Limited or no connectivity Virus

Discussion in 'Malware Help (A Specialist Will Reply)' started by lorengphd, Sep 24, 2006.

  1. lorengphd

    lorengphd Private E-2

    I have a laptop here that is unable to connect to the internet. I have windows security alerts saying that the computer is infected. I went into safe mode and ran CCleaner and Windows Mal Remover which found some stuff but the problem still persists.

    Because the computer cant get onto the internet, I am writing this all from my desktop. I installed hijack this via external HD and this is the log file.

    Please let me know if there is anything else I can tell you guys to at least help me get the name of the possible virus.
     

    Attached Files:

    lorengphd, Sep 24, 2006
    #1
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You really should have followed more of the directions in the READ & RUN ME. Like the following:
    • Viewpoint Manager - should have been uninstalled in step 0 of the READ ME
    • the log from ShowNew should have been attached
    • you should have put your system into Normal Startup mode. You have MSconfig disabling all kinds of startups.
    Uninstall Viewpoint Manager now!

    Also look for the belwo and uninstall if found:
    Webhancer
    CasinoClient
    WeatherBug

    Make sure viewing of hidden files is enabled (per the tutorial).
    Now download LSP - Fix

    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the webhdll.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move webhdll.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.
    If it is already in the Remove section, just click Finish.

    Now please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\WINDOWS\system32\redistributor.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O10 - Broken Internet access because of LSP provider 'c:\windows\webhdll.dll' missing
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll
    O20 - Winlogon Notify: logons - C:\WINDOWS\system32\redist.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\PartyGaming <--- the whole folder
    C:\Program Files\AWS <--- the whole folder
    C:\Program Files\System Files <--- the whole folder
    C:\WINDOWS\system32\ntlogin32.exe
    C:\WINDOWS\system32\videosd32.exe
    C:\WINDOWS\system32\windir32.exe
    C:\WINDOWS\system32\winsys.exe
    c:\windows\webhdll.dll
    C:\WINDOWS\system32\redist.dll
    C:\WINDOWS\system32\redistributor.exe
    C:\kybrdfg_8.exe
    C:\nwnmfg_8.exe

    If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.
    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode
    Now Copy the bold text below to notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp\
    C:\Documents and Settings\USERNAME\Local Settings\Temp\

    Replace USERNAME with your actual user account name.

    Now you should attempt to complete ALL of the READ & RUN ME and attach the below logs:
    • CounterSpy - ONLY IF you were not able to run Windows Defender
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • HijackThis
    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
     
    chaslang, Sep 24, 2006
    #2

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds