MSIE Infected

• When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
  • CounterSpy
  • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
  • Bitdefender - from step 6
  • Panda Scan - from step 6
  • runkeys.txt - the log from GetRunKey.bat
  • newfiles.txt - the log from ShowNew.bat
  • HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

 

Please save this to notepad so that you can complete the instructions off-line.

Do you know what these are in your uninstall program list:
"2a3a47f"
"8551ad0f"

Use windows explorer to delete these folders/files:
C:\WINDOWS\system32\drivers\msusbbux.sys
C:\Program Files\Common Files\{60863F5B-0543-1033-0922-030707000001}\system.dll
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\Mediacenter\Mediacenter0.4-by Coolstreaming.exe


Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
O20 - Winlogon Notify: cryptimg - C:\WINDOWS\SYSTEM32\cryptimg.dll
After clicking Fix, exit HJT.

Now run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

* Delete on Reboot
* then Click on the All Files button.*(or on the folders option)*
* Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\4072cfsb.dll
C:\WINDOWS\system32\42ccntos.dll
C:\WINDOWS\system32\92CF7CE6.DLL
C:\WINDOWS\system32\92CF7CE6.EXE
C:\WINDOWS\system32\92CF7CE6T.EXE
C:\WINDOWS\system32\u1171575075g.exe
C:\WINDOWS\system32\cacheur.exe
C:\WINDOWS\system32\drivers\ffpbek.sys
C:\WINDOWS\system32\mctet.dll
C:\WINDOWS\system32\drivers\erbnseh.sys
C:\WINDOWS\system32\winsys32_070212.dll
C:\WINDOWS\system32\drvcog.dll
C:\WINDOWS\system32\drvmez.dll
C:\161941~1
C:\bcqkcbsw.exe
C:\jwjbt.exe
C:\jxeqlgj.exe
C:\lodcvybl.exe
C:\ooqlp.exe
C:\vggba.exe
C:\voraiau.exe
C:\vyqnwwd.exe
C:\WINDOWS\system32\1010s.exe
C:\WINDOWS\SYSTEM32\cryptimg.dll
C:\WINDOWS\system32\40b2ntos.dll
C:\WINDOWS\system32\"4c70cfsb.dll"
C:\WINDOWS\system32\fcccccc.dll
C:\WINDOWS\system32\"ljjiffg.dll"
C:\WINDOWS\system32\pmkih.dll
C:\WINDOWS\system32\"winzxe32.dll"
C:\WINDOWS\system32\wjxgavpu.dll
C:\WINDOWS\system32\wvutrpn.dll
C:\WINDOWS\system32\mywebhit.ini.tmp
C:\WINDOWS\system32\mywebhit.ini
C:\WINDOWS\system32\92CF7CE6.dat

* Return to Killbox, go to the File menu, and choose Paste from Clipboard. Check the box to unregister the .dll's.
* Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

If Killbox does not reboot just reboot your PC yourself.

Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

You will need to update your JAva as well as your operating system!!!

J2SE Runtime Environment 5.0 Update 2 - the instructions asked you to delete this and install the latest version!

Now attach new logs for:

* GetRunKey
* ShowNew
* HJT

Be sure to tell us how things are running.

 

Please uninstall these thru add/remove programs:
webwork
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 2

Reboot and install:
Java Runtime 6

Run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

* Delete on Reboot
* then Click on the All Files button.*(or on the folders option)*
* Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Program Files\Common Files\{60863F5B-0543-1033-0922-030707000001}
C:\Program Files\Common Files\sxco
C:\Program Files\Common Files\xing shared
C:\161941~1
C:\bcqkcbsw.exe
C:\jwjbt.exe
C:\jxeqlgj.exe
C:\lodcvybl.exe
C:\ooqlp.exe
C:\vggba.exe
C:\voraiau.exe
C:\vyqnwwd.exe
C:\WINDOWS\system32\40b2ntos.dll
C:\WINDOWS\system32\winsys16_070212.dll
C:\WINDOWS\system32\cryptimg.dll
C:\WINDOWS\system32\oldmywebhit.ini
C:\WINDOWS\system32\rrsut.ini
C:\WINDOWS\system32\00004a8e.DAT
C:\WINDOWS\system32\drivers\00004a8e.SYS
C:\WINDOWS\system32\drivers\ast.sys
C:\WINDOWS\system32\drivers\hidproc.sys
C:\WINDOWS\system32\drivers\onmrukid.sys
C:\WINDOWS\system32\drivers\restore.ini
C:\WINDOWS\system32\drivers\ttp~1.exe

* Return to Killbox, go to the File menu, and choose Paste from Clipboard. Check the box to unregister the .dll's.
* Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

If Killbox does not reboot just reboot your PC yourself.

Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O21 - SSODL: webwork - {4C611512-2C1D-44b2-A044-872AD2AD5A61} - C:\WINDOWS\webwork\webwork.dll

After clicking Fix, exit HJT.

Run CCleaner

Now attach new logs for:

* GetRunKey
* ShowNew
* HJT

Be sure to tell us how things are running.

 

If all was done, why is Webwork still showing in the add/remove program list, as well as a lot of the other items from killbox list?

 

Run Killbox and have it delete these files:

C:\WINDOWS\pss\3ª¬ýøO.lnkStartup
C:\WINDOWS\system32\drivers\00004a8e.SYS
C:\WINDOWS\system32\00004a8e.DAT
C:\WINDOWS\system32\oldmywebhit.ini.tmp
C:\mdwgnjib.bat

Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now run HJT and have it fix this item:

O20 - Winlogon Notify: cryptimg - cryptimg.dll (file missing)

After clicking fix, exit HJT.

Now attach new logs for:

* GetRunKey
* ShowNew
* HJT

Be sure to tell us how things are running.

 

C:/KillBox is the backup list of deleted files .....I can't see if the files that we ask you to delete using PocketKillBox are actually being deleted.

Also the registry fix is not taking ...are you following the instructions on doing that?

 

Please remove all of your extensions and toolbars in your browsers......reboot and attach a new (please get the latest version) ShowNew and GetRun logs.

 

The new versions are now posted in the ShowNew and GetRun Links .....I suspect the problem is with the IE toolbars ...(what was installed?).

Post new logs:
ShowNew
GetRun
HJT

 

Please print these instructions out, or write them down, as you can't read them during the fix.

Download and Install RogueRemover Free http://www.majorgeeks.com/RogueRemover_d5360.html

Run RogueRemover and select Scan and the program will walk you through the remaining steps.

Remove:
Registry Fix and any others that it finds.

Step 1:
Download SmitfraudFix (c) S!Ri http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Do NOT run any other option other than 1

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consultin...rocessutil.htm

Step 2:
Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode
5) Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non infected computer will remove your Desktop background.

Reboot

Follow the directions for Virtumonde aka Trojan Vundo Removal procedure.

Post the Following Logs:
1. rapport.txt from SmitFraudFix
2. ShowNew
3. GetRunKey
4. HijackThis

 

Please find this in your startup folder and delete it:
C:\Documents and Settings\Admin\Start Menu\Programs\Startup\3ª¬ýøO.lnk

Do you know what this is in your add/remove program list:
Windows hckw UnInstall

Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Do a search for msmsgs and delete anything found. Also check msconfig and see if it is in the startup tab ...uncheck it if it is.

Tell me how things are running.

 

I'm not seeing anything in your previous logs .....please run CCleaner (both the cleaner and the issues - make the backup when prompted).

Then reboot and attach a new HJT log.

 

The HJT log is clean ...are you still having any other issues?
If not:You may uninstall any programs we had you download.

If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
* Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
8. If you are running Windows XP or Windows ME, do the below:
* go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
* Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work thru the below link:
* How to Protect yourself from malware!

 

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnnine.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnnine.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 194.80.38.242:3127

After clicking Fix, exit HJT.
Now attach new logs for:

* GetRunKey
* ShowNew
* HJT

 

Please use add/remove programs to uninstall:
Mysee WebTV
PPMateIoA‡æ‡EO 1.7.1.28 <---if you don't know what this is!?

Now go to start / run / and type "msconfig" without quotes and tell me what is in the startup tab. (Cancel to exit).

Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

You can have HJT remove this item unless you do use it as your homepage:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nothing.com/

Now run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

* Delete on Reboot
* then Click on the All Files button.*(or on the folders option)*
* Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\mywebhit.ini
C:\WINDOWS\system32\mywebhit.ini.tmp

* Return to Killbox, go to the File menu, and choose Paste from Clipboard.
* Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

If Killbox does not reboot just reboot your PC yourself.

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

 

Tim,

There are other issues in the logs that you need to address.

• multiple antivirus applications are installed
• MSConfig is in use and at least one baddie is in the list of inhibited startups.
• runkeys.txt also shows the below:
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]
    "svchost.exe"=""
  • [HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\ShellExecuteHooks]
    "{613E7B70-5380-4063-A060-C147AB994C02}"=""
    "{4ED6E0B5-F47A-4609-A940-11CF60FDC3C3}"="NetCache" <--- I'm not positive on this one, but it does not look good!
• you need to download and use the current version of ShowNew.

 

If you look in the log from GetRunKey, you will see a lot more than that is disabled using MSconfig. You need to follow the directions given in the READ & RUN ME in at least two places and select Normal Startup in MSconfig.

Then you need to follow the directions in step 3 of the READ & RUN ME and uninstall all but one antivirus.

Then you need to download the current version of ShowNew as I stated in my last message.

After doing the above attach new logs from:
- GetRunKey
- ShowNew
- HijackThis

 

Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

* Delete on Reboot
* then Click on the All Files button.*(or on the folders option)*
* Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\rrsut.bak1

* Return to Killbox, go to the File menu, and choose Paste from Clipboard.
* Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

If Killbox does not reboot just reboot your PC yourself.

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

 

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now attach a new log from GetRunKey.

 

Are you still getting a popup about a missing DLL? If so post exactly what it says or give as a screen snapshot if possible.

 

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,%System%\userinit.exe,

And is the below something you recognize? If not, fix it. It seems Chinese related too.
O16 - DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} (KooPlayer Control) - http://www.vivitv.com/KooPlayer.ocx

After clicking Fix, exit HJT.

Now attach a new HJT log here.

Are you still seeing the same message?

If so, does it appear in safe mode.
Does it appear when you log into other user accounts?

 

bookmark

 

Then there is a process or service that you are loading in normal boot mode that you do not load in safe mode. Attach a HijackThis log from safe mode.

Then from Normal Boot mode get a Startup List with Hijack This.

Generating Startup Lists with HijackThis

• Run HijackThis, click Open the Misc Tools section
• Put a check in the List also minor sections (full) check box.
• Now click the Generate StartupList Log button.
• This will create a file named startuplist.txt in the same folder that HijackThis is installed into.
• Also a notepad file will open with this startuplist in it.
• Attach the startuplist.txt file to your next message.

Put a copy of yprs_x.sys into a ZIP file and attach it here.

 

No this is strange. The problem you are having does not occur when you are in safe mode but the item that is causing it does show in safe mode. And the exact opposite is true for normal boot mode.

Boot in safe mode and run HijackThis. Select the below line and then click fix:

O4 - HKLM\..\RunOnce: [yprs_x] %systemroot%\system32\rundll32.exe %systemroot%\system32\yprs_x.dll,Run

Then exit HJT and reboot in normal mode.

Does the problem happen again?

The .SYS file you uploaded is a copy of a Microsoft file named BEEP.SYS which is just a speaker driver. I'm not sure who renamed/copied this or why. It does not seem to be malware but it is not normal.

 

Try booting into safe mode again and fixing that line in HijackThis again and then also delete the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\yprs_x

registry key that you found. Make sure you only delete the yprs_x subkey. If you are not sure how to do that, just use the below registry patch and then double check to make sure it really was removed.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

I tend to doubt that this is malware and it does not appear to be causing you any problems other than the popup about the missing dll. I still wonder what program that you use or used that installed this and what the purpose was in copying the beep.sys driver to a new name. Could it be related to the YSIGet Download Manager that you have installed.