Aaaaaahhhhhhhhhhhhh!!!!!!!! / Followed directions, here are logs

Discussion in 'Malware Help (A Specialist Will Reply)' started by TinaS, Jan 25, 2005.

  1. TinaS

    TinaS Private E-2

    Aaaaaahhhhhhhhhhhhh!!!!!!!!

    I'm doing this for a friend. He has a Compaq Presario with Windows ME on it. He was complaining of popups. He has a cable modem. I got it here and he was right!! I installed Spybot which said it removed 348 entries. However, there were still popups (there's this dog in the lower right corner that won't go away even when I hit exit). I also downloaded CWShredder, but I don't know what is what, so I left it alone. I also downloaded Hijack This, but again, left it alone. Then I read somewhere to download AdAware, which I did and Spyware Blaster, which I also did. On Spyware Blaster, I hit for protection against everything. When I tried to run a scan on AdAware, I keep getting a window popping up saying Explorer needs to shut down. There are still popups all the time. I re-ran Spybot, and there are soooo many still coming up. It's like it's multiplying! Then I went to TrendMicro to try and do a scan, but it just freezes and won't scan. It says it's scanning the memory and registry, then when it gets to scanning files, it just freezes. HELP!!!!!!!!!!!!!!!
     
  2. Publius

    Publius Sergeant

    Re: Aaaaaahhhhhhhhhhhhh!!!!!!!!

    Although I am not the one to help you, I can save you some time by telling you that the first thing you are going to be asked to do is complete all of the steps in the sticky thread below.


    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Try to make it through all the steps in the tutorial and make notes of the results of each scan. If you have problems with any of the steps in the tutorial, make note of that as well in your next reply. After going through all of that, reply here and describe any symptoms that remain on the machine and one of the more experienced users will offer some advice.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Aaaaaahhhhhhhhhhhhh!!!!!!!!

    Complete the steps in the link Publius gave to you. If you still have a problem after that, follow the guidelines below and paste your HJT log.


    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (do not post the log inline). All running programs should be closed, including your web browser and e-mail. Close them before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  4. TinaS

    TinaS Private E-2

    Re: Aaaaaahhhhhhhhhhhhh!!!!!!!!

    I followed directions and uploaded my Hijack log. I also followed the other directions and this is what happened:

    Downloaded everything.
    When trying to do a virus scan using TrendMicro I got a message saying: Trend ActiveUpdate did not update successfully. It may result from busy server or bad network traffic.
    Error Code: 28
    Error String: Generic source network failure.
    Do you want to retry?

    Symantec found the following:
    c:\WINDOWS\bundles\shopinst.exe is infected with Download.Trojan
    c:\WINDOWS\SYSTEM\IdleUI.dll is infected with Trojan Horse

    Spybot Results:
    Search-Exe 156 entries
    BookedSpace 4 entries
    Common hijacker 2 entries (was unchecked)
    CoolWWWSearch.Bootconf 1 entry
    CoolWWWSearch.Loadbat 1 entry
    CoolWWWSearch.Msconfd 1 entry
    CoolWWWSearch.Oslogo 1 entry
    CoolWWWSearch.Tapicfg 1 entry
    CoolWWWSearch.Xmlmimefilter 1 entry
    DSO Exploit 1 entry
    DyFuCA.InternetOptimizer 1 entry
    Elitum.EliteBar 2 entries
    eXact Advertising.BargainsBuddy 38 entries
    eZula HotText 80 entries
    IE Plugin 1 entry
    IGetNet 1 entry
    Network Essentials.ScBar 1 entry
    Network Essentials.Search-Exe 18 entries
    Network Essentials.WindowEnhancer 13 entries
    Network Essentials 1 entry
    PeopleOnPage 3 entries (not checked)

    I checked the two that were unchecked and hit Fix Selected Problems.

    I got an error message: Unexpected error in fixing problems (Cannot open file "C:\\WINDOWS\hosts". The process cannot access the file because it is being used by another process)

    I clicked OK and it said it fixed 161 problems; however, there were still entries in the window:
    Common hijacker 2 entries (was unchecked)
    CoolWWWSearch.Bootconf 1 entry
    CoolWWWSearch.Loadbat 1 entry
    CoolWWWSearch.Msconfd 1 entry
    CoolWWWSearch.Oslogo 1 entry
    CoolWWWSearch.Tapicfg 1 entry
    CoolWWWSearch.Xmlmimefilter 1 entry
    DSO Exploit 1 entry
    DyFuCA.InternetOptimizer 1 entry
    Elitum.EliteBar 2 entries
    eXact Advertising.BargainsBuddy 38 entries
    eZula HotText 80 entries
    IE Plugin 1 entry
    IGetNet 1 entry
    Network Essentials.ScBar 1 entry
    Network Essentials.Search-Exe 18 entries
    Network Essentials.WindowEnhancer 13 entries
    Network Essentials 1 entry
    PeopleOnPage 3 entries (not checked)

    I rechecked everything and hit Fix Selected Problems again.
    It told me some problems couldn't be fixed and asked if it could run on my next system startup. I hit yes; it said 157 problems fixed, 5 could not be fixed, please restart. The problems that could not be fixed were the CoolWWWSearch ones. I hit Fix Selected Problems again and it fixed one more; again, two more; again, and they all had the big fat green check next to them. I closed it out.
    I got several popups again, a Virtual Bouncer that would not let me close it out.

    Ran CWShredder and got message You have a variant of the Coolwebsearch trojan (CWS.Smartsearch.2) that has attempted to close CWShredder. To counter this, CWShredder is now starting with a random string of text in the title bar. CWShredder is still functioning fine, it has not been corrupted.
    Got message saying the main executable of the Windows Media Player was infected with the CWS trojan and has been deleted by CWShredder.
    Report:
    Done!
    Removed from your system:
    - CWS.Bootconf
    - CWS.Smartsearch
    - Hosts file redirections

    Ran Kill2Me - said it was not infected.

    -- Scan 1 ---------------------------
    About:Buster Version 4.0
    Reference List : 19


    ADS not scanned System(FAT)
    Attempted Clean Of Temp folder.
    Pages Reset... Done!

    -- Scan 2 ---------------------------
    About:Buster Version 4.0
    Reference List : 19


    ADS not scanned System(FAT)
    Attempted Clean Of Temp folder.
    Pages Reset... Done!
     

  5. PhilliePhan

    PhilliePhan Guest

    Re: Followed directions, here are logs

    Hi Tina,

    You've got a boatload of malware including a couple toughies. I think Chaslang is on the case. So he doesn't get confused and grumpy ;), please remain in one thread - I'll merge your 2 threads.

    PP :)
     
  6. TinaS

    TinaS Private E-2

    Re: Followed directions, here are logs

    Thanks for the merge. I wasn't sure if I had to put it back in here or if I had to do a new thread! I hope it isn't too difficult to work out...I'm still getting the popups every few seconds!
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Followed directions, here are logs

    Yes, there are a whole bunch of issues here. You are what we call a spyware collector. :)

    I'm deleting the duplicate post that PP merged in.

    After we resolve your current problems, you need to go to Windows Update and get the updates for your system. You are severely out of date with your Internet Explorer version and I cannot tell how many updates for WinME you are missing.


    Please download the following tool: LSP - Fix

    Now run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the aklsp.dll file (in the “Keep” section) to select it.

    Then, select the >> button to move aklsp.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.


    Please download and unzip Find It 9x/ME to a folder of your choice and run Find.bat.
    Post the log that it creates back here as an attachment.

    Now look in Add/Remove Programs for uninstallers for Web Offer and Virtual Bouncer. Uninstall them if found.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).
    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side.
    Look for the following processes and kill them one at a time by selecting each and then clicking "Kill process". Then click Yes.
    KRVWWO
    CSV10P070
    SCHK32
    WSTCM
    AUTOUPDATE
    WSXSVC
    SECURE
    KALVDXG32
    REDIAL32
    WO
    WINUPDT
    VIRTUALBOUNCER

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
    O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\krvwwo.exe
    O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\SYSTEM\winupdtl.exe
    O4 - HKLM\..\Run: [CSV10P70] \Progra~1\CSBB\CSV10P070.EXE
    O4 - HKLM\..\Run: [gketpc] C:\WINDOWS\SYSTEM\gketpc.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [Ahwtw] C:\WINDOWS\schk32.exe
    O4 - HKLM\..\Run: [evxuvc] C:\WINDOWS\SYSTEM\evxuvc.exe
    O4 - HKLM\..\Run: [ot6V37P] WSTCM.EXE
    O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\SYSTEM\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [secure] C:\WINDOWS\SYSTEM\SECURE.exe
    O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\SYSTEM\KALVDXG32.EXE
    O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKCU\..\Run: [ZAp9RXj3h] REDIAL32.EXE
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - Startup: ntkhhp.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\PROGRA~1\IEMENU~1 <--- the whole folder
    C:\PROGRAM FILES\AUTOUPDATE <--- the whole folder
    C:\PROGRAM FILES\CSBB <--- the whole folder
    C:\WINDOWS\SYSTEM\WSXSVC <--- the whole folder
    C:\PROGRAM FILES\WEB OFFER <--- the whole folder
    C:\PROGRAM FILES\VBOUNCER <--- the whole folder
    C:\Program Files\CashBack <--- the whole folder
    C:\Program Files\NaviSearch <--- the whole folder
    C:\Program Files\BullsEye Network <--- the whole folder
    C:\WINDOWS\BXXS5.DLL
    C:\WINDOWS\KRVWWO.EXE
    C:\WINDOWS\SCHK32.EXE
    C:\WINDOWS\SYSTEM\WSTCM.EXE
    C:\WINDOWS\SYSTEM\WSXSVC
    C:\WINDOWS\SYSTEM\SECURE.EXE
    C:\WINDOWS\SYSTEM\KALVDXG32.EXE
    C:\WINDOWS\SYSTEM\REDIAL32.EXE
    C:\WINDOWS\SYSTEM\WINUPDT.EXE
    C:\WINDOWS\SYSTEM\winupdtl.exe
    C:\WINDOWS\SYSTEM\gketpc.exe
    C:\WINDOWS\schk32.exe
    C:\WINDOWS\SYSTEM\evxuvc.exe
    C:\WINDOWS\WSTCM.EXE or C:\WINDOWS\SYSTEM\WSTCM.EXE

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  8. TinaS

    TinaS Private E-2

    Alright! I followed directions and when I rebooted, everything seems to be a lot better! No more pop ups. I've attached my HJT log after reboot and also the other log you asked for. I will also make sure the updates are done. He would like to go to Windows XP, but I wanted to fix all of this crap first!
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Glad to hear it's looking better but we are not done yet. You still have a nasty VX2 infection we have to take care of. This will take some work. You can see a few lines in your HijackThis log related to this problem:

    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch

    But you cannot just fix them with HJT. They will keep coming back and could increase in number if you do that. I'll post the start of those fixes as soon as I get a chance. In the meantime, download the below. We will need them later:

    Pocket KillBox

    VX2Finder9x
     
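As an added example (not code from this thread or from any of the tools it mentions), a small Python triage script over the HijackThis line formats quoted in posts #7 and #9: it flags O1 hosts entries that send a name anywhere other than loopback, the pattern chaslang says cannot simply be fixed in HJT, and buckets O4 Run entries by where their executable lives. The sample lines are constructed from the ones quoted above; the bucket names and the `.exe` cut-off heuristic are my own assumptions, not anything HJT itself reports.

```python
import ipaddress
import re

# Constructed sample: HJT lines quoted in this thread (O1 from post #9, O4 from
# post #7) plus two benign lines added here (localhost, stock WinME ScanRegistry).
SAMPLE_HJT_LOG = r"""
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\krvwwo.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [ZAp9RXj3h] REDIAL32.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\]\s+(.+)$")

def hosts_redirects(log_text):
    """(ip, hostname) pairs for O1 lines that send a name to a routable address;
    legitimate hosts entries point at 127.0.0.1 or 0.0.0.0, anything else reroutes."""
    hits = []
    for line in log_text.splitlines():
        m = HOSTS_RE.match(line.strip())
        if not m:
            continue
        ip, name = m.groups()
        # HJT prints the hosts-file address first; a non-IP here is itself odd.
        addr = ipaddress.ip_address(ip)
        if not (addr.is_loopback or addr.is_unspecified):
            hits.append((ip, name))
    return hits

def target_path(command):
    # Best effort (assumed heuristic): honour a quoted path, else cut after ".exe".
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    idx = command.lower().find(".exe")
    return command[: idx + 4] if idx >= 0 else command.split(" ", 1)[0]

def classify_run_entries(log_text):
    """Bucket each O4 Run value by where its executable lives ('no_path' relies on
    PATH lookup; 'windows_dir' is where this thread's fixes delete from). Triage only."""
    classes = {}
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        _hive, name, command = m.groups()
        path = target_path(command).lower()
        if "\\" not in path:
            classes[name] = "no_path"
        elif path.startswith("c:\\program files\\"):
            classes[name] = "program_files"
        else:
            classes[name] = "windows_dir" if path.startswith("c:\\windows\\") else "other"
    return classes
```

The buckets are a starting point for a human review, not a verdict: ScanRegistry lands in `windows_dir` alongside the malware entries because it is a stock WinME autostart that genuinely lives in C:\WINDOWS.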
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Extract the files from PocketKillbox into their own folder.

    1. Double-click on KillBox.exe to run it

    2. Click "Replace on Reboot" and check the "Use Dummy" box.

    3. Paste this file into the top "Full Path of File to Delete" box.


    o C:\WINDOWS\SYSTEM\MXVCP60.DLL


    4. Click the "Delete File" button which looks like a stop sign.


    5. Click "Yes" at the Replace on Reboot prompt.

    6. Click "No" when asked if you want to REBOOT now.

    7. Repeat steps 2-6 above for these files:

    C:\WINDOWS\SYSTEM\CTET16.DLL
    C:\WINDOWS\SYSTEM\IGSCLASS.DLL
    C:\WINDOWS\SYSTEM\MOIMSG.DLL
    C:\WINDOWS\SYSTEM\WR2THK.DLL
    C:\WINDOWS\SYSTEM\MJXBDE40.DLL
    C:\WINDOWS\SYSTEM\MPVCP60.DLL
    C:\WINDOWS\SYSTEM\MCCAT32.DLL
    C:\WINDOWS\SYSTEM\MTJT3032.DLL
    C:\WINDOWS\SYSTEM\WEADRVUD.DLL
    C:\WINDOWS\SYSTEM\MJI.DLL
    C:\WINDOWS\SYSTEM\SRC.DLL
    C:\WINDOWS\SYSTEM\CMRDS.DLL
    C:\WINDOWS\SYSTEM\WYNALIGN.DLL
    C:\WINDOWS\SYSTEM\VGB32.DLL
    C:\WINDOWS\SYSTEM\MQAPSSPC.DLL
    C:\WINDOWS\SYSTEM\rwoc3260.dll
    C:\WINDOWS\SYSTEM\JOVACYPT.DLL
    C:\WINDOWS\SYSTEM\JMMD400.DLL
    C:\WINDOWS\SYSTEM\MEEXCL40.DLL
    C:\WINDOWS\SYSTEM\MHDMO.DLL
    C:\WINDOWS\SYSTEM\WRADEFUI.DLL
    C:\WINDOWS\SYSTEM\CRDIAL32.DLL
    C:\WINDOWS\SYSTEM\CLET16.DLL
    C:\WINDOWS\SYSTEM\DKBAND.DLL
    C:\WINDOWS\SYSTEM\IBSCONFG.DLL
    C:\WINDOWS\SYSTEM\SALSTR.DLL
    C:\WINDOWS\SYSTEM\ASVIEW32.DLL
    C:\WINDOWS\SYSTEM\RKASETUP.DLL
    C:\WINDOWS\SYSTEM\MIIOLE.DLL
    C:\WINDOWS\SYSTEM\IGMFILTER.DLL
    C:\WINDOWS\SYSTEM\SKRMDLL.DLL
    C:\WINDOWS\abieeu.dll
    C:\WINDOWS\qwlhhm.exe
    C:\WINDOWS\polccz.dll
    C:\WINDOWS\vbwppy.dat
    C:\WINDOWS\System\guard.tmp
    C:\WINDOWS\Start Menu\Programs\StartUp\ntkhhp.exe



    8. Click "Replace on Reboot" and check the "Use Dummy" box.

    9. Paste this file into the top "Full Path of File to Delete" box.


    o C:\WINDOWS\krvwwo.exe


    10. Click the "Delete File" button which looks like a stop sign.


    11. Click "Yes" at the Replace on Reboot prompt.

    12. Click "Yes" when asked if you want to REBOOT now and allow your PC to reboot.

    Note any error messages you get upon reboot. Write down the EXACT message. And post it back here for me to see.

    After it reboots get another find.bat log and post it.

    Also post a new HijackThis log.

    Important:
    Also run Windows Explorer and look in C:\WINDOWS\System for the file guard.tmp. Tell me if you see it or not. Even more important, DO NOT REBOOT your PC at this point because the problem files could mutate and spread.

     
  11. TinaS

    TinaS Private E-2

    Did not find the guard.tmp in Windows System

    On rebooting:

    Windows could not upgrade the file %1 from %2
    %1 : %2

    Windows could not upgrade the file %1 from %2
    %1 : %2

    Windows could not upgrade the file %1 from %2
    %1 : %2

    Windows could not upgrade one or more system files before starting

    Windows may not start or run properly.

    If Windows fails to start, run SETUP again.

    Press any key to continue

    Here are logs.
     

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are those the exact complete error messages? Do you get them at each reboot? I assume you are not having a problem running Windows?


    Run Vx2Finder9x and click on the *click to find VX2.BetterInternet* button. Then click *make log*.

    Copy and paste the contents of the log into your next reply here.

    Then do the following:

    Run VX2Finder9x.exe again.
    Click the "Click to find VX2 BetterInternet Button".
    (If any files are there) select all those files then click Delete files.

    Then click "User Agent$" which will restore the proper one.

    Then "Restore Desktop" (Don't be alarmed. The desktop will disappear then reappear again.)

    Next click "Import Reg"

    Then close VX2 finder.


    Next, open Hijackthis, click Scan, then put a check next to the following entries:

    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch


    Now Close all open Windows and browsers (have only HJT open) and click "Fix Checked".

    Then reboot and please post new HJT and VX2Finder logs. (You will have to post a second message to get all three logs uploaded).

    Tell me how things are working.
     
  13. TinaS

    TinaS Private E-2

    Okay, yes, that was the only error message I got the last time and I didn't have any problems after that. It let me into Windows without a hitch.

    When I ran the VX2 finder, I didn't get any files in the bottom window to delete. It only said:

    Files Found---


    User Agent String---
    {E15C2E85-A6B5-47FA-A989-0651741D5F84}

    Other than that, I haven't had any popups and all seems to be well, other than when I ran that virus scan last night and it said there were those 12 trojans that could not be removed. Here is my HJT log after reboot.
     

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must remember to exit C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE before running HJT!


    Have HJT fix the below lines:

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    Now you need to go and do all the steps in the below link ASAP before you run into problems again. You are running without sufficient protection.

    How to Protect yourself from malware!
     