Can't remove spyware

Discussion in 'Malware Help (A Specialist Will Reply)' started by letsgojets, Jul 4, 2006.

  1. letsgojets

    letsgojets Private E-2

    I have some nastiness that I can't seem to remove: Pop-ups going off like crazy. I have gone through the steps to remove the malware that are requested to be run before posting for help. Ad-Aware comes up with some stuff that it can't remove labeled: inicfg32.dll

    Spybot also lists a couple of things that it can't remove.

    I have attached the HJT log. If anyone can help me out, I'd appreciate it.

    Thanks,
    John
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a whole bunch of problems! Please note that we require standard cleaning procedures to be followed before accepting HijackThis logs. However, before we get to the standard cleaning steps, I want you to run the below. My next message will contain standard cleaning steps to follow.

    • Please download the below file from one of the two links:
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log for you. Attach that log in your next reply
    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  3. letsgojets

    letsgojets Private E-2

    Thanks for the reply Chaslang.

    I ran combofix and attached is the log.

    Thanks,
    John
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run this tool: E2TakeOut


    - Extract the file to your Desktop
    - Double click E2TakeOut.exe
    - Click the Begin Removal button
    - Wait until the program is finished scanning
    - Once done, it will produce a popup stating that the infection has been found and you need to reboot your computer to complete the removal
    - Reboot your computer
    - Once your computer has rebooted E2TakeOut will open and produce a report
    - Upload the report here as an attachment.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\system32\wmeora.exe
    C:\DOCUME~1\John\LOCALS~1\Temp\nein.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\system32\nodeipproc.dll
    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - (no file)
    O2 - BHO: (no name) - {BCA7654F-88E9-41D8-A63D-90DA0BFE6B48} - C:\Program Files\Messenger\hozet.dll
    O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\system32\1201.exe
    O4 - HKLM\..\Run: [qmffnx] C:\WINDOWS\system32\qubona.exe reg_run
    O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
    O4 - HKLM\..\Run: [ms0513708-7919] C:\WINDOWS\ms0513708-7919.exe
    O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdatek
    O4 - HKCU\..\Run: [wmeora] C:\WINDOWS\system32\wmeora.exe
    O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [wallp2.exe] C:\WINDOWS\system32\wallp2.exe
    O4 - HKCU\..\Run: [VSL13.exe] C:\WINDOWS\system32\VSL13.exe
    O4 - HKCU\..\Run: [1201.exe] C:\WINDOWS\system32\1201.exe
    O4 - HKCU\..\Run: [ssqbn.exe] C:\WINDOWS\system32\ssqbn.exe
    O4 - HKCU\..\Run: [mjlho] C:\WINDOWS\system32\qubona.exe reg_run
    O4 - HKCU\..\Run: [Aida] "C:\Program Files\rdso\eetu.exe" -vt yazb
    O4 - HKCU\..\Run: [Oqijvgwz] C:\WINDOWS\SYSTEM32\RACLE~1\dllhost.exe
    O4 - HKCU\..\RunOnce: [wmeora] C:\WINDOWS\system32\wmeora.exe
    O15 - Trusted Zone: *.elitemediagroup.net
    O20 - AppInit_DLLs: inicfg32.dll,repairs303169590.dll msdtc.dll <--- you will get an error from HijackThis about fixing the AppInit_DLLs line. Just ignore it! Click OK and continue on!

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\webHancer <--- the whole folder
    C:\Program Files\rdso <--- the whole folder
    C:\Program Files\E2G <--- the whole folder
    C:\Program Files\Zango Programs <--- the whole folder
    C:\Program Files\Common Files\EliteMediaGroupOinUninstaller.exe
    C:\WINDOWS\system32\1201.exe
    C:\WINDOWS\system32\adrotate.dll
    C:\WINDOWS\system32\adrot-uninst.exe
    C:\WINDOWS\system32\icon_justin.exe
    C:\WINDOWS\system32\iexplore.exe <--- only if found in system32. Do not delete the one in C:\Windows
    C:\WINDOWS\system32\inicfg32.dll
    C:\WINDOWS\system32\irssyncd.exe
    C:\WINDOWS\system32\msdtc.dll
    C:\WINDOWS\system32\nodeipproc.dll
    C:\WINDOWS\system32\nsq72.dll
    C:\WINDOWS\system32\qubona.exe
    C:\WINDOWS\system32\ssqbn.exe
    C:\WINDOWS\system32\ts_justin.exe
    C:\WINDOWS\system32\UnIrimon.exe
    C:\WINDOWS\system32\uninstIcn.exe
    C:\WINDOWS\system32\VSL13.exe
    C:\WINDOWS\system32\wallp2.exe
    C:\WINDOWS\system32\wmeora.exe

    C:\WINDOWS\chadch.exe
    C:\WINDOWS\justin_bundle.exe
    C:\WINDOWS\ms0513708-7919.exe
    C:\WINDOWS\thiselt.exe
    C:\WINDOWS\pi1_36.exe
    C:\WINDOWS\pphuf.dll
    C:\WINDOWS\Tagasuarus2.exe
    C:\WINDOWS\thiselt.exe
    C:\WINDOWS\unstall.exe
    C:\WINDOWS\YOINSI.exe

    If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    You really should start working thru this Sticky thread: READ & RUN ME FIRST Before Asking for Support

    You had a load of bad stuff and I wanted to get rid of a bunch of it quickly but there could be a lot that we missed. Running the READ & RUN ME will help us be sure we got everything.
     
  5. letsgojets

    letsgojets Private E-2

    I extracted E2TakeOut.exe to my desktop and ran it. It did remove something (I didn't make a note of it - sorry), but also gave the following:

    Error Removing! C:\WINDOWS\system32\inicfg32.dll
    Removed directory and files! C:\Program Files\E2G
    Removed orphaned leftovers
    AppInit key reset

    After clicking finish, it never produced the popup to reboot.

    John
     
  6. letsgojets

    letsgojets Private E-2

    I'm heading off to work now, so I won't be touching this for a few hours. Let me know if I should just continue with your instructions or if I need to do something else to get the E2TakeOut log file.

    Thanks,
    JB
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just continue with the rest of the instructions!
     
  8. letsgojets

    letsgojets Private E-2

    OK........ I went forward with your instructions:

    I did not the two processes in the HJT process manager:
    C:\WINDOWS\system32\wmeora.exe
    C:\DOCUME~1\John\LOCALS~1\Temp\nein.exe



    I fixed the lines in HJT that you mentioned except the following that I could not find:
    O4 - HKLM\..\Run: [qmffnx] C:\WINDOWS\system32\qubona.exe reg_run
    O4 - HKLM\..\Run: [ms0513708-7919] C:\WINDOWS\ms0513708-7919.exe
    O4 - HKCU\..\Run: [wmeora] C:\WINDOWS\system32\wmeora.exe
    O4 - HKCU\..\Run: [mjlho] C:\WINDOWS\system32\qubona.exe reg_run
    O4 - HKCU\..\RunOnce: [wmeora] C:\WINDOWS\system32\wmeora.exe



    In safe mode, I deleted the folders & files that you mentioned except the following that I could not find:
    C:\Program Files\webHancer <--- the whole folder
    C:\Program Files\E2G <--- the whole folder
    C:\Program Files\Common Files\EliteMediaGroupOinUninstaller.exe
    C:\WINDOWS\system32\1201.exe
    C:\WINDOWS\system32\iexplore.exe <--- only if found in system32. Do not delete the one in C:\Windows
    C:\WINDOWS\system32\qubona.exe
    C:\WINDOWS\system32\wallp2.exe
    C:\WINDOWS\system32\wmeora.exe
    C:\WINDOWS\ms0513708-7919.exe


    I deleted the contents of c:\windows\Prefetch and ran Ccleaner


    I Reset my Web Settings as you listed
    Make sure you tell me how things are working now.



    Then, I went through the READ & RUN ME FIRST sticky the best I could:
    - the Microsoft Windows Malicious Software Removal Tool did not find anything
    - Ad-Aware SE found some stuff & removed it successfully
    - Spybot Search & Destroy found some stuff & removed it successfully
    - I ran Windows Defender, but can't exactly remember what the result was - I think it was successful (sorry)
    - I ran BitDefender and the log is attached
    - I ran Panda and the log is attached

    I am still getting a bunch of pop-ups...... I actually wrote about 3/4 of this reply and then some pop-ups came and one (unknowingly to me) actually hijacked my browser window, so when I closed the window, I lost everything I typed......... ugh!! So, I'm typing my response in Notepad first.

    I have now run HJT after going through everything and have attached the log

    Thanks for the help,
    John
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Some items I asked you to fix are still in your log and some have mutated into new file names. Are you sure you selected and fixed everything last time?

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\WINDOWS\win32098-79191370.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - Default URLSearchHook is missing
    O2 - BHO: Yvakt Class - {00172AD1-F4BD-48C0-AEB5-A4CFE4638393} - C:\WINDOWS\system32\v199.dll
    O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsn38.dll
    O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\system32\nodeipproc.dll
    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
    O4 - HKLM\..\Run: [win32098-79191370] C:\WINDOWS\win32098-79191370.exe
    O4 - HKLM\..\Run: [kSPYv] "C:\WINDOWS\system32\bdpn.exe"
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {7030CC6C-1A88-4591-BB5A-651B9F7F0C30} (WMVHDRatingCtrl Class) - file://C:\Pirates\components\wmvhdrating.ocx

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\v199.dll
    C:\WINDOWS\system32\nsn38.dll
    C:\WINDOWS\system32\nodeipproc.dll
    C:\WINDOWS\win32098-79191370.exe
    C:\WINDOWS\system32\bdpn.exe
    C:\WINDOWS\SYSTEM32\xd7ehbkw.exe
    C:\avenger\backup.zip
    C:\Documents and Settings\John\Local Settings\Temp <--- delete all files in this Temp folder. Windows will block deleting a couple from the current date.

    If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log. DO NOT REBOOT OR POWER DOWN after attaching this log. Your problems could be mutating at each reboot.

    Make sure you tell me how things are working now.
     
    Last edited: Jul 6, 2006
  10. letsgojets

    letsgojets Private E-2

    Chaslang,

    I am pretty sure I selected everything I could fix last time. There were those that I could not find though.

    Now this time, right from the start, I am not able to find the process you instruct me to delete in the HJT process mgr:
    C:\WINDOWS\win32098-79191370.exe
    I do have the viewing of hidden files enabled. Is there something I can be doing wrong here?.... I run HJT, click on 'Open the Misc Tools section' and click 'open process manager', which lists the running processes in the middle of the window labeled 'Itty Bitty Process Manager'


    Could it possibly have morphed?

    I have just now created and attached a new HJT log.

    John
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The process is now: C:\WINDOWS\ms04913708-7912006.exe

    But all the other items from your log are there as indicated in my last message:
    Kill the new process and then follow the rest of my instructions. Also add that new file name to the list of things to delete if found. By now you should be able to easily spot any new forms of the malware process.

    Make sure you don't power down or reboot after attaching your new log.
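An added example, not from this thread and not a MajorGeeks or HijackThis tool: a small Python triage script for the kind of lines chaslang is quoting in posts 4, 9 and 11. It parses entries in HijackThis's R3/O2/O4/O15/O16/O18/O20 layout, attaches review flags for the patterns this thread keeps fixing (AppInit_DLLs, a Trusted Zone entry, an orphaned BHO, a text/html MIME filter, an ActiveX control from a non-Microsoft host, autorun values with generated-looking names), and compares two logs to pair up a Run entry that came back under a renamed executable, as happened between posts 9 and 11. The sample lines and the "after the next reboot" lines are constructed from the formats on the page, and the flagging rules are my own heuristics, not HijackThis's.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample lines in HijackThis layout (not a real log), modelled on the entry types quoted in this thread.
SAMPLE_LINES = [
    r"R3 - Default URLSearchHook is missing",
    r"O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\system32\nodeipproc.dll",
    r"O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - (no file)",
    r"O4 - HKLM\..\Run: [ms0513708-7919] C:\WINDOWS\ms0513708-7919.exe",
    r"O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdatek",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O15 - Trusted Zone: *.elitemediagroup.net",
    r"O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab",
    r"O18 - Filter: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - C:\WINDOWS\system32\v199.dll",
    r"O20 - AppInit_DLLs: inicfg32.dll,repairs303169590.dll msdtc.dll",
]
# Constructed "after the next reboot" autoruns: same registry slot, new digit runs in the name.
SAMPLE_NEXT = [
    r"O4 - HKLM\..\Run: [ms04913708-7912006] C:\WINDOWS\ms04913708-7912006.exe",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
]

@dataclass
class Entry:
    code: str                                    # HijackThis section code, e.g. "O4"
    raw: str                                     # the original line
    fields: dict = field(default_factory=dict)   # parsed parts; empty if the layout is unknown
    flags: list = field(default_factory=list)    # review reasons added by triage()

CLSID = r"\{[0-9A-Fa-f-]+\}"
PATTERNS = {
    "O2": re.compile(r"O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$"),
    "O4": re.compile(r"O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<command>.*)$"),
    "O15": re.compile(r"O15 - Trusted Zone: (?P<domain>.*)$"),
    "O16": re.compile(r"O16 - DPF: (?P<clsid>" + CLSID + r") \((?P<name>.*?)\) - (?P<url>.*)$"),
    "O18": re.compile(r"O18 - Filter: (?P<mime>\S+) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$"),
    "O20": re.compile(r"O20 - AppInit_DLLs: (?P<dlls>.*)$"),
}

def parse_hjt(lines):
    """Turn HijackThis-style lines into Entry objects; unknown codes keep only the raw text."""
    entries = []
    for line in (l.strip() for l in lines if l.strip()):
        code = line.split(" - ", 1)[0]
        pat = PATTERNS.get(code)
        m = pat.match(line) if pat else None
        entries.append(Entry(code, line, m.groupdict() if m else {}))
    return entries

def _exe_path(command):
    # First token of a Run command, with surrounding quotes removed.
    m = re.match(r'"([^"]+)"|(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command

def signature(name):
    """Collapse digit runs so 'ms0513708-7919' and 'ms04913708-7912006' compare equal."""
    return re.sub(r"\d+", "#", name.lower())

def triage(entries):
    # Attach review flags (heuristics for a human to check, not verdicts) and return the entries.
    for e in entries:
        f = e.fields
        if e.code == "R3" and "missing" in e.raw:
            e.flags.append("default URLSearchHook missing (search hijack indicator)")
        elif e.code == "O2" and f.get("path") == "(no file)":
            e.flags.append("orphaned BHO: CLSID registered but the file is gone")
        elif e.code == "O4" and f:
            exe = _exe_path(f["command"])
            if re.search(r"\d{5,}", f["name"]):
                e.flags.append("generated-looking value name (long digit run)")
            if exe.lower().endswith("iexplore.exe") and "http" in f["command"].lower():
                e.flags.append("opens the browser to a URL at logon")
            if re.match(r"(?i)^c:\\windows\\[^\\]+\.exe$", exe):
                e.flags.append("executable sits directly in the Windows folder")
        elif e.code == "O15" and f:
            e.flags.append("Trusted Zone relaxes IE security for " + f["domain"])
        elif e.code == "O16" and f:
            host = (urlparse(f["url"]).hostname or "").lower()
            # Dot-prefixed suffix check so "notmicrosoft.com" is not accepted as microsoft.com.
            if not ("." + host).endswith((".microsoft.com", ".windowsupdate.com")):
                e.flags.append("ActiveX control fetched from " + (host or "a local file:// path"))
        elif e.code == "O18" and f and f["mime"] in ("text/html", "text/plain"):
            e.flags.append("MIME filter on " + f["mime"] + " can rewrite every page (ad injection)")
        elif e.code == "O20" and f and f["dlls"].strip():
            e.flags.append("AppInit_DLLs loads into every GUI process: " + f["dlls"])
    return entries

def _slot(e):
    return (e.fields["hive"], e.fields["key"], signature(e.fields["name"]))

def renamed_autoruns(old_entries, new_entries):
    """Pair O4 entries across two logs that share hive/key and signature but changed name."""
    old = {_slot(e): e for e in old_entries if e.code == "O4" and e.fields}
    pairs = []
    for e in (e for e in new_entries if e.code == "O4" and e.fields):
        if _slot(e) in old and old[_slot(e)].fields["name"] != e.fields["name"]:
            pairs.append((old[_slot(e)].fields["name"], e.fields["name"]))
    return pairs

if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LINES)):
        print(("!! " if e.flags else "   ") + e.raw, *("\n      -> " + r for r in e.flags), sep="")
    print("renamed autoruns:", renamed_autoruns(parse_hjt(SAMPLE_LINES), parse_hjt(SAMPLE_NEXT)))
```

Running the script prints each sample line with `!!` in front of the flagged ones and the reasons beneath, then the pair `('ms0513708-7919', 'ms04913708-7912006')` from the two constructed logs. The flags are prompts for a reviewer to look at an entry, which is how the thread treats them: the `(no file)` BHO, the Trusted Zone entry and the AppInit_DLLs line all went on the fix list, while an entry such as MSMSGS with a known path under Program Files gets no flag. To use it on a real log, read the file's lines into `parse_hjt` instead of `SAMPLE_LINES`.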
     
  12. letsgojets

    letsgojets Private E-2

    I was able to kill that process with HJT and delete I fixed the lines listed.

    In safe mode, I deleted the files you listed except the following I could not find:
    C:\WINDOWS\system32\v199.dll
    C:\WINDOWS\system32\nsn38.dll
    C:\WINDOWS\system32\nodeipproc.dll
    (I did set it to show hidden files)

    I deleted the contents of c:\windows\Prefetch and ran Ccleaner

    Attached is the new HJT log. I will not reboot until instructed to. As I type this, no pop-ups have popped up...... that seems good.

    Thanks for your help,
    John
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I think you may have missed a couple items John!

    Have HJT fix the below lines:

    O4 - HKLM\..\Run: [kSPYv] "C:\WINDOWS\system32\bdpn.exe"
    O18 - Filter: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - C:\WINDOWS\system32\v199.dll

    Then boot into safe mode and double-check for the below files and delete if found:
    C:\WINDOWS\system32\bdpn.exe
    C:\WINDOWS\system32\v199.dll

    Then empty your Recycle Bin and then reboot in normal mode.

    Now attach a new HJT log. And again do not reboot.
     
  14. letsgojets

    letsgojets Private E-2

    I fixed the 2 items in HJT, but in safe mode I could not find the 2 files in C:\WINDOWS\system32\
    (I did have it set to show hidden files)

    I tried to do a search for the files, but the 'search companion' wasn't working (it came up blank)

    The same thing with the recycle bin - just came up blank - couldn't delete everything

    I ran Ccleaner for kicks

    I rebooted in normal mode and attached is the new HJT log. I will not reboot until instructed.

    Thanks,
    John
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks good now.

    Is your copy of Spyware Doctor a free or paid version? If free, uninstall it and keep Windows Defender. If it is a paid version, keep Spyware Doctor and uninstall Windows Defender.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  16. letsgojets

    letsgojets Private E-2

    Chaslang,

    This may sound weird, but I don't have Spyware Doctor Installed. I did a search and found a shortcut file in the 'Unused Desktop Shortcuts' folder. I deleted the contents of that folder and also emptied my recycle bin.
    I did a search for "Spyware Doctor" and "swdoctor" and it comes up with nothing...... I do know that I never had a paid version of it though


    I turned off system restore & rebooted. Then I turned it on and rebooted again.
    I created a new HJT log in case that is needed.

    I will go through the "How to Protect yourself from malware!" link.

    Thanks a lot again,
    John
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It was trying to load so it must have been installed at one time. Just have HJT fix the below line:

    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
     
  18. letsgojets

    letsgojets Private E-2

    Chaslang,

    I had HJT fix the following:
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

    I went through the "How to Protect yourself from malware!" sticky and have installed Avast and now have that running.

    It now appears that we did not completely rid the pc from malware, because Avast keeps going off saying that I have a virus. Also, I am still getting pop-ups (not as many as before, but a significant amount).

    I am at work right now, so I don't have the info handy on the filename and virus name that Avast reports. When I get home, I will find out exactly what Avast reports and post it. If it's OK with you, I will start fresh and run though the "READ & RUN ME FIRST.." sticky and then post a new HJT log

    Thanks,
    John
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes I need to know the name of the virus, the filename that it finds, and the path to the file (i.e., where it is located on your hard disk).

    You do not need to start over with the READ ME. Just get me a new HJT log and then do the below very fast scans.

    Now run the below procedure and attach the runkeys.txt log.
    Now run the below procedure and attach the newfiles.txt log.
     
