Could use some help.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Shotgun3131, Oct 15, 2004.

  1. Shotgun3131

    Shotgun3131 Private E-2

    Hi all,

    I have been visiting this forum for some time and finally registered because I have a few problems.

    This is not dealing with my computer so I am unsure as to how some of these problems got started.

    I believe it to be a multitude of spyware/malware problems.

    I have downloaded and installed many anti-spyware programs including:

    Spybot
    Spywareblaster
    ad aware
    CCleaner
    BHO Demon
    Hijackthis and a few other smaller ones.

    I have run hijackthis a few times and deleted some things that I deemed suspicious, but some of the problems keep coming back. One I believe to be a TIBS program and the others are related to webpage setting itself to about:blank with many pop ups appearing.

    On a side note, there has been a blue screen appearing every once in a while that said at the top IRQL_NOT_LESS_OR_EQUAL. I think I fixed this by installing some updated drivers, as it has not come back.

    Thanks to everyone here.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We always begin by asking you to please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.
     
  3. Shotgun3131

    Shotgun3131 Private E-2

    I actually did run all those things to no avail.

    I tried with safe mode, and restore set to off.

    I will try the procedure again, and will post again later.

    Thanks for the help for the time being.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have completed all those steps in the order provided, you should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder or choose run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  5. Shotgun3131

    Shotgun3131 Private E-2

    Well, I've been through all the steps that I could find and the problems are still persistent.

    I have posted a hijack this file and hope that is some assistance to the game. Norton and Spybot were still active I think when I ran it so if you need one without anything I can do that.

    Thanks to any that can help.
     

  6. PhilliePhan

    PhilliePhan Guest

    Shotgun3131,

    Your log is a perfect example of what happens when you don't bother to visit Windows Updates!
    You have a ton of crap on your log including a Cool Web Search variant and a Stopguard infection. Did you run CWShredder as per the tutorial??

    Make sure System Restore is OFF and you have Enabled the Viewing of Hidden Files:

    Look in Add or Remove Programs and REMOVE (if found)
    Windows SyncroAd
    Web_Rebates
    Internet Optimizer
    Offer Optimizer
    BullsEye Network


    NOTE: You may need to end the running processes for some of the above via Task Manager.

    Then - to try to make a dent in your log - run HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vnmtc.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ioeoz.dll/sp.html#29126
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vnmtc.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vnmtc.dll/sp.html#29126
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R3 - Default URLSearchHook is missing
    O1 - Hosts: fferoptimizer.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {44E5B409-35A2-4E8D-BF94-344222323A53} - (no file)
    O2 - BHO: (no name) - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - (no file)
    O2 - BHO: CATLEvents Object - {6A06CDAD-9D2D-42A0-9C91-C0CF7CB9971B} - C:\DOCUME~1\KWM\LOCALS~1\Temp\bkrba.dat
    O2 - BHO: (no name) - {73529697-D46A-4F7D-8A93-01378FCAEDA4} - (no file)
    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
    O2 - BHO: (no name) - {7CDA428B-E678-4696-262A-B07C9ECE7D9C} - (no file)
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - (no file)
    O4 - HKLM\..\Run: [*srvkb] C:\WINDOWS\inf\srvkb.exe
    O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [vccgjdbsbhq] C:\WINDOWS\System32\wcqqei.exe
    O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [*abrkb] C:\WINDOWS\abrkb.exe
    O4 - HKLM\..\RunOnce: [*abrkb] C:\WINDOWS\abrkb.exe rerun
    O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\KWM\Application Data\urpo.exe
    O4 - HKCU\..\Run: [Kmil] C:\WINDOWS\System32\t?skmgr.exe
    O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
    O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\System32\bkinst.exe ren time:1097991924
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O15 - Trusted Zone: *.windupdates.com
    O16 - DPF: v2cab -
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
    O16 - DPF: {19DA1C6E-91E3-626D-7676-524450F6C8CE} - http://213.159.117.150/1/rdgUS10.exe
    O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} -
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {7CFED967-A84E-492D-90F5-044090C7DE6A} (CV Package) - http://www.creativethinkinginc.com/creativevisions/webbin/cvvsetup.exe
    O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} (Sview Control) - http://loandocs.swiftsend.com/component/sview-6.2.2/svinstall_a_stat_ics.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://alamance-webcam.elon.edu/activex/AxisCamControl.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} -
    O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://www.peryourhealth.com/viewer/activeXViewer/activexviewer.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} -


    Make sure ALL browser windows are CLOSED when you click FIX.

    Then, while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\abrkb.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.
    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

    Now, while in Safe Mode, run the following:
    SpybotSD
    Ad-AwareSE
    CWShredder
    a-Squared
    CCleaner


    Track down and, if they remain, try to DELETE:
    C:\Program Files\Web_Rebates
    C:\Program Files\Windows SyncroAd
    C:\WINDOWS\System32\systime.exe
    C:\Program Files\Internet Optimizer
    C:\Program Files\BullsEye Network
    C:\WINDOWS\System32\t?skmgr.exe
    C:\WINDOWS\System32\wcqqei.exe

    Now, Reboot into Normal Windows and scan with HJT and attach a new log.

    This ought to make a dent in your log. Note that this is just a start! I'm sure I missed a bunch and many may come back. Hang in there :)

    I am not around this forum that often, but hopefully somebody else will take a look at your log.

    Good luck,

    PP
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, there are a few more. Some of which are due to HSA (aka Only the Best) hijack problems. The below have to be fixed too, but the HSA hijack is not going to go away from what we are fixing in my message or in PP's. But as PP said, we need to make a dent in all the problems you do have first.

    One note from PP's message, the O6 restrictions lines:
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


    do not have to be fixed if they were put in place by you using SpyBot or SpywareBlaster or similar.

    You need to run HSremove and the about:Buster in normal boot mode. Save the about:Buster log.

    Fix these too using HJT.
    O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winrrn32.exe
    O4 - HKLM\..\Run: [ntop32.exe] C:\WINDOWS\system32\ntop32.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [appft32.exe] C:\WINDOWS\system32\appft32.exe

    Boot in safe mode and delete if found:
    C:\windows\system32\winrrn32.exe
    C:\WINDOWS\system32\ntop32.exe
    C:\Program Files\ISTsvc <--- the whole directory
    C:\WINDOWS\system32\appft32.exe

    Run about:Buster again from safe mode and save a second log.

    Reboot in normal mode and post a new HJT log along with the two about:Buster logs.
     
  8. Shotgun3131

    Shotgun3131 Private E-2

    Thanks for all the help, I ran through both chaslang's and Phan's instructions and it seems to have helped.

    I have uploaded the two about:buster logs per your request, hope they help.

    I will upload the new HJT log next.

    Thanks again.
     

  9. Shotgun3131

    Shotgun3131 Private E-2

    HJT LOG (new)
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Look in C:\WINDOWS\PREFETCH and delete netmp3.exe (it will have a different name with a .pf at the end).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    O1 - Hosts: .offeroptimizer.com
    O2 - BHO: CATLEvents Object - {6A06CDAD-9D2D-42A0-9C91-C0CF7CB9971B} - C:\DOCUME~1\KWM\LOCALS~1\Temp\3pmten.dat
    O4 - HKLM\..\Run: [*netmp3] C:\WINDOWS\netmp3.exe
    O4 - HKLM\..\RunOnce: [*netmp3] C:\WINDOWS\netmp3.exe rerun
    O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\System32\bkinst.exe ren time:1098193540


    While still running HijackThis, look in the lower right-hand box where it says “Other stuff,” and select Config > Misc Tools > select Delete a file on reboot and where it says File Name, enter the following in the File name box: C:\WINDOWS\netmp3.exe
    and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN. Stay in safe mode and use Windows Explorer to delete the following associated .ini and .dat files for the bad program if they exist:
    C:\WINDOWS\netmp3.ini
    C:\WINDOWS\netmp3.dat

    If you do not find them with Windows Explorer, try Windows search to locate and delete them.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  11. PhilliePhan

    PhilliePhan Guest

    Hi Chas,

    In your previous post, netmp3.ini and netmp3.dat should be reversed to match the BHO entry. (I know this doesn’t make much sense since HJT attempts to Delete the corresponding files when it fixes BHOs). I’ll bet you looked at Joeigurl’s thread - I was in a hurry to meet her deadline and messed up! I entered them backwards. Sorry! :eek:

    While Stopguard is probably the least of Shotgun's worries, it does have a nasty habit of resurrecting itself! I have noticed that it seems to have evolved a bit since I first dealt with it. So, it probably wouldn’t hurt to search for all netmp3 files and all 3pmten files.

    It looks like my old buddy is popping up again - I see three other current threads that likely have this problem, among others.

    Best,
    PP
     
  12. Shotgun3131

    Shotgun3131 Private E-2

    Thanks again phillie and chas.

    I followed all the instructions and it seems to be getting a lot better.

    I could not, however, find any netmp3 or 3pmten files on this system, through Windows search or by searching myself, and yes, viewing of hidden files and protected system files was enabled.

    I will include a new hjt log file.

    Thanks again for the help.
     

  13. PhilliePhan

    PhilliePhan Guest

    Hi Shotgun,

    Your log looks much better, save for Stopguard.
    I have a special place in my heart for Stopguard. It is like a cockroach - it will survive long after we are all gone!! ;)

    These are your new Stopguard entries. The trick is to stop the running process - easier said than done!
    O2 - BHO: CATLEvents Object - {DF57FEB6-9BCE-45E3-AA65-BE327B8CCE7F} - C:\DOCUME~1\KWM\LOCALS~1\Temp\sodw.dat

    O4 - HKLM\..\Run: [*wdos] C:\WINDOWS\system32\oobe\icserror\wdos.exe

    O4 - HKLM\..\RunOnce: [*wdos] C:\WINDOWS\system32\oobe\icserror\wdos.exe rerun

    O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\System32\bkinst.exe ren time:1098327246


    C:\WINDOWS\system32\oobe\icserror\wdos.exe

    C:\WINDOWS\System32\bkinst.exe

    Okay, I'm kinda making this up as I go along, so bear with me. Note that you CANNOT reboot or the files will change!

    FIRST: Make sure System Restore is OFF and you have Enabled Viewing of Hidden Files.

    First, look for these two in C:\Windows\Prefetch and Delete them, THEN navigate to them and try to Delete them:

    C:\WINDOWS\system32\oobe\icserror\wdos.exe

    C:\WINDOWS\System32\bkinst.exe

    One of them will probably not let you delete it. No fear. Run HijackThis. Do the bit with the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) THE ABOVE FILE THAT YOU COULD NOT DELETE and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.
    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

    NOW, while in Safe Mode, run HijackThis again and have it fix the following:

    O2 - BHO: CATLEvents Object - {DF57FEB6-9BCE-45E3-AA65-BE327B8CCE7F} - C:\DOCUME~1\KWM\LOCALS~1\Temp\sodw.dat

    O4 - HKLM\..\Run: [*wdos] C:\WINDOWS\system32\oobe\icserror\wdos.exe

    O4 - HKLM\..\RunOnce: [*wdos] C:\WINDOWS\system32\oobe\icserror\wdos.exe rerun

    O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\System32\bkinst.exe ren time:1098327246


    Use Windows Explorer to run a search of your computer for:
    bkinst
    wdos
    sodw

    and DELETE the related files.

    Run CCLEANER and SPYBOTSD

    Then, go to C:\Documents and Settings\KWM\Local Settings\TEMP and delete any files or folders that remain.

    Reboot Normal and Attach a fresh HJT log. Give detail as to any problems that you may have encountered with the above instructions.

    Best luck :)
    PP
     
  14. PhilliePhan

    PhilliePhan Guest

    I should have added that, at the start of my instructions, you need to open up task manager (ctrl-alt-del) and try to end the running processes for:

    C:\WINDOWS\system32\oobe\icserror\wdos.exe
    C:\WINDOWS\System32\bkinst.exe


    They may not allow this to happen. You could try RightClicking on them in Task Manager and selecting End Process Tree & see if that does the job.

    Then continue with the rest of my instructions,

    PP
     
  15. Shotgun3131

    Shotgun3131 Private E-2

    Thanks again Phillie.

    I ran through your instructions, but with a few problems.

    Yes all files were viewable.

    I couldn't locate either wdos.exe or bkinst.exe in Task Manager as running processes, so I continued.

    Next I deleted bkinst.exe from the sys32 dir, but I couldn't find wdos.exe in the icserror folder. Once again I continued.

    I got into safe mode and ran HJT. While there the first O2 file ended in rvsvrd.exe instead of sodw.exe, so I deleted it.

    I found the O4 - ....wdos.exe entry and deleted that as well.

    The O4 - .....wdos.exe was not found but the safe entry with rvsvrd.exe was there in its place so I deleted that.

    The last O4 could not be located in the log.

    I last searched for bkinst, wdos, sodw. 5 files were found so I deleted them.

    I ran ccleaner and sbot. Spybot came up with 1 problem other than DSOexploit and it was ATLEvents.ATLEvents, so I hit fix.

    I'll attach a new log.

    Thanks a lot.
     

  16. PhilliePhan

    PhilliePhan Guest

    Hi Shotgun,

    The reason that you are not finding the files I list for you is because Stopguard MUTATES on each reboot. You MUST NOT REBOOT after posting a log or the entries will change. The sick beauty of Stopguard is its ability to resurrect itself over and over again.

    That said, Are you noticing the pattern of the files? Can you spot them in your log?

    Here are the files from your last log - They may be different if you have since rebooted:

    O2 - BHO: CATLEvents Object - {55E301E5-BA44-4095-BB0B-14E0123CCF71} - C:\DOCUME~1\KWM\LOCALS~1\Temp\rvsvrd.dat

    O4 - HKLM\..\Run: [*drvsvr] C:\WINDOWS\java\trustlib\com\drvsvr.exe

    O4 - HKLM\..\RunOnce: [*drvsvr] C:\WINDOWS\java\trustlib\com\drvsvr.exe rerun

    O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\System32\bkinst.exe ren time:1098563499

    C:\WINDOWS\java\trustlib\com\drvsvr.exe

    C:\WINDOWS\System32\bkinst.exe - - -> This seems to be the Master exe that I run into a lot with Stopguard.

    NEW INSTRUCTIONS:

    Same bit W/ Hidden Files Viewing Enabled & System Restore OFF.

    Run HJT with ALL browser windows Closed. Check the boxes to have it fix the following:
    O2 - BHO: CATLEvents Object - {55E301E5-BA44-4095-BB0B-14E0123CCF71} - C:\DOCUME~1\KWM\LOCALS~1\Temp\rvsvrd.dat

    O4 - HKLM\..\Run: [*drvsvr] C:\WINDOWS\java\trustlib\com\drvsvr.exe

    O4 - HKLM\..\RunOnce: [*drvsvr] C:\WINDOWS\java\trustlib\com\drvsvr.exe rerun

    O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\System32\bkinst.exe ren time:1098563499


    Click FIX and then while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\java\trustlib\com\drvsvr.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.
    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

    While in Safe Mode, find and DELETE:

    C:\WINDOWS\java\trustlib\com\drvsvr.exe

    C:\WINDOWS\System32\bkinst.exe

    Use Windows Explorer to run a search of your computer for:
    bkinst
    drvsvr
    rvsvrd

    and DELETE the related files. (We need to get rid of drvsvr.ini & drvsvr.dat and rvsvrd.ini & rvsvrd.dat + any other related crap.)

    Run CCLEANER and SPYBOTSD

    Then, go to C:\Documents and Settings\KWM\Local Settings\TEMP and delete any files or folders that remain.

    Reboot Normal and Attach a fresh HJT log. Give detail as to any problems that you may have encountered with the above instructions.

    Again, if you have since rebooted, these may be different. Note the BHOs with the file names reversed and those O4 entries with the "*" and "run once" "rerun."

    If the files are indeed different and you do not feel confident in finding them yourself, please attach a fresh HJT log and then Do Not Reboot until I can check back. I doubt it would hurt if you put your computer in Standby mode.

    Best luck :)
    PP
     
    Last edited by a moderator: Oct 23, 2004
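    The mutation pattern PP describes (an O2 BHO loading a .dat in Temp whose name is the loader's name spelled backwards, a starred O4 value present under both Run and RunOnce with "rerun", and the "*MS Setup" RunOnce running bkinst.exe with "ren time:") can be checked mechanically across a whole log. The following is an added example, not HijackThis's own code or anything posted in this thread; the sample lines are copied from the logs quoted above, and the function names are my own.

```python
import re

# Sample input: HijackThis lines copied from the logs quoted in this thread,
# plus one unrelated O4 entry so the filter has something to ignore.
SAMPLE_LOG = r"""
O2 - BHO: CATLEvents Object - {55E301E5-BA44-4095-BB0B-14E0123CCF71} - C:\DOCUME~1\KWM\LOCALS~1\Temp\rvsvrd.dat
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O4 - HKLM\..\Run: [*drvsvr] C:\WINDOWS\java\trustlib\com\drvsvr.exe
O4 - HKLM\..\RunOnce: [*drvsvr] C:\WINDOWS\java\trustlib\com\drvsvr.exe rerun
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\System32\bkinst.exe ren time:1098563499
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
"""

# O2 line: "O2 - BHO: <name> - {CLSID} - <path>"
BHO_RE = re.compile(r"^O2 - BHO: .* - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
# O4 line: "O4 - HKLM\..\Run: [<value name>] <command>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r"(?i)^(?P<exe>.+?\.exe)")


def stem(path):
    """File name without directory or extension, lower-cased."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def parse(log_text):
    """Split an HJT log into BHO file paths and O4 autorun entries."""
    bhos, runs = [], []
    for line in log_text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            bhos.append(m.group("path"))
            continue
        m = O4_RE.match(line)
        if m:
            runs.append(m.groupdict())
    return bhos, runs


def find_stopguard(log_text):
    """Return Stopguard-style entries found in an HJT log.

    Fingerprint (as described in the thread): a starred O4 value under both
    Run and RunOnce (RunOnce copy ending in "rerun"), paired with an O2 BHO
    .dat whose base name is the loader name reversed; plus the "*MS Setup"
    RunOnce running bkinst.exe with "ren time:", which re-creates the pair.
    """
    bhos, runs = parse(log_text)
    dat_by_stem = {stem(p): p for p in bhos if p.lower().endswith(".dat")}
    findings, starred = [], {}
    for r in runs:
        if r["name"].startswith("*"):
            starred.setdefault(r["name"][1:], []).append(r)
    for name, entries in starred.items():
        m = EXE_RE.match(entries[0]["cmd"])
        exe = m.group("exe") if m else entries[0]["cmd"]
        if any(" ren time:" in r["cmd"] for r in entries):
            findings.append({"family": "stopguard-installer", "name": name,
                             "loader": exe})
            continue
        has_run = any(r["key"] == "Run" for r in entries)
        has_rerun = any(r["key"] == "RunOnce"
                        and r["cmd"].lower().endswith(" rerun") for r in entries)
        twin = dat_by_stem.get(name.lower()[::-1])  # reversed-name .dat BHO
        if has_run and has_rerun:
            findings.append({"family": "stopguard-loader", "name": name,
                             "loader": exe, "bho": twin,
                             "confidence": "high" if twin else "medium"})
    return findings
```

Run `find_stopguard(SAMPLE_LOG)` to get the loader/BHO pair and the installer entry; the plain SysTime line is ignored because its value name is not starred.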
  17. Shotgun3131

    Shotgun3131 Private E-2

    Thanks again Phillie,

    Sorry it's been a while, but I have been busy, and away from this situation.

    I started by running HijackThis - deleted all that I found that looked malicious, didn't screw anything up too bad. I was able to find the file to delete on restart, but upon restarting no message popped up saying it couldn't find the file. (It was restarted in safe mode.)

    After starting in safe mode I went to the windows/com folder and nothing was in it to delete. I found bkinst.exe in the sys32 folder and deleted that.

    I ran windows explorer and searched for those three files and five items came up so I deleted them.

    I ran ccleaner and spybot - spybot came up with TIBS and ATLEvents.ATLEvents so I fixed them.

    I'll add a new log file.

    Thanks again for the help...
     

  18. PhilliePhan

    PhilliePhan Guest

    Hey shotgun,

    Long time, no hear!

    Your Stopguard mutated; you need to get it before you reboot! - Here are the fresh entries:

    Look in Prefetch for: cfmalue & eulamfc and Delete all instances.

    Use the previous instructions and fix these entries with HJT:

    O2 - BHO: CATLEvents Object - {ED5ABC42-8E4F-4C39-9972-F0CF619D672F} - C:\DOCUME~1\KWM\LOCALS~1\Temp\cfmalue.dat

    O4 - HKLM\..\Run: [*eulamfc] C:\WINDOWS\system\eulamfc.exe

    O4 - HKLM\..\RunOnce: [*eulamfc] C:\WINDOWS\system\eulamfc.exe rerun


    Delete this file on reboot: C:\WINDOWS\system\eulamfc.exe

    Use Windows Explorer to find and delete all instances of:
    eulamfc
    cfmalue



    Just follow the same procedure as before and attach a fresh HJT log.

    I'll try to check back tonight :)

    Best,
    PP
     
