Need Help Please (attachments 1, 2 and 3)

Discussion in 'Malware Help (A Specialist Will Reply)' started by kevin123, Oct 18, 2006.

  1. kevin123

    kevin123 Private E-2

    SYMPTOMS:
    When I restart my PC, I get the following messages:
    "End Program - explorer.exe" followed by "This program is not responding" and,
    "End Program - Connections Tray" followed by "This program is not responding"

    As soon as my PC boots, approximately 3 black DOS-type windows appear and disappear immediately while McAfee is loading (I have McAfee ActiveShield continuously running). On one of these black windows, I can read a file name that looks like txdv...exe.

    WHAT I DID:
    I followed the instructions on the READ and RUN ME.
    "MS Windows Malicious Software Removal Tool" found no malware.
    Spybot found 2 cookies and removed them.
    "MS Windows Defender" found and deleted two trojans with names similar to: "Microsoft Firewall Notify Disable" and "Microsoft AntiVirus Notify Disable"

    Attached are Logs for:
    1. Bitdefender
    2. PandaActiveScan
    3. GetRunKey

    My next message has the Logs for:
    4. ShowNew
    5. HiJackThis

    I appreciate any help and look forward to hearing from you.
     

    Attached Files:

  2. kevin123

    kevin123 Private E-2

    Need Help Please (attachments 4 and 5)

    Attached are the remaining two Logs:

    4. ShowNew
    5. HiJackThis
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Need Help Please (attachments 4 and 5)

    Is your copy of CounterSpy a paid or free version? If free, uninstall it now.

    Is your copy of eTrust PestPatrol Anti-Spyware a paid or free version? If free, uninstall it now.

    Is your copy of Spyware Doctor 3.2 a paid or free version? If free, uninstall it now. If paid, it is way out of date and you should get it updated.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0

    Continue by downloading a tool we will need - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R3 - URLSearchHook: (no name) - _{A55581DC-2CDB-4089-8878-71A080B22342} - (no file)
    R3 - URLSearchHook: (no name) - _{A18EBFD7-053D-09E7-1602-5EF07CCE61B3} - (no file)
    R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vdbgxbh.exe
    O4 - HKLM\..\Run: [tphpmt] C:\WINDOWS\system32\txdxnv.exe reg_run
    O4 - HKCU\..\Run: [pmoqo] C:\WINDOWS\system32\txdxnv.exe reg_run
    O4 - Startup: Check for TWS Updates.lnk = C:\Program Files\InteractiveBrokersDemoTWS\Jts\WiseUpdt.exe
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1441/ftp.coupons.com/v3123/cpbrkpie.cab
    O20 - AppInit_DLLs: dxclib303562752.dll

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\mfpyt.exe
    C:\Documents and Settings\Al\Application Data\Dxcknwrd.dll
    C:\Documents and Settings\Al\Application Data\Dxcuknwrd.dll
    C:\asdf.txt
    C:\deskbar_e21.exe
    C:\WINDOWS\system32\dxclib303562752.dll
    C:\WINDOWS\system32\khucn.exe
    C:\WINDOWS\system32\txdxnv.exe
    C:\WINDOWS\system32\vdbgxbh.exe
    C:\WINDOWS\system32\wapisvtr.exe
    C:\WINDOWS\stkfe.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete if found:
    C:\Program Files\?ystem <--- the questionmark will look like an "S" making this folder name look like "System"

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
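The HijackThis lines above are a compact catalogue of Windows autostart locations that malware of this era abused: the UserInit chain in system.ini, AppInit_DLLs, URLSearchHook CLSIDs, and HKLM/HKCU Run keys. The script below is an added example (not code from this thread, from HijackThis or from MajorGeeks) that parses log lines in the format shown and applies defender-side triage rules to them. The sample input is copied from the lines in this post; the "random-looking name" rule and the section-parsing regexes are my own assumptions, not HijackThis behaviour.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the HijackThis lines the helper asked the poster to fix, copied from this thread.
SAMPLE_HJT = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - URLSearchHook: (no name) - _{A55581DC-2CDB-4089-8878-71A080B22342} - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vdbgxbh.exe
O4 - HKLM\..\Run: [tphpmt] C:\WINDOWS\system32\txdxnv.exe reg_run
O4 - HKCU\..\Run: [pmoqo] C:\WINDOWS\system32\txdxnv.exe reg_run
O4 - Startup: Check for TWS Updates.lnk = C:\Program Files\InteractiveBrokersDemoTWS\Jts\WiseUpdt.exe
O20 - AppInit_DLLs: dxclib303562752.dll
"""

# Assumed line shapes: "<section> - <body>" and, for registry Run entries, "<hive>\..\Run: [name] <exe> <args>"
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<rest>.+)$")
RUN_RE = re.compile(r'^(?P<hive>HK[A-Z]+)\\.*\]\s+"?(?P<exe>.+?\.exe)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    detail: str    # the log line body (or the executable path for cross-line findings)
    reason: str    # why a reviewer should look at it


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs, skipping anything that is not an entry."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("rest")))
    return entries


def looks_random(filename):
    """Heuristic (assumption, not a rule): a purely alphabetic stem with no vowels, like txdxnv.exe."""
    stem = filename.lower().rsplit(".", 1)[0]
    return len(stem) >= 5 and stem.isalpha() and not any(c in "aeiou" for c in stem)


def triage(text):
    findings = []
    run_hives = defaultdict(set)   # lowercase exe path -> hives whose Run key launches it
    for sec, rest in parse_hjt(text):
        if sec == "R3" and rest.endswith("(no file)"):
            findings.append(Finding(sec, rest, "URLSearchHook whose CLSID resolves to no file (orphaned hook)"))
        elif sec == "F2" and "UserInit=" in rest:
            value = rest.split("UserInit=", 1)[1]
            # Only userinit.exe belongs here; anything after the comma runs at every logon.
            extra = [p for p in value.split(",") if p and not p.lower().endswith("userinit.exe")]
            if extra:
                findings.append(Finding(sec, rest, "extra program chained into logon via UserInit: " + ", ".join(extra)))
        elif sec == "O4":
            m = RUN_RE.match(rest)
            if m:   # registry Run entry; Startup-folder .lnk lines do not match and are left alone
                exe = m.group("exe")
                run_hives[exe.lower()].add(m.group("hive").upper())
                if looks_random(exe.rsplit("\\", 1)[-1]):
                    findings.append(Finding(sec, rest, "Run entry launches an executable with a random-looking name"))
        elif sec == "O20" and rest.startswith("AppInit_DLLs:"):
            dlls = rest.split(":", 1)[1].strip()
            if dlls:   # a non-empty AppInit_DLLs value is injected into every process that loads user32.dll
                findings.append(Finding(sec, rest, f"AppInit_DLLs loads {dlls} into every user32.dll process"))
    for exe, hives in run_hives.items():
        if {"HKLM", "HKCU"} <= hives:
            findings.append(Finding("O4", exe, "same executable registered under both HKLM and HKCU Run (redundant persistence)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f.section}: {f.reason}\n    {f.detail}")
```

Run as-is it prints seven findings for the sample: two orphaned search hooks, the vdbgxbh.exe UserInit chain, both txdxnv.exe Run entries, the redundant HKLM/HKCU registration of that same file, and the AppInit_DLLs entry. The R1 about:blank line and the legitimate Startup-folder shortcut produce nothing, which is the point of keeping the rules narrow.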
     
  4. kevin123

    kevin123 Private E-2

    Thanks a lot again!! I did the following, and my pc is doing much better!! Here are my answers to your questions:

    My copy of CounterSpy was a free version, I uninstalled it per your request.

    I couldn't locate eTrust PestPatrol Anti-Spyware or Spyware Doctor 3.2 installed on my pc. If they are running on my pc somewhere, I cannot remember if they were paid versions or not. I looked at the "Add remove programs" in the Control panel, also looked at the start - programs, and couldn't find it. I did find installation files for both of those programs under my install files folder, which I deleted.

    Before I received your email, and after I had sent you the previous log files, I installed a paid version of "Spyware Doctor 4.00.26.18" and cleaned all 78 malware that it found.

    I uninstalled the J2SE Runtime Environment 5.0.

    I ran Spybot Search and Destroy 1.4, Microsoft Windows Defender and "Microsoft Windows Malicious Software Removal Tool" in the modes you recommended; they found no malware. Then I ran BitDefender (worked only in normal mode); it also found no malware.
    I ran PandaActiveScan, it found 2 cookies (log is attached). What should I do with these cookies? Should I manually delete them in Windows Explorer?

    I ran HiJackThis and had it fix the lines you mentioned.

    I used PocketKillBox as you outlined.

    I couldn't find the C:\Program Files\?ystem

    I disabled System Restore, rebooted, and re-enabled System Restore.

    Attached are all five new logs in two messages. I look forward to hearing from you. Thanks again, you've been extremely helpful!
     

    Attached Files:

  5. kevin123

    kevin123 Private E-2

    ..and attached is the new HJT log that you had requested.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, now that you have a paid version of Spyware Doctor installed, you need to uninstall Windows Defender. Also I see a listing for Ad-Aware SE Professional in your log for ShowNew. Is this still installed? If so, make sure you do not use the Ad-watch feature because it will cause conflicts with Spyware Doctor and it will also cause excess use of system resources which will slow your PC down.


    Then you did not follow the directions in step 2 of the READ & RUN ME. The folder is still there and you need to delete it:
    Code:
    C:\Program Files\
    YSTEM~1       Oct  5 2006              "?ystem"
    

    How is everything working? Because other than that folder you need to delete, you appear to be clean.
     
    Last edited: Oct 24, 2006
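The "?ystem" folder that caused the confusion in this thread is a look-alike name: the first character is not a plain ASCII "S", so the tools printed it as "?", and the listing shows the short 8.3 name as YSTEM~1. The script below is an added example (not code from this thread or from any of the tools mentioned) of how a defender can find such directories without relying on eyesight. The watchlist, the confusable table and the sample listing are all my own constructions; on a live system you would feed it `os.listdir(r"C:\Program Files")` instead of SAMPLE_DIRS.

```python
import unicodedata

# Directory names worth imitating under Program Files (assumption: a short watchlist; extend to taste)
WATCHLIST = {"system", "system32", "windows", "program files", "common files"}

# Hand-picked letters that render like Latin ones (assumption: a starter table, not the full
# Unicode confusables list)
CONFUSABLES = {
    "\u0405": "S", "\u0455": "s",               # Cyrillic Dze
    "\u0421": "C", "\u0441": "c",               # Cyrillic Es
    "\u041e": "O", "\u043e": "o",               # Cyrillic O
    "\u0430": "a", "\u0435": "e", "\u0440": "p", "\u0445": "x", "\u0443": "y",
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u039f": "O", "\u03a4": "T",
}

# Constructed listing standing in for C:\Program Files. Cyrillic Dze plays the part of the
# character that HijackThis/ShowNew printed as "?" in the thread; U+01A7 is a glyph the table
# does not know, to show the fallback rule.
SAMPLE_DIRS = ["Common Files", "Internet Explorer", "\u0405ystem", "System",
               "Wind\u043ews", "\u01a7ystem", "R\u00e9sum\u00e9s"]


def non_ascii_points(name):
    """Describe every non-ASCII code point in a name, e.g. 'U+0405 (CYRILLIC CAPITAL LETTER DZE)'."""
    return [f"U+{ord(c):04X} ({unicodedata.name(c, 'unnamed')})" for c in name if ord(c) > 0x7F]


def ascii_fold(name):
    """Map known look-alikes to Latin, strip accents, drop whatever non-ASCII is left."""
    mapped = "".join(CONFUSABLES.get(c, c) for c in name)
    return unicodedata.normalize("NFKD", mapped).encode("ascii", "ignore").decode()


def classify(name):
    """Return None for a harmless name, otherwise a short label for why it deserves a look."""
    if not non_ascii_points(name):
        return None                       # plain ASCII: nothing is being disguised
    if ascii_fold(name).lower() in WATCHLIST:
        return "homoglyph"                # folds to a watchlist name once look-alikes are mapped
    # Fallback for glyphs the table does not know: keep only the ASCII letters, the way an 8.3
    # short name like YSTEM~1 does, and see whether a watchlist name is missing exactly that part.
    residue = "".join(c for c in name if ord(c) <= 0x7F).lower()
    if len(residue) >= 3 and any(w.startswith(residue) or w.endswith(residue) for w in WATCHLIST):
        return "unknown glyph in watchlist name"
    return "non-ASCII name"               # may be legitimate (localised software); review by hand


def find_lookalikes(names):
    """Return one record per directory name that classify() did not clear."""
    hits = []
    for name in names:
        label = classify(name)
        if label:
            hits.append({"name": name, "label": label, "folded": ascii_fold(name),
                         "codepoints": non_ascii_points(name)})
    return hits


if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_DIRS):
        print(f"{hit['label']:32} {hit['name']!r} -> {hit['folded']!r} {hit['codepoints']}")
```

The three labels matter in practice: "homoglyph" and "unknown glyph in watchlist name" are the ones to act on, while "non-ASCII name" is a prompt to look, since localised software legitimately installs folders with accented names.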
  7. kevin123

    kevin123 Private E-2

    I uninstalled Windows Defender.

    Ad-Aware SE Professional is installed. I’ll make sure I don’t use the Ad-watch feature.

    I had followed the directions in step 2 of the READ & RUN ME earlier, and I still don’t see the folder to delete it:

    C:\Program Files\
    YSTEM~1 Oct 5 2006 "?ystem"

    Could it be that the folder was there on Oct 5th, but it’s not there now? However, I did find a different blank folder: C:\Program Files\system and deleted it.

    Everything is working great. Thank you very much!!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Read message number 3 again. That is exactly what I told you it would appear to be named.


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    3. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and enable System Restore to create a new clean Restore Point.
    4. After doing the above, you should work thru the below link:
     
