Help! Viruses are taking over

Discussion in 'Malware Help (A Specialist Will Reply)' started by neuf, Dec 22, 2006.

  1. neuf

    neuf Private E-2

    I spent a long time, and finally did that tutorial on this site. My computer seems normal now, but Panda still detects stuff. I have attached the many log files as it states in the tutorial. Thanks for the help in advance, it was a great tutorial.
     


  2. neuf

    neuf Private E-2

    and the last 3 logs. I hope this helps you to help me. Thanks.:)
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

Well yes, you are correct that Panda showed a lot of problems! Your PC is far from clean. I'm surprised you think it is running normally. You must have been infected for so long that you don't know what normal is anymore. ;) You will see from the below that there is a lot wrong.


    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Microsoft authenticate service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above to Stop and Disable the below two Services (if you do not find them or get any errors, just continue):
      • COM+ Messages
      • TCP and UDP Support
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste MsaSvc into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below two Services (if you do not find them or get any errors, just continue):
      • COM+ Messages
      • TCP and UDP Support
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 1
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment Standard Edition v1.3.1_09

    Make sure you reboot after uninstalling the above!

Note: CounterSpy quarantined the below:
I'm not sure exactly what this is but it could be for
and perhaps you need this. You can run CounterSpy and select Quarantine and move this (only this) out of the Quarantine.

    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://prosearchs.com/search.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\labja.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,wvhnlfe.exe
    O2 - BHO: (no name) - {336F8072-6051-457E-8EF0-E3CCC6ED3189} - \
    O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - (no file)
    O2 - BHO: (no name) - {A7943CCA-1AD7-4AFB-B7F1-0C5F26AD0BD9} - C:\Program Files\MSN\tekotoly.dll (file missing)
    O2 - BHO: (no name) - {BC655F98-99A4-4AA8-9748-B9A54124E6AF} - (no file)
    O4 - HKLM\..\Run: [aud29c51] RUNDLL32.EXE w1809063.dll,n 00729c4a000000051809063
    O4 - HKLM\..\Run: [{2CCCD9D1-0C78-1033-0428-030303140001}] "C:\Program Files\Common Files\{2CCCD9D1-0C78-1033-0428-030303140001}\Update.exe" mc-110-12-0000272
    O4 - HKLM\..\Run: [uinwax] C:\WINDOWS\system32\uqjfaa.exe reg_run
    O4 - HKLM\..\Run: [{2CCCD9D1-0C77-1033-0428-030303140001}] "C:\Program Files\Common Files\{2CCCD9D1-0C77-1033-0428-030303140001}\Update.exe" mc-110-12-0000272t
    O4 - HKCU\..\Run: [qfuyc] C:\WINDOWS\system32\uqjfaa.exe reg_run
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = ?
    O4 - Global Startup: nxvgh.exe
    O16 - DPF: {20AD521D-3A3E-11D4-BC32-0050040D952B} (SwIcdInstall Class) - file://C:\DOCUME~1\NATHAN~1\LOCALS~1\Temp\WZS4A.tmp\swicdad.cab
    O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} (WildTangent Active Launcher) - http://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
    O19 - User stylesheet: (file missing)

    After clicking Fix, exit HJT.

Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "All Files". Once you have saved it, double-click it and allow it to merge with the registry.
Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nxvgh.exe
    C:\Documents and Settings\LocalService\Desktop\TagASaurus.exe
    C:\Documents and Settings\LocalService\Local Settings\Temp\f403225968.exe
    C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun11.exe
    C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun14.exe
    C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun4.exe
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Z30NFE70\al3[1].txt
    C:\Documents and Settings\Nathaniel\Application Data\Install.dat
    C:\Documents and Settings\Nathaniel\Favorites\Antivirus Test Online.url
    C:\Documents and Settings\NetworkService\Local Settings\Temp\f403231359.exe
    C:\Documents and Settings\NetworkService\Local Settings\Temp\f403231375.exe
    C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun21.exe
    C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun22.exe
    C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun26.exe
    C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun27.exe
    C:\Documents and Settings\NetworkService\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q4QWRDNP\al3[2].txt
    C:\Program Files\Common Files\{2CCCD9D1-0C77-1033-0428-030303140001}\system.dll
    C:\Program Files\Common Files\{2CCCD9D1-0C77-1033-0428-030303140001}\Update.exe
    C:\Program Files\Common Files\{2CCCD9D1-0C78-1033-0428-030303140001}\system.dll
    C:\Program Files\Common Files\{2CCCD9D1-0C78-1033-0428-030303140001}\Update.exe
    C:\Program Files\PSDream\Uninstall.exe
    C:\Program Files\Support.com\adelphia\scripts\IEconfig.vbs
    C:\RECYCLER\S-1-5-18\Dc1\system.dll
    C:\WINDOWS\Downloaded Program Files\initial.inf
    C:\WINDOWS\SYSTEM32\boyim.dat
    C:\WINDOWS\SYSTEM32\dlh9jkd1q7.exe
    C:\WINDOWS\SYSTEM32\dlh9jkd1q6.exe
    C:\WINDOWS\SYSTEM32\dlh9jkd1q8.exe
    C:\WINDOWS\SYSTEM32\dlh9jkd1q2.exe
    C:\WINDOWS\SYSTEM32\ghmwfq.exe
    C:\WINDOWS\SYSTEM32\ghmwfq.dat
    C:\WINDOWS\SYSTEM32\ghmwfq_navps.dat
    C:\WINDOWS\SYSTEM32\ghmwfq_nav.dat
    C:\WINDOWS\SYSTEM32\kernels88.exe
    C:\WINDOWS\system32\labja.exe
    C:\WINDOWS\SYSTEM32\msasvc.exe
    C:\WINDOWS\SYSTEM32\svchosts.exe
    C:\WINDOWS\system32\tccpip.exe
    C:\WINDOWS\SYSTEM32\uqjfaa.exe
    C:\WINDOWS\system32\wvhnlfe.exe
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C9M7KX6B\acdt-pid29[1].exe
    C:\WINDOWS\tmqmr.dll
    C:\751622609
    C:\bsgka.exe
    C:\bycvpny.exe
    C:\Config.Msi
    C:\dvgvwlv.exe
    C:\hwquegm.exe
    C:\lalkq.exe
    C:\oviq.exe
    C:\ptdx.exe
    C:\seao.exe

    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

After reboot, locate the below folders and delete them if found:
    C:\Program Files\PSDream
    C:\Program Files\VSAdd-in
    C:\Program Files\Common Files\{2CCCD9D1-0C77-1033-0428-030303140001}
    C:\Program Files\Common Files\{2CCCD9D1-0C78-1033-0428-030303140001}
    C:\Program Files\Common Files\{3CCCD9D1-0C78-1033-0428-030303140001}

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
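The procedure in the post above (stop, disable and delete the rogue services; clear the extra entries malware hung off the Winlogon Shell= and Userinit= values, which is what the F2 lines in the HJT log reflect; and queue locked files for deletion at the next boot the way Pocket Killbox's "Delete on Reboot" does) can be scripted. The block below is an added example written for this page; it is not code from the thread, from MajorGeeks or from the Killbox/HijackThis authors. It uses the service and file names quoted in the post, assumes an elevated PowerShell 3.0 or later prompt, and the helper names and the "skip Microsoft-signed files" guard are this example's own assumptions. The "delete on reboot" step is MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which is what populates the PendingFileRenameOperations value the post warns you might be prompted about.

```powershell
# Added example (not from the thread): scripted version of the post #3 procedure.
# Run from an elevated PowerShell (3.0+). Names below are taken from the thread.

$rogueServices = @('MsaSvc', 'COM+ Messages', 'TCP and UDP Support')
$rogueFiles = @(
    'C:\WINDOWS\system32\labja.exe',
    'C:\WINDOWS\system32\wvhnlfe.exe',
    'C:\WINDOWS\SYSTEM32\msasvc.exe',
    'C:\WINDOWS\SYSTEM32\uqjfaa.exe',
    'C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nxvgh.exe'
)

# --- 1. Services: resolve by service name OR display name (the thread quotes both
#        kinds), show the binary each one points at, then stop, disable, delete.
foreach ($name in $rogueServices) {
    $svc = Get-Service | Where-Object { $_.Name -eq $name -or $_.DisplayName -eq $name }
    if (-not $svc) { Write-Host "[-] service '$name' not present, skipping"; continue }
    $info = Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'"
    Write-Host "[*] service '$($svc.Name)' ('$($svc.DisplayName)') runs: $($info.PathName)"
    Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $svc.Name -StartupType Disabled -ErrorAction SilentlyContinue
    & sc.exe delete "$($svc.Name)" | Out-Null   # same effect as HJT "Delete an NT Service"
}

# --- 2. Winlogon: anything appended to Shell= or Userinit= runs at every logon.
#        Expected values are the stock XP ones; Userinit keeps a trailing comma.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{ Shell = 'explorer.exe'; Userinit = "$env:SystemRoot\system32\userinit.exe" }
$wl = Get-ItemProperty -Path $winlogon
foreach ($value in $expected.Keys) {
    $entries = @($wl.$value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $extra   = @($entries | Where-Object { $_ -ne $expected[$value] })   # -ne is case-insensitive
    if ($extra.Count -eq 0) { Write-Host "[+] $value is clean: $($wl.$value)"; continue }
    Write-Host "[!] $value carries extra entries: $($extra -join ', ')"
    $clean = if ($value -eq 'Userinit') { "$($expected[$value])," } else { $expected[$value] }
    Set-ItemProperty -Path $winlogon -Name $value -Value $clean
}

# --- 3. Files: queue deletion for the next boot. MoveFileEx with a null target and
#        MOVEFILE_DELAY_UNTIL_REBOOT writes the PendingFileRenameOperations value;
#        the Session Manager performs the deletes before any user-mode process starts,
#        which is why this beats malware that keeps its files open.
Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

foreach ($path in $rogueFiles) {
    if (-not (Test-Path -LiteralPath $path)) { Write-Host "[-] not found: $path"; continue }
    # Guard (this example's own): never queue a file with a valid Microsoft signature.
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*') {
        Write-Host "[!] refusing to delete Microsoft-signed file: $path"; continue
    }
    if ([Win32.Kernel32]::MoveFileEx($path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
        Write-Host "[+] queued for deletion at reboot: $path"
    } else {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        Write-Host "[!] MoveFileEx failed (Win32 error $err) for $path"
    }
}

# Show the queue as the kernel will read it at boot: each source path is followed
# by an empty destination, which means "delete".
$sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
(Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
Write-Host 'Reboot to complete the deletions.'
```

Two things worth knowing before running it on a real box: the Winlogon step overwrites the value with the stock one, so read the "[!]" line first and make sure the extras are really the malware and not a legitimately registered shell; and the PendingFileRenameOperations queue is shared, so a Windows Installer or update that also has renames pending will show up in the same list, which is the "PendingFileRenameOperations prompt" Killbox asks you to report.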
     
  4. neuf

    neuf Private E-2

Ok I was only able to get so far in the list of things to do. Using the "services.msc", I was only able to disable the "TCP and UDP Support". When I tried to disable the COM+ Messages and Microsoft Authenticate service, I got the messages "Configuration Manager: A required entry in the registry is missing or an attempt to write to the registry failed" and then I got this message "The system cannot find the specified folder". I was able to use HJT to remove the NT service of TCP and UDP Support, but it couldn't locate the other ones. I figured I was doing fine so far. Then when I tried to use the add/remove in control panel to delete the J2SE's and Java, Windows said I was missing "rundll32.dll" in the "c:\windows\system32" folder. I noticed on about everything I click on in the control panel gives me the same message. This doesn't sound good does it? I assume one of the programs deleted it when I was trying to remove the malware?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try to finish the rest of the procedure. Ignore the uninstalls if you cannot do them. You are not supposed to have rundll32.dll in system32. You have Windows XP which means you have rundll32.exe

    You have a load of malware that we need to get removed!
     
  6. neuf

    neuf Private E-2

    Ok I did everything it said. It seems to be running better, except that I guess I am still missing rundll32.exe Thanks for your help. Do I look clear now?
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So are you now saying that the message was that rundll32.exe was missing. Previously you said rundll32.dll. Look in C:\windows\system32 and tell me if you see the rundll32.exe file.


"Do I look clear now?"

No! You still have a few problems and some of the items I asked you to remove are still there. Let's try something different.


    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Also use Pocket Killbox like you did in message # 3 but use it to delete the below list of files this time! Make sure to tell me if you run into any problems doing this.
    C:\WINDOWS\SYSTEM32\bxjfrip.dll
    C:\WINDOWS\SYSTEM32\ddcawur.dll
    C:\WINDOWS\SYSTEM32\w1809063.dll
    C:\WINDOWS\SYSTEM32\wvhnlfe.exe
    c:\windows\system32\ghmwfq.exe
    C:\WINDOWS\SYSTEM32\ghmwfq_navps.dat
    C:\WINDOWS\SYSTEM32\ghmwfq_nav.dat

    Now after the reboot from Pocket Killbox, use HijackThis to fix any of the below lines that still remain:
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,wvhnlfe.exe
    O4 - HKLM\..\Run: [ghmwfq] c:\windows\system32\ghmwfq.exe ghmwfq
    O4 - HKLM\..\Run: [aud29c51] RUNDLL32.EXE w1809063.dll,n 00729c4a000000051809063


    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!
     
  8. neuf

    neuf Private E-2

Ok I did everything again. This time I had trouble removing all the files you listed for deletion with Pocket Kill Box, because I only had 4 of the 7 on my hard drive. Other than that, I think everything worked right. Also, it's "rundll32.exe" that is missing, not ".dll". Sorry, my mistake. The computer seems to be running quickly again. I think the problem now is that I am missing the rundll32.exe. How would I go about restoring that? Thank you for all your help.
     


  9. neuf

    neuf Private E-2

    combofix log
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may have a Gromozon Rootkit infection. You also may not have this infection. So let's go under the assumption that you have it and run a fix for it. This can be quite nasty and difficult to remove. Let's give the below tool a run and hope that it can fix the problem if it is actually present.

    Gromozon Rootkit Removal Tool

    Let me know what it reports!


    Let's also see if we can locate another copy of rundll32.exe to restore from. Follow the directions below. Note that the search specifies looking for rundll32.e* The .e* is correct. Enter it exactly this way with no spaces.

    Click Start and select Search
    Now Select "All files and folders"
    Enter the rundll32.e* in the "All or part of the file name:" box
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    • Search system folders
    • Search hidden files and folders
    • Search subfolders
    Then click the Search button. Report back to me what and where matches are found (if any). You may get a match in a folder that is named i386 and the file may say rundll32.ex_ (yes the underscore is correct. It means the file is compressed.)
     
  11. neuf

    neuf Private E-2

    I found "rundll32.exe" and it was in "C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip". I assume I can do recovery in Spybot and fix my problem with that, but I want to make sure I'm not messing things up again. Also, I used the Gromozon Rootkit Removal Tool, and it didn't find it. I attached that log with this message. Thanks.
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is rather strange that Spybot would delete this file. Is this the only place you found it? Was there no other source like in an i386 folder? or in a subfolder of C:\windows\ (maybe a folder that begins with text like $NtUninstallKB )

Uninstall CounterSpy now too, since it is only a trial and to avoid having it get in the way of our cleanups.

    Also Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 1
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment Standard Edition v1.3.1_09

    Make sure you reboot after uninstalling the above!

    Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\WINDOWS\TEMP\CB79D761.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    O4 - HKLM\..\Run: [winconf] C:\WINDOWS\TEMP\CB79D761.exe

    After clicking Fix, exit HJT.

    Note the below files I'm asking you to delete may already be gone, but we need to be sure.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\WINDOWS\SYSTEM32\bxjfrip.dll
    C:\WINDOWS\SYSTEM32\ddcawur.dll
    C:\WINDOWS\SYSTEM32\aud29c51.sys
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey - Download and install the new version first
    2. ShowNew - Download and install the new version first
    3. HJT


    Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  13. neuf

    neuf Private E-2

I found "rundll32" in Spybot recovery, in c:\I386, C:\WINDOWS\$NtServicePackUninstall$, in Music Match Juke Box, and C:\WINDOWS\ServicePackFiles\i386. I'm not sure if they are .exe or .dll. I typed the search in as "rundll32.e*". I can't uninstall J2SE Runtime Environment 5.0 Update 1, J2SE Runtime Environment 5.0 Update 2, J2SE Runtime Environment 5.0 Update 5, J2SE Runtime Environment 5.0 Update 6, Java 2 Runtime Environment Standard Edition v1.3.1_09, or CounterSpy because I can't use add/remove in control panel without rundll32.exe, is what the error message says. Should I just move on and use Pocket Kill Box and HJT? Thanks, and sorry it's taking me forever to reply, it's just a crazy time right now. Thank you for your help and patience.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Get a copy of RUNDLL32.EXE from C:\WINDOWS\ServicePackFiles\i386 and copy it into C:\windows\system32

    See if you can uninstall things now and do other steps that you could not do.
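The two steps above, the rundll32.e* search from the earlier post (system and hidden folders included, so the compressed rundll32.ex_ in an i386 folder also turns up) and the restore from C:\WINDOWS\ServicePackFiles\i386 into system32, can be done in one script with a sanity check on both ends. The block below is an added example written for this page, not code from the thread or from MajorGeeks. It assumes an elevated PowerShell 5.1 prompt (Get-FileHash), uses the folder names the poster reported, and the Test-LooksLikeRundll32 helper and the staging path are this example's own assumptions. It prefers the ServicePackFiles copy because that matches the installed service pack level; $NtServicePackUninstall$ holds the pre-service-pack version and is deliberately not used.

```powershell
# Added example (not from the thread): inventory every rundll32.e* copy, then
# restore a verified copy into system32 if it is missing. Elevated PS 5.1 assumed.

$system32 = Join-Path $env:SystemRoot 'system32'
$target   = Join-Path $system32 'rundll32.exe'

# --- 1. Inventory. -Force includes hidden and system files, the equivalent of the
#        "Search hidden files and folders" / "Search system folders" checkboxes.
$candidates = Get-ChildItem -Path "$env:SystemDrive\" -Filter 'rundll32.e*' -Recurse -Force -ErrorAction SilentlyContinue
foreach ($f in $candidates) {
    $vi  = $f.VersionInfo                                     # empty for a compressed .ex_
    $sig = (Get-AuthenticodeSignature -FilePath $f.FullName).Status
    '{0,-75} {1,-14} {2,-22} {3}' -f $f.FullName, $vi.FileVersion, $vi.CompanyName, $sig
}

function Test-LooksLikeRundll32 {
    # Sanity check (this example's own): the version resource must identify the
    # file as Microsoft's RUNDLL32.EXE. XP system files are catalog-signed, so
    # Get-AuthenticodeSignature can report NotSigned for a genuine copy; do not
    # treat that alone as proof the file is bad.
    param([string]$Path)
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    return ($vi.CompanyName -like '*Microsoft*') -and ($vi.OriginalFilename -eq 'RUNDLL32.EXE')
}

# --- 2. Pick a source: service pack cache first, then the compressed install copy,
#        which expand.exe (built into Windows) decompresses.
$sources = @(
    (Join-Path $env:SystemRoot 'ServicePackFiles\i386\rundll32.exe'),
    "$env:SystemDrive\I386\rundll32.ex_"
)
$staging = Join-Path $env:TEMP 'rundll32.restore.exe'
Remove-Item -LiteralPath $staging -Force -ErrorAction SilentlyContinue
foreach ($src in $sources) {
    if (-not (Test-Path -LiteralPath $src)) { continue }
    if ($src -like '*.ex_') {
        & expand.exe $src $staging | Out-Null
    } else {
        Copy-Item -LiteralPath $src -Destination $staging
    }
    if (Test-LooksLikeRundll32 $staging) { Write-Host "[+] using source $src"; break }
    Write-Host "[!] $src failed the sanity check, trying the next source"
    Remove-Item -LiteralPath $staging -Force -ErrorAction SilentlyContinue
}
if (-not (Test-Path -LiteralPath $staging)) { throw 'No usable rundll32.exe source found' }

# --- 3. Restore only if system32 really lacks the file, then prove the copy matches.
if (Test-Path -LiteralPath $target) {
    $h = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
    Write-Host "[*] $target already present (SHA256 $h); nothing copied"
} else {
    Copy-Item -LiteralPath $staging -Destination $target
    $a = (Get-FileHash -LiteralPath $staging -Algorithm SHA256).Hash
    $b = (Get-FileHash -LiteralPath $target  -Algorithm SHA256).Hash
    if ($a -ne $b) { throw 'Restored file does not match its source' }
    Write-Host "[+] restored $target (SHA256 $b)"
}
Remove-Item -LiteralPath $staging -Force -ErrorAction SilentlyContinue
```

The inventory listing is worth reading before the copy happens: a rundll32.exe sitting somewhere other than system32, ServicePackFiles, an i386 folder or a known product's folder is itself suspicious, and a copy whose CompanyName is not Microsoft should never be used as the restore source no matter what its filename says.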
     
  15. neuf

    neuf Private E-2

The computer seems really quick now. :cool: When I put a copy of rundll32 into the system32 folder, I was able to delete the programs you listed. When I used HJT to kill "C:\WINDOWS\TEMP\CB79D761.exe" it wasn't in the list. I did an alt+ctrl+del thinking maybe I could see it there if it was in that list, but I didn't see it in there either. I was able to remove the 2 entries you listed for removal with HJT. The only file Pocket Kill Box could find and delete was "C:\WINDOWS\SYSTEM32\aud29c51.sys". Again, the system seems to be running smoothly and quickly now. Am I cured? Can I reboot with System Restore disabled like mentioned on the READ & RUN ME page? Thanks.
     


    Last edited: Jan 5, 2007
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Your logs are clean. Just delete the two below folders left over from CounterSpy.
    C:\Documents and Settings\Nathaniel\Local Settings\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software


Follow all the steps below, which include this. MAKE SURE you get an antivirus application installed when you get into the link in step 9. However, also make sure you follow the below steps in the order written.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  17. neuf

    neuf Private E-2

    Thank you for your time and knowledge. My computer runs great thanks to you.:)
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf Safely!
     
