'm in is that I used to have all the free protection programs, but was advised to purchase a full program that covered everything, hence the McAfee. Is there a well-known licensed program that I should get to replace the functions of McAfee, one that isn't resource hungry, that you might recommend?
    .
    In the mean time thanks so much for all your trouble, I know I'm slow and your patience is appreciated.
    Mark
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We do not recommend full security suite packages as they all are resource hogs. Some are worse than others. We actually recommend separate tools as given in the How to protect link I gave you. I would uninstall ALL of McAfee and install the below:

    - AVG Antivirus
    - ZoneAlarm firewall
    - Spybot with SDhelper and use the Immunize feature as given in the READ ME
    - SpywareBlaster and activate all protection
    - SpywareTerminator for a free realtime spyware blocking tool!

    With free tools you can try before you make up your mind to buy! ;) If you don't like them, you can uninstall and try something else without cost to you. If you like them, you should buy them to get more features and support if needed.
     
  24. letmesee

    letmesee Private E-2

    Chaslang,
    Thanks for all your help, I have a copy of that list and I will definitely grab them all tonight. Then dump McAfee; they don't mention the problems when you go to buy these things.
    .
    Again, thanks for all the help and Halo too, and I'll be in touch next time I run into problems. Signing off for now.
    Mark
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! If they told you the problems with the software, they would not make any money selling it to you. ;)
     
  26. letmesee

    letmesee Private E-2

    Chaslang,
    I'm sorry that I have to bother you again, but this morning, after my computer was all fixed, I sat down to get back to work and found that the DVD/CD-ROM isn't working. It worked the day before the infection. I checked in the Device Manager section and it says:
    .
    Windows cannot load the device driver for this hardware. The driver may be corrupted or missing (code 39).
    .
    The CD-ROM is listed as "LITE-ON DVDRW SOHW-1673S".
    .
    Is that your department, or do I need to go somewhere else?
    Thanks
    Mark
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually it should be asked in the Hardware Forum but here are two ideas.

    Delete the drive from Device Manager and then reboot and let Windows try to reload the drivers automatically.

    If that does not work or it cannot find the drivers, you may need to reinstall whatever software you installed for it previously or you may need to just allow Windows to find the drivers on the CD.
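    The steps above are done by hand in Device Manager. As an added example that is not part of this thread or from either poster, the following Windows PowerShell script lists every Plug and Play device that Windows has flagged with a problem code (the same "Code 39" shown in the poster's error message), so you can confirm which entry is the DVD drive before deleting it and rebooting, and check afterwards whether the code has cleared. It uses only the built-in WMI classes Win32_PnPEntity and Win32_CDROMDrive; the problem-code descriptions in the table are a short subset of Microsoft's documented Device Manager codes, and the function name Get-ProblemDevice is my own.

```powershell
# Added example (not from the thread): enumerate PnP devices that Device Manager
# flags with a problem code. ConfigManagerErrorCode 0 means the device is working;
# any other value is the numeric "Code NN" Device Manager displays (e.g. 39).
# Runs in Windows PowerShell with the built-in WMI classes; no third-party tools.

# Meanings of a few common problem codes (subset of Microsoft's documented list).
$codeText = @{
    1  = 'Device is not configured correctly'
    10 = 'Device cannot start'
    22 = 'Device is disabled'
    28 = 'Drivers for this device are not installed'
    31 = 'Windows cannot load the drivers required for this device'
    39 = 'Cannot load the device driver; the driver may be corrupted or missing'
}

function Get-ProblemDevice {
    # Hypothetical helper name; returns one object per device with a non-zero code.
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.ConfigManagerErrorCode -ne 0 } |
        ForEach-Object {
            $code = [int]$_.ConfigManagerErrorCode
            $meaning = if ($codeText.ContainsKey($code)) { $codeText[$code] }
                       else { 'See Device Manager for details' }
            New-Object PSObject -Property @{
                Name     = $_.Name
                DeviceID = $_.DeviceID
                Code     = $code
                Meaning  = $meaning
            }
        }
}

# 1. Every device currently reporting a problem code.
Get-ProblemDevice | Select-Object Name, Code, Meaning, DeviceID | Format-Table -AutoSize

# 2. The optical drives Windows knows about, so the entry for a drive such as
#    "LITE-ON DVDRW SOHW-1673S" can be matched to its PNPDeviceID above.
Get-WmiObject -Class Win32_CDROMDrive |
    Select-Object Name, Drive, Status, PNPDeviceID |
    Format-Table -AutoSize
```

Run it once before removing the drive in Device Manager and again after the reboot: if the drive still shows Code 39, Windows did not find a usable driver on its own, which is the case where the reply above says to reinstall the drive's software or let Windows read the driver from the CD.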
     
  28. letmesee

    letmesee Private E-2

    Chaslang,
    Thanks, I tried that; the uninstall and reboot didn't work, and the DVD part isn't working so I can't use the disc. I will post in the right forum. Thanks
    Mark
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have the CD and if you can locate the folder/files you need from it on another PC, you could copy them to a USB flash drive or share drives on a network etc. to get them to the PC that needs them.
     
