Help with Viruses - Thread 1 of 2

Discussion in 'Malware Help (A Specialist Will Reply)' started by bermuda6, Nov 12, 2006.

  1. bermuda6

    bermuda6 Private E-2

    Hi: I've been infected with a bunch of viruses. I followed your instructions and many of the problems appear to be gone.

    I have 5 files to send you, so I will send the other two in another thread.

    Note: I found a folder containing virusbursters.exe in it. I moved it to deleted items, since I didn't see anything in add/remove programs. Can I simply delete and remove from the recycle bin without causing damage?

    In addition, I found one Yazzle1122OinUninstaller executable in my program files/common files folder. I also moved that to the recycle bin. Can I delete that without causing damage?

    I still seem to get a popup window for winantivirus.com at this point. But it now appears as a restricted site, so the page is blank. But I don't want it to pop up anymore.

    Please examine my logs in this thread the next I send you. I appreciate your help.
     

    Attached Files:

  2. bermuda6

    bermuda6 Private E-2

    I guess I didn't need a new thread. I just added the new files as a reply.

    Thanks again for assisting in cleaning up my pc.

    From one Northern NJ person to another..... You provide a great service.
     

    Attached Files:

  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet

    Please look in Add/Remove Programs for the following and uninstall them if found:

    Safety Bar

    VSAdd-in for Internet Explorer

    Viewpoint Media Player


    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O2 - BHO: (no name) - {348E733E-4BF4-78FC-3A93-0372330DB941} - C:\WINDOWS\system32\gllkydf.dll (file missing)
    O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt0.dll (file missing)
    O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
    O2 - BHO: (no name) - {B85E6958-98D6-4556-A511-5C829BA1BA75} - C:\WINDOWS\system32\pmkhi.dll
    O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\sdwgalpq.dll (file missing)

    O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)

    O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
    O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
    O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe

    O20 - Winlogon Notify: pmkhi - C:\WINDOWS\system32\pmkhi.dll
    O20 - Winlogon Notify: winrzf32 - winrzf32.dll (file missing)

    Again, make sure ALL browser windows are closed when you click FIX.

    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\Program Files\ipwins Delete this whole folder if it exists!

    C:\Program Files\VirusBursters Delete this whole folder if it exists!

    C:\Program Files\VSAdd-in Delete this whole folder if it exists!

    C:\Program Files\Safety Bar Delete this whole folder if it exists!

    C:\Documents and Settings\Owner.YOUR-5D91A4C75F\Application Data\s?curity Delete this whole folder if it exists!

    Next, run CCleaner to clean up cookies and temp files.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, REBOOT and proceed with the rest of this fix...

    Next Reset Web Settings & Default Security Settings

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    Note for IE 7 users:
    Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

    Finally, I would like you to flush your System Restore points. Please follow the instructions below:

    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now. Also attach a fresh HJT log.
     
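Added example (not part of the thread, and not HijackThis's own code): a small Python triage of HijackThis-style log lines of the kinds quoted in the post above. It parses O2/O3/O4/O20 entries and flags what a responder reviews first: orphaned "(file missing)" entries, unnamed BHOs, and Winlogon Notify DLLs, noting when one DLL is registered both as a BHO and as a Notify package, as pmkhi.dll is above. The sample log is constructed from lines quoted in the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis lines of the kinds quoted in the post above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {348E733E-4BF4-78FC-3A93-0372330DB941} - C:\WINDOWS\system32\gllkydf.dll (file missing)
O2 - BHO: (no name) - {B85E6958-98D6-4556-A511-5C829BA1BA75} - C:\WINDOWS\system32\pmkhi.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O20 - Winlogon Notify: pmkhi - C:\WINDOWS\system32\pmkhi.dll
O20 - Winlogon Notify: winrzf32 - winrzf32.dll (file missing)
"""

@dataclass
class Entry:
    section: str        # R0, O2, O3, O4, O20 ...
    name: str           # BHO/toolbar display name, Run value name, Notify key
    path: str           # file or command line the entry points at ("" if none)
    file_missing: bool  # HijackThis appended "(file missing)"
    raw: str

_COM = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.+?) - \{[0-9A-Fa-f-]+\} - (.+?)( \(file missing\))?$")
_RUN = re.compile(r"^(O4) - .+?: \[(.+?)\] (.+)$")
_NOTIFY = re.compile(r"^(O20) - Winlogon Notify: (\S+) - (.+?)( \(file missing\))?$")
_R = re.compile(r"^(R\d) - (.+)$")

def parse_line(line):
    """Return an Entry for a recognised HijackThis line, or None."""
    for rx in (_COM, _RUN, _NOTIFY):
        m = rx.match(line)
        if m:
            g = m.groups()
            return Entry(g[0], g[1], g[2], len(g) > 3 and g[3] is not None, line)
    m = _R.match(line)
    return Entry(m.group(1), m.group(2), "", False, line) if m else None

def triage(log):
    """Return (section, name, reason) for entries worth reviewing first."""
    entries = [e for e in (parse_line(l) for l in log.strip().splitlines()) if e]
    bho_dlls = {e.path.lower() for e in entries if e.section == "O2"}
    findings = []
    for e in entries:
        if e.file_missing:
            findings.append((e.section, e.name, "orphaned entry: referenced file no longer on disk"))
        elif e.section == "O2" and e.name == "(no name)":
            findings.append((e.section, e.name, "unnamed BHO loaded into every IE process"))
        elif e.section == "O20":
            reason = "Winlogon Notify DLL loads into winlogon.exe at logon"
            if e.path.lower() in bho_dlls:
                reason += "; same DLL is also registered as a BHO (dual persistence)"
            findings.append((e.section, e.name, reason))
    return findings

if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {name:12} {reason}")
```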
  4. bermuda6

    bermuda6 Private E-2

    Thanks. I've begun the process and ran into a few issues...

    1) VSAdd-in for IE won't delete from Add/Remove Programs. I do see it in program files though.

    2) I deleted Viewpoint Media Player, but after the safe mode reboot (and back to normal mode) it appeared in Add/Remove Programs again. I deleted again. Not sure if it will return after I reboot again.

    3) In Hijack This, I noticed that the VSaddin.dll file has a different set of numbers in the brackets. So, I didn't delete it. Should I?

    4) I didn't delete splshwrp.exe or tabtip.exe since we have a tablet PC and it seems like these entries are related to the tablet we're having issues with. Is that true? If you think these are the virus, I'll delete. I just don't want to break the tablet.

    5) When going to safe mode and rebooting, the screen turns black and the desktop doesn't appear. It appeared without a problem last weekend and before I made any of these last changes. Please advise.

    6) Since I can't get into Safe mode, should I manually delete the entire folders for VSAdd-in and Safety Bar?

    7) For the owner.Your-5d91A4C75F folder, I don't see a sub folder called s?curity. But I do see one called security. Should I remove the security folder, since I don't see one called s?curity?

    8) Other than the items above, I'm up to the ccleaner step. But I'm sure, you will tell me to correct some of the items above before proceeding.

    Please advise.

    Thanks.
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Your Uninstaller! 2006 5.0.0.256, save to desktop and install.

    Locate VsAdd-in and uninstall this way. Probably would be better to do this In Safe Mode.

    Remove it again, it shouldn't come back.

    Yes, anything you see VSaddin or close remove it.

    I didn't request them be literally deleted, I requested HJT fix them as in removing the startup entries. They are not bad just unnecessary at startup.

    Does this still occur?

    Yes! Delete them any way you can.

    Be sure hidden files/folders and the showing of system files is enabled.

    Do what you can and post the new logs and we will go from there.
     
  6. bermuda6

    bermuda6 Private E-2

    We seem to be making some progress. But I'm still getting some popups and unwanted sites appearing.

    I still cannot get into Safe Mode anymore. It worked fine until we made the changes you suggested earlier. Please help.

    1 & 2) Your Uninstaller successfully deleted Viewpoint and VSAdd-in. After reboot, they didn't appear to return. But this was done in normal mode, not safe mode since I can't get to safe mode anymore.

    3) When re-running hjt, vsaddin.dll didn't appear anymore. Thus, no need to fix it.

    4) I still didn't delete splshwrp or tabtip since you said it was not critical. I don't want to mess up any factory installed programs for her tablet pc. Please confirm that this is ok.

    5) After typing msconfig and restarting, I'm asked to log into the XP machine with my password to enter safe mode. After logging in, a black screen with Safemode shown at the top of the screen appears. But nothing happens after that. The black screen remains and I can't do anything else, unless I switch back to normal mode. Please help.

    6) I deleted the vsadd-in and Safety Bar folders from the c drive manually. This was done in normal mode, not safe due to the problem mentioned above in step 5.

    7) Hidden Files/folders are set to be shown (enabled). Thus, I still do not see a sub folder called s?curity. I only see a sub folder called security in the owner.Your-5d91a4c75f folder. I did not remove anything here yet, since the folder name is slightly different.

    8) At this point, I think I'm ready to run killbox. But I'll wait to hear from you.

    As mentioned at the top, I think we still have issues, since some popups and unwanted web pages are appearing.

    Please review the updated logs and get back to me. Note: hjt will be sent as a reply to this thread since this is the 4th attachment.

    Thanks.
     

    Attached Files:

  7. bermuda6

    bermuda6 Private E-2

    Here's the hjt log also. I look forward to receiving your response.

    Thanks.
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run CCleaner to clean up cookies and temp files.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, REBOOT and proceed with the rest of this fix...

    Download AproposFix© by Swandog46

    Save it to your desktop or to another folder of its own, but do NOT run it yet!

    Now reboot your computer in Safe Mode! (You must be in safe mode or this fix will not work.)

    Once in Safe Mode, double-click aproposfix.exe, which will give you a choice of where to unzip/install the program to. This is called the Destination folder in the window that pops up. So either install it to the Desktop or the folder where you downloaded the aproposfix.exe file to. It will create a new folder named aproposfix. Open the aproposfix folder and double click on RunThis.bat to run the fix. Follow the prompts.

    When the tool is finished, reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file that has been created in the aproposfix folder.
     
  9. bermuda6

    bermuda6 Private E-2

    Please see attached logs.

    1) I'm still getting pop-up dialog boxes and IE pages asking me to install drive cleaner. Of course, I ignored it. Please advise how to clean up.

    2) When running killbox, I deleted the 3 dll's and all other files shown in the active scan. The others were .txt files. Please confirm that this was ok to do.

    3) After the reboot after killbox, the desktop never came up fully. I saw the background of the desktop, but no files were displayed. I then rebooted again and things appeared again. Please confirm that this was acceptable.

    4) Please review the log files and let me know what I need to clean up next.

    Thanks very much for your help. I hope we're getting closer.
     
  10. bermuda6

    bermuda6 Private E-2

    Hi: I have not received a response to my 11/23 post. I'm sure you're busy. Please respond, since I seem to be getting more and more problems.

    Thanks.
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You didn't attach any logs? I need the logs from my previous post.
     
  12. bermuda6

    bermuda6 Private E-2

    I did attach logs in my previous post. You just never replied to them. Thus, the forum admin said to reply and remind you that I have a reply with new logs waiting.
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Since my instructions in post #8 you have not attached any logs. Without these logs I can't help any further.

    Go back to post #8 and run those steps again since it's been a while. These things must be done in a timely manner due to malware replicating.
     
  14. bermuda6

    bermuda6 Private E-2

    I don't know why they didn't appear. I'm attaching again. Sorry.
     

    Attached Files:

  15. bermuda6

    bermuda6 Private E-2

    In addition to the logs I sent you earlier this morning (12/2/2006), please review these attached logs also. Norton is saying that I have the vundo virus. It cleans it up and removes the virus. But then shortly later, it says I've been infected with vundo again.

    I ran the combofix, vundofix and HJT. These logs are attached.

    So, there are basically 6 logs from 12/2/2006 to review. 3 From this post and 3 from earlier today.

    Thanks, in advance for your help.

    I hope I get rid of the Winantivirus popups and others too.
     

    Attached Files:

  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\xhndfyfg.dll (file missing)
    O2 - BHO: (no name) - {6F0ACFEF-23A6-449F-B3A0-45D1816DE98E} - C:\WINDOWS\system32\pmkhi.dll (file missing)

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE

    Again, make sure ALL browser windows are closed when you click FIX.

    Next, run CCleaner to clean up cookies and temp files.


    After you complete the above, REBOOT and proceed with the rest of this fix...


    Please download Blacklight to its own folder...

    F-Secure Blacklight

    After download is complete, double click to run the program. Click "Accept" to proceed. Then click SCAN to begin scanning your system.

    Once the scan is complete it will attempt to clean the found infections. There should be a log in the folder that you ran the program from, attach this log to your next post.
     
  17. bermuda6

    bermuda6 Private E-2

    Here are my latest logs. I think things are better now. Please confirm that you agree.

    Note: The HJT log was created as a result of running HJT at the time recommended. I also ran HJT again, immediately following the first HJT run and cleanup. If you want me to attach that log, I can.


    Thanks, in advance for all of your assistance. You've been very helpful.
     
  18. bermuda6

    bermuda6 Private E-2

    Not sure if the previous logs posted. Here they are again, just in case.
     

    Attached Files:

  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Attach a fresh HJT log to confirm everything is gone.
     
  20. bermuda6

    bermuda6 Private E-2

    Here's my latest HJT log. Please let me know if everything is now gone.

    Thanks very much for all of your help.
     

    Attached Files:

  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log looks good, are you having any current problems?
     
  22. bermuda6

    bermuda6 Private E-2

    Things look fine now. Thanks so much for all of your help.
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert
