Google Redirection, Lost Desktop, Online Banking Hacked

Hi there and welcome. I am currently reviewing your logs and will get back to you with a set of instructions in the next post I make to you.

 

You need to use a different computer and change all your online passwords.

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\xousfksu\grmjepar.exe,
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
O4 - HKCU\..\Run: [wmiEventVdm] rundll32.exe "C:\Documents and Settings\Uncle Le Le\Local Settings\Application Data\DirectGLLite\wmiEventVdm.dll",d3dAuthenticationSupport uniMainlink

After clicking Fix exit HJT.

Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now download The Avenger by Swandog469, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).

Rename C:\Combofix.exe to bh67.com and try to run it again preferably in normal mode, if you have trouble, try safe mode.

Please also download MBRCheck to your desktop

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some data on it
• Right click on the screen and select > Select All
• Press Control+C
• Open a notepad and press Control+V
• now please ATTACH that report to this thread

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

 

You are going to have to boot into the recovery console. If it is not installed, then you will need to use your xp cd to get to the recovery console.

Now boot to the Recovery Console and run the fixmbr to clear a Master Boot Record infection that you have.

You can read the below to help you do this:

http://support.microsoft.com/kb/307654


After running the fixmbr command and boot back to normal mode, continue with the below.

Now re-run MBRCheck and attach that new log.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

 

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

• F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,,C:\Program Files\xousfksu\grmjepar.exe
• O23 - Service: PEVSystemStart - Unknown owner - C:\bh67\PEV.cfxxe

After clicking Fix exit HJT.

Download and run OTM.

Download OTM by Old Timer and save it to your Desktop.

• Right-click OTM.exe And select " Run as administrator " to run it.
• Paste the following code under the http://farm3.static.flickr.com/2455/4173556815_a721a91733_o.png area. Do not include the word Code.

Code:

:reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe," 

:files
C:\Program Files\xousfksu

:Commands
[emptytemp]
[resethosts]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
• Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
• OTM may ask to reboot the machine. Please do so if asked.
• Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

Download OTL to your desktop.

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Vista and Windows 7 users Right-click OTL and choose Run as Administrator)
• When the window appears, underneath Output at the top change it to Minimal Output.
• Check the boxes beside LOP Check and Purity Check.
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Attach both of these logs into your next reply.

Run this and attach the results.

Using ESET's Online Scanner

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

 

Stubborn.

• Right-click OTL.exe And select " Run as administrator " to run it. If Windows UAC prompts you, please allow it.
• Copy and Paste the following code into the Image textbox. Do not include the word Code

Code:

Code:

:otl
O20 - HKLM Winlogon: UserInit - (C:\Program Files\xousfksu\grmjepar.exe) - C:\Program Files\xousfksu\grmjepar.exe File not found

:reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="" 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe," 

:files
C:\Program Files\xousfksu
:commands
[EMPTYTEMP]
[RESETHOSTS]
[REBOOT]

• Then click the Run Fix button at the top.
• Click Image.
• OTL may ask to reboot the machine. Please do so if asked.
• The report should appear in Notepad after the reboot. ATTACH that report in your next reply.

 

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

 

Well well, still there. Sigh. I am going to have a wod with the other malware fighters but they have not logged in yet. Be patient. In the mean time, navigate to C:\Program Files\xousfksu rename the folder to C:\Program Files\Garbage Does it let you rename? Now try and delete it. Does it delete away okay or not? Let me know while we are still both online. Then we will get fresh logs to look at shortly.

 

EDIT: just go ahead with next message.

 

Also try this in safe mode.

• Right-click OTM.exe And select " Run as administrator " to run it.
• Paste the following code under the http://farm3.static.flickr.com/2455/4173556815_a721a91733_o.png area. Do not include the word Code.

Code:

:reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe," 

:files
C:\Program Files\xousfksu

:Commands
[emptytemp]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
• Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
• OTM may ask to reboot the machine. Please do so if asked.
• Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

Complete the below in normal mode.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

 

After doing what Kestrel13! posted in the last fix, immediately continu on with the below.



Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,,C:\Program Files\xousfksu\grmjepar.exe
O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O23 - Service: PEVSystemStart - Unknown owner - C:\bh67\PEV.cfxxe

After clicking Fix, exit HJT.



Now run avenger.exe by double-clicking on it.

• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run this GMER - running with a random name


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).




Then attach the below logs:

• C:\avenger.txt
• the log from GMER
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Just to try something else until Chaslang logs in again.

• Open up Malware Bytes
• Go to the "MORE TOOLS" Tab
• Underneath File Assassin click "Run Tool"
• Navigate to C:\Program Files\xousfksu\grmjepar.exe
• Click "Open"
• When prompted say yes you are sure to deletion.
• Reboot the machine and navigate back to C:\Program Files\xousfksu
• Does the grmjepar.exe still exist?
• Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

 

You're welcome. However I'm sorry to have to bring you some bad news.


The below files appear to be due to a Ramnit infection:
C:\cleanupmgr.exe
C:\WINDOWS\Explorermgr.exe

So based on these file and a few other items I see in your log this infection is too dangerous to try to simply remove it. You also could have a second layer infection ontop of that. Ramnet infections are very bad since they can infected many system files and detecting/removing all of the can be very difficult to impossible. In addition, trying to remove all of them can make a PC very unreliable. Not removing is very dangerous to your security and also can still cause many problems in running the PC properly. The proper course of action with Ramnit infections is to format and reinstall so that you can be sure of the reliability of your PC.

Inline with what I'm mentioning about security issues, I advise you to go to a known clean computer and change ALL passwords every type of account you have( do not use this infected PC to do this ). I will post some additional info that we normally post when we see Ramnit infections.

 

Well this would be a better topic for our Software Forum, but there are quite a few guides out there that may help ( see below for a couple examples ), but make sure you backup personal data first and DO NOT back up any executable files ( like programs, installer programs for things you downloaded....etc as they may be infected already ).

http://www.theeldergeek.com/clean_installation_of_windows_xp.htm

http://www.ehow.com/how_4900870_format-reinstall-windows-xp.html

 

You're welcome and good luck!

How to protect yourself from malware!