Browser freezing, WinAntiSpyware pop-up, PartyPoker pop-up and slower than normal PC!

Discussion in 'Malware Help (A Specialist Will Reply)' started by mw7734, Sep 4, 2005.

  1. mw7734

    mw7734 Private E-2

    A friend of mine is having problems with IE freezing, WinAntiSpyware/PartyPoker pop-ups, and her PC has slowed down. The pop-ups are happening with IE and Firefox, but only IE seems to be freezing. I have painstakingly guided her through the READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal section and the problem persists. I noticed a few things in the HJT log, like MyWebSearch (is this in any way like CoolWebSearch?), C:\Program Files\eMachines Bay Reader\shwiconem.exe (she has a Compaq, not an eMachines) and Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (I don't know what it is, but it looks fishy in my opinion). Do any of these things look bad to you? I have her PC info and the HJT log ready to attach if requested. Thanks for taking a look.
     
  2. mw7734

    mw7734 Private E-2

    OK, I've ruled out Ati2evxx.exe, as it seems to be for the sound card. Also, C:\Program Files\eMachines Bay Reader\shwiconem.exe is a memory card flash reader, so I don't guess that's causing problems, even though it's out of place on a Compaq machine. I saw in some other threads that MyWebSearch needs to be uninstalled, but it's not listed in the Add/Remove Programs list. I'll wait for guidance on how to best manually uninstall it before having her attempt to remove it. Some other things in the HJT log caught my eye, so I'll see what I can find out about them before mentioning them here.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ati2evxx is for an ATI Video Graphics card.

    If you have run ALL the steps in the READ ME (including the online scanners) then follow the steps below exactly. You must make sure HJT is installed and run properly.

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis, you must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  4. mw7734

    mw7734 Private E-2

    Ok chaslang here it is and thanks.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a few problems. One is a real nasty called Virtumundo. But before we get to that, tell me if you know what the below is:


    C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also look in Add/Remove programs for any of the below and uninstall if found:

    MyWay
    MyWaySearch
    MyWayBar
    MyWebSearch
    MyWebSearch Email Plugin

    Let me know what you find. Then do the below:

    Download the following tool and save it where you will be able to find it.

    L2MeFix Tool

    Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.

    Exit Browsers now before continuing

    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until NotePad opens with a log. You will need to post this log back here later when you come back.

    NOTE: Please do not run any other options or files in the l2mfix Folder!

    L2MeFix will help us to locate potential Look2Me VX2 infections which it looks like you may have. This needs to be fixed before Virtumundo.
     
  7. mw7734

    mw7734 Private E-2

    She has no idea what that is for. She doesn't have a digital camera and her printer is a Lexmark. I tried a Google search for it but only came up with HJT logs. It would be nice if other sites followed your example and didn't post those logs inline. OK, I'm done bitching. What is the next step for her to take?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See Message # 6!!!

    She is not using a Web Cam? Then look for an uninstall for Icatch(VI) or SnapDetect or another similar name.
     
  9. mw7734

    mw7734 Private E-2

    Yes, she does have a webcam. We are about to do the #6 stuff right now, so I'll post results in a little bit. I'll wait on doing anything about SnapDetect until you get this info. Thanks
     
  10. mw7734

    mw7734 Private E-2

    #6 info. MyWebSearch Buddy Icons was the only thing in the Add/Remove Programs list and it has now been removed.
     
  11. mw7734

    mw7734 Private E-2

    #6 L2MeFix info.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Leave SnapDetect alone. It is probably for the web cam.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusear...?p=ZBxdm031YYUS
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activ...pside_web18.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\MyWebSearch <--- the whole folder


    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. Then we will move on to the Virtumundo problem.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After finishing the cleanup of MyWebSearch in my previous message do the below and then post another HJT log.

    DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.

    Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad. Please also attach this log to your next message.

    Please don't run any other files in the L2MFix folder.
     
  14. mw7734

    mw7734 Private E-2

    #12 info.
     

    Attached Files:

  15. mw7734

    mw7734 Private E-2

    #13 info. She is going to bed now but we are caught up for now so I will look here and resume with her tomorrow. Thanks again chaslang.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's start by downloading two tools we will need:

    - Process Explorer 9.2

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of dbdns.dll once and then click the kill button. After you have killed all of the dbdns.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

    Then repeat looking in winlogon.exe for the below DLLs and kill them if found:
    imgdisk.dll, runeula.dll, webac.dll, andsstqp.dll

    Next double click on explorer.exe and again click once on each instance of dbdns.dll

    Then repeat looking in explorer.exe for the below DLLs and kill them if found:
    imgdisk.dll, runeula.dll, webac.dll, andsstqp.dll

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\AU_Log\dbdns.dll
    O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\system32\sstqp.dll
    O20 - Winlogon Notify: dbdns - C:\WINDOWS\AU_Log\dbdns.dll
    O20 - Winlogon Notify: imgdisk - C:\WINDOWS\Web\Wallpaper\imgdisk.dll
    O20 - Winlogon Notify: runeula - C:\WINDOWS\Cursors\runeula.dll
    O20 - Winlogon Notify: sstqp - C:\WINDOWS\SYSTEM32\sstqp.dll
    O20 - Winlogon Notify: webac - C:\WINDOWS\Cursors\webac.dll

    Copy the bold text below to notepad. Save it as fixVundo.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.



    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.

    C:\WINDOWS\SYSTEM32\pqtss.ini
    C:\WINDOWS\SYSTEM32\pqtss.ini2
    C:\WINDOWS\SYSTEM32\pqtss.bak
    C:\WINDOWS\SYSTEM32\pqtss.bak2
    C:\WINDOWS\SYSTEM32\pqtss.tmp
    C:\WINDOWS\SYSTEM32\sstqp.dll

    C:\WINDOWS\Cursors\cabew.ini
    C:\WINDOWS\Cursors\cabew.ini2
    C:\WINDOWS\Cursors\cabew.bak
    C:\WINDOWS\Cursors\cabew.bak2
    C:\WINDOWS\Cursors\cabew.tmp
    C:\WINDOWS\Cursors\webac.dll

    C:\WINDOWS\Cursors\aluenur.ini
    C:\WINDOWS\Cursors\aluenur.ini2
    C:\WINDOWS\Cursors\aluenur.bak
    C:\WINDOWS\Cursors\aluenur.bak2
    C:\WINDOWS\Cursors\aluenur.tmp
    C:\WINDOWS\Cursors\runeula.dll

    C:\WINDOWS\Web\Wallpaper\ksidgmi.ini
    C:\WINDOWS\Web\Wallpaper\ksidgmi.ini2
    C:\WINDOWS\Web\Wallpaper\ksidgmi.bak
    C:\WINDOWS\Web\Wallpaper\ksidgmi.bak2
    C:\WINDOWS\Web\Wallpaper\ksidgmi.tmp
    C:\WINDOWS\Web\Wallpaper\imgdisk.dll

    C:\WINDOWS\AU_Log\sndbd.ini
    C:\WINDOWS\AU_Log\sndbd.ini2
    C:\WINDOWS\AU_Log\sndbd.bak
    C:\WINDOWS\AU_Log\sndbd.bak2
    C:\WINDOWS\AU_Log\sndbd.tmp
    C:\WINDOWS\AU_Log\dbdns.dll


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log.
     
  17. mw7734

    mw7734 Private E-2

    I haven’t had a chance to get with her yet due to the holidays but probably will tonight. I have a question for you though while we are in limbo on this fix. I take all the recommended steps to keep my PC clean of malware/spyware and have never had a problem so far. My question is, if I wanted you to take a look at my HJT log just to make sure my PC is clean, do I need to go through the trouble of an online scan and all the other steps in the READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus thread?
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well there are many reasons for requiring the READ ME FIRST to be run. A couple of which apply to what you are asking.

    1) if every user asked this, we would not really have time to look at HJT logs just to say your log is clean

    2) just looking at a HJT log and seeing that it is clean, does not mean a PC is clean.

    3) the various scans can pickup many things that will not show in a HijackThis log and similarly HJT can show things that may not be picked up by the scanners.

    So in short, if you really want the warm and fuzzy feeling that you are clean, you should do the steps and then post a HJT log. You must remember that while the How to protect thread does help quite a bit, it does not guarantee that you will not have problems either.
     
  19. mw7734

    mw7734 Private E-2

    #16 info. OK, here is the HJT log after completing those steps. In reply to your reply to my question in post #17: I think I'll just hold my horses and not waste your time or take you away from others who do have problems with malware/spyware. If any problems should develop I'll know just where to come. Hopefully I am anal enough in my precautionary measures that that day will never come. LOL. Thanks again.
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like another piece of Vundo.B popped up now. I will need to work up another similar cleanup procedure (like the one in msg # 16) but it will be a little shorter since only one new item is showing. It is very important to do this in safe mode as mentioned in the steps. One thing I did not mention that could be useful is to make sure while in safe mode that you do not open any browsers and in fact it would be good to physically disconnect your cable to the internet to make sure nothing can get in or out.

    Procedure to follow soon!
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of imgad.dll once and then click the kill button. After you have killed all of the imgad.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of imgad.dll

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Drivers\Intel\imgad.dll
    O20 - Winlogon Notify: imgad - C:\WINDOWS\Drivers\Intel\imgad.dll

    Copy the bold text below to notepad. Save it as fixVundo.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.

    C:\WINDOWS\Drivers\Intel\dagmi.ini
    C:\WINDOWS\Drivers\Intel\dagmi.ini2
    C:\WINDOWS\Drivers\Intel\dagmi.bak
    C:\WINDOWS\Drivers\Intel\dagmi.bak2
    C:\WINDOWS\Drivers\Intel\dagmi.tmp
    C:\WINDOWS\Drivers\Intel\imgad.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log. Let me know how these steps go!!!
     
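    The cleanups in messages 12, 16 and 21 all come from the same reading of the HJT log: an R0 start page the user never chose, O2/O4 entries pointing at adware files or at files that no longer exist, O20 Winlogon Notify DLLs planted in odd folders under C:\WINDOWS (Cursors, Web\Wallpaper, AU_Log, Drivers\Intel) or under a random name in System32, and, for every Vundo DLL, a set of .ini/.ini2/.bak/.bak2/.tmp companions whose base name is the DLL's name reversed (sstqp.dll -> pqtss.ini, webac.dll -> cabew.ini, imgad.dll -> dagmi.ini). The script below is an added example written for this thread, not a MajorGeeks or HijackThis tool: it parses the R0, O2 and O20 line formats quoted above and applies those heuristics. The allowlist of stock Windows XP Winlogon Notify packages, the C:\WINDOWS install path and the approved home page set are assumptions of the example, and the sample log is constructed from lines quoted in this thread plus one benign crypt32chain line for contrast.

```python
"""Triage of HijackThis (HJT) log lines for the patterns seen in this thread.
Added example, not a MajorGeeks or HijackThis tool. The Winlogon Notify
allowlist, the C:\\WINDOWS path and the approved home pages are assumptions."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines quoted from the HJT logs in messages 12, 16 and 21,
# plus one benign O20 line (crypt32chain, a stock XP package) for contrast.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\AU_Log\dbdns.dll
O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\SYSTEM32\crypt32.dll
O20 - Winlogon Notify: dbdns - C:\WINDOWS\AU_Log\dbdns.dll
O20 - Winlogon Notify: runeula - C:\WINDOWS\Cursors\runeula.dll
O20 - Winlogon Notify: sstqp - C:\WINDOWS\SYSTEM32\sstqp.dll
O20 - Winlogon Notify: imgad - C:\WINDOWS\Drivers\Intel\imgad.dll
"""

# Assumed allowlist: Winlogon Notify packages present on a stock Windows XP box.
KNOWN_NOTIFY_PACKAGES = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                         "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}
APPROVED_HOMEPAGES = {"about:blank"}   # assumption: what the user actually chose
WINDIR = "c:\\windows"                 # assumption: install path used on this page

ENTRY_RE = {
    "R0": re.compile(r"^R0 - (?P<name>.+?) = (?P<path>.*)$"),
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$"),
}

@dataclass
class Entry:
    section: str
    name: str
    path: str
    clsid: str = ""

@dataclass
class Finding:
    entry: Entry
    reason: str
    check_also: list = field(default_factory=list)   # companion files to look for

def parse_hjt(text: str) -> list:
    """Parse the R0, O2 and O20 line formats; other sections are skipped."""
    entries = []
    for line in text.splitlines():
        for section, rx in ENTRY_RE.items():
            m = rx.match(line.strip())
            if m:
                entries.append(Entry(section, m["name"], m["path"], m.groupdict().get("clsid") or ""))
                break
    return entries

def is_placeholder(path: str) -> bool:
    """HJT marks registry entries whose file is gone; they are dead weight to fix."""
    return path == "(no file)" or path.endswith("(file missing)")

def odd_windows_folder(path: str) -> bool:
    """True for a DLL under the Windows directory but outside System32
    (Cursors, Web\\Wallpaper, AU_Log, Drivers\\Intel on this page)."""
    folder = path.rpartition("\\")[0].lower()
    return folder.startswith(WINDIR + "\\") and folder != WINDIR + "\\system32"

def vundo_companions(dll_path: str) -> list:
    """Vundo keeps its config beside the DLL under the reversed base name
    (sstqp.dll -> pqtss.ini, webac.dll -> cabew.ini, imgad.dll -> dagmi.ini)."""
    folder, _, base = dll_path.rpartition("\\")
    stem = base.rsplit(".", 1)[0][::-1]
    return [f"{folder}\\{stem}.{ext}" for ext in ("ini", "ini2", "bak", "bak2", "tmp")]

def triage(entries: list) -> list:
    """Apply the heuristics chaslang used by hand in messages 12, 16 and 21."""
    findings = []
    for e in entries:
        if is_placeholder(e.path):
            findings.append(Finding(e, "orphaned entry: component registered but no file on disk"))
        elif e.section == "O20":
            if e.name.lower() in KNOWN_NOTIFY_PACKAGES and not odd_windows_folder(e.path):
                continue
            findings.append(Finding(e, "Winlogon Notify package not in the stock XP allowlist",
                                    vundo_companions(e.path)))
        elif e.section == "O2" and odd_windows_folder(e.path):
            findings.append(Finding(e, "BHO loaded from an unusual folder under the Windows directory"))
        elif e.section == "R0" and e.path.lower() not in APPROVED_HOMEPAGES:
            findings.append(Finding(e, "start page was changed; confirm the user chose it"))
    return findings

def main():
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.entry.section}] {f.entry.name} -> {f.entry.path}: {f.reason}")
        for p in f.check_also:
            print("      also check:", p)

if __name__ == "__main__":
    main()
```

    Run as-is it prints seven findings for the sample, each O20 hit followed by the five companion files to feed to Killbox (the same lists chaslang typed out in messages 16 and 21). Point parse_hjt at a real log to triage it. Note what the heuristics do not catch: the MyWebSearch BHO and O4 entries under Program Files look like any legitimate toolbar, which is exactly why message 18 insists on the scanners rather than a log read alone.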
  22. mw7734

    mw7734 Private E-2

    OK, I will get with her maybe tonight and we will continue our battle against the evil forces of malware/spyware. Need to call you Obi-Wan chaslang, lol.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    OK! Use the "Force"!
     
  24. mw7734

    mw7734 Private E-2

    #21 info. The Force is strong in this one.
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  26. mw7734

    mw7734 Private E-2

    Yes, everything is working fine now. No pop-ups or freezing. She is now taking the recommended precautions that you suggested. After seeing the positive results that your tutelage has yielded, she now wants to try fixing her old Win98 machine. I told her good luck and ran like a bat outta hell! j/k He he :) Thanks for your help chaslang. We couldn't do without you. Keep up the good work!
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! What??? You're tired after fixing just one PC! ;) Look what I go through every day! :eek:
     
