Cleaning badly infected system

Discussion in 'Malware Help (A Specialist Will Reply)' started by goliano, Mar 15, 2008.

  1. goliano

    goliano Corporal

    I removed a lot of spyware and viruses before doing the steps in "READ & RUN ME FIRST. Malware Removal Guide." Logs attached.

    Thanks

    Goliano
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi goliano,
    Welcome to the Malware Forum!


    Your computer is still badly infected. Please use it as little as possible until I can post a set of instructions to you and try not to reboot unnecessarily.

    abri
     
  3. goliano

    goliano Corporal

    Hey Abri,

    I gave the system back to the owner about an hour ago, however, she's still in the area and will be dropping it back off in a few. I'll await your instructions.

    Perfect timing. ;)

    Goliano
     
  4. abri

    abri MajorGeek

    Hi goliano,

    1) Please disable your guest account if this has not already been done.

    2) Do you know what the following is? (You can open it, but don't click on any files.) If you don't know what it is, right-click on it and see if there is any information in properties:

    C:\Program Files\Common Files\rwuw

    3) Next, unless you know what the following is, I would like for you to upload it to one of the following to be scanned:
    jotti, VirusTotal, virus.org, Kaspersky or viruschief, and let me know the results.

    C:\WINDOWS\BMe3aeee02.txt

    4) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    5) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - _{0199DF25-9820-4bd5-9FEE-5A765AB4371E} - (no file)
    O2 - BHO: (no name) - {B6DD756D-6142-4CA6-AEBD-FEC5136E633B} - \
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: (no name) - {E828EC21-EAA9-44B3-8021-EE89101C6ACD} - (no file)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: (no name) - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - (no file)
    O4 - HKLM\..\Run: [F8F9F8F7FCFAFE0] 1E1F1E1D22202.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKCU\..\Policies\Explorer\Run: [{E09DDD31-0952-1033-1022-020816020001}] "C:\Program Files\Common Files\{E09DDD31-0952-1033-1022-020816020001}\Update.exe" te-110-12-0000213
    O16 - DPF: {8522F9B3-0000-0000-0000-000000000000} - http://38.144.58.87/sex/xxxmovies.cab
    O20 - Winlogon Notify: pmnmjhg - pmnmjhg.dll (file missing)

    Do the following belong to programs you know or want to keep? If not, please fix them as well.

    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/207/webolr/OCX/FlashAX.cab

    After you click fix, just close hijackthis.

    6) Download and install Erunt. Use it to create a backup of your registry.

    7) Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):
    Code:
    RenV::
    ----a-w            14,336 2008-02-26 16:52:46  C:\Documents and Settings\Latrice\Application Data\qfpax .exe
    ----a-w           446,464 2008-02-22 01:11:03  C:\Program Files\2Wire\Gateway\2PortalMon           .exe
    ----a-w           446,464 2008-03-04 01:52:58  C:\Program Files\2Wire\Gateway\2PortalMon        .exe
    ----a-w           446,464 2008-03-06 12:25:20  C:\Program Files\2Wire\Gateway\2PortalMon  .exe
    ----a-w            57,344 2008-02-10 18:17:41  C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
    ----a-w            50,776 2008-02-26 14:32:58  C:\Program Files\America Online 9.0a\AOL .EXE
    ----a-w            50,736 2008-03-14 06:00:17  C:\Program Files\Common Files\AOL\1105447560\EE\AOLSoftware .exe
    ----a-w           153,168 2008-03-13 21:12:53  C:\Program Files\Common Files\AOL\1105447560\EE\SSCRun .exe
    ----a-w            71,216 2008-03-14 05:59:55  C:\Program Files\Common Files\AOL\ACS\AOLDial .exe
    ----a-w           135,216 2008-03-14 05:59:54  C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS .EXE
    ----a-w           185,896 2008-03-14 00:44:51  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
    ----a-w           270,336 2008-02-25 21:38:52  C:\Program Files\Dell AIO Printer A920\dlbkbmgr .exe
    ----a-w         1,670,144 2008-01-29 21:17:06  C:\Program Files\Messenger\msmsgs .exe
    ----a-w           282,624 2008-02-26 03:02:30  C:\Program Files\QuickTime\qttask                                             .exe
    ----a-w           380,928 2008-03-14 05:59:59  C:\Program Files\SBC Self Support Tool\SmartBridge\MotiveSB .exe
    ----a-w           129,536 2008-02-26 02:23:11  C:\Program Files\Yahoo!\browser\ybrwicon .exe
    ----a-w         4,662,776 2008-03-13 19:07:30  C:\Program Files\Yahoo!\Messenger\YAHOOM~1  .EXE
    ----a-w           174,592 2008-03-06 10:52:25  C:\WINDOWS\SYSTEM32\lexpps .exe
    C:\Documents and Settings\Latrice\Application Data\qfpax .exe
    
    File::
    C:\WINDOWS\SYSTEM32\bubsvfxo.ini
    C:\WINDOWS\SYSTEM32\chspjbit.ini
    C:\WINDOWS\SYSTEM32\cwbfxytb.ini  
    C:\WINDOWS\SYSTEM32\cwielkre.ini
    C:\WINDOWS\SYSTEM32\ethfcgjg.ini
    C:\WINDOWS\SYSTEM32\gdohiibw.ini  
    C:\WINDOWS\SYSTEM32\gixriadv.ini
    C:\WINDOWS\SYSTEM32\hasrtgyy.ini
    C:\WINDOWS\SYSTEM32\ipjsxpad.ini
    C:\WINDOWS\SYSTEM32\jfokloxd.ini
    C:\WINDOWS\SYSTEM32\kfivksrs.ini
    C:\WINDOWS\SYSTEM32\nefxqnyo.ini
    C:\WINDOWS\SYSTEM32\vdlqjtep.ini
    C:\WINDOWS\SYSTEM32\wxxyeodh.ini
    C:\WINDOWS\SYSTEM32\L18C5.tmp
    C:\WINDOWS\SYSTEM32\L1B69.tmp
    C:\WINDOWS\SYSTEM32\L708F.tmp
    C:\WINDOWS\SYSTEM32\L8281.tmp
    C:\WINDOWS\SYSTEM32\L9302.tmp
    C:\WINDOWS\SYSTEM32\L9F9E.tmp
    C:\WINDOWS\SYSTEM32\LABCD.tmp
    C:\WINDOWS\SYSTEM32\LB48E.tmp
    C:\WINDOWS\SYSTEM32\LB5C1.tmp
    C:\WINDOWS\SYSTEM32\LD5E0.tmp
    C:\WINDOWS\SYSTEM32\LDE57.tmp
    C:\WINDOWS\SYSTEM32\LE770.tmp
    C:\WINDOWS\SYSTEM32\LEBA6.tmp
    C:\WINDOWS\SYSTEM32\LFF81.tmp
    C:\WINDOWS\SYSTEM32\winfrun32.bin
    C:\WINDOWS\SYSTEM32\jkkhfge.dll
    C:\WINDOWS\SYSTEM32\kcopt.dll
    C:\WINDOWS\s.dll
    C:\WINDOWS\strictions.dll
    C:\WINDOWS\SYSTEM32\c7u3eqcm.exe
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B6DD756D-6142-4CA6-AEBD-FEC5136E633B}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnmjhg]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    "{E09DDD31-0952-1033-1022-020816020001}"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "F8F9F8F7FCFAFE0"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    8) Now run Ccleaner!

    9) Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    10) Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    • Scan results for jotti or one of the others
    Make sure you tell me how things are working now!

    abri
     
  5. goliano

    goliano Corporal

    Hey again, Abri,

    I haven't worked your instructions, yet, because after booting the infected machine, the following appeared as a blue screen:

    Should I simply restart, as directed?

    Goliano
     
  6. abri

    abri MajorGeek

    Hi goliano,
    If you can get it to restart, do and carry out the instructions I gave you. Skip the first four steps and go directly to step 5. You have a lot of infected files and programs.
    abri
     
  7. goliano

    goliano Corporal

    Restarting to Normal Mode was taking forever, so I rebooted to Safe Mode and just finished step 4.

    Already disabled.

    I don't know what this is. The folder was created 2005-05-07. Delete it?

    I've attached the VirusTotal.com output for the above file.

    Not sure if the owner uses it, so I disabled it.

    Is it okay to continue with step 5 in Safe Mode?
     

    Attached Files:

  8. goliano

    goliano Corporal

    Ok, abri. Everything ran smoothly in Normal Mode. Logs attached.

    Goliano

    P.S. I sent "VirusTotal log.txt" in a previous reply, so it won't attach to this one.
     

    Attached Files:

  9. abri

    abri MajorGeek

    Hi goliano,

    It's starting to look better. I'm curious about that one file I had you scan at VirusTotal. Would you upload it here as an attachment so I can look at it? It was this one:

    C:\WINDOWS\BMe3aeee02.txt

    Then I would like for you to run Combofix again, with the same instructions as before where you copy the text into notepad and then drag the saved text on top of the combofix icon on the desktop. Use the instructions in post 4 step 7, only this time use the contents of this box:
    Code:
    RenV::
    C:\Program Files\2Wire\Gateway\2PortalMon    .exe
    C:\Program Files\QuickTime\qttask                                                                   .exe -atboottime
    
    File::
    C:\Documents and Settings\Latrice\Application Data\0047b24919b3e8f8441f1bacd1378c74846deb024f2690df6a.dat
    C:\Documents and Settings\Latrice\Application Data\qfpax.exe
    C:\WINDOWS\ions.dll
    After you finish the above, please run CCleaner in the default setting with the Windows tab as the one on top.

    Finally, please run the C:\MGtools\GetLogs.bat file by double clicking on it.

    When you're finished attach the Combofix and MGlogs.zip with your next post.

    Thanks.
    abri
     
  10. goliano

    goliano Corporal

    Alright, abri... done.

    Goliano
     

    Attached Files:

  11. goliano

    goliano Corporal

    So, how does it look?
     
  12. abri

    abri MajorGeek

    Hi goliano,
    Two of your Vundo files are not getting deleted. One is Quicktime and the other is 2wire. If you can uninstall Quicktime and reinstall it, that would solve one of the two. I want to have someone look at the 2wire entry, because it looks like it might be your internet connection. Also, the .txt file you attached is ... interesting. I want to have that looked at as well. For the time being, you can use the computer, but please avoid unnecessary boots. I will get back to you about this. As soon as I know how to proceed with these remaining items, I'll post you the final cleanup instructions to remove all the tools and logs we had you put on the computer.
    abri
     
  13. goliano

    goliano Corporal

    Hello, abri.

    Yes, 2Wire is the internet connection. Why is it classified as a Vundo file?

    Uninstalled/reinstalled QuickTime.

    What should I do about C:\Program Files\Common Files\rwuw that you asked me about earlier?

    Thanks,

    Goliano
     
  14. goliano

    goliano Corporal

    MGlogs.zip after a CCleaner run.
     

    Attached Files:

  15. goliano

    goliano Corporal

    Uninstalled 2Wire Gateway... didn't need it. MGlogs.zip attached.
     

    Attached Files:

  16. abri

    abri MajorGeek

    It's indicated by the spaces you can see before the .exe file if you go back and look at your original HijackThis log, or simply look at the files I had you delete using ComboFix, where I asked you to put them in the code box under the word RenV::. If you scroll over, you'll see they all have spaces before the .exe.

    Leave that one, but delete the C:\WINDOWS\BMe3aeee02.txt

    Other than that, your logs look good. Please do the final cleanup instructions. In particular, please take the bit of time it requires to read through the How to protect yourself from malware. Spyware Blaster is a great tool and requires basically nothing for the extra protection it gives. Also, the immunize feature should be clicked on in Spybot Search & Destroy. I don't remember if you have a two-way firewall, but there should be one.
    abri
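    The tell-tale sign abri describes above (whitespace padded in between the file name and its extension, so the copy sits beside the legitimate program) can be checked for mechanically. The following is an added example, not code from the thread or from ComboFix: it parses a listing in the RenV:: style shown in post 4 and flags padded names. The listing lines and paths are constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample in the ComboFix "RenV::" listing style used in the thread.
# The padded names mimic what the thread's Vundo infection did: a copy of a
# program saved as "name<spaces>.exe" next to the real "name.exe".
SAMPLE_LISTING = r"""
----a-w           446,464 2008-02-22 01:11:03  C:\Program Files\ExampleNet\Gateway\PortalMon           .exe
----a-w           282,624 2008-02-26 03:02:30  C:\Program Files\ExamplePlayer\player        .exe
----a-w           135,216 2008-03-14 05:59:54  C:\Program Files\Common Files\ExampleCam\Driver\CAMSVC .EXE
----a-w           174,592 2008-03-06 10:52:25  C:\WINDOWS\SYSTEM32\notepad.exe
----a-w            57,344 2008-02-10 18:17:41  C:\Program Files\Example App\helper.dll
"""

# One listing line: attributes, size, timestamp, then the path (which may itself contain spaces).
LINE_RE = re.compile(
    r"^(?P<attrs>\S+)\s+(?P<size>[\d,]+)\s+(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>.+?)\s*$"
)
# Whitespace immediately before the final extension is what we are looking for.
PADDED_RE = re.compile(r"^(?P<stem>.*?)(?P<pad>\s+)(?P<ext>\.[A-Za-z0-9]{1,4})$")


def parse_listing(text: str) -> List[Tuple[str, int, str]]:
    """Return (path, size_in_bytes, timestamp) for every well-formed listing line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m.group("path"), int(m.group("size").replace(",", "")), m.group("stamp")))
    return rows


def find_padded_names(text: str) -> List[Tuple[str, str, int]]:
    """Flag paths whose file name has whitespace before the extension.

    Returns (padded_path, path_of_the_name_it_imitates, number_of_pad_characters).
    """
    hits = []
    for path, _size, _stamp in parse_listing(text):
        directory, _, basename = path.rpartition("\\")
        m = PADDED_RE.match(basename)
        if m:
            clean = m.group("stem") + m.group("ext")
            hits.append((path, f"{directory}\\{clean}", len(m.group("pad"))))
    return hits


if __name__ == "__main__":
    for padded, imitated, pad in find_padded_names(SAMPLE_LISTING):
        print(f"{pad:3d} pad chars: {padded!r} imitates {imitated!r}")
```

    A padded name is only a strong hint, not proof on its own; the file it imitates should still be checked, as abri did with VirusTotal in this thread.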
     
  17. goliano

    goliano Corporal

    Yes, I have all of that installed.

    Downloading .NET Framework Updates, now... will let you know if anything else happens.

    Thanks for your help, abri.

    Goliano
     
  18. abri

    abri MajorGeek

    You're welcome!
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note: The below is from malware.

    C:\Program Files\Common Files\rwuw
     
  20. goliano

    goliano Corporal

    So I can just delete it, right?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes!
     
