malware/windows update help

Discussion in 'Malware Help (A Specialist Will Reply)' started by dej, Oct 20, 2006.

  1. dej

    dej Private E-2

I followed your steps for malware removal. I cannot load Windows Defender or do a few other steps because I had to work in safe mode the whole time, because normal mode wasn't working. Normal seems to be working better now, but I cannot get Service Pack 2 or any other updates from Windows Update; it just generates an error and asks to send an error report. Here are my reports and HJT log (2 posts).
     


  2. dej

    dej Private E-2

Here is my HJT log.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You MUST attach all the logs requested in the READ ME. You did not attach the logs from GetRunKey and ShowNew.

Also you did not allow CounterSpy to fix what it found. You told it to Ignore everything. Run it again and this time fix everything. Attach a new log from CounterSpy too.

    Also please rename HijackThis as requested. Your name is still too close to being the same. You will find it is typically best to follow our directions as written, it will save time in the long run.
     
  4. dej

    dej Private E-2

Here are my logs. After running CounterSpy again, it asked for a registration key. I guess the subscription expired 4 days ago. I am going to uninstall and reinstall and run again. I'll attach a HijackThis log then.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That will not work. Once your trial is over, it is over forever on this PC. Uninstall CounterSpy and leave it uninstalled.

    Please follow the steps in this Running Ewido Anti-Malware

    And then attach the requested log from Ewido. Make sure you allow it to fix what it finds.

    I will work up a procedure on what I see in your logs anyway and I'll post it in my next message. Note that running Ewido may cause some items that I post for removal to no longer be seen. Just ignore those items and continue.

    You have a major problem in that your Windows XP version is severely out of date with updates. After we fix your current malware problems, you must get updated to help avoid problems like this. You have too many security holes in the version you are running.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Due to the fact that you are so badly infected, this is a long procedure. Make sure you do all steps and do them in the order given.
Go to Add/Remove Programs and uninstall the below software:
    Norton AntiVirus 2002
    SlotchBar
Continue by downloading a tool we will need - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=152473
    Did you configure the below ProxyServer setting for something? If so, skip it. Otherwise fix it.
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll (file missing)
    O4 - HKLM\..\RunServices: [C7D9E95D] C:\WINDOWS\System32\xoysiugfgjtbtc.exe
    O4 - HKLM\..\RunServices: [blah service] smnp.exe
    O4 - HKLM\..\RunServices: [Microsoft Macro Protection SubSys] msacroprot32.exe
    O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c420.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
    O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.richfx.com/player/mediaversion/005/latest/twophase.cab

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\Documents and Settings\Denise James\Local Settings\Temp\powerscan.exe
    C:\Program Files\Media Access\MediaAccK.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\Program Files\Power Scan\powerscan.exe
    C:\Program Files\Winad Client\Winad.exe
    C:\WINDOWS\avserve2.exe
    c:\windows\csrss.exe
    c:\windows\Key2.txt

    C:\WINDOWS\oyecq.exe

    C:\WINDOWS\4k1oa4oe.exe
    C:\WINDOWS\7fdugacu.exe
    C:\WINDOWS\91yqeyhj.exe
    C:\WINDOWS\msbb.exe
    C:\WINDOWS\omb.exe
    C:\WINDOWS\p4rj12dl.exe
    c:\windows\sepsd.bin
    C:\WINDOWS\umwt7r4z.exe
    c:\windows\unstsa2.exe
    C:\WINDOWS\Updreg.exe
    C:\WINDOWS\wykkfwcy.exe
    C:\WINDOWS\yml1fdqt.exe
    C:\WINDOWS\Downloaded Program Files\ISTactivex.dll
    C:\WINDOWS\Downloaded Program Files\istactivex.inf
    C:\WINDOWS\Downloaded Program Files\HDPlugin1019.dll
    c:\windows\system32\auto_update_uninstall.log
    c:\program files\common files\wintools\rmhgxlmu.wzg
    c:\windows\system32\searchbar.htm
    c:\windows\system32\ide21201.vxd
    c:\windows\system32\searchx.htm
    C:\WINDOWS\System32\xoysiugfgjtbtc.exe
    C:\WINDOWS\System32\smnp.exe
    C:\WINDOWS\System32\msacroprot32.exe
    C:\WINDOWS\System32\winv32.exe
    C:\WINDOWS\System32\msblast.exe
    C:\WINDOWS\System32\smsc.exe
    C:\WINDOWS\System32\xmrjto.exe
    C:\WINDOWS\System32\svxhost.exe
    C:\WINDOWS\System32\muamgrd.exe
    C:\WINDOWS\System32\wmplayer.exe
    C:\WINDOWS\System32\ushgutj.exe
    C:\WINDOWS\System32\syscfg32.exe
    C:\TEMP\ncmyb.dll
    C:\TEMP\salm.exe
    C:\TEMP\salmhook.dll
    c:\temp\salm.log
    C:\TEMP\optimize.exe
    c:\temp\webrebates_cdt_installsilent.exe
    c:\install.exe
    C:\vixen.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.
    After reboot locate the below folders and delete if found:
    c:\documents and settings\all users\start menu\programs\web search tools
    c:\program files\common files\wintools
    C:\Program Files\AutoUpdate(2)
    c:\program files\ezula
    C:\Program Files\ISTbar
    C:\Program Files\ISTsvc
    c:\program files\maxspeed
    c:\program files\media access
    c:\program files\memorywatcher
    c:\program files\power scan
    c:\program files\sidefind
    c:\program files\spyspotter3
    c:\program files\toolbar
    c:\program files\web offer
    C:\Program Files\WebRebates4
    C:\Program Files\Winad Client
    c:\windows\elitetoolbar
    C:\WINDOWS\SYSTEM32\TFTP1956
    C:\WINDOWS\SYSTEM32\TFTP2776
    C:\WINDOWS\SYSTEM32\TFTP2984
    C:\WINDOWS\SYSTEM32\TFTP348
    C:\WINDOWS\SYSTEM32\TFTP852

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Temp
    C:\WINDOWS\Temp
    C:\Documents and Settings\Denise James\Local Settings\Temp

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
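The procedure above is built from HijackThis lines: the helper reads each O4 (Run/RunServices), R1, O3 and O16 entry and decides by eye which ones are malware. The script below is an added example, not part of this thread and not HijackThis's own logic; it parses those line formats and applies the same reasoning mechanically (unqualified paths in Run keys, names that impersonate Windows components, executables in Temp or the drive root, a browser proxy pointing at 127.0.0.1, orphaned entries, ActiveX downloads). The keyword list and the expected-directory table are constructed for illustration, and the sample log is built from lines quoted in this thread plus one constructed csrss.exe Run entry.

```python
"""Triage of HijackThis (HJT) log lines.

Added example for this thread, not HijackThis's own logic and not code from
the post above: it parses the O4 / R1 / O3 / O16 line formats quoted in the
thread and applies, mechanically, the reasoning a malware helper uses by eye
when picking lines to Fix. The keyword list and the expected-directory table
are constructed for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample log constructed from lines quoted in this thread. The csrss.exe
# entry is constructed to exercise the expected-directory check: the thread
# has that file on disk (C:\WINDOWS\csrss.exe), not as a Run entry.
SAMPLE_LOG = r"""
O4 - HKLM\..\RunServices: [C7D9E95D] C:\WINDOWS\System32\xoysiugfgjtbtc.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\ushgutj.exe
O4 - HKLM\..\Run: [Services] C:\vixen.exe
O4 - HKLM\..\Run: [Media Player] wmplayer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Services] C:\WINDOWS\csrss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll (file missing)
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
R1_PROXY_RE = re.compile(r"^R1 - .*,ProxyServer = (?P<value>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}.* - (?P<url>\S+)$")

# Words the autostart names in this thread borrowed to look legitimate (constructed list).
IMPERSONATION_WORDS = ("microsoft", "windows", "update", "service", "media player")
# Well-known binaries and the only directory they belong in (constructed table).
EXPECTED_DIR = {
    "csrss.exe": r"c:\windows\system32",
    "wmplayer.exe": r"c:\program files\windows media player",
}


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


def executable_of(cmd):
    """Return the program path from a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def triage_line(line):
    """Apply every heuristic to one HJT line and return the findings."""
    found = []

    def flag(sev, reason):
        found.append(Finding(sev, reason, line))

    if "(file missing)" in line or "(no file)" in line:
        flag("low", "orphaned entry, target no longer on disk")

    m = O4_RE.match(line)
    if m:
        exe = executable_of(m["cmd"])
        low = exe.lower()
        base = low.rsplit("\\", 1)[-1]
        name = m["name"]
        if m["key"] == "RunServices":
            flag("medium", "RunServices key (Win9x-era, not used by legitimate XP software)")
        if re.fullmatch(r"[0-9A-F]{8}", name, re.I):
            flag("medium", "value name is a random hex token")
        if any(w in name.lower() for w in IMPERSONATION_WORDS):
            flag("medium", "value name impersonates a Windows component")
        if "\\" not in exe:
            # A bare file name is resolved by the loader's search order.
            flag("high", "autostart with unqualified path (resolved by search order)")
        elif "\\temp\\" in low or low.count("\\") == 1:
            flag("high", "executable in Temp or drive root")
        elif base in EXPECTED_DIR and not low.startswith(EXPECTED_DIR[base] + "\\"):
            flag("high", f"{base} outside its expected directory")

    m = R1_PROXY_RE.match(line)
    if m and re.search(r"127\.0\.0\.1|localhost", m["value"]):
        flag("high", "browser proxied through a local listener")

    m = O16_RE.match(line)
    if m:
        host = urlparse(m["url"]).hostname
        flag("medium", f"ActiveX control downloaded from {host}")
    return found


def triage(text):
    """Run every non-empty line of an HJT log through triage_line."""
    return [f for line in text.splitlines() if line.strip() for f in triage_line(line.strip())]


def reasons(findings, needle):
    """Set of reasons raised for the log line(s) containing `needle`."""
    return {f.reason for f in findings if needle in f.line}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}: {f.line[:70]}")
```

Run it against a full HJT log and the legitimate QuickTime entry comes out clean while every line the helper listed for Fix carries at least one finding; the RunServices and hex-token checks are what separate the random-named `xoysiugfgjtbtc.exe` entry from ordinary startup items.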
     
  7. dej

    dej Private E-2

Attached is the report; all went well.
     


  8. dej

    dej Private E-2

I'm having errors when I try to attach my logs on your site; however, I thought I would let you know that everything went well except that when I tried to delete the 3 subfolders of c:\windows\temp, I got an error message that said cannot delete / access denied. The 3 folders are named asheuristic, ICD2.tmp and ICD3.tmp. Also, the last 2 folders had something about "Media Ticket Installer" in their error message.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download the newest versions of both GetRunKey and ShowNew and get new logs. Then try to attach them. If you still cannot attach them, put them into a ZIP file and attach the ZIP file. Also make sure you get a new HijackThis log and attach it (or put it in the ZIP too).

    What is in the 3 folders (asheuristic, ICD2.tmp and ICD3.tmp) that you could not delete?


    I will be away for 9 days! Hopefully one of the other helpers here can continue to help you! Or you will have to wait until I get back!
     
  10. dej

    dej Private E-2

Here are the logs.
     


  11. dej

    dej Private E-2

asheuristic won't open at all or delete. icd2.tmp and icd3.tmp have MediaTicketInstaller.INF in them; both are 3KB. They won't delete.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must not use MSCONFIG to control startups! This was covered in the READ ME.

    Please set your system back to Normal Startup mode and attach new logs from HJT and GetRunKey.

Try using Pocket Killbox to delete the icd2.tmp and icd3.tmp files.
     
  13. dej

    dej Private E-2

Sorry about that, I don't know how it was reset. Attached are my logs again. I'll try Pocket Killbox on the other files now.
     


  14. dej

    dej Private E-2

    Pocket Killbox did not work to delete the .tmp files.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Your PC is very badly infected again. This is more than likely due to the fact that your PC is WAY out of date with system updates. This is a major security risk. AFTER we complete your fixes, you MUST get updated.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [Windows System Version 32] winv32.exe
    O4 - HKLM\..\Run: [windows auto update] msblast.exe
    O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
    O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
    O4 - HKLM\..\Run: [vJCrZ] C:\WINDOWS\oyecq.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\xmrjto.exe
    O4 - HKLM\..\Run: [SVX Control Service] svxhost.exe
    O4 - HKLM\..\Run: [Services] C:\vixen.exe
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [Microsoft Update] muamgrd.exe
    O4 - HKLM\..\Run: [Microsoft Macro Protection SubSys] msacroprot32.exe
    O4 - HKLM\..\Run: [Media Player] wmplayer.exe
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\ushgutj.exe
    O4 - HKLM\..\Run: [Configuration Loader] syscfg32.exe
    O4 - HKLM\..\Run: [blah service] smnp.exe
    O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe
    O4 - HKLM\..\Run: [5702A33A] C:\WINDOWS\System32\xoysiugfgjtbtc.exe

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\vixen.exe
    C:\Program Files\Media Access\MediaAccK.exe
    C:\Program Files\Power Scan\powerscan.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\Program Files\Winad Client\Winad.exe
    C:\WINDOWS\oyecq.exe
    C:\WINDOWS\Updreg.exe
    C:\WINDOWS\avserve2.exe
    C:\WINDOWS\System32\muamgrd.exe
    C:\WINDOWS\System32\msacroprot32.exe
    C:\WINDOWS\System32\msblast.exe
    C:\WINDOWS\System32\smnp.exe
    C:\WINDOWS\System32\smsc.exe
    C:\WINDOWS\System32\svxhost.exe
    C:\WINDOWS\System32\syscfg32.exe
    C:\WINDOWS\System32\ushgutj.exe
    C:\WINDOWS\System32\winv32.exe
    C:\WINDOWS\System32\wmplayer.exe
    C:\WINDOWS\System32\xmrjto.exe
    C:\WINDOWS\System32\xoysiugfgjtbtc.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

After reboot locate the below folders and delete if found:
    C:\Program Files\ISTsvc
    C:\Program Files\Media Access
    C:\Program Files\Power Scan
    C:\Program Files\Winad Client

Now IMMEDIATELY, install this ZoneAlarmFree and make sure you do not allow anything to have access to the internet that you do not recognize. ZoneAlarm will popup warnings as things try to go out or come in. Obviously if you see any of the file names we were deleting with Killbox, don't allow them access.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
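Both Killbox procedures in this thread rely on "Delete on Reboot", and both warn about a "PendingFileRenameOperations prompt". The code below is an added example, not Pocket Killbox's code and not from the post above: it models the registry value behind that mechanism. A delayed delete is queued with MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT), which appends to the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations; Session Manager (smss.exe) replays the list early in the next boot, before the malware holding the file open is running, which is why files that cannot be deleted in a live session go away this way. The layout documented for MoveFileEx is pairs of strings, source then destination, in NT path form (`\??\C:\...`); an empty destination means delete, a destination prefixed with `!` means replace an existing file. The code only encodes and decodes that layout and never touches the registry; the paths fed to it are two of the files queued in the post above.

```python
"""Model of the PendingFileRenameOperations value behind "Delete on Reboot".

Added example for this thread, not Pocket Killbox's own code. It encodes and
decodes the REG_MULTI_SZ layout of
  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
as documented for MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT): strings in pairs,
source then destination, paths in NT form ("\??\C:\..."); an empty destination
means delete, a destination prefixed "!" means replace an existing file.
Nothing here writes the registry; on a real system use MoveFileEx, which needs
administrator rights.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

NT_PREFIX = "\\??\\"


@dataclass
class PendingOp:
    source: str
    destination: Optional[str] = None  # None: delete at boot
    replace_existing: bool = False     # emitted as the "!" prefix


def to_nt_path(path: str) -> str:
    return path if path.startswith(NT_PREFIX) else NT_PREFIX + path


def from_nt_path(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def encode_pending(ops: List[PendingOp]) -> bytes:
    """Serialise ops as the REG_MULTI_SZ bytes (UTF-16LE, each string
    NUL-terminated, whole list terminated by one more NUL)."""
    strings = []
    for op in ops:
        strings.append(to_nt_path(op.source))
        if op.destination is None:
            strings.append("")  # empty destination = delete
        else:
            prefix = "!" if op.replace_existing else ""
            strings.append(prefix + to_nt_path(op.destination))
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_pending(blob: bytes) -> List[Tuple[str, str, Optional[str]]]:
    """Parse the value back into (operation, source, destination) triples with
    Win32 paths; operation is "delete", "rename" or "replace"."""
    text = blob.decode("utf-16-le")
    if text.strip("\0") == "":
        return []  # empty value: nothing queued
    if not text.endswith("\0\0"):
        raise ValueError("REG_MULTI_SZ must end with a double NUL")
    items = text[:-2].split("\0")
    if len(items) % 2:
        raise ValueError("dangling source entry with no destination")
    ops = []
    for src, dst in zip(items[0::2], items[1::2]):
        if dst == "":
            ops.append(("delete", from_nt_path(src), None))
        elif dst.startswith("!"):
            ops.append(("replace", from_nt_path(src), from_nt_path(dst[1:])))
        else:
            ops.append(("rename", from_nt_path(src), from_nt_path(dst)))
    return ops


def delete_on_reboot(paths: List[str]) -> bytes:
    """What a Delete-on-Reboot of `paths` queues, as the raw value bytes."""
    return encode_pending([PendingOp(p) for p in paths])


if __name__ == "__main__":
    # Two of the files the post above queues for deletion.
    blob = delete_on_reboot([r"C:\WINDOWS\System32\msblast.exe", r"C:\vixen.exe"])
    for op, src, dst in decode_pending(blob):
        print(op, src, "->", dst)
```

Before rebooting you can see what has actually been queued with `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations` and check it against the Killbox list; if the value already held entries from something else, that is worth reporting back as the post asks.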
     
  16. dej

    dej Private E-2

Here are the new logs. I don't think I am running an antivirus. I think it expired. On Killbox, I had to enter file by file because pasting all the files from the clipboard at once wouldn't work.
     


  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are using very old outdated versions of GetRunKey and ShowNew too. Please download the current versions and attach new logs from them.

    You have eTrust EZ Antivirus installed. Are you saying it does not work properly or that it is outdated?
     
  18. dej

    dej Private E-2

    Sorry it has taken me so long to reply. This is my sister's computer and I have to visit her to work on it. Yes. EZ Antivirus is expired. Is there freeware I can download?

    Attached are the new logs with the current versions.
     


  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

I understand your problem; however, you must understand that waiting even a few days can allow malware to totally reinfect a PC. Normally we require that the READ & RUN ME be started over again after a 10 day lapse in time. We will try to continue based on what you just posted, but if you cannot do this at a faster rate, we may never be able to remove your problems. Especially since the Windows version is so out of date.


    Well you have some Norton stuff still showing too! We will take care of both of these during the fixes.

Go to Add/Remove Programs and uninstall the below:
    LiveReg (Symantec Corporation)
    LiveUpdate 1.6 (Symantec Corporation)


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now reboot into safe mode and delete the below file if found:
    C:\WINDOWS\csrss.exe <--- only delete this exact file. Do not delete C:\WINDOWS\system32\csrss.exe

    Now reboot in normal mode.

Now make sure you do the below exactly as written and in the order written.
    • Download this AVG Free Edition but do not install yet
    • now disconnect your cable to the internet
    • uninstall your CA eTrust software
    • make sure you reboot NOW!
    • now install AVG Free.
    • Connect to the internet
    • Download all updates for AVG
    • run a full system scan with AVG and fix anything found.
    Attach new logs from ShowNew and HJT.

    How are things working?
     
    Last edited: Jan 28, 2007
  20. dej

    dej Private E-2

    Everything worked great, thanks. Except I couldn't find C:\WINDOWS\csrss.exe. Please let me know how to proceed.
     
    Last edited by a moderator: Jan 31, 2007
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Attach the logs I requested.
     
  22. dej

    dej Private E-2

Sorry. I forgot the logs; here they are. Please let me know how to proceed.

    Thanks.
     


  23. dej

    dej Private E-2


Sorry. I realized you needed HJT. Here it is.

    thanks.
     


  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Okay, you are basically free of malware. We just have a few more things to fix and then I will give you final steps.
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    After clicking Fix, exit HJT.
    Now reboot in normal mode

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run Ccleaner


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  25. dej

    dej Private E-2

    I went through all your steps. My only problem is that I cannot download sp2 or any windows updates. I get booted out and asked if I want to send an error report. I cannot figure out why. I seem to have enough system resources.
     
    Last edited by a moderator: Feb 13, 2007
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You will have to work problems with Windows Update in the Software Forum as this is not a malware problem. I will give you a few quick things to try, but if they don't help, post a new message in the Software Forum.

     
