Noob, frustrated, going crazy

Discussion in 'Malware Help (A Specialist Will Reply)' started by okn0tok, Mar 5, 2007.

  1. okn0tok

    okn0tok Private E-2

    Hi,
    .... I can't get to certain sites; it takes me to random porn sites or just says page not found. (godaddy.com is where I was trying to go.)
    I called GoDaddy; they had me run tracert on www.godaddy.com. It came back fine, so they had me run ipconfig /all. My DNS entries reported 85.255.116.35 and 85.255.112.xx (sorry, can't remember the last two numbers). Anyway, I was told it was a virus called gromozone.

    So I ran my ZoneAlarm; it brought up a lot of stuff that is not repairable or removable, mostly .dlls. I also ran Spybot Search & Destroy. It didn't fix my problem, so I did a search on gromozone and found a post somewhere that led me to a download. The file was gromozoneremovetoolkit.exe. I followed the instructions and it reported it did not find that virus.

    So I followed the entire Malware Removal Guide over the last two days. I still have the same problem and the same DNS numbers showing. I have a bunch of unfixable trojan viruses reported by ZoneAlarm. I really have no clue what to do. So here are the logs from the other scans I was told to run in the Malware Removal Guide on your site.

    Thanks.
    P.S. (sorry if I'm doing this wrong...)
     

    Attached Files:

  2. okn0tok

    okn0tok Private E-2

    here are the other log files.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  4. okn0tok

    okn0tok Private E-2

    OK, here are the reports/logs.
    I thought I was running with an antivirus program; what is ZoneAlarm? A few days before that I had System Suite, but it wouldn't open or run anymore, so I uninstalled it. Then I found out my disc was ruined, so I couldn't reinstall it.
    I have no idea. I've screwed this thing up so bad, lol.
     

    Attached Files:

  5. okn0tok

    okn0tok Private E-2

    It worked!! I can get to GoDaddy this morning. It didn't work last night when I posted, though; how weird.
    Thanks so much, Chaslang! I am a very happy girl! Yay!!
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm happy to hear that you are happy; however, we are not finished yet. You have MANY more malware problems that we need to remove.

    Please attach the log from VundoFix that I requested. If you did not run it, run it now, and run it a few times, because you have a very bad case of Vundo infections.

    Now please delete the below folders. Note that the question marks represent unprintable characters that were found during the scans, but they may appear to you as normal characters when you locate them using Windows Explorer. I have added a comment (<--) next to each item. Note the date of the folders, which will help you to locate them:
    Code:
    "C:\Documents and Settings\Amy\Application Data\"
    YMANTE~1      Jan 15 2007      "?ymantec"       <-- may look like Symantec
    PPPATC~1      Feb 16 2007      "?ppPatch"       <-- may look like AppPatch

    "C:\Program Files\Common Files\"
    FNTS~1        Feb  9 2007      "F?nts"          <-- may look like Fonts
    ICROSO~1.NET  Dec  5 2006      "?icrosoft.NET"  <-- may look like Microsoft.NET
    Note: there may be a real valid folder with the same name next to each of these.
    
    Also delete the below folders:
    C:\Program Files\VSAdd-in
    C:\Program Files\Common Files\{34A72714-069F-1033-0119-051212200001}
    C:\Program Files\Common Files\{94A72714-069F-1033-0119-051212200001}


    Now uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    Then download the newest version of ShowNew and attach a new log from it.
    Also attach a new HJT log.

    As I said above, we still have a lot more to do, but I need you to do the above and also need these new logs before we can continue.

    As far as ZoneAlarm antivirus is concerned, in the first logs you posted only the ZoneAlarm firewall was there. The antivirus was not present. In your last HJT log I do see ZoneAlarm AV. What did you change?
     
    Last edited: Mar 6, 2007
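The folder trick described in the post above (a directory whose name differs from a legitimate one only by a character that Explorer may render as an ordinary letter or a blank, and which may sit right next to the real folder) can be checked programmatically rather than by eye. The following is an added example, not code from this thread or from MajorGeeks: it scans a constructed directory listing, reports every name containing a character outside printable ASCII, and names the legitimate folder each one imitates. The list of legitimate names and the sample characters are assumptions; the thread only shows the real on-disk characters as "?".

```python
import unicodedata

# Assumption: the legitimate folder names an analyst expects to see; these are
# the names the post says the fake folders imitate.
LEGIT_NAMES = {"Symantec", "AppPatch", "Fonts", "Microsoft.NET"}

# Constructed directory listing (not the poster's real folder names, which the
# thread only shows as "?"). Each fake differs from a real name by a character
# that is not printable ASCII: a control character, a zero-width space, a
# non-breaking space or a Cyrillic letter that looks like a Latin one.
SAMPLE_LISTING = [
    "Symantec",            # real folder, coexists with the fake below
    "\x01ymantec",         # control character in place of 'S'
    "App\u200bPatch",      # zero-width space inserted into the name
    "F\x7fnts",            # DEL in place of 'o'
    "\xa0icrosoft.NET",    # non-breaking space in place of 'M'
    "Microsoft.NET",       # real folder
    "Sym\u0430ntec",       # Cyrillic 'a' (U+0430) in place of Latin 'a'
    "R\x05ndom",           # suspicious, but imitates nothing on the list
    "Temp",                # clean, unrelated
]


def is_plain(ch):
    """Printable 7-bit ASCII (space through tilde); everything else is reported."""
    return 0x20 <= ord(ch) < 0x7F


def suspicious_chars(name):
    """Positions, code points and Unicode categories of every non-plain character."""
    return [(i, f"U+{ord(c):04X}", unicodedata.category(c))
            for i, c in enumerate(name) if not is_plain(c)]


def lookalike_of(name, legit):
    """Legitimate name that `name` imitates, or None.

    Two disguises are covered: a non-plain character substituted for a real
    letter (same length, every plain position agrees) and a non-plain character
    inserted (dropping the odd characters yields the real name exactly).
    """
    bad = {i for i, _, _ in suspicious_chars(name)}
    if not bad:
        return None
    stripped = "".join(c for i, c in enumerate(name) if i not in bad)
    for real in legit:
        if stripped.lower() == real.lower():
            return real
        if len(name) == len(real) and all(
            i in bad or c.lower() == real[i].lower() for i, c in enumerate(name)
        ):
            return real
    return None


def scan_listing(names, legit=LEGIT_NAMES):
    """Return (name, imitated_real_name_or_None, suspicious_chars) for each odd entry."""
    return [(n, lookalike_of(n, legit), suspicious_chars(n))
            for n in names if suspicious_chars(n)]


if __name__ == "__main__":
    for name, target, chars in scan_listing(SAMPLE_LISTING):
        verdict = f"looks like {target}" if target else "no match on legit list"
        print(f"{name!r:22} {verdict:28} {chars}")
```

On a live machine, feed `os.listdir()` of the directories named in the post to `scan_listing()`; `repr()` of the returned names shows the hidden character that Explorer does not. The real "Symantec" and "Microsoft.NET" entries in the sample are deliberately left alone, matching the post's warning that a valid folder of the same name may exist beside the fake.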
  7. okn0tok

    okn0tok Private E-2

    Oh man! :tired
    OK I attached all logs/reports requested.
    Deleted the folders requested.
    Uninstalled Java and installed the latest version (I thought I had the latest version, but I guess I took an old link?)


    I don't know what I did with ZoneAlarm. I must have unchecked the anti-virus option, although I don't remember doing it.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach a complete HJT log. Please attach a proper log. I cannot continue without it.

    I also just noticed that you did not install the current Sun Java version. You need to install this from the link I gave you.
     
    Last edited: Mar 7, 2007
  9. okn0tok

    okn0tok Private E-2

    Ha ha, I'm so retarded; I downloaded Java and forgot to install it... BUT it won't install. I get the error that it's not a valid Win32 application; this has been happening for the last week or so for all sorts of things.

    So... I did a search on it and didn't really find any answers on how to fix that; it just says to install a 32-bit version of the software. So I went back to the site and it automatically reinstalled the same versions you asked me to remove.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the old versions! We will revisit installing the new one after we get all the malware issues resolved. And there are a lot to resolve.

    Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\enyws.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,oigbdhe.exe
    O2 - BHO: (no name) - {320985D4-4A60-48E2-42E4-4691F1A587C6} - C:\WINDOWS\system32\wguyau.dll (file missing)
    O2 - BHO: (no name) - {4BEACC61-6FD3-24B6-31B4-05453F4FBF53} - C:\WINDOWS\system32\ombxaof.dll (file missing)
    O2 - BHO: (no name) - {8BFFAFDF-3F31-6EB7-1F31-3BC6543D3DC3} - C:\WINDOWS\system32\bdxentit.dll (file missing)
    O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll
    O2 - BHO: (no name) - {D330CB1D-01D6-727F-DB38-569098A338C3} - C:\WINDOWS\system32\fulcankv.dll (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [408809432] C:\DOCUME~1\Amy\LOCALS~1\Temp\Reg\EGAMES~1.EXE /r "C:\DOCUME~1\Amy\LOCALS~1\Temp\Reg\EGAMES~1.rpd"
    O4 - HKCU\..\Run: [Vdgs] C:\Documents and Settings\Amy\My Documents\?ppPatch\?vchost.exe
    O4 - HKCU\..\Run: [Qvwxb] C:\Documents and Settings\Amy\My Documents\?ppPatch\n?tdde.exe
    O4 - HKCU\..\Run: [Dkojmh] C:\WINDOWS\system32\F?nts\w?auclt.exe
    O4 - HKCU\..\Run: [Apsi] "C:\PROGRA~1\COMMON~1\ICROSO~1.NET\chkntfs.exe" -vt ndrv
    O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
    O15 - Trusted Zone: *.moove.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4061CCE7-08BC-4B84-8C15-6C4E75D659BF}: NameServer = 85.255.116.35,85.255.112.65
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A5365231-0E8F-4C14-9D47-6BF92EAF80B9}: NameServer = 85.255.116.35,85.255.112.65
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B7815D49-061F-4367-8A1C-CF8C23CFDE1A}: NameServer = 85.255.116.35,85.255.112.65
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DD066170-CAB7-4FCE-B235-83458B8580ED}: NameServer = 85.255.116.35,85.255.112.65
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.35 85.255.112.65
    O17 - HKLM\System\CS1\Services\Tcpip\..\{4061CCE7-08BC-4B84-8C15-6C4E75D659BF}: NameServer = 85.255.116.35,85.255.112.65
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.35 85.255.112.65

    After clicking Fix, exit HJT.

    Now run Pocket Killbox by double-clicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\WINDOWS\system32\enyws.exe
    C:\WINDOWS\system32\oigbdhe.exe
    C:\Program Files\outlook\outlook.exe
    C:\windows\system32\abgmcwff.ini
    C:\windows\system32\adnfftrg.ini
    C:\WINDOWS\system32\aswraxrf.dll
    C:\WINDOWS\system32\aybddofb.dll
    C:\windows\system32\bfoddbya.ini
    C:\windows\system32\cdacbqos.dll
    C:\windows\system32\cvmyanam.ini
    C:\windows\system32\cxdnhjal.dll
    C:\windows\system32\dpnrwhwl.dll
    C:\windows\system32\dthqqksn.dll
    C:\windows\system32\effuoslf.dll
    C:\WINDOWS\system32\eghhk.tmp
    C:\windows\system32\egvipgei.dll
    C:\windows\system32\elthjhwq.dll
    C:\windows\system32\eommmped.dll
    C:\WINDOWS\system32\epbjqxtd.exe
    C:\windows\system32\exxbioil.ini
    C:\windows\system32\faaieskl.dll
    C:\windows\system32\fbsocxrl.dll
    C:\windows\system32\fbyewqgj.ini
    C:\windows\system32\fescdxwj.ini
    C:\windows\system32\ffwcmgba.dll
    C:\windows\system32\flsouffe.ini
    C:\windows\system32\frasjotk.ini
    C:\windows\system32\frxarwsa.ini
    C:\windows\system32\gdlsqipw.dll
    C:\windows\system32\gpjvrwrj.dll
    C:\windows\system32\grtffnda.dll
    C:\WINDOWS\system32\hh.ico
    C:\windows\system32\hhurdogt.ini
    C:\windows\system32\hljovnlt.dll
    C:\windows\system32\hoikecen.ini
    C:\windows\system32\hwbrmpxg.dll
    C:\windows\system32\iifjoavx.ini
    C:\windows\system32\iwxurvkt.ini
    C:\windows\system32\jcecwejq.dll
    C:\windows\system32\jgqweybf.dll
    C:\windows\system32\jrwrvjpg.ini
    C:\windows\system32\jwxdcsef.dll
    C:\WINDOWS\system32\kduxt.exe
    C:\windows\system32\ktojsarf.dll
    C:\windows\system32\lajhndxc.ini
    C:\windows\system32\lioibxxe.dll
    C:\windows\system32\lrxcosbf.ini
    C:\windows\system32\lwhwrnpd.ini
    C:\windows\system32\lxxocqno.dll
    C:\windows\system32\manaymvc.dll
    C:\windows\system32\mdlwsldq.ini
    C:\WINDOWS\system32\mhlaqaqs.exe
    C:\WINDOWS\system32\mhvxtjdn.exe
    C:\windows\system32\mkujmukp.dll
    C:\windows\system32\moevnjas.ini
    C:\WINDOWS\system32\msnprcss.exe
    C:\windows\system32\necekioh.dll
    C:\windows\system32\nwydldeo.dll
    C:\windows\system32\oedldywn.ini
    C:\windows\system32\onqcoxxl.ini
    C:\windows\system32\pevkokoy.dll
    C:\windows\system32\pikrqrhy.dll
    C:\windows\system32\pkumjukm.ini
    C:\windows\system32\qdlswldm.dll
    C:\windows\system32\qwhjhtle.ini
    C:\windows\system32\riuwrxny.ini
    C:\windows\system32\sajnveom.dll
    C:\windows\system32\soqbcadc.ini
    C:\windows\system32\tddkktor.dll
    C:\windows\system32\tgodruhh.dll
    C:\windows\system32\tgqkskmu.dll
    C:\windows\system32\tkvruxwi.dll
    C:\windows\system32\tlnvojlh.ini
    C:\windows\system32\toobstch.dll
    C:\windows\system32\umkskqgt.ini
    C:\windows\system32\vjxdmdej.dll
    C:\windows\system32\vrjfjjli.dll
    C:\windows\system32\vwdqevvw.dll
    C:\windows\system32\weuelqax.ini
    C:\windows\system32\wiaservc.dll
    C:\windows\system32\winfvnnx.dll
    C:\windows\system32\wvveqdwv.ini
    C:\windows\system32\xbysudet.dll
    C:\windows\system32\xnnvfniw.ini
    C:\windows\system32\xvaojfii.dll
    C:\windows\system32\yhrqrkip.ini
    C:\windows\system32\ynxrwuir.dll
    C:\windows\system32\yokokvep.ini
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete if found:
    C:\Program Files\outlook

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
     
    Last edited: Mar 8, 2007
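The HijackThis lines chaslang selected above fall into a few recognisable hijack patterns: O17 NameServer entries pointing at resolvers the machine should not be using (the DNS change that caused the GoDaddy redirection in the first post, present on every adapter key and on Tcpip\Parameters), a system.ini Shell= value with a second executable appended to Explorer.exe, a UserInit= value with an extra program, an R1 ProxyServer pointing at a listener on 127.0.0.1, and orphaned O2 BHO entries. The following Python is an added example, not a tool from the thread or from MajorGeeks: it triages a constructed HJT excerpt for those patterns. The allow-list of expected resolvers (here a LAN router at 192.168.1.1, plus any private or loopback address) and the benign final O17 line are assumptions an analyst would set per machine.

```python
import ipaddress
import re

# Constructed sample input: a few HijackThis lines of the kinds discussed in the
# thread, plus one benign O17 entry (made-up GUID) pointing at a LAN router so
# the allow-list logic has something to pass.
SAMPLE_HJT = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 127.0.0.1:7212
F2 - REG:system.ini: Shell=Explorer.exe, C:\\WINDOWS\\system32\\enyws.exe
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,oigbdhe.exe
O2 - BHO: (no name) - {320985D4-4A60-48E2-42E4-4691F1A587C6} - C:\\WINDOWS\\system32\\wguyau.dll (file missing)
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\\WINDOWS\\system32\\IETie.dll
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{4061CCE7-08BC-4B84-8C15-6C4E75D659BF}: NameServer = 85.255.116.35,85.255.112.65
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 85.255.116.35 85.255.112.65
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
"""

# Assumption: the resolvers this machine is supposed to use. Private (RFC 1918)
# and loopback addresses are accepted as "probably the home router"; anything
# else must be listed here explicitly or it is reported.
EXPECTED_RESOLVERS = {"192.168.1.1"}

NAMESERVER_RE = re.compile(r"^O17 - .*?: NameServer = (.+)$")
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.+)$", re.I)
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.+)$", re.I)
PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (\S+)", re.I)
BHO_RE = re.compile(r"^O2 - BHO: .* - (.+?) \(file missing\)$")


def parse_nameservers(value):
    """HJT prints NameServer lists separated by commas or spaces (both forms appear above)."""
    return [ip for ip in re.split(r"[,\s]+", value.strip()) if ip]


def resolver_is_expected(ip_text, expected):
    if ip_text in expected:
        return True
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # garbage in a NameServer value is itself suspicious
    return ip.is_private or ip.is_loopback


def triage_hjt(log_text, expected=EXPECTED_RESOLVERS):
    """Return (kind, line, details) findings for the hijack patterns seen in this thread."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = NAMESERVER_RE.match(line)
        if m:
            bad = [ip for ip in parse_nameservers(m.group(1))
                   if not resolver_is_expected(ip, expected)]
            if bad:
                findings.append(("dns-hijack", line, bad))
            continue
        m = SHELL_RE.match(line)
        if m:
            # A clean machine has exactly "Explorer.exe" here; anything appended
            # is launched at every logon alongside the real shell.
            parts = [p.strip() for p in m.group(1).split(",")]
            extras = [p for p in parts[1:] if p]
            if extras or parts[0].lower() != "explorer.exe":
                findings.append(("shell-hijack", line, extras))
            continue
        m = USERINIT_RE.match(line)
        if m:
            parts = [p.strip() for p in m.group(1).split(",") if p.strip()]
            extras = [p for p in parts if not p.lower().endswith("userinit.exe")]
            if extras:
                findings.append(("userinit-hijack", line, extras))
            continue
        m = PROXY_RE.match(line)
        if m and m.group(1).split(":")[0] in ("127.0.0.1", "localhost"):
            # Browser traffic forced through a local listener the user never set up.
            findings.append(("local-proxy", line, [m.group(1)]))
            continue
        m = BHO_RE.match(line)
        if m:
            findings.append(("orphan-bho", line, [m.group(1)]))
    return findings


if __name__ == "__main__":
    for kind, line, detail in triage_hjt(SAMPLE_HJT):
        print(f"{kind:16} {detail}  <- {line[:70]}")
```

Pass the text of a real HJT log to `triage_hjt()` to run the same checks. An O17 hit is a reason to also look at `ipconfig /all`, as GoDaddy had the poster do: in this thread the same two addresses appeared on every adapter key and on Tcpip\Parameters, which is why clearing one line was not enough and all of them were selected for Fix.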
  11. okn0tok

    okn0tok Private E-2

    I'm going down with my ship!

    Java is not on the machine now.

    Followed all the instructions. I did get the PendingFileRenameOperations message when running Killbox.
    Attached are the three reports after everything was run. I think I might have run HJT once too many times... but if you need the one before the last one I'm posting, I should have it; I always save a copy because I'm screwing things up by accident.

    ok
    With that said...
    I'm getting the error when I try to install Java 6.0
    and also I started getting the following errors somewhere along the process:

    touchEd error
    retreival of "thotkey" failed.
    Error code - 0x00031402, 0x00000002
    (I think this might affect my tablet PC capability because my pen doesn't work now)

    TPSODDCtl.exe - Ordinal not found
    The ordinal 19 could not be located in the dynamic link library TPSMainCtl.dll

    I also don't have sound anymore, and when I try to open the volume control panel I get this message:
    "There are no active mixer devices available. To install mixer devices, go to control panel, click mixers and other hardware, and then click add hardware.
    This program will now close."
    ?? So I went into the sound control panel and it says no audio device. ??
    So then I went to the Device Manager and it's completely blank! Does this have anything to do with the above errors?

    Oh, and I don't have System Restore turned on.... I shut it off because all my restore points were corrupt; I tried restoring a week ago and they were all bad, so I turned it off to dump them...
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Im going down with my ship!

    You appear to have been doing things on your own and thus you may have to fix these on your own. Let's track the services entries in all of your HJT logs thus far.

    In message number 2 HJT log you had:
    In message number 4 HJT log you had:
    In message number 9 & 11 HJT log you had:
    The question is what have you been doing on your own??? You seem to have deleted all the below services and nothing that I had you do has anything to do with these being removed.
    How did you delete these services? Did you use HJT to fix lines? If so, restore them from HJT's backups. Did you uninstall software? If so, reinstall it. Nothing that I had you do touched these and these will impact things you are complaining about.

    You also installed at least three new software items that I did not request which further confuses what we are trying to do.
    a-squared Free 2.1
    ScrypTik 1.13
    Trillian


    Now, after addressing the above questions, do the below.
    • Please download the attached Fix.zip file and extract it to your Desktop where it will create a folder named fix
    • Open the Fix folder on your Desktop and DoubleClick on fix.bat to run the fix.
    • Now power down your PC. Wait about 30 seconds and then turn on your PC
    • After reboot, attach new logs from ShowNew and HJT
    • Also make sure you answer my questions and explain what you have been doing on your own.
     

    Attached Files:

    • Fix.zip (612 bytes)
  13. okn0tok

    okn0tok Private E-2

    OK attached are the new logs.

    As far as what I have been doing on my own... I read on this site the speeding up your computer thing, and it said to uninstall programs you don't use, so I did, sorry.
    All the Toshiba stuff, though, I didn't uninstall that.... I don't know what happened. And I was very careful to only check off what I was told in the HJT window before running Fix.
    I will try to get these missing files from Toshiba's website.

    As far as the new installs... sorry... I needed to get some work done and had to have MSN Messenger and a way to edit a .pdf file.... I chose Trillian because my version of MSN Messenger froze every time I tried to use it. The other program I read was on this site, suggesting it was good to use in conjunction with your anti-virus program, so I downloaded it, sorry.

    I really am not trying to be a pain in the ***.... sorry
     
  14. okn0tok

    okn0tok Private E-2

    sorry forgot the logs.... here they are.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Those logs look ok!

    Now please attach a new log from GetRunKey too!

    What exactly did you use/do to delete the services from your PC? I did not notice that and Toshiba software was uninstalled based on your newfiles.txt log, but based on what I pointed out in that series of HJT logs, you somehow removed a bunch of required services. That is, unless you are filtering info from your HJT logs!
     
  16. okn0tok

    okn0tok Private E-2

    Ok here is the new log from getrunkey.

    As far as the services, I have no clue what the hell I did. All I did was uninstall a few programs I wasn't using. I would never remove any of the Toshiba components because it's a tablet PC and I don't want to ruin my functionality, but I have managed to anyway, lol.
    I didn't delete the services or uninstall them knowingly, anyway.
    Super pain in the *** because my tablet functions don't work anymore either, lol, and to make problems worse I have no system disk to restore it.... so I will go to their site and see what I can get back (for free), lol.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to attach the log! Make sure it is a new one that you obtained just now.
     
  18. okn0tok

    okn0tok Private E-2

    sigh...sorry
    here it is.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to do our final steps. You need to get an antivirus application installed ASAP. This is covered in the How to protect link given below.
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  20. okn0tok

    okn0tok Private E-2

    K thank you. :)
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
