Auto Restarting

Discussion in 'Malware Help (A Specialist Will Reply)' started by EpiC2z, Mar 16, 2006.

  1. EpiC2z

    EpiC2z Private E-2

    Started having problems when my Norton expired.

    Computer auto-restarts without any notice. When it hangs and restarts, I'm able to see that the theme of my computer changes to something like what you see in SAFE MODE.

    Ran Spybot, Adaware and Norton.
    Cleaned everything except this thing called Command Service; couldn't remove it even in safe mode.
    And I've noticed that when I was in safe mode, I did a Spybot scan on the "Main" account (I have 3 users) and all were removed except Command Service.
    Then I logged off and went to "my own" account and it started Spybot during startup, and surprisingly, it detected NEW spyware!
    So there's something wrong with my Spybot not being able to scan everything.
    Settings are all default.

    Please advise.
     
  2. AbbySue

    AbbySue MajorGeeks Administrator

    Welcome to MajorGeeks! :)

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis


    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky):
    • Bitdefender
    • Panda Scan
    • HijackThis
     
  3. EpiC2z

    EpiC2z Private E-2

    Did all the necessary steps except some which I didn't.

    Anyway, the HijackThis log is attached.
     

    Attached Files:

  4. AbbySue

    AbbySue MajorGeeks Administrator

    You have a lot of issues and need to complete as much of the READ & RUN ME as possible. The online scans are very important and you have not done them at all.

    You also have HijackThis installed incorrectly:


    C:\Documents and Settings\Main\Desktop\HijackThis.exe

    This is exactly where we specify not to put it so that backups are safe in case they need to be restored. The instructions indicate:
    - not a temp folder
    - not on the Desktop
    - no sub folder of C:\Documents and Settings

    Please install it where recommended.

    C:\Program Files\HJT\HijackThis.exe
     
  5. EpiC2z

    EpiC2z Private E-2

    Couldn't run Windows Defender. Something about wrong version of Windows. I'm on Win XP though.

    I couldn't run Panda and Bitdefender as both require IE and my IE is fkin up.
    Whenever I open it, it prompts an error!

    Anyway, this is the new HJT log.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since AbbySue is not around right now and one of your multiple problems is very serious, let me butt in!

    IMPORTANT NOTE: You have a Password Stealing Trojan!


    See: http://www.liutilities.com/products/wintaskspro/processlibrary/ibm00001/


    You are strongly advised to do the following immediately:
    1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned. If you have networked computers, start checking them for problems too.
    2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
    3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
    Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

    Didn't CounterSpy warn you about this Trojan????

    There is nothing wrong with the version of Windows you are using. It could be that your copy of Windows is not activated or is not legal.

    Since you cannot run the online scanners or Windows Defender, run the below and attach the Ewido log.

    Running Ewido Anti-Malware

    Now Download & run Blacklight Beta
    • Hit I accept. It will take you to the download page.
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please attach the Blacklight log file here.

    Then attach a new HJT log!!
     
    Last edited: Mar 17, 2006
  7. EpiC2z

    EpiC2z Private E-2

    Wrong Blacklight link :(

    Anyway, done what you asked.

    thanks for your help anyways :D
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't know what you mean! There is nothing wrong with the link! You need to run it and attach the log.


    Since Ewido fixed a load of problems, you should go back and try to run the steps you could not run before in the READ & RUN ME, including MS Windows Defender, Bitdefender, and Panda ActiveScan. You had a load of serious infections and really need to run all these tools.


    I hope you are taking the info I gave you about passwords seriously. We have had several people who did check with the banks or credit card companies who found out illegal activity had been going on.


    Also please run the steps in the below link and attach the runkeys.txt log.

    Using GetRunKey
     
    Last edited: Mar 18, 2006
  9. EpiC2z

    EpiC2z Private E-2

    OK, got the Blacklight working :D
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! So please attach the log.
     
  11. EpiC2z

    EpiC2z Private E-2

    I did, didn't I, lol.

    Anyway, Bitdefender's log and Panda's are here too!
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! You attach the log from GetRunKey.bat (runkeys.txt). You have not attached the log from BlackLight.

    Did MS Windows Defender work okay now?

    Let's continue with your cleanup!

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\rpaenh.dll (file missing)
    O20 - Winlogon Notify: directpt - directpt.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\Chris\Local Settings\Temp\RarSFX0\ImmortalHacks.exe <--- it would be best to delete all files in this temp folder
    C:\Documents and Settings\Chris\Local Settings\Temp\GLBC0.tmp
    C:\Documents and Settings\Chris\Local Settings\Temp\GLB69F.tmp
    C:\WINDOWS\SYSTEM32\azebar.xml
    C:\WINDOWS\uniq
    C:\gimmysmileys1.exe
    C:\newname2.exe

    Additional step to delete azesearch.inf:
    - Click Start, Run, and enter cmd in the box and click OK. This opens a command prompt window.
    - Enter the following command lines each followed by the enter key
    cd C:\WINDOWS\Downloaded Program Files\
    attrib -r -h -s azesearch.inf
    del azesearch.inf
    exit

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: Mar 19, 2006
  13. EpiC2z

    EpiC2z Private E-2

    Haha OK sorry, I still can't get Windows Defender to work though :(

    Anyway, here's the Blacklight log.
    I will do the remaining when I get back from work.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What about the rest of the steps in message # 12? Complete all of message number 12 and the below too before coming back with any messages in between. You need to catch up! ;)

    Also here is some more stuff you need to do.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Reboot into safe mode and locate the below file and delete it using Windows Explorer.
    C:\WINDOWS\SYSTEM32\DRIVERS\SYSBUS32.SYS

    Download the Registry Search Tool

    Unzip to your Desktop and double click on regsrch.vbs
    (if you have script protection, please allow this to run)

    In the dialog that opens enter the following:

    sysbus32

    Press 'OK'

    The search will run for a while then alert you when it is finished. Press 'OK' and copy the contents of the WordPad window and post in this thread. If it is very long, an attachment would be better.
     
  15. EpiC2z

    EpiC2z Private E-2

    Trying my best to catch up! :mad: haha

    Anyway, whenever I start up my comp, there will be an installation going on! And then it will prompt an error saying something about Norton needing a reinstallation.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's worry about the malware first!

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop (yes, overwrite the previous one). Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    We may need to use some other special tools to remove some of the remaining problems you have. However, let's try the easy approach first and see what happens. Looks like some new problems appeared too.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\TWFpbg\command.exe
    C:\Program Files\Network Monitor\netmon.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\WINDOWS\iibwm.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [TdTC] C:\WINDOWS\iibwm.exe
    O4 - HKLM\..\Run: [newname] C:\windows\newname3.exe
    O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\sjcpack.dll
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWFpbg\command.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\DH.dll
    C:\WINDOWS\iibwm.exe
    C:\windows\newname3.exe <--- delete any files starting with the text newname and ending in .exe (like newname1.exe, newname2.exe...etc)
    C:\windows\mousepad3.EXE <--- delete any files starting with the text mousepad and ending in .exe (like mousepad1.exe, mousepad2.exe...etc)
    C:\windows\KEYBOARD3.EXE <--- delete any files starting with the text KEYBOARD and ending in .exe (like KEYBOARD1.exe, KEYBOARD2.exe...etc)
    C:\windows\GIMMYSMILEYS3.EXE <--- delete any files starting with the text GIMMYSMILEYS and ending in .exe (like GIMMYSMILEYS1.exe, GIMMYSMILEYS2.exe...etc)
    Also look in c:\ for any of the newnameX, mousepadX, keyboardX, GIMMYSMILEYSX files and delete them too
    C:\Program Files\ISTsvc <--- the whole folder
    C:\WINDOWS\TWFpbg <--- the whole folder
    C:\Program Files\Network Monitor <--- the whole folder

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
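As an added example (not part of this thread, nor any MajorGeeks tool), here is a small Python triage pass over HijackThis-style log lines like the ones quoted in posts #12 and #16. It encodes the same rules of thumb the helpers applied by eye: IE start/search pages redirected to an untrusted host, Run-key autostarts for the newnameX/mousepadX/keyboardX/gimmysmileysX file families or for binaries dropped straight into C:\WINDOWS, Winlogon Notify entries whose DLL is missing, and services with an unknown owner running outside system32. The trusted-host list and the sample log lines are constructed assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Home/search-page hosts treated as legitimate (assumption for this example).
TRUSTED_HOSTS = {"www.majorgeeks.com", "www.google.com"}
# File-name families the helper told the poster to delete (newname1.exe, mousepad2.exe ...).
KNOWN_BAD_FAMILIES = re.compile(r"(newname|mousepad|keyboard|gimmysmileys)\d*\.exe$", re.I)
SYSTEM_DIRS = re.compile(r"^C:\\WINDOWS\\system32\\", re.I)  # where legit service binaries live
LINE_RE = re.compile(r"^(?P<type>[A-Z]\d+) - (?P<body>.*)$")  # "O4 - HKLM\..\Run: [x] path"

def extract_path(body):
    """Pull the first drive-letter path ending in .exe/.dll/.sys out of an entry body."""
    m = re.search(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|sys))"?', body, re.I)
    return m.group(1) if m else ""

def assess_line(line):
    """Return (entry_type, reason) when an HJT entry looks suspicious, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    etype, body = m.group("type"), m.group("body")
    if etype in ("R0", "R1"):           # IE start/search page entries
        url = body.split("=", 1)[1].strip() if "=" in body else ""
        host = urlparse(url).hostname or ""
        if url.lower().startswith("http") and host not in TRUSTED_HOSTS:
            return (etype, f"browser page points at untrusted host {host}")
    elif etype == "O4":                 # Run-key autostarts
        path = extract_path(body)
        if KNOWN_BAD_FAMILIES.search(path):
            return (etype, f"autostart of known bad file family: {path}")
        if re.match(r"^C:\\WINDOWS\\[^\\]+\.exe$", path, re.I):
            return (etype, f"autostart binary dropped directly in C:\\WINDOWS: {path}")
    elif etype == "O20":                # Winlogon Notify DLLs
        if "(file missing)" in body:
            return (etype, "orphaned Winlogon Notify entry (DLL missing)")
    elif etype == "O23":                # Services
        path = extract_path(body)
        if "Unknown owner" in body and path and not SYSTEM_DIRS.match(path):
            return (etype, f"service with unknown owner running from {path}")
    return None

def triage(log_text):
    """Run assess_line over a whole log; return [(entry, reason), ...] for human review."""
    out = []
    for line in log_text.splitlines():
        verdict = assess_line(line)
        if verdict:
            out.append((line.strip(), verdict[1]))
    return out

# Constructed sample, modelled on the entries quoted in this thread (not a real log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com
O4 - HKLM\..\Run: [newname] C:\windows\newname3.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\rpaenh.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWFpbg\command.exe
"""
```

This is triage, not a verdict: a Winlogon Notify DLL that does exist under system32 (like the sjcpack.dll entry above) passes these checks and still needs a hash lookup, and a legitimate service with an unknown owner under Program Files will be flagged for review.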
     
  17. EpiC2z

    EpiC2z Private E-2

    done!
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I still see the below. Did you miss fixing these?

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    O4 - HKLM\..\Run: [newname] C:\WINDOWS\newname3.exe

    Fix them and make sure you find and delete all forms of the newnameX.exe file (where X is any number). Let me know what you find.

    Afterwards check your HJT log to make sure nothing came back. If it did, shut down all antispyware applications and try fixing again.

    Then attach a new HJT log.
     
  19. EpiC2z

    EpiC2z Private E-2

    OK done :D Sorry, internet was disconnected. Now I'm back online. Now there's an issue with my firewall :(
    Could it be a spyware problem?
    Whenever my friends try to connect to me on a game, the access thing from Norton pops up, so I permit it. And it keeps popping back up every 2 sec to ask the same thing!
    I'm so close to uninstalling Norton!
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is not an issue for this forum. Try the Game Forum. Or just tell Norton to always allow whatever it is that you are doing.

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
