Malware problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Cryil, Nov 18, 2004.

  1. Cryil

    Cryil Private E-2

    I, like humandrone, am having malware problems (including that virtual doodad). While I'm writing this I can see how slow this comp is. I will wait until asked to post my HJT log, and I hope you all can help me with this so I can get back to SWG.
    Thanks in advance,
    Cryil.
     
  2. PhilliePhan

    PhilliePhan Guest

    Please follow the same advice given to Humandrone. The cleanup tutorial removes a lot of crap from a HJT log that the few moderators and volunteers here would otherwise have to wade through.

    You will likely not be able to remove the StopGuard/Virtumundo (if you have it also) & someone should be able to assist you with that.

    Best :)
    PP
     
  3. Cryil

    Cryil Private E-2

    I'm sorry for not stating it earlier, but I did go through the basic spyware, virus, and trojan removal guide last night, and while it cleaned up a lot that was wrong with my computer, it won't get rid of Virtumundo like you stated. Sorry for not stating this in the beginning.
    I eagerly await your reply,
    Cryil
     
  4. PhilliePhan

    PhilliePhan Guest

    Hi Cryil,

    If you have exhausted all of the options in the tutorial, then please go ahead and send us a HijackThis Log.

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt file and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I'll try to check back when I get a chance. (Not sure when that will be)

    Best :)
    PP
     
  5. Cryil

    Cryil Private E-2

    There's the log, I hope it helps,
    Cryil
     

    Attached Files:

  6. PhilliePhan

    PhilliePhan Guest

    Please run the Online Scans as per the tutorial. I suggest that you try the scans in the Alternative Scans section as well.

    You still have a lot of trojan activity in addition to the StopGuard/Virtumundo.
    After doing the above, please post a fresh log and somebody will take another look.

    PP
     
  7. Cryil

    Cryil Private E-2

    Alright, here is a fresh log, I've tried my best to get rid of the trojans. I really hope you guys can help me with this Virtumundo thing, it's slowing down my computer pretty badly.
     

    Attached Files:

  8. PhilliePhan

    PhilliePhan Guest

    Hey Cryil,

    There is still a ton of stuff to wade through. I'll work through it for you, but I am heading out and probably won't be able to post anything until tomorrow night. Also, bear in mind that I will be pretty liberal in cutting stuff out - There's a lot to deal with.
    So, enjoy your weekend and check back tomorrow night! :)

    Best,

    PP
     
  9. PhilliePhan

    PhilliePhan Guest

    Hi Cryil,

    WOW! Frankly, I’m surprised this machine didn’t spontaneously combust!!;)

    AFTER you are finally able to get this mess cleaned up, you would be well served to follow ALL of Chaslang’s recommendations HERE:

    How to protect yourself from malware!


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    NOW, look in Task Manager (Ctrl-Alt-Del) for the following running processes and END them (if possible & if found). If some refuse to end, make a note to tell me and move on to the next step:

    antifax.exe
    bakc.exe
    faxps.exe
    modno.exe
    fmifs.exe
    eqncfgex.exe
    prctect.exe
    Ashlt.exe
    cwrvzwl.exe
    tsm.exe
    imwireup.exe
    utildos.exe
    swprv.exe


    NEXT:
    Look in C: > WINDOWS > PREFETCH & Delete faxps.exe ( or any faxps or spxaf entries) if found. If it is easier, you can go ahead and delete all of the files in the Prefetch Folder – It’s a good idea to do this every couple of months anyway. ( Do Not Delete The Prefetch Folder Itself )

    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/sidesearch.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/sidesearch.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/sidesearch.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/sidesearch.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    R3 - Default URLSearchHook is missing

    O1 - Hosts: 216.130.185.143 websearch.com
    O1 - Hosts: 216.130.185.143 www.adwave.com
    O1 - Hosts: 216.130.185.143 adwave.com
    O1 - Hosts: 216.130.185.143 www.xzoomy.com
    O1 - Hosts: 216.130.185.143 xzoomy.com
    O1 - Hosts: 216.130.185.143 www.advnt01.com
    O1 - Hosts: 216.130.185.143 advnt01.com

    O2 - BHO: (no name) - SOFTWARE - (no file)

    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll (file missing)

    O2 - BHO: CATLEvents Object - {02F96FB7-8AF6-439B-B7BA-2F952F9E4800} - C:\DOCUME~1\Stav\LOCALS~1\Temp\spxaf.dat

    O2 - BHO: iasracjt - {1F017C84-48FE-67DE-D1E0-A8838AFD8134} - C:\WINDOWS\System32\iasracjt.dll

    O2 - BHO: Var2Helper Class - {7412C042-43B8-4F63-AEF3-E786DFAD1484} - C:\WINDOWS\System32\imwire28.dll

    O2 - BHO: Xbrowse Class - {83DC91DB-7896-43E3-B34D-A7D043F16BB1} - C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.dll

    O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\ncy.dll

    O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINDOWS\System32\dsktrf.dll

    O2 - BHO: Xbrowse Class - {CE7EF827-47CC-48EB-B570-C367F1E1277E} - C:\Documents and Settings\All Users\Application Data\x1ff\x1ff.dll

    O2 - BHO: Cbho Object - {E155EDD6-FA1E-4876-8FB2-5FB358014EBE} - C:\WINDOWS\sequitur1b.dll

    O4 - HKLM\..\Run: [ASHLT] C:\WINDOWS\Ashlt.exe

    O4 - HKLM\..\Run: [hoadgbw] C:\WINDOWS\kjberup.exe

    O4 - HKLM\..\Run: [IMwire] C:\WINDOWS\System32\imwireup.exe

    O4 - HKLM\..\Run: [*utildos] C:\WINDOWS\Cursors\utildos.exe

    O4 - HKLM\..\Run: [*antifax] C:\WINDOWS\Help\starter\antifax.exe

    O4 - HKLM\..\Run: [*bakc] C:\WINDOWS\inf\bakc.exe

    O4 - HKLM\..\Run: [*faxps] C:\WINDOWS\Tasks\faxps.exe

    O4 - HKLM\..\Run: [7F3V3FO] modno.exe

    O4 - HKLM\..\RunOnce: [cwrvzwl.exe] C:\WINDOWS\System32\cwrvzwl.exe /k

    O4 - HKCU\..\Run: [swprv] C:\WINDOWS\System32\swprv.exe

    O4 - HKCU\..\Run: [fmifs] C:\WINDOWS\System32\fmifs.exe

    O4 - HKCU\..\Run: [Mos9RPi4h] eqncfgex.exe

    O4 - HKCU\..\Run: [Tsa] C:\PROGRA~1\COMMON~1\tsa\tsm.exe

    O4 - HKCU\..\Run: [prctect] C:\WINDOWS\System32\prctect.exe

    O4 - HKCU\..\RunOnce: [cwrvzwl.exe] C:\WINDOWS\System32\cwrvzwl.exe /k

    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/18f7b3e5bad89353a914/netzip/RdxIE601.cab

    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50181/QDow_AS2.cab


    Click FIX and then while still in HijackThis , look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\Tasks\faxps.exe and click OPEN.
    A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

    While in Safe Mode (making sure that you are able to view hidden files) Navigate to and DELETE the following if they remain:

    C:\WINDOWS\Help\starter\antifax.exe
    C:\WINDOWS\inf\bakc.exe
    C:\WINDOWS\system32\modno.exe
    C:\WINDOWS\System32\fmifs.exe
    C:\WINDOWS\system32\eqncfgex.exe
    C:\WINDOWS\System32\prctect.exe
    C:\Program Files\CxtPls - - -> The Folder
    C:\WINDOWS\System32\iasracjt.dll
    C:\WINDOWS\System32\imwire28.dll
    C:\Documents and Settings\All Users\Application Data\RDSA - - -> The Folder
    C:\WINDOWS\system32\ncy.dll
    C:\WINDOWS\System32\dsktrf.dll
    C:\Documents and Settings\All Users\Application Data\x1ff - - -> The Folder
    C:\WINDOWS\sequitur1b.dll
    C:\WINDOWS\Ashlt.exe
    C:\WINDOWS\kjberup.exe
    C:\WINDOWS\Cursors\utildos.exe
    C:\WINDOWS\inf\bakc.exe
    C:\WINDOWS\Tasks\faxps.exe
    C:\WINDOWS\System32\swprv.exe
    C:\WINDOWS\System32\fmifs.exe
    C:\PROGRAMS\COMMON FILES\tsa - - -> The Folder
    C:\WINDOWS\System32\prctect.exe
    C:\WINDOWS\System32\cwrvzwl.exe
    C:\Program Files\Ebates_MoeMoneyMaker - - -> The Folder

    THEN:
    Use Windows Explorer to run a search of your computer for:

    faxps
    bkinst
    spxaf
    utildos
    bakc
    antifax


    and DELETE the related files. (We especially want to get rid of faxps.ini & faxps.dat & faxps.bak AND spxaf.ini & spxaf.dat & spxaf.bak + any other related crap.) It is important that you be thorough with this search. These files seem to like to hide all over your computer and have a nasty habit of resurrecting themselves if you do not get them ALL.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log. Let me know of any problems you may have encountered with the above instructions and how your computer is running now. We may have to take another spin through this one. I'll check back when I get a chance.

    ALSO, use Notepad to open your Hosts File and let me know what it says. You can find your hosts file here: C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS

    Best luck :)
    PP
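    A defender-side way to triage the three kinds of entries PP picks out of the log above (hosts redirects, BHOs whose DLL is gone, and autoruns started by bare filename or from odd directories), as an added Python example that is not from the thread. The sample lines are constructed from entries in this post, and the ODD_DIRS list is a heuristic assumed here, not an HJT rule.

```python
import re
from ipaddress import ip_address

O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)")
O2_RE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.+)$")

# Directories the thread's autoruns lived in; real programs rarely start from these (assumption).
ODD_DIRS = ("\\tasks\\", "\\inf\\", "\\cursors\\", "\\help\\", "\\prefetch\\")

# Constructed sample, modelled on the entries PP told Cryil to fix (not a real log).
SAMPLE_LOG = r"""O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll (file missing)
O4 - HKLM\..\Run: [7F3V3FO] modno.exe
O4 - HKLM\..\Run: [*faxps] C:\WINDOWS\Tasks\faxps.exe
O4 - HKLM\..\RunOnce: [cwrvzwl.exe] C:\WINDOWS\System32\cwrvzwl.exe /k
O4 - HKCU\..\Run: [ExampleApp] "C:\Program Files\ExampleApp\app.exe"
"""

def is_local(ip):
    # A clean hosts file only maps names to loopback or unspecified addresses.
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified

def triage(log_text):
    """Return (category, detail) findings for the O1, O2 and O4 lines of an HJT log."""
    findings, seen_hosts = [], set()
    for line in log_text.splitlines():
        if m := O1_RE.match(line):
            ip, host = m.groups()
            if (ip, host) in seen_hosts:            # same mapping listed again
                findings.append(("duplicate-hosts", f"{host} -> {ip}"))
            else:
                seen_hosts.add((ip, host))
                if not is_local(ip):                # name hijacked to a remote server
                    findings.append(("hosts-redirect", f"{host} -> {ip}"))
        elif m := O2_RE.match(line):
            if m.group(3).endswith("(file missing)"):   # CLSID still registered, DLL gone
                findings.append(("orphaned-bho", m.group(2)))
        elif m := O4_RE.match(line):
            hive, key, name, target = m.groups()
            exe = target.split(" /")[0].strip('"')  # drop switches such as "/k"
            where = f"{hive}\\{key} [{name}] {exe}"
            if "\\" not in exe:                     # bare name: resolved by PATH search
                findings.append(("bare-autorun", where))
            elif any(d in exe.lower() for d in ODD_DIRS):
                findings.append(("odd-dir-autorun", where))
    return findings
```

    Entries that pass every check (the localhost mapping, the System32 RunOnce, the quoted Program Files autorun) produce no finding, so the output is a shortlist to review by hand rather than a fix list.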
     
  10. Cryil

    Cryil Private E-2

    OK, quick question. Between the time I posted my log and today I had to shut down my comp, does that mean I need to make a fresh log?
     
  11. PhilliePhan

    PhilliePhan Guest

    Run through what I gave you as best you can. It'll get rid of a lot of crap. Then post a fresh log. If you cannot delete a file, go on to the next one.
    We will probably have to take another run through anyway.

    I'll try to check back tonight.

    PP
     
  12. Cryil

    Cryil Private E-2

    OK, I did what you asked, and not only is my IE running great again, I can also play my game. Here is my fresh log, and thank you so much, you have truly helped me.
     

    Attached Files:

  13. PhilliePhan

    PhilliePhan Guest

    Hi Cryil,

    Wow! You did a pretty good job on that first run! Looks like you knocked out the Virtumundo with no problem as well :)

    Only a few loose ends to clean up - Same stock instructions:

    Look in Add or Remove Programs for People on Page, POP, or Apropos Media and uninstall them.

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    NOW: look in Task Manager (Ctrl-Alt-Del) for the following running processes and END them (if found):

    AutoUpdate.exe
    tskfiles.exe
    tsbilang.exe


    Now: scan with HijackThis and Check the Boxes for the following:

    R3 - Default URLSearchHook is missing

    O2 - BHO: iasracjt - {1F017C84-48FE-67DE-D1E0-A8838AFD8134} - C:\WINDOWS\System32\iasracjt.dll

    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

    O4 - HKLM\..\Run: [7F3V3FO] tskfiles.exe

    O4 - HKLM\..\RunOnce: [cwrvzwl.exe] C:\WINDOWS\System32\cwrvzwl.exe /k

    O4 - HKCU\..\Run: [Mos9RPi4h] tsbilang.exe

    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)


    Again, make sure All Browser Windows are Closed when you Click FIX.

    Now boot into Safe Mode and DELETE the following if they remain (again, make sure you can view hidden files):

    C:\Program Files\AutoUpdate - - -> The Folder
    C:\WINDOWS\system32\tskfiles.exe
    C:\WINDOWS\system32\tsbilang.exe
    C:\WINDOWS\System32\cwrvzwl.exe
    C:\WINDOWS\System32\iasracjt.dll
    C:\Program Files\Ebates_MoeMoneyMaker - - -> The Folder

    Reboot to Normal Windows and Scan with HijackThis and attach that log. Let me know of any problems you may have encountered with the above instructions and how your computer is running now.

    Best luck :)
    PP
     
  14. Cryil

    Cryil Private E-2


    OK, I couldn't find cwrvzwl, or the Ebates folder. I also went ahead and followed your prior instructions, and I now have an antivirus program and am using Mozilla Firefox. My computer runs great, thank you very much PP :)
     

    Attached Files:

  15. PhilliePhan

    PhilliePhan Guest

    Hey Cryil,

    Happy to help! :) Good to see that you have found AVAST!

    You still have a few stragglers.

    Have HijackThis fix these:

    O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\ncy.dll

    O4 - HKLM\..\RunOnce: [cwrvzwl.exe] C:\WINDOWS\System32\cwrvzwl.exe /k

    O4 - HKCU\..\RunOnce: [cwrvzwl.exe] C:\WINDOWS\System32\cwrvzwl.exe /k

    Then, boot to safe mode with the viewing of hidden files enabled and Delete these:

    C:\WINDOWS\System32\cwrvzwl.exe
    C:\WINDOWS\system32\ncy.dll

    That ought to be the last of it.

    PP
     
