Mucho Malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by smilejack1, Feb 13, 2007.

  1. smilejack1

    smilejack1 Private E-2

    I just started a new job with an old friend, and because he barely knows how to right-click, his computers are a disaster and I've become his default IT person, even though I don't know a whole lot more. I've already removed lots of crap via SpyBot and AdAware and CCleaner, but for various reasons, I suspected there might be more on the machine, so I did the "Read and Run Me First" routine, and the BitDefender log confirms my suspicions. The computer isn't misbehaving in any significant way, but all these Trojans and such trouble me greatly. Any advice concerning which of these things I should worry about and how to remove them will be greatly appreciated.

    PS: I botched the process to save the BitDefender log. I have an HTML and a Word file on my machine. I'm going to attach the Word file, and if it doesn't help, please notify me and tell me what to do. If I need to run the scan or even the whole Run Me First procedure, I will.

    PPS: Embarrassingly, I seem to have botched the CounterSpy log. Again, tell me what to do...
     

  2. smilejack1

    smilejack1 Private E-2

    Re: Mucho Malware: More Logs

    Here's the active scan log. I just realized that I haven't completed the Hijack This procedure, so I'll finish it and then post that too. Last train to Dorkville...
     

  3. smilejack1

    smilejack1 Private E-2

    Re: Mucho Malware Hijack This Log

    here's the Hijack This log...
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Mucho Malware Hijack This Log

    Welcome to Majorgeeks!

    You did not get your HJT log attached. Before trying to attach one, please do the below.

    Based on your GetRunKey log, you skipped step 2 of the READ ME or you did not complete all of it properly. Please do step 2 again and make sure you do all steps. I will ask for a new log later.

    Uninstall the below software:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Think-Adz Search Assistant removal <-- should have been uninstalled in step 0 of the READ ME

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run Pocket Killbox by double-clicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\WINDOWS\aaf.exe
    C:\WINDOWS\invupd.exe
    C:\WINDOWS\invupdi.exe
    C:\WINDOWS\system32\edaabe_s.dll
    C:\WINDOWS\system32\winpfg32.sys
    C:\WINDOWS\system32\swinnpem.exe
    C:\WINDOWS\system32\swinnpes.exe
    C:\WINDOWS\system32\xmltok.dll
    C:\WINDOWS\system32\analiz.exe
    C:\WINDOWS\system32\msfyir.exe
    C:\WINDOWS\system32\specialfile.exe
    C:\WINDOWS\system32\kyhwp.exe
    C:\WINDOWS\system32\uctmtdfxf.exe
    C:\WINDOWS\system32\wvsvc.exe
    C:\WINDOWS\system32\systemwin32s.exe
    C:\Documents and Settings\Owner\lc2.html
    C:\Documents and Settings\Owner\Local Settings\Temp\sahagent.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr1D4B
    C:\Documents and Settings\Owner\Local Settings\Temp\temp.frC6C7
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!
     
    Last edited: Feb 14, 2007
  5. smilejack1

    smilejack1 Private E-2

    Re: Mucho Malware - hjk log attempt 2

    Round 2 commences
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must attach all of the logs I requested before we can continue.

    You also need to answer my question about how things are working.
     
  7. smilejack1

    smilejack1 Private E-2

    Thank you for assistance, and I apologize if my many blunders have made it more difficult for you to render it. It's not that I'm a complete idiot, it's that I'm dealing with this problem with one hand and 6 other office crises with the other. Thanks and apologies again.

    I've followed your instructions (correctly, I hope) and attached the requested logs. The computer isn't misbehaving in any significant way. It wasn't before, either. I was just worried because there was obviously a ton of junk on this machine, and I was worried about potential malfunctions and security threats and being a spammer or a hacker or somesuch without even knowing it. Thanks again for your help...
     

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's hard to understand considering all the malware and other issues you had/have.

    You still seem to have multiple antivirus/security suites installed. We asked that you not do this in step 3 of the READ ME. Please choose which one you want. Either CA eTrust or Symantec and then uninstall the other. This is a massive waste of system resources and can make either program less effective. It is also making it difficult to fix some of your problems. Some of what I asked you to fix did not get fixed.

    When you added the fixME.reg patch into the registry by double clicking on it, did you get a success message? Did you get a popup warning from your protection software about a change being made? You need to allow this to run or obviously the fix will not work.

    Let's start again (with some new steps too) BUT make sure you have uninstalled one of the antivirus applications now before continuing.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry. Make sure you save it exactly as requested (all files) and save it to your Desktop. You did not do this last time.
    Make sure you tell me if you get a success message for doing the above. Or if you get a failure of some kind, tell me the message. DO NOT let your protection software block the change.

    Okay now uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software"
    C:\Program Files\Sunbelt Software

    Also delete the below folder:
    C:\Documents and Settings\The Real John Wright\Start Menu\Programs\Startup\Think-Adz.lnk

    Run HijackThis and select the following lines (some may not be found if the above fixME.reg patch works) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: (no name) - {2DEA8791-C2B7-48E1-8992-8E8E6A6FE789} - (no file)
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [Bar Ding lolt] analiz.exe
    O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\swinnpem.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

    After clicking Fix, exit HJT.
    Now reboot in normal mode


    Now right click Start and select Explore. Navigate to the below files and delete them if found:
    C:\WINDOWS\system32\analiz.exe
    C:\WINDOWS\system32\swinnpem.exe

    Now run Ccleaner

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!
     
  9. smilejack1

    smilejack1 Private E-2

    Thank you for your help and especially your patience.

    I have followed the latest instructions. The following notes apply:

    1) I received a success message after running the fixME.reg patch.

    2) The following folders did not appear where I was instructed to look, so I was unable to delete them:

    C:\Documents and Settings\All Users\Application Data\Sunbelt Software"
    C:\Program Files\Sunbelt Software
    C:\Documents and Settings\The Real John Wright\Start Menu\Programs\Startup\Think-Adz.lnk

    3) The following files did not appear in HijackThis:

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [Bar Ding lolt] analiz.exe
    O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\swinnpem.exe

    4) The following files were not visible when I right-clicked Start:

    C:\WINDOWS\system32\analiz.exe
    C:\WINDOWS\system32\swinnpem.exe

    The computer seems fine.

    I want to comment on a few things from your earlier messages, and I hope you understand that I'm not bickering or being contentious.


    From your most recent message:

    >"You still seem to have multiple antiviris/security suites installed. We asked that you not do this in step 3 of the READ ME. Please choose which one you want. Either CA eTrust or Symantec and then uninstall the other. This is a massive waste of system resources and can make either program less effective. It is also making it difficult to fix some of your problems. Some of what I asked you to fix did not get fixed."<

    I don't think I do have multiple security suites installed. The only Symantec product that I am aware of on this machine is Norton Ghost, which is a backup product. After I read the above, I checked 4 of the 5 user accounts on this machine (see a note about user accounts way below), and found nothing else from Norton in Add/Remove programs, nor in Start/All programs, nor on the MSCONFIG Startup tab (and I've been running various combinations of Norton Anti-Virus/System Works/Internet Security at home for 6 years, and thus have some idea of what the Startup entries look like).

    Also from your most recent message:


    >"When you added the fixME.reg patch into the registry by double clicking on it, did you get a success message? Did you get a popup warning from your protection software about a change being made? You need to allow this to run or obviously the fix will not work."<

    I did run it, and got a success message. I've forgotten the exact words, but it was quite similar to the one I got after running the second fixME.reg patch you instructed me to run.

    And from the message before your most recent message:

    >"Uninstall the below software:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Think-Adz Search Assistant removal <-- should have been uninstalled in step 0 of the READ ME
    "<

    It was several days ago, but I'm fairly certain I did uninstall Think-Adz, also. In fact, when I first began trying to clean up this machine, a "Think-Adz" entry appeared in MSCONFIG/Startup, as did a "swinnpem" entry, and when I unchecked them, they re-checked themselves on subsequent bootups. Then I found Think-adz in Add/Remove Programs and uninstalled it, and it reappeared there, too. These are the reasons I first contacted you.

    Which leads to one other issue I probably should have mentioned in my initial post. This machine has a user account named "David Crowley", and as he is out of the country for several months and we don't know his password, I was unable to run Ccleaner on his account, as instructed in the "Read Me".

    I want to make sure you understand why I have mentioned the above matters. I'm not trying to be defensive or belligerent. I just want to make sure you have all the relevant information. I understand that you do this on a volunteer basis and I have the highest respect for your efforts. In fact, if you or the site have a need for a skilled free-lance writer, I'm eager to assist, and if you own a house in the Dallas/Fort Worth which needs roofing, siding, or windows, my company will give you the brother-in-law price. Thanks again for your help...
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure how you are looking for them but the first two are gone; however, the ThinkAdz.lnk file is still there. See for yourself in the newfiles.txt log you just uploaded. You MUST use Windows Explorer to look for it. Do not use Windows Search if that is what you are doing. You still need to delete this file.

    Also delete the below folder from a rogue tool that you should not use:
    Code:
    "C:\Program Files\
    SPYWAR~1      Feb  9 2007              "SpywareBot"

    Note: The fixME.reg patch merged in this time properly. The last times it did not. I know this based on the contents of your GetRunKey log.

    Not True! Look at the HijackThis log you just posted!

    I also asked you to uninstall CounterSpy, but it still shows in your HJT log as being installed. It is however not showing in the newfiles.txt log which means it was uninstalled. These problems may be occurring due to the multiple security suites still running. Registry entries (including the malware ones we are trying to fix) are not getting cleaned up.

    Let's go thru your HJT log and point things out! I will show Symantec/Norton AV in BROWN, Norton Ghost in BLUE, CA eTrust in PURPLE and other malware (some I ask you to delete a few times & one is new) in RED. They are in your HJT log. If I can see them, you should be able to see them.

    The below are directly quoted from your current HJT log! If Symantec AV did not exist, it could not be running as it is!

    It seems to be uninstalled now based on your last newfiles.txt log.

    Running CCleaner on his account may be the least of the problems. He could have malware infections in his account.

    My proposal at this point is that we start working on removing all the Symantec Antivirus stuff to make sure it is not the cause of our difficulties in fixing things. Due to the fact that both it and CA eTrust are still running it may really be necessary to uninstall (temporarily) both of them to get this fixed properly.

    What do you think?

    I will start posting things later tonight, but in the meantime relook at the malware which you said you did not see in your HJT log and fix it (all the RED items from above). Also fix the O4 line for CounterSpy. Also delete the below file:

    c:\windows\system32\crsss.exe <---- Be careful!!!!! Do not confuse this with csrss.exe which is a valid file. Notice how the first rs is reversed from the valid file.
     
  11. smilejack1

    smilejack1 Private E-2

    Truly bizarre. I'm going to go into work tomorrow solely to deal with this.

    Questions before I try what you recommend:

    I think I was using My Computer instead of Windows Explorer to look for

    C:\Documents and Settings\All Users\Application Data\Sunbelt Software"
    C:\Program Files\Sunbelt Software
    C:\Documents and Settings\The Real John Wright\Start Menu\Programs\Startup\Think-Adz.lnk

    Would that have made a difference?

    Also, about this:

    I will start posting things later tonight, but in the mean time relook at the malware which you said you did not see in your HJT log and fix it (all the RED items from above). Also fix the O4 line for CounterSpy. Also delete the below file:

    I'm not quite sure what you mean when you say "fix it". Do you mean to run HJT again and remove it that way?

    Also, I'm quite ready to uninstall both AV programs (or anything else you recommend). But how will I be able to do this if Norton AV does not appear in Add/Remove programs?

    Also: I spent a good deal of time today working on this and I was quite thorough. I am virtually certain I did not see what I said I did not see, even though the various logs contradict me. Is that possible? And if I go back tomorrow and see (or not see, rather) the same things, should I take screenshots and post those? I'm also certain I uninstalled CounterSpy, yet there it is in the HJT log, as you noted. Is it possible both things are true?

    Also, at this point, does it matter which user account I'm in when I perform the operations you recommend?

    Finally, the data in the David Crowley user account which we would have to have is probably available via Shared Documents. If necessary, I could probably get it out that way and delete the account. Would this help?

    I wish I could adequately express how much I appreciate your assistance...
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! My Computer is Windows Explorer. As I said the first two are gone, but ThinkAdz.lnk is not.

    No there is a lot more involved since there are running processes and services. Yes HJT will be used in some steps but it is not so straightforward. I will start posting steps for you as soon as I can. Been too busy to get started on it yet and it will take some time to work up the procedure.

    I'm going to work up manual steps; however, give the following a try and see if it can help us get rid of some of it. NOTE: Before running the following tool, I want to warn you that it will try to remove ALL Symantec products (including Norton Ghost). See the list on the download page. You can always reinstall Norton Ghost after we get your problems resolved (but make sure you only install Norton Ghost and nothing else). Run this Norton Removal Tool (SymNRT) Attach a new HJT log afterwards!


    No! Unless the logs were not obtained in the correct order in the procedures. The logs do not lie. As I said CounterSpy is uninstalled but one startup is trying to load (seen in HJT). I still feel that the multiple antivirus applications are making it difficult for things to be removed properly (even uninstalls are not working properly - the AVs are probably blocking registry changes).

    You must be in the user account that you posted the logs for.

    No! There is a lot more to it than that! Each user account has their own registry data too.
     
  13. smilejack1

    smilejack1 Private E-2

    I read your latest post this morning and came to work, booted up (in selective start up with only vital apps running) opened Firefox to re-read your post, and then checked for C:\Documents and Settings\The Real John Wright\Start Menu\Programs\Startup\Think-Adz.lnk and the other files we've been discussing. I used Windows Explorer. Think-adz was not there, I'm certain of it. I then downloaded a trial version of Screenshot Utility (found here http://www.screenshot-utility.com/ ) and installed it, rebooted in Normal mode, opened Firefox again to view your post, and checked for Think-Adz, and it was visible. I deleted it. I have made no other changes to this machine.

    This machine has so much junk on it, that when I boot in normal mode it barely runs, so I've been booting in selective mode except when your instructions specifically say otherwise. If that might account for the discrepancies between what you see and I see, tell me, and tell which way I need to boot. I can provide a list of what I run in Selective mode if you need it.

    Next, I deleted "C:\Program Files\
    SPYWAR~1 Feb 9 2007 "SpywareBot"

    Next I ran Hijack this. I've taken a screenshot of all the entries beginning with O4 - HKLM. It's too big to post, but I can e-mail it to you. It shows that neither of the following appear:

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [Bar Ding lolt] analiz.exe

    I've looked in the HJT log I posted yesterday, both the copy on my hard drive and the copy that exists here on majorgeeks in my post yesterday, which you referred to in this passage (your words in red, mine in green):


    3) "The following files did not appear in HijackThis:

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [Bar Ding lolt] analiz.exe
    O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\swinnpem.exe


    Not True! Look at the HijackThis log you just posted!"

    I do not see them therein. As you can see, an entry similar to

    O4 - HKLM\..\Run: [Bar Ding lolt] analiz.exe

    appears, both in yesterday's logs and today's screenshot, but beginning with HKCU. This entry is in yesterday's HJT log, but not the HKLM variety.

    Think-Adz was not here today, although I can see it was yesterday. Is it not there today 'cause I just deleted the folder?

    Also, I checked the timestamps on the three logs, and I did them in the correct order - GetRun, then ShowNew, then HJT. And, just in case you need documentation, I have screenshots of those timestamps if you need verification, as well as screenshots of MSConfig, showing that the only Symantec/Norton product appearing there is Ghost, and of Control Panel/Add Remove, showing the same about Norton/Symantec.

    I'm going to post this and then try the Norton Removal Tool. Thanks again for your help...
     
  14. smilejack1

    smilejack1 Private E-2

    I tried the Norton Removal Tool. I got an error message saying it was expired and directing me to this link http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/2006050909471013 .

    I followed the instructions there and tried the Tool again, and got the same message.

    I've also tried to delete c:\windows\system32\crsss.exe , but it is not visible there. I have a screenshot verifying this.

    This post and the last detail EXACTLY what I've done to this machine since post #9, yesterday (Friday) at 15:04. I will make NO other changes until I hear from you again. Thanks yet again...
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As stated in step 0 of the READ ME, you must remain in Normal Startup mode for us to be able to help you. Yes this can be the cause of discrepancies and it is the reason for step 0 saying what it says. Please get in Normal Startup mode, check for the items mentioned in your HJT log and fix them if found.

    Now I will give you steps to remove the Norton stuff that is probably the reason for your PC being so slow.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Symantec Event Manager
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above to Stop and Disable the below two Services (if you do not find them or get any errors, just continue):
      • Symantec Password Validation
      • Symantec Settings Manager
      • Symantec Core LC
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste ccEvtMgr into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below two Services (if you do not find them or get any errors, just continue):
      • ccPwdSvc
      • ccSetMgr
      • Symantec Core LC
    • Now exit HJT and reboot when it tells you it needs to.

    After reboot, attach the below new logs while in Normal Startup mode
    • GetRunKey
    • ShowNew
    • HJT
    If there are any other programs that you can uninstall (i.e., you don't need them), consider doing so.
     
  16. smilejack1

    smilejack1 Private E-2

    Followed your instructions. See attached logs.

    As far as your advice to uninstall unnecessary software, I'm planning to do so, but first I've got to figure out who uses what around here. If there's anything that you think might be contributing to the current malware problem, however, just say the word and it's gone...
     

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\swinnpem.exe GID002
    O4 - HKCU\..\Run: [start uploading] crsss.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Now run Pocket Killbox by double-clicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\crsss.exe
    C:\WINDOWS\system32\swinnpem.exe
    C:\WINDOWS\System32\IPX32d56.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
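    The two cheap checks this thread keeps coming back to, the crsss.exe/csrss.exe lookalike warned about in post 10 and the bare-filename Run entries (ALCXMNTR.EXE, analiz.exe, crsss.exe) listed in the HJT fixes above, as an added Python example. This is not code from the thread or from HijackThis; the O4 line grammar, the short list of core Windows process names and the sample log lines (copied from the O4 entries quoted in this thread) are my assumptions.

```python
"""
Triage of HijackThis-style O4 autorun lines (added example, not HJT code).

Checks applied to each O4 entry (heuristics, assumed for this example):
  * no_path: the Run value is a bare file name, so Windows finds it by
    PATH search rather than at a fixed location (ALCXMNTR.EXE, analiz.exe).
  * lookalike_of_<name>: the basename is one edit or one adjacent swap
    away from a core Windows process name (crsss.exe vs csrss.exe).
  * system_process_in_autorun: a real core process name sits in a Run key
    or Startup folder, which the genuine ones never use.
"""
import re
from typing import Dict, List, Optional

# Core Windows process names that malware likes to imitate. Assumption:
# an illustrative short list, not an exhaustive one.
CORE_PROCESSES = ["csrss.exe", "smss.exe", "lsass.exe", "svchost.exe",
                  "winlogon.exe", "services.exe", "explorer.exe"]

# O4 - HKLM\..\Run: [Name] command        (registry Run keys)
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# O4 - Startup: Name.lnk = target         (Startup folder shortcuts)
STARTUP_RE = re.compile(
    r"^O4 - (?P<hive>Startup|Global Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# Either a quoted path, or the shortest prefix ending in an executable
# extension (handles unquoted paths containing spaces).
TARGET_RE = re.compile(
    r'^"([^"]+)"|^(.+?\.(?:exe|com|scr|pif|bat|cmd|dll))(?=\s|$)', re.IGNORECASE)


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment (Damerau-Levenshtein) distance: insert,
    delete, substitute, or swap two adjacent characters, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def command_target(cmd: str) -> str:
    """Pull the executable (or shortcut target) out of a command line."""
    m = TARGET_RE.match(cmd.strip())
    if m:
        return m.group(1) or m.group(2)
    parts = cmd.split()
    return parts[0] if parts else ""


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Parse one O4 line into hive, key, display name and resolved target."""
    line = line.strip()
    m = RUN_RE.match(line) or STARTUP_RE.match(line)
    if not m:
        return None
    return {"hive": m["hive"], "key": m.groupdict().get("key") or "Startup",
            "name": m["name"], "target": command_target(m["cmd"]), "raw": line}


def triage_entry(entry: Dict[str, str]) -> List[str]:
    """Return the list of heuristic flags raised by one parsed entry."""
    flags: List[str] = []
    target = entry["target"]
    base = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if "\\" not in target:
        flags.append("no_path")
    if base in CORE_PROCESSES:
        flags.append("system_process_in_autorun")
    else:
        flags.extend(f"lookalike_of_{core}" for core in CORE_PROCESSES
                     if osa_distance(base, core) <= 1)
    return flags


def triage_log(text: str) -> List[Dict[str, object]]:
    """Parse every O4 line in an HJT log and keep the entries that raise flags."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        entry = parse_o4(line)
        if entry is not None:
            flags = triage_entry(entry)
            if flags:
                findings.append({**entry, "flags": flags})
    return findings


# Constructed sample: the O4 lines quoted in this thread's HJT logs.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Bar Ding lolt] analiz.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\swinnpem.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\swinnpem.exe GID002
O4 - HKCU\..\Run: [start uploading] crsss.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f['hive']:<7} {f['name']:<16} {f['target']:<40} {', '.join(f['flags'])}")
```

    Note that the swinnpem.exe entries pass both checks, which is why the thread still relies on reading the full log rather than on name heuristics alone.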
     
  18. smilejack1

    smilejack1 Private E-2

    All steps completed as instructed. No error messages or other noteworthy phenomena.

    Norton Ghost no longer works due to the components we removed. I'm going to uninstall it unless you tell me I shouldn't.

    Other than that, the machine seems fine...
     

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have one more leftover line to fix with HJT. Fix this:
    O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe

    I would uninstall all of the below if they show in Add/Remove Programs.

    LiveReg (Symantec Corporation)
    LiveUpdate 2.6 (Symantec Corporation)
    Norton Ghost 10.0
    Notifier

    Then reboot! If you really need Norton Ghost, then reinstall it but make sure that you only install Norton Ghost and none of their other junk! It does not make sense that they should require all that garbage to be installed and running just to use Norton Ghost. If they do, you should find another product to replace Norton Ghost.

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  20. smilejack1

    smilejack1 Private E-2

    One more time: I am very grateful, both for your help and your patience...
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
