check up after infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by dadpad, Jan 16, 2007.

  1. dadpad

    dadpad Private E-2

    I was alerted to a possible infection by my firewall which flagged pviever.exe.

    I have worked through the read and run me thread.

    I was unable to run panda scan in safe mode but ran it in normal mode. There were no infections, hence no report.

    Bitdefender gave me a message indicating it may not have updated correctly, but offered me a "scan anyway" option which I used.

    hjt is located in a folder in the root directory (C:/) not C:/Program files

    I have turned sys restore off and not yet activated it again.
    OS is winxp sp 2

    Please advise if I have performed any action incorrectly and/or if you require further information.
     
    Last edited: Apr 20, 2007
  2. dadpad

    dadpad Private E-2

    bit defender and hjt log files

    I bring the following to your attention and request your advice.
    I no longer require Yahoo toolbar and have removed it via Add/Remove Programs. However, it still shows in HJT, albeit with a "file missing" (etc.) note.

    020 winlogon notify:winwly32-winwly32.dll (file missing)

    021 SSDL.... I do not recognise this entry.

    In counterspy some items were not quarantined as this option was unavailable. I selected remove for these items. All items were quarantined where this option was available.

    Thank you for your time and expertise
     
    Last edited: Apr 20, 2007
  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    Using Add or Remove Programs in the Control Panel; uninstall the following:
    Install Java Runtime Environment (JRE) 6 available from Sun Microsystems.

    Download and Install Registrar Lite

    Run Registrar Lite navigate to the following keys and take ownership of them (explained further down):

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE]


    To take ownership of the key do the following:
    • Copy & Paste one registry key from above into the address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    • Click-on Security in the Menu
    • Select Take Ownership
    • Now right click on the registry key and select delete
    • Repeat for all three registry keys
    • Tell me the results. Any errors??? If so, make sure you tell me the exact error message and exactly on which keys it occurs.
    • Then if there was an error, boot into safe mode and retry all of the above.
    • Again keep track of errors and give a report of the results.
    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    REBOOT to Normal Mode.

    Post the following logs:
    1. ShowNew
    2. GetRunKeys
    3. HijackThis


    Results and any errors from running Registrar Lite
     
  4. dadpad

    dadpad Private E-2

    I have uninstalled j2re5.0 update 10.
    I have successfully installed JRE 6.
    NB: it may have been easier to install JRE 6 and then uninstall j2re5.0 update 10.

    I have downloaded Reglite but have been unsuccessful in installing this program.
    The error message reads:
    An I/O error occurred whilst installing this file. This is normally caused by bad installation media or a corrupt installation file.

    A second message reads:
    Corrupt installation file.
    I have not proceeded further and await your advice.
     
  5. dadpad

    dadpad Private E-2

    I have now succeeded at installing regedit. I believe the problem may have been associated with downloading whilst my firewall, A/V and spyware protection were active.

    I was unable to successfully use the method you described to enter the keys into the address bar of Regedit.
    Copy/paste and Enter caused the program to "hang" and eventually (3 minutes?) return to having "registry" in the address bar.

    I was, however, successful in navigating to each key by expanding the folders and carefully following the paths you supplied.
    I successfully took control of each key.

    No error messages were encountered.


    I have successfully deleted the hjt files you suggested.

    I ran Killbox, pasted the files and successfully auto-rebooted.
    No messages were received.

    Please advise if you require further information.

    Thank you for your time.
     
    Last edited: Apr 20, 2007
  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You did not delete these registry keys as requested.
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR]

    Using Registrar Lite navigate to each of the above keys, take ownership of them and then delete the registry key.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    REBOOT to Normal Mode.

    Post the following logs:
    1. ShowNew
    2. GetRunKeys
    3. HijackThis


    Results and any errors from running Registrar Lite
     
  7. dadpad

    dadpad Private E-2

    I have rerun the whole of post #3 as I was concerned I had not copy/file>paste from clipboard the killbox files as requested.

    Results for Reglite
    (identical for each key) Message: User keith has successfully taken control of key
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR]
    right click Delete
    Access is denied
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR]
    access is denied
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR]
    Access is denied
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE]
    Access is denied

    In safe mode
    Administrator


    (identical for each key) Message: User administrator has successfully taken control of key
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR]
    Access is denied
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR]
    access is denied
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR]
    Access is denied
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE]
    Access is denied

    Pocket Killbox post #6
    C:\sqmdata00.sqm
    C:\sqmnoopt00.sqm
    C:\WINDOWS\system32\REN32F.tmp
    C:\WINDOWS\system32\REN330.tmp
    delete on reboot: Auto rebooted successfully:

    files attached.
    thank you for your time.
     
    Last edited: Apr 20, 2007
  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    These are the ones that are typically more stubborn because they are owned by the System (the operating system) which makes it harder to remove.

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR

    I want you to use Registrar Lite again to navigate to each key (one at a time) by pasting them into the Address Bar and hitting return. Now this time click the Security menu item and select Edit Permissions. Here is what I expect you to see in the Group or user names area of the form:

    Everyone
    SYSTEM

    Select Everyone by clicking on it. Now at the bottom in the Permissions box click the check box for Full Control. Then click Apply and then OK to get back to the main Registrar Lite screen. Now right click on the registry key and select Delete. Then click View and Refresh. Check to see if the registry key just deleted was truly deleted. If so, move on to the next to work thru the whole list. If it does not delete, I want you to boot into safe mode and repeat these exact same steps to see if we can do it from safe mode.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    REBOOT to Normal Mode.

    Post the following logs:
    1. ShowNew
    2. GetRunKeys
    3. HijackThis


    Results and any errors from running Registrar Lite
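    A quick way to confirm the outcome of the ownership and permission steps above, as an added PowerShell check that is not part of this thread (PowerShell 1.0 or later on the machine is assumed; the key list is the one quoted in this post):

    ```powershell
    # Added example, not from the thread: audit the LEGACY_* service enumeration keys
    # named in post #8 and report whether each still exists, who owns it, and whether
    # Everyone has been granted Full Control (the state the Edit Permissions step aims for).
    # Run from an Administrator session; edit $keys for your own case.
    $keys = @(
        'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE',
        'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR',
        'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR',
        'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR'
    )
    $full = [System.Security.AccessControl.RegistryRights]::FullControl

    foreach ($key in $keys) {
        $path = "Registry::$key"
        if (-not (Test-Path -Path $path)) {
            Write-Output "DELETED  $key"
            continue
        }
        try {
            $acl = Get-Acl -Path $path -ErrorAction Stop
        } catch {
            # A key whose DACL cannot even be read is the "owned by SYSTEM" case the post describes.
            Write-Output "PRESENT  $key (ACL not readable: $($_.Exception.Message))"
            continue
        }
        $everyoneFull = $acl.Access | Where-Object {
            $_.IdentityReference -eq 'Everyone' -and (($_.RegistryRights -band $full) -eq $full)
        }
        Write-Output "PRESENT  $key"
        Write-Output "    owner: $($acl.Owner)"
        Write-Output "    Everyone has FullControl: $([bool]$everyoneFull)"
        # Subkeys are listed because a key with children may refuse to delete until they go first.
        Get-ChildItem -Path $path | ForEach-Object { Write-Output "    subkey: $($_.PSChildName)" }
    }
    ```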
     
  9. dadpad

    dadpad Private E-2

    cannot import C:\documents and settings\keith\desktop\FixReg.reg. The specified file is not a registry script. You can only import binary registry files from within registry editor.

    in normal mode
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE
    Access is denied.
    NB: in the Group or user names box, ONLY Everyone appears. No permission boxes are checked. After checking only the "Full control" box, "Full control" and "Read" are auto-checked. After clicking Apply, SYSTEM appears in the Group or user names box and "Read" and "Full control" are checked in the permissions for Everyone box.
    After receiving the first "Access is denied" message I tried unchecking the "Read" box, rechecking the "Full control" box and selecting Apply. This also gives me an "Access is denied". I have also tried uncheck Read, check Full control > Apply > Take Ownership > Delete; this also results in "Access is denied".

    same result in safe mode
    I did not attempt to delete all keys. Two keys in each mode (Different keys each time) were tried

    Killbox: delete temp files and >copy>File>paste from clipboard. delete on reboot. Successfully auto rebooted.

    NB: I have been completing the killbox actions in Normal mode. Should I be completing the killbox action in safe mode?
     
  10. dadpad

    dadpad Private E-2

    New files as requested
     
    Last edited: Apr 20, 2007
  11. dadpad

    dadpad Private E-2

    Thank you for your time and expertise.

    I re-ran Killbox several hours after posting the previous ShowNew txt, for my own interest and education.

    I copy>paste from clipboard> the most recent files list.
    These two files were still present
    C:\sqmdata00.sqm
    C:\sqmnoopt00.sqm
    I deleted them using pocket killbox
    rebooted, no errors or messages, and rechecked to see if pktkillbox could find them again. They were not present.
    I am attaching a new set of logs.
     
    Last edited: Apr 20, 2007
  12. dadpad

    dadpad Private E-2

    I have successfully merged REGEDIT4 with the registry after following your instructions properly

    In case it is useful for viewers of this thread, the instruction is to copy the contents (the whole contents) of the quote box. That includes the word REGEDIT4 as well as the key.

    I also note that some of the .sqm files have returned according to pkt killbox
    I now await instruction.

    Sorry to mess you round shadow dude.
     
  13. dadpad

    dadpad Private E-2


    EDIT: I have successfully deleted the keys

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR
    By deleting the subfolder 000 first, then the folders for each key

    New files attached.

    In addition, I have learned that the .sqm files appear to be associated with Windows Live Messenger.
     
    Last edited: Apr 20, 2007
  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Disable the Customer Experience Improvement Program feature of Windows Live Messenger and the delete all the sqm files. This is another example of piss poor programming and quality control on the part of Microsoft.

    Otherwise your logs are clean. How is your system running?
     
  15. dadpad

    dadpad Private E-2

    Everything seems to be running fine.
    I have been unable to find a method yet of turning off the Customer Experience Improvement Program. I personally don't use Live Messenger; my (older) kids do.
    It starts during start up and I just shut it down. If you have advice on disabling this I would happily accept it. Otherwise I will continue to research and explore the program until I do find something.

    Thank you and all at MG for your assistance and patience.
     
  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You can enable and disable that feature:

    • Under Help, Click on the "Customer Experience Improvement Program" menu option.

    If you are not having any other malware problems, it is time to do our final steps:
    • If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    • If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    • If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    • If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    • If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    • If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    • You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    • If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    • After doing the above, you should work thru the below link:
     
  17. dadpad

    dadpad Private E-2

    Shadow_dude;
    My computer runs well. I have not yet removed the programs/files we have used. I will do so once I have overviewed each user.
    In the meantime I notice a yahoo toolbar is present when my daughter logs in via firefox.

    There is no Yahoo entry in her Add/Remove Programs.

    I note some (4) entries associated with Yahoo in a fresh HJT log.
    08 extra context menu items

    I would like to remove this toolbar if possible


    If you prefer me to start a new topic for this problem please tell me. Please also advise me if I should work through the read and run me thread again.

    For convenience's sake I have attached a fresh HJT log to this post. If you require further information please advise.
    Thank you for your time.
     
  18. dadpad

    dadpad Private E-2

    meh~!

    For convenience's sake I have attached a fresh HJT log run from user2.
     
    Last edited: Apr 20, 2007
  19. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    The Toolbar should be gone now.
     
  20. dadpad

    dadpad Private E-2

    No joy on the tool bar.

    as requested I removed the items
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

    The toolbar is still present after reboot.

    I can see the Yahoo folder in C:\Program Files. Is it suitable to just delete this?

    Further HJT attached.
     
    Last edited: Apr 20, 2007
  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  22. dadpad

    dadpad Private E-2

  23. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You're welcome
     
