help

Discussion in 'Malware Help (A Specialist Will Reply)' started by juanny, Mar 28, 2006.

  1. juanny

    juanny Private E-2

    Hey, I have some serious spyware running on my CPU and I need some help... I'm really new to this site, so if someone can help me out, I have a HijackThis log. I know I have ehczrw312.exe and fihmspkd.exe running, which I know is bad, and if someone could help me I would really appreciate it. I did steps 1-7 the best that I could but I did have some issues. Please help! Thanks.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MGs!

    Please complete the other steps of the READ & RUN ME that you have not run:

    - Microsoft Windows Defender
    - Bitdefender online scan and attach log (see step 6)
    - PandaActiveScan online scan and attach log (see step 6)

    NOTE: HijackThis should not be installed in a folder belonging to another program. You have it in CCleaner's folder.

    C:\Program Files\CCleaner\HijackThis.exe

    Please install it properly and after running the other steps in the READ & RUN ME, attach a new HJT log.
     
  3. juanny

    juanny Private E-2

    I'm sorry, how do I do that? I know I'm really slow, but also I couldn't run Bitdefender for some reason; I couldn't get off the first page, and it says to run that before you run PandaActiveScan, so I didn't run that.
     
  4. juanny

    juanny Private E-2

    Oh, and also Windows Defender doesn't work either because it says my version of Windows can't be validated or something.
     
  5. juanny

    juanny Private E-2

    I think I got HijackThis out of CCleaner, and here's an updated log.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmmm! Is your copy of Windows legal?

    Please run PandaActiveScan and attach the log. If it will not run for any reason, just continue onto the below and attach the Ewido log.

    Running Ewido Anti-Malware
     
  7. juanny

    juanny Private E-2

    I can run PandaActiveScan, but it takes so long I have to leave it on overnight, and when I check it in the morning my computer has a bunch of popups and is frozen. Should I stop it and attach the first part of the scan before I go to bed? Also my computer's getting worse and worse with spyware; my Windows security has been compromised. I can no longer run my virus protection or Windows Firewall, and popups continue to come. I'm thinking I should just wipe my hard drive and reinstall the drivers, because I'm worried that soon I won't even be able to use my computer at all, it will be so infected.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's try a different approach. We will fix a load of things we can see with HijackThis and then see if you can run the online scans to find things not shown by HijackThis.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to SymWMI Service (or if not found look for SymWSC) ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    SymWSC

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Now look in Add/Remove programs for WebHancer and uninstall if found.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\system32\ehczrw312.exe
    C:\WINDOWS\system32\fihmspkd.exe
    C:\Program Files\Common Files\??crosoft\d?xplore.exe
    C:\Program Files\ASEMBL~1\wowexec.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/DOCUME~1/COLINB~1/LOCALS~1/Temp//xx.html
    O2 - BHO: (no name) - {12573A7F-DEB1-F61A-92AE-F18ADDA6FFCD} - C:\WINDOWS\system32\znj.dll (file missing)
    O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsn12.dll
    O2 - BHO: (no name) - {3C053484-891A-82EA-1A96-D2BFDEF6DBBD} - C:\WINDOWS\system32\dadyphag.dll (file missing)
    O2 - BHO: Yvakt Class - {8EA23D66-E057-4D62-A8C0-86961B453F07} - C:\WINDOWS\system32\lsoda.dll
    O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKLM\..\Run: [H357WLF] "C:\WINDOWS\system32\ehczrw312.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [DHaxi.exe] C:\WINDOWS\system32\DHaxi.exe
    O4 - HKCU\..\Run: [Krg] C:\Program Files\Common Files\??crosoft\d?xplore.exe
    O4 - HKCU\..\Run: [Tbsa] "C:\PROGRA~1\ASEMBL~1\wowexec.exe" -vt ndrv
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int13.exe
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
    O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
    O18 - Filter: text/html - {E56528EF-9651-4D4E-B72D-FA04867AD3CF} - C:\WINDOWS\system32\lsoda.dll
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:/Documents and Settings/COLINB~1/Local Settings/Temp <--- delete all files in this temp folder
    C:\Program Files\webHancer <--- the whole folder
    C:\Program Files\Common Files\Symantec Shared <--- the whole folder
    C:\Program Files\Common Files\??crosoft\d?xplore.exe
    C:\Program Files\ASEMBL~1\wowexec.exe
    C:\WINDOWS\system32\DHaxi.exe
    C:\WINDOWS\system32\ehczrw312.exe
    C:\WINDOWS\system32\fihmspkd.exe
    C:\WINDOWS\system32\nsn12.dll
    C:\WINDOWS\system32\lsoda.dll

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode.

    Now see if you can run both online scans from step 6 of the READ ME and attach the logs.


    Also attach a new HJT log after running the online scans.
     
  9. juanny

    juanny Private E-2

    When I did the step "Delete an NT service" and tried to remove SymWSC, it said it couldn't because the item is system critical. Should I just skip that step and continue with the next steps?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just continue! It did it anyway, and it is not system critical. That's why we are removing it! It is junk that Symantec left hanging around instead of doing a proper uninstall. If their name was not Symantec/Norton, we would be calling this malware. ;)
     
  11. juanny

    juanny Private E-2

    I don't know how to boot in safe mode, so I did all that in normal mode. Also I can't delete ehczrw312.exe or fihmspkd.exe; they keep reappearing. I'll do the next scans and attach a HJT log.
     
  12. juanny

    juanny Private E-2

    OK, here's an updated HJT log and the Panda ActiveScan report. I still have the same problem with Bitdefender; on the "Read and Run me..." post where it tells how to run Bitdefender, it says to first "agree to the terms." However, the button that says "I agree" under the terms is only a picture, it's not a link or anything. Clicking on it does nothing. But other than that my computer's doing much better already, and is running much faster. It's not fixed yet though; I'm sure there's still a lot of malware running.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You MUST follow directions! And you must boot in safe mode. How did you run the READ & RUN ME if you do not know how to boot in safe mode? See Step 5 in the READ ME! Do the steps again exactly as written!
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You also have not installed HijackThis properly as indicated in step 7! YOU MUST do this now. I will post no further instructions until it is installed correctly.

    Did you also notice ALL the bad stuff Panda found? This is why we ask that it be run. However you should have emptied your Sunbelt Software\CounterSpy\Quarantine folder as requested in step 0 of the READ ME to avoid having such a big log and having scans take so long.

    Also, you really should run the Ewido scan I gave you in step 6. You have a load of bad stuff that it may help remove.
     
  15. juanny

    juanny Private E-2

    OK, here's the Ewido log and the updated HJT log, and I hope I got HJT installed properly.
     

    Attached Files:

  16. juanny

    juanny Private E-2

    If it's not installed right please tell me how to do it! Thanks.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! That's better! ;) You still did not empty the CounterSpy\Quarantine folder though (at least not before running Ewido). Also, Ewido fixed a ton of problems, but you still have more and some new stuff has shown up too! A nasty Qoologic infection. I'm going to need you to run another tool to look for a few hidden files so I can work up a fix. This tool should run reasonably fast.

    Please download FindQool by LonnyRJones
    • Extract the files and place the FindQool folder into root folder of your hard disk. This is usually C:\
    • Open the folder and run Qlocate.bat
    • Post the contents of the txt.log which will open when the scan is finished.
     
  18. juanny

    juanny Private E-2

    OK, thanks. Here's the log; it ran pretty quickly.
     

    Attached Files:

  19. juanny

    juanny Private E-2

    Oh yeah, sorry, I forgot to clear the CounterSpy quarantine folder before running Ewido, but I cleared it before running HJT.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Now copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist, but we need to check for them anyway.

    C:\WINDOWS\system32\ehczrw312.exe
    C:\WINDOWS\system32\DHaxi.exe
    C:\WINDOWS\SYSTEM32\BLMTKDS.EXE
    C:\WINDOWS\SYSTEM32\FOOLQFE.DLL
    C:\WINDOWS\SYSTEM32\FEEOL.DAT
    C:\WINDOWS\SYSTEM32\YHOLAW.EXE
    C:\WINDOWS\SYSTEM32\PQGPA.EXE
    C:\WINDOWS\UNWN.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\robmg.exe



    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!


    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes. (You may not see these! If not, just continue.)
    C:\Program Files\Common Files\??crosoft\d?xplore.exe
    C:\PROGRA~1\ASEMBL~1\wowexec.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/DOCUME~1/COLINB~1/LOCALS~1/Temp//xx.html
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pqgpa.exe
    F2 - REG:system.ini: UserInit=userinit.exe,blmtkds.exe
    O2 - BHO: (no name) - {12573A7F-DEB1-F61A-92AE-F18ADDA6FFCD} - C:\WINDOWS\system32\znj.dll (file missing)
    O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsn12.dll (file missing)
    O2 - BHO: (no name) - {3C053484-891A-82EA-1A96-D2BFDEF6DBBD} - C:\WINDOWS\system32\dadyphag.dll (file missing)
    O2 - BHO: Yvakt Class - {8EA23D66-E057-4D62-A8C0-86961B453F07} - C:\WINDOWS\system32\lsoda.dll (file missing)
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKLM\..\Run: [H357WLF] "C:\WINDOWS\system32\ehczrw312.exe"
    O4 - HKCU\..\Run: [DHaxi.exe] C:\WINDOWS\system32\DHaxi.exe
    O4 - HKCU\..\Run: [Krg] C:\Program Files\Common Files\??crosoft\d?xplore.exe
    O4 - HKCU\..\Run: [Tbsa] "C:\PROGRA~1\ASEMBL~1\wowexec.exe" -vt ndrv
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int13.exe
    O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
    O18 - Filter: text/html - {E56528EF-9651-4D4E-B72D-FA04867AD3CF} - C:\WINDOWS\system32\lsoda.dll



    Now exit HJT.
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):
    C:\Program Files\webHancer <--- the whole folder
    C:\Program Files\ASEMBL~1 <--- the whole folder
    C:\PROGRAM FILES\NEWDOTNET <-- the whole folder
    C:\PROGRAM FILES\whInstall <-- the whole folder
    C:\Program Files\Common Files\wmum <-- the whole folder
    C:\Program Files\Yazzle Sudoku <-- the whole folder
    C:\Program Files\Common Files\System\MSMAPI\1033\full.exe
    C:\w.exe
    C:\NNSCAA638.EXE
    C:\sk02.exe
    C:\Veracruz.exe
    C:\WINDOWS\system32\ehczrw312.exe
    C:\WINDOWS\system32\DHaxi.exe
    C:\WINDOWS\SYSTEM32\BLMTKDS.EXE
    C:\WINDOWS\SYSTEM32\FOOLQFE.DLL
    C:\WINDOWS\SYSTEM32\FEEOL.DAT
    C:\WINDOWS\SYSTEM32\YHOLAW.EXE
    C:\WINDOWS\SYSTEM32\PQGPA.EXE
    C:\WINDOWS\system32\lsoda.dll
    C:\WINDOWS\system32\Setup94.exe
    C:\WINDOWS\system32\vbr.exe
    C:\WINDOWS\UNWN.EXE
    C:\WINDOWS\keyboard7.exe
    C:\WINDOWS\DH.dll_
    C:\WINDOWS\Q29saW4gQi1I\kZ6Puqb0k2YK.vbs
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\robmg.exe

    Then reboot into normal mode and attach a new HJT log and a new log from FindQool
     
    Last edited: Apr 4, 2006
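    The HijackThis lines chaslang selects in messages 8 and 20 follow recognisable patterns: an R0 start page pointing at a file in a Temp folder, extra programs chained onto the system.ini Shell= and UserInit= values (F2), BHOs whose DLL is missing (O2), sites added to the Trusted Zone (O15), DPF downloads from a bare IP address (O16), and a text/html MIME filter (O18). The Python below is an added example, not code from this thread, from MajorGeeks or from HijackThis: it runs those rules over a constructed sample built from lines quoted above; the regexes, severity labels and the Finding type are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    section: str   # HJT line prefix, e.g. "O2"
    severity: str  # "high", "medium" or "info"
    reason: str
    line: str


# Constructed sample: a handful of the HJT lines quoted in this thread, not a full log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/DOCUME~1/COLINB~1/LOCALS~1/Temp//xx.html
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pqgpa.exe
F2 - REG:system.ini: UserInit=userinit.exe,blmtkds.exe
O2 - BHO: (no name) - {12573A7F-DEB1-F61A-92AE-F18ADDA6FFCD} - C:\WINDOWS\system32\znj.dll (file missing)
O4 - HKLM\..\Run: [H357WLF] "C:\WINDOWS\system32\ehczrw312.exe"
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int13.exe
O18 - Filter: text/html - {E56528EF-9651-4D4E-B72D-FA04867AD3CF} - C:\WINDOWS\system32\lsoda.dll
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
"""

LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")          # "O4 - <body>"
IP_URL_RE = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?:[:/]|$)", re.I)
EXE_PATH_RE = re.compile(r'([A-Za-z]:\\[^"\s]+\.exe)', re.I)
URL_RE = re.compile(r"(https?://\S+)", re.I)


def classify(line: str) -> Optional[Finding]:
    """Rate one HJT line; returns None for text that is not an HJT entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    severity, reason = "info", "entry not matched by a hijack rule"

    if section == "R0" and "Start Page" in body:
        target = body.split("=", 1)[1].strip().lower()
        if target.startswith("file:") and "/temp/" in target:
            severity, reason = "high", "start page points at a file in a Temp folder"
    elif section == "F2" and "system.ini" in body:
        # "REG:system.ini: Shell=Explorer.exe, C:\...\x.exe": only the first program is expected
        key, _, value = body.split(":", 2)[2].strip().partition("=")
        programs = [p.strip() for p in value.split(",") if p.strip()]
        if key.strip().lower() in ("shell", "userinit") and len(programs) > 1:
            severity = "high"
            reason = f"{key.strip()}= chains extra program(s): {', '.join(programs[1:])}"
    elif section == "O2" and "(file missing)" in body:
        severity, reason = "medium", "BHO registration whose DLL is missing (dangling hijack)"
    elif section == "O4":
        # Autostarts that launch a loose .exe straight out of \WINDOWS or \WINDOWS\system32
        exe = EXE_PATH_RE.search(body)
        if exe and re.search(r"\\windows\\(?:system32\\)?[^\\]+$", exe.group(1), re.I):
            severity, reason = "medium", f"autostart runs a loose executable: {exe.group(1)}"
    elif section == "O15":
        severity, reason = "medium", "site added to the IE Trusted Zone, relaxing its security settings"
    elif section == "O16":
        url = URL_RE.search(body)
        if url and (IP_URL_RE.match(url.group(1)) or url.group(1).lower().endswith(".exe")):
            severity, reason = "high", "ActiveX download from a bare IP address or delivering an .exe"
    elif section == "O18" and "text/html" in body:
        severity, reason = "high", "text/html MIME filter intercepts every page IE renders"

    return Finding(section, severity, reason, line.strip())


def analyze(log_text: str) -> List[Finding]:
    """Classify every HJT entry in a log, skipping blank or non-HJT lines."""
    findings = []
    for raw in log_text.splitlines():
        finding = classify(raw)
        if finding:
            findings.append(finding)
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings by severity, e.g. {'high': 5, 'medium': 3, 'info': 1}."""
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:3} {f.reason}")
    print(summarize(analyze(SAMPLE_LOG)))
```

The "info" entries (here the Symantec O23 service) are not cleared by the rules; they are simply outside what these patterns cover, which matches how the thread still handled SymWSC by hand.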
  21. juanny

    juanny Private E-2

    OK, here's the new logs... I'm still getting the occasional popup. I think it might be caused by something I found in system32 called ppicon.ico; its symbol is the PartyPoker symbol... I don't know what this is, so I was just letting you know I found it in case it's malware. Also something is still blocking me from turning on my Windows Firewall, and something is also disabling my anti-virus software (Trend Micro). Just wondering what I can do about this; without my virus protection the malware will come back and I'd rather not go through all this again. Thanks for all your help!
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have a load of malware problems!

    Are your copies of Ewido and CounterSpy the free trial versions or paid versions? I believe Ewido is the free version I had you install. If either of these are the free trial versions, uninstall the free versions before continuing with the below.

    You must not use MSCONFIG to control startups while we are working on fixing problems. This is discussed in step 7 of the READ ME. Please run MSconfig and select normal startup. Do not reboot yet, if it tells you it needs to.

    Don't worry about Windows Firewall, it is not good enough anyway. See the below link step 3 and install ZoneAlarmFree firewall and reboot afterwards (it should tell you it needs to reboot anyway).

    How to Protect yourself from malware!

    After reboot attach a new HJT log and then DO NOT reboot or power down your PC. Wait for my next steps to avoid having your problems mutate during a reboot.
     
  23. juanny

    juanny Private E-2

    The link doesn't work.
     
  24. juanny

    juanny Private E-2

    It's the "how to protect yourself from malware" link, right? If so, it doesn't work.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It did not paste in as a link. Try this one: How to Protect yourself from malware!

    Note: It is on every page of the forum though since it is a sticky thread.
     
  26. juanny

    juanny Private E-2

    OK, here's a HJT log. I installed ZoneAlarm firewall and AVG anti-virus. I no longer get the message from Windows Security Center saying that I'm unprotected :D
     

    Attached Files:

  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/DOCUME~1/COLINB~1/LOCALS~1/Temp//xx.html
    F2 - REG:system.ini: UserInit=userinit.exe,blmtkds.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [yxsdau] C:\WINDOWS\system32\yholaw.exe reg_run
    O4 - HKLM\..\Run: [stratas] lockx.exe
    O4 - HKCU\..\Run: [uuaeb] C:\WINDOWS\system32\yholaw.exe reg_run

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\COLINB~1\Local Settings\Temp <-- delete all files and subfolders in this temp folder
    C:\WINDOWS\system32\blmtkds.exe
    C:\WINDOWS\system32\lockx.exe
    C:\WINDOWS\system32\yholaw.exe reg_run

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  28. juanny

    juanny Private E-2

    Hey, I got the new log. There are still two malware issues, WPAIIEXX.EXE and something like ODDEZIA6.EXE; I'm not sure of the exact name of the second one. ZoneAlarm firewall is blocking both of them at the moment, but they're still there. Also I couldn't delete C:\Documents and Settings\COLINB~1\Local Settings\Temp. It was set to read only, and every time I unchecked it it still wouldn't delete it, and when I looked at the properties again it was set to read only. I also did not find any of the files in system32:

    C:\WINDOWS\system32\blmtkds.exe
    C:\WINDOWS\system32\lockx.exe
    C:\WINDOWS\system32\yholaw.exe reg_run

    Things are working much better. I haven't got a single popup since I installed ZoneAlarm and AVG.
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I did not say to delete this Temp folder. I said to delete all files and subfolders that are in it.

    Your HJT log is clean. I see no signs of WPAIIEXX.EXE and ODDEZIA6.EXE. Are you saying ZoneAlarm is reporting these? Where are they located? Locate them and delete them. Delete them in safe mode or with Pocket Killbox if necessary.
     
  30. juanny

    juanny Private E-2

    I don't know where they are, or how to find out. They're not causing any problems, but I'd still like them deleted. What should I do now? Something about System Restore, right?
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to search for them! Use the instructions in the below link to perform a search for each of those files.

    Searching for Hidden Files on WinXP


    No! You do not touch System Restore until we have removed ALL malware problems.
     
  32. juanny

    juanny Private E-2

    OK, thanks, I found and deleted both of them. Everything is running great! :D Thank you so much. You have no idea how much I appreciate all you do to help people; you are so unselfish. What should I do next?
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    First I would like to know where those two files were found. Was it C:\Windows\System32?

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
  34. juanny

    juanny Private E-2

    Ohh..... I'm sorry, I deleted them. I'm not exactly sure where the search found them now; I don't remember, I'm sorry. I have gotten one popup (casalmedia), but other than that everything's great. Should I go ahead and do System Restore?
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, continue with all the instructions in my last message. If you get any more popups, take note of what websites you are on when it occurs, also whether you have more than one browser open (then note all sites connected to), also what else is running at the time.
     
  36. juanny

    juanny Private E-2

    System Restore was already off!!! the "turn off system restore" box was checked! what does this mean? What should I do?
     
  37. juanny

    juanny Private E-2

    Also, AVG virus scan found 3 trojan downloaders, but they were in:

    C:\!Killbox\FEEOL.DAT
    C:\!Killbox\YHOLAW.EXE
    C:\!Killbox\robmg.exe

    This means that they were in Killbox's quarantine folder, right? Should I worry about them? (They're deleted now.) It also found and deleted two other trojan downloaders:

    C:\WINDOWS\mousepad7.exe
    C:\WINDOWS\system32\drsmartload482a.exe

    Just letting you know. Thanks!
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Enable System Restore so your system will start creating restore points.
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That was just the backups Killbox made and they are all safe to delete.

    They are related to some of the other items I had you delete in message # 20 but they had not shown in your logs. mousepadx.exe, keyboardx.exe, and newnamex.exe (where x is any number) typically all come together.
     
  40. juanny

    juanny Private E-2

    OK, I enabled System Restore. What should I do now?
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Everything in the previous link I gave to you:

    How to Protect yourself from malware!
     
  42. juanny

    juanny Private E-2

    I was running Ad-Aware, when all of a sudden AVG popped up and alerted me that it had found a ton of trojans. I'm not sure exactly, maybe around 10 or 15? Maybe more? I'm not sure, but it found them all in

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF...

    Just letting you know. Thanks!
     
  43. juanny

    juanny Private E-2

    Also, Ad-Aware found:

    mediamotor (1 object)
    Adware.Z-Quest (2 objects)
    WebHancer (1 object)
    VX2 (2 objects)
    Targetsaver (1 object)

    I deleted them all.
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's System Restore! Are you sure you disabled it previously? Try disabling it and then reboot! Leave it disabled and run AVG and see what it finds. Make sure you fix everything found. Then enable system restore.
     
  45. juanny

    juanny Private E-2

    Help! I keep getting those error messages saying "Internet Explorer has encountered a problem and needs to close". What should I do? What could be causing it?
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, your previous logs from a month ago were clean. So if you have been getting those error messages since I said you were clean, then it is not malware and you should post a question in the Software Forum. If the problems just started happening again, you may have gotten reinfected and you should re-run the READ & RUN ME and attach the logs from steps 6 & 7.
     