Infected

Alin · Aug 13, 2008

Been a while since i re-installed win.
Ever since the 1st boot i have been getting some sort of windows announcements telling me to go to a website and download this and scan that ...
Evan i know windows does not warn you about infections

So i have run countless scans and almost all of them found the same problems.
Naturally i clicked remove but they still come up in scans over and over

Most of them are in Windows/System32/
wzcfsw.dll
ddserh.dll
sgdewg.dll
fmcvxy.dll
tdfhex.dll
hqghumea.dll
AclLayer.dll
etc...

They are just to stubborn to go away and they seem to be multiplying

Please help!

Alin · Aug 13, 2008

MGtools log

TimW · Aug 14, 2008

Let's begin with this:

Run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [WinDLL (wingatey32.exe)] rundll32.exe E:\WINDOWS\System32\wingatey32.exe,start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-21-1004336348-838170752-1801674531-1003\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O21 - SSODL: DesktopWin - {DA191DE0-AA86-4ED0-4B87-292A3D48BE99} - E:\WINDOWS\AppPatch\DesktopWin.dll
Click to expand...

After clicking Fix, exit HJT.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinDLL (wingatey32.exe)"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DesktopWin"=-
Click to expand...

Now download The Avenger by Swandog469, and save it to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

KILLALL::

Files to delete:
E:\WINDOWS\system32\hqghumea.dll
E:\WINDOWS\system32\wingatey32.exe
E:\WINDOWS\AppPatch\DesktopWin.dll
Click to expand...

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\%username%\Local Settings\Temp

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Be sure to tell us how things are running.

Alin · Aug 14, 2008

Hello TimW thx for the reply

i did all the steps you intructed me to to
only this line was still present in HJT after the scan:

O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"

fixed that , then did the reg edit

on Avenger however the command

KILLALL::

Files to delete:
E:\WINDOWS\system32\hqghumea.dll
E:\WINDOWS\system32\wingatey32.exe
E:\WINDOWS\AppPatch\DesktopWin.dll

returned with an error :
Error:invalid script. A valid script must begin with a command directive.
Aborting execution!

TimW · Aug 14, 2008

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
Click to expand...

Use windows explorer to find and delete those files.

Alin · Aug 14, 2008

Use windows explorer to find and delete those files.
Click to expand...

I did disable windows system restore and did a scan with Kaspersky virus removal tool
Had a suspicion since thouse files are coming back over and over again also did install Sygate Personal Firewall since some of them ware trojan downloaders

anyhow the point is that thouse files aren't there anymore so i guess i'm clean now
Thank you verry much

Oh and here are the MGtools and avenger logs

TimW · Aug 15, 2008

The avenger log just shows that I need to get more sleep.....let's do a little bit more:

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O20 - AppInit_DLLs: mssetd.dll lenowos.dll sunesn.dll esceps.dll cmonos.dll offscrl.dll cxhole.dll therbrek.dll rmbsony.dll manleu.dll wdhotem.dll jolinos.dll keyiftp.dll baccops.dll xpsbos.dll crtnumo.dll dickus.dll zlcdps.dll G
O21 - SSODL: sysocmgr - {DA1DE019-A6A8-ED40-4B87-248B2A93DE99} - (no file)
Click to expand...

NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

After clicking Fix, exit HJT.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"sysocmgr"=-
Click to expand...

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.

Alin · Aug 16, 2008

Did again as instructed
HJT did NOT return with an error

MGlogs below

TimW · Aug 16, 2008

Your logs are clean...but you need to download the service packs.

If you are not having any other malware problems, it is time to do our final steps:

You can uninstall SUPERAntiSpyware now.

We recommed you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete the C:\combo-fix folder from combofix.

If we had you run Avenger, you can delete all files related to Avenger now.

If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Click to expand...

Alin · Aug 17, 2008

Well it all worked fine for a while
But it seems that after 1 day or so my old friends are back

Also something is changing my IP . getting unable to connect errors on my internet starter program . if i want to connect to the net i have to do it from safe mode

MGlogs below

TimW · Aug 17, 2008

You still have not installed either SP2 or SP3 .....we can't keep plugging the leaks.

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O20 - AppInit_DLLs: aaa.dll,hbmhly.dll lensch.dll biroas.dll cmonos.dll offscrl.dll cxhole.dll therbrek.dll rmbsony.dll dualey.dll wdhotem.dll baccops.dll
O21 - SSODL: DesktopWin - {DA191DE0-AA86-4ED0-4B87-292A3D48BE99} - (no file)
O21 - SSODL: sysocmgr - {DA1DE019-A6A8-ED40-4B87-248B2A93DE99} - (no file)
O21 - SSODL: comuidsg.dll - {898E02AB-9372-4a2c-9C4A-FFE1AF61097F} - E:\WINDOWS\System32\comuidsg.dll
Click to expand...

After clicking Fix, exit HJT.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DesktopWin"=-
"sysocmgr"=-
"comuidsg.dll"=-

[HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\ShellExecuteHooks]
"{A9895933-6636-4281-BC58-EE6DE2AF96E3}"=-
"{898E02AB-9372-4a2c-9C4A-FFE1AF61097F}"=-
"{73AE86E6-7F03-4C3B-8980-FB1DA157D3C7}"=-
"{006CA8A1-61BC-4774-A54C-F49034270BAD}"=-
"{0B846B26-BFE6-4E8E-A948-1DB17B77B483}"=-
"{F99DEFDD-200B-4410-B572-E90883D527D2}"=-
"{7914E0AA-ECCB-4311-B584-C49538227824}"=-
Click to expand...

* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

Files to delete:
E:\WINDOWS\system32\biroas.dll
E:\WINDOWS\system32\comuidsg.dll
E:\WINDOWS\system32\lensch.dll
E:\WINDOWS\system32\dualey.dll
Click to expand...

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\%username%\Local Settings\Temp

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Alin · Aug 18, 2008

Did as instructed
Download & install XP service pack 3

also HJT , regfix and deleted the temp folders

mgtools & avenger logs below

P.S. still using safe mode for the internet

TimW · Aug 18, 2008

We are getting there:

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: aaa.dll,HBmhly.dll
O21 - SSODL: comuidsg.dll - {898E02AB-9372-4a2c-9C4A-FFE1AF61097F} - E:\WINDOWS\System32\comuidsg.dll (file missing)
Click to expand...

NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

After clicking Fix, exit HJT.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97421D0D-E07F-40DF-8F07-99597B9585AD}]

[HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\ShellExecuteHooks]
"{17DFD111-BF3A-4CB4-ADB0-88FCBFE69821}"=-
"{898E02AB-9372-4a2c-9C4A-FFE1AF61097F}"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"comuidsg.dll"=-
Click to expand...

* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

Drivers to delete:
oreans32
HBKernel
cdralw

Files to delete:
E:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll.ren
E:\WINDOWS\linkinfo.dll
E:\WINDOWS\sysocmgr.dll
E:\WINDOWS\system32\baccops.dll
E:\WINDOWS\system32\candayl.dll
E:\WINDOWS\system32\cmonos.dll
E:\WINDOWS\system32\crtnumo.dll
E:\WINDOWS\system32\cxhole.dll
E:\WINDOWS\system32\ddserh.dll
E:\WINDOWS\system32\eoceps.dll
E:\WINDOWS\system32\HBmhly.dll
E:\WINDOWS\system32\hhrdxd.dll
E:\WINDOWS\system32\hqghumea.dll
E:\WINDOWS\system32\nvipat.dll
E:\WINDOWS\system32\tdfhex.dll
E:\WINDOWS\system32\therbrek.dll
E:\WINDOWS\system32\wdhotem.dll
E:\WINDOWS\system32\wrqszl.dll
E:\WINDOWS\system32\zgtwfx.dll
E:\WINDOWS\system32\drivers\cdralw.sys
E:\WINDOWS\system32\drivers\HBKernel.sys
E:\WINDOWS\system32\drivers\oreans32.sys
Click to expand...

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\%username%\Local Settings\Temp

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Be sure to tell us how things are running.

Alin · Aug 18, 2008

did as instructed
HJT+avenger+regfix+delete temp's
Logs below

P.S. Internet is working under normal windows boot now

TimW · Aug 19, 2008

A little more:

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O20 - AppInit_DLLs: aaa.dll,HBmhly.dll
Click to expand...

NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

After clicking Fix, exit HJT.

* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

Drivers to delete:
aaa
HBmhly

Files to delete:
E:\WINDOWS\system32\explore.exe
E:\WINDOWS\system32\lenschk.exe
E:\WINDOWS\system32\zlcdps.dll

Folders to delete:
E:\Program Files\PC Tools AntiVirus
E:\Program Files\WinClamAVShield
Click to expand...

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\%username%\Local Settings\Temp

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Be sure to tell us how things are running.

Alin · Aug 20, 2008

Again did as instructed

Everything seems to work fine now , thank you very much

TimW · Aug 20, 2008

Works for me...

If you are not having any other malware problems, it is time to do our final steps:

You can uninstall SUPERAntiSpyware now.

We recommed you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete the C:\combo-fix folder from combofix.

If we had you run Avenger, you can delete all files related to Avenger now.

If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Click to expand...

Infected

Alin Private E-2

Attached Files:

Alin Private E-2

Attached Files:

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Alin Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Alin Private E-2

Attached Files:

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Alin Private E-2

Attached Files:

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Alin Private E-2

Attached Files:

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Alin Private E-2

Attached Files:

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Alin Private E-2

Attached Files:

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Alin Private E-2

Attached Files:

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member