Can't get rid of Malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by stuck64, Jan 27, 2006.

  1. stuck64

    stuck64 Private E-2

    After going thru all the steps recommended by Major Geeks, something is still redirecting my active browser window, opening new browser windows, displaying ads that are not in a rectangular box (e.g. a car), putting icons on my desktop that link to URLs, and adding new viruses, trojans, etc. to my system.

    The steps I took were: reenabled system restore, already had hidden files, extensions, etc. visible. I'm running Symantec AV and Firewall, no others, and they are up to date. Then downloaded, updated, and ran as instructed...
    CCleaner, Ad-Aware SE, SpyBot, MS AntiSpyware & Malicious Software Removal Tool, CWShredder, and Kill2me. These were all done in Safe Mode, no networking. My cable modem was unplugged. I also ran Hijack This, and RegVac to clean my registry. I believe I followed all your instructions carefully.

    Then I rebooted again in Safe Mode, but with Networking. Using IE I ran BitDefender. I tried running Panda ActiveScan, but after downloading the ActiveX stuff, I clicked on the icon to check "my computer" but nothing happened. Then tried "hard drive", again nothing. Started over from scratch, still nothing, so I gave up.

    After being online I ended up with more "junk", so I ran all of these again, in Safe Mode. Yep... found more. Killed 'em. So here we are!

    My system is a Dell, running XP Home, 256MB ram, 2.2Ghz processor. Typically I run Firefox, not IE.

    I'll attach the logs from bitdefender and hijack this.

    I sure hope you can help! Thanks so much for all the information so far.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    HJT logs must be posted for scans performed in normal boot mode as requested in the READ ME! Also you must not use msconfig to control startups. See the link given in step 7 of the READ ME which explains this. Before attaching a new one, please run the steps below which will help fix a few stubborn problems that you have.

    Running Spy Sweeper

    Attach the spysweeper.txt file log afterwards. Then make sure you are in normal boot mode (without msconfig) and get a new HJT log and attach it so we can work thru the remaining problems.

    Also did you put the below in settings in your system yourself?
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 12.242.16.8:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.*.*;<local>
     
    Last edited: Jan 27, 2006
  3. stuck64

    stuck64 Private E-2

    To answer your last question first, No I didn't put those 2 settings in.

    Now the good news.... The problem seems to be solved. I went back and ran most of the tools again. This time avoiding the use of msconfig (I misunderstood that instruction the first time thru). Then I ran SpySweeper which found icannnews, cws-about blank, clkoptimizer, whenu, and targetsaver. After that I ran Ewido which found 18 objects. Last, I ran Avast Cleaner, which found nothing. It took a lot of time, but I think it's clean, i.e., no symptoms. Thanks again for all the information and guidance. I hope to avoid all this in the future, and will be studying up!

    I've attached the final copy of the HijackThis log in case anyone wants to see it.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! Not yet! We still have more to do as I said in my previous message.

    Do you know what the below service is for?
    O23 - Service: (null) - Unknown owner - C:\IBI\desktop436\home\bin\tscom300.exe

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\hpsw.exe
    C:\WINDOWS\System32\wgse.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 12.242.16.8:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.*.*;<local>
    O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
    O4 - HKLM\..\Run: [susse] "C:\WINDOWS\System32\hpsw.exe"
    O4 - HKCU\..\Run: [womu] C:\Program Files\Common Files\womu\womum.exe
    O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
    O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
    O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
    O20 - Winlogon Notify: htproc - htproc32.dll (file missing)
    O20 - Winlogon Notify: ssldr - C:\WINDOWS\SYSTEM32\ssldr32.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Common Files\VCClient <--- the whole folder
    C:\Program Files\Common Files\womu <--- the whole folder
    C:\Program Files\Jalmp <--- the whole folder
    C:\windows\system32\ssldr32.dll
    C:\windows\system32\htproc32.dll
    C:\windows\system32\doser.exe
    C:\WINDOWS\System32\hpsw.exe
    C:\WINDOWS\System32\wgse.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
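A small log-triage script, added here as an illustration and not part of this thread or of HijackThis itself, that applies the same checks chaslang walks through above (about:blank pages, the unexpected proxy, the text/html filter, the dangling Winlogon Notify entry, the unnamed service) to HJT-style lines. The sample lines are copied from this thread plus one constructed benign Run entry; findings are review prompts, not verdicts, as the O23 entry that turned out to be IBI's Focus shows.

```python
import re

# Constructed sample: HJT lines quoted in this thread, plus one benign
# Run entry (SynTPEnh, constructed) to show a line that raises nothing.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 12.242.16.8:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.*.*;<local>
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - Winlogon Notify: htproc - htproc32.dll (file missing)
O23 - Service: (null) - Unknown owner - C:\IBI\desktop436\home\bin\tscom300.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
"""

# Every HJT line starts with a section code (R0, R1, O2, O4 ...) and " - ".
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")


def audit_hjt(log_text):
    """Return (severity, code, reason) tuples for lines a human should review."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or free text, not an HJT entry
        code, body = m.group("code"), m.group("body")
        key, _, value = body.partition(" = ")  # R-lines are "key = value"
        value = value.strip()
        if code in ("R0", "R1") and value.lower() == "about:blank":
            findings.append(("high", code, "IE page/search setting hijacked to about:blank (CWS-style)"))
        elif code == "R1" and key.endswith("ProxyServer") and value:
            findings.append(("high", code, "IE proxy set; all browsing can be redirected: " + value))
        elif code == "R1" and key.endswith("ProxyOverride") and "*.*.*.*" in value:
            findings.append(("medium", code, "ProxyOverride wildcard; review together with ProxyServer"))
        elif code == "O18" and body.startswith("Filter: text/html"):
            findings.append(("high", code, "MIME filter on text/html can rewrite every page IE loads"))
        elif code == "O20" and "(file missing)" in body:
            findings.append(("medium", code, "Winlogon Notify points at a missing DLL; orphaned entry"))
        elif code == "O23" and body.startswith("Service: (null)"):
            findings.append(("low", code, "service with no display name; confirm the vendor"))
        elif code == "O2":
            findings.append(("low", code, "BHO loads into every IE process; confirm the vendor: " + body))
    return findings


if __name__ == "__main__":
    for sev, code, reason in audit_hjt(SAMPLE_LOG):
        print(f"[{sev:6}] {code}: {reason}")
```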
  5. stuck64

    stuck64 Private E-2

    Yes, it's used by Focus, a DBMS from IBI.

    It's looking better, I've posted the newest log from HJT. What do you think now?
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you forget to fix these:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

    Or did you not allow the changes to be made when either MS Antispyware and/or Spy Sweeper popped up warning about the changes. You must allow the changes to be made or you must disable the protections of the two programs while making the change.

    In fact you must consider whether you want all three of the below installed:
    Ewido
    MS Antispyware
    Spy Sweeper

    If you have purchased or plan to purchase Spy Sweeper, I would keep it and uninstall Ewido and MS AS. Having too many full blown applications like this installed can eat up a lot of system resources and slow things down.
     
  7. stuck64

    stuck64 Private E-2

    Glad you asked... No, I didn't forget, nor did I disallow the fix. I checked the box for these as well as the others, did the fix, etc. But when I ran HJT again, they appeared. I assumed (incorrectly) that they were supposed to re-appear as a result of using "Reset Web Settings" in IE. Obviously that's not true.

    You mentioned
    " when either MS Antispyware and/or Spy Sweeper popped up warning about the changes." Neither of these programs popped up any kind of warning today.

    I will uninstall the MS product and Ewido then run HJT again (using your most recent procedure instructions) and fix these again. I'll clear out \Prefetch again, run Ccleaner, then HJT again to see if they are gone. I'll post the new log.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Does this mean you have purchased Spy Sweeper or will purchase it? Without buying it you will not get updates and it will stop working when the trial ends.

    You do not need to do all of those steps. After uninstalling Ewido and MS AS, reboot, and then shut down Spy Sweeper by right clicking on the icon in the tray and selecting exit/close etc. Then run HJT and fix those lines. Then "Reset Web Settings" in IE.

    Then check a new log.
     
  9. stuck64

    stuck64 Private E-2

    ok... the about:blank entries are gone... HJT log attached.

    I haven't decided yet whether to buy SpySweeper. I need to figure out which product is going to be best long term. Any suggestions?

    Right now I've got Norton AV and Firewall, Spybot, and RegVac
    As a result of doing all this cleanup I've added
    AdAware SE Personal
    Avast Cleaner
    CCleaner
    CWShredder
    HiJackThis
    SpySweeper (trial)

    I'd like to keep and continue with a complement of tools that will work effectively and efficiently together. And I'm open to your recommendations.

    I really appreciate your patience and assistance. Thank you very much!
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Spy Sweeper is the best but you must buy it. If you are looking for a free program then you should uninstall Spy Sweeper and go back to MS Antispyware which is still currently free.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
