I've done the first steps, attached them, now what?

Discussion in 'Malware Help (A Specialist Will Reply)' started by lindyoppa, Nov 23, 2006.

  1. lindyoppa

    lindyoppa Private E-2

    Thanks for this forum! If there are already directions on what to do next, let me know where...
    I did all the work outlined in the "DO THIS FIRST" files, and attached a bunch of things, all of which say that I still have tons of spyware etc floating around. Any advice on what to do next?

    (Three attachments are here, more on the next message)
    THANKS!!!!!
     

    Attached Files:

  2. lindyoppa

    lindyoppa Private E-2

    And here are the rest!
    I hope I got all of them right...
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Wow! You have a load of infections!!!!! This is going to take a few steps and a few other scans.

    Let's begin!

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Next run this Using SDFix and attach the requested log.


    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
     
  4. lindyoppa

    lindyoppa Private E-2

    *thank you* Happy belated Thanksgiving by the way!
    ok, did that, here are a bunch of new things attached.
     

    Attached Files:

  5. lindyoppa

    lindyoppa Private E-2

    And more...
     

    Attached Files:

  6. lindyoppa

    lindyoppa Private E-2

    PS. The above steps went OK, BUT I had to do "safe mode with networking" because regular old safe mode never booted up right. After it asked me for my Windows password, and it gave me that "warning" that this is indeed safe mode, and I clicked "YES" to continue, it never booted up after that, even after like 5 entire minutes.

    So, I had to do the SDFix in Safe Mode With Networking.

    In general, my computer is really slow (like the mouse pointer movement is really choppy) and IE keeps crashing, even after I reinstalled the newest IE browser. (I usually swear by Opera, but some programs, like BDScan & Panda, needed IE.) Eventually it works without crashing but takes many many tries...

    :/
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Use Add/Remove programs to uninstall the below software:
    888Bar
    Gold Codec 4.0
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6
    Mozilla Firefox (1.5)
    Safety Alert 2006
    Safety Bar
    VSAdd-in for Internet Explorer

    Then install the current version of FireFox from: Mozilla Firefox
    Do you use/play WildTangent related games?

    Continue by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of winwea32.dll once and then click the kill button. After you have killed all of the winwea32.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    pmnnn.dll
    fccbcaw.dll

    Next double click on explorer.exe and again click once on each instance of winwea32.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    pmnnn.dll
    fccbcaw.dll

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\ttoqmdhi.dll
    O2 - BHO: (no name) - {11F0EE13-5947-2942-F631-09BEB2706006} - C:\WINDOWS\system32\wirvufc.dll
    O2 - BHO: (no name) - {73F4EBA5-666A-4D7A-8EAA-1ADC06467421} - C:\WINDOWS\system32\pmnnn.dll
    O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt0.dll (file missing)
    O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\fccbcaw.dll
    O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Scbu] "C:\PROGRA~1\ECURIT~1\services.exe" -vt yazb
    O4 - HKCU\..\Run: [Dwnatb] C:\Documents and Settings\HP_Administrator\Application Data\s?stem32\s?anregw.exe
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)
    O20 - Winlogon Notify: fccbcaw - C:\WINDOWS\SYSTEM32\fccbcaw.dll
    O20 - Winlogon Notify: pmnnn - C:\WINDOWS\system32\pmnnn.dll
    O20 - Winlogon Notify: winwea32 - C:\WINDOWS\SYSTEM32\winwea32.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\fccbcaw.dll
    C:\WINDOWS\system32\jezmesh.dll
    C:\WINDOWS\system32\pmnnn.dll
    C:\WINDOWS\system32\ttoqmdhi.dll
    C:\WINDOWS\system32\winwea32.dll
    C:\WINDOWS\system32\wirvufc.dll
    C:\WINDOWS\system32\nnnmp.tmp
    C:\WINDOWS\system32\nnnmp.ini
    C:\WINDOWS\system32\nnnmp.ini2
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete if found:
    C:\Program Files\Gold Codec

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
  8. lindyoppa

    lindyoppa Private E-2

    wow, you are very good at your job--the directions you gave were very thorough! I can't believe how patient you are--there are so many posts to attend to!!!!

    The steps you outlined seemed to go fine. The Killbox all went great (no error messages and it rebooted fine).

    There is still a foreign adware-type popup program whose icon lurks at the bottom right, and tells me I'm infected, then leads me to their site to buy stuff. I cannot find this program under "add/remove" so it must be hidden somewhere else? It is called "Spy iBlock". I've not googled it yet, perhaps I will look to see if I can find another fix for it, in the meantime. If I find it, I'll let you know!

    Other than that, it still seems a little sluggish, especially on starting up...

    Attached are the latest reports.

    PS. I already got rid of WildTangent :)
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Many of the items I asked you to fix are still showing in your logs. This means that either the fixes were not performed properly or that something could be blocking the fixes. Sometime malware can block the fixes and sometimes it is valid protection software getting in the way. Let's cover both sides.

    First uninstall CounterSpy. Then continue.

    Did you forget to uninstall this:

    VSAdd-in for Internet Explorer

    Try uninstalling it again! Let me know what happens.

    Now run the below new procedures!

    I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.


    Now move on to my next message!
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now after completing the steps in my previous message continue here!

    Note items may not be found like last time in Process Explorer but we need to check anyway.


    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of winwea32.dll once and then click the kill button. After you have killed all of the winwea32.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    pmnnn.dll
    fccbcaw.dll

    Next double click on explorer.exe and again click once on each instance of winwea32.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    pmnnn.dll
    fccbcaw.dll

    Now just exit Process Explorer.


    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\Program Files\Common Files\{2DB55AAB-06A1-1033-1028-050513200001}\Update.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\ttoqmdhi.dll
    O2 - BHO: (no name) - {11F0EE13-5947-2942-F631-09BEB2706006} - C:\WINDOWS\system32\wirvufc.dll
    O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt0.dll (file missing)
    O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\fccbcaw.dll
    O2 - BHO: (no name) - {D7E6DB30-A0BE-45D7-AF74-401B09A33182} - C:\WINDOWS\system32\pmnnn.dll
    O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\evycnhvc.dll
    O3 - Toolbar: Protection Bar - {96ebbe6a-2864-4345-b32b-26ee9be524b5} - C:\Program Files\Gold Codec\iesplugin.dll
    O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvpor.dll,startup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Scbu] "C:\PROGRA~1\ECURIT~1\services.exe" -vt yazb
    O4 - HKCU\..\Run: [Dwnatb] C:\Documents and Settings\HP_Administrator\Application Data\s?stem32\s?anregw.exe
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)
    O20 - Winlogon Notify: fccbcaw - C:\WINDOWS\SYSTEM32\fccbcaw.dll
    O20 - Winlogon Notify: pmnnn - C:\WINDOWS\system32\pmnnn.dll
    O20 - Winlogon Notify: winwea32 - C:\WINDOWS\SYSTEM32\winwea32.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\drvpor.dll
    C:\WINDOWS\system32\evycnhvc.dll
    C:\WINDOWS\system32\vtuuust.dll
    C:\WINDOWS\system32\ttoqmdhi.dll
    C:\WINDOWS\system32\wirvufc.dll
    C:\WINDOWS\system32\ixt0.dll
    C:\WINDOWS\system32\fccbcaw.dll
    C:\WINDOWS\system32\pmnnn.dll
    C:\WINDOWS\system32\evycnhvc.dll
    C:\WINDOWS\SYSTEM32\winwea32.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folders and delete if found:
    C:\Program Files\Common Files\{2DB55AAB-06A1-1033-1028-050513200001}
    C:\Program Files\Common Files\{3DB55AAB-06A1-1033-1028-050513200001}
    C:\Program Files\Gold Codec

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
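The O2, O4 and O20 lines the user is asked to fix in posts 7 and 10 show why the Process Explorer step comes before any deletion: pmnnn.dll and fccbcaw.dll are registered both as IE Browser Helper Objects (O2) and as Winlogon Notify packages (O20), so they are loaded inside winlogon.exe and explorer.exe and a plain delete fails until those threads are killed. The script below is an added example written for this page; it is not part of the original thread and not a MajorGeeks tool. It parses HijackThis lines of the kinds shown above into records, flags the properties that made these entries suspicious (a registration whose file is already gone, a '?' in a path, an 8.3 short name, a rundll32 loader, a Winlogon Notify hook, a Trusted Zone exemption) and reports DLLs hooked into both IE and winlogon.exe. The sample log is copied from the thread; the Entry fields and function names are my own, and the reading of '?' as HijackThis standing in for a character it could not print (a '?' cannot occur in a real Windows path) is my interpretation, not something the thread states.

```python
import os
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: HijackThis lines copied from the thread above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\ttoqmdhi.dll
O2 - BHO: (no name) - {73F4EBA5-666A-4D7A-8EAA-1ADC06467421} - C:\WINDOWS\system32\pmnnn.dll
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\fccbcaw.dll
O3 - Toolbar: Protection Bar - {96ebbe6a-2864-4345-b32b-26ee9be524b5} - C:\Program Files\Gold Codec\iesplugin.dll
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvpor.dll,startup
O4 - HKCU\..\Run: [Scbu] "C:\PROGRA~1\ECURIT~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [Dwnatb] C:\Documents and Settings\HP_Administrator\Application Data\s?stem32\s?anregw.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O20 - Winlogon Notify: fccbcaw - C:\WINDOWS\SYSTEM32\fccbcaw.dll
O20 - Winlogon Notify: pmnnn - C:\WINDOWS\system32\pmnnn.dll
O20 - Winlogon Notify: winwea32 - C:\WINDOWS\SYSTEM32\winwea32.dll
"""

LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")      # section, kind, remainder
RUN_RE = re.compile(r"^\[(.*?)\] (.*)$")                 # [name] command line
DANGLING_RE = re.compile(r"\s*\((?:file missing|no file)\)$")


@dataclass
class Entry:                     # field names are this example's own, not HJT's
    section: str                 # O2, O3, O4, O15, O20
    kind: str                    # BHO, Toolbar, Run, Trusted Zone, Winlogon Notify
    name: str
    path: str                    # file path, or the full command line for O4
    clsid: str = ""
    hive: str = ""               # HKLM / HKCU for O4 entries
    flags: list = field(default_factory=list)


def parse_line(line):
    """Turn one HJT log line into an Entry, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    if kind in ("BHO", "Toolbar"):               # "(name) - {CLSID} - path"
        name, clsid, path = rest.split(" - ", 2)
        return Entry(section, kind, name, path, clsid=clsid)
    if kind.endswith("Run"):                     # kind looks like HKLM\..\Run
        name, cmd = RUN_RE.match(rest).groups()
        return Entry(section, "Run", name, cmd, hive=kind.split("\\")[0])
    if kind == "Winlogon Notify":                # "name - path"
        name, path = rest.split(" - ", 1)
        return Entry(section, kind, name, path)
    return Entry(section, kind, rest, "")        # Trusted Zone and anything else


def flag(entry):
    """Attach triage notes: the properties that made the thread's entries suspicious."""
    p = entry.path
    if DANGLING_RE.search(p):
        entry.flags.append("dangling registration (file already gone)")
    if "?" in p:
        # '?' is illegal in a Windows path, so HJT printed it in place of a character
        # it could not display: the folder only looks like system32 (my interpretation)
        entry.flags.append("unprintable char in path (lookalike folder name)")
    if re.search(r"~\d", p):
        entry.flags.append("8.3 short name hides the real folder name")
    if "rundll32" in p.lower():
        entry.flags.append("rundll32 DLL loader")
    if entry.kind == "Winlogon Notify":
        entry.flags.append("DLL is loaded into winlogon.exe at logon")
    if entry.kind == "Trusted Zone":
        entry.flags.append("site exempted from Internet-zone restrictions")
    return entry


def parse_log(text):
    return [flag(e) for e in map(parse_line, text.splitlines()) if e is not None]


def dll_basename(path):
    """Lower-case file name of a registered DLL, '' when the entry points at no file."""
    clean = DANGLING_RE.sub("", path).strip()
    return os.path.basename(clean.replace("\\", "/")).lower()


def dual_hooked_dlls(entries):
    """DLLs registered both as an IE BHO (O2) and as a Winlogon Notify package (O20).
    These are the ones that must be unhooked from winlogon.exe before deletion."""
    by_kind = defaultdict(set)
    for e in entries:
        if e.kind in ("BHO", "Winlogon Notify"):
            b = dll_basename(e.path)
            if b:
                by_kind[e.kind].add(b)
    return by_kind["BHO"] & by_kind["Winlogon Notify"]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(f"{e.section:<4} {e.kind:<16} {e.name:<16} {e.path}")
        for f in e.flags:
            print(f"       ! {f}")
    print("hooked into both IE and winlogon.exe:", sorted(dual_hooked_dlls(entries)))
```

Run against the sample, the script reports pmnnn.dll and fccbcaw.dll as hooked into both IE and winlogon.exe, which is exactly the pair the Process Explorer instructions target; winwea32.dll shows up only under Winlogon Notify, and ttoqmdhi.dll only as a BHO. Feed it a full HJT log and the flags pick out the same kinds of entries a helper would mark by eye, but the verdict on any given DLL still needs a human: a Winlogon Notify entry is a legitimate mechanism as well as a favourite hiding place.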
     
  11. lindyoppa

    lindyoppa Private E-2

    Hi,
    It seems as if I have (had?) the stubborn kinds, since I did in fact follow all steps...This time around, there were some problems:

    1. I tried to uninstall the VS Add-In for IE in the Add/Remove programs function in Control Panel, but it just "blinks" quickly without doing anything. I could have sworn it deleted just fine the first time, but sure enough, it is still there and it won't go away. Is there another way I should be trying to uninstall it?

    2. The vast majority of items listed to check off and "fix" in HJT did not in fact exist on the checklist. Only 4 of the things on your list actually existed. There were also some other "O2-BHO (no name)-{CRAZY LONG NUMBER} items that weren't listed in your post, but I didn't check those ones off.

    3. On that last reboot, I tried to delete the directory {2DB55AAB....} in the Common Files directory, but got the error message "cannot delete, access denied, make sure the disk is not full or write-protected and that the file is not currently in use". The other crazy folder next to it was able to be deleted ({3DB.....})

    4. Also, it seems that the "Spy iBlock" icon is gone from the bottom right screen.

    Ok. Attached are the 3 latest reports I have. Thanks again!!!!
     

    Attached Files:

  12. lindyoppa

    lindyoppa Private E-2

    ...AND this is the rapport.txt report requested from the earlier steps in your last post. I did do it twice (normal then safe mode) but didn't think to rename the first rapport.txt file, so it was written over, thus there is only this one.

    I guess it doesn't matter (it might have mattered just for diagnostic purposes or whatever)...
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is why those instructions began with the below text:
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try using this Your Uninstaller! 2006 to uninstall it. Did that work?

    Good! Never delete anything we don't tell you to delete! That is always the safest approach.

    Sounds like you did not stop the below process:

    C:\Program Files\Common Files\{2DB55AAB-06A1-1033-1028-050513200001}\Update.exe

    I still see it running! Stop it, and then delete the folder.

    Questions:
    1. Do you use the WildTangent game junk?
    2. How are things working?
     
  15. lindyoppa

    lindyoppa Private E-2

    1. Apologies for my error--how frustrating people like me must be!!!! :/

    2. Yes, the "Your Uninstaller 2006" did work to uninstall that last program, Thanks!

    3. A-HA! I somehow missed the part that this thing was a "process" and not an "application" in the Task Manager window. I was able to delete it successfully!

    4. No, I don't use the WildTangent game junk that came with this HP. I don't seem to have the WildTangent game thing anymore.

    5. Things seem to be much better! How can I be sure that I am mal/adware free? Would you advise that I re-scan using the "readme first" sticky from the beginning just to make sure there is no mal/adware left?

    Thank you for your patience!

    I wish I could repay you--if you ever need any advice about language or speech development in children, or about speech/language therapy, ask away! xxxxxxxx@hotmail
     
    Last edited by a moderator: Nov 29, 2006
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Attach new logs from GetRunKey and HJT so I can be sure it is all gone.

    You were not supposed to use Task Manager at all. Read the steps again. You were supposed to use HijackThis's Process Manager. Had this been a different process, you would not have been able to find it or kill it with Task Manager.

    What about all the silly games they installed? They all say xxxxxx from HP Media Center (remove only) where xxxxxx is the name of the game. There are a bunch. If you don't use them, then uninstall them. Also uninstall
    Game Console - WildGames <--- this is the new way Wild Tangent tries to hide itself
    HP Game Console and games <--- don't uninstall unless you are sure you don't need this.

    That is why the READ & RUN ME and other steps are being performed. We don't just fix a symptom that people like yourself mention. We look for all malware and other issues to fix. That is why the READ ME is so long. Just using a HijackThis log like some forums do and like some users expect us to do, results in a PC still being loaded with malware and other issues.

    Thanks! I deleted your email! Here is another important piece of advice. Never ever put your email address in a public forum. It is a sure way to get you added to loads of spammers lists. If you need to give someone an email address, make sure it is done more privately (like a Private Message - called PMs) or if necessary to post in a forum use something like name at emailserver.com . That way it will not be picked up by spam robots that key on an @ sign.
     
  17. lindyoppa

    lindyoppa Private E-2

    Thank you very much! I really appreciate your advice and expertise.
    I'm going to wait to uninstall all the games for now, if that is ok.
    Attached are the latest reports.
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Yes that's okay! If they were true malware, my answer would be no. But they are just things that I call unnecessaryware! ;)

    We have another registry key to cleanup!

    Now Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    After doing the above attach a final GetRunKey log so I can be sure that key was removed and then move on to the below ASAP.

    Your logs are clean (other than the above which is probably fixed after doing the above patch). If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  19. lindyoppa

    lindyoppa Private E-2

    *amazing*
    THank you!
    (you are getting paid, right?!)
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're clean now!

    No!
     
  21. lindyoppa

    lindyoppa Private E-2

    WHAT?!?!?

    I can't find a donation page...Can I pay pal you or something through PM??
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes if you would like you can PM me with an email address and I'll send you details.
     
