Malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by fudjib, May 2, 2007.

  1. fudjib

    fudjib Private E-2

    Hi! I need help!!
    I've been infected by the Virtumonde virus, as well as the VBstat.J trojan and TrojanDownloader.Small.Buy!!

    I've tried to follow everything you requested, so here are the files I believe would help you understand my situation better.
     


  2. fudjib

    fudjib Private E-2

    Here are the other files.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You skipped step 6A of the READ ME. Please complete that step and attach the two requested logs from BitDefender and Panda.

    Also, since 6A should have been run before steps 6B and 7, you will need to attach new logs from GetRunKey, ShowNew, and HJT after step 6A is completed.
     
  4. fudjib

    fudjib Private E-2

    Hi! Sorry about that! I was sure I had done everything right!

    I've done the scans now, but ever since I finished both of them I am no longer able to go back into normal mode! I constantly get a blue screen and can't read what the error message is! :(

    I am really starting to lose hope with this and sincerely hope you can help me!

    Here are the logs that I've managed to get from the scans.

    As for getKey and runKey, since I can't go back to regular mode, should I complete them in safe mode?
     


  5. fudjib

    fudjib Private E-2

    (Thanks for welcoming me) :)
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm going to assume that you can either download files to this infected PC in safe mode or that you can download on another PC and copy them to this PC using a flash drive, CD...etc.

    Let's start by doing some cleanup!

    You did not empty your quarantine folder for NOD. Please empty it now. The quarantine folder is: C:\Program Files\ESET\infected

    Let's also remove some items from your previous runs of VundoFix.
    Delete this file: C:\VundoFix.txt
    Delete this folder: C:\VundoFix Backups

    Now uninstall the below old versions of software:
    IBM 32-bit Runtime Environment for Java 2, v1.4.2

    Continue by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    awtqo.dll
    awtstrq.dll
    ddcyyxw.dll
    efcccax.dll
    fqpvefki.dll
    gebcdax.dll
    hgghfef.dll
    hiwouqge.dll
    iifgeef.dll
    khffcdc.dll
    mljge.dll
    mljgf.dll
    opnkhhh.dll
    rqromkj.dll
    sablgisj.dll
    urqqnlm.dll
    vfldoiwc.dll
    yayaaby.dll
    yayaxya.dll

    After you have killed all instances of any of the above DLLs under winlogon click OK.
    (If you do not find these DLLs, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    awtqo.dll
    awtstrq.dll
    ddcyyxw.dll
    efcccax.dll
    fqpvefki.dll
    gebcdax.dll
    hgghfef.dll
    hiwouqge.dll
    iifgeef.dll
    khffcdc.dll
    mljge.dll
    mljgf.dll
    opnkhhh.dll
    rqromkj.dll
    sablgisj.dll
    urqqnlm.dll
    vfldoiwc.dll
    yayaaby.dll
    yayaxya.dll

    After you have killed all instances of any of the above DLLs under Explorer click OK.
    (If you do not find these DLLs, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    awtqo.dll
    awtstrq.dll
    ddcyyxw.dll
    efcccax.dll
    fqpvefki.dll
    gebcdax.dll
    hgghfef.dll
    hiwouqge.dll
    iifgeef.dll
    khffcdc.dll
    mljge.dll
    mljgf.dll
    opnkhhh.dll
    rqromkj.dll
    sablgisj.dll
    urqqnlm.dll
    vfldoiwc.dll
    yayaaby.dll
    yayaxya.dll

    After you have killed all instances of any of the above DLLs under iexplore click OK.
    (If you do not find these DLLs, just continue on.)

    Now back at the main Process Explorer window look for the below processes and if found right click on them and select Kill Process.
    C:\Program Files\Common Files\{5CCBDF4D-06C1-1033-0106-050602200002}\Update.exe
    C:\Program Files\Ipwindows\ipwins.exe

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {0768B019-73C3-43A6-8F80-1A09CA1906BB} - C:\WINDOWS\system32\mljge.dll
    O2 - BHO: (no name) - {970D022E-A884-4D2A-BB4A-EBC22D2FEBD2} - C:\WINDOWS\system32\efcccax.dll
    O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3CCBD~1\Bar888.dll
    O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3CCBD~1\Bar888.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
    O20 - Winlogon Notify: efcccax - C:\WINDOWS\SYSTEM32\efcccax.dll
    O20 - Winlogon Notify: mljge - C:\WINDOWS\system32\mljge.dll
    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run Pocket Killbox by double-clicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\Common Files\{5CCBDF4D-06C1-1033-0106-050602200002}\Update.exe
    C:\Program Files\Common Files\{3CCBDF4D-06C1-1033-0106-050602200002}\UnInstall.exe
    C:\Documents and Settings\Fudjika\Local Settings\Temp\b104.exe
    C:\Documents and Settings\Fudjika\Local Settings\Temp\b129.exe
    C:\Documents and Settings\Fudjika\Local Settings\Temp\neniqynq.dll
    C:\Documents and Settings\Fudjika\Local Settings\Temp\uqwdkfwy.dll
    C:\Documents and Settings\Fudjika\Local Settings\Temporary Internet Files\Content.IE5\0XKRNIUI\104[1].net
    C:\Documents and Settings\Fudjika\Local Settings\Temporary Internet Files\Content.IE5\7ZUVZKYY\129[1].net
    C:\Documents and Settings\Fudjika\net.exe
    C:\Program Files\Ipwindows\UnInstall.exe
    C:\WINDOWS\system32\awtqo.dll
    C:\WINDOWS\system32\awtstrq.dll
    C:\WINDOWS\system32\ddcyyxw.dll
    C:\WINDOWS\system32\efcccax.dll
    C:\WINDOWS\system32\fqpvefki.dll
    C:\WINDOWS\system32\gebcdax.dll
    C:\WINDOWS\system32\hgghfef.dll
    C:\WINDOWS\system32\hiwouqge.dll
    C:\WINDOWS\system32\iifgeef.dll
    C:\WINDOWS\system32\khffcdc.dll
    C:\WINDOWS\system32\mljge.dll
    C:\WINDOWS\system32\mljgf.dll
    C:\WINDOWS\system32\net.exe
    C:\WINDOWS\system32\opnkhhh.dll
    C:\WINDOWS\system32\rqromkj.dll
    C:\WINDOWS\system32\sablgisj.dll
    C:\WINDOWS\system32\urqqnlm.dll
    C:\WINDOWS\system32\vfldoiwc.dll
    C:\WINDOWS\system32\yayaaby.dll
    C:\WINDOWS\system32\yayaxya.dll
    C:\WINDOWS\system32\egjlm.bak2
    C:\WINDOWS\system32\egjlm.bak1
    C:\WINDOWS\system32\egjlm.ini
    C:\WINDOWS\system32\fgjlm.ini
    C:\WINDOWS\system32\ikfevpqf.ini
    C:\WINDOWS\system32\oqtwa.ini
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (but please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folders and delete them if found:
    C:\Program Files\Common Files\{3CCBDF4D-06C1-1033-0106-050602200002}
    C:\Program Files\Common Files\{5CCBDF4D-06C1-1033-0106-050602200002}
    C:\Program Files\Ipwindows\
    C:\Program Files\Viewpoint
    C:\Documents and Settings\Fudjika\Application Data\Viewpoint
    C:\Documents and Settings\All Users\Application Data\Viewpoint


    Also delete all remaining files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Joe Santoro\Local Settings\Temp

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
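
    The procedure above has a fixed order: fix the HJT entries, then hand the file list to Killbox, and before either of those kill the DLLs' threads under winlogon.exe, explorer.exe and iexplore.exe because those processes hold the files open. The script below is an added example, not code from the thread, HijackThis or Pocket Killbox; it makes that ordering check mechanical. It parses a few HJT log lines (copied from chaslang's posts in this thread) and cross-references them against a constructed subset of the Killbox delete list, reporting which entries must be fixed before their file is deleted, which files a live process has loaded (so they need the Process Explorer step or a delete-on-reboot), and which files no persistence entry references at all. The section-to-host-process mapping is my own summary of what the post says about where these DLLs live.

```python
"""Triage HijackThis (HJT) persistence entries against a Killbox delete list.

Added example for this thread: it is not code from HijackThis, Pocket
Killbox or the MajorGeeks procedure. The log lines and file names are
copied from chaslang's posts; the parser and the checks are my own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log: a few lines in the format HJT prints.
# O2 = browser helper object, O3 = toolbar, O4 = Run key, O20 = Winlogon Notify.
HJT_LOG = r"""
O2 - BHO: (no name) - {0768B019-73C3-43A6-8F80-1A09CA1906BB} - C:\WINDOWS\system32\mljge.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3CCBD~1\Bar888.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\akhhnstw.dll",realset
O20 - Winlogon Notify: efcccax - C:\WINDOWS\SYSTEM32\efcccax.dll
"""

# Constructed subset of the paths the post hands to Killbox.
DELETE_LIST = [
    r"C:\Program Files\Ipwindows\ipwins.exe",
    r"C:\WINDOWS\system32\akhhnstw.dll",
    r"C:\WINDOWS\system32\awtqo.dll",
    r"C:\WINDOWS\system32\efcccax.dll",
    r"C:\WINDOWS\system32\mljge.dll",
]

# Which host process loads the module for each HJT section (my summary of the
# post). A DLL mapped into a running process is locked until the thread is
# killed (the Process Explorer step) or the delete is deferred to reboot.
HOST_PROCESS = {
    "O2": "explorer.exe / iexplore.exe (BHO)",
    "O3": "explorer.exe / iexplore.exe (toolbar)",
    "O20": "winlogon.exe (Winlogon Notify)",
}

# First drive-letter path on the line that ends in .dll or .exe.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n,]*?\.(?:dll|exe)\b', re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str          # "O2", "O4", "O20", ...
    raw: str              # the full HJT line
    path: Optional[str]   # lower-cased module path, or None if none is given


def parse_hjt(text: str) -> List[Entry]:
    """Parse HJT 'Oxx - ...' lines; anything else (headers, blanks) is skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        head = re.match(r"(O\d+) - ", line)
        if not head:
            continue
        found = PATH_RE.search(line)
        entries.append(Entry(head.group(1), line,
                             found.group(0).lower() if found else None))
    return entries


def triage(entries: List[Entry], delete_list: List[str]) -> Dict[str, list]:
    """Relate persistence entries to the files about to be deleted.

    fix_first    - HJT lines pointing at a file on the delete list; the post
                   fixes these in HJT before Killbox removes the file
    in_use       - (path, host) for modules a live process has loaded
    unreferenced - delete-list paths no HJT entry points at (loaded some
                   other way, e.g. by a companion DLL), so HJT alone won't
                   show them and a file-level check is needed after reboot
    """
    targets = {p.lower() for p in delete_list}
    fix_first: List[str] = []
    in_use: List[Tuple[str, str]] = []
    referenced = set()
    for e in entries:
        if e.path is None or e.path not in targets:
            continue
        referenced.add(e.path)
        fix_first.append(e.raw)
        if e.section in HOST_PROCESS:
            in_use.append((e.path, HOST_PROCESS[e.section]))
    return {
        "fix_first": fix_first,
        "in_use": in_use,
        "unreferenced": sorted(targets - referenced),
    }


if __name__ == "__main__":
    result = triage(parse_hjt(HJT_LOG), DELETE_LIST)
    for key, items in result.items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

    Run against the sample, the report lists four entries to fix first, marks mljge.dll (BHO) and efcccax.dll (Winlogon Notify) as loaded by a live process, and shows awtqo.dll as a delete target nothing in the log references, which is exactly the kind of file the post tells you to re-check in Windows Explorer after the reboot.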
     
  7. fudjib

    fudjib Private E-2

    Hi! After finally being able to see what was on the blue screen I realised it was amon.sys (which was a file from NOD32) that blocked me from going back into normal mode. I therefore proceeded to uninstall NOD32 in order to log back into normal mode.

    I followed all the steps posted in the last post and I think that everything is OK now! No popups anymore, and the connection to the internet seems to have stabilised (there was a downloader trojan from what NOD32 was saying). I will have to reinstall NOD32 to make sure and see if I get the same warnings again. Do you suggest I keep NOD32? In your opinion is there another AV you would recommend?

    In any case, here are the files you've requested!

    I will wait for your approval before removing-reinstating system restore!
    Thanks again for your help!
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No you are not clean yet. We have quite a bit more to do. And some of the items I had you fixing last time did not get fixed.

    NOD32 is a good program! If you have paid for it and keep your subscription up to date then you should keep it.

    Please follow the steps below in the exact order given! I need some additional info before a full procedure can be created.

    First, please run Getting Uninstall Programs List From The Registry. It will create the log file C:\GetUnKey.txt, which I will ask you to attach later.

    Now look in Add/Remove Program for any of the below and if found, try to uninstall them. Tell me what you find and what happens when you attempt to uninstall them.
    Command or Command Service
    Network Monitor or A394E835-C8D6-4B4B-884B-D2709059F3BE

    Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\akhhnstw.dll",realset

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Now run Pocket Killbox by double-clicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\Common Files\{5CCBDF4D-06C0-1033-0106-050602200001}\Update.exe
    C:\WINDOWS\system32\net.exe
    C:\WINDOWS\system32\svchosts.exe
    C:\WINDOWS\system32\unsvchosts.exe
    C:\WINDOWS\system32\akhhnstw.dll
    C:\WINDOWS\system32\atmtd.dll
    C:\WINDOWS\system32\jkkli.dll
    C:\WINDOWS\system32\opnnlli.dll
    C:\WINDOWS\system32\qttotedt.dll
    C:\WINDOWS\system32\vvreleuh.dll
    C:\WINDOWS\system32\ilkkj.bak1
    C:\WINDOWS\system32\ilkkj.ini
    C:\WINDOWS\system32\wtsnhhka.ini
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folders and delete them if found:
    C:\Documents and Settings\Fudjika\Application Data\Viewpoint
    C:\Documents and Settings\All Users\Application Data\Viewpoint
    C:\Program Files\InetGet2
    C:\Program Files\webHancer

    Also after reboot, run Windows Explorer and double check for ALL of the files I had you deleting with Pocket Killbox and if you see any of them delete them. Some of these did not delete the first time so we need to be sure you get all of them deleted.

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetUnKey log (C:\GetUnKey.txt)
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
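
    Both Killbox runs in this thread use "Delete on Reboot", and both posts warn about a PendingFileRenameOperations prompt. That prompt is about the registry value Windows itself uses for deferred file operations: a REG_MULTI_SZ under the Session Manager key holding (source, destination) pairs in NT path form, which the session manager applies early in the next boot, before winlogon.exe or explorer.exe can load the DLL again. An empty destination deletes the source; a destination starting with "!" overwrites an existing target. The script below is an added example, not code from Pocket Killbox or Windows; it encodes and decodes that value, queues deletions for the files named in the post, emits the value in the hex(7) form a .reg patch would use, and flags entries that would plant or replace a file under the Windows tree at boot, which is what a pre-existing entry in that value would look like if the infection rather than the cleanup tool had written it. All sample values are constructed.

```python
"""Encode, decode and inspect the PendingFileRenameOperations value.

Added example for this thread: not code from Pocket Killbox or Windows.
"Delete on Reboot", like MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT),
queues work in a REG_MULTI_SZ value that the session manager (smss.exe)
applies early in the next boot. The value is a flat list of
(source, destination) pairs in NT path form (\??\C:\...): an empty
destination deletes the source, and a destination starting with "!"
overwrites an existing target. Sample values below are constructed.
"""
from typing import List, Tuple

REG_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\")


def encode_multi_sz(strings: List[str]) -> bytes:
    """REG_MULTI_SZ as stored: each string NUL-terminated, UTF-16LE, then one more NUL."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_multi_sz(raw: bytes) -> List[str]:
    """Inverse of encode_multi_sz; keeps empty strings, which matter here."""
    text = raw.decode("utf-16-le")
    if not text.endswith("\0"):
        raise ValueError("REG_MULTI_SZ is not NUL-terminated")
    body = text[:-1]                 # drop the list terminator
    if body in ("", "\0"):           # empty value (some writers store two NULs)
        return []
    if not body.endswith("\0"):
        raise ValueError("last string is not NUL-terminated")
    return body[:-1].split("\0")


def pending_ops(raw: bytes) -> List[Tuple[str, str]]:
    """Split the value into (source, destination) pairs."""
    entries = decode_multi_sz(raw)
    if len(entries) % 2:
        raise ValueError("odd string count: a source without its destination")
    return list(zip(entries[0::2], entries[1::2]))


def schedule_delete(raw: bytes, win32_paths: List[str]) -> bytes:
    """Append delete-at-reboot entries for the given C:\\... paths."""
    ops = pending_ops(raw)
    for p in win32_paths:
        src = p if p.startswith(NT_PREFIX) else NT_PREFIX + p
        ops.append((src, ""))
    return encode_multi_sz([s for pair in ops for s in pair])


def suspicious(ops: List[Tuple[str, str]]) -> List[str]:
    """Flag entries that would plant or replace a file under the Windows tree
    at boot (how a dropper could restore itself) or that are not NT-form paths.
    Plain deletions are what a cleanup tool writes and are not flagged."""
    findings = []
    for src, dst in ops:
        if not src.startswith(NT_PREFIX):
            findings.append(f"non-NT source path: {src}")
        if dst == "":
            continue
        target = dst.lstrip("!").lower()
        if any(d in target for d in SYSTEM_DIRS):
            verb = "replace" if dst.startswith("!") else "rename to"
            findings.append(f"{verb} system file at boot: {src} -> {dst}")
    return findings


def reg_patch(raw: bytes) -> str:
    """Render the value as a .reg fragment (regedit's hex(7) form for REG_MULTI_SZ)."""
    hexbytes = ",".join(f"{b:02x}" for b in raw)
    return (f"Windows Registry Editor Version 5.00\n\n[{REG_KEY}]\n"
            f'"{VALUE_NAME}"=hex(7):{hexbytes}\n')


if __name__ == "__main__":
    queued = schedule_delete(encode_multi_sz([]),
                             [r"C:\WINDOWS\system32\mljge.dll",
                              r"C:\WINDOWS\system32\efcccax.dll"])
    for op in pending_ops(queued):
        print(op)
    print(suspicious(pending_ops(queued)) or "no suspicious entries")
    print(reg_patch(queued))
```

    The practical use of the decoder is the prompt itself: if Killbox reports that PendingFileRenameOperations already has entries, dump the value and run it through pending_ops and suspicious before rebooting, because an existing "!\??\C:\...\system32\..." destination means something else has queued a file to be dropped into system32 at the same boot.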
     
  9. fudjib

    fudjib Private E-2

    Sorry for the delay! :eek:
    It's been a busy week! Since the last post there haven't been any popups for the AV!

    Even before reading your post I had attempted to remove netmonitor, but for some reason it stayed in my Add\Remove Programs list. (The files are no longer there.)

    When I attempt again to press Remove to get it out of the list, I get an error message saying "Can not find script file "C:\windows\uninstall_nmon.vbs"".

    Deleted the following:
    C:\Documents and Settings\Fudjika\Application Data\Viewpoint
    C:\Documents and Settings\All Users\Application Data\Viewpoint
     


  10. fudjib

    fudjib Private E-2

    Here is the HijackThis log.
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download the attached uninstall_nmon.zip file and extract the contents to your C:\windows folder. The archive contains one file named uninstall_nmon.vbs.

    Once you have done this, see if you can then go to Add/Remove Programs and uninstall Network Monitor.

    Tell me what happens.

    If this does not work, we will have to remove the remaining components of this infection manually. You can see them at the end of your newfiles.txt log. The last log only has Network Monitor remaining. Your previous log also had Command Service (CmdService) but the uninstall actually worked.
     


  12. fudjib

    fudjib Private E-2

    Again my apologies for the delay! I have been pretty busy due to the arrival of the new family member! :)

    I have placed the file as mentioned in the C:\windows folder, but it now gives me the message "An error has occurred removing Network Monitor. Network Monitor has not been removed."

    I looked into newfiles.txt but I couldn't figure out which files you were speaking of... :eek:

    Is there a tutorial on how to understand these files?

    Again,
    Thank you for your help!
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Congrats! :)

    Sorry I meant at the end of the runkeys.txt log. You will see them listed under the ADSpy/Isearch.d.2 infection.

    No! You just need very extensive knowledge of the Windows OS and also loads of software designed to run under Windows.

    I'll post manual removal steps for Network Monitor in my next message.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download and install Registrar Lite. Make sure you select a MajorGeeks download link and not the author's!

    Run Registrar Lite, navigate to each of the following keys (one at a time) and take ownership of them (I explain how to do that further down).

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR


    To take ownership of the key do the following:
    • Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the Enter key. This will bring you to the registry key.
    • Click on Security in the top menu
    • Select Take Ownership
    • Repeat these steps for all of the registry keys given above before continuing to the next steps below.
    • Now leave Registrar Lite running and continue
    • Now run the fixME.reg REGISTRY PATCH below in this message.
    • Tell me the results. Any error messages?
    • Now in Registrar Lite click View and then Refresh
    • Now navigate one at a time to each of the above keys we took ownership of to make sure they were deleted.
    • If any of the keys still exist, move on down to PART 2 - Setting Permissions for Everyone below.
    Here is the Registry Patch

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    PART 2 - Setting Permissions for Everyone
    Run the below if some of the registry keys still exist after running the above steps.

    Now I want you to use Registrar Lite again to navigate to each of the below keys (one at a time) by pasting them into the Address Bar and hitting Return. But this time click the Security menu item and select Edit Permissions so we can change permissions to Everyone (I describe this below the list of registry keys).
    After clicking Edit Permissions, here is what I expect you to see in the Group or user names area of the form:

    Everyone
    SYSTEM

    Select Everyone by clicking on it. Now at the bottom in the Permissions box click the check box for Full Control. Then click Apply and then OK to get back to the main Registrar Lite screen. Now right-click on the registry key and select Delete. Then click View and Refresh. Check to see if the registry key you just deleted was truly deleted. If so, move on to the next one and work through the whole list. If it does not delete, I want you to boot into safe mode and repeat these exact same steps to see if we can do it from safe mode.

    Then reboot your PC!

    Now run GetRunKey again and attach a new log!
     
