Laptop Hijacked

Discussion in 'Malware Help (A Specialist Will Reply)' started by thecrofter, Oct 7, 2006.

  1. thecrofter

    thecrofter Private E-2

    I've been asked by my friend to assist with his laptop. He was using MSN Messenger and someone sent him a nasty. I have run through the procedures in the "read this first"; the only problem is Panda would not run, it told me there was a problem with the internet connection. Here are the other logs. Thanks.
     

    Attached Files:

  2. thecrofter

    thecrofter Private E-2

    Oops! Forgot the Bit defender log
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I want to give you an important heads up so that you can tell your friend. This is very important if the PC was being used for anything finance-related (internet banking, purchasing online, credit card stuff etc).

    Start by Uninstalling the below software from Add/Remove Programs:
    J2SE Runtime Environment 5.0 Update 6
    Search Assist
    Viewpoint Media Player

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Now continue by downloading a tool we will need- Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\Documents and Settings\Paul Chatham\Yinstall.exe
    C:\dfndrff_e24.exe
    C:\kybrdff_e23.exe
    C:\nwnmff_e24.exe
    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\Paul Chatham\Yinstall.exe
    O4 - HKLM\..\Run: [defender] C:\\dfndrff_e24.exe
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e23.exe
    O4 - HKLM\..\Run: [newname] C:\\nwnmff_e24.exe
    O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\\Program Files\\Common Files\\{CC134C90-063B-1033-0609-06002c}\\Update.exe
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
    C:\Documents and Settings\Paul Chatham\Yinstall.exe
    C:\dfndrff_e24.exe
    C:\kybrdff_e23.exe
    C:\nwnmff_e24.exe
    C:\otwlkons.exe
    C:\ovvpecjh.exe
    C:\pmmbhym.exe
    C:\teqnsq.exe
    C:\nwnmff_e23.exe_tobedeleted
    C:\WINDOWS\system32\drsmartload1135a.exe
    C:\WINDOWS\system32\loadadv455.exe
    C:\WINDOWS\system32\Yinstall.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folders and delete them if found:
    C:\Documents and Settings\All Users\Application Data\McAfee
    C:\Documents and Settings\All Users\Application Data\McAfee.com
    C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
    C:\Documents and Settings\All Users\Application Data\Symantec
    C:\Program Files\McAfee
    C:\Program Files\McAfeeSearchAssist
    C:\Program Files\Common Files\{3C134C90-063B-1033-0609-06002c}
    C:\Program Files\Common Files\{3C134C90-063C-1033-0609-06002c}
    C:\Program Files\Common Files\{CC134C90-063B-1033-0609-06002c}
    C:\Program Files\Common Files\{CC134C90-063C-1033-0609-06002c}
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Paul Chatham\Local Settings\Temp

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT

    Make sure you tell me how things are working now!
    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  4. thecrofter

    thecrofter Private E-2

    Thanks for your help. I ran through all the steps you detailed, it all went very well. Laptop seems to be running clean now. Here are the latest logs.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    3. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and enable System Restore to create a new clean Restore Point.
    4. After doing the above, you should work thru the below link:
     
  6. thecrofter

    thecrofter Private E-2

    Ran through the final steps. Ran another Bitdefender. Everything seems clean, Thanks very much for your help again.
     
  7. thecrofter

    thecrofter Private E-2

    I've just been presented with another problem. The PC which runs from the same connection is showing similar signs. I have run through the steps detailed for the Laptop but I'm still having problems with the PC. Here are the latest logs from the PC. Thanks again.
     

    Attached Files:

  8. thecrofter

    thecrofter Private E-2

    Here's the Bitdefender report
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Goto Add/Remove programs and uninstall the below (let me know if they uninstall properly):
    DeluxeCommunications
    Java 2 Runtime Environment, SE v1.4.2_03
    Search Bar

    You need to install and run ShowNew and GetRunKey properly as instructed in the download links and then attach new logs! You are not running them properly!

    You also did not follow directions in the READ ME completely. The copy of Spybot you are using has not been used in about two years. Uninstall it and install the proper version.
     
  10. thecrofter

    thecrofter Private E-2

    Okay, I've followed through all the steps again. Here are the problems I came across and the new logs.

    Deluxe Communications runs its uninstall, but still reappears.
    Java 2 Runtime Environment, SE v1.4.2_03 will not uninstall; it starts and seems to be going OK but then there is an error message "ERROR 1316 A network error occured while attempting to read from file C:\WINDOWS\INSTALLER\Java 2 Runtime Environment, SE v 1.4.2_03.msi" and it then rolls back.
    Search Bar does not uninstall; you press the button and it just flashes back to the program list.

    I uninstalled S&D and reinstalled the latest version (sorry). When I ran it in safe mode it found various problems and fixed them all except ISearchTech.YSB, which it asked if it could try to fix on reboot. When I rebooted and rescanned it found the same problems again and still could not fix ISearchTech.YSB.

    I could not run Bit defender in safe mode, so I rebooted into normal mode and ran it there. Although Bitdefender reported nothing, Avira was picking up various viruses, trojans and Java problems as the scan ran; I either denied access or deleted them, although they all re-appeared.

    When I ran getrunkey I got an error message: C:\WINDOWS\SYSTEM32\cmd.exe C:\WINDOWS\SYSTEM32\autoexec.nt The system file is not suitable for running MS-DOS and Microsoft windows applications. Choose close to terminate the application.

    When I ran shownew I get the error message "the process cannot access the file because it is being used by another process" about twenty times.

    I've tried to follow all the instructions as best I can; hopefully I'm not being dim and missing something obvious, and I have tried to give as much detail as I can. Here are the latest logs.

    Thanks
     

    Attached Files:

  11. thecrofter

    thecrofter Private E-2

    and here
     

    Attached Files:

  12. thecrofter

    thecrofter Private E-2

    I forgot to mention Panda would not install the ActiveX and therefore would not run in either Safe or Normal
     
  13. thecrofter

    thecrofter Private E-2

    Any update for me?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay we will come back to these later!

    Also will be addressed later.

    Did you read the information on the download page for both GetRunKey and ShowNew?? Please read it and follow the directions.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's see if we can get started fixing some malware based on what info we have thus far.

    Start by downloading a tool we will need- Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
    R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
    O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
    O4 - HKLM\..\Run: [1pop06apelt2] C:\WINDOWS\elitepop06.exe
    O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.mmohsix.com
    O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/eliteview.cab
    O20 - AppInit_DLLs: dxclib303562752.dll

    NOTE: HJT will popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\WINDOWS\Downloaded Program Files\CONFLICT.10\UDC6_0001_D19M1908NetInstaller.exe
    C:\WINDOWS\Downloaded Program Files\CONFLICT.11\UDC6_0001_D19M1908NetInstaller.exe
    C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UDC6_0001_D19M1908NetInstaller.exe
    C:\WINDOWS\Downloaded Program Files\CONFLICT.6\UDC6_0001_D19M1908NetInstaller.exe
    C:\WINDOWS\Downloaded Program Files\CONFLICT.7\UDC6_0001_D19M1908NetInstaller.exe
    C:\WINDOWS\Downloaded Program Files\CONFLICT.8\UDC6_0001_D19M1908NetInstaller.exe
    C:\WINDOWS\Downloaded Program Files\CONFLICT.9\UDC6_0001_D19M1908NetInstaller.exe
    C:\WINDOWS\Downloaded Program Files\speedtest2.dll
    C:\WINDOWS\Downloaded Program Files\UDC6_0001_D19M1908NetInstaller.exe
    C:\WINDOWS\system32\ObjSafe.tlb
    C:\WINDOWS\elitepop06.exe
    C:\Program Files\DeluxeCommunications\Dxc.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.
    After reboot locate the below folder and delete it if found:
    C:\Program Files\DeluxeCommunications

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
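    The HJT lines chaslang picks out above follow a handful of recognisable patterns. The script below is an added example (not part of this thread or of HijackThis) that parses those line formats and flags the same patterns a malware helper looks for; the allow list of ActiveX download hosts and the sample log are constructed here, the sample lines being copied from this thread's HJT excerpts plus one benign RealPlayer Run entry that must not be flagged.

```python
"""Triage HijackThis (HJT) log lines of the kind fixed in this thread.

Added example; it is not part of the thread or of HijackThis. It parses the
R1/R3/F2/O4/O15/O16/O20 line formats shown above and flags: a proxy
auto-config URL served from localhost, a system.ini Shell= that launches an
extra program, Run entries starting an executable from the drive root,
unnamed URLSearchHooks, Trusted Zone additions, AppInit_DLLs entries and
ActiveX (DPF) downloads from hosts not on an allow list.
"""
import re
from urllib.parse import urlsplit

# Assumed allow list for O16 ActiveX download hosts; maintain it per environment.
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "java.sun.com"}

# Constructed sample: lines copied from the HJT excerpts in this thread plus one
# benign Run entry (RealPlayer's scheduler) that should not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e24.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/eliteview.cab
O20 - AppInit_DLLs: dxclib303562752.dll
"""

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# An executable sitting directly in the drive root, e.g. C:\dfndrff_e24.exe
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.IGNORECASE)


def exe_from_command(cmd: str) -> str:
    """Extract the executable path from a Run command, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        exe = cmd[1:cmd.index('"', 1)]
    else:
        exe = cmd.split()[0] if cmd else ""
    # Some O4 lines in the thread show doubled backslashes (C:\\file.exe); collapse them.
    return re.sub(r"\\{2,}", r"\\", exe)


def host_of(url: str) -> str:
    """Lower-cased host name of a URL, or '' if there is none."""
    return (urlsplit(url.strip()).hostname or "").lower()


def triage_line(line: str):
    """Return (kind, reason) when the line matches a suspicious pattern, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "R1" and "AutoConfigURL" in body:
        if host_of(body.split("=", 1)[1]) in ("localhost", "127.0.0.1"):
            return kind, "proxy auto-config script served from localhost"
    elif kind == "R3" and body.startswith("URLSearchHook: (no name)"):
        return kind, "unnamed URLSearchHook DLL"
    elif kind == "F2" and "Shell=" in body:
        if body.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
            return kind, "system.ini Shell= launches a program besides explorer.exe"
    elif kind == "O4":
        run = RUN_RE.match(body)
        if run and ROOT_EXE_RE.match(exe_from_command(run.group("cmd"))):
            return kind, "Run entry starts an executable from the drive root"
    elif kind == "O15":
        return kind, "domain added to the Internet Explorer Trusted Zone"
    elif kind == "O16" and " - " in body:
        host = host_of(body.split(" - ", 1)[1])
        if host not in TRUSTED_DPF_HOSTS:
            return kind, f"ActiveX (DPF) download from unlisted host {host}"
    elif kind == "O20" and body.startswith("AppInit_DLLs:"):
        if body.split(":", 1)[1].strip():
            return kind, "AppInit_DLLs loads a DLL into every user-mode process"
    return None


def triage(log_text: str) -> list:
    """Run triage_line over a whole log; returns (kind, reason, line) per hit."""
    hits = []
    for line in log_text.splitlines():
        result = triage_line(line)
        if result:
            hits.append((result[0], result[1], line.strip()))
    return hits


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```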
     
  16. thecrofter

    thecrofter Private E-2

    Thanks for your reply.

    Firstly I fixed the GetRunKey problem(sorry)

    Then I followed through all the other steps. Everything worked perfectly until I went to delete the Deluxe Communications folder after the final reboot. It would not delete, telling me the program was in use.

    Here are the latest logs, as you can see Deluxe communications has reappeared. And I'm still getting the pop-ups.
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Print or save the below instructions locally because you will need to close all browser windows to continue.

    Close all browser windows (Including the one you are reading this in)

    Goto Add/Remove Programs in Control Panel

    Find DeluxeCommunications in the list and double click on it to invoke the uninstaller.


    If there is no Add or Remove Programs entry for this program, Goto Start-->Run, type in
    C:\Program Files\DeluxeCommunications\Dxc.exe /u and hit enter.


    The DeluxeCommunications uninstall program will load and will ask you to enter a security code. Do as instructed and enter the security code it displays and click ok.

    The uninstaller will then Display a dialog saying that all browser windows will be closed if you continue. Click Yes to continue.

    Finally, It will display a dialog asking you if you want to reboot. Click Yes and let your computer boot.

    Boot into Normal Mode

    Download the FixDC.zip attached to this post and save it on your desktop.

    Extract the contents of FixDC.zip to your desktop.

    Run FixDC.reg from your desktop by double clicking on it and click yes to allow it to merge with the registry.

    Now to cleanup some remaining files.

    Click Start and select Search
    Now Select All files and folders
    Enter Dxcknwrd.dll in the "All or part of the file name:" box
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    • Search system folders
    • Search hidden files and folders
    • Search subfolders
    Then click the Search button.

    If the search finds the file then delete it by right clicking on it and selecting Delete

    Repeat the same search and delete procedure for Dxccwrd.dll instead of Dxcknwrd.dll

    Now attach new logs from ShowNew and HJT.

    How are things working now?
     

    Attached Files:

  18. thecrofter

    thecrofter Private E-2

    This Deluxe thing is a real pain.

    It's not in the add/remove list and there is no dxc.exe in the Deluxe folder. I searched for Dxc.exe and it cannot be found; I searched in all subfolders and hidden files and folders. It ain't there!! Consequently I still cannot delete the Deluxe folder or either of the files in it. There's something running from somewhere that is using them. Could I stick the drive into another PC as a slave and delete them that way?

    I did the registry fix anyway and found Dxcknwrd.dll (x3) and Dxccwrd.dll (x3) and deleted them.

    Here are the latest logs.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download the attached ShowNDC.zip file. Extract the ShowNDC.bat file from it into the same folder where you have previously extracted ShowNew.bat. Then run the ShowNDC.bat file and attach the log from it. The log is still named newfiles.txt.

    This one should give me some additional information that I need! Besides the DeluxeCommunications issue you have a bunch of other malware that may be making removal more difficult than normal.
     

    Attached Files:

  20. thecrofter

    thecrofter Private E-2

    I see this entry did not show on the thread but I got the e-mail so I have followed the steps.

    Well it can be sometimes but other times it goes away easily. I think yours is being difficult because you have a pile of other malware at the same time. So let's try to get more of the other malware removed at the same time. And also I want you to use the attached version of ShowNew which I renamed ShowNDC.zip (extract the ShowNDC.bat file to where you installed ShowNew.bat).

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 6
    Now install the current version of Sun Java from: Sun Java Runtime Environment (http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html)


    Please delete the below folders. Note that the question marks represent unprintable characters that were found during the scans, but they may appear to you as normal characters when you locate them using Windows Explorer. I will add comments in RED next to each item. Note the date of the folders which will help you to locate them:

    "C:\Program Files\"
    DELUXE~1 6 Oct 2006 "DeluxeCommunications"
    DESKBAR 5 Oct 2006 "Deskbar"
    WNSXS~1 30 Aug 2006 "W?nSxS" <-- may look like WinSxS
    YMBOLS~1 14 Aug 2006 "?ymbols" <-- may look like Symbols
    MANTEC~1 15 Aug 2006 "??mantec" <-- may look like Symantec

    "C:\Program Files\Common Files\"
    ASEMBL~1 31 Jul 2006 "a?sembly" <-- may look like Symbols
    ICROSO~1.NET 6 Sep 2006 "?icrosoft.NET" <-- may look like Microsoft.NET and there may be a real valid folder with the same name.
    RACLE~1 24 Aug 2006 "?racle" <-- may look like Oracle


    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:

    Delete on Reboot
    then Click on the All Files button.
    Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\Program Files\DeluxeCommunications\DxcBho.dll
    C:\Program Files\DeluxeCommunications\Dxc.exe
    C:\WINDOWS\Duce6.exe
    C:\WINDOWS\hancerdoem.exe
    C:\WINDOWS\kahiv.dll
    C:\WINDOWS\srvpgwpblr.exe
    C:\WINDOWS\uninst108.exe
    C:\WINDOWS\uni_e6h.exe
    C:\WINDOWS\SYSTEM32\mny.exe
    C:\WINDOWS\SYSTEM32\wnscpsv.exe
    C:\WINDOWS\SYSTEM32\cjwqgku.dll
    C:\WINDOWS\SYSTEM32\dxclib303562752.dll
    C:\WINDOWS\SYSTEM32\fblfe.dll
    C:\WINDOWS\SYSTEM32\oxnyoymk.dll
    C:\WINDOWS\SYSTEM32\qrxfmh.dll
    C:\WINDOWS\SYSTEM32\xjtg.dll
    C:\WINDOWS\SYSTEM32\zrrlw.dll

    Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folders and delete them if found:
    C:\Program Files\DeluxeCommunications
    C:\Documents and Settings\All Users\Application Data\Symantec

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Campbell Chatham\Local Settings\Temp


    Now run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
    O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
    O20 - AppInit_DLLs: dxclib303562752.dll

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.


    After clicking Fix, exit HJT.

    Now reboot your PC!

    Now attach the below new logs and tell me how the above steps went.

    GetRunKey
    ShowNDC <--- Zip file attached below!!!!!
    HJT

    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.


    Here's what occurred.

    Uninstalled the Java and got the latest version, in normal mode as it would not uninstall in safe.

    Booted in Safe and deleted all the folders specified except the Deluxe one which would still not delete.
    Tried running pocket killbox in safe, kept getting a system error (RPC server is unavailable) so ran it in normal.

    Did not receive any warning and it seemed to delete all the files. After a reboot I deleted the Deluxe folder (hurrah) and the Symantec folder. Then I deleted Temp files and Temp in the local settings for all the different users.

    Back into safe mode and ran HijackThis, ticked the boxes and fixed. I got the AppInit error but continued anyway.

    Rebooted into normal and ran HJT, the Deluxe entries were back. So I ticked them again and this time they seem to have gone for good.

    Here's how we're running now.

    First thing I did was go for a browse. No pop ups any more however Avira is giving me occasional warnings that there is a file popup[1].htm in one of the Temp Internet Folders which is Exp/Agent.B

    As I shut down to reboot Windows asked me if I wanted to install updates, although I was unaware of even auto-downloading any updates??? I have now run Update and it says I have all the latest (as I thought). I've also run Spybot; it still finds ISearchTech.YSB and cannot remove it even after a reboot. I had a look at the windows security centre, the firewall was off and it will not allow me to turn it on, so I've downloaded and installed Zone Alarm.

    So, I think there may still be something lurking in the background. Occasionally the active browser window will go inactive for no reason. I had a look in the registry and there are still entries for Deluxe and for YourSearchBar, I don't know if that is relevant but I thought I would mention it anyway.

    After all that here are the latest logs. Thanks. We are definitely making some REAL progress.
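    The folder names in the quoted e-mail above ("W?nSxS", "??mantec", "?icrosoft.NET") are lookalikes of real system folders built from unprintable characters, which Explorer may render so that they pass for the genuine article. The script below is an added example, not part of this thread: it scans a directory listing for names containing characters outside printable ASCII and reports which well-known folder each one imitates. The listing and the reference list of expected names are constructed here, and \x9f stands in for whatever unprintable byte the scan showed as "?"; on a localised system legitimate names may contain non-ASCII characters, so treat hits as leads to check against the folder dates, as the e-mail suggests.

```python
"""Spot folder names that imitate legitimate ones with unprintable characters.

Added example, not part of the original thread. A name is a lookalike when it
has the same length as a well-known folder name, contains at least one
character outside printable ASCII, and matches the well-known name in every
other position (case-insensitively). Assumption: any non-ASCII character is
treated as suspicious, which is a lead, not proof, on localised systems.
"""
import os

# Assumed reference list: well-known folders the fakes in this thread imitated.
EXPECTED = ["WinSxS", "Symbols", "Symantec", "assembly", "Microsoft.NET", "Oracle"]

# Constructed listing; \x9f stands in for the unprintable byte shown as "?" above.
# The real WinSxS and Microsoft.NET folders are included and must not be flagged.
SAMPLE_LISTING = {
    r"C:\Program Files": [
        "DeluxeCommunications", "Deskbar", "W\x9fnSxS", "\x9fymbols",
        "\x9f\x9fmantec", "WinSxS",
    ],
    r"C:\Program Files\Common Files": [
        "a\x9fsembly", "\x9ficrosoft.NET", "Microsoft.NET", "\x9fracle",
    ],
}


def is_odd(ch: str) -> bool:
    """True for any character outside printable ASCII (space through '~')."""
    return not (0x20 <= ord(ch) <= 0x7E)


def display(name: str) -> str:
    """Render a name the way the scan output in the thread did: odd characters become '?'."""
    return "".join("?" if is_odd(ch) else ch for ch in name)


def lookalike_of(name: str, expected=EXPECTED):
    """Return the well-known name this one imitates, or None if it is not a lookalike."""
    odd = {i for i, ch in enumerate(name) if is_odd(ch)}
    if not odd:
        return None  # all printable ASCII: nothing hidden in the name
    for target in expected:
        if len(target) == len(name) and all(
            i in odd or name[i].lower() == target[i].lower() for i in range(len(name))
        ):
            return target
    return None


def scan(listing: dict, expected=EXPECTED) -> list:
    """Return (parent, displayed name, imitated name) for every lookalike found."""
    hits = []
    for parent, names in listing.items():
        for name in names:
            target = lookalike_of(name, expected)
            if target is not None:
                hits.append((parent, display(name), target))
    return hits


def scan_directory(path: str, expected=EXPECTED) -> list:
    """Same check over a real directory tree; the demo uses the constructed listing."""
    listing = {root: dirs for root, dirs, _files in os.walk(path)}
    return scan(listing, expected)


if __name__ == "__main__":
    for parent, shown, target in scan(SAMPLE_LISTING):
        print(f"{parent}\\{shown} looks like {target!r} but is not")
```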
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In message # 15 I asked you to fix the below line. I still see it in your log!
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac

    Did you forget to fix it? Or is it something you need and therefore skipped it? You did not have this setting on your other PC!


    Run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\Documents and Settings\Campbell Chatham\Application Data\
    C:\Documents and Settings\Campbell Chatham\Application Data\dxccwrd.dll
    C:\Documents and Settings\Campbell Chatham\Application Data\Dxcdmns.dll
    C:\Documents and Settings\Campbell Chatham\Application Data\Dxcknwrd.dll
    C:\Documents and Settings\Campbell Chatham\Application Data\Dxcuknwrd.dll
    C:\Program Files\em\dohancer\webinstaller.exe
    C:\Program Files\em\dohancer\whCC-GIANT3.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folders and delete them if found:
    C:\Program Files\em

    Now attach the below new logs and tell me how the above steps went.
    1. ShowNew
    2. HJT

    Make sure you tell me how things are working now! If Spybot is still finding something that it cannot remove, attach a log from Spybot.
     
  22. thecrofter

    thecrofter Private E-2

    I've been away for a few days, but I've finally got back round to this PC.

    The R1 entry on the HJT log was fixed but it immediately came back and continues to do so. What is it?

    I then ran Killbox and ran through the deletions all went as it should. Here are the latest logs, including the Spybot log. The Your Search Bar entry will still not delete. Also as I am browsing Avira is still giving me occasional warnings that there is a file popup[1].htm in one of the Temp Internet Folders which is Exp/Agent.B
     

    Attached Files:

  23. thecrofter

    thecrofter Private E-2

    Here is the other log
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download and install Registrar Lite. Make sure you select a Majorgeeks download link and not the Author's!

    Run Registrar Lite navigate to the following key and take ownership of it (I explained how to do that further down).

    HKEY_LOCAL_MACHINE\SOFTWARE\YourSiteBar


    To take ownership of the key do the following:
    • Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    • Click-on Security in the top Menu
    • Select Take Ownership
    • Now leave RegistrarLite running and continue
    • Now run the fixME.reg REGISTRY PATCH below in this message.
    • Tell me the results. Any error messages?
    • Now in RegistrarLite click View and then Refresh
    • Now navigate back to the above key we took ownership of to make sure that the YourSiteBar key has been deleted.
    • If the key still exists, right click on it and select Delete. Let me know if you have to do this and if you get any error messages at this point.
    Here is the Registry Patch

    Now copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Then reboot your PC!

    Now run Spybot and see if it still detects YourSiteBar.

    Now let's do some cleaning!
    • Now run Pocket Killbox and select File, Cleanup, Delete All Backups
    • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    • Then reboot and enable System Restore to create a new clean Restore Point.
    Now attach a new log from ShowNew (not ShowNDC). Tell me how things are working now.
     
  25. thecrofter

    thecrofter Private E-2

    Did the Registrar Lite thing. It finally worked when I ran it in safe mode. Your site Bar seems to be gone. Spybot runs clean. Although I still get the Avira warning about the file popup[1].htm. Here is the latest ShowNew log.
     

    Attached Files:

  26. thecrofter

    thecrofter Private E-2

    I forgot to mention one or two other things. The active browser window still goes inactive for no reason sometimes. And I ran spybot under the other user profiles in one of them it found SmitFraud and a couple of other registry entries but fixed them first go. Should I run HJT in the other user profiles just to be on the safe side?
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can delete the file yourself manually but make sure all browsers are closed. Also doing a Reset of Web Settings on all user accounts should normally cleanup stuff like this. If you don't know how to Reset Web Settings, here's how:


    Remaining problem from previous steps:

    One of the files I asked you to delete (back in message # 15) with Pocket Killbox, is still there. You need to delete this using Pocket Killbox. You will not be able to locate it or delete it from Windows Explorer or Windows Search so make sure you use Killbox as given in message # 15 and delete the below file:
    C:\WINDOWS\Downloaded Program Files\UDC6_0001_D19M1908NetInstaller.exe


    Yes you should work on other user accounts but only one at a time. How many are there? Pick one and post the below 3 logs while logged into that user account:
    - GetRunKey
    - ShowNew
    - HJT
     
  28. thecrofter

    thecrofter Private E-2

    Still not out of the woods yet.

    I've deleted the popup[1].htm file, it keeps reappearing every now and then.

    I ran killbox again and deleted the NetInstaller file. I suspect it had reappeared from somewhere as well.

    User profiles are:-

    Campbell Chatham
    Neil (which I suspect is where most of the problems are; I deleted the profile and recreated it, and there is now a neil.chathamracing profile sitting in the background. I guess that Windows does not entirely delete all the files when you delete a profile)
    Rachel
    Suzie Q
    The Champ #1

    I've attached the logs from Neil for a start; this is where most of the LimeWire activity was and where most of the MSN Messenger activity happens, hence the reason I'm most suspicious of it. When I try to reset web settings in this profile I get a message saying "Unable to reset web settings".
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why do you say that? You don't really have any major problems remaining.

    This is just due to the sites you or someone else is accessing. I doubt this is a serious problem anyway. You could look at the file in an editor to see what is in it. As you saw already, it is easy enough to remove. Real malware is a lot more difficult.

    Actually, the username that you posted logs for is Neil, but the user profile being used is still Neil.CHATHAMRACING. That's because you did not delete the account. You just renamed it, which does not remove the user profile information. You could rename the user account name to anything you want, but the user profile would still remain. To truly get rid of the account, you must delete the account. I would then reboot and after reboot delete anything that may remain for that account.

    You cannot use Reset Web Settings in an account that does not have administrator privileges. The easiest way around that is to change the account to be an admin account while you work on it and then change it back to a restricted account afterwards.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.

    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\Downloaded Program Files\axo.dll
    C:\WINDOWS\Downloaded Program Files\CONFLICT.12\UDC6_0001_D19M1908NetInstaller.exe
    C:\WINDOWS\Downloaded Program Files\UDC6_0001_D19M1908NetInstaller.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT

    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
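    The O15 lines in the HijackThis list above all come from one registry key, ProtocolDefaults, which tells Internet Explorer which security zone each URL scheme is treated as by default. The batch script below is an added example, not part of this thread and not part of HijackThis; it reads those values and compares them with the zones the HJT lines above say they should be. The zone numbers (0 = My Computer, 1 = Local Intranet, 3 = Internet) are standard IE zone numbering; the expected values for each protocol are taken from the HJT lines above and are the only assumption in the script.

```batch
@echo off
rem Added example (not from the thread): audit the IE ProtocolDefaults values
rem that HijackThis reports as O15 lines.
rem Zone numbering: 0 = My Computer, 1 = Local Intranet, 2 = Trusted,
rem 3 = Internet, 4 = Restricted. A protocol mapped to zone 0 (or missing)
rem gets My Computer zone privileges, which is what the O15 lines warn about.
setlocal EnableDelayedExpansion
set "KEY=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults"

rem Expected zones, as given by the HJT lines in this thread.
call :check @ivt 1
call :check file 3
call :check ftp 3
call :check http 3
call :check https 3
endlocal
goto :eof

:check
rem %1 = protocol name, %2 = expected zone (decimal)
set "ACTUAL="
for /f "tokens=3" %%v in ('reg query "%KEY%" /v %1 2^>nul ^| findstr /i /c:"%1"') do set "ACTUAL=%%v"
if not defined ACTUAL (
    echo [MISSING] %1 has no ProtocolDefaults value ^(IE will treat it as My Computer zone^)
    goto :eof
)
rem reg query prints REG_DWORD values in hex, e.g. 0x3; set /a converts to decimal
set /a "ACTUALDEC=%ACTUAL%"
if "!ACTUALDEC!"=="%2" (
    echo [OK]      %1 = zone %2
) else (
    echo [WARNING] %1 = zone !ACTUALDEC! ^(expected %2^)
)
goto :eof
```

    Run it from a command prompt in the user account being checked, since the key is under HKCU and each profile has its own copy. It only reports; fixing the values is still done with HijackThis (or a .reg file) as described in the post above, and a [WARNING] or [MISSING] line after a fix is a sign that something is re-writing the key, which is worth mentioning in the next reply.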
     
  30. thecrofter

    thecrofter Private E-2

    I guess I'm just super sensitive at the moment, but I still "feel" like there is something going on on this PC.

    The popup[1].htm warning hasn't appeared today, so I'm beginning to be a bit easier with that.

    The Neil profile: I ran through the HJT procedure, the offending lines just reappeared, and then I did Pocket Killbox; it found 1 of the files and then rebooted without any error messages. The HJT entries would not stay gone, so I have deleted the user in XP and then accessed as another user and tried to delete any remaining files. I got an error message saying "Cannot delete CARRT5HT. : cannot find specified file. Make sure you specify the correct path and filename." So I tried using Killbox to delete the remaining file; after a reboot the file was still there. The file exists in the folder c:\Documents and settings\neil\my documents\my pictures\msn emoticons\. I have manually deleted everything else to do with this user profile, but no matter what I do this one file remains. I can browse to it with Explorer; the file properties say the file size is 0 bytes and it is not read only. I'm not going to try and re-create the user name until I've got this file totally cleared out.

    My one remaining worry, after we finally remove the Neil profile is that no matter what profile I'm in there seems to be a fair bit of activity, mostly inbound, on the Zone alarm icon at the bottom of the screen even without a browser open.
     
  31. thecrofter

    thecrofter Private E-2

    Here are the logs for the remaining three users.
     

    Attached Files:

  32. thecrofter

    thecrofter Private E-2

    Hopefully they're clean.
     

    Attached Files:

  33. thecrofter

    thecrofter Private E-2

    And the last ones
     

    Attached Files:

  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure what you are referring to. I did not ask you to delete any files here.
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The only account that has anything additional to cleanup is the one associated with the "T" logs (the account named Champ). Log into this account and do the below:


    Copy the bold text below to Notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Then use Pocket Killbox to delete the below file:
    C:\WINDOWS\Downloaded Program Files\motorsix.ocx


    Other than that your logs were clean. How is everything working?
     
  36. thecrofter

    thecrofter Private E-2

    I'm just trying to completely remove all traces of the Neil account. For some reason it is impossible to delete this last file. Could it be a symptom of "something" going on?
     
  37. thecrofter

    thecrofter Private E-2

    Followed the steps for user The Champ; all went well.

    Logged on as Campbell Chatham, the browser still turns itself into an inactive window from time to time and I still get the Avira warning that C:\Documents and Settings\Campbell Chatham\Local Settings\Temporary Internet Files\Content.IE5\Some Random Folder\popup[1].htm is infected with agent\exp.b. As I'm typing this I've just been invited to install DriveCleaner to check my computer for free!!!!!!!!! And then a new window has opened at drivecleaner.com. :mad: Here are the latest logs.
     

    Attached Files:

    Last edited: Nov 1, 2006
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But you did not say exactly what and where. You need to give the exact name of the file and the full path to it. You may be able to just use Killbox on it.
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Has "Champ" (whoever uses that account) been doing any surfing while you are not working on fixing the PC? If so, perhaps you need to find out what sites are being accessed. You could look in the Internet Explorer History.

    Do you know if Internet Explorer Default Page which shows in your installed programs list is part of Tiscali? It seems suspicious!


    Now copy the bold text below to Notepad. Save it as fixWLK.reg to your desktop (Yes! Overwrite the previous file). Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.

    Delete the below file if found (use safe mode or Killbox if necessary):
    C:\WINDOWS\system32\atl.dll

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT



    Okay please run the below procedure and attach the requested log (you will need a second message to attach this fourth log):

    Using Sophos Anti-Rootkit
     
  40. thecrofter

    thecrofter Private E-2

    Nobody has surfed anywhere while we've been working on this PC, I'm the only person who has even turned it on. I checked the IE history anyway the only sites listed under the champ user are Majorgeeks(God bless 'em), Google and Microsoft.

    Don't know if IE Default Page is part of Tiscali or not (I have loaded IE7). I have deleted Tiscali through Add/Remove Programs; the PC uses BT Broadband for its internet connection anyway.

    I ran the reg fix; it seemed to run OK.

    Went to delete the atl.dll but it said it was in use; tried in safe mode, same result; tried with Killbox, still the same, it just won't delete. Here are the latest logs, run in The Champ.

    BTW, I went into regedit just to check the atl.dll entry had gone. It had, but I noticed there is an entry in the same area looking at the system32 folder for webcleaner.dll; is this suspicious?
     

    Attached Files:

  41. thecrofter

    thecrofter Private E-2

    Here is the Sophos log.
     

    Attached Files:

  42. thecrofter

    thecrofter Private E-2

    C:\Documents and Settings\Neil\My Documents\My Pictures\msn emoticons\CARRT5HT.

    I have tried Killbox, safe mode, DOS; I still get the same message. I've tried deleting the whole folder at every level; it just won't go away. I would like to recreate the Neil user profile but am nervous of doing this until the old profile is completely gone. The file size is 0 bytes, so I suppose it can't be doing anything, but I just don't like the idea that this file refuses to go.
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please delete the below folders. Note that the question marks represent unprintable characters that were found during the scans, but they may appear to you as normal characters when you locate them using Windows Explorer. I will add comments in RED next to each item. Note the date of the folders, which will help you to locate them:
    Code:
    "C:\Documents and Settings\The Champ #1\Application Data\"
    CROSOF~1.NET  21 Sep 2006              "??crosoft.NET"
    WNSXS~1       16 Sep 2006              "W?nSxS"
    No! It is part of Microsoft Malicious Software Removal Tool! I don't recommend that you experiment in the registry on your own unless you are an expert. Doing the wrong thing can make your PC unusable and non-recoverable.


    Download The Avenger ( http://swandog46.geekstogo.com/avenger.zip ) by Swandog46, and save it to your Desktop.
    Extract avenger.exe from the Zip file and save it to your desktop
    Run avenger.exe by double-clicking on it.
    Check the 'Input script manually' box.
    Click on the magnifying glass icon.
    Copy the quoted bold print below and paste it in the box that opens from Avenger:
    Now click the 'Done' button.
    Click on the traffic light icon and OK the prompt.
    You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it.
    A log file from Avenger will be produced at C:\avenger.txt, please post that log here in your next reply.

    Now Uninstall this: Internet Explorer Default Page


    You need to take a serious look at the log from Sophos Anti-Rootkit. The things being downloaded with Ares (and probably other similar P2P tools) are the source of most infections that we fix. If it were my PC, Ares and any other P2P program would be uninstalled and their folders and all contents deleted.



    I will be away for 9 days! Hopefully one of the other helpers here can continue to help you! Or you will have to wait until I get back!
     
    Last edited: Nov 3, 2006
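    Two of the cleanup problems in this exchange come down to file names rather than to anything protecting the files: folders whose names contain characters the console cannot display (the "??crosoft.NET" and "W?nSxS" entries above), and the zero-byte CARRT5HT. file whose name ends in a dot. The batch commands below are an added example, not from the thread or from any tool used in it. They assume the paths quoted earlier in the thread and should be treated as placeholders for your own case. The short names (CROSOF~1.NET, WNSXS~1) are the ones reported in the scan output above; on another disk they would differ, which is why the first step lists them.

```batch
@echo off
rem Added example (not from the thread): removing files and folders that
rem Explorer and a plain "del" cannot handle because of their names.
rem Paths are the ones quoted in the thread; adjust them for your own case.

rem 1. List 8.3 short names. A folder whose long name contains characters the
rem    console cannot display or type still has a short name you can use.
dir /x /a "C:\Documents and Settings\The Champ #1\Application Data"

rem 2. Remove the two folders identified above by their short names.
rd /s /q "C:\Documents and Settings\The Champ #1\Application Data\CROSOF~1.NET"
rd /s /q "C:\Documents and Settings\The Champ #1\Application Data\WNSXS~1"

rem 3. A name ending in a dot ("CARRT5HT.") is normally stripped to "CARRT5HT"
rem    by Win32 path normalisation before it reaches the file system, which is
rem    why del reports "cannot find specified file". The \\?\ prefix turns that
rem    normalisation off so the literal name is passed through.
del /f "\\?\C:\Documents and Settings\Neil\My Documents\My Pictures\msn emoticons\CARRT5HT."

rem 4. The same prefix works for rd when a whole folder refuses to go.
rd /s /q "\\?\C:\Documents and Settings\Neil\My Documents\My Pictures\msn emoticons"

rem 5. Confirm the result: dir sets a non-zero exit code when the path no longer resolves.
dir /a "C:\Documents and Settings\Neil\My Documents\My Pictures\msn emoticons" >nul 2>&1 && echo Folder still present || echo Folder gone
```

    Run these from a command prompt in an administrator account with all browsers and Explorer windows on that folder closed. If a name still survives after the \\?\ form, the remaining explanation is a handle held open by a running process or a driver hiding the entry, and that is the point at which a boot-time deletion tool such as the Avenger run in this thread, or the Sophos Anti-Rootkit log, is the right next step rather than more attempts from a normal session.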
  44. thecrofter

    thecrofter Private E-2

    Deleted the folders OK, in normal mode, all went well.

    I know not to mess about in the registry, I just thought I would mention the entry I saw while I was checking the other one had gone OK.

    Downloaded Avenger followed the instructions and finally the msn emoticons folder deleted, allowing me to delete all the remaining folders in the Neil profile.

    I don't understand what you mean by delete Internet Explorer Default Page; there is nothing listed in Add/Remove Programs or HijackThis... I've already deleted Tiscali.

    I had a look at all the Ares stuff I've now deleted and uninstalled that too.

    Finally, I rebooted into the Campbell Chatham profile and went for a bit of a browse around. It all went well at first, it seemed to be responding quickly and so on. BUT then the active window went inactive again and I got the offer of installing Drivecleaner AGAIN.

    I have now removed the HD from the PC and reformatted it using my own PC, and I will re-install Windows on a hopefully clean drive. Thanks for all your help; it's a pity we didn't manage to beat it this time.
     
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

