Hijack -- Please Help

Do not re enable System Restore until your malware problems are completely fixed.

There is no need to ever Disable viewing of hidden files etc at all. But if you want to, you again must not do it until all malware problems are resolved.

So please disable system restore and enable viewing of hidden files again per the READ ME.

Follow the below steps exactly as written:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

No! As per the HJT sticky thread, all HJT logs should be from normal boot mode unless specifically requested otherwise.

Please post a new HJT log from normal boot mode.

 

Do you know how CWShredder got installed as a service?
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Program Files\CWShredder\CWShredder.exe

This is not required, normal or probably wanted. I have been seeing a bunch of these and it just makes no sense at all.

You have a Virtumundo infection. I'm working on a fix.

 

I see AVPersonal and AVG in your log. You must only use one antivirus application. It looks like AVG is either incompletely installed or incompletely uninstalled. Does it still show in Add/Remove programs? If so, uninstall it.

 

AVG is an antivirus application. But it was my mistake when I noticed the below in your log:
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min

This is not AVG it is part of AV Personal.

For some more info on Virtumundo you can see the sticky thread about it. But I will be posting a fix for you soon:

READ ME: Virtumundo Problems/Resolution Threads


That's strange about CWShredder. I never had this happen before. I have to try installing it on a new machine where it has not been installed on before and see what happens.

 

Okay let's start by downloading two tools we will need:

- Process Explorer 9.2

- Pocket KillBox

Extract them to there own folder somewhere that you will be able to locate them later.

Reboot in Safe Mode (do not open any other processes)

- Run Process Explorer

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of urqpo.dll once and then click the kill button. After you have killed all of the urqpo.dll 's under winlogon click ok. (If you do not find the dll, just continue on.)

Next double click on explorer.exe and again click once on each instance of urqpo.dll then click the kill button. Once you have done that click ok again. (If you do not find the dll, just continue on.)

Also in process explorer look for:
C:\WINDOWS\system32\conime.exe or just conime.exe

And right click on it a select Kill Process.

Now just exit Process Explorer.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\urqpo.dll
O20 - Winlogon Notify: urqpo - C:\WINDOWS\system32\urqpo.dll



Copy the bold text below to notepad. Save it as fixVundo.reg to your desktop.
Be sure the "Save as" type is set to "all files"
Once you have saved it double click it and allow it to merge with the registry.

Now run Pocket Killbox:
Choose Tools > Delete Temp Files and click OK.

Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\WINDOWS\system32\urqpo.dll
C:\WINDOWS\system32\conime.exe

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

After reboot post a new HJT log.

 

I have some mistakes in the post that I'm going to fix. I hope you have not run it yet.

I'll but the changes in bold green so you can identify them. I had two DLLs listed that did not apply to you. You only have one so I changed the name and deleted references to the second dll.

 

RUn thru the steps again as they are written now. Make sure you find and delete that conime.exe file because it came back too.

By the way I double checked CWShredder on a couple PCs where it was never installed. It does not come up running as a service. So I have no idea how you got it to be on your system like that. We will fix that later too. Do you remember exactly what you did with it?

 

Possibly and it does run from the system32 folder so it probably is OK.

But see this too: http://www.liutilities.com/products/wintaskspro/processlibrary/conime/

And also at your favorite home, see: http://www.iamnotageek.com/a/conime.exe.php

 

arcueil_1,

Do not delete the conime.exe file! It more than likely is not a problem because of where it is running from (the system32 folder).

 

He indicate he was using the Chinese version in message # 4.

That link is also giving false info for the conime.exe that is in system32. Perhaps you need to tell them to fix those two links and be more specific that the one in system32 is a valid Windows file.

 

Yes leave conime.exe alone. The CWShredder fix will not be as simple as fixing the line in HJT because it is running as a service. Follow the steps below to fix it. (I would still like to know how you got it running like this.)


Now click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

On the page that opens, scroll down to CWShredder Service ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

CWShredder Service


Now scan with HJT and make sure the below entry is gone:

O23 - Service: CWShredder Service - InterMute, Inc. - C:\Program Files\CWShredder\CWShredder.exe

 

Looks good! How is everything working now?

 

You're welcome. Now check out the below to help keep you clean:

How to Protect yourself from malware!