Infected and Can't Run Any Malware Removal Programs

Discussion in 'Malware Help (A Specialist Will Reply)' started by Bobny, Nov 17, 2008.

  1. Bobny

    Bobny Private E-2

    Hi - I am having a problem with my Dell laptop, which runs MS Windows XP SP3. A few days ago I started getting an error message shortly after startup saying that the "DCOM server process launcher terminated unexpectedly and Windows must shutdown" with a 60 second timer. I can stop the shutdown using Start/Run/shutdown -a. The computer will then work, but I continue to get pop ups saying the computer is infected. When using IE to search the internet, I constantly get redirected and get pop ups urging me to install "Antivirus Pro 2009." I have Malwarebytes, Superantispyware, and Combofix installed on the computer, but I can't run them - I just get the egg timer for a few seconds, then nothing. I tried in safe mode and also from a memory stick and still can't run the programs. I also can't download new versions of the programs or any other Malware-related programs, such as HijackThis - I just get redirected or I get a message that IE cannot display the download page. I also cannot get to your site, so I am using another computer to contact you. I went through your cleaning procedure and was able to get through Steps 1 and 2; however, I can't do Step 3 since none of the programs will run. Any help would be appreciated.

    Thanks,
    Bobny
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    I know you indicated you have started to run the READ & RUN ME, but follow along with the tips/notes below and try ALL steps. Make sure you also follow the instructions about renaming files.

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.


    READ & RUN ME FIRST. Malware Removal Guide
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools on another PC and burn them to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes, you could use a flash drive too, but flash drives are writable and infections can spread to them.
     
  3. Bobny

    Bobny Private E-2

    Thanks for the reply. I went through the cleaning procedure with the following results:

    Step 1: Completed
    - Add/Remove malware - none found.
    - Update Java- already had latest version
    - MSconfig - already set to normal startup mode
    - Quarantined files - none found
    - Emptied recycle bin
    - Norton not installed
    - Ccleaner ran successfully

    Step 2: Completed
    - All hidden files shown

    Step 3: Partially Completed - Downloaded programs and burned to CD on good computer then copied to infected computer.
    - Superantispyware - Copied and renamed to SAS.exe, but would not run. Error message "SAS has encountered a problem and needs to close."
    - Spybot - Started to install but when it went to access the internet got error message "Error sending request. A connection with the server could not be established." I confirmed that internet access was available.
    - Malwarebytes - Copied and renamed to mb.exe, but would not run.
    - Combofix - Copied and started to run, but when it went to access the internet got error message "IE cannot display the webpage."
    - MGTools - copied but it did not autorun. I manually started "Getlogs.bat" and the resulting zip file with the logs is attached.

    I also tried to run the scans in "Safe Mode" but they still would not run.

    Thanks for any further help you can provide.
    Bobny
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have multiple AV programs installed. Please uninstall either Norton or TrendMicro immediately.

    You need to make sure you are using the current version of ALL programs. You do not have the correct version of MGtools. Please download it from the link in the READ & RUN ME and run it. Attach a new log.

    Make sure you have the current versions of MBAM and SAS and try running them again.

    I see you have been using Avenger! Are you already working your problems in another forum?
     
  5. Bobny

    Bobny Private E-2

    Thanks for the reply:
    - TrendMicro deleted.
    - Re-downloaded MBAM and SAS and tried again to run - still would not run.
    - Re-downloaded MGtools and ran successfully. New log attached.
    - Not working problem in another forum. Avenger was old and is now deleted.

    Thanks for your help.
    Bobny
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Old??? It was from Nov 17, 2008???

    Also you have a recent ComboFix log
    Code:
    "C:\"
    COMBO-~1      Nov 13 2008              "Combo-Fix"
    combofix.txt  Nov 13 2008      434434  "ComboFix.txt"
    Plus I see a lot of logs from SUPERAntiSpyware and Malwarebytes that were created over the last few months. Looks like you have been having lots of malware problems.


    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: {6e9c5c29-2e23-188b-18a4-828d9eda3d52} - {25d3ade9-d828-4a81-b881-32e292c5c9e6} - C:\WINDOWS\system32\evxelw.dll
    O2 - BHO: (no name) - {A1F88CB3-3D3B-40AF-B357-6BA607E9D08C} - C:\WINDOWS\system32\jkkLCvwx.dll
    O2 - BHO: (no name) - {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - C:\WINDOWS\system32\wvUkKdda.dll
    O4 - HKLM\..\Run: [Antivirus Pro 2009] "C:\Program Files\AntivirusPro2009\AntivirusPro2009.exe" /hide
    O4 - HKLM\..\Run: [brastk] brastk.exe
    O4 - HKLM\..\Run: [18172ef2] rundll32.exe "C:\WINDOWS\system32\julbtqlf.dll",b
    O20 - AppInit_DLLs: karna.dat azozfn.dll wwjpyc.dll yeeahv.dll evxelw.dll
    O20 - Winlogon Notify: wvUkKdda - C:\WINDOWS\SYSTEM32\wvUkKdda.dll

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\TEMP
    C:\Documents and Settings\Bob\Local Settings\Temp\

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
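The HijackThis entries selected in this post are the four persistence points a practitioner triages first on an XP box: O20 AppInit_DLLs (every DLL listed is loaded into every process that loads user32.dll), O20 Winlogon Notify (a DLL loaded by winlogon.exe before any user tool runs), unnamed O2 BHOs loading from system32 (into every Internet Explorer instance), and O4 Run values with random names or rundll32 loading a system32 DLL. The script below is an added example, not HijackThis code and not part of this thread's procedure: it scores HijackThis-style lines by those rules. The rules and severity labels are this example's own assumptions and only a triage aid, not a verdict; the sample input is the lines quoted above plus one constructed benign BHO for contrast.

```python
"""Triage HijackThis-style log lines by persistence mechanism.

Added example for this thread; it is not HijackThis code and not part of the
MajorGeeks cleaning procedure. The scoring rules are this example's own
assumptions. Sample input is constructed from the lines quoted in post 6 plus
one made-up benign BHO for contrast.
"""
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: {6e9c5c29-2e23-188b-18a4-828d9eda3d52} - {25d3ade9-d828-4a81-b881-32e292c5c9e6} - C:\WINDOWS\system32\evxelw.dll
O2 - BHO: (no name) - {A1F88CB3-3D3B-40AF-B357-6BA607E9D08C} - C:\WINDOWS\system32\jkkLCvwx.dll
O4 - HKLM\..\Run: [Antivirus Pro 2009] "C:\Program Files\AntivirusPro2009\AntivirusPro2009.exe" /hide
O4 - HKLM\..\Run: [brastk] brastk.exe
O4 - HKLM\..\Run: [18172ef2] rundll32.exe "C:\WINDOWS\system32\julbtqlf.dll",b
O20 - AppInit_DLLs: karna.dat azozfn.dll wwjpyc.dll yeeahv.dll evxelw.dll
O20 - Winlogon Notify: wvUkKdda - C:\WINDOWS\SYSTEM32\wvUkKdda.dll
O2 - BHO: Example Helper - {00000000-1111-2222-3333-444444444444} - C:\Program Files\Example\ExampleHelper.dll
"""


@dataclass
class Finding:
    severity: str   # HIGH, MEDIUM or LOW (this example's own scale)
    section: str    # HijackThis section code: R0, O2, O4, O20, ...
    reason: str
    line: str


ENTRY = re.compile(r"^([RFOS]\d+)\s+-\s+(.*)$")
SYSTEM32 = re.compile(r"\\(windows|winnt)\\system32\\", re.I)
GUID = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
HEX_NAME = re.compile(r"^[0-9a-f]{8}$", re.I)
DEAD = re.compile(r"\((no file|file missing)\)|AutorunsDisabled", re.I)


def triage_line(line):
    """Classify one HijackThis line; returns a Finding or None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, body = m.groups()

    # Target already gone: harmless, but fix it so the dead hook is removed.
    if DEAD.search(body):
        return Finding("LOW", code, "orphaned entry, target missing; fix it to tidy up", line)

    if code == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = body.split(":", 1)[1].split()
        if dlls:
            return Finding("HIGH", code,
                           f"AppInit_DLLs loads {len(dlls)} module(s) into every "
                           f"process that uses user32.dll: {' '.join(dlls)}", line)

    if code == "O20" and body.startswith("Winlogon Notify:"):
        return Finding("HIGH", code, "Winlogon Notify package runs inside winlogon.exe at logon", line)

    if code == "O2" and body.startswith("BHO:"):
        # Format: BHO: <name> - <CLSID> - <path>
        parts = [p.strip() for p in body[4:].split(" - ")]
        name, path = parts[0], parts[-1]
        if (name == "(no name)" or GUID.match(name)) and SYSTEM32.search(path):
            return Finding("HIGH", code, "unnamed BHO loading a DLL from system32 into Internet Explorer", line)
        return None

    if code == "O4":
        # Format: <hive>\..\Run: [<value name>] <command line>
        m = re.match(r"^.*?\[([^\]]*)\]\s*(.*)$", body)
        if m:
            name, target = m.groups()
            if HEX_NAME.match(name) or re.search(r"rundll32.*\\system32\\", target, re.I):
                return Finding("HIGH", code, "Run value with a random hex name or rundll32 loading a system32 DLL", line)
            if re.search(r"\s/hide\b", target, re.I):
                return Finding("MEDIUM", code, "program starts hidden; verify the publisher", line)
            if not re.search(r"[\\/]", target):
                return Finding("MEDIUM", code, "bare filename, resolved through the PATH search order", line)
        return None

    if code == "R0" and "Local Page" in body:
        return Finding("LOW", code, "non-default Internet Explorer local page", line)
    return None


def triage(text):
    """Run triage_line over a whole log; findings come back in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


def summarize(findings):
    """Count findings per severity."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    order = ("HIGH", "MEDIUM", "LOW")
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f.severity)):
        print(f"{f.severity:6} {f.section:4} {f.reason}\n       {f.line.strip()}")
```

Orphaned entries ("(no file)", "(file missing)", AutorunsDisabled) score LOW because the target is already gone; the same rules run over the second HijackThis list later in this thread, where every entry is marked file missing, return only LOW findings, which is consistent with that round being cleanup of leftovers.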
     
  7. Bobny

    Bobny Private E-2

    Chaslang,
    Thanks for the reply.

    For information, I have run Malware programs in the past; however, I did not run Avenger on November 17, nor am I working with another forum to correct the current problem. I truly appreciate your help and am being honest with you.

    I followed your latest instructions with the following results:
    - Remove Windows Messenger - Done
    - Run analyse.exe - Done per instructions
    - Run Avenger - Done per instructions, log attached
    - Delete files from C:\Windows\Temp - Done
    - Delete files from C:\Documents and Settings\Bob\Local Settings\Temp\ - Done
    - Run Ccleaner - Done
    - Run C:\MGTools\GetLogs.bat - Done, log attached.

    Computer now starts up without getting the auto shutdown, and I no longer get popups saying the computer is infected. However, I still cannot run Superantispyware, Malwarebytes, etc. and I still cannot access your site on the internet - I get redirected.

    Thanks for any further help.
    Bobny
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm just going by your first MGlogs.zip file. In it you will find a newfiles.txt log, and in this log the below shows:
    Code:
    "C:\"
    AVENGER       Nov 14 2008              "Avenger"
    avenger.txt   Nov 17 2008        3228  "avenger.txt"
    bug.txt       Nov 17 2008        3608  "Bug.txt"
    COMBO-~1      Nov 13 2008              "Combo-Fix"
    combofix.txt  Nov 13 2008      434434  "ComboFix.txt"
    DCOMBO~1      Nov 17 2008              "DComboFix"
    This means that Avenger was installed on Nov 14th and had a log created on Nov 17th. Also you can see that combofix was being used on Nov 13th.


    What exactly happens when you run them? Please uninstall them completely right now and then reboot.

    To where?

    Your logs show a load of connections open to/from your PC. Are you running any P2P or torrent type programs? If so, you need to stop running them while working on your problems. Below is a list of the active connections showing:
    Code:
    Active Connections
      Proto  Local Address          Foreign Address        State
      TCP    dell-bl:1516           dell-bl:1064           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1067           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1070           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1073           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1076           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1078           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1081           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1084           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1087           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1090           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1093           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1096           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1098           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1101           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1105           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1108           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1111           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1114           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1117           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1120           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1123           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1126           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1129           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1132           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1135           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1138           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1141           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1143           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1146           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1149           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1152           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1154           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1157           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1160           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1163           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1166           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1169           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1172           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1174           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1177           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1181           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1182           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1186           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1189           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1192           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1195           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1198           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1201           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1204           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1207           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1210           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1213           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1216           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1219           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1222           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1224           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1226           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1229           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1232           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1234           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1236           CLOSE_WAIT
      TCP    dell-bl:1516           dell-bl:1239           CLOSE_WAIT
      TCP    dell-bl:1044           a72-247-146-35.deploy.akamaitechnologies.com:http  ESTABLISHED
      TCP    dell-bl:1065           qb-in-f103.google.com:http  CLOSE_WAIT
      TCP    dell-bl:1068           qb-in-f102.google.com:http  CLOSE_WAIT
      TCP    dell-bl:1071           126.114.233.72.static.reverse.ltdomains.com:http  CLOSE_WAIT
      TCP    dell-bl:1074           83.238.36.72.static.reverse.ltdomains.com:http  CLOSE_WAIT
      TCP    dell-bl:1079           64.111.196.117:http    CLOSE_WAIT
      TCP    dell-bl:1082           64.111.220.234:http    CLOSE_WAIT
      TCP    dell-bl:1085           sv-click.looksmart.com:http  CLOSE_WAIT
      TCP    dell-bl:1094           eh-in-f184.google.com:http  CLOSE_WAIT
      TCP    dell-bl:1099           unused.networksolutions.com:http  CLOSE_WAIT
      TCP    dell-bl:1115           83.238.36.72.static.reverse.ltdomains.com:http  CLOSE_WAIT
      TCP    dell-bl:1118           83.238.36.72.static.reverse.ltdomains.com:http  CLOSE_WAIT
      TCP    dell-bl:1121           64.111.196.117:http    CLOSE_WAIT
      TCP    dell-bl:1124           64.111.208.45:http     CLOSE_WAIT
      TCP    dell-bl:1144           ld-interstitial.las.marchex.com:http  ESTABLISHED
      TCP    dell-bl:1147           ld-interstitial.las.marchex.com:http  ESTABLISHED
      TCP    dell-bl:1150           ld-interstitial.las.marchex.com:http  ESTABLISHED
      TCP    dell-bl:1158           bwcontentb.las.marchex.com:http  ESTABLISHED
      TCP    dell-bl:1164           www.whitepages.com:http  CLOSE_WAIT
      TCP    dell-bl:1167           paginas.superpages.com:http  ESTABLISHED
      TCP    dell-bl:1170           paginas.superpages.com:http  CLOSE_WAIT
      TCP    dell-bl:1175           paginas.superpages.com:http  CLOSE_WAIT
      TCP    dell-bl:1178           paginas.superpages.com:http  ESTABLISHED
      TCP    dell-bl:1183           a72-247-146-112.deploy.akamaitechnologies.com:http  ESTABLISHED
      TCP    dell-bl:1184           a72-247-146-112.deploy.akamaitechnologies.com:http  ESTABLISHED
      TCP    dell-bl:1187           qb-in-f102.google.com:http  CLOSE_WAIT
      TCP    dell-bl:1190           qb-in-f103.google.com:http  CLOSE_WAIT
      TCP    dell-bl:1193           126.114.233.72.static.reverse.ltdomains.com:http  CLOSE_WAIT
      TCP    dell-bl:1196           qb-in-f102.google.com:http  CLOSE_WAIT
      TCP    dell-bl:1199           83.238.36.72.static.reverse.ltdomains.com:http  CLOSE_WAIT
      TCP    dell-bl:1202           208.122.40.118:http    CLOSE_WAIT
      TCP    dell-bl:1205           208.122.40.118:http    CLOSE_WAIT
      TCP    dell-bl:1208           NET-allocation-00026135.ix.sitestream.net:http  CLOSE_WAIT
      TCP    dell-bl:1211           NET-allocation-00026135.ix.sitestream.net:http  CLOSE_WAIT
      TCP    dell-bl:1214           NET-allocation-00026135.ix.sitestream.net:http  CLOSE_WAIT
      TCP    dell-bl:1217           NET-allocation-00026135.ix.sitestream.net:http  CLOSE_WAIT
      TCP    dell-bl:1220           NET-allocation-00026135.ix.sitestream.net:http  CLOSE_WAIT
      TCP    dell-bl:1227           NET-allocation-00026135.ix.sitestream.net:http  CLOSE_WAIT
      TCP    dell-bl:1230           74.205.26.220:http     CLOSE_WAIT
      TCP    dell-bl:1237           a72-247-146-112.deploy.akamaitechnologies.com:http  ESTABLISHED
      TCP    dell-bl:1240           unassigned.BGP.Serverstream.net:http  CLOSE_WAIT
      TCP    dell-bl:1241           a72-247-146-112.deploy.akamaitechnologies.com:http  ESTABLISHED 

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {6A077705-9D92-4869-B219-C207C64EF9E4} - C:\WINDOWS\system32\jkkLCvwx.dll (file missing)
    O2 - BHO: (no name) - {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - C:\WINDOWS\system32\wvUkKdda.dll (file missing)
    O4 - Global Startup: AutorunsDisabled
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (file missing)
    O20 - Winlogon Notify: wvUkKdda - wvUkKdda.dll (file missing)

    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "All Files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Nov 24, 2008
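Reading the netstat listing in the post above by hand is error-prone. In each `dell-bl:1516  dell-bl:10xx  CLOSE_WAIT` line the local end is port 1516 and the peer is an ephemeral port on the same host, so port 1516 is the accepting side, and CLOSE_WAIT means the peer has already sent FIN while the process owning 1516 has not closed its socket; dozens of those piled up means that process is not cleaning up. The outbound lines that follow each one use the next port number (1064 then 1065 to google.com, 1067 then 1068, and so on). The script below is an added example, not part of the thread or of MGtools: it parses such output, counts same-host fan-in per local port, tallies external hosts, and pairs each inbound same-host connection with the outbound one opened from the next port. The sample is a constructed subset modelled on the listing above; the pairing rule (Windows XP hands out ephemeral ports sequentially, so port N+1 opened right after N is likely the same process relaying) is this example's assumption, and its output is an indicator to chase with a process-to-port tool, not proof of a local proxy.

```python
"""Summarise netstat -a style output: which local ports are being connected to
by this same host, which external hosts are in play, and whether each inbound
same-host connection is paired with an outbound one from the next port.

Added example for this thread, not part of the MajorGeeks procedure. The sample
below is a constructed subset modelled on the output quoted in post 8
(hostname dell-bl); the pairing heuristic is this example's own assumption.
"""
import re
from collections import Counter, namedtuple

Conn = namedtuple("Conn", "proto lhost lport fhost fport state")

# Windows netstat prints "host:port" columns; IPv6 literals (which also
# contain colons) are not handled by this pattern.
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")

SAMPLE_NETSTAT = """\
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    dell-bl:1516           dell-bl:1064           CLOSE_WAIT
  TCP    dell-bl:1516           dell-bl:1067           CLOSE_WAIT
  TCP    dell-bl:1516           dell-bl:1070           CLOSE_WAIT
  TCP    dell-bl:1516           dell-bl:1073           CLOSE_WAIT
  TCP    dell-bl:1516           dell-bl:1078           CLOSE_WAIT
  TCP    dell-bl:1044           a72-247-146-35.deploy.akamaitechnologies.com:http  ESTABLISHED
  TCP    dell-bl:1065           qb-in-f103.google.com:http  CLOSE_WAIT
  TCP    dell-bl:1068           qb-in-f102.google.com:http  CLOSE_WAIT
  TCP    dell-bl:1071           126.114.233.72.static.reverse.ltdomains.com:http  CLOSE_WAIT
  TCP    dell-bl:1074           83.238.36.72.static.reverse.ltdomains.com:http  CLOSE_WAIT
  TCP    dell-bl:1079           64.111.196.117:http    CLOSE_WAIT
  TCP    dell-bl:1144           ld-interstitial.las.marchex.com:http  ESTABLISHED
  TCP    dell-bl:1147           ld-interstitial.las.marchex.com:http  ESTABLISHED
"""


def _port(p):
    """Numeric ports become ints; service names such as 'http' stay strings."""
    return int(p) if p.isdigit() else p


def parse_netstat(text):
    conns = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            proto, lhost, lport, fhost, fport, state = m.groups()
            conns.append(Conn(proto, lhost, _port(lport), fhost, _port(fport), state or ""))
    return conns


def local_listeners(conns, threshold=3):
    """Local ports holding at least `threshold` connections whose peer is this
    same host: the repeated local port is the accepting (listening) end."""
    fan_in = Counter(c.lport for c in conns if c.fhost == c.lhost)
    return {port: n for port, n in fan_in.items() if n >= threshold}


def external_hosts(conns):
    """How many connections exist to each host that is not this machine."""
    return Counter(c.fhost for c in conns if c.fhost != c.lhost)


def relay_pairs(conns, listener_port):
    """Pair each same-host connection into listener_port (from ephemeral port N)
    with an outbound connection from port N+1. Assumption: Windows XP allocates
    ephemeral ports sequentially, so the outbound socket opened right after the
    inbound one was likely opened by the process that accepted it."""
    outbound = {c.lport: c for c in conns if c.fhost != c.lhost}
    pairs = []
    for c in conns:
        if c.lport == listener_port and c.fhost == c.lhost and isinstance(c.fport, int):
            nxt = outbound.get(c.fport + 1)
            if nxt:
                pairs.append((c.fport, nxt.lport, nxt.fhost))
    return pairs


def report(text, threshold=3):
    conns = parse_netstat(text)
    listeners = local_listeners(conns, threshold)
    return {
        "connections": len(conns),
        "states": dict(Counter(c.state for c in conns)),
        "local_listeners": listeners,
        "external_hosts": external_hosts(conns),
        "relay_pairs": {p: relay_pairs(conns, p) for p in listeners},
    }


if __name__ == "__main__":
    r = report(SAMPLE_NETSTAT)
    print(f"{r['connections']} connections, states: {r['states']}")
    for port, n in r["local_listeners"].items():
        print(f"local port {port}: {n} same-host connections")
        for inbound, outbound, host in r["relay_pairs"][port]:
            print(f"  in from :{inbound} -> out from :{outbound} to {host}")
    for host, n in r["external_hosts"].most_common():
        print(f"{n:3} {host}")
```

On the full listing from the post the same logic reports one local port with sixty-odd same-host connections; the next step a practitioner would take is to map that port to its owning process (on XP, `netstat -ano` plus Task Manager's PID column) rather than to act on the netstat output alone.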
  9. Bobny

    Bobny Private E-2

    Chaslang,
    Thanks for the reply and your patience. I went through your instructions with the following results.

    1. I see the newfiles.txt log with Avenger listed on November 14 - I just can't explain it.

    2. When I try to run Superantispyware I get an error message "SAS has encountered a problem and must close." I uninstalled it.
    When I try to run Malwarebytes I get the egg timer for a few seconds then nothing. I uninstalled it.

    3. When I try to access your site I get redirected to "search.live.com/results.aspx?FORM=DNSAS&q=www.majorgeeks.com" which appears to be a search engine and has a number of listings for "majorgeek.com". I clicked on one and some sort of scan started with a message in red text "System errors detected. To prevent data lost system scanning is started" which appears to be a bogus scan to me. After scanning for 1 to 2 seconds, the scan was paused and a "Windows Internet Explorer" pop up appeared saying "Windows is scanning your system for threats. The scanning is provided by our official partner Antispyware scanner. Please refrain from closing the window until the scanning is finished. We highly recommend you to install the full version of Antispyware scanner to monitor your PC for threats and on-time security system updates."

    I closed the pop up and another appeared saying "Please note that Spyware is highly malicious for your PC information privacy. If you want to install the full version, please click "Ok", wait for the page to load, start the installation process and follow the instructions. If you want to wait for scanning results to appear, please click "Cancel". After Antispyware scanner is installed, you can close the scanning window and remove Spyware from your computer."

    This all appeared bogus to me so I closed the second pop up. The scan started again and the first popup appeared again starting the cycle over. I finally was able to close the window and get out of Internet Explorer.

    4. I see the connections listed, but don't really understand what they mean. I also don't really know what "P2P" or "torrent" programs are; however, I have been using the computer to access the internet. I can get to sites such as Google, YouTube, Fidelity, etc., but can't access your site, Superantispyware (redirect to ylwbook.areaconnect.addresses.com...), Malwarebytes, or other such sites. I will stop using the computer to access the internet unless you instruct me to. Is there a way to close the connections?

    5. I ran Analyse.exe, fixme.reg (got success message), Avenger, Ccleaner, and GetLogs.bat as instructed. Logs are attached.

    Thanks again.
    Bobny
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your last log shows that they are not opened now. Perhaps removing the last malware items corrected these.

    Your logs are all clean. If you are still having redirection problems then do the below.


    Click Start, Run, and enter sfc /scannow and click OK. There is a space after the sfc. This runs System File Checker which looks for missing or corrupted system files and attempts to replace/repair them from files on your hard disk or from the CD if necessary. So it will ask for the Windows CD if it needs it.



    Click Start > Run and type in cmd
    • Click OK.
    • This will open a command prompt.
    • Type or copy and paste the following line in the command window:
      ipconfig /flushdns
    • Hit Enter
    • Exit the command window


    Now let's flush the Java Cache
    • Click Start > Settings > Control Panel
    • Double click the Java icon (be patient, it may take a while to open)
    • Now click the General tab and under the Temporary Internet File area
    • Click the Settings button and then click the Delete Files... button.
    • In the next popup click OK.
    If you have multiple Java plugin icons in Control Panel follow the above to clear all their caches.


    Now let's flush the FireFox Cache

    To flush your FireFox Cache:
    • click Tools
    • select Options
    • select Privacy
    • in the section labeled Private Data click Clear Now
    Now let's flush the Internet Explorer Cache

    To flush your Internet Explorer Cache:
    • click Tools
    • Internet Options
    • Now on the General tab, click Delete Files and select Delete all Offline content too
    • Click OK.
    • When it finishes Click OK.
    Now run Ccleaner!

    There is a possibility that your router hardware has been infected. If you have a router hooked up then you need to follow the instructions for your hardware and reset it to factory default settings. Normally there is a recessed push button type switch that needs to be held down for some number of seconds to do this. After resetting to factory defaults on your router, you will need to reconfigure the router for your network if you have made any changes to the default network setup.


    Now put copies of the below two files into a ZIP file and attach it to your next message.
    Code:
    "C:\"
    bug.txt       Nov 17 2008        3608  "Bug.txt"
    combofix.txt  Nov 13 2008      434434  "ComboFix.txt"
    Also run this Running GMER to detect rootkits and attach the GMER log.


    Any change to any of your problems?
     
  11. Bobny

    Bobny Private E-2

    Chaslang,
    Thanks for the latest instructions.

    For information, I note that upon startup I get a message saying "CentralLog.EXE has encountered a problem and needs to close. Do you want to send a report to Microsoft?" I click "Don't send" and continue. Don't know what this means, but thought you should know.

    Here are the results of your latest instructions:
    1. Ran System File Checker - It ran through and took some time, but it completed with no messages.
    2. Ran ipconfig flushdns - completed
    3. Flushed java cache
    4. Firefox not installed
    5. Cleared IE cache
    6. Ran Ccleaner
    7. Tried to run GMER, but it would not run. I get a message saying "The publisher could not be verified. Are you sure you want to run this software?" I select run, but nothing happens.
    8. I noted that you asked for a combofix file to be attached, so I tried to run Combofix but it would not run. I get egg timer then nothing. If I go into Task manager I see ComboFix.exe under processes, but nothing runs.
    9. I reset my router to factory settings using the reset button on the router. I still cannot open your site or malware sites.
    10. I still cannot run Superantispyware or malwarebytes. Same results as previous.
    11. I ran GetLogs again and the file is attached. I noted a message titled ProcessDll.exe-Application Error saying "The application failed to initialize properly (0x0000135). Click on OK to terminate the application." I clicked Ok and the batch file finished. Don't know if this means anything.

    Thanks for your patience with this problem.
    Bobny
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Use Windows Search to see if you can find out where this file is located on your PC. Let me know where it is found.

    Protection software could be getting in the way. Let's try a different tool.




    Please try running ComboFix again...once done then Download Blacklight Beta.
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
    • This application may fire off a warning from your antivirus. Let the driver load. Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    • Please attach the fsblxxxx.log to your next message.
    Also run this Using SDFix and attach the log from SDfix.



    Now click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.
    • Scroll down to “Non-plug and Play Drivers” and click the plus icon to open those drivers.
    • Then search for TDSSserv.sys
    • Let me know if you find this or not.
    • If you do find it, right click on it, and select “Disable”. Do not try to uninstall it.
    No, I did not ask you to run ComboFix. I had asked you to put copies of those two files into a ZIP file and attach them. The C:\ComboFix.txt log that you already have is too large to attach. If you compress it into a ZIP file, you will be able to attach it. I want to see what ComboFix found when you ran it on Nov 13th.

    Please try temporarily bypassing your router and directly connect your PC to your cable or DSL modem and let me know if there is any change.

    This was explained in the Using MGtools link given in the READ & RUN ME. Please run the given fix and then download the current version of MGtools.exe and run a new scan. Then attach the new log.
     
    Last edited: Nov 30, 2008
  13. Bobny

    Bobny Private E-2

    Chaslang,
    Thanks for the latest guidance. PC seems to be running much better. Here are the results.

    1. Searched for Centrallog.exe and found two: CentralLog.exe in "C:\Program Files\Pointsec for PC" and CENTRALLOG.EXE-1CC43403.PF in "C:\WINDOWS\Prefetch". I am still getting the error message.

    2. Tried Combofix but did not run. Log from Nov 13 attached.

    3. Ran Blacklight - nothing found. Log attached.

    4. Tried SDFix but did not run first try. Tried again after completing item 8 below and it did run. Log attached.

    5. Searched for TDSSserv.sys - found it and disabled it.

    6. Installed MS .NET framework and re-ran GetLogs.bat with no error message - log attached.

    7. Tried internet and can now get to all sites with no problem.

    8. Can now run Superantispyware (found 58 items), Spybot (found 18 items) and Malwarebytes (found 18 items) - log attached in next reply.

    Thank you so much for your help. Is there anything else I should do now?
    Bobny
     


  14. Bobny

    Bobny Private E-2

    Chaslang,
    Here are remaining logs.
    Bobny
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You mean PointSec for PC! This is software you installed. You will have to take this problem up with them. A possible solution may be to reboot and reinstall if you need the software. This is not an issue for the Malware Forum.

    Your logs are clean now.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. If we had you use SDFix, you can delete all the SDFix-related files and folders from your Desktop or wherever you installed it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  16. Bobny

    Bobny Private E-2

    Chaslang
    I completed the cleanup and the computer seems to be running fine. Thank you for all your help. You did a great job and I very much appreciate it!

    Bobny
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
