Major Malware Issues

Discussion in 'Malware Help (A Specialist Will Reply)' started by Schmiese, Feb 9, 2007.

  1. Schmiese

    Schmiese Private E-2

    I'm trying to help a friend clean all this malware garbage off their PC, but am hitting some snags. I've been faithfully following all the steps from the Major Geeks 'Read & Run Me First' tutorial, but not all is working as planned. Here's where I'm at:

    1. I emptied the quarantined viruses and spyware, etc. from ZoneAlarm's Security Suite and began following all the steps in the tutorial.
    2. Ran CCleaner.
    3. Finished (and attached) the BitDefender scan.
    4. Could not get onto the Panda ActiveScan site.
    5. Downloaded and ran CounterSpy twice in safe mode...it found about 1040 bad registry entries and I think 43 program issues. When I went to view/treat them, the list was blank. When I clicked on where the list should've been I got a runtime error. So, I've attached the log file, but nothing was treated there.
    6. Followed the instructions for HijackThis and have attached the log file.
    7. Tried to run the GetRunKey and ShowNew .bat files, but got the following error message:
    c:\Windows\System32\cmd.exe
    c:\Windows\System32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.

    I realize this computer is not running Windows XP SP2 (they only have SP1) and there's a lot of garbage programs the kids have installed. I know WINFIXER is among the malware problems on this PC. What I need to know is whether this thing is worth fixing or if they should cut their losses, back up their files and reformat the drive.

    Any and all help is appreciated.

    LH
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    In the future, please follow the steps in the READ ME in the order written. CounterSpy should be run before BitDefender and Panda, not after.
    Read the info on the download pages for GetRunKey and ShowNew again. That message, and how to fix it, is explained there. Follow those steps and attach the two logs.
     
  3. Schmiese

    Schmiese Private E-2

    Sorry - I misquoted myself on the order. Because I had run it a second time (thinking the first problem was a fluke) I was thinking it was further down the line. I was working in the right order, but moved on if things didn't work.

    Got the fix for those .bat files (sorry I missed that - too much back and forth between 'how to' tabs!) and have attached those logs now.

    Thanks.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Wow, you have a ton of malware problems. It really would have been a lot easier if CounterSpy had fixed what it found. We will continue anyway. But let me ask: has your trial for CounterSpy already expired? It may have if you ever used it in the past. You can only use the trial once, and then only for a 15-day period.

    Okay let's start a load of manual fixes.

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Did you install all this FunWebProducts junk to use with AIM, MSN Messenger, & Yahoo Messenger for Buddy Icons?
    • Do you need it??
    • I was going to give you steps to delete it.
    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 6
    Mozilla Firefox (1.0.6)

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox

    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\6.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [romk] C:\PROGRA~1\COMMON~1\romk\romkm.exe
    O4 - HKCU\..\Run: [Nqr] C:\WINDOWS\System32\W?nSxS\nopdb.exe
    O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
    O4 - HKCU\..\Run: [boo] C:\WINDOWS\boo.exe
    O4 - HKCU\..\Run: [aoqmRQd9R] C:\Program Files\asdfe57\SPBS.exe

    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Now run Pocket Killbox by double-clicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\tiob\baoe.exe
    C:\WINDOWS\del.tmp
    C:\WINDOWS\VCMnet11.exe
    C:\WINDOWS\system32\weirdontheweb_ventura.exe
    C:\WINDOWS\system32\Cache\weirdontheweb_ventura2.exe
    C:\WINDOWS\system32\doound.dll
    C:\WINDOWS\system32\dq16gt.dLL
    C:\WINDOWS\system32\dxser.dll
    C:\WINDOWS\system32\fkdrclnr.dll
    C:\WINDOWS\system32\hzui.dll
    C:\WINDOWS\system32\ixfxsrvc.dll
    C:\WINDOWS\system32\kkdhela2.dll
    C:\WINDOWS\system32\kudlv1.dll
    C:\WINDOWS\system32\kzdsf.dll
    C:\WINDOWS\system32\maftedit.dll
    C:\WINDOWS\system32\meoert2.dll
    C:\WINDOWS\system32\mfgsvc.dll
    C:\WINDOWS\system32\mpjava.dll
    C:\WINDOWS\system32\mupmspsv.dll
    C:\WINDOWS\system32\mWpi32.dll
    C:\WINDOWS\system32\myglibnt.dll
    C:\WINDOWS\system32\natui0.dll
    C:\WINDOWS\system32\nhtshell.dll
    C:\WINDOWS\system32\nzdll.dll
    C:\WINDOWS\system32\odeaccrc.dll
    C:\WINDOWS\system32\pfrfdisk.dll
    C:\WINDOWS\system32\sdhannel.dll
    C:\WINDOWS\system32\shndcmsg.dll
    C:\WINDOWS\system32\sksinv.dll
    C:\WINDOWS\system32\smrialui.dll
    C:\WINDOWS\system32\wfsdmoe2.dll
    C:\WINDOWS\system32\wzhcon.dll
    C:\WINDOWS\system32\ustart.exe
    C:\WINDOWS\system32\kill internet popups5.ico
    C:\WINDOWS\system32\pinkkas.ico
    C:\WINDOWS\system32\creditcard32123123123asdsa1.ico
    C:\WINDOWS\system32\greenmovie2313asaadsasfad112341231adsfa1.ico
    C:\WINDOWS\hrvoccyh.exe
    C:\WINDOWS\xnixefgj.exe
    C:\WINDOWS\system32\InstallerV3.exe
    C:\WINDOWS\usta33.ini
    C:\WINDOWS\system\QBUninstaller.exe
    C:\WINDOWS\system32\mc-58-12-0000079.exe
    C:\Program Files\Common Files\mc-58-12-0000079-d.exe
    C:\Program Files\Common Files\services.exe
    C:\Program Files\Common Files\system32.dll
    C:\WINDOWS\system32\bmhved.exe
    C:\WINDOWS\system32\hbieeci.exe
    C:\WINDOWS\system32\hpagefq.vxd
    C:\WINDOWS\system32\hqalebc.exe
    C:\WINDOWS\system32\install_ID6.exe
    C:\WINDOWS\system32\bsva-egihsg52.exe
    C:\WINDOWS\system32\data.~
    C:\PROGRAM FILES\SCREENMATES\felix.exe
    C:\WINDOWS\system32\ca.dll
    C:\WINDOWS\system32\f3PSSavr.scr
    c:\WINDOWS\system32\mstc.exe
    C:\WINDOWS\system32\redtrsha.dll
    C:\WINDOWS\system32\winupdt.bin
    C:\Program Files\Mozilla Firefox\chrome\m3ffxtbr.jar
    C:\WINDOWS\system\sfgctfwoa.exe
    C:\WINDOWS\Downloaded Program Files\popcaploader.dll
    C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx
    C:\WINDOWS\Downloaded Program Files\MediaAccX.dll
    C:\WINDOWS\Downloaded Program Files\OBJSAFE.TLB
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folders and delete if found:
    C:\Program Files\asdfe57
    C:\Program Files\AWS
    C:\Program Files\MAXIFILES
    C:\Program Files\SCREENMATES
    C:\Program Files\tiob
    C:\Program Files\DNS
    C:\Program Files\MY Web Search
    C:\Documents and Settings\Owner\Application Data\Viewpoint

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. ComboFix
    2. GetRunKey
    3. ShowNew
    4. HJT
    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
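To see what the O4 autostart entries and the Killbox delete-on-reboot step above leave behind, here is an added PowerShell audit script; it is not part of the thread or of any MajorGeeks tool. It lists the HKLM/HKCU Run-key entries that HijackThis reports as O4 lines, flags targets that are missing or whose path contains non-ASCII characters (HJT prints those as '?', as in W?nSxS), and shows the PendingFileRenameOperations queue that Killbox uses. The flagging heuristics, including the "exe directly under Common Files" rule, are assumptions of this example, not rules from the thread.

```powershell
# Added example (not from the thread): audit Run-key autostarts and the
# delete-on-reboot queue after a cleanup like the one described above.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Properties Get-ItemProperty adds that are not registry values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-TargetPath([string]$cmd) {
    # Strip the argument list (e.g. -atboottime, /background) so only the
    # executable path remains; quoted paths may contain spaces.
    $cmd = $cmd.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    return ($cmd -split ' ')[0]
}

function Test-SuspiciousPath([string]$path) {
    # Heuristics assumed for this example; each returns a human-readable flag.
    $flags = @()
    if ($path -match '[^\x20-\x7E]') { $flags += 'non-ASCII chars in path' }
    if (-not (Test-Path -LiteralPath $path)) { $flags += 'target file missing' }
    if ($path -match '\\Common Files\\[^\\]+\.exe$') { $flags += 'exe directly under Common Files' }
    return $flags
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }
        $target = Get-TargetPath ([string]$p.Value)
        $flags = Test-SuspiciousPath $target
        $mark = if ($flags.Count -gt 0) { 'SUSPECT' } else { 'ok' }
        '{0,-8} {1} [{2}] -> {3} {4}' -f $mark, $key.Split(':')[0], $p.Name, $target, ($flags -join '; ')
    }
}

# Killbox's "Delete on Reboot" queues entries here as (source, "") pairs in a
# REG_MULTI_SZ value; an empty destination means the file will be deleted.
$sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
if ($sm.PendingFileRenameOperations) {
    'Pending rename/delete operations:'
    $sm.PendingFileRenameOperations | Where-Object { $_ } | ForEach-Object { "  $_" }
}
```

Run it from an elevated PowerShell prompt before and after the reboot; a `SUSPECT` line that survives the reboot is one to look at again.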
  5. Schmiese

    Schmiese Private E-2

    Thanks for the timely and very detailed reply. Because there are 4 log files to attach, I'm going to go ahead and post my combofix log now, answer your questions and, when I'm done with all the steps, will post the other 3 logs in another reply.

    First of all, let me assure you, this is NOT my PC. It's shared by a family with 4 tween/teenage girls and that's why there's all this chat cr@p, etc. I have no problem deleting "all that FunWebProducts junk", so please feel free to pass along the steps. I think when all this is done I'm going to create a limited user account for the kids to use and drill into Mom's head not to give them access to her account so they can't randomly download/install whatever suits their fancy.

    Re: CounterSpy...I had downloaded it for the first time yesterday - can't imagine they'd ever had it on the PC before - and it doesn't say anything about me being out of time...in fact, I thought I saw something to the effect that I had 30 days to try it out. So, not sure why it choked after the scan, but I sure appreciate your time and effort in giving me a manual solution.

    I'm going to move on to those steps now and will post the last 3 logs when done.

    Wish me luck!
     


  6. Schmiese

    Schmiese Private E-2

    I'm hitting a snag with the fixME registry merge. I did make sure that 'All files' was selected and saved it with the .reg extension (and no, I didn't include the --Quote-- and --End Quote-- marks, just selected from *REGEDIT4* down through the last HKEY), but when I double-click it on the Desktop, and answer 'Yes' that I want to write it into the registry, I get the following error window:

    "Cannot import ...fixME.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor."

    The encoding option in Notepad was ANSI and I also tried the Unicode option.

    What now?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, I know the patch itself is fine, so for some reason it is not being saved properly. Did you use Notepad?

    Try this. Download the attached fixME.zip file and extract the fixME.reg file from it directly to your Desktop (overwriting the previous file). Then locate fixME.reg on your Desktop and continue as previously instructed.
     


  8. Schmiese

    Schmiese Private E-2

    I did use Notepad - even reset the font to Courier New and took off text wrapping so it would be more "raw" - not sure why it didn't work, but your attachment went through fine. Thanks.

    Ran the Killbox program with the list you sent and that worked fine (no "pending file..." prompt).

    After reboot, found a few of the folders you listed (also found the Viewpoint folder off the Program Files location and found another copy of AWS off the Docs & Settings/Owner/App Data location), so got rid of those, too, for good measure.

    Ran Ccleaner and have attached new log files from GetRunKey, ShowNew and HJT.

    The boot up is still quite long, but I think it's mostly due to all those stupid chat programs loading on boot. Will go into msconfig and take them out of startup and see if that helps things.

    I'm thinking they should really upgrade to SP2, but would rather they were able to back up all their files first, just in case.

    Oh, and can you send along the steps for deleting all the "FunWebProducts junk" and I'll get rid of that stuff, too.

    This has been quite an enlightening experience! I really applaud you guys for all your time and efforts in this never-ending battle against malware.

    I'll await your reply on how my logs look and let you know how things are going (as best I can, as it's not my computer and the owners will be better able to put it through its paces and see if everything they normally use is working as it should).

    Thanks!
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! Don't do this! First let's remove some more unnecessary startups (procedure below). Then find out from them why they need two versions of AIM and also do they use all of the messengers. If any are not used (especially duplicated versions of AIM) uninstall them as a first measure.

    Also ask them if they really need and truly use all those Toolbars (AOL, Google, Yahoo). Getting rid of at least two of them would help.


    I'll post a fix below.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Now run another scan with CounterSpy, save and attach a new log, also attempt to fix anything it finds.

    Then Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

    After clicking Fix, exit HJT.

    Now reboot!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
  10. Schmiese

    Schmiese Private E-2

    Sorry for the delay...Sundays are notoriously busy.

    I checked with the owner and she felt they were only really using the Yahoo toolbar and the AIM programs. That AIM Plus is some type of cloning thing for when multiple users want to be on or show some type of away message while another one is using it, I guess. Anyway, I didn't see Yahoo's Messenger in the Add/Remove area (unless it's considered 'Yahoo Extras') and stupid Microsoft was asking for the Windows CD to uninstall MSN & Windows Messenger - PUH-LEEZE! So, I'll have to walk her through that over the phone or something.

    In the meantime, I ran the new fixME file and that went fine.

    Was able to do a scan with CounterSpy and have it show me the files to quarantine (I wonder if the issue before was that I was running the scan in Safe Mode...I didn't see where I was supposed to be back in regular mode to run that - sorry if I missed that). Anyway, I quarantined all it presented except the Party Poker (husband asked that I leave his poker games there, if possible). The log is attached and the program is now uninstalled.

    Ran HijackThis and fixed the files you indicated.

    Did a reboot and reran the .bat files and HJT. Am attaching the Counterspy log and the .bat file logs here and will post a second time to add the HJT log.

    Feels like we're heading into the home stretch! :p

    Thanks again for all the help. I await your reply.
     


  11. Schmiese

    Schmiese Private E-2

    HJT log file is attached.
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you don't need Yahoo Instant Messenger or MSN Messenger to load, then fix the below. The 3rd item (mywebsearch) is actually considered mild malware. Fix it too.
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZU


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below:
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file and the associated C:\combofix.txt log that was created.
    3. If we used SDFix, you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • Go back to step 8 of the READ & RUN ME to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
