infected computer???

Discussion in 'Malware Help (A Specialist Will Reply)' started by adjohnson1971, Jan 1, 2006.

  1. adjohnson1971

    adjohnson1971 Private E-2

    Hi all. I've looked through previous threads and can find similar items, but I'm unsure if they're the same, so please forgive me if I'm repeating something.
    A few days ago I had a warning from AVG about a virus and one from Microsoft AntiSpyware about some changes. I thought I'd blocked it all, but when I later ran Spybot S&D, Ad-Aware and AVG they were running at a snail's pace. Also a program called UnSpy?? installed itself, which I hope I deleted using Add/Remove. Later scanning found various Trojans etc. which were removed. I also noticed that when I click on a link using a search engine I'm taken away from that link.
    Spybot, Ad-Aware and AVG seem to be running at normal speed now, but after following your instructions in the removal forum, my searching on the internet is still playing up.
    My scan results are as follows:
    Spybot reports xuron55 (file C:\windows\win.ini cannot be opened; the process cannot access the file because it is being used by another process).
    Microsoft AntiSpyware found a Trojan downloader, Small Popcorn 64, which it deleted.
    CWShredder was clear.
    Kill2Me was clear.
    AVG has a reading error on a file in c:\windows\system32\; once it was dmqkk.exe and on a second scan it was dmgik.exe.
    BitDefender and Panda Software reports are attached, with HijackThis.
    Please help!!! Many thanks.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you know what the below two items are for?
    R3 - URLSearchHook: (no name) - {F52FCEF5-B5FC-4016-D813-A3A859F815AA} - dePloy.dll (file missing)
    O23 - Service: Configuration Loader (a3) - Unknown owner - C:\WINDOWS\System32\misurp.exe" -service (file missing)

    You have a Wareout infection!

    Look in Add/Remove programs for UnSpyPC and uninstall if found.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe
    • Save it to your desktop and then run it by double clicking on it. It creates a folder named c:\fixwareout.
    • Click Next, then Install.
    • Then make sure Run fixit is checked (this runs C:\fixwareout\fixit.bat). And then click Finish.
    • The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; this is normal.
    • When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items if they still exist:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [WinInitDll] msag.exe
    O4 - HKLM\..\Run: [NopeZ] TForm1.exe
    O4 - HKLM\..\Run: [dmmdl.exe] C:\WINDOWS\system32\dmmdl.exe
    O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
    O4 - HKCU\..\Run: [sysconf16] wormexe.exe
    O4 - HKCU\..\Run: [slamm] bhoserv.exe
    O4 - HKCU\..\Run: [NSYSCPLSTR] cmon14.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{12DA6479-F89B-4B48-A2D6-1543A1959EDC}: NameServer = 85.255.116.148,85.255.112.219
    O17 - HKLM\System\CCS\Services\Tcpip\..\{47EFA1C3-418E-457D-8E9E-ED0270E8D043}: NameServer = 85.255.116.148,85.255.112.219
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7E829DA7-2AFF-47C3-AA2D-894735F92869}: NameServer = 85.255.116.148,85.255.112.219
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BF1EE92E-91ED-4338-91FC-8DF85B643DBD}: NameServer = 85.255.116.148,85.255.112.219
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E8BB67B6-8275-4507-B464-A923EDC103BC}: NameServer = 85.255.116.148,85.255.112.219
    O17 - HKLM\System\CS2\Services\Tcpip\..\{12DA6479-F89B-4B48-A2D6-1543A1959EDC}: NameServer = 85.255.116.148,85.255.112.219
    O17 - HKLM\System\CS3\Services\Tcpip\..\{12DA6479-F89B-4B48-A2D6-1543A1959EDC}: NameServer = 85.255.116.148,85.255.112.219

    After clicking Fix Checked, close HijackThis, and click OK to proceed.

    At the end of the fix, reboot into safe mode and use Windows Explorer to double check for the below files and delete if found:
    C:\Windows\System32\msag.exe
    C:\Windows\System32\TForm1.exe
    C:\WINDOWS\system32\dmmdl.exe
    C:\Windows\System32\wormexe.exe
    C:\Windows\System32\bhoserv.exe
    C:\Windows\System32\cmon14.exe
    C:\WINDOWS\SYSTEM32\howiper.exe
    C:\Program Files\UnSpyPC <--- delete the whole folder

    Additional step to delete imloader.exe:
    - Click Start, Run, and enter cmd in the box and click OK. This opens a command prompt window.
    - Enter the following command lines, each followed by the Enter key:
    cd C:\WINDOWS\Downloaded Program Files\
    attrib -r -h -s imloader.exe
    del imloader.exe

    exit

    Now reboot into normal mode and please attach the contents of the logfile C:\fixwareout\report.txt

    Also attach a new HijackThis log.
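The entries chaslang singled out in this post (a URLSearchHook and a service whose files are gone, Run values that are bare filenames, and NameServer values rewritten on every interface and in every control set) can be picked out of an HJT log mechanically. The script below is an added example, not a MajorGeeks or HijackThis tool; SAMPLE_LOG is constructed from the HJT lines quoted in this post plus two benign lines, and EXPECTED_DNS is an assumed allowlist that a responder would fill in with the resolvers the machine is actually supposed to use.

```python
"""Triage a HijackThis (HJT) log for the indicators discussed in this thread.

Added example, not a MajorGeeks or HijackThis tool. SAMPLE_LOG is constructed
from the HJT lines quoted in this post; EXPECTED_DNS is an assumed allowlist
that a responder fills in with the resolvers the machine should be using.
"""
import re
from collections import defaultdict

# Assumption: the only resolvers this machine should have. Anything else in an
# O17 NameServer value is reported as a hijack candidate.
EXPECTED_DNS = {"192.168.1.1"}

# Sections where "(file missing)" / "(no file)" means the hook, toolbar or
# service registration outlived the deletion of its binary.
DANGLING_SECTIONS = {"R3", "O3", "O23"}

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
O17_RE = re.compile(
    r"HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\\.\.\\"
    r"(?P<guid>\{[0-9A-Fa-f-]+\}): NameServer = (?P<ips>.+)$"
)
O4_RE = re.compile(r"HK[A-Z]+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Constructed sample: the entries quoted in the post, plus two benign lines
# (ctfmon.exe and an AVG 7 service) so the rules have something to ignore.
SAMPLE_LOG = [
    r"R3 - URLSearchHook: (no name) - {F52FCEF5-B5FC-4016-D813-A3A859F815AA} - dePloy.dll (file missing)",
    r"O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)",
    r"O4 - HKLM\..\Run: [WinInitDll] msag.exe",
    r"O4 - HKLM\..\Run: [dmmdl.exe] C:\WINDOWS\system32\dmmdl.exe",
    r'O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{12DA6479-F89B-4B48-A2D6-1543A1959EDC}: NameServer = 85.255.116.148,85.255.112.219",
    r"O17 - HKLM\System\CS2\Services\Tcpip\..\{12DA6479-F89B-4B48-A2D6-1543A1959EDC}: NameServer = 85.255.116.148,85.255.112.219",
    r'O23 - Service: Configuration Loader (a3) - Unknown owner - C:\WINDOWS\System32\misurp.exe" -service (file missing)',
    r"O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe",
]


def triage(lines):
    """Return findings as (section, reason, line) plus every rogue resolver
    with the ControlSet/interface pairs that reference it."""
    findings = []
    rogue_dns = defaultdict(set)
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # HJT header, blank line, or a section we do not parse
        sec, body = m.group("sec"), m.group("body")
        if sec in DANGLING_SECTIONS and ("(file missing)" in body or "(no file)" in body):
            findings.append((sec, "registration survives but its file is gone", body))
        if sec == "O17":
            o = O17_RE.search(body)
            if not o:
                continue
            bad = [ip.strip() for ip in o.group("ips").split(",") if ip.strip() not in EXPECTED_DNS]
            for ip in bad:
                rogue_dns[ip].add(f"{o.group('cs')}:{o.group('guid')}")
            if bad:
                findings.append((sec, "NameServer not in EXPECTED_DNS: " + ", ".join(bad), body))
        elif sec == "O4":
            o = O4_RE.search(body)
            if o and "\\" not in o.group("cmd"):
                # A bare filename is resolved through the PATH at logon; installers
                # almost always write a full path, so this deserves a look.
                findings.append((sec, "Run value is a bare filename", body))
    return {
        "findings": findings,
        "rogue_dns": {ip: sorted(refs) for ip, refs in rogue_dns.items()},
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for sec, reason, line in result["findings"]:
        print(f"[{sec}] {reason}\n    {line}")
    for ip, refs in result["rogue_dns"].items():
        print(f"rogue resolver {ip} set on {len(refs)} ControlSet/interface pair(s): {', '.join(refs)}")
```

Two things the output makes obvious that are easy to miss when reading the log by eye: the same resolver pair is written under CCS and under CS2, so fixing only the current control set leaves a copy behind, and a Run value with a full path such as dmmdl.exe passes the bare-filename rule, so this script narrows the manual review rather than replacing it.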
     
  3. adjohnson1971

    adjohnson1971 Private E-2

    Firstly many thanks.
    I followed your instructions and everything seems to be working correctly, I really can't thank you enough.
    Secondly, I haven't got a clue what those two items are for???
    Anyway, I've attached the log files you requested.
    Once again, a big thank you.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Could the O23 line service be something for your motherboard?

    Do the files in those two lines exist? Look for:
    C:\WINDOWS\System32\dePloy.dll or C:\WINDOWS\dePloy.dll
    C:\WINDOWS\System32\misurp.exe

    If not found try using Windows Search with the instructions given in the below:
    Searching for Hidden Files on WinXP


    Boot into safe mode and delete the below file related to Wareout:
    C:\WINDOWS\SYSTEM32\DMYEB.EXE
     
  5. adjohnson1971

    adjohnson1971 Private E-2

    Hi. I really wouldn't know what those 2 lines relate to; in all honesty it might as well be written upside down and in Chinese!!! However, I've deleted the file as per instructions.
    As for searching for the other 2 files I could find nothing. I searched using windows search and it found nothing relating to those lines. I also did a manual search and found nothing.
    Although not requested I've also attached a hijackthis report.
    Many thanks.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay since they are unknown processes and the files are missing, I'm going to assume the O23 line was related to WinTools malware which is what I suspected.

    First run HJT and select the below line, close all browsers, and click Fix checked:
    R3 - URLSearchHook: (no name) - {F52FCEF5-B5FC-4016-D813-A3A859F815AA} - dePloy.dll (file missing)

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Configuration Loader (or if not found look for a3 ) ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Configuration Loader

    If that does not work try entering the short name: a3

    Now exit HJT and reboot. Check your HJT log after reboot to see if the R3 and O23 lines are now gone and just let me know.

    How are things running now?
     
  7. adjohnson1971

    adjohnson1971 Private E-2

    Hi. Last set of instructions followed and the R3 and O23 lines have now gone.
    HJT log attached for your information.
    Everything seems to be running fine.
    Once again many thanks.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
