I've found 3 malware items on my PC, HELP!!!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Berger, Nov 30, 2007.

  1. Berger

    Berger Private E-2

    First I'd like to apologize for my initial ignorance. Second I would like to thank you in advance for your help. I've browsed around and your forums appear honest, responsive and helpful. I've seen posts with very similar problems but am not sure they fit my exact situation. I recently downloaded an ActiveX plugin for IE; a bad idea, I hate IE to begin with but the plug-in wasn't working on Firefox. I assume that was because it was trojan malware that has now infected my PC with: Worm.Win32.netsky, Win32.Backdoor.Agent, Win32.TrojanSpy.Peed. I am under constant assault with page jackings and pop ups. One of the pop-ups notified me of the Worm.Win32.netsky and asked to remove it but I am not trusting any of them. The other 2 I mention I discovered using Ad-aware, though the program is unable to remove the infection. Through it all Firefox has remained a safe haven. I'm not at all computer savvy but I know my way around the 2k pro OS I am using. I'm thankful for any help.
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  3. Berger

    Berger Private E-2

    Wow, like I said I am ignorant:eek:, that little ditty seemed to cure all the symptoms but the programs you all supplied found WAY more malware than the three I listed above. Scary stuff. I will go ahead and attach the logs I was able to acquire. Though I did run into a problem with AVG Anti-virus. It was not able to remove/quarantine one of the pieces of malware. The program prompted me saying it would remove it after a restart, then asked if I would like to restart now (recommended). I said no, as I was eager to obtain the next log file, but when I clicked the log tab as directed it read: No reports available. I then immediately performed a restart and AVG did not pop up after. Did I screw it up? Am I clean?:confused
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please use add/remove programs to uninstall:
    Java 2 Runtime Environment, SE v1.4.2_04

    Reboot and install:
    Java Runtime 6

    Now disable all anti-virus and anti-spyware programs while we do the following:

    * Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    * On the page that opens, scroll down to fxSVC
    * then right click the entry, select Properties and press Stop Service.
    * When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    * Click OK until you get back to Windows.

    * Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    * At the lower right, click on the Config button
    * Then click the Misc tools button
    * Select Delete an NT Service
    * Copy/paste fxScanner into the box that opens, and press OK
    * If you receive any error messages just ignore them and continue.
    * Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Now re-Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Re-enable your security software ...Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  5. Berger

    Berger Private E-2

    OK. most of my problems returned after a reboot: constant notifications about attacks and the Worm.Win32.Netsky, random "alt-tab"ing between windows and periodic seemingly random IE pages opening.

    I uninstalled the java runtime environment and installed the new one.

    Being sure to disable any anti-malware programs, I saw fxSVC was already stopped, but I did need to disable it.

    Then I downloaded HJT from a different thread on the forum. The program was not mentioned in the READ & RUN ME FIRST section.

    I'm not sure what fxScanner is. Do you mean the fxSVC? I can't copy/paste that or I just don't know how. I went back and tried a scan with HJT to see if that might bring it up but it had an error right after the scan read complete forcing the program to close.

    That's where I'm at right now, in HJT, not sure where to find the fxScanner to copy/paste.

    I'm using my laptop right next to my computer to read the directions and reply, so I'll be attaching a HJT log in another post not sure if it will be of any use at this point.
     
    Last edited: Dec 1, 2007
  6. Berger

    Berger Private E-2

    Here is the log from the HJT scan that failed right after its initial scan was complete.
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please uninstall that HJT ....it is in the wrong place and not renamed ....the proper one was/is installed within the MGTools folder.
    Uninstall all IE toolbars and add-ons.
    Please re-run ComboFix and attach that log as well as "run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this."
     
  8. Berger

    Berger Private E-2

    I don't mean to be difficult and I really appreciate your patience with me, but I don't know how to uninstall IE toolbars and add ons, that is if I have any. I really only use firefox.

    I want to be sure not to skip any steps. I don't see the HJT in the MGtools folder, I see a hijackthis.log but no .exe

    Should I run ComboFix anyway?

    *edit* I see now: hjt was renamed analyse.exe
    I will try running that and follow your steps below, I'll post another reply with what I've found :)
     
    Last edited: Dec 2, 2007
  9. Berger

    Berger Private E-2

    I will attach the logs after closely following your second post.
     

    Attached Files:

  10. Berger

    Berger Private E-2

    Following the 3rd post: Still not able to find how to clear the IE toolbars and add-ons.

    I did run combo-fix again and I will attach the log below
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Don't worry about the toolbars...it is a precaution, so if you have none, let's continue.

    Again...this is important...disable all anti-virus and spyware programs while we do the following:

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  12. Berger

    Berger Private E-2

    I was not able to locate the following in HJT:

    O2 - BHO: (no name) - {19751F36-6749-4897-8E51-F50E3A9FDF14} - C:\WINNT\system32\mljge.dll G
    O2 - BHO: (no name) - {4A54500A-65FE-4F4A-B860-20EAE2F577F9} - C:\WINNT\system32\nnnnmmj.dll (file missing)
    O2 - BHO: {66cd5eef-06d1-934a-c0b4-edc12c7ced1a} - {a1dec7c2-1cde-4b0c-a439-1d60fee5dc66} - C:\WINNT\system32\palxjoxc.dll
    O4 - HKLM\..\Run: [0cf36a49] rundll32.exe "C:\WINNT\system32\caukpcnw.dll",b
    O20 - Winlogon Notify: nnnnmmj - nnnnmmj.dll (file missing)
    O21 - SSODL: kbdctrl - {4C77FDE5-21ED-46E7-9FB1-DC6887D6F316} - C:\WINNT\kbdctrl.dll (file missing)

    I was able to fix the other two.
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Almost there.....

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,C:\WINNT\system32\ntos.exe,

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
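The HijackThis lines quoted in posts 12 and 13 above (the unnamed O2 BHOs, the O4 Run key calling rundll32 on a system32 DLL, the "(file missing)" O20/O21 hooks, and the F2 UserInit value chaining ntos.exe after Userinit.exe) are the kind of entries a helper triages by hand. The following script is an added example, not part of the thread or of HijackThis, MGtools or Avenger; it parses HJT-style log lines from a constructed sample built from those quoted lines plus one constructed benign AVG startup line, and flags the patterns a reviewer looks for. The rule set and the function names are my own assumptions, not anything HJT itself provides.

```python
import re

# Constructed sample log: the lines quoted in posts 12 and 13 of the thread,
# plus one constructed benign O4 line (an AVG startup entry) as a negative case.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {19751F36-6749-4897-8E51-F50E3A9FDF14} - C:\WINNT\system32\mljge.dll
O2 - BHO: (no name) - {4A54500A-65FE-4F4A-B860-20EAE2F577F9} - C:\WINNT\system32\nnnnmmj.dll (file missing)
O2 - BHO: {66cd5eef-06d1-934a-c0b4-edc12c7ced1a} - {a1dec7c2-1cde-4b0c-a439-1d60fee5dc66} - C:\WINNT\system32\palxjoxc.dll
O4 - HKLM\..\Run: [0cf36a49] rundll32.exe "C:\WINNT\system32\caukpcnw.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: nnnnmmj - nnnnmmj.dll (file missing)
O21 - SSODL: kbdctrl - {4C77FDE5-21ED-46E7-9FB1-DC6887D6F316} - C:\WINNT\kbdctrl.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,C:\WINNT\system32\ntos.exe,
"""

# HJT lines start with a section code (O2, O4, F2, ...) followed by " - " and the entry body.
HJT_LINE = re.compile(r"^(?P<section>[OFR]\d+)\s+-\s+(?P<body>.*)$")

# A BHO whose display name is itself a bare GUID rather than a product name.
GUID_NAMED_BHO = re.compile(r"^BHO: \{[0-9a-fA-F-]+\}")

# The only program that normally belongs in the UserInit value.
STANDARD_USERINIT = "userinit.exe"


def parse_hjt_line(line):
    """Return {'section', 'body', 'raw'} for an HJT entry, or None for other text."""
    line = line.strip()
    m = HJT_LINE.match(line)
    if not m:
        return None
    return {"section": m.group("section"), "body": m.group("body"), "raw": line}


def userinit_extras(body):
    """From an F2 UserInit body, return every program chained after userinit.exe."""
    if "UserInit=" not in body:
        return []
    value = body.split("UserInit=", 1)[1]
    programs = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in programs if not p.lower().endswith(STANDARD_USERINIT)]


def review_entry(entry):
    """Return the list of reasons an entry deserves a closer look (empty if none)."""
    reasons = []
    sec, body = entry["section"], entry["body"]
    if "(file missing)" in body:
        reasons.append("autostart hook points at a file that no longer exists")
    if sec == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("browser helper object registered without a name")
    if sec == "O2" and GUID_NAMED_BHO.match(body):
        reasons.append("browser helper object whose name is a bare GUID")
    if sec == "O4" and "rundll32" in body.lower():
        reasons.append("Run key launches a DLL export through rundll32")
    if sec == "F2":
        extras = userinit_extras(body)
        if extras:
            reasons.append("UserInit chains extra program(s): " + ", ".join(extras))
    return reasons


def scan(log_text):
    """Parse every HJT line in log_text and return only the flagged entries."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        reasons = review_entry(entry)
        if reasons:
            entry["reasons"] = reasons
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["raw"])
        for r in f["reasons"]:
            print("    ->", r)
```

Run against the sample, every quoted line is flagged and the constructed AVG line is not; the F2 check isolates `C:\WINNT\system32\ntos.exe` as the program chained after Userinit.exe, which is exactly the item the helper asked to have fixed and that Avenger later removed.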
  14. Berger

    Berger Private E-2

    So far so good.:)
     

    Attached Files:

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did you run the MGTools before running avenger? I ask because avenger took out the
    C:\WINNT\system32\ntos.exe

    But it still shows in the HJT log.
     
  16. Berger

    Berger Private E-2

    I'm positive I ran HJT first, asked it to fix
    F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,C:\WINNT\system32\ntos.exe

    then I ran avenger.

    I'm quite sure I followed the directions.
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It's not a big problem ...not to worry ...are you having any other issues?
     
  18. Berger

    Berger Private E-2

    No, it looks like that did the trick. I can't thank you enough for being so responsive and helpful. I'll be sure to put in a good word for you with everyone I know. The world needs more really helpful folks like you all. Sleep well knowing you're good at what you do, and never think you're not making a difference.
     
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Thank you for the kind words ...safe surfing. :)
     
