Malware has made me its beeyatch

Discussion in 'Malware Help (A Specialist Will Reply)' started by Julie Jamison, May 13, 2005.

  1. Julie Jamison

    Julie Jamison Private E-2

    Last night my seven year old called cheerily from the "kid" computer, "Mom, something is wrong here." I walked over to see approximately 43 pop ups and some installations-in-progress. BAH!

    The results were catastrophic, with approximately three pop ups every 45 seconds, even with a browser closed. I put on my best geek facade early this morning and went to work. I did my research, here and on another site. I really read your "read this first" threads.

    I ran my usual Webroot Spy Sweeper. I downloaded Ad-Aware and ran it as well. I downloaded and ran Spybot. I found a special uninstaller for the Aurora ad and the Elite toolbar. I even sacrificed Kazaa and eliminated Top Search. I downloaded Dr. Delete and got rid of bman.exe and bman1.exe. (I think!) Then I downloaded SpyBlaster, just in case I ever recover.

    Now it didn't take me all day. I took breaks to nap and eat and trim my toenails and floss. I am happy to report that I have my old Google toolbar back and now I only get pop ups at the rate of two every 3-4 minutes. That is such progress!

    My fear is that the child clicked and inadvertently installed a program I can not find. The pop ups are not squelched by my google toolbar blocker, begin at start up, and all seem to come from

    ads1.revenue.net
    ad.yieldmanager.com
    that damn tricky ad that tries to get you to download spyspotter
    stuff powered by zedo

    In my research I even figured out you need a hijackthis log, which I have managed to secure. (I am so proud!) I even looked at it and tried to nod thoughtfully and pretend like I understood it. But I also know how to follow directions and it said not to post unless asked.

    Also, I should mention I am unable to operate this computer in safe mode. For some reason, I can not log in that way. I get an incorrect password.

    I am pitiful. Send help. I have nudie photos and pricey bourbon to trade.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    Before running HijackThis: you must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post, as it will be removed.)

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. Julie Jamison

    Julie Jamison Private E-2

    Thank you, sir!
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    P2P Networking

    E2G

    WinTools

    Toolbar

    After uninstalling the above you will need to reboot. During the reboot boot into SAFE MODE.


    Once in Safe Mode, scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O2 - BHO: (no name) - -{28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
    O2 - BHO: (no name) - -{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - (no file)
    O2 - BHO: (no name) - -{ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll

    O3 - Toolbar: (no name) - -{825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)

    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vplzvl.exe
    O4 - HKLM\..\Run: [v38S3Fj] cioawex.exe
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefeg32.exe
    O4 - HKCU\..\Run: [sysnss] C:\WINDOWS\System32\sysnss.exe
    O4 - HKCU\..\Run: [e0r2RPHte] camrrenu.exe
    O4 - HKCU\..\RunOnce: [sysnss] C:\WINDOWS\System32\sysnss.exe

    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} - https://formsrvr.butlercc.edu/jinitiator/jinit.exe

    O23 - Service: OracleClientCache80 - Unknown owner - e:\ORANT\BIN\ONRSD80.EXE (file missing)
    O23 - Service: OracleOraHome81ClientCache - Unknown owner - E:\Oracle\Ora81\BIN\ONRSD.EXE (file missing)
    O23 - Service: OracleOraHome81Nameshp9000.buccc.cc.ks.us - Unknown owner - E:\Oracle\Ora81\BIN\NAMES.EXE (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System32\P2P Networking ←–– Delete this whole folder if it exists!

    C:\Program Files\E2G ←–– Delete this whole folder if it exists!

    C:\Program Files\Common Files\WinTools ←–– Delete this whole folder if it exists!

    C:\Program Files\Toolbar ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\vplzvl.exe

    C:\WINDOWS\System32\cioawex.exe

    C:\WINDOWS\System32\sysnss.exe

    C:\WINDOWS\System32\elitefeg32.exe <-- Also, look for other files starting with ELITE and ending with EXE, there could be up to 10 of these. Delete any others you find!

    C:\WINDOWS\cfgmgr52.dll

    camrrenu.exe ←–– Search for this file and delete when found!

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows

    After you have completed everything listed above, please proceed with the below online scans, posting your results as in what was found and the location of the infection.

    TrendMicro Online Scan
    Bitdefender online scan
    RavAntivirus online scan <-- select Auto Clean then click Scan My PC
    TrojanScan online scan


    After doing ALL of the above, Scan with HijackThis and attach the new log.
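    The fix list above is the usual first pass over a HijackThis log: Run keys (O4) that point at bare filenames or at binaries dropped straight into the Windows tree, BHO and toolbar registrations (O2/O3) whose DLL is already gone, ActiveX installs (O16) and orphaned services (O23). As an added example that is not part of the thread and not HijackThis code, the Python below parses those line shapes and applies exactly those checks. The sample log is constructed from entries quoted in this post plus two benign lines for contrast; the `KNOWN_SYSTEM_AUTORUNS` allowlist and the zero GUID are assumptions made for the example, not a vetted baseline.

```python
"""Triage of HijackThis-style log lines (added example; not HijackThis code).
Parses the O2/O3/O4/O16/O23 shapes quoted in the replies above and flags what a
reviewer keys on first: autoruns naming a bare filename or a binary dropped into
the Windows tree, registrations whose file is gone, and ActiveX (O16) installs
with their source host. Allowlist and sample log are constructed (assumptions)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Finding:
    line_no: int
    section: str   # O2, O3, O4, O16 or O23
    reason: str    # short tag, stable for counting
    detail: str    # what a human should check


_O4_REG = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
_O4_STARTUP = re.compile(r"^O4 - (?P<scope>Global Startup|Startup): (?P<file>.*)$")
_BHO_TB = re.compile(r"^(?P<sec>O2|O3) - (?:BHO|Toolbar): (?P<name>.*?) - -?\{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
_O16 = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<name>[^)]*)\))? -\s*(?P<url>.*)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# First file reference in a Run-key command; HJT prints unquoted paths containing spaces.
_TARGET = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|com|scr|cpl|bat|pif))"?(?:[\s,]|$)', re.I)

WINDOWS_DIRS = ("c:\\windows\\", "c:\\winnt\\")
KNOWN_SYSTEM_AUTORUNS = {"ctfmon.exe"}   # illustrative only (assumption), not a vetted baseline


def command_target(cmd: str) -> str:
    """File a Run-key command actually loads: the DLL for rundll32, else the executable."""
    first, _, rest = cmd.strip().partition(" ")
    if first.lower() in ("rundll32", "rundll32.exe"):
        cmd = rest
    m = _TARGET.match(cmd.strip())
    return m["path"] if m else cmd.strip()


def _location_finding(line_no, section, label, target):
    low = target.lower()
    if "\\" not in low:
        return Finding(line_no, section, "bare-filename",
                       f"{label}: '{target}' has no path and is resolved via the search path at logon")
    if low.startswith(WINDOWS_DIRS) and low.rsplit("\\", 1)[-1] not in KNOWN_SYSTEM_AUTORUNS:
        return Finding(line_no, section, "windows-dir-binary",
                       f"{label}: '{target}' sits in the Windows tree, where applications rarely put autoruns")
    return None


def triage(log_text: str) -> list:
    out = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        line, f = raw.strip(), None
        if m := _O4_REG.match(line):
            f = _location_finding(n, "O4", f"{m['hive']}\\..\\{m['key']} [{m['name']}]", command_target(m["cmd"]))
        elif m := _O4_STARTUP.match(line):
            f = Finding(n, "O4", "startup-folder", f"{m['scope']} item '{m['file']}' runs at logon; confirm what installed it")
        elif m := _BHO_TB.match(line):
            kind = "BHO" if m["sec"] == "O2" else "toolbar"
            if m["path"].strip().lower() == "(no file)":
                f = Finding(n, m["sec"], "orphan", f"{kind} {{{m['clsid']}}} is registered but its DLL is gone")
            else:
                f = _location_finding(n, m["sec"], f"{kind} '{m['name']}'", m["path"].strip())
        elif m := _O16.match(line):
            url = m["url"].strip()
            if url:
                f = Finding(n, "O16", "activex-download", f"ActiveX {{{m['clsid']}}} came from {urlparse(url).hostname}")
            else:
                f = Finding(n, "O16", "no-source", f"ActiveX {{{m['clsid']}}} ({m['name'] or 'no name'}) has no source recorded")
        elif (m := _O23.match(line)) and "(file missing)" in m["path"]:
            f = Finding(n, "O23", "orphan-service", f"service '{m['name']}' points at a missing binary: {m['path']}")
        if f:
            out.append(f)
    return out


def by_reason(findings) -> dict:
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


# Constructed sample: entries quoted in the thread plus two benign lines (Example Helper, ctfmon).
SAMPLE_LOG = r"""O2 - BHO: (no name) - -{28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O3 - Toolbar: (no name) - -{825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vplzvl.exe
O4 - HKLM\..\Run: [v38S3Fj] cioawex.exe
O4 - HKCU\..\RunOnce: [sysnss] C:\WINDOWS\System32\sysnss.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: NKCA.EXE
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} - https://formsrvr.butlercc.edu/jinitiator/jinit.exe
O23 - Service: OracleClientCache80 - Unknown owner - e:\ORANT\BIN\ONRSD80.EXE (file missing)
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.line_no:>3} {finding.section:<4} {finding.reason:<18} {finding.detail}")
```

    The value name is deliberately not trusted: `[KavSvc]` looks like a Kaspersky service but points at `vplzvl.exe` in System32, and the location rule catches it regardless of the label. A real triage would replace the one-entry allowlist with a baseline taken from a known-clean build of the same machine.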
     
  5. Julie Jamison

    Julie Jamison Private E-2

    And what if I can't reboot in safe mode? (In my original message I explained I can not log in that way - I just get an error.) Can I just do it in normal windows, or is figuring out how to log in in safe mode something I MUST accomplish first. I can get to safe mode - it just rejects my user name and password when I log in.
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You need to be in Safe Mode to do fix below as some of the files are in use by windows.

    While in normal windows, go into Control Panel and then select user accounts. Remove all passwords and then go in safe mode. Shouldn't have a problem then.
     
  7. Julie Jamison

    Julie Jamison Private E-2

    Did you ever know that you're my hero?

    I followed these outstanding and clear instructions, although I couldn't find everything as listed. Attached is my latest hijack this log plus the results of two of the online scans you suggested.

    The trojan scan also showed

    .../Julie/LocalSettings/Tem/Uninstall.exe - AdWare.Toolbar.Elitebar.q
    .../AllUsers/StartMenu/Programs/StartUp/nkca.exe - Trojan downloader
    .../Windows/system32/tibytbp.dll - Trojan downloader

    And the items that continue to show up in spyware scans are - BookedSpace, Apropos Media, and People On Page

    But my immediate problem is blissfully solved. I have had no insanely frequent and annoying pop ups since rebooting after leaving safe mode. Thus, you are a god. I worship you.

    *********

    BitDefender Online Scanner

    Results

    Identified Viruses: 24
    Infected Files: 42
    Suspect Files: 1
    Warnings: 0
    Disinfected: 0
    Deleted Files: 40

    Engines Info

    Virus Definitions: 159270
    Engine build: AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
    Scan plugins: 13
    Archive plugins: 39
    Unpack plugins: 4
    E-mail plugins: 6
    System plugins: 1

    Scan Settings

    First Action: Disinfect
    Second Action: Delete
    Heuristics: Yes
    Enable Warnings: Yes
    Scanned Extensions: exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;class;ovl;ole;hlp;doc;dot;xls;ppt;wbk;wiz;pot;ppa;xla;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp;js;shs;chm;lnk;pif;prc;url;smm;pfd;msi;ini;csc;cmd;bas;
    Exclude Extensions:
    Scan Emails: Yes
    Scan Archives: Yes
    Scan Packed: Yes
    Scan Files: Yes
    Scan Boot: Yes



    Scanned File / Status

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nkca.exe
        Infected with: Trojan.Downloader.Qoologic.L; Disinfection failed; Delete failed

    C:\Documents and Settings\Julie\Local Settings\Temp\DrTemp\ceres.dll
        Detected with: Adware.BetterInet.B; Deleted

    C:\Documents and Settings\Julie\Local Settings\Temp\DrTemp\farmmext.exe
        Infected with: Trojan.Downloader.Stubby.A; Disinfection failed; Deleted

    C:\Documents and Settings\Julie\Local Settings\Temp\DrTemp\wupdt.exe
        Infected with: Trojan.Downloader.Intexp.C; Disinfection failed; Deleted

    C:\Documents and Settings\Julie\Local Settings\Temp\ei.exe
        Infected with: Trojan.DownLoader.1693; Disinfection failed; Deleted

    C:\Documents and Settings\Julie\Local Settings\Temp\f148472296.exe
        Infected with: Trojan.Downloader.Qoologic.L; Disinfection failed; Deleted

    C:\Documents and Settings\Julie\Local Settings\Temp\suicidetb.exe
        Infected with: Trojan.Adclicker.BA; Disinfection failed; Deleted

    C:\Documents and Settings\Julie\Local Settings\Temp\tp7543.exe
        Infected with: Trojan.Downloader.Qoologic.I; Disinfection failed; Deleted

    C:\Documents and Settings\Julie\Local Settings\Temporary Internet Files\Content.IE5\456RWTE3\download[1].htm
        Infected with: Exploit.Html.Codebase.Exec.Gen; Disinfection failed; Deleted

    C:\Documents and Settings\Julie\Local Settings\Temporary Internet Files\Content.IE5\456RWTE3\download[2].htm
        Infected with: Exploit.Html.Codebase.Exec.Gen; Disinfection failed; Deleted

    C:\Documents and Settings\Julie\Local Settings\Temporary Internet Files\Content.IE5\4H2RKDMV\ei[1].exe
        Infected with: Trojan.DownLoader.1693; Disinfection failed; Deleted

    C:\Documents and Settings\Julie\Local Settings\Temporary Internet Files\Content.IE5\UFCFETOF\AutoUpdaterInstaller[1].exe
        Infected with: Trojan.Downloader.Apropo.G; Disinfection failed; Deleted

    C:\Program Files\FwBarTemp\searchbar.exe
        Infected with: Trojan.Downloader.VB.EU; Disinfection failed; Deleted

    C:\Program Files\Kazaa\My Shared Folder\WS_FTP_LE (1).exe
        Infected with: Win32.P2P.Sddrop.B@mm; Disinfection failed; Deleted

    C:\Program Files\Kazaa\My Shared Folder\WS_FTP_LE.exe
        Infected with: Win32.P2P.Sddrop.B@mm; Disinfection failed; Deleted

    C:\System Volume Information\_restore{DDFF717B-789F-4813-B42D-BDE0941D512D}\RP1\A0000049.exe
        Infected with: BehavesLike:Win32.ExplorerHijack; Disinfection failed; Deleted

    C:\System Volume Information\_restore{DDFF717B-789F-4813-B42D-BDE0941D512D}\RP1\A0000050.exe
        Infected with: Trojan.StartPage.NK; Disinfection failed; Deleted

    C:\System Volume Information\_restore{DDFF717B-789F-4813-B42D-BDE0941D512D}\RP1\A0000051.exe
        Infected with: BehavesLike:Win32.ExplorerHijack; Disinfection failed; Deleted

    C:\System Volume Information\_restore{DDFF717B-789F-4813-B42D-BDE0941D512D}\RP1\A0000052.exe
        Infected with: BehavesLike:Win32.ExplorerHijack; Disinfection failed; Deleted

    C:\System Volume Information\_restore{DDFF717B-789F-4813-B42D-BDE0941D512D}\RP1\A0000053.exe
        Infected with: BehavesLike:Win32.ExplorerHijack; Disinfection failed; Deleted

    C:\System Volume Information\_restore{DDFF717B-789F-4813-B42D-BDE0941D512D}\RP1\A0000054.exe
        Infected with: BehavesLike:Win32.ExplorerHijack; Disinfection failed; Deleted

    C:\System Volume Information\_restore{DDFF717B-789F-4813-B42D-BDE0941D512D}\RP1\A0000055.exe
        Infected with: BehavesLike:Win32.ExplorerHijack; Disinfection failed; Deleted

    C:\System Volume Information\_restore{DDFF717B-789F-4813-B42D-BDE0941D512D}\RP1\A0000058.dll
        Detected with: Adware.Elitebar.A; Disinfection failed; Deleted

    C:\System Volume Information\_restore{DDFF717B-789F-4813-B42D-BDE0941D512D}\RP1\A0000083.exe
        Infected with: Trojan.Downloader.Qoologic.L; Disinfection failed; Deleted

    C:\System Volume Information\_restore{DDFF717B-789F-4813-B42D-BDE0941D512D}\RP1\A0000089.exe
        Infected with: Trojan.Downloader.VB.EU; Disinfection failed; Deleted

    C:\System Volume Information\_restore{DDFF717B-789F-4813-B42D-BDE0941D512D}\RP1\A0000090.exe
        Infected with: Win32.P2P.Sddrop.B@mm; Disinfection failed; Deleted

    C:\System Volume Information\_restore{DDFF717B-789F-4813-B42D-BDE0941D512D}\RP1\A0000091.exe
        Infected with: Win32.P2P.Sddrop.B@mm; Disinfection failed; Deleted

    C:\WINDOWS\system32\AUNPS2.dll
        Infected with: Trojan.Clicker.Small.EZ; Disinfection failed; Deleted

    C:\WINDOWS\system32\Cache\AUNIcons.exe
        Infected with: Trojan.Downloader.Agent.JQ; Disinfection failed; Deleted

    C:\WINDOWS\system32\Cache\dist006.exe
        Infected with: Dropped:Trojan.Downloader.VB.EU; Disinfection failed; Deleted

    C:\WINDOWS\system32\Cache\HelperInstall.exe
        Infected with: Trojan.Dropper.Delf.Z; Disinfection failed; Deleted

    C:\WINDOWS\system32\Cache\InstallAPS.exe
        Infected with: Dropped:Trojan.Clicker.Small.EZ; Disinfection failed; Deleted

    C:\WINDOWS\system32\Cache\optimize.exe
        Infected with: Trojan.Downloader.Dyfuca.DX; Disinfection failed; Deleted

    C:\WINDOWS\system32\Cache\pi1_51.exe
        Infected with: Trojan.Downloader.Prutect; Disinfection failed; Deleted

    C:\WINDOWS\system32\ms_32.exe
        Infected with: Win32.P2P.Sddrop.B@mm; Disinfection failed; Deleted

    C:\WINDOWS\system32\ms_bak.tmp.exe
        Infected with: Backdoor.SDBot.D36B6961; Deleted

    C:\WINDOWS\system32\payup.dat
        Infected with: Trojan.Downloader.Qoologic.L; Disinfection failed; Deleted

    C:\WINDOWS\system32\SahAgent.exe
        Detected with: Adware.Sahagent.A; Disinfection failed; Deleted

    C:\WINDOWS\system32\tibytbp.dll
        Infected with: Trojan.Downloader.Qoologic.L; Disinfection failed; Delete failed

    C:\WINDOWS\system32\vplzvl.exe
        Infected with: Trojan.Downloader.Qoologic.L; Disinfection failed; Deleted

    C:\WINDOWS\system32\winhot32.dll
        Infected with: Trojan.Downloader.NL; Disinfection failed; Deleted

    C:\WINDOWS\system32\winup2date.dll
        Suspected of: Trojan.Downloader.Small.Gen; Disinfection failed; Delete failed

    C:\WINDOWS\system32\winupdt.exe
        Infected with: Trojan.Downloader.Agent.JQ; Disinfection failed; Deleted
     

    Attached Files:

    Last edited: May 14, 2005
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    (Don't run it yet)

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

    Now scan with HijackThis and Check the Boxes for the following:

    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll (file missing)

    O3 - Toolbar: (no name) - -{825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)

    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [v38S3Fj] vgawsx.exe
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vplzvl.exe
    O4 - HKCU\..\Run: [sysnss] C:\WINDOWS\System32\sysnss.exe
    O4 - HKCU\..\Run: [e0r2RPHte] atibaln.exe

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} -%windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} - https://formsrvr.butlercc.edu/jinitiator/jinit.exe

    O23 - Service: OracleOraHome81Nameshp9000.buccc.cc.ks.us - Unknown owner - E:\Oracle\Ora81\BIN\NAMES.EXE (file missing)

    Make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\Program Files\CxtPls ←–– Delete this whole folder if it exists!

    C:\Program Files\Common Files\WinTools ←–– Delete this whole folder if it exists!

    NEXT:
    Locate PocketKillbox

    Now, Copy and Paste C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nkca.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\vgawsx.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\atibaln.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\sysnss.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Now allow Killbox to reboot your system. After your system has rebooted and normal windows has loaded, proceed with these last few steps.

    NEXT:
    Run CCleaner

    Scan with HijackThis and attach the new log.
     
  9. Julie Jamison

    Julie Jamison Private E-2

    I should not feel so proud of myself for following simple instructions, but I DO. Thank you.

    C:\WINDOWS\System32\sysnss.exe

    That is the one killbox could not locate. (Did not show up in blue.) I also tried dr. delete (in safe mode) but got the message that file did not exist. I don't see it when I browse either, and I am showing hidden files.

    Hmmm.

    Log attached.
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    O3 - Toolbar: (no name) - -{825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)

    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vplzvl.exe
    O4 - HKCU\..\Run: [sysnss] C:\WINDOWS\System32\sysnss.exe
    O4 - HKCU\..\Run: [e0r2RPHte] atibaln.exe

    Make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Navigate to and DELETE the following if they should remain, be sure you have the Viewing of Hidden Files & Folders Enabled.

    C:\WINDOWS\System32\atibaln.exe

    C:\WINDOWS\System32\vplzvl.exe

    C:\WINDOWS\System32\sysnss.exe

    NEXT:
    Run CCleaner

    Reboot to Normal Windows , Scan with HijackThis and attach the new log. If these files still remain, we will have to get advanced.
     
  11. Julie Jamison

    Julie Jamison Private E-2

    You are too good to me.

    Uh oh. I am scared about getting advanced.
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, Please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.


    Now come back here and post both logs as attachments.
     
  13. Julie Jamison

    Julie Jamison Private E-2

    Gotcha.
     

    Attached Files:

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! This can be a pain to remove so lets begin.

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file regfix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the regfix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!



    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    You must physically disconnect from the internet by pulling the cable, also shut down all running programs.


    Locate PocketKillbox and run the utility.
    (If some don't show up in blue, proceed as if they are in blue)

    Now, Copy and Paste C:\WINDOWS\System32\atibaln.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\vplzvl.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\sysnss.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\AKQRA.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\TIBYTBP.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\WINUP2~1.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\BNQABQC.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\WMCONFIG.cpl into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\UNADBEH.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\JOVNJ.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Before you enter the next line, make sure you set Killbox to "Replace on Reboot"

    Now, Copy and Paste C:\docume~1\alluse~1\startm~1\programs\startup\NKCA.EXE into the box and check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.


    After doing ALL of the above, reboot and post a fresh HJT log along with a new log from the Qoologic Tool & the RKFiles Tool. You will have to post 2 times to get the logs. After this we will see what remains.

    Good Luck! :)
     
  15. Julie Jamison

    Julie Jamison Private E-2

    Hey, I didn't get notification of this message in my email. And here I thought you were slacking...

    I am going to do this - I am! But I am on deadline right now, which means I am far too frantic and focused to undertake a computer challenge. Plus, I am frightened something "bad" will happen.

    Soon I will summon the courage though. I am scared - hold me. ;P
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's okay, as long as you follow my fix word for word you won't have any problems.

    I promise!:)
     
  17. Julie Jamison

    Julie Jamison Private E-2

    Wait...do I do all of that in safe mode?
     
  18. Julie Jamison

    Julie Jamison Private E-2

    DAMMIT JIM!

    Something bad DID happen! Since I am a mini-geek, I fixed it. Well, me and my friendly Cox tech support guy. ;P

    However, the hijackthis log looks distressing to me. But what do I know. It is attached and I will do the others in the next post.
     
    Last edited: May 17, 2005
  19. Julie Jamison

    Julie Jamison Private E-2

    And the other logs. Have I mentioned you are fabulous?
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, before I forget! Navigate to the following folder:

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup

    and delete these 2 files:

    NKCA.EXE

    strings.exe


    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O3 - Toolbar: (no name) - -{825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)

    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vplzvl.exe
    O4 - HKCU\..\Run: [sysnss] C:\WINDOWS\System32\sysnss.exe
    O4 - Global Startup: NKCA.EXE
    O4 - Global Startup: strings.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.


    Locate PocketKillbox

    Now, Copy and Paste C:\WINDOWS\System32\sysnss.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\vplzvl.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\payup.dat into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\skytown.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.


    Allow Killbox to reboot your system, after windows has loaded post a fresh HJT log along with the other 2 logs.
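    The O4 lines in the fix above are HijackThis's view of two autostart locations: the Run keys under HKLM and HKCU (Software\Microsoft\Windows\CurrentVersion\Run) and the all-users Startup folder. The script below is an added example, not part of this thread or of HijackThis; it parses O4 lines of the two shapes seen in this thread, maps each to the registry key or folder it came from, and classifies it against a list of files known to be on disk. That catches the two cases the thread runs into later: an autostart value whose file is already gone (Killbox finds nothing, but the Run value still needs fixing) and a bare image name with no directory (such as atibaln.exe), which cannot be judged without knowing which copy the search path would load. The sample lines are taken from this post, and the on-disk file list is constructed.

```python
"""Classify HijackThis O4 autostart entries (added example, not HJT's own code)."""
import re
from typing import Dict, List, Optional, Tuple

# Registry keys behind HJT's "HKLM\..\Run" / "HKCU\..\Run" shorthand.
RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}
# All-users Startup folder on the XP-era layout used in this thread.
GLOBAL_STARTUP = r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup"

O4_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - Global Startup: (?P<file>.+)$")

# Sample O4 lines, copied from the fix in this thread.
SAMPLE_LINES = [
    "O4 - HKLM\\..\\Run: [KavSvc] C:\\WINDOWS\\System32\\vplzvl.exe",
    "O4 - HKCU\\..\\Run: [sysnss] C:\\WINDOWS\\System32\\sysnss.exe",
    "O4 - HKCU\\..\\Run: [e0r2RPHte] atibaln.exe",
    "O4 - Global Startup: NKCA.EXE",
    "O4 - Global Startup: strings.exe",
    "O3 - Toolbar: (no name) - -{825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)",
]
# Constructed: files assumed to exist on the machine for this example.
SAMPLE_FILES_ON_DISK = {
    r"C:\WINDOWS\System32\sysnss.exe",
    GLOBAL_STARTUP + r"\NKCA.EXE",
}


def _image_of(cmd: str) -> str:
    """First token of a Run command: a quoted path or the text up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_o4(line: str) -> Optional[Dict[str, object]]:
    """Return a dict describing an O4 entry, or None for any other HJT line."""
    m = O4_RUN.match(line.strip())
    if m:
        image = _image_of(m.group("cmd"))
        return {
            "kind": "run",
            "hive": m.group("hive"),
            "location": RUN_KEYS[m.group("hive")],
            "name": m.group("name"),
            "command": m.group("cmd"),
            "image": image,
            "bare_image": "\\" not in image,  # no directory: search path decides what runs
        }
    m = O4_STARTUP.match(line.strip())
    if m:
        image = GLOBAL_STARTUP + "\\" + m.group("file").strip()
        return {
            "kind": "startup",
            "hive": None,
            "location": GLOBAL_STARTUP,
            "name": m.group("file").strip(),
            "command": image,
            "image": image,
            "bare_image": False,
        }
    return None


def audit(lines: List[str], files_on_disk) -> List[Tuple[str, str, str, str]]:
    """(location, name, image, status) for every O4 line in `lines`."""
    on_disk = {p.lower() for p in files_on_disk}
    report = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        image = str(entry["image"])
        if entry["bare_image"]:
            status = "unresolved"  # bare name; resolve it before judging the file
        elif image.lower() in on_disk:
            status = "active"      # entry and file both present
        else:
            status = "orphan"      # entry survives, file is gone: fix the entry anyway
        report.append((str(entry["location"]), str(entry["name"]), image, status))
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_LINES, SAMPLE_FILES_ON_DISK):
        print(" | ".join(row))
```

    An "orphan" result is the situation from later in this thread, where Killbox does not find the file yet the Run value is still listed: the value itself is what HijackThis fixes, so it should be ticked regardless. An "unresolved" result means the log line alone does not say which file runs, so the file should be located (System32 is the usual place for these) before it is handed to Killbox.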
     
  21. Julie Jamison

    Julie Jamison Private E-2

    I have met the devil and his name sysnss.

    As a note, I did not see strings in the file so did not delete. With killbox both sysnss and vplzvl did not turn blue and they were not on the HJT list.
     
    Last edited: May 18, 2005
  22. Julie Jamison

    Julie Jamison Private E-2

    My untrained eye is not pleased. What do these pesky files do anyway? Maybe I can make friends with them and we can just live together in harmony? It didn't work with Tod Bernard in the 2nd grade, but maybe I have matured since then.
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First download: ProcessExplorer for Win NT/2K/XP

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of sysnss.exe & atibaln.exe once and then click the kill button. After you have killed all of the sysnss.exe & atibaln.exe's under winlogon click ok.

    Next double click on explorer.exe and again click once on each instance of sysnss.exe & atibaln.exe then click the kill button. Once you have done that click ok again.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O3 - Toolbar: (no name) - -{825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)

    O4 - HKCU\..\Run: [sysnss] C:\WINDOWS\System32\sysnss.exe
    O4 - HKCU\..\Run: [e0r2RPHte] atibaln.exe


    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.
    In Killbox - put a check next to "Delete on Reboot"
    Copy & paste the following line in bold into the "Full Path of File To Delete" box:

    C:\WINDOWS\System32\atibaln.exe
    (Click NO when it prompts to reboot)

    C:\WINDOWS\System32\sysnss.exe

    Then click the red button with the X and allow Killbox to reboot then post a new HijackThis log.
     
  24. Julie Jamison

    Julie Jamison Private E-2

    Once you see this screen click on each instance of sysnss.exe & atibaln.exe once and then click the kill button. After you have killed all of the sysnss.exe & atibaln.exe's under winlogon click ok.

    Next double click on explorer.exe and again click once on each instance of sysnss.exe & atibaln.exe then click the kill button. Once you have done that click ok again.

    I saw this, but there were no instances of sysnss or atibaln for either

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O3 - Toolbar: (no name) - -{825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)

    O4 - HKCU\..\Run: [sysnss] C:\WINDOWS\System32\sysnss.exe
    O4 - HKCU\..\Run: [e0r2RPHte] atibaln.exe


    The second two were not there.

    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.
    In Killbox - put a check next to "Delete on Reboot"
    Copy & paste the following line in bold into the "Full Path of File To Delete" box:

    C:\WINDOWS\System32\atibaln.exe
    (Click NO when it prompts to reboot)

    C:\WINDOWS\System32\sysnss.exe

    Then click the red button with the X and allow Killbox to reboot then post a new HijackThis log

    Did this, but it did not turn blue for the files. Just continued as if it did.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You said in your last message that the below two items were not in your HJT log to fix:

    O4 - HKCU\..\Run: [sysnss] C:\WINDOWS\System32\sysnss.exe
    O4 - HKCU\..\Run: [e0r2RPHte] atibaln.exe

    But they are in your current log. Check again and repeat BJ's steps to fix those lines and delete the files.

    Also, in message #7 you showed a bunch of items detected in System Restore volumes. You must disable System Restore and leave it disabled until the problems have been resolved. Bit Defender should not be finding problems in System Restore volumes if it is disabled.
     
