Need help with Malware & Virus removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by marre, Apr 21, 2007.

  1. marre

    marre Private E-2

    I have gone through the steps in "Read & Run First". I started with the Smitfraud-C.Toolbar888. Couldn't get rid of it. In going through this process, there seems to be a multitude of Malware and Viruses....win32.Agent.aze and others.

    This process got rid of some but not all...please help. I will never let friends use my computer again!!

    Thanks!

    Marre
     


  2. marre

    marre Private E-2

    This is part 2 of the files.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Continue by downloading the two tools we will need:

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)
    Also make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of winexz32.dll once and then click the kill button. After you have killed all of the winexz32.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    byxvsrr.dll

    Next double click on explorer.exe and again click once on each instance of winexz32.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    byxvsrr.dll

    Next double click on iexplore.exe and again click once on each instance of winexz32.dll and kill it. (If you do not find the dll, just continue on.)


    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    byxvsrr.dll

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {0309638F-93F8-44D3-84CF-240EB1AB7F1F} - C:\WINDOWS\system32\byxvsrr.dll
    O4 - HKLM\..\Run: [saujzun.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\saujzun.dll,ecwsdq
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O20 - Winlogon Notify: byxvsrr - C:\WINDOWS\SYSTEM32\byxvsrr.dll
    O20 - Winlogon Notify: winexz32 - C:\WINDOWS\SYSTEM32\winexz32.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run Pocket Killbox by double-clicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\byxvsrr.dll
    C:\WINDOWS\system32\saujzun.dll
    C:\WINDOWS\system32\winexz32.dll
    C:\WINDOWS\system32\ccc3.dll
    C:\WINDOWS\system32\ddabb.dll
    C:\WINDOWS\system32\bbadd.bak1
    C:\WINDOWS\system32\bbadd.ini
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

    If Killbox does not reboot just reboot your PC yourself.

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
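As an added example (not from the thread, nor from HijackThis or Pocket KillBox themselves): a small Python parser for the HijackThis lines and the KillBox path list posted above. It ties each file scheduled for deletion back to the autostart or hook entry that loads it, and flags entries whose target file is already gone, which is the cross-check a responder wants before clicking Fix. The sample log lines are constructed from this post and post #7; HjtEntry, parse_hjt and cross_check are names chosen here.

```python
import re
from dataclasses import dataclass

# Constructed sample: the HijackThis lines chaslang asked to have fixed
# in posts #3 and #7, not a complete log from the thread.
SAMPLE_HJT_LINES = r"""
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {0309638F-93F8-44D3-84CF-240EB1AB7F1F} - C:\WINDOWS\system32\byxvsrr.dll
O4 - HKLM\..\Run: [saujzun.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\saujzun.dll,ecwsdq
O20 - Winlogon Notify: byxvsrr - C:\WINDOWS\SYSTEM32\byxvsrr.dll
O20 - Winlogon Notify: winexz32 - C:\WINDOWS\SYSTEM32\winexz32.dll
O2 - BHO: (no name) - {1FAED6CF-B47B-46D8-A081-DE6B8A75BE10} - C:\WINDOWS\system32\ddabb.dll (file missing)
"""
# The dll paths chaslang handed to Pocket KillBox in post #3.
KILLBOX_PATHS = [r"C:\WINDOWS\system32\byxvsrr.dll", r"C:\WINDOWS\system32\saujzun.dll",
                 r"C:\WINDOWS\system32\winexz32.dll", r"C:\WINDOWS\system32\ccc3.dll",
                 r"C:\WINDOWS\system32\ddabb.dll"]
SECTION_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<detail>.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s,]+?\.(?:dll|exe)", re.IGNORECASE)
HOST_PROCS = {"rundll32.exe"}  # legitimate host; the payload is the dll it loads

@dataclass
class HjtEntry:
    section: str     # R3, O2, O4, O20, ...
    modules: list    # lowercase basenames of files the entry loads
    orphan: bool     # registry still points at a file that is gone

def parse_hjt(text):
    """Turn HJT log lines into entries with the module names they reference."""
    entries = []
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if not m:
            continue
        names = [p.rsplit("\\", 1)[-1].lower() for p in PATH_RE.findall(m["detail"])]
        entries.append(HjtEntry(m["section"], [n for n in names if n not in HOST_PROCS],
                                "(no file)" in line or "(file missing)" in line))
    return entries

def cross_check(entries, killbox_paths):
    """Map each KillBox file to the HJT sections loading it; also list files with
    no HJT entry and entries whose file is already missing."""
    wanted = {p.rsplit("\\", 1)[-1].lower() for p in killbox_paths}
    referenced = {}
    for e in entries:
        for name in e.modules:
            if name in wanted:
                referenced.setdefault(name, []).append(e.section)
    unreferenced = sorted(wanted - referenced.keys())
    orphans = [e.section for e in entries if e.orphan]
    return referenced, unreferenced, orphans
```

A file in the KillBox list with no HJT entry (here ccc3.dll) came from the other logs, so it is worth confirming separately rather than assuming the HJT fix alone covers it.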
  4. marre

    marre Private E-2

    Thanks for your help!

    Went through all the steps. With Process Explorer - didn't have any winexz32.dll but had 2 byxvsrr.dll under winlogon.exe and 1 byxvsrr.dll under explorer.exe

    Did NOT get the PendingFile....etc when using KillBox and KillBox did reboot my computer.

    I had uninstalled IE7 or whichever the latest version is and am now going with an older version. Think it would be okay to reinstall the latest? Would rather not have it at all but some sites have to have IE (like Panda Active Scan etc)

    I notice that I am having one helluva time trying to get on the majorgeek website and navigate it....any other website - no problem. I have DSL connection but I am having a difficult time getting on this site.

    I am attaching the latest files you asked for...hope I have told you everything..oh yeah....when I was trying to do this stuff, my McAfee kept warning me about VirtuMonde or something like that and it couldn't get rid of it. But since I have gone through the steps and rebooted, it hasn't popped back up.

    The site won't let me upload HJT file again...it says I have already done it once and won't let me do it again. I tried to rename to Hijackthis2 and several other things but no go.

    Thanks!!!
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    IE7 is not required to access the online scan sites. IE6 will work just fine.

    I'm not sure what you mean. What problems exactly are you having?

    That means you are trying to attach the same log as you attached last time. You need to get a NEW log and attach it.
     
  6. marre

    marre Private E-2

    Sorry, but I may have messed up....think after I ran HJT I forgot to click on save log. Just re-ran HJT and am attaching the log.

    About getting on majorgeeks....the page won't come up, it is like it is stuck and just grinding away trying to display pages - they may eventually come up after sitting there awhile. It doesn't do this with other sites; and, I have another computer, which I am on now via wireless router and pages come right up. I can navigate from page to page and they all come right up on this computer...but not the one that the virus is on.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Does your other computer also have the below items installed and running:

    Embarq TotalAccess
    McAfee (all of the software)

    If you run in safe mode, can you connect to the internet? If so, do you have the same problems connecting to MGs in safe mode?


    Let's Reset Web Settings and clear your cache:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now click Start, Run and enter ipconfig /flushdns and click OK!

    Did the above steps change any symptoms?

    Now run HJT and have it fix the below lines:

    O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\wootwywi.dll (file missing)
    O2 - BHO: (no name) - {1FAED6CF-B47B-46D8-A081-DE6B8A75BE10} - C:\WINDOWS\system32\ddabb.dll (file missing)

    Attach a new HJT log.
     
  8. marre

    marre Private E-2

    Yes, my 2nd computer has these programs and a lot more than the desktop.

    Safe mode makes no difference on the infected computer...actually after having done the latest steps, it still does the same thing. The geeks website comes up but only the green background is displayed....no content at all and status bar says 'Done'. This is not happening with other sites I go to with it. The geeks site will eventually come up if I let it sit....after 2 or 3 minutes. Once on the site, I can navigate to a page maybe 2 before it does it again. This doesn't happen on my laptop and never used to happen on majorgeeks site with my desktop. I actually go to the site quite often and browse.

    Attached is new HJT....I also reset System Restore this time.

    Thanks!
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is unlikely that this is a malware problem! It would really be very unlikely that malware would only cause a problem like this on Majorgeeks! It could be related to some setting in your McAfee software including the firewall and SiteAdvisor. Try shutting down/disabling or uninstalling all of McAfee and see what happens.

    However even after saying the above, let's also dig a little deeper for malware!

    Now please download F-Secure's BlackLight Beta
    • Download fsbl.exe and save it to the Desktop.
    • Once saved... double click fsbl.exe to install the program.
    • Click accept agreement and Click scan
    • This application may trigger a warning from your antivirus. Let the driver load. Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please attach the BlackLight log.

     
  10. marre

    marre Private E-2

    First, let me thank you for sticking with me. I really appreciate it and am ready any time you are to hand over a kidney or give you a kid!

    I ran Spybot and there was still Smitfraud-C.toolbar888. So, I ran the smitfraud tool then ran Spybot again in Safe and Normal mode - doesn't show up any more.

    Thanks again for hanging in there with me!
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Attach a log from Spybot! It is probably just finding a couple of benign registry keys!

    Did you try disabling or uninstalling all of the McAfee software to see what happens?
     
  12. marre

    marre Private E-2

    I tried disabling McAfee - no difference. I have McAfee on my second computer and it doesn't seem to be the problem. I'm not attaching the Spybot file as the Smitfraud seems to be gone now after running Smitfraudfix. I have run Spybot a few more times in normal and Safe mode - doesn't show up. Do I seem to be Malware free now......maybe my internet problem with majorgeeks is a cookie vs security setting issue? I have tried a bunch of different settings with the browser and McAfee....I can't seem to find the right thing.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes but that does not mean that they are both set up the same. Since your system has been malware free since completing message # 7, I was just looking to see if it was a settings type issue. Also since your other PC appears to work fine, it would seem to rule out something at a higher level in your network or beyond. It does seem to mean something on this PC has been changed. Figuring out what is the problem.

    You have to realize that just because your PC appears malware free based on the scans and logs, it does not guarantee that there is no malware. Potentially there is some new form of malware on your PC that is not known or detected. Also it's possible that the malware we removed already changed some settings on your PC and now, even with the malware removed, it could be causing issues. But on the other side it still could be something in your own software. I have seen many people that have big issues with that Earthlink Total Access software. Many have said it should have been called Totall No-Access. But I don't know if that is your problem or not. The same is true for McAfee. Sometimes the best thing to do is to uninstall software like this and see what happens. Trying to stop the software usually does not work and you cannot easily stop all of it from loading and running since services are also used.
     
  14. marre

    marre Private E-2

    Thanks for all your help. I take it that the log from Blacklightbeta didn't show anything unusual....

    Thanks again! I love this site, everyone is always so helpful!!

    Marre
     
  15. marre

    marre Private E-2

    Got my issue resolved with this website. When we reset IE settings, it turned the windows firewall back on.....I use McAfee firewall, so I had 2 firewalls going. I discovered this when I uninstalled McAfee. Why it would do it with this website and not all others, I don't know.

    I reinstalled PCTools firewall and no problem!! Yeah! Thanks for everything!

    Marre
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A reset of web settings has nothing to do with any firewall. It just resets IE to be the default browser and changes a few other related settings. I'm not sure how your Windows Firewall was re-enabled, but it was not from a reset of web settings.

    And in addition, we did not even reset web settings until message number 7. You were already complaining about problems accessing Major Geeks in message # 4.
     
