A Really Nasty Little Bug!

Discussion in 'Malware Help (A Specialist Will Reply)' started by luciano991, Jan 29, 2006.

  1. luciano991

    luciano991 Private E-2

    Hello Folks,

    Thanks once again for a great site and a great forum. I have learned a great deal from you about fighting malware infections. I hereby solemnly swear that I have followed your requested procedures before making this post. AdAware, Spybot and the Microsoft Antispyware tool have removed tons of bad stuff and are currently showing no problems. Norton has removed the W32.Spybot.Worm and the Backdoor.Ranky virus. Yet a very nasty browser redirector and popup machine still persist. Bitdefender has cleaned up a ton of stuff, but there is one file: c:\windows\system32\guard.tmp that it cannot delete. I have tried to use Killbox to delete this file to no avail. And there are some persistent entries in Hijack This that I have a very strong feeling are bad news. Thanks to this forum I have learned a bit about what is good and bad in HJT. I will await further instructions. I am running Windows XP Home Edition SP2, 256 MB of RAM on a Pentium 4 1.8GHz processor. Thanks and I'm looking forward to hearing from you.

    Luciano
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Sounds as if you have a Look2Me infection, attach the two logs from the online scans with a current HJT log.
     
  3. luciano991

    luciano991 Private E-2

    Thanks for the quick reply. Here are my HJT and Bitdefender logs. Panda Active Scan is a pain where I sit down. I have never been able to get it to work. Grrr.

    Thanks again.

    Cheers,

    luciano
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  5. luciano991

    luciano991 Private E-2

    Good Morning,

    I have attached the logs you requested. I am not currently experiencing any browser redirection or unusual popups or any unusual behavior of any kind. I'll keep my fingers crossed.

    Thanks!

    luciano
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  7. luciano991

    luciano991 Private E-2

    Continuing to appreciate your continuing assistance. Logs appended as requested. Looking forward to hearing from you.


    Luciano
     


  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Click Start > Run > type services.msc and Click OK

    Locate Service 8 (Service Filter) and right-click on it to bring up the Service Properties window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    Next, please look in Add/Remove Programs for the following and uninstall them if found:

    Ewido

    Spy Sweeper


    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [ObjectLoader] C:\WINDOWS\system32\1.tmp
    O4 - HKCU\..\Run: [kbddgk] C:\WINDOWS\system32\kbddgk.exe

    O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\mvjul9191.dll (file missing)

    O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINDOWS\system32\RpcSs.exe (file missing)
    O23 - Service: Service 8 (Service Filter) - Unknown owner - C:\WINDOWS\smncs.exe (file missing)

    Again, make sure ALL browser windows are closed when you click FIX.

    Next, run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.

    Note: Remember to get all updates before doing the scans.


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    • Temporary Files
    • Temporary Internet Files
    • Recycle Bin
    And Click OK.


    After you complete the above, proceed with the rest of this fix...

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\smncs.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\kbddgk.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\1.tmp into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.
    After you complete the above, REBOOT and proceed with the rest of this fix...

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:


    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
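Added example, not part of the original thread and not code from HijackThis or Pocket KillBox. It re-creates, in PowerShell, the checks the fix above is doing by hand: services whose binary no longer exists (the O23 "(file missing)" lines), Run-key entries whose target is missing or is a *.tmp loader in system32 (the O4 lines), Winlogon Notify DLLs that are gone (the O20 line; that registry key is XP-era and will simply be absent on current Windows), and a "Delete on Reboot" request made the way KillBox makes it, through MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT. Function names, the `Suspicious` heuristic and the commented-out sample path are this example's own assumptions. Run it from an elevated prompt.

```powershell
# Added example (not from the thread): audit the persistence points the HJT fix targets,
# then queue a locked file for deletion at reboot the way KillBox does. Run elevated.

function Resolve-ImagePath {
    # Turn a service/Run command line into the path of its executable.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return '' }
    $p = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($p.StartsWith('"')) { return $p.Split('"')[1] }
    # Unquoted path: it may itself contain spaces, so try each prefix ending at a space.
    $parts = $p -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate) { return $candidate }
        if (Test-Path -LiteralPath "$candidate.exe") { return "$candidate.exe" }   # e.g. "dumprep 0 -u"
    }
    return $parts[0]
}

function Get-OrphanedService {
    # Services whose ImagePath points at a file that no longer exists (O23 "(file missing)").
    Get-CimInstance Win32_Service | ForEach-Object {
        $exe = Resolve-ImagePath $_.PathName
        if ($exe -and -not (Test-Path -LiteralPath $exe)) {
            [pscustomobject]@{ Name = $_.Name; DisplayName = $_.DisplayName; Path = $exe; StartMode = $_.StartMode }
        }
    }
}

function Get-RunEntry {
    # HKLM/HKCU Run and RunOnce values (O4); flags missing binaries and *.tmp loaders in system32.
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-Item $k
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            $exe = Resolve-ImagePath $cmd
            $exists = [bool]($exe -and (Test-Path -LiteralPath $exe))
            [pscustomobject]@{
                Key = $k; Name = $name; Command = $cmd; Exe = $exe; Exists = $exists
                Suspicious = (-not $exists) -or ($exe -match '\\system32\\[^\\]+\.tmp$')
            }
        }
    }
}

function Get-WinlogonNotify {
    # Each subkey's DllName is loaded into winlogon.exe; a missing DLL is a leftover (O20).
    $base = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $base)) { return }   # key does not exist on Vista and later
    Get-ChildItem $base | ForEach-Object {
        $dll = [string]$_.GetValue('DllName')
        $full = if ($dll -and -not [IO.Path]::IsPathRooted($dll)) { Join-Path $env:SystemRoot "system32\$dll" } else { $dll }
        [pscustomobject]@{ Package = $_.PSChildName; DllName = $dll; Exists = [bool]($full -and (Test-Path -LiteralPath $full)) }
    }
}

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

function Request-DeleteOnReboot {
    # What "Delete on Reboot" does: MoveFileEx(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) records the
    # delete in PendingFileRenameOperations so the session manager removes the locked file at boot.
    param([Parameter(Mandatory)][string]$Path)
    $MOVEFILE_DELAY_UNTIL_REBOOT = 4
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "$Path does not exist"; return $false }
    if (-not [Win32.Native]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
        $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw (New-Object ComponentModel.Win32Exception($code))
    }
    return $true
}

# Usage: review the listings first, then queue deletions and reboot.
Get-OrphanedService | Format-Table -AutoSize
Get-RunEntry | Where-Object Suspicious | Format-Table Key, Name, Command -AutoSize
Get-WinlogonNotify | Where-Object { -not $_.Exists } | Format-Table -AutoSize
# Request-DeleteOnReboot 'C:\WINDOWS\system32\1.tmp'   # assumed path, taken from the O4 line above
```

The queued deletes can be inspected before rebooting under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, value PendingFileRenameOperations; that is also the place to look if a tool reports "pending operations" as in the note above. A service whose binary is missing still has to be stopped and disabled (or its registry key removed) or the O23 entry will keep coming back in the log.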
  9. luciano991

    luciano991 Private E-2

    Hello again,

    Well, I did everything you asked and the hijackthis log you requested is attached. I am experiencing no problems and the system is running great. Everything went pretty much as you predicted except the files you wanted me to kill with the kill box were not found on the system.

    Thanks again for the help. You guys are the best.

    luciano
     


  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I would like to confirm nothing is hiding, so please see the below thread on how to run WinPfind and attach the log.
     
  11. luciano991

    luciano991 Private E-2

    Your wish is my command. Thanks. Looking forward to hearing from you.

    luciano
     


  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the attached file and save to your desktop. Extract the contents to its own folder.

    Now reboot into Safe Mode and navigate to and delete the following folders:


    C:\Program Files\Common Files\VCClient

    C:\Program Files\SurfSideKick 3

    C:\Program Files\Viewpoint

    C:\Program Files\AWS

    C:\Program Files\webHancer

    C:\Program Files\rdso

    After you have removed the above directories, please locate the files from the ZIP file you downloaded. Locate the file "lucianofix.bat" and double click to run the fix. After you have completed the above steps, reboot and attach a new WinPFind log.
     


    Last edited: Feb 2, 2006
  13. luciano991

    luciano991 Private E-2

    Here you go. Thanks for hangin' in there with me.

    luciano
     


  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download HOSTER and then follow the below steps.
    • Unzip HOSTER to a convenient folder such as C:\Hoster

    • Run Hoster.exe, click Restore Original Hosts and then click OK.

    • Click the X to exit the program.

    After you complete the above, things will be good to go. Reboot and let me know how things are running.
     
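Added example, not from the thread and not HOSTER's own code. It does in PowerShell what a responder checks around the "Restore Original Hosts" step above: that TCP/IP still reads the hosts file from its default folder (the DataBasePath registry value can be repointed so the file you are looking at is not the one the resolver uses), which mappings in the file are anything other than loopback-to-localhost, and a restore that backs up the old file first. The function names, the backup naming and the two-line default (127.0.0.1 and ::1 to localhost) are this example's own conventions. Run elevated.

```powershell
# Added example (not from the thread): audit and restore the hosts file. Run elevated.

function Get-HostsFilePath {
    # The resolver reads hosts from DataBasePath, not from a hard-coded %SystemRoot% location.
    $reg = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $db = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $reg -Name DataBasePath).DataBasePath)
    $default = Join-Path $env:SystemRoot 'system32\drivers\etc'
    if ($db.TrimEnd('\') -ne $default.TrimEnd('\')) {
        Write-Warning "DataBasePath is '$db', expected '$default'"
    }
    return (Join-Path $db 'hosts')
}

function Get-HostsEntry {
    # Every active (non-comment) mapping. Only 127.0.0.1/::1 -> localhost counts as normal;
    # a real address for a site, or localhost-pointing entries for update/AV sites, is flagged.
    param([string]$Path = (Get-HostsFilePath))
    $lineNo = 0
    foreach ($line in Get-Content -LiteralPath $Path) {
        $lineNo++
        $text = ($line -split '#', 2)[0].Trim()
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }          # address with no hostname is not a mapping
        $addr  = $fields[0]
        $names = $fields[1..($fields.Count - 1)]
        $nonLocal = @($names | Where-Object { $_ -ne 'localhost' })
        $suspicious = ($addr -notin '127.0.0.1', '::1') -or ($nonLocal.Count -gt 0)
        [pscustomobject]@{ Line = $lineNo; Address = $addr; Hosts = ($names -join ' '); Suspicious = $suspicious }
    }
}

function Restore-DefaultHosts {
    # Back up the current file, clear read-only/hidden bits, write the loopback defaults.
    param([string]$Path = (Get-HostsFilePath))
    $backup = "$Path.$(Get-Date -Format yyyyMMddHHmmss).bak"
    Copy-Item -LiteralPath $Path -Destination $backup -Force
    (Get-Item -LiteralPath $Path -Force).Attributes = 'Normal'
    $content = "# Restored to defaults; previous copy saved as $backup`r`n" +
               "127.0.0.1`tlocalhost`r`n::1`tlocalhost`r`n"
    [IO.File]::WriteAllText($Path, $content, [Text.Encoding]::ASCII)
    return $backup
}

# Usage: list first, restore only after reviewing what is there.
$hosts = Get-HostsFilePath
Get-HostsEntry -Path $hosts | Format-Table -AutoSize
# Restore-DefaultHosts -Path $hosts
# ipconfig /flushdns    # drop cached answers so the new file takes effect immediately
```

Entries that are not loopback-to-localhost are not automatically malicious (some security products and ad blockers add their own), which is why the listing is meant to be read before the restore runs. Keeping the backup lets you put back any legitimate lines afterwards.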
  15. luciano991

    luciano991 Private E-2

    Thanks. I have done as you instructed. It looks like everything is running smoothly. I had to reinstall some Kodak software and there have been some other minor signs of damage but overall the machine runs great, and there's no sign of bugs. I can't thank you enough. Keep up the great work.

    luciano
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

