Malware hiding from me

Discussion in 'Malware Help (A Specialist Will Reply)' started by chasgreghall, May 8, 2008.

  1. chasgreghall

    chasgreghall Private E-2

    I have spent a lot of time working on the thread "MajorGeeks Support Forums > Help & Technical Forums > Malware Removal
    Malware Removal FAQ" It is not working for me. I cannot delete files and cannot get ANY virus software to run except for BitDefender online. It finds a lot of files and deletes a lot of files, but I still cannot start virus programs. I get the same message from the thread above - "not a win32dll file". Can you help please? I have become very frustrated trying to do this on my own.
     
  2. abri

    abri MajorGeek

    Hi chasgreghall,
    Welcome to Major Geeks!


    Are you able to install the programs? Are you able to get your computer into Safe Mode? To do this, hit F8 repeatedly during bootup until the menu appears, at the top of which is Safe Mode. Print out the instructions in the links if you need them.

    If you can install software, please go to Safe Mode and see if you can get Combofix and the MGTools to run there. Here are the links for each:

    How to properly run Combofix

    Using MGTools

    If you're able to, please attach the logs. If not, please let me know.
    The MGTools logs are called MGlogs.zip and can be found as a file (not a folder) directly under C. The Combofix.txt log can also be found there.

    abri
     
  3. chasgreghall

    chasgreghall Private E-2

    Also, I have a Windows XP SP2 disk and an Ultimate Boot Disk. I will attach the results of the BitDefender when it is finished.
     
  4. chasgreghall

    chasgreghall Private E-2

    Nope, when I try Safe Mode, the computer reboots.
     
  5. chasgreghall

    chasgreghall Private E-2

    I have tried these without success
     
  6. abri

    abri MajorGeek

    See if you can get ESET to run. And I will also post instructions for Panda. Both of these are online scanners and both require Internet Explorer with ActiveX enabled.

    Please disable your antivirus program while running this scan to avoid running into issues with your existing program conflicting with the online scan.

    Notes:

    • You must use Internet Explorer to run this scan.
    • If you are using Vista, right click IE and "Run as Administrator" or the online scanner will not work properly.

    Click on this ESET Online Scanner to begin the process.

    • Check the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to be installed.
    • Click Start
    • Check below options:
      • Remove found threats
      • Scan unwanted applications.
    • Click Scan
    • Wait for the scan to finish
    • When it finishes it will create a log file here: C:\Program Files\EsetOnlineScanner\log.txt
    • Attach this logfile to your next message.

    And this one:

    Using Panda Active Scan

    Let me know how this goes?
    abri
     
  7. chasgreghall

    chasgreghall Private E-2

    c:\report3.html
     
  8. chasgreghall

    chasgreghall Private E-2

    Here are the results from BitDefender before I stopped it. I will post the other two when complete.

    BitDefender Online Scanner

    VideoEditMagic
    Trojan.Spy.Keyghost.A
    Trojan.Downloader.Vb.EU
    Win32.Bagle.SUQ@mm
    Trojan.Delf.PBM
    Rootkit.Bagle.F
    Win32.Bagle.SVL@mm
     
    Last edited by a moderator: May 16, 2008
  9. chasgreghall

    chasgreghall Private E-2

    Drive E is a remote hard drive that I can detach.
     
  10. chasgreghall

    chasgreghall Private E-2

    1 hour and 20 minutes in and still running. Only 1 threat so far. Looks to be a little over half way. I will keep you posted. Thanks so much for your help.
     
  11. chasgreghall

    chasgreghall Private E-2


    Eset log:
    Win32/Bagle.OD worm
     


    Last edited by a moderator: May 16, 2008
  12. chasgreghall

    chasgreghall Private E-2

    Here are the Panda results. It did not end the way it said in the instructions. An Outlook error message popped up.
     


    Last edited by a moderator: May 16, 2008
  13. abri

    abri MajorGeek

    Hi Chasgreghall,

    Why did you stop it? After you finish up the instructions in this post, please go back and run BitDefender again and have it scan your external drive. You can do this by starting it the usual way with I agree and allowing it to update. Then when you get to the Start Scan button, look at the window just above this and there are two links in small bold red print. The upper one will allow you to select which drives you want to have scanned. Have it scan whatever hasn't been scanned so far.

    Before you continue with the next part, please run CCleaner at the default setting with the Windows tab as the one on top.

    The big problem here is keygens. Please continue right on and try to get Combofix installed onto your desktop. You may wish to reinstall it after these last scans and have it install over the existing version. Use the instructions in Using Combofix

    Once installed, there are specific instructions for properly renaming it and running it from the cmd prompt. This is helpful when malware is preventing it from running. If you can get it to run a scan, please attach the log here using the Manage Attachments button below the reply window. We prefer having the logs attached unless you're having trouble with the Manage Attachments feature.

    If you cannot get Combofix to run a scan but you can still install it, I would like for you to try the following. It may not work if the scan isn't working.

    • Copy and paste the contents of the below box to Notepad
    • Save it to your desktop with the name CFscript.txt
    • Make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • Now find the CFscript.txt on the desktop and point at it with your mouse and drag it across the desktop to where the Combofix icon is. When you pull the CFscript.txt onto Combofix.exe (or cf.exe), it will start up the process and attempt to delete those files that you gave it.

    Please attach the Combofix log if it runs. If it doesn't, let me know what happens?

    Then see if you can get the MGTools to install. The instructions for this are in the Using MGTools


    If the MGTools run, please attach the MGlogs.zip which will be located as a file directly under C.

    abri
     
    Last edited: May 8, 2008
  14. chasgreghall

    chasgreghall Private E-2

    CCleaner will not run.
     
  15. abri

    abri MajorGeek

    Hi Chasgreghall,

    If it still won't run, it may help to install it over the existing one. Try that. If that doesn't help, please continue on through all the other instructions and let me know if you can do any of them.

    Thanks.
    abri
     
  16. chasgreghall

    chasgreghall Private E-2

    I tried to reinstall CCleaner. It didn't work.

    I tried Combofix and got this error box...

    C:\Documents and Settings\chall\desktop\cf.exe is not a valid Win32 application.

    This is the error I get every time I try to run any programs that are not online, including CCleaner and Killbox.
     
  17. chasgreghall

    chasgreghall Private E-2

    A little more info...

    Every time I reboot, the Local Settings directories become hidden. The only way I can unhide them is with the attrib command in cmd.
     
  18. abri

    abri MajorGeek

    See if you can find and delete these two folders:

    Folders to delete:
    C:\WINDOWS\system32\drivers\downld
    C:\WINDOWS1\system32\drivers\down

    Then try to get the MGTools to run. We need this information. The instructions are in Post 2.
     
  19. chasgreghall

    chasgreghall Private E-2

    I was able to delete the downld directory. I do not see the down directory anywhere.
     
  20. chasgreghall

    chasgreghall Private E-2

    Do you still want me to try MGtools?
     
  21. abri

    abri MajorGeek

    Yes!
    Preferably normal mode. Safe mode if necessary.
     
  22. chasgreghall

    chasgreghall Private E-2

    OK, done with MGlogs. How do I attach the file? I have not re-enabled UAC yet.
     
  23. chasgreghall

    chasgreghall Private E-2

    Got it uploaded, I think.
     


  24. chasgreghall

    chasgreghall Private E-2

    I am going to be offline until about 8:00. Can you or someone else continue then? I will be out all day tomorrow and I would like to get this resolved if we are close. You are greatly appreciated. I will donate when we are done.
     
  25. chasgreghall

    chasgreghall Private E-2

    I am back if anyone can continue to help.

    Thanks a bunch!
     
  26. abri

    abri MajorGeek

    Hi chasgreghall,

    You have Spybot's Teatimer running. This has the function of blocking changes to your registry, which includes good changes. That's why we ask you to turn it off at the beginning of the READ & RUN ME. I'll give you the instructions below for turning it off. First however, I want to give you a brief logical (not moral) clarification as to why cracks and keygens are a bad idea. As with all other products, these supposedly free pieces of software target a certain user type in the computer world. Most of them are designed from the start with known exploits in place which will be sought out as soon as possible after their installation. They're created by people who want to gain access to your computer for a number of different reasons and the basic premise behind the activities of these software makers is that people who accept cracks and keygens are safe targets because they don't have the option of going to the police.

    No matter what we do here to clean up your computer, the same vulnerabilities will exist when we get done and your computer will get reinfected as soon as these vulnerabilities are relocated i.e. you need to remove any keygens and cracks or your computer is just going to get infected again.

    Now please do the following:



    1) To begin with, please disable Spybot's TeaTimer. This can be done two ways.
    First:
    • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
    • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
    • If you have Version 1.4, Click on Exit Spybot S&D Resident
    or Second, For Either Version :
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go To the bottom of the Vertical Panel on the Left, Click Tools
    • then, also in left panel, click Resident (shows a red/white shield).
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot


    2) Go to add/remove programs and uninstall the below:

    - Java(TM) 6 Update 5

    3) Reboot after uninstalling the above.

    4) Install the current version of Sun Java from: Sun Java Runtime Environment

    5) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    6) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: IBHOR Class - {3F2092FF-DAC7-49FC-AA23-B34C4A2B017F} - C:\WINDOWS\IEDomhlp.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime


    Does the following program need to load at startup? If not, please fix it as well.

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"


    After you click fix, just close hijackthis.



    7) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt



    8) Now run CCleaner at the default setting with the Windows tab as the top one.

    9) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now?

    abri
     
  27. chasgreghall

    chasgreghall Private E-2

    Thanks for the good advice. It is duly noted. I have rebooted since we started. It does not look like Spybot is running in the system tray. The only one that appears is Panda's ClientShield.
     
  28. chasgreghall

    chasgreghall Private E-2

    Tried to run Spybot. Same error box as in post #26.
     
  29. chasgreghall

    chasgreghall Private E-2

    Sorry, error box is in post #16.
     
  30. abri

    abri MajorGeek

    Hi chasgreghall,
    If you aren't able to disable TeaTimer in Spybot by either of the methods I gave you, then see if you can uninstall the program. Then try to continue on with the instructions. If you get held up again, try running one of the online scans in between, and then try to continue.
    abri
     
  31. chasgreghall

    chasgreghall Private E-2

    I am only able to select one file at a time because MGtools closes fairly quickly. Here is...

    O2 - BHO: IBHOR Class - {3F2092FF-DAC7-49FC-AA23-B34C4A2B017F} - C:\WINDOWS\IEDomhlp.dll



     


    Last edited by a moderator: May 12, 2008
  32. chasgreghall

    chasgreghall Private E-2

    I uninstalled Spybot, by the way.
     
  33. chasgreghall

    chasgreghall Private E-2

    Here is the file...
     
    Last edited by a moderator: May 12, 2008
  34. chasgreghall

    chasgreghall Private E-2

    Here is the file...
     


    Last edited by a moderator: May 12, 2008
  35. chasgreghall

    chasgreghall Private E-2

    removed log
     
    Last edited by a moderator: May 12, 2008
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please stop posting inline logs and follow the instructions that Abri gave to you. She did not ask you to run MGtools.exe. She said run C:\MGtools\analyse.exe which is the HijackThis program and she did not ask for any HijackThis logs to be posted. She asked for you to attach a new MGlogs.zip file after completing the procedure she gave you.

    All of these inline logs will have to be deleted. ALL LOGS need to be attachments to your messages as requested.

    Also do not quote your own previous logs which results in making your messages and this thread unnecessarily longer than it needs to be.
     
  37. abri

    abri MajorGeek

    Hi chasgreghall,

    Please do the following:


    1) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    2) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    R3 - URLSearchHook: IBHOR Class - {3F2092FF-DAC7-49FC-AA23-B34C4A2B017F} - C:\WINDOWS\IEDomhlp.dll
    O2 - BHO: IBHOR Class - {3F2092FF-DAC7-49FC-AA23-B34C4A2B017F} - C:\WINDOWS\IEDomhlp.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime


    Do you need the following program to load at startup? If not, please fix it as well.

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    After you click fix, just close hijackthis.

    3) Now run CCleaner at the default setting with the Windows tab as the top one.

    4) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now?

    abri
     
  38. chasgreghall

    chasgreghall Private E-2

    I am sorry, abri, for misunderstanding. I will pay closer attention. Please bear with me as I go through this again.
     
  39. chasgreghall

    chasgreghall Private E-2

    I have fixed the requested programs, but CCleaner still does not run. The CCleaner program opens for a brief split second and then closes. I sort of had this problem with analyse.exe also, but it stayed on long enough for me to remove the programs one at a time. I had to be fast.
     
  40. chasgreghall

    chasgreghall Private E-2

    Avenger still also says it is not a valid Win32 application.
     
  41. abri

    abri MajorGeek

    Hi chasgreghall,

    1) Can you just go in and delete this folder? The whole folder. If it has contents, delete them first and then the folder.

    C:\WINDOWS\system32\drivers\downld

    Then do the following:

    2) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.

    Let me know if you get a success message after you run the above.


    3) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip

    abri
     
  42. chasgreghall

    chasgreghall Private E-2

    I got rid of the C:\windows\system32\drivers\downld using "cmd", including the directory.

    Still cannot run CCleaner.

    Here is the MGlogs.zip.
     


  43. chasgreghall

    chasgreghall Private E-2

    And I did the fixME.reg.
     
  44. abri

    abri MajorGeek

    Hi chasgreghall,

    1) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    2) Go to add/remove programs and uninstall the below:

    - Java(TM) 6 Update 5
    - CCleaner (remove only) <--- if this doesn't remove CCleaner, then reinstall it from CCleaner and then try to remove it!


    3) Then please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.

    If you use Firefox browser

    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.


    If you use Opera browser

    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.


    Click Exit on the Main ATF Cleaner menu to close the program.

    4) Now Reboot.

    5) Install the current version of Sun Java from: Sun Java Runtime Environment

    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip.


    Let me know how things are running now?

    abri
     
  45. chasgreghall

    chasgreghall Private E-2

    Here is the new MGlogs.zip.

    The CCleaner uninstall and the ATF install worked.

    The Java update hung up at the very end. I tried it again and it said it was already installed. I continued and it hung up at the end again. I don't know if that means anything.

    I still have programs that are not working. iTunes is one.
     


  46. abri

    abri MajorGeek

    Hi chasgreghall,

    Go to How to properly run Combofix and see if you can get it to download and install to your desktop. If you already have a copy, install over the old one. Then try running it in Safe Mode, which you can get to by clicking on F8 during the bootup sequence. The folder I asked you to delete is back again and full of files which need to be removed. You may be getting the picture of where this is all going.

    The reason the java update didn't work is because you didn't uninstall the old version first and then reboot your computer. Please uninstall both Java 6 update 5 and Java 6 Update 6 and then reboot your computer. Then reinstall Java 6 Update 6. Use the link in post 44.

    Your temp files look better. There are still some that need to be removed. Run ATF Cleaner after you boot back up into normal mode and then again tomorrow. Then look in the folder C:\Documents and Settings\chall\Local Settings\Temp\ and see if all the Windows Media Player logs are still in there. Those you should be able to delete manually. You cannot delete anything from the current day, that's why you should wait until the 14th to run ATF Cleaner again.

    What happens when you try to run the Windows Messenger Removal Tool?

    abri
     
  47. chasgreghall

    chasgreghall Private E-2

    Combofix still does not work. I cannot boot to Safe Mode. I get a blue screen for a split second and then it reboots.

    Windows Messenger is uninstalled (from the machine).

    Java is fixed.

    I ran ATF cleaner again.

    My machine is running Panda ClientShield permanent protection. Is this a problem? I can't figure out how to disable it.
     
  48. chasgreghall

    chasgreghall Private E-2

    Here is the latest MGlogs.zip.
     


  49. abri

    abri MajorGeek

    Hi chasgreghall,

    1) Combofix doesn't work in either normal or safe mode even if you reinstall it over the old one? If you're unable to disable Panda, can you uninstall it? It would be easier if you can get Combofix to run than trying to remove the files with Avenger.

    2) You can also try SDFix, which might also work. Those instructions are here in the box:
    3) If the above does not remove the files and the folder "C:\WINDOWS\system32\drivers\downld\" then I would like for you to set up those files as described below and remove them with Avenger.

    This will be some work. The folder I asked you to delete called downld is back and full of .exe files that have to be removed. If you have Word, you can transform the data I'm going to give you and put the files together in the way they have to be set up for Avenger. Otherwise, it's copy/paste them together one at a time. Then put them in the box. In essence, you want to go from this piece of information:

    "C:\WINDOWS\system32\drivers\downld\"
    15105953.exe May 13 2008 39373 "15105953.exe"


    to this piece of information:

    C:\WINDOWS\system32\drivers\downld\15105953.exe

    Please see the attachment for the list of files that needs to be converted.

    The reason for using Avenger to delete these files, is because Avenger deletes them in a way that makes it harder for them to load again. Once you've completed the conversion so that all the files have this form:

    C:\WINDOWS\system32\drivers\downld\15105953.exe

    copy/paste the whole list into the Avenger Box below between the two lines of text Files to delete and Folders to delete. This means they will be the entries just after Files to delete. Each must have a separate line. After you do that, follow the instructions as they're listed. (To remind yourself about how Avenger should look, see post

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
     


  50. chasgreghall

    chasgreghall Private E-2

    This malware is really frustrating me. I deleted the downld directory again. I tried to run the programs again. The real problem is this... it doesn't matter what program we try, we get the message...

    Not a valid Win32 application.

    I've tried...

    SDfix
    Avenger
    Killbox
    Combofix
    ATFcleaner
    CCleaner
    MGtools
    Spybot
    Bitdefender

    with no luck.

    This bug will not allow anything to run. Can we do something else? I am getting dizzy rerunning all these programs.

    I will follow your lead. You are my only hope.
     
