Many problems at once

xxsullyxx · May 12, 2009

Hi,

I have tried a handful of sequences so far to fix my problems and none have worked thus far after 5 hours of work last night, I am desparate for help. I am on my work computer, because my use of internet explorer is limited at this time, as a program of some sort is blocking most access. I can still get onto the internet through AOL's browser (havent been on that in years!!)

I have CA's antivirus suite. All the problems seem to have originated with the Common / helper.dll, which seems to be gone at this point. i deleted it a few times and it came back, but one of the steps i ran must've gotten it.

Other problems are:

- When logging into Windows, Vetmsg.exe has an error message. This is followed by ccprovsp.exe problems. Also, it will not let me run a CA virus scan. it gets through about 17 files and and error message reading something about the CA Anti Virus GUI Scanner. Also from time to time "CA Anti Virus Real Time Messaging Service" has an error. So i'm assuming this all has to do with my software's ability to update.

- problem #2 is that when i go onto internet explorer (and only this program) another application is running in the background called "_x". i have maximized the program to see what it was an its a blank page, but it screws up my internet explorer and when i kill the process it closes IE.

- I would not assume the helper.dll is fixed, because i'm sure it could come back.

I have also tried running scans in safe mode and still nothing.

Brief descriptions of the two sequences I have done thus far that other people have had success with with similar problems is:
In the order I was told:

- Run ATF-Cleaner
- Run Malwarebytes' Anti-Malware
- Run SuperAntiSpyware
- Run ESET Online Scanner
- Do a system restore

this didnt work, so i ran a second sequence:

- Combofix including downloading windows recovery console
- JavaRa to uninstall previous versions and redownload newest version of runtime
- uninstall combofix
- malwarebytes
- i was supposed to do kaspersky at this point as the last step, but i was falling asleep and quit for the night.

Any help would be great. Thanks very much for all your time.

xxsullyxx · May 14, 2009

Hi, not meaning to BUMP, but I did do several things that have hopefully alleviated or eradicated the problems altogether, leaving much less for analysis or fixing.

I got rid of CA, it was a resource hog anyway. That got rid of the problems associated with that (ccprovsp.exe, vetmsg.exe, etc.) Now I am not sure it fixed what was causing the problem, maybe only the result. Unless the problem had weaved itself into the program and disappeared with the software's removal (i'm not an expert, so I'm not sure how that part works)

I took all of the protection advice from this website and downloaded:

Comodo Internet Security (both firewall and av)
CCleaner
Comodo BOClean
Spybot Search and Destroy
Spyware Blaster

All installed and are running perfectly (no problems updating them at this point although I hit a snag get the AV installed due to a lost internet connection. But a few restarts later and all is well and i have run scans in each where applicable).

I have downloaded and installed Firefox and am using that as my primary explorer now. The "_x" does not show up in applications when this is open.

because I have XP SP3 it won't let me uninstall IE7, and I didnt want to uninstall SP3 and mess something up. So instead I downloaded the new IE8 as a back up. Unfortunately, as with IE7, when i open IE8, the application "_x" is running parallel, and interestingly sometimes its now showing up twice in the task manager applications section.

Common / helper.dll has not shown back up, so I think that one has been nipped in the bud.

So without further rambling, it seems that so long as I don't use IE everything looks OK. But, it still kind of worries me that something is there under the surface. So if there is any way to get rid of the "_x" i woul dbe thrilled, and nothing i have done so far, inclusive of the new AV/Firewall and all the other goodies, seem to have taken care of that.

Hopefully i haven't just switched all the programs around, but all the same viruses are lingering under the surface.

chaslang · May 16, 2009

Welcome to Major Geeks!

Please follow the instructions in the below link and attach the requested logs. Since you say you have already run SUPERAntiSpyware, Malwarebytes, and ComboFix then you can just skip those scans and attach the logs that you already have from them. Thus you will just need to attach the log from MGtools

READ & RUN ME FIRST. Malware Removal Guide

xxsullyxx · May 23, 2009

Hi, sorry for my delay, thank you so much for your help. I had oreviously deleted all those programs so i re ran everything according to your steps here, not steps from other forums i had looked at. Also, I am no longer running Comodo IS due to problems updating, so I have outpost's firewall and i haven't gotten an antivirus yet, as I have been running these scans.

Everything went smoothly with the exception of the Malwarebytes' Anti Malware. It would find stuff to quaranteen and then when i would click to do so an error message read: "Runtime error '48'. file not found wininet.dll"

and the program would close with no log saved, so i re ran it and saved a log before trying to quaranteen, at which time i tried again and it did the same thing, so im not sure if it will say "no action taken" but i needed to do this to get a log. Thanks again!!

xxsullyxx · May 23, 2009

I may be jumping the gun here, but I re ran Malwarebytes' just now after the other few things had ran, thinking that maybe one of the got rid of it and it found nothing and produced the attached log.

chaslang · May 25, 2009

You do not have the current database for Malwarebytes installed. Let's be safe and update it and then run a new scan.

Now run Malwarebytes and click the Update tab. Then click the Check for Updates button so you update to the current version of the program and database. Then run a new scan with it too. Attach the new log.

Are you using a non-English version of Windows?

Do you have your Windows XP SP3 CD?

There is a strong possibility that some of your Windows system files are infected and need to be replaced. The 3 below files currently standout but there could be more.

C:\Windows\System32\kernel32.dll
C:\Windows\System32\powrprof.dll
C:\Windows\System32\wininet.dll

All copies of these file on your hard disk appear to have been touch/modified on 2009-05-24 at 00:08 AM.

xxsullyxx · May 26, 2009

Thanks,

I do have my windows CD but only sp2 (which i used) and it is the english version.

So after my last post i reinstalled IE8 because it wasn't working and I needed it for things like Microsoft updates and my Flash player wasnt working in Firefox. Needless to say, that crashed windows...

It wouldn't load anything but my background and my only access to files/programs was through task manager and ther error messages were reading explorer.exe error with something about the ordinal 421 for urlmon.dll. i tried reregistering the dll's and running ie8 and ie7 uninstalls to replace the urlmon.dll ...with no luck. It appears your gut was right, because with all the crap the computer had too many files were messed with, if not deleted.

What I ended up being forced to to was run the Windows XP Repair. it left all my apps and files intact and repaired windows. after another 10+ hours since then, I have all Windows up to date with all the latest stuff and both ie8 is working and the firefox flash that wasnt before, with no programs running on the sidelines. It seems to be running perfect (albeit a bit slower than before, so maybe the repair slowed things down somehow).

I ran a bunch of stuff and it all showed up clean.

chaslang · May 28, 2009

You're welcome. I suggest that you run a full scan of your system with your antivirus program now to see if it finds any problems. Also I suggest that you download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Now attach the below log:

C:\MGlogs.zip

xxsullyxx · May 29, 2009

Great thanks. I have run the new scan and attached the logs. I have also done a few things to speed the computer up, like the services.msc from blackviper (i think that was the suggested place) and disabled a bunch of other start up services i didnt need. Thanks!

Also, My Comodo AV has a file waiting for my review and I can't figure out what it is, and whether or not to allow or block it. the path is:

C:\Documents and Settings\John Sullivan\Local Settings\temp\uninst.dll

Any ideas?

chaslang · May 31, 2009

xxsullyxx said: ↑

Also, My Comodo AV has a file waiting for my review and I can't figure out what it is, and whether or not to allow or block it. the path is:

C:\Documents and Settings\John Sullivan\Local Settings\temp\uninst.dll

Any ideas?
Click to expand...

Just delete it as you don't need it anyway. It is just a temp file. probably just an for an uninstaller.

Note: You do not appear to have an antivirus installed. At least not according to your logs. It looks like only Comodo's Firewall is running. Are you sure the AV is active?

You now have fixed the 3 files that I was saying were infected. However the bad copies (lots of them) are still hanging around. They all showed up on 5/23/2009. There are also other signs of the malware that must be removed.

First uninstall Viewpoint Media Player as requested in step 1 of the READ & RUN ME.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

After clicking Fix, exit HJT.

Now we need to use ComboFix to remove a bunch of malware files.

Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!

If it is not on your Desktop, the below will not work.

Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.

If ComboFix tells you it needs to update to a new version, make sure you allow it to update.

Open Notepad and copy/paste the text in the below quote box into it:

KILLALL::
DirLook::
C:\WINDOWS\SYSTEM32\UAs
C:\WINDOWS\SYSTEM32\xmldm

File::
C:\WINDOWS\PEV.exe
C:\WINDOWS\SYSTEM32\DRIVERS\avgntflt.sys
C:\WINDOWS\SYSTEM32\$winnt$.inf
C:\WINDOWS\SYSTEM32\CF10530.exe
C:\WINDOWS\SYSTEM32\CF16038.exe
C:\WINDOWS\SYSTEM32\CF9149.exe
C:\WINDOWS\SYSTEM32\krncode.dat
C:\WINDOWS\SYSTEM32\ldshyf1.old
C:\WINDOWS\SYSTEM32\licmgr10.dll
C:\WINDOWS\SYSTEM32\nsysk.ini
C:\WINDOWS\SYSTEM32\nsysp.ini
C:\WINDOWS\SYSTEM32\nsysw.ini
C:\WINDOWS\SYSTEM32\osysk.dat
C:\WINDOWS\SYSTEM32\osysw.dat
C:\WINDOWS\SYSTEM32\REN148.tmp
C:\WINDOWS\SYSTEM32\REN149.tmp
C:\WINDOWS\SYSTEM32\REN14A.tmp
C:\WINDOWS\SYSTEM32\REN152.tmp
C:\WINDOWS\SYSTEM32\REN153.tmp
C:\WINDOWS\SYSTEM32\REN154.tmp
C:\WINDOWS\SYSTEM32\srvblck2.tmp
C:\WINDOWS\SYSTEM32\sysk.tmp
C:\WINDOWS\SYSTEM32\sysw.tmp
C:\Documents and Settings\John Sullivan\Y9Y9
C:\Documents and Settings\John Sullivan\__8543~1
C:\WINDOWS\$hf_mig$\KB917422\SP2QFE\kernel32.dll
C:\WINDOWS\$hf_mig$\KB935839\SP2QFE\kernel32.dll
C:\WINDOWS\$NtUninstallKB935839$\kernel32.dll
C:\WINDOWS\$NtUninstallKB959426$\kernel32.dll.000
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\kernel32.dll
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\powrprof.dll
C:\WINDOWS\$hf_mig$\KB834707\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB912812\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB916281\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB918899\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB931768-IE7\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB933566-IE7\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB937143-IE7\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll
C:\WINDOWS\$NtUninstallKB834707$\wininet.dll
C:\WINDOWS\$NtUninstallKB867282$\wininet.dll
C:\WINDOWS\$NtUninstallKB883939$\wininet.dll
C:\WINDOWS\$NtUninstallKB890923$\wininet.dll
C:\WINDOWS\$NtUninstallKB896688$\wininet.dll
C:\WINDOWS\$NtUninstallKB905915$\wininet.dll
C:\WINDOWS\$NtUninstallKB912812$\wininet.dll
C:\WINDOWS\$NtUninstallKB916281$\wininet.dll
C:\WINDOWS\$NtUninstallKB918899$\wininet.dll
C:\WINDOWS\ie7\wininet.dll
C:\WINDOWS\SoftwareDistribution\Download\02e948ba5ac0e4be806c6a740042b5b2\SP2GDR\wininet.dll
C:\WINDOWS\SoftwareDistribution\Download\02e948ba5ac0e4be806c6a740042b5b2\SP2QFE\wininet.dll
C:\WINDOWS\SoftwareDistribution\Download\263159e92061f273983a0f9531635ce0\sp3gdr\wininet.dll
C:\WINDOWS\SoftwareDistribution\Download\263159e92061f273983a0f9531635ce0\sp3qfe\wininet.dll
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\wininet.dll

Folder::
C:\WINDOWS\SYSTEM32\cock
C:\be3afcc8351d93856493ddcda2aa3b

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DellSupport]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DVDLauncher]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Software Update]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HPDJ Taskbar Utility]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\hpqSRMon]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PCMService]
Click to expand...

Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe

At this point, you MUST EXIT ALL BROWSERS NOW before continuing!

You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.

Now use your mouse to drag CFscript.txt on top of ComboFix.exe

Follow the prompts.

When it finishes, a log will be produced named c:\combofix.txt

I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\John Sullivan\Local Settings\temp

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Now attach the below log:

C:\ComboFix.txt

C:\MGlogs.zip

Make sure you tell me how things are working now!

xxsullyxx · May 31, 2009

It didn't go so well. I uninstalled the viewpoint (i must've missed that one on step 1) I ran the mgtools fix and that worked out.

My AV is running no problem, that is weird that it didnt show up. it is part of Comodo. The firewall, av and defense are all running.

To run Combofix, i disabled each aspect of comodo and then exited the program, but it still said it was running according to combofix. i ran it anyway, sure that i had closed everything.

after getting to somewhere around step 50, a blue screen came up and said windows had detected a problem and to restart, so i did. I'm not sure if it finished and created a log. That notepad document is gone from the desktop that i dragged before, so i stopped and am looking for advice be4 i continue anything. Thanks so much for your help.

chaslang · Jun 2, 2009

Just continue on and get me the new log from MGtools at a minimum. Check to see if there is a new ComboFix log and attach it if there is one.

Also tell me how things are currently working.

xxsullyxx · Jun 2, 2009

There was no Combofix log.

I went ahead and deleted the Temp files and then ran CCleaner (also they had an update that I downloaded) and then MGtools. The log zip is attached

Interestingly after deleting the temp files, Comodo had a virus alert flagging Combofix (which i hadn't tried to run or anything) but it has never done that before that's the only reason I mention it.

Everything seems to be running well, but not really different from the other day where you still said there are things lingering. Thanks

chaslang · Jun 2, 2009

You're welcome. Looks like ComboFix was able to remove things we wanted anyway. Your logs are clean.

If you are not having any other malware problems, it is time to do our final steps:

We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete any of the below folders if they still remain after uninstalling ComboFix:

C:\32788R22FWJFW.0.tmp

C:\32788R22FWJFW.1.tmp

C:\ComboFix

Also delete any of the below files if they still remain after uninstalling ComboFix:

C:\log1.txt

C:\log2.txt

C:\WINDOWS\SYSTEM32\CF15860.exe

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

xxsullyxx · Jun 3, 2009

Thanks very much. The only file that seems to have trouble deleting is the hidec.exe in C:\32788R22FWJFW.1.tmp as it seems to be protected....everything else has uninstalled successfully and been deleted. i noticed while deleting some of this stuff my internet connection disappeared, so now I'm at work on my computer here. I see this has happened, and you just have to "repair" the connection, but I wanted to wait until I was able to delete the last piece of combofix. Other than that, everything seems smooth and I thank you very much for taking the time to help me nurse my computer back to health. It seems better than it ever was since I got it

chaslang · Jun 6, 2009

xxsullyxx said: ↑

The only file that seems to have trouble deleting is the hidec.exe in C:\32788R22FWJFW.1.tmp as it seems to be protected...
Click to expand...

Boot in safe mode and right click on the file and select Properties. Make sure that it is not set to Read Only. If it is, uncheck it and click Apply. Then either way, right click on the file and select Delete. If it deletes, then delete the folder.

xxsullyxx said: ↑

i noticed while deleting some of this stuff my internet connection disappeared, so now I'm at work on my computer here.
Click to expand...

None of these items have anything to do with your internet connection. So I'm not sure what is happening here.

xxsullyxx said: ↑

Other than that, everything seems smooth and I thank you very much for taking the time to help me nurse my computer back to health. It seems better than it ever was since I got it
Click to expand...

You're welcome.

xxsullyxx · Jun 6, 2009

Perfect, actually after I posted i gave safe mode a try and it all worked out. So now it's all set and running great as I said before. Thank you

chaslang · Jun 8, 2009

You're welcome. Surf safely!

Log in or Sign up

Many problems at once

xxsullyxx Private E-2

xxsullyxx Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

xxsullyxx Private E-2

Attached Files:

SASlog.txt

mbam-log-2009-05-23 (19-57-37).txt

ComboFix.txt

MGlogs.zip

xxsullyxx Private E-2

Attached Files:

mbam-log-2009-05-23 (20-37-14).txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

xxsullyxx Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

xxsullyxx Private E-2

Attached Files:

MGlogs.zip

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

xxsullyxx Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

xxsullyxx Private E-2

Attached Files:

MGlogs.zip

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

xxsullyxx Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

xxsullyxx Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member