Lots Of Baddies!!!! With Virtual Bouncer

Discussion in 'Malware Help (A Specialist Will Reply)' started by griggi63, Jan 4, 2006.

  1. griggi63

    griggi63 Private First Class

    Need a little help. Trying to clean Mom-in-law's PC. I did all I could from the tutorial in the beginning except for the online scanner. PC is not online at the moment. Running the start-here procedure did all of them and removed lots of the baddies, and the Virtual Bouncer I think. Having problems with the PC trying to connect to the internet constantly. Not sure where to go from here....CHASLANG, you have done me serious justice in the past; I could use some more of your magic!!!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    How are you doing the READ & RUN ME if you cannot get on line?

    Did you do step 0 of the READ & RUN ME and uninstall any of the items found that are on that long list?

    How does the PC connect to the internet (dial-up, cable, dsl)?

    Can you attach a HJT log?
     
  3. griggi63

    griggi63 Private First Class

    I use my PC to download whatever I need and burn to CD and run on Mom's PC. I went through the list as far as I could go without being able to do an online scan. Am running AVG as we speak on it, but I think I need to update the virus defs so I might have to stop. Normally Mom's PC is connected by dial-up. Also, oddly enough, there are (2) internet access options on the dial-up....one says "access995", the other says "access995(2)" and is set as default. I asked her about it; she says she has no idea how it got there and that a few things popped up on her desktop from nowhere. I will do an HJT log and get back to you.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What was the last thing being done before internet access was lost? Does she remember? How long ago?
     
  5. griggi63

    griggi63 Private First Class

    I think it hit her yesterday. She called me last night, said there were 800 messages in her Outlook Express, and that AVG was trying to scan everything and would reach about 95 messages then start slowing down. When I picked up the PC today, there were 3 desktop icons that she had no idea what they were; I believe they said mtg1, mtg, mtgo...or something to that effect. Then I noticed in the bottom right where the clock is that it had 2 odd icons I didn't recognise: one turned out to be Virtual Bouncer, the other was supposed to be some sort of spyware blocker that I was not familiar with, and these things slowed the PC down considerably. I have rid it of a lot of the baddies; I'm pretty sure I didn't get them all though.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You do not have HJT installed properly per step 7 of the READ ME.

    You still have some baddies in there. Fix HJT while I look thru the log.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Windows Overlay Components ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Windows Overlay Components

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Look in Add/Remove programs for Casino Client or similar and uninstall if found.


    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\oyhmhjo.exe
    C:\WINDOWS\system32\FAFBFC020306030.exe
    C:\windows\system32\dwdsregt.exe
    C:\WINDOWS\system32\owinnsaw.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {03C5F6E7-680C-19DE-2097-678349D99E9B} - C:\WINDOWS\system32\wxuf.dll
    O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINDOWS\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll
    O4 - HKLM\..\Run: [Jumbo Updater] C:\WINDOWS\system32\jumb.exe
    O4 - HKLM\..\Run: [oyhmhjoA] C:\WINDOWS\oyhmhjoA.exe
    O4 - HKLM\..\Run: [020304090A0D0A100] FAFBFC020306030.exe
    O4 - HKLM\..\Run: [{D9-93-36-6F-ZN}] C:\windows\system32\dwdsregt.exe CORN001
    O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\owinnsaw.exe CORN001
    O4 - HKCU\..\Run: [CMMan] "C:\Program Files\CMMan\CMMan.exe"
    O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\owinnsaw.exe
    O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\rmdsregr.exe
    O18 - Filter: text/html - (no CLSID) - (no file)
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\oyhmhjo.exe <--- should be gone already due to above steps

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:

    C:\WINDOWS\system32\wxuf.dll
    C:\WINDOWS\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll
    C:\WINDOWS\system32\jumb.exe
    C:\WINDOWS\oyhmhjoA.exe
    C:\WINDOWS\oyhmhjo.exe
    C:\WINDOWS\system32\FAFBFC020306030.exe
    C:\windows\system32\dwdsregt.exe
    C:\WINDOWS\system32\owinnsaw.exe

    C:\WINDOWS\system32\rmdsregr.exe
    C:\Program Files\CMMan <--- the whole folder

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).



    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
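    The procedure above works from the HJT log in three passes: stop and delete the rogue service, kill the processes behind the autorun entries, fix the entries, then delete the files on disk. As an added illustration (this is not HijackThis code and not something posted in the thread), here is a small Python parser for HJT log lines of the kinds shown above (O2 BHO, O4 Run/Startup, O18 filter, O23 service) that turns a fix list into exactly those groups. It assumes that a bare filename in a Run value (such as FAFBFC020306030.exe) resolves to C:\WINDOWS\system32, which is how the thread treated it; that directory is a parameter, and entries resolved that way are flagged. The sample lines are copied from the fix list in this post.

```python
"""Turn HijackThis (HJT) fix lines into a removal plan.

Added illustration for this thread; not HJT's own code. HJT only removes the
registry value, BHO registration or shortcut. The file on disk still has to be
killed and deleted by hand, which is why entries are split into
services / processes to kill / files to delete / entries HJT fixes alone.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption (not stated by HJT): a bare filename in a Run value is found via
# the Windows search path; this thread treated such files as living in system32.
DEFAULT_SYSTEM_DIR = r"C:\WINDOWS\system32"


@dataclass
class Entry:
    kind: str              # HJT section tag: R3, O2, O4, O18, O23
    name: str              # BHO name, Run value name, shortcut name or service name
    path: str | None       # file the entry points at; None if it names no file
    resolved: bool = True  # False when the path was inferred from a bare filename


_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
_STARTUP = re.compile(r"^O4 - Startup: (?P<name>.+?) = (?P<path>.+)$")
_SERVICE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
_NOFILE = {"(no file)", ""}


def _command_target(cmd: str) -> str:
    """Executable part of a command line: honours a quoted path such as
    "C:\\Program Files\\CMMan\\CMMan.exe" and drops trailing arguments (CORN001)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def parse_line(line: str, system_dir: str = DEFAULT_SYSTEM_DIR) -> Entry | None:
    """Parse one HJT line; None for text that is not an HJT entry."""
    line = line.split(" <---", 1)[0].strip()  # drop a helper's "<--- ..." annotation
    if not line:
        return None
    if line.startswith("R3 - "):
        return Entry("R3", line[5:], None)
    if line.startswith("O18 - "):
        return Entry("O18", line[6:], None)
    m = _BHO.match(line)
    if m:
        return Entry("O2", m["name"], None if m["path"] in _NOFILE else m["path"])
    m = _STARTUP.match(line)
    if m:
        return Entry("O4", m["name"], m["path"])
    m = _RUN.match(line)
    if m:
        target = _command_target(m["cmd"])
        if "\\" in target or ":" in target:
            return Entry("O4", m["name"], target)
        # bare filename: assumed to live in system_dir (see note at top)
        return Entry("O4", m["name"], system_dir.rstrip("\\") + "\\" + target, resolved=False)
    m = _SERVICE.match(line)
    if m:
        path = _command_target(m["path"])
        return Entry("O23", m["name"], None if path in _NOFILE else path)
    return None


def removal_plan(lines, system_dir: str = DEFAULT_SYSTEM_DIR) -> dict:
    """Group entries into the steps the thread walks through. File paths are
    deduplicated case-insensitively (Windows paths are), so a Run value and a
    Startup shortcut pointing at the same .exe yield one deletion."""
    services, files, fix_only, seen = [], [], [], set()
    for raw in lines:
        e = parse_line(raw, system_dir)
        if e is None:
            continue
        if e.kind == "O23":
            services.append(e.name)
        if e.path is None:
            fix_only.append(f"{e.kind}: {e.name}")
            continue
        if e.path.lower() not in seen:
            seen.add(e.path.lower())
            files.append(e.path)
    return {
        "services": services,
        "kill_processes": [p for p in files if p.lower().endswith(".exe")],
        "delete_files": files,
        "fix_only": fix_only,
    }


# Copied from the fix list in this post (HJT output, not constructed data).
SAMPLE_FIX_LINES = [
    r"R3 - Default URLSearchHook is missing",
    r"O2 - BHO: (no name) - {03C5F6E7-680C-19DE-2097-678349D99E9B} - C:\WINDOWS\system32\wxuf.dll",
    r"O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINDOWS\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll",
    r"O4 - HKLM\..\Run: [Jumbo Updater] C:\WINDOWS\system32\jumb.exe",
    r"O4 - HKLM\..\Run: [oyhmhjoA] C:\WINDOWS\oyhmhjoA.exe",
    r"O4 - HKLM\..\Run: [020304090A0D0A100] FAFBFC020306030.exe",
    r"O4 - HKLM\..\Run: [{D9-93-36-6F-ZN}] C:\windows\system32\dwdsregt.exe CORN001",
    r"O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\owinnsaw.exe CORN001",
    r'O4 - HKCU\..\Run: [CMMan] "C:\Program Files\CMMan\CMMan.exe"',
    r"O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\owinnsaw.exe",
    r"O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\rmdsregr.exe",
    r"O18 - Filter: text/html - (no CLSID) - (no file)",
    r"O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\oyhmhjo.exe <--- should be gone already due to above steps",
]

if __name__ == "__main__":
    for group, items in removal_plan(SAMPLE_FIX_LINES).items():
        print(group)
        for item in items:
            print("   ", item)
```

    Run stand-alone it prints one service to stop and delete, eight executables to kill, ten files to delete (the same ten items as the delete list in this post, with owinnsaw.exe listed once although two entries point at it) and two entries (R3, O18) that HJT fixes on its own. Treat the flagged bare-filename resolution as a guess to confirm in Explorer, not as fact.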


     
  8. griggi63

    griggi63 Private First Class

    OK, have done all that except I couldn't find the following items...

    Casino Client
    C:\WINDOWS\oyhmhjo.exe
    C:\WINDOWS\system32\FAFBFC020306030.exe
    C:\WINDOWS\system32\wxuf.dll
    C:\WINDOWS\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll
    C:\WINDOWS\oyhmhjoA.exe
    C:\WINDOWS\oyhmhjo.exe
    C:\Program Files\CMMan <--- the whole folder

    It seems to be running OK; the internet connection window is not popping up anymore. The true test is when I get it back to her and get her back online...
    It still shows 2 dial-up options for access995 (her ISP); will remove one when I set it up for her again. Anything else I need to do?
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, your log is clean! Before deleting any of the dial-up connection options, test to make sure the one you are keeping works. There could be differences between them.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
