Did R&R still having probs

Discussion in 'Malware Help (A Specialist Will Reply)' started by mitchyd73, Oct 7, 2006.

  1. mitchyd73

    mitchyd73 Private E-2

First, THANK YOU in advance for being here to help, you guys ROCK!!!

I am constantly getting the "Work Offline" pop up with nothing showing as running, and my AOL security center keeps showing the same spyware, trojans, etc., the most annoying and persistent of which is "Beovens" sp?. I did all the things you say to do in the R&R thread and I am still getting many of the same problems. If you can help it would be appreciated. Attached in this and the next post (because you asked for more than 3 logs in the R&R and your instructions say only 3 attachments per post) are the logs the R&R asks for. THANK YOU AGAIN!!! I really appreciate the help.

mitchyd73
     
  2. mitchyd73

    mitchyd73 Private E-2

Sorry, I messed up. Here they are, and more in the next.
     

    Attached Files:

  3. mitchyd73

    mitchyd73 Private E-2

Here are the rest. I am not sure what the tmpnewfiles.txt log is, but I think it is one you need; if not, please ignore it and excuse my ignorance. Thanks, Mitch
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  5. mitchyd73

    mitchyd73 Private E-2

    Thanks again for the help, here are the logs you asked for.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

I'm going to post two messages! This is the first! Complete this procedure fully, including attaching the requested log, before doing the second procedure.


Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or the partition where your operating system is installed. Please attach that log in your next reply.

Note: process.exe (which is used by SmitfraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

    http://www.beyondlogic.org/consulting/proc...processutil.htm


    IMPORTANT: Do NOT run any other options until you are asked to do so!
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

This is my second message. Make sure you have followed the first procedure before doing the below.

    PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

    Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

    Reboot your computer into Safe Mode per the safe directions in the READ & RUN ME.

Open the SmitfraudFix folder on your Desktop, then double-click the smitfraudfix.cmd file to start the tool.

    Select option #2 - Clean by typing 2 and press Enter.
    Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer Yes by typing Y and hit Enter.

    The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. BUT reboot in Safe Mode.

    The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

    Now reboot into normal mode and attach this new rapport.txt log here.

    Now also attach new logs from ShowNew, GetRunKey, and HJT!
     
  8. mitchyd73

    mitchyd73 Private E-2

    I didn't think I messed this thing up this bad, sorry for more work for ya'll than I had planned. I thought this would be simple, just click off some things on HJT. Thanks for taking so much time for me to get it fixed right! Here are the new logs you asked for.
     

    Attached Files:

  9. mitchyd73

    mitchyd73 Private E-2

Here is the new HJT log
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Goto Add/Remove programs and uninstall the below software:
    J2SE Runtime Environment 5.0 Update 8
    Java 2 Runtime Environment, SE v1.4.2_03
    My Way Search Assistant <--- Should have been uninstalled in step 0 of the READ ME
    Safety and Security Center Uninstaller
    Viewpoint Media Player <--- Should have been uninstalled in step 0 of the READ ME

    Now install the current version of Sun Java from: Sun Java Runtime Environment

Now please download and install Registrar Lite. Make sure you select a MajorGeeks download link and not the author's!

Run Registrar Lite, navigate to the following key and take ownership of it (explained further down):

    HKEY_LOCAL_MACHINE\software\microsoft\mssmgr

    To take ownership of the key do the following:
    • Copy & Paste the registry key from above into the address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    • Click-on Security in the Menu
    • Select Take Ownership
    • Now leave RegistrarLite running and continue
    • Now run the REGISTRY PATCH below in this message.
    • Tell me the results. Any error messages?
    • Now in RegistrarLite click View and then Refresh
    • Now navigate to HKEY_LOCAL_MACHINE\software\microsoft\mssmgr
• Does the above mssmgr key still exist? If so, right click on it and select Delete.
    Here is the Registry Patch

    Now Copy the bold text below to notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    After completing ALL of the above instructions, continue here!

Now download a tool we will need: Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\local.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O2 - BHO: ChangerBHO Class - {1D4C7057-EAD2-44C6-AD18-9092905F28F1} - C:\WINDOWS\system32\CMCFG32v.dll
    O2 - BHO: SpoofBHO Class - {385066e0-23f3-11db-a98b-0800200c9a66} - C:\WINDOWS\se_spoof.dll (file missing)
    O2 - BHO: (no name) - {5BF2F787-3F11-4E59-B1A5-163497253448} - C:\WINDOWS\system32\jkhhe.dll (file missing)
    O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\tvtlboxi.dll (file missing)
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O20 - Winlogon Notify: wincqt32 - wincqt32.dll (file missing)

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\Documents and Settings\Mitch Schwartz\Application Data\winantiviruspro2006freeinstall[1].exe
    C:\WINDOWS\tpopup.exe
    C:\WINDOWS\SYSTEM32\mgttcqga.exe
    C:\WINDOWS\SYSTEM32\AVWAVs.dll
    C:\WINDOWS\SYSTEM32\CMCFG32v.dll
    C:\WINDOWS\SYSTEM32\CMDIAL32s.dll
    C:\WINDOWS\SYSTEM32\ghuwsmgc.dll
    C:\WINDOWS\SYSTEM32\rvrjuuyo.dll
    C:\WINDOWS\SYSTEM32\ssqro.dll
    C:\WINDOWS\SYSTEM32\wexpnviv.dll
    C:\WINDOWS\SYSTEM32\xycdd.tmp2
    C:\WINDOWS\SYSTEM32\xycdd.ini
    C:\WINDOWS\SYSTEM32\xycdd.ini2
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folders and delete them if found:
    C:\Program Files\Common Files\{7CF3FA22-0AE9-1033-1108-040416200001}
    C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2006

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Mitch Schwartz\Local Settings\Temp

    Now attach a new HJT log and tell me how the steps went.

    Also attach a new log from ShowNew and a new log from GetRunKey.

    Make sure you tell me how things are working now!
     
  11. mitchyd73

    mitchyd73 Private E-2

I have not done this yet because I have 2 questions. 1) Why do you want me to delete my AOL Safety and Security center, which is the firewall/spyware/antivirus I recently installed, and 2) the following programs you said to delete aren't on my Add/Delete Programs list:

    J2SE Runtime Environment 5.0 Update 8
    My Way Search Assistant <--- Should have been uninstalled in step 0 of the READ ME
    Viewpoint Media Player <--- Should have been uninstalled in step 0 of the READ ME
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Sorry about that! It looked like malware. It is rather foolish of AOL to not put their name in front of it like they do with everything else and like ALL major software creators do so you can tell who it belongs to. I thought AOL was just repackaging McAfee software to use for their security applications. And you do show this McAfee SecurityCenter as being installed, so I thought it was your security center. YOU CANNOT USE TWO security centers. So if McAfee's is not the same as the Safety and Security Center, you must uninstall one. What they may have done was put McAfee SecurityCenter as the actual installed program name and they may have foolishly put Safety and Security Center Uninstaller as the uninstaller program only. Being the creators of security software you would expect them to be a lot smarter and name the uninstaller like this: McAfee Safety and Security Center Uninstaller

    Since the AOL program is supposed to have an antispyware program included that actually blocks malware, uninstall any other realtime spyware blockers like Windows Defender.

    J2SE Runtime Environment 5.0 Update 8
    My Way Search Assistant <--- Should have been uninstalled in step 0 of the READ ME
Viewpoint Media Player <--- Should have been uninstalled in step 0 of the READ ME
That's strange, because they do show in your log from ShowNew. The uninstalls of them must not have worked properly. We may have to remove the entries from the registry manually.

    Just complete all other steps.
     
    Last edited: Oct 19, 2006
  13. mitchyd73

    mitchyd73 Private E-2

Thanks a lot, it seems to be running better now, but I have only been using it a couple minutes since I finished. There were no errors reported in that step when I was using RegisterLite and I did not find that in the registry. Thanks again for all your help, here are the logs. If I have more problems or the same come up again I will be sure to ask for help. Please let me know if I need to do more. I am getting broadband sometime in the next couple weeks (I know, about time) so I want it running at its top. Thanks, Mitch
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We need to remove a malware service related to WinAntiVirusPro (a rogue tool).

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Firewall service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
• Copy/paste FWSvc into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT and reboot your PC before continuing on to the below.
    Now let's fix those items that you said were not in Add/Remove programs!

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now attach new logs from ShowNew and from HJT!
     
  15. mitchyd73

    mitchyd73 Private E-2

Sorry it took me so long to get this done. You will probably find a bunch of new crap on my computer, but I have re-run CCleaner and Spybot in Safe Mode and run SmitFraud and tried to do bitdefender and panda scan but my computer wouldn't let them load. Ctrl-Alt-Del no longer works, I am getting adware pop ups and I am not sure what to do. I let my sister use my computer to look up some stuff online and I am not sure where she went. I just know I am having all sorts of problems now. I am not sure if my Firewall just sucks or has been corrupted. Spybot showed it cleaned some program that had some name that seemed to say it was for by-passing my firewall, but I don't know what it was. Here are the logs you asked for. "Firewall service" did not appear on that list so I manually shut it down in the AOL Safety and Security center while I was doing this, then turned it back on when I was done. You probably think I am hopeless. My company is putting in cable broadband in my house next week so I am thinking I better have this thing clean before I hook into it. (They are providing their own computer but I am allowed to hook into the router.) I know the wireless router I am looking at (Belkin F5D7340 I think it is called) has a built in firewall, but not sure how that works either.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Yes, you do have a whole bunch of new problems including DeluxeCommunications, Qoologic, Virtumonde, and a bunch of other trojans! You will notice from the length of the procedure how bad things became, and you would probably have been finished if you had completed message number 14's instructions quickly. You are going to have to make an effort to get back here more quickly and complete the fixes, and you are going to have to stop whoever is downloading bad stuff or going to bad websites from doing that. While fixing this PC you should not download or install anything at all unless we ask you to install it. Also only run the procedures we ask you to run. Running anything else only makes our job more difficult and more time consuming.

    Also you need to stop changing your home and search pages while working on this! Now I see the below:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.eyeseek.com/firstsite.asp?b=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.eyeseek.com/firstsite.asp?b=


    Is this something you configured or is it malware?


    I still see the below in your uninstall programs list that is at the end of the newfiles.txt log. Did you forget to uninstall them or are you not seeing them in Add/Remove programs?
    My Way Search Assistant
    Viewpoint Media Player

    Now run this Qoologic Removal Procedure and attach the requested log later when all of the below steps are finished.


    Now please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\Program Files\outlook\outlook.exe
    C:\Program Files\Common Files\{7CF3FA22-0AE9-1033-1108-040416200001}\Update.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\talfe.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,fvriock.exe,ddjfihw.exe
    O2 - BHO: (no name) - {61A71E9C-CEE0-42C0-B710-83CE05275B64} - C:\Program Files\MSN Gaming Zone\niwy.dll
    O2 - BHO: Glwcick Class - {BDF4E4DF-B6BB-4ECE-8CD9-1880DEC7B82F} - C:\WINDOWS\system32\lqe2z.dll
    O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
    O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
    O4 - HKLM\..\Run: [tuz2b763] RUNDLL32.EXE w92c8158.dll,n 0062b75d0000000392c8158
    O4 - HKLM\..\Run: [{3F-FA-A2-22-ZN}] C:\windows\system32\omdsregr.exe GEN001
    O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
    O4 - HKLM\..\Run: [bppoxa] C:\WINDOWS\system32\bxlwxc.exe reg_run
    O4 - HKLM\..\RunOnce: [D7vydvBD] "C:\WINDOWS\system32\lkyaekrrr.exe" -xeWfjU
    O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\MITCHS~1\MYDOCU~1\ASEMBL~1\userinit.exe" -vt yazb
    O4 - HKCU\..\Run: [qfuu] C:\PROGRA~1\COMMON~1\qfuu\qfuum.exe
    O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
    O4 - HKCU\..\Run: [wmwpy] C:\WINDOWS\system32\bxlwxc.exe reg_run
    O18 - Filter: text/html - {8660A526-27A4-4FBD-85B2-857E82A25971} - C:\WINDOWS\system32\lqe2z.dll
    O20 - AppInit_DLLs: dxclib303562752.dll

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\vxgck.exe
    C:\Documents and Settings\Mitch Schwartz\Application Data\Dxcknwrd.dll
C:\Documents and Settings\Mitch Schwartz\Application Data\Dxcuknwrd.dll
    C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
    C:\Program Files\DeluxeCommunications\DxcBho.dll
    C:\Program Files\outlook\outlook.exe
    C:\921_135b.exe
    C:\WINDOWS\pbcmalk.exe
    C:\WINDOWS\srvcivqgoy.exe
    C:\WINDOWS\srvrqmxlva.exe
    C:\WINDOWS\system32uaw5wah6a.exe
    C:\WINDOWS\system32drei.exe
    C:\WINDOWS\system32vypqj.exe
    C:\WINDOWS\system32\bxlwxc.exe
    C:\WINDOWS\SYSTEM32\drei.exe
    C:\WINDOWS\SYSTEM32\eqtbew.exe
    C:\WINDOWS\SYSTEM32\fvriock.exe
    C:\WINDOWS\SYSTEM32\ddjfihw.exe
    C:\WINDOWS\SYSTEM32\lkyaekrrr.exe
    C:\WINDOWS\SYSTEM32\w92c8158.dll
    C:\windows\system32\omdsregr.exe
    C:\WINDOWS\SYSTEM32\talfe.exe
    C:\WINDOWS\SYSTEM32\vypqj.exe
    C:\WINDOWS\clbhu.dll
    C:\WINDOWS\SYSTEM32\dxclib303562752.dll
    C:\WINDOWS\SYSTEM32\kxtbufv.dll
    C:\WINDOWS\SYSTEM32\lqe2z.dll
    C:\WINDOWS\SYSTEM32\tuz2b763.dll
    C:\WINDOWS\SYSTEM32\xycdd.ini2
    C:\WINDOWS\SYSTEM32\jojep.dat
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.
After reboot locate the below folders and delete them if found:
    C:\Program Files\Common Files\{3CF3FA22-0AE9-1033-1108-040416200001}
    C:\Program Files\Common Files\{7CF3FA22-0AE9-1033-1108-040416200001}
    C:\Program Files\Common Files\qfuu
    C:\Program Files\DeluxeCommunications
    C:\Program Files\outlook

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Mitch Schwartz\Local Settings\Temp

    Now attach the below new logs and tell me how the above steps went.

    1. Qoologic Removal log
    2. GetRunKey
    3. ShowNew
    4. HJT
    Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: Oct 29, 2006
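As an added example (not part of the thread and not HijackThis's own code), here is a defender-side reader for the kind of HijackThis lines chaslang lists in posts 10 and 16: it parses the R/F2/O2/O4/O18/O20 line formats and applies the checks those fix lists rest on (orphaned entries, extra system.ini Shell/UserInit executables, AppInit_DLLs, MIME filters, and one DLL registered under several hook types). The sample log is constructed from lines quoted above, and the heuristics are the editor's own, not HJT's.

```python
import re
from collections import defaultdict

# Constructed sample input: HijackThis lines quoted from chaslang's posts 10 and 16
# above, plus the benign Messenger line from post 10 so that not everything is flagged.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\local.html
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\talfe.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,fvriock.exe,ddjfihw.exe
O2 - BHO: (no name) - {5BF2F787-3F11-4E59-B1A5-163497253448} - C:\WINDOWS\system32\jkhhe.dll (file missing)
O2 - BHO: Glwcick Class - {BDF4E4DF-B6BB-4ECE-8CD9-1880DEC7B82F} - C:\WINDOWS\system32\lqe2z.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O18 - Filter: text/html - {8660A526-27A4-4FBD-85B2-857E82A25971} - C:\WINDOWS\system32\lqe2z.dll
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: wincqt32 - wincqt32.dll (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:dll|exe)', re.IGNORECASE)
LOCAL_TARGET_RE = re.compile(r"=\s*[A-Za-z]:\\")


def parse_hjt_line(line):
    """Split one HijackThis line into section code (R0, O2, ...), body, CLSID and file path."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    clsid, path = CLSID_RE.search(body), PATH_RE.search(body)
    return {
        "section": m.group("section"),
        "body": body,
        "clsid": clsid.group(0) if clsid else None,
        "path": path.group(0).lower() if path else None,
        # HJT appends these markers when the registry points at a file that is gone
        "orphaned": body.endswith("(file missing)") or body.endswith("(no file)"),
    }


def _extra_values(body, key):
    """Names after the first comma-separated value of key=..., e.g. Shell= or UserInit=."""
    values = body.split(key, 1)[1].split(",")
    return [v.strip() for v in values[1:] if v.strip()]


def check_entry(entry):
    """Return the reasons a parsed entry deserves a second look (empty list if none)."""
    sec, body, reasons = entry["section"], entry["body"], []
    if entry["orphaned"]:
        reasons.append("registry entry points at a file that no longer exists")
    if sec in ("R0", "R1") and LOCAL_TARGET_RE.search(body):
        reasons.append("browser start/search page redirected to a local file")
    if sec == "F2" and "Shell=" in body and _extra_values(body, "Shell="):
        # system.ini Shell should be exactly Explorer.exe; anything appended runs at logon
        reasons.append("extra shell executable(s): " + ", ".join(_extra_values(body, "Shell=")))
    if sec == "F2" and "UserInit=" in body and _extra_values(body, "UserInit="):
        # only userinit.exe belongs here; appended names also run at every logon
        reasons.append("extra UserInit executable(s): " + ", ".join(_extra_values(body, "UserInit=")))
    if sec == "O18" and body.startswith("Filter:"):
        reasons.append("MIME filter DLL sees every page of that content type")
    if sec == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs loads this DLL into every user-mode process")
    return reasons


def analyze_hjt_log(text):
    """Parse a whole HJT log; return (section, clsid, reasons, body) for each flagged line."""
    entries = [e for e in (parse_hjt_line(l) for l in text.splitlines()) if e]
    # Cross-line check: one DLL registered under several hook types (e.g. BHO and MIME filter)
    sections_by_path = defaultdict(set)
    for e in entries:
        if e["path"]:
            sections_by_path[e["path"]].add(e["section"])
    flagged = []
    for e in entries:
        reasons = check_entry(e)
        hooks = sections_by_path.get(e["path"], set())
        if len(hooks) > 1:
            reasons.append("same file registered under " + ", ".join(sorted(hooks)))
        if reasons:
            flagged.append((e["section"], e["clsid"], reasons, e["body"]))
    return flagged


if __name__ == "__main__":
    for section, clsid, reasons, body in analyze_hjt_log(SAMPLE_HJT_LOG):
        print(f"{section:<4}{body}")
        for reason in reasons:
            print(f"      -> {reason}")
```

Run against a real HJT log, the entries it leaves unflagged (like the Messenger line) still need a human look; the checks only surface the patterns this thread's fix lists rely on.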
  17. mitchyd73

    mitchyd73 Private E-2

I was just checking email quickly before work and noticed your reply. I do not have time to do this now so I will this evening when I get home, but I felt I should answer your first question. The eyeseek thing has got to be malware because I have not done anything with changing my home page. Previously it was set to my myspace page. I really do appreciate your help.
     
  18. mitchyd73

    mitchyd73 Private E-2

    I ran all you told me with these exceptions:

This was not on the list in HJT Open Process Manager:
    C:\Program Files\Common Files\{7CF3FA22-0AE9-1033-1108-040416200001}\Update.exe

    The following were not on the list in HJT Scan:

    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\talfe.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,fvriock.exe,ddjfihw.exe
    O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
    O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
    O4 - HKLM\..\Run: [bppoxa] C:\WINDOWS\system32\bxlwxc.exe reg_run
    O4 - HKLM\..\RunOnce: [D7vydvBD] "C:\WINDOWS\system32\lkyaekrrr.exe" -xeWfjU
    O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
    O4 - HKCU\..\Run: [wmwpy] C:\WINDOWS\system32\bxlwxc.exe reg_run
    O20 - AppInit_DLLs: dxclib303562752.dll

    At first I had a problem running GetRunKey, it was giving me an error that Win32/.../regedit was not valid, then I signed online and tried again and it ran it.

I have not done the disable system restore yet because you have not told me I am malware free.

    Here are the logs:
     

    Attached Files:

  19. mitchyd73

    mitchyd73 Private E-2

    HJT log:
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below software:
    My Way Search Assistant
    Viewpoint Media Player

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.eyeseek.com/firstsite.asp?b=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.eyeseek.com/firstsite.asp?b=

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode
    Now Copy the bold text below to notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now locate the below folder and delete it if found:
    C:\Program Files\Common Files\{7CF3FA22-0AE9-1033-1108-040416200001}
    Now run Ccleaner

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
How are things working now?
     
  21. mitchyd73

    mitchyd73 Private E-2

My current problem is that My Way Search Assistant doesn't appear anywhere on my computer, especially not in Add/Remove Programs, and Viewpoint Media Player keeps coming back no matter how many times I uninstall it. Here are the logs. I don't know what to do about the above.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well technically that is not correct. It is in your registry and the log from ShowNew does show it. It just is not showing in what you are looking at. Try using the below and see if it can completely remove it.

    Your Uninstaller! 2006

    You have AOL to thank for this. Try using the below to see if you can get it removed permanently:

    ViewpointKiller


Your logs are clean otherwise.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
4. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    7. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
