1. ADCORMAN1

    ADCORMAN1 Private E-2

Hi, I am having some major problems with my PC. I have a Compaq without the Windows XP Home Edition recovery CDs. I downloaded the recovery disks and used them to reboot Windows, but once in I can't do anything. It freezes and my F-Secure keeps popping up (constantly) telling me it has detected this and that but takes no action. I cannot open up my F-Secure manager, and Internet Explorer says it cannot connect even though I have a good connection. Can anyone help? I am bouncing back and forth from this working PC and my non-working one trying desperately to find a fix for this. Also, when the Compaq freezes up it shuts down and I have to reload the recovery disks again to get back on. chkdsk keeps disappearing along with other things.
     
  2. ADCORMAN1

    ADCORMAN1 Private E-2

OK, so here are some of my F-Secure anti-virus warnings:
    Spyware detected:
    Type: Adware
    Family:
    Name: Adware.Win32.Virtumonde
    Object: C:\Windows\System32\gebyx.dll
    Action: none

    Spyware detected:
    Type: Adware
    Family:
    Name: Adware.Win32.Virtumonde
    Object: C:\Windows\System32\byxvusq.dll
    Action: none

    Spyware detected:
    Type: Adware
    Family:
    Name: isearch toolbar
    Object: C:\windows\RXJpY2sgSmFjaNvbg\asappsrv.dll

    Can anyone help me with this? These pop-ups just keep coming, but it won't let me do anything about them.
     
  3. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Welcome to Majorgeeks!

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    READ & RUN ME FIRST. Malware Removal Guide

    So logs that you will get to attach are:

    MGlogs.zip (which has 5 logs inside it, including Hijackthis, just attach the whole Zip )
    AVG log. ( Which is the report scan txt file )
    Combofix logs.

    http://img117.imageshack.us/img117/829/60272555mm4.jpg



    After these are attached our malware experts will review them to see if you're OK; if not, they will issue you some further removal instructions if needed.


    Plus a guide on how to attach the logs: HOW TO: Attach Items To Your Post
     
  4. ADCORMAN1

    ADCORMAN1 Private E-2

    I would love to do these seemingly simple steps, but my PC won't let me do anything!!!! I cannot get to the internet at all! I can barely open Windows. Any suggestions?
     
  5. ADCORMAN1

    ADCORMAN1 Private E-2

    OK, finally got into Add/Remove Programs: I had targetsaver (removed), viewpoint (removed), outerinfo (would not remove), network monitor (would not remove). I still cannot connect to the internet to download the Vundo removal thing. Any suggestions?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download the tools onto another PC and then copy them to this PC somehow, using a CD, a USB flash drive, etc. Then get us the logs. We cannot help you if you cannot get us some logs. Your only recourse would be to reinstall, which really should not be necessary. Normally even with Vundo infections like you appear to have, the internet is still accessible and the tools can be downloaded and run.

    You could also try booting in safe mode to see if you have internet access in safe mode.
     
  7. ADCORMAN1

    ADCORMAN1 Private E-2

    Success! (I think?)

    OK, I followed directions and am finally back up and running. Here are my logs. Please look them over and tell me if I am in the clear.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No wonder you are having so many problems. This PC is very very badly infected. I'm not sure who is using it or how it is being used, but everyone using it needs to be more careful of where they are surfing and what they are downloading and installing.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below software:
    iWon Prize Machine
    J2SE Runtime Environment 5.0 Update 11

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {4874C9EE-F547-4B2C-81C2-C2E2BCB6E12E} - C:\WINDOWS\system32\gebyx.dll (file missing)
    O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive3.dll (file missing)
    O2 - BHO: (no name) - {A349ACD3-C49D-41BC-9749-B1FF68A98186} - C:\WINDOWS\system32\vcmsujqb.dll (file missing)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: (no name) - {9F3006AC-2245-4452-BB41-7C65CE66E33D} - (no file)
    O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
    O4 - HKLM\..\Run: [rb32 ml710e] "C:\Program Files\RapidBlaster\rb32.exe"
    O4 - HKLM\..\Run: [YJT] C:\WINDOWS\YJT.exe
    O4 - HKLM\..\Run: [rbenh ml710e] "C:\Program Files\RBEnhance\rbenh.exe"
    O4 - HKLM\..\Run: [P4mx4] c:\windows\system32\p4mx4.exe
    O4 - HKLM\..\Run: [Mscnt] c:\windows\system32\mscnt.exe /noconnect
    O4 - HKLM\..\Run: [mremoted] C:\WINDOWS\System32\mremoted.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [dadqjmt] C:\WINDOWS\dadqjmt.exe
    O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HEAD>
    O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\<BODY>
    O4 - HKLM\..\Run: [<A HREF=http://www.gandi.net/>GANDI</A> then par] c:\WINDOWS\System32\<A HREF=http://www.gandi.net/>GANDI</A> then parked.
    O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\</HTML>
    O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY>
    O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\OvmP8s0W.exe
    O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [AdwareKill] C:\Program Files\AdwareKill\setup.exe
    O4 - HKLM\..\Run: [dns.exe] C:\WINDOWS\system32\dns.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [sacyr] C:\Program Files\WindowsUpdate\sacyr77798.exe
    O4 - HKCU\..\Run: [Aaou] "C:\DOCUME~1\ERICKJ~1\MYDOCU~1\PPPATC~1\msdtc.exe" -vt yazb
    O4 - HKCU\..\Run: [riuw] C:\PROGRA~1\COMMON~1\riuw\riuwm.exe
    O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
    O4 - Startup: desktop(2)(2).ini
    O4 - Startup: desktop(2).ini
    O4 - Startup: desktop(3).ini
    O4 - Global Startup: desktop(2).ini
    O8 - Extra context menu item: &Search - ?p=ZJxdm128YYUS
    O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
    O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Help - {1659048F-F88C-4AC8-BBA4-DBE0C9DBA208} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O9 - Extra button: ComcastHSI - {B47491E7-07B1-467D-916E-F7F77306FB4D} - http://www.comcast.net (file missing) (HKCU)
    O9 - Extra button: Support - {E1AE49B2-1511-4BC5-8512-D1F88F0ECA37} - http://www.comcastsupport.com (file missing) (HKCU)
    O20 - AppInit_DLLs: C:\WINDOWS\system32\win_ix.dll
    O20 - Winlogon Notify: datcat32 - C:\WINDOWS\SYSTEM32\datcat32.dll
    O20 - Winlogon Notify: ddcyxxw - ddcyxxw.dll (file missing)
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)

    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
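The fix list above is the result of a human reading a HijackThis log and sorting entries into three kinds: dead references whose file is already gone, Run values that are plainly corrupt (HTML fragments stored as commands), and live persistence points that deserve attention (random-named binaries in System32, a Windows binary name running from My Documents, AppInit_DLLs and Winlogon Notify DLLs). The script below is an added example by the editor, not part of this thread and not a HijackThis component; it applies that same reasoning to HJT log lines so the triage is repeatable. The sample log is constructed from lines quoted in the post; the allowlists, the lookalike-folder list and the random-name heuristic are editorial assumptions, not authoritative data.

```python
"""Triage HijackThis (HJT) log lines for the patterns fixed in the post above.

Added example by the editor; not part of the MajorGeeks thread and not a
HijackThis component. SAMPLE_LOG is constructed from lines quoted in the
post; the allowlists, lookalike list and name heuristics are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the O2/O3/O4/O20/O23 lines quoted in the post.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4874C9EE-F547-4B2C-81C2-C2E2BCB6E12E} - C:\WINDOWS\system32\gebyx.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [rb32 ml710e] "C:\Program Files\RapidBlaster\rb32.exe"
O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HEAD>
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\OvmP8s0W.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [sacyr] C:\Program Files\WindowsUpdate\sacyr77798.exe
O4 - HKCU\..\Run: [Aaou] "C:\DOCUME~1\ERICKJ~1\MYDOCU~1\PPPATC~1\msdtc.exe" -vt yazb
O20 - AppInit_DLLs: C:\WINDOWS\system32\win_ix.dll
O20 - Winlogon Notify: datcat32 - C:\WINDOWS\SYSTEM32\datcat32.dll
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
""".strip()

# Assumed allowlists (illustrative, not authoritative): binaries that legitimately
# autorun from %SystemRoot%, and genuine Windows binary names that should never
# run from a user-writable directory.
KNOWN_SYSTEM_AUTORUNS = {"dumprep", "ctfmon", "userinit", "rundll32"}
WINDOWS_BINARY_NAMES = {"msdtc.exe", "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}
SYSTEM_DIR_PREFIXES = ("c:\\windows\\", "%systemroot%\\", "%windir%\\")
LOOKALIKE_DIRS = ("windowsupdate",)  # assumed: folder names that imitate a Windows component

HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
RUN_ENTRY = re.compile(r"^HK[^\[]*\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
TARGET_PATH = re.compile(r'(?i)(?:[a-z]:|%\w+%)\\[^"<>|]*?\.(?:exe|dll|scr|pif|bat|cmd|vbs)(?=$|[\s"])')


@dataclass
class Finding:
    section: str
    severity: str  # "high", "medium" or "info"
    reason: str
    line: str


def looks_random(stem: str) -> bool:
    """Crude check for generated names (OvmP8s0W, mscnt): few vowels or a long consonant run."""
    letters = [c for c in stem if c.isalpha()]
    if not letters:
        return True
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r"[b-df-hj-np-tv-z]+", stem)), default=0)
    return vowel_ratio < 0.2 or longest_run >= 5


def triage_run_entry(cmd: str) -> list[tuple[str, str]]:
    """Rules for one O4 Run value; returns (severity, reason) pairs."""
    if "<" in cmd or ">" in cmd:
        return [("high", "Run value is an HTML fragment, not a command: corrupted or injected registry data")]
    match = TARGET_PATH.search(cmd)
    if not match:
        return []  # e.g. '%systemroot%\system32\dumprep 0 -u': no parseable file, leave for manual review
    directory, _, filename = match.group(0).lower().rpartition("\\")
    directory += "\\"
    stem = filename.rsplit(".", 1)[0]
    in_system_dir = directory.startswith(SYSTEM_DIR_PREFIXES)
    hits = []
    if filename in WINDOWS_BINARY_NAMES and not in_system_dir:
        hits.append(("high", f"{filename} is a Windows binary name but runs from {directory}"))
    elif in_system_dir and stem not in KNOWN_SYSTEM_AUTORUNS:
        if looks_random(stem):
            hits.append(("high", f"random-looking executable {filename} in a system directory"))
        else:
            hits.append(("medium", f"unfamiliar executable {filename} in a system directory"))
    if not in_system_dir and any(tag in directory for tag in LOOKALIKE_DIRS):
        hits.append(("medium", f"directory name imitates a Windows component: {directory}"))
    return hits


def triage(log_text: str) -> list[Finding]:
    """Walk an HJT log and attach findings to the entries a human should look at first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        parsed = HJT_LINE.match(line)
        if not parsed:
            continue
        sec, body = parsed.group("sec"), parsed.group("body")
        hits = []
        if "(file missing)" in body or "(no file)" in body:
            hits.append(("info", "orphaned entry: target is gone, remove the stale reference"))
        if sec == "O4":
            run = RUN_ENTRY.match(body)
            if run:
                hits.extend(triage_run_entry(run.group("cmd")))
        elif sec == "O20":
            if body.startswith("AppInit_DLLs:"):
                hits.append(("high", "AppInit_DLLs loads this DLL into every process that links user32.dll"))
            elif body.startswith("Winlogon Notify:"):
                hits.append(("high", "Winlogon Notify DLL runs inside winlogon at every logon"))
        findings.extend(Finding(sec, sev, why, line) for sev, why in hits)
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in sorted(results, key=lambda f: ("high", "medium", "info").index(f.severity)):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summarize(results))
```

Two things worth noticing when running it. The RapidBlaster and QuickTime Run entries produce no findings, because allowlist and shape heuristics only recognise what they were taught; an unknown adware binary in its own Program Files folder looks the same to the script as a legitimate one, which is exactly why the post still has a malware expert read the full log. And the `dumprep` entry is skipped rather than flagged: its value has no file extension to parse, so the script leaves it for manual review instead of guessing.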
     
