Computer Problems, AGAIN

Discussion in 'Malware Help (A Specialist Will Reply)' started by Snake Eyes77, Jul 31, 2006.

  1. Snake Eyes77

    Snake Eyes77 Private E-2

    Hello again guys and gals, been a long time :eek: Sorry to ask but I seem to be having another problem I hope someone can help me with. Here's what's happening. I am running a Toshiba Satellite Laptop with Win XP SP1, a Celeron 2.80 GHz processor. The computer has 240 MB of RAM. I have McAfee Antivirus running on the system, and that is where the problem starts.

    I usually keep my laptop on all the time, putting it in Hibernation mode when needed, but never fully shutting it down or turning it off. I recently had to reboot the computer due to some problems I had while surfing the web. After the computer rebooted, the McAfee Icon in the taskbar is in the brownish color, meaning that the Virusscan is disabled. I checked in the Security Center for it and it says it is enabled, yet the icon is still the "disabled" color. I thought it might also pertain to an Update I needed to download (even though it's set for automatic) yet when I go and try and do the update manually (from the Taskbar Icon) it tells me I have an Update, yet when I try to install it, it never does anything. I ran the McAfee Virus Scan and Spybot S&D as well as Adaware SE and deleted the problems it found, quarantining or doing what I could for the files that couldn't be. A couple of files (off the top of my head I cannot remember, sorry) could not have anything done with them by any of the programs, so I had Spybot run when I restarted the computer. It got rid of two of the remaining three problems, leaving command.exe remaining. I did a search on the file and found it was a trojan (sorry if this is in the wrong spot, but it also showed up in Spybot and Adaware).

    I then ran the HijackThis (I'll post the log when you guys need it, but remember that I don't post it until you guys ask :) ) and it found that file as well as another file, yet says they are missing. I am getting ready to backup a bunch of files from my laptop to an External Drive so I'd like to know, please, what I need to do to fix these problems and get McAfee running well again. Also, I don't know if this helps or anything, but when I restarted the computer, I get two error messages, one saying something about the registration on the McAfee is not set up, or something to the point, and I get a message that says this: RUNDLL and under it says this: Error loading w357294f.dll The specified module could not be found.
     
  2. Snake Eyes77

    Snake Eyes77 Private E-2

    You know what, just in case, here's the HijackThis log, hope it helps.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
  4. Snake Eyes77

    Snake Eyes77 Private E-2

    Sorry about that, ran the programs and here are the results, the three Scan logs you told me to include are also attached. Thanks again!

    Microsoft Malicious Software Removal Tool: No Malicious Software Found
    Malicious Software Removal Tool (Safe Mode): Nothing Found
    Ad-Aware SE: 24 Items deleted
    Spybot S&D (SM): Found 3 items of Command Service, was able to fix one, but could not fix the other two, said it might be in memory, and I told it to run on next startup to see if it can fix it. Ran at several different startups (into Safe Mode and Normal) and it still could only fix one of the three Command Services.
    CounterSpy: Found some Spyware and Trojans (I believe) and Quarantined most and removed one or two minor problems.

    Upon reboot to send this reply, RUNDLL error still popping up, I Removed the McAfee program while in safe mode (wouldn't allow me to in Normal) because I kept getting the "An Error Occurred While Initializing ActiveShield Method: CoMcAppFactory::Register Register:0x80004015" message and could not Enable VirusScan nor run updates (said I had them and they were downloaded, asked me if I wanted to install them, said yes, nothing happened). Command Service still found by Spybot S&D. Think I may just do a fresh install of XP and try and reorganize from there.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That should not be necessary but it is always your choice.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\System32\xeymi.dll (file missing)
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdfg_7.exe
    O4 - HKLM\..\Run: [vdx556bf] RUNDLL32.EXE w357294f.dll,n 002556bd00000003357294f
    O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
    O15 - Trusted Zone: *.adgate.info
    O15 - Trusted Zone: *.dollarrevenue.com
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.matcash.com
    O15 - Trusted Zone: *.media-motor.com
    O15 - Trusted Zone: *.mediatickets.net
    O15 - Trusted Zone: *.snipernet.biz
    O15 - Trusted Zone: *.sxload.com
    O15 - Trusted Zone: *.systemdoctor.com
    O15 - Trusted Zone: *.adgate.info (HKLM)
    O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
    O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.matcash.com (HKLM)
    O15 - Trusted Zone: *.media-motor.com (HKLM)
    O15 - Trusted Zone: *.mediatickets.net (HKLM)
    O15 - Trusted Zone: *.snipernet.biz (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - mk:@MSITStore:C:\DOCUME~1\Maverick\LOCALS~1\Temp\mma.chm::/joysavsht.cab
    O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Maverick\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\System Files <--- the whole folder
    c:\windows\system32\tsuninst.exe
    C:\WINDOWS\System32\w357294f.dll
    C:\WINDOWS\System32\xeymi.dll
    c:\windows\keyboard1.dat
    C:\kybrdfg_7.exe

    Additional step to delete files in the Downloaded Program Files folder :
    - Click Start, Run, and enter cmd in the box and click OK. This opens a command prompt windows.
    - Enter the following command lines each followed by the enter key
    cd C:\WINDOWS\Downloaded Program Files\
    attrib -r -h -s USDR6_0001_D08M0404NetInstaller.exe
    del USDR6_0001_D08M0404NetInstaller.exe
    exit

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
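Added example, not part of the thread and not HijackThis's own logic: a small Python parser that structures HJT-style log lines by section (R0/R1, O2, O4, O15, O16) and flags the indicator classes the fix list above singles out: search pages hijacked to about:blank, a BHO whose DLL is already missing, Run entries that call RUNDLL32 with a bare DLL name or launch an executable from the drive root, wildcard domains added to the IE Trusted Zone, and an ActiveX package installed from a .chm in a Temp folder. The sample input is copied from chaslang's fix list plus one constructed benign O4 control line (a SynTPEnh touchpad helper, an assumption); the flagging rules are my own heuristics and, as the test shows, they do not catch the CAS2 System.exe entry, which is why a human still has to read the whole log.

```python
"""Structure HijackThis-style log lines and flag common indicator classes.

Added example for this thread; the heuristics are the example author's,
not HijackThis's.  Sample lines are taken from the fix list in post 5,
plus one constructed benign control line (SynTPEnh).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: nine lines quoted from the thread, one benign control.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Search_URL = about:blank
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = about:blank
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\\WINDOWS\\System32\\xeymi.dll (file missing)
O4 - HKLM\\..\\Run: [keyboard] C:\\\\kybrdfg_7.exe
O4 - HKLM\\..\\Run: [vdx556bf] RUNDLL32.EXE w357294f.dll,n 002556bd00000003357294f
O4 - HKCU\\..\\Run: [CAS2] "C:\\Program Files\\System Files\\System.exe"
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\\DOCUME~1\\Maverick\\LOCALS~1\\Temp\\winfix.chm::/SystemDoctor2006FreeInstall.cab
O4 - HKLM\\..\\Run: [SynTPEnh] C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")
# O4 body: "HKLM\..\Run: [name] command"
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\Run:\s+\[([^\]]*)\]\s*(.*)$")
# rundll32 given a DLL name with no path component (resolved via search order)
RUNDLL_BARE_RE = re.compile(r"^rundll32(?:\.exe)?\s+([^\s,\\]+\.dll)\b", re.IGNORECASE)
# an .exe sitting directly in the root of a drive, e.g. C:\kybrdfg_7.exe
DRIVE_ROOT_EXE_RE = re.compile(r'^"?[A-Za-z]:\\+[^\\"]+\.exe"?$', re.IGNORECASE)


@dataclass
class Entry:
    section: str            # "R1", "O4", ...
    body: str               # everything after "O4 - "
    reason: Optional[str]   # why it was flagged, or None if it looks unremarkable


def classify(section: str, body: str) -> Optional[str]:
    """Return a human-readable reason if the entry matches a known indicator class."""
    if section in ("R0", "R1") and body.rstrip().endswith("= about:blank"):
        return "IE search/start page hijacked to about:blank"
    if section == "O2" and "(file missing)" in body:
        return "BHO still registered but its DLL is gone (orphaned after partial removal)"
    if section == "O4":
        m = RUN_RE.match(body)
        if m:
            cmd = m.group(3).strip()
            if RUNDLL_BARE_RE.match(cmd):
                return "rundll32 autostart loading a bare DLL name (no path)"
            if DRIVE_ROOT_EXE_RE.match(cmd):
                return "autostart executable sitting in the drive root"
    if section == "O15" and body.startswith("Trusted Zone:") and "*." in body:
        return "wildcard domain added to the IE Trusted Zone"
    if section == "O16" and "mk:@MSITStore:" in body and "\\Temp\\" in body:
        return "ActiveX package installed from a .chm in a Temp folder"
    return None


def parse_log(text: str) -> List[Entry]:
    """Parse every recognisable HJT line; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        entries.append(Entry(section, body, classify(section, body)))
    return entries


def scan_log(text: str) -> List[Entry]:
    """Only the entries that tripped one of the heuristics, in log order."""
    return [e for e in parse_log(text) if e.reason is not None]


if __name__ == "__main__":
    for e in scan_log(SAMPLE_LOG):
        print(f"{e.section:<4} {e.reason}\n     {e.body}")
```

Run it as a script to get the flagged lines with a one-line reason each; import it and call `scan_log()` on a real log to triage before deciding what to tick in HJT. The miss on the CAS2 entry is intentional in the sense that no simple pattern distinguishes "C:\Program Files\System Files\System.exe" from a legitimate vendor path, so that judgement stays with the reader.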
  6. Snake Eyes77

    Snake Eyes77 Private E-2

    Did as ya said, was not able to find the following files/folders:
    C:\Program Files\System Files
    C:\WINDOWS\System32\w357294f.dll
    C:\WINDOWS\System32\xeymi.dll
    C:\kybrdfg_7.exe (could not find)

    And I could not delete the contents of the c:\windows\Prefetch folder.

    Upon rebooting to XP Normal Mode, I did not get the RUNDLL error I had been getting, nor the McAfee Registration Error, but I am now getting a "Some components of McAfee ActiveScan were not installed or are missing" or something similar to that, this is after I reinstalled the program during the last boot to Normal Mode. The McAfee Security Center Icon in the taskbar is still showing the brownish-red "disabled" color even though the Center says it is enabled, later (if it follows the same pattern), it will disable in the Center and no matter how many times I click on the button to enable it, it will not reenable.

    I'm still greatly considering just doing a fresh install, I know you said it should not be necessary, but this is just getting annoying, and sometimes it's better to start from the beginning again :)
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why? Did you get an error message?

    I repeat, it's your choice on what approach you prefer to take. But a new install involves more than you may think. Especially to get back to the level where your system is at. You have to consider all of the below:

    • you have to backup all your own data, settings, configurations etc and first you have to know what/where all of these are. And you have to have the medium (burnable media, second hard drive, tape drive [yuck] )
    • then you must make sure you have the necessary disks to reinstall not just your OS but all other software you use especially protection before going online
    • then fdisk, format, reinstall the OS
    • now reinstall all your software especially protection
    • get online (requires some setup and config that novices have problems with)
    • download updates for OS
    • download updates for protection software
    • download updates for all other software
    • tweak all software back the way you like it. Including Desktop settings, icons etc.
    • create all the folders that you use for everything in your normal routines
    • re-load from your backups to get data back, to get settings, Favorites,.....etc back
    • now over the next two weeks you will realize that you forgot to backup some stuff and also you will keep finding something else that you need to reinstall.
    If you want to try something here is what I would do.

    Uninstall ALL McAfee software. Make sure ALL of it is uninstalled and nothing is left hanging around. Verify by looking in your HJT log to make sure nothing related to McAfee is showing. Sometimes even though uninstalled, some process will still appear to be loading and all services (O23 lines) may still be seen. Once ALL of it is gone, uninstall CounterSpy. Then >>> REBOOT <<<

    After reboot. Double check to make sure no McAfee software is showing. Then reinstall McAfee and see what happens.
     
    Last edited: Aug 2, 2006
  8. Snake Eyes77

    Snake Eyes77 Private E-2

    Well, it seems my laptop's CD Burner/DVD-ROM is on the fritz again, so it looks like I won't be able to do a fresh install :( but I am going to try and do it your way. I first had trouble uninstalling the programs, said Access was denied but then somehow managed to get it and SecurityCentre uninstalled. Checked the HJT log, it found a couple of items in the O23 areas, but nothing that seemed to be connected to McAfee. I then uninstalled the Counterspy and I am getting ready to reboot and try and see if I can get it reinstalled and running properly. I wonder how much of this is a result of the two remaining Command Services?

    Oh, and to answer your question about not being able to delete the files in the /Prefetch folder, yeah, it told me I could not delete the files, that they were still in use or something like that (this was while I was in Safe Mode, like you said).
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Attach a log from Spybot so I can see what it is finding. These are normally CmdService but there can be many different keys that are infected. Often they are locked so that no one can delete them and you need to take ownership of them so we can delete them. I will give you a procedure to do this later after I see what you have.

    That's unusual. Did you try deleting them one at a time to see which ones were being blocked? We need to make sure no malware processes are hanging around in there.
     
