I still have huge problems even after READ & RUN ME FIRST

Discussion in 'Malware Help (A Specialist Will Reply)' started by ruffak, Dec 2, 2007.

  1. ruffak

    ruffak Private E-2

    ok i did all the instructions stated in the READ & RUN ME FIRST thread, and i even had problems along the way. 2 problems actually:
    -after i did the AVG anti-spyware scan, it did not make a report for me even though it found an infected file and i unchecked the "publish report only if infected file was found" box.
    -my second problem was when i was using MGtools.exe . i ran the first step in disabling the USER ACCOUNT CONTROL, and it said it was successful, but when i run GetLogs.bat USER ACCOUNT CONTROL pops up again and again and again like a virus, no matter what i press, i dont even get a chance to close the program!!!

    Now about the malware i have. it's an adware i think, pop-up ads come up every time i open IE, and every time i click a link, every time i go to any website, and my laptop became extremely slow. i've had it for about 5-7 days now. i was using my laptop normally, no weird websites visited or anything, but i think it was around the time i installed a home networking program called "Network Magic" , but the other 2 computers which are connected in my network dont have it. i was using norton, and it didnt pick it up, so i did a scan and it verified it as vundo.trojan, and it wouldnt delete it or anything. so i downloaded the program they recommended called vundofix and it didnt work, downloaded 2 different programs to fix it, one is called FIXvundo (different from the one norton recommended) and another one, both didnt even find it.
    Then i downloaded avast and removed norton, avast also found infected files, and i delete them and it says successfully removed, but still i open IE and there they are. i also tried ad-aware 2007, but no use either. seriously im really desperate to get this fixed cause my laptop is running extremely slow, my next move is basically formatting my pc, and thats a huge issue, you are my last hope, i would greatly appreciate it. thanks
    attached is the only log i obtained.
     

    Attached Files:

  2. tunered

    tunered MajorGeek

  3. samtal

    samtal Corporal

  4. ruffak

    ruffak Private E-2

    i read i should do the HiJackthis log, so i did.
    and i downloaded the vundofix application from this website to fix the problem. wut happened was it found 2 files, and when i delete them, screen goes blank once then comes back then goes blank again and never comes back, instead my pc just reboots after like 30 sec. by itself.
    something else, all the ads and gif pictures on websites, even majorgeeks website suddenly change and start flashing " u have adware do a scan now " but only on my default browser (IE). i swear to god its like its evolving or something.
    please help me on this. much appreciated. thanks
     

    Attached Files:

  5. ruffak

    ruffak Private E-2

    ok i managed to get the mgtools.exe working and attached the zip file. the only thing i still cant obtain is the log file for AVG anti-spyware, simply because it wont make one. even after i double checked the settings and did another scan, it found an infected file but wouldnt give me a log.
    just in case though, does it make a log file and store it somewhere without appearing under the reports tab in the program?
     

    Attached Files:

  6. ruffak

    ruffak Private E-2

    Re: huge malware problems even after READ & RUN ME FIRST

    Avast keeps finding viruses by itself, but AVG anti-spyware doesnt and says everything is ok. i attached the avast log. hopefully that will help. and btw does it usually take 5 days for some1 to help me..??!!
     

    Attached Files:

  7. ruffak

    ruffak Private E-2

    Ok now it seriously became worse. i opened my pc today and now whenever i go to any website either in firefox or IE, it cant show pictures, and instead starts flashing "spyware remove", and for lets say im on youtube and click on the picture instead of the link, pop ups come up like crazy, and before it used to be one at a time, but now multiple pop ups at once. sometimes but not always when i press a link, a new browser window opens and tells me BAD GATEWAY and my computer freezes completely. please tell me what should i do. thanks in advance
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: huge malware problems even after READ & RUN ME FIRST

    Sorry about that, but no it does not normally take that long. This happened because you did not originally post in the Malware Forum with your problem and this caused you to slip by unnoticed. This was due to the fact that your thread was eventually moved to the malware forum, but since it had a number of posts in it, it probably looked like someone was already working on it. Also each time you posted a message, you lost your place in the work queue as explained here: Don't Bump! It Only Hurts You!!!

    I'm working thru your logs now and will post with a fix in a little while.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First we need to clean up some leftover services from Symantec.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Symantec Lic NetConnect service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above to Stop and Disable the below two Services (if you do not find them or get any errors, just continue):
      • LiveUpdate Notice Service Ex
      • LiveUpdate Notice Service
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste CLTNetCnService into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below two Services (if you do not find them or get any errors, just continue):
      • LiveUpdate Notice Ex
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Now uninstall the below old versions of software:
    Java(TM) SE Runtime Environment 6
    LiveUpdate Notice (Symantec Corporation)

    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {D1224678-95D3-4469-9685-6AB719C12957} - C:\Users\mo2men\AppData\Local\Temp\ljhff.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [BM3b2de365] Rundll32.exe "C:\Users\mo2men\AppData\Local\Temp\qimkjvna.dll",s
    O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\mo2men\AppData\Local\Temp\ljhff.dll,c
    O4 - HKCU\..\Run: [BM3b2de365] Rundll32.exe "C:\Users\mo2men\AppData\Local\Temp\qimkjvna.dll",s

    After clicking Fix, exit HJT.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Users\mo2men\AppData\Local\Temp\ljhff.dll
    C:\Users\mo2men\AppData\Local\Temp\qimkjvna.dll
    C:\Users\mo2men\AppData\Local\Temp\ljhff.dll
    C:\Users\mo2men\AppData\Local\Temp\qimkjvna.dll
    C:\Users\mo2men\AppData\Local\Temp\ffhjl.ini
    C:\Users\mo2men\AppData\Local\Temp\ffhjl.ini2
    C:\Users\mo2men\AppData\Local\Temp\IpAdrSet.log
    C:\Users\mo2men\AppData\Local\Temp\mo2men.bmp

    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

    If Killbox does not reboot just reboot your PC yourself.

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now delete the below folder if it exists:
    C:\Program Files\Common Files\Symantec Shared

    Now copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file
    that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
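
Added example (not part of the thread, and not MajorGeeks' or HijackThis' own code): a small triage script that parses HijackThis O2 (BHO) and O4 (Run key) lines like the ones selected in the post above and flags the patterns visible in them, namely a BHO with no file or with a DLL in a Temp directory, and a Run entry that loads a DLL through rundll32. The function names and heuristics are assumptions made for illustration; the sample lines are a subset copied from the post.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Sample input: a subset of the HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D1224678-95D3-4469-9685-6AB719C12957} - C:\Users\mo2men\AppData\Local\Temp\ljhff.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BM3b2de365] Rundll32.exe "C:\Users\mo2men\AppData\Local\Temp\qimkjvna.dll",s
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\mo2men\AppData\Local\Temp\ljhff.dll,c
"""

# O2 - BHO: <name> - {CLSID} - <file>
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.+)$")
# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")
# rundll32 command line: capture the DLL path, quoted or not, up to the ",export" part
RUNDLL_RE = re.compile(
    r'^"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)', re.I)
# Any path component named Temp or Tmp
TEMP_RE = re.compile(r"\\te?mp\\", re.I)


class Finding(NamedTuple):
    section: str               # "O2" or "O4"
    label: str                 # CLSID for O2, Run value name for O4
    target: str                # file the entry loads, or "(no file)"
    reasons: Tuple[str, ...]   # why the entry was flagged


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line matches one of the heuristics, else None."""
    line = line.strip()
    reasons = []

    m = O2_RE.match(line)
    if m:
        target = m.group("file")
        if target == "(no file)":
            reasons.append("BHO registration points to a missing file")
        elif TEMP_RE.search(target):
            reasons.append("BHO DLL loads from a Temp directory")
        return Finding("O2", m.group("clsid"), target, tuple(reasons)) if reasons else None

    m = O4_RE.match(line)
    if m:
        cmd = m.group("cmd")
        dll = RUNDLL_RE.match(cmd)
        # For rundll32 entries the interesting file is the DLL, not rundll32 itself.
        target = dll.group("dll") if dll else cmd
        if dll:
            reasons.append("autorun loads a DLL through rundll32")
        if TEMP_RE.search(target):
            reasons.append("autorun target is in a Temp directory")
        return Finding("O4", m.group("value"), target, tuple(reasons)) if reasons else None

    return None  # not an O2/O4 line, or nothing matched


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a HijackThis log."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.label}: {f.target}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Legitimate software also registers rundll32 autoruns, so a finding is a lead for review rather than a verdict.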
     
  10. ruffak

    ruffak Private E-2

    sorry for the late reply, had an exam yesterday.
    omg thank you sooo sooo much seriously. you are unbelievable. till now looks like everything is back to normal. no pop ups, ads on websites are back to normal. so hopefully i did everything right. i attached the mglogs.zip file like you said. and when you say Avenger you mean the AVG Anti-spyware?? yea about that it still doesn't make logs when i do full system scans, but does when i do memory scans.
    Again thank you soo much you are amazing. i'll give it a couple more days, if nothing comes up till then, then i'll be all right.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Some items we were trying to fix did not get fixed last time. Make sure that you exit ALL browsers before clicking fix in HijackThis!!
    We need to remove another bad service.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to DomainService
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {26892337-7EA8-4D58-BFE3-67FF6ED1CF5F} - C:\Users\mo2men\AppData\Local\Temp\ljhff.dll
    O2 - BHO: (no name) - {77A2773C-ACE5-4632-9AD1-FDFC994BE696} - C:\Users\mo2men\AppData\Local\Temp\ljhff.dll
    O2 - BHO: (no name) - {B98267BC-2CFB-4128-BB20-1A7D98E2B9C2} - C:\Users\mo2men\AppData\Local\Temp\ljhff.dll
    O2 - BHO: {b599540a-10c7-142a-d654-5c8d6df241fc} - {cf142fd6-d8c5-456d-a241-7c01a045995b} - C:\Windows\system32\fyvqddxb.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [381ed0f9] rundll32.exe "C:\Windows\system32\gophapjo.dll",b
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Windows\system32\gophapjo.dll
    C:\Windows\System32\bdsqfixf.exe
    C:\Windows\System32\pbkkjcyr.exe
    C:\Windows\System32\frbwlack.dll
    C:\Windows\System32\fyvqddxb.dll
    C:\Windows\System32\gophapjo.dll
    C:\Windows\System32\iwjpmkbj.dll
    C:\Windows\System32\jagkkdwn.dll
    C:\Windows\System32\yudekrdc.dll
    C:\Windows\System32\bnjwgqrx.ini
    C:\Windows\System32\cdrkeduy.ini
    C:\Windows\System32\ojpahpog.ini
    C:\Windows\System32\drivers\11BA2788-6475-4E8D-8169-CFC805E27698.cxv
    C:\Users\mo2men\AppData\Local\Temp\ffhjl.ini
    C:\Users\mo2men\AppData\Local\Temp\ffhjl.ini2
    C:\Users\mo2men\AppData\Local\Temp\ljhff.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

    If Killbox does not reboot just reboot your PC yourself.

    After reboot look for all of the above files we had Pocket Killbox attempt to delete. If you still see them, delete them yourself.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created
    Make sure you tell me how things are working now!
     
  12. ruffak

    ruffak Private E-2

    ok 2 problems which i think you will also notice from the mglogs report.
    HJT couldnt fix

    O2 - BHO: (no name) - {77A2773C-ACE5-4632-9AD1-FDFC994BE696} - C:\Users\mo2men\AppData\Local\Temp\ljhff.dll

    every time i do the scan it pops back up again
    also Pocket Killbox couldnt delete some of the files, so i deleted them manually, all of them got deleted except

    C:\Users\mo2men\AppData\Local\Temp\ljhff.dll

    an error kept coming up that it was used by another program
    and the 2 files

    C:\Users\mo2men\AppData\Local\Temp\ffhjl.ini
    C:\Users\mo2men\AppData\Local\Temp\ffhjl.ini2

    kept coming back every time i deleted them. i rebooted the pc in safe mode and tried deleting them, but that didnt work either.
    thanks for ur time.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay we will try this a different way since Killbox cannot remove the files since they are hooked into several running processes.

    Let's begin by removing a service from VundoFix which should not be running.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to VundoFix Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste VundoFixSvc into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Now let's clean up from Pocket Killbox
    • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    • Now close/exit Pocket Killbox
    Continue by downloading a tool we will need: Process Explorer

    Extract it to its own folder somewhere that you will be able to locate it later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Make sure that one and only one Internet Explorer browser is opened up

    Run Process Explorer by double clicking on the procexp.exe file.
    • Step 1 - unhook DLL from rundll32.exe
    • In the top section of the Process Explorer screen double click on rundll32.exe to bring up the rundll32.exe Properties form.
    • Click on the Threads tab at the top.
    • Once you see this screen click on each instance of the ljhff.dll files (if found) and then click the kill button.
    • After you have killed all instances of any of ljhff.dll under rundll32.exe click ok.
    • (If you do not find ljhff.dll , just continue on.)
    • Step 2 - unhook DLL from lsass.exe
    • Next double click on lsass.exe to bring up the Properties form.
    • Click on the Threads tab at the top.
    • Once you see this screen click on each instance of the ljhff.dll files (if found) and then click the kill button.
    • After you have killed all instances of any of ljhff.dll under rundll32.exe click ok.
    • (If you do not find ljhff.dll , just continue on.)
    • Step 3 - unhook DLL from explorer.exe
    • Next double click on explorer.exe to bring up the Properties form.
    • Click on the Threads tab at the top.
    • Once you see this screen click on each instance of the ljhff.dll files (if found) and then click the kill button.
    • After you have killed all instances of any of ljhff.dll under rundll32.exe click ok.
    • (If you do not find ljhff.dll , just continue on.)
    • Step 4 - unhook DLL from iexplore.exe
    • Next double click on iexplore.exe to bring up the Properties form.
    • Click on the Threads tab at the top.
    • Once you see this screen click on each instance of the ljhff.dll files (if found) and then click the kill button.
    • After you have killed all instances of any of ljhff.dll under rundll32.exe click ok.
    • (If you do not find ljhff.dll , just continue on.)
    Now just exit Process Explorer.


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {0CB5E62A-BEC4-4815-AB47-684C5C779443} - C:\Users\mo2men\AppData\Local\Temp\ljhff.dll
    O2 - BHO: (no name) - {CCC4C770-86E8-4FDB-94A1-0C96E28F7342} - C:\Users\mo2men\AppData\Local\Temp\ljhff.dll

    After clicking Fix, exit HJT.


    Now print the below instructions because at a point during them you MUST (this can be critical) shutdown all browsers. I will tell you when to exit the browsers during the multi-part procedure.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have the below icons on your Desktop (double click the thumbnail to expand it)
    [Image: CFScript.jpg]
    • Now refer to the above image and use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner!


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from ComboFix.

    Make sure you tell me how things are working now!
     
  14. ruffak

    ruffak Private E-2

    well i think it worked, but not completely. i mean the pop ups stopped coming up, but the pictures on websites still dont show but instead flash "malware detected" or "fix now". well pictures show but only until the page finishes loading then they become like that. now i did everything you said, no problems came up, i have no idea whats causing the flashing pictures though.
    and for some reason MgLogs would not get attached. ill try posting it after a lil while in another reply. but combofix's log is there.
    thanks so much for your time.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must make sure you re-ran GetLogs.bat to create a NEW log. You cannot attach the same log as previously attached.

    Quick do the below ASAP!!


    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
     
  16. ruffak

    ruffak Private E-2

    ok i did that and i ran getlogs.bat 2 minutes ago, and it said it created a new log, but when i come to upload it and press on the upload button, it says "internet explorer cannot display the webpage", but that didnt happen when i tried attaching the combofix log.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you log into MajorGeeks, make sure you are checking the box that says remember me. Then try again to upload the file.

    Otherwise try attaching using Mozilla Firefox.
     
  18. ruffak

    ruffak Private E-2

    it didnt work even when i checked the remember me box, and it also didnt work when i tried uploading it via firefox. the only way it got uploaded is using another computer. is that a problem caused by the malware?
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Possibly it is related to the malware. Did you run the fixME.reg patch given in message # 15?
    • If so, was that before or after getting the logs that are in MGlogs.zip.
    • If not, please run it now! Also tell me if you received a success message on adding it to the registry.
    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [BM3b2de365] Rundll32.exe "C:\Windows\system32\lwdvlfbv.dll",s


    After clicking Fix, exit HJT.


    Now print the below instructions because at a point during them you MUST (this can be critical) shutdown all browsers. I will tell you when to exit the browsers during the multi-part procedure.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should now have both ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now refer to the above image and use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner!


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from ComboFix.

    Make sure you tell me how things are working now!
     
  20. ruffak

    ruffak Private E-2

    i dont remember exactly if it was before or after i made the mglogs, but i did it again just in case.
    and just to let you know at first HJT wouldnt delete

    O4 - HKLM\..\Run: [BM3b2de365] Rundll32.exe "C:\Windows\system32\lwdvlfbv.dll"

    but then i tried again after i let combofix do its thing, and it worked it got deleted i think.

    well pics on websites are back to normal now so im guessin finally all remaining malware has been removed, but give a couple of days to make sure, and im here if i did anything wrong or there's still something else.
    thanks alot for your time. much appreciated. :D
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your logs are clean.


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  22. ruffak

    ruffak Private E-2

    well im happy to tell u that everythin is goin great. pc back to its old self. u have been a major help to me seriously, and i really appreciate the time u spent solvin my problems. thanks alot.
    i read ur thread on keepin my self protected from malware and viruses, but i have a quick question, do u by any chance have any idea how i got this malware? so that i stay away from it.
    thanks alot :D. i let u get back to bein a malware hero :D. tc.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is not easy to say exactly where; however, common places for infections like this are:
    1. questionable download sites especially anything porn, game cheating, software cracking,...etc sites
    2. downloading special codecs to view video files
    3. P2P and Torrent downloading (which can be related to # 1)
     
