Oops, ran ShowNew early

Welcome to Major Geeks!

You just need to re-run the tools at the point where you are suppose to run them which is after all the other scan have been run. The logs will be over written with the new information.

 

Re: Another question about the Malware Removal Guide

No! Step 5 makes no mention of HijackThis. HijackThis is not run until step 7 where you install it and run it. You were only supposed to download it previously. You must Complete steps 6A, 6B and 6C before getting to step 7.

 

Re: Another question about the Malware Removal Guide

In your own quote from the READ ME is the key and I'll even emphasize again with bold RED

Also at the beginning of step 4 it also says

Step 4 is titled Downloading Tools for this reason! You are only supposed to download, install, and update them here. They are not run until later. The reason for doing this is the later you will be in safe mode and offline while running the scans. Thus they need to be downloaded and installed and updated first before rebooting into safe mode. You don't go back online until step 6 where the online scanners are run.

 

This thread please as its an active one.

 

As Shadow stated, you really need to attach all the logs we requested in the READ ME. I seriously doubt you are clean. Over the last 6 months Virtumonde infections have evolved and VundoFix never completely removes all signs of the infection. It would be in your best interest to follow our directions so we can truly remove all visible malware from your PC.

 

ShowNew did not run properly! Did you see any error messages?

I'm going to need a complete log from ShowNew before we can completely remove all of the Vundo related files. However, I will give a fix below to see if we can improve things a little.

Uninstall the Sunbelt CounterSpy trial since we are finished with it now!

Start by downloading a tool we will need - Pocket KillBox

Save it to its own folder somewhere that you will be able to locate it later.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: metaspinner GmbH - {7C7A8947-5935-4430-AC0E-E7D04697414E} - C:\PROGRA~1\BUYERT~1\IEBUTT~1.DLL
O2 - BHO: metaspinner GmbH - {CD9B7762-DFBC-42B1-BB30-02A78287B456} - C:\PROGRA~1\PRICEP~1\PRICEP~1\IEBUTT~2.DLL (file missing)
O2 - BHO: (no name) - {D3837C1E-09AA-401C-9115-2E1149FC0503} - C:\WINDOWS\system32\yfcamxrc.dll (file missing)
O2 - BHO: (no name) - {E96079A6-2EBB-4F36-9614-47D0B4D6F85D} - C:\WINDOWS\system32\ddccb.dll (file missing)
O2 - BHO: metaspinner GmbH - {E9E027BF-C3F3-4022-8F6B-8F6D39A59684} - C:\PROGRA~1\PRICEP~1\PRICEP~1\IEBUTT~1.DLL (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\hewdwmqu.dll",realset
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O9 - Extra button: Buyertools Reminder - {27914077-B4D6-4A0E-9763-76B6E9DD9A81} - C:\Program Files\Buyertools Reminder\ReminderIE.exe
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe (file missing)
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\wmfhotfix.dll
O20 - Winlogon Notify: tuvtqpm - tuvtqpm.dll (file missing)
NOTE: HJT will popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

After clicking Fix, exit HJT.


Now run Pocket Killbox by doubleclicking on killbox.exe

• select File, Cleanup, Delete All Backups
• Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
• Then after it deletes the files click the Exit (Save Settings) button.

NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

• Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\ajqciogg.dll
C:\WINDOWS\system32\hewdwmqu.dll
F:\Media\discs\kl202e.exe

• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

If Killbox does not reboot just reboot your PC yourself.

Now run Ccleaner!

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew - hopefully it will run all the way this time! Be sure to watch the command prompt window for messages!
3. HJT

Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Just follow the last procedure I posted exactly in the order written and run ShowNew where I request the log.

You are not supposed to be touching System Restore at this time.

 

You still have things to fix!

Uninstall this Windows WMF Metafile Vulnerability HotFix 1.2. You should not need this anymore since Microsoft has long since released updates to fix this problem.

Also uninstall the below malware:
WONswap

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: metaspinner GmbH - {7C7A8947-5935-4430-AC0E-E7D04697414E} - C:\PROGRA~1\BUYERT~1\IEBUTT~1.DLL
O2 - BHO: (no name) - {CD9B7762-DFBC-42B1-BB30-02A78287B456} - (no file)
O2 - BHO: (no name) - {D3837C1E-09AA-401C-9115-2E1149FC0503} - (no file)
O2 - BHO: (no name) - {E96079A6-2EBB-4F36-9614-47D0B4D6F85D} - (no file)
O2 - BHO: (no name) - {E9E027BF-C3F3-4022-8F6B-8F6D39A59684} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\hewdwmqu.dll",realset
O20 - Winlogon Notify: tuvtqpm - tuvtqpm.dll (file missing)

After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\system32\hewdwmqu.dll
C:\WINDOWS\system32\bccdd.tmp2
C:\WINDOWS\system32\krxkyooc.ini
C:\WINDOWS\system32\uqmwdweh.ini
C:\WINDOWS\system32\ygfjsfdh.ini

Now run Ccleaner.

Now reboot in normal mode

Now attach the below new logs and tell me how the above steps went.

1. ShowNew
2. HJT

Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

As far as I knew it is bad! See the below:

http://www.bleepingcomputer.com/uninstall/1703/WONswap.html

However if you are sure it is related to a game you installed and that it is not bad and also that you need it, then keep it.

 

Yes but when using HijackThis you must make sure that you fix things first and then get a new log. This may explain why you said you did not see the items I just asked you to fix. You may have saved the log before fixing.


Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you run Avenger, you can delete all files related to Avenger now.
7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
9. If you are running Windows XP or Windows ME, do the below:
   • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

It is not really necessary to run any scans because disabling System Restore deletes restore points, however just to make sure that it was disabled running a full scan with your antivirus and/or a tool like BitDefender online scan could prove useful especially if they had previously showed anything in System Volume Information (which is System Restore).

 

Once you have completed all of what I gave you in message # 23 ( including all of the How to protect yourself steps), you are finished, that is unless you are still having malware problems or new malware problems have appeared.

 

You're welcome. Surf safely!

 

You will have to uninstall, reboot, and then start over again.

ZoneAlarm Internet Security Suite gets installed by default with the free firewall now. This install also includes MailFrontier ( a spam filter). During the installation you should given the choice to have ZoneAlarmFree or ZoneAlarm Internet Security Suite turned on. If you select the free version, all the components of the security suite are suppose to be turned off. I have heard rumors that this sometimes does not work. I have not experimented with this too much myself since I have a paid subscription for ZoneAlarmPro firewall.

If you run into problems with this, use one of the other free firewalls.

 

That is not a link to only the free firewall. It is the same file as what you downloaded from the link in the How to Protect thread. Current versions of the free firewall are only available with this internet security suite application. I will have to install this on a PC to see for myself if there is a way to install only the firewall. If not, it will be time to REMOVE ZoneAlarmFree from the How to protect thread. If they continue to pursue the path they are going now, they are going to be put into the bloatware class with Symantec and McAfee.


There are websites that still have OLDER versions of the firewall only version of ZoneAlarm available, but I'm not sure how long ZoneLabs (now Checkpoint) will allow this.

 

That's strange when I download from the link you gave and from the link in the How to protect thread (which is for ZoneAlarm Free 7.0.337.000 ) I get the exact same file size but a CRC test reveals something is different about the files.

I need to checkthis out.

 

The link he is giving us is the exact same one we use, downloaded and mirrored. Dont know what to tell you.

 

Okay that makes more sense now since I could not see any problems after checking it out myself and I never use the authors link.