need help removing nastys

udefender mong others ive already found,but theres somethigs i cant remove im actually clueless as of what to do i get this popup sound when ie is closed.Then it starts playng commercials audio only but i can stop it in processes or if i open ie it opens. also i have had udefender com ing back and and fake windows security windows that link me to other sites of shinatigance.............icould use some help this my first timeactually posting a thread like this usually i figure it out just by reading them,im goin back to do the read me and run me first then brb.

 

Hi jimbo!
Welcome to Major Geeks!

Please follow the instructions in the READ & RUN ME FIRST and attach the requested logs so we can take a look at what's going on in your computer.

Thanks.
abri

 

ok now im screwed when i got to the read me run me first part thats said to change to normal startup somethings happened and easyspycleaner installed and then windows has changed and i cant get to my control panel ive tried system restore and i can getin safe mode to uninstall easyspycleaner but now i cant connect to the internet im using my laptop to post now any advise?

 

thinkmaybe ccleaner caused the change in windows?

 

ok i got back to being the administraator so im conected now and ready to finish the readme

 

im not surehow to attach they avg log but my time is up for now anyways and it seems like no popups but i have errors when i bootup,also i usually dont load so many things on startup,

 

Hi jimbo,

What errors are you getting at bootup?

Please do the following:


1) Disable the guest account if you don't use it and if this has not already been done.

2) Run CCleaner in the default setting with the Windows tab as the one on top.


3) I don't see an antivirus program on your computer. This is not a good idea. Please go to How to Protect Yourself from Malware and download one of the recommended free antivirus programs and install it.

4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BinaPC3] "C:\Program Files\BINA\BINA486.exe"
O4 - HKCU\..\Run: [Kyphs] C:\WINDOWS\?ymbols\w?auboot.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 - Winlogon Notify: winbgg32 - winbgg32.dll (file missing)


Optionally fix the following if you don't need them to load at startup.


O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\kmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized


After you click fix, just close hijackthis.


5) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run
Disable/Remove Windows Messenger



6) Download and install Erunt. Use it to create a backup of your registry.

7) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

8) Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

9) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.


10) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


Let me know how things are running now?

abri

 

thankx il get to work

 

i hope this is the fresh mgtools.zip,man that was hairy but it seems to be better at one point i couldns even do anything because of the amount of errors" c:/windows system32drutew.dll specified modules cant be found " i got all sorts of these constantly and alot of this " userinit.exe=bad image"....and floating point is bad but now thats stopped aslo hope this is fixed but i thought it was earlier ty 4all yer help

 

arrg im still ettin redirected on the web,

 

Hi jimbo142345,
Your computer is by no means okay yet. We haven't gotten it into normal startup mode so the startup items can be fixed, so please be patient and do the steps one at a time.

I would like for you to continue as follows:

1) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [RestartNeroSetup] "E:\Installation\Setupx.exe"
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvtew.dll,startup
O4 - HKCU\..\Run: [Cpue] "C:\PROGRA~1\SCURIT~1\winlogon.exe" -vt yazb
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O21 - SSODL: zip - {cefde85a-bb41-4a59-bffd-7146bcede695} - C:\WINDOWS\Installer\{cefde85a-bb41-4a59-bffd-7146bcede695}\zip.dll
O21 - SSODL: KernelRom - {e44dfa62-8cab-4699-b85f-ab07e5509d8a} - C:\WINDOWS\Installer\{e44dfa62-8cab-4699-b85f-ab07e5509d8a}\KernelRom.dll (file missing)
O21 - SSODL: CDRunOnce - {5c91a1f6-1853-49ab-85e4-5e11375abddc} - C:\WINDOWS\Installer\{5c91a1f6-1853-49ab-85e4-5e11375abddc}\CDRunOnce.dll (file missing)
O21 - SSODL: RomKernel - {a11ba0c3-ef2e-4c58-ae0d-a29bcb043f96} - C:\WINDOWS\Installer\{a11ba0c3-ef2e-4c58-ae0d-a29bcb043f96}\RomKernel.dll (file missing)
O21 - SSODL: DriveMon - {0e7b9761-049b-4d15-b81f-f2cf8ecb38e8} - C:\WINDOWS\Installer\{0e7b9761-049b-4d15-b81f-f2cf8ecb38e8}\DriveMon.dll (file missing)
O21 - SSODL: RunOnceRom - {2eae04dd-941a-4fa2-b37e-a7e42ead941f} - C:\WINDOWS\Installer\{2eae04dd-941a-4fa2-b37e-a7e42ead941f}\RunOnceRom.dll
O21 - SSODL: CDVolume - {909cf538-18c5-4400-9ef4-709a443e7ed2} - C:\WINDOWS\Installer\{909cf538-18c5-4400-9ef4-709a443e7ed2}\CDVolume.dll
O21 - SSODL: MonSrv - {1a06de38-c306-49a6-af96-fa4e3e7fb511} - C:\WINDOWS\Installer\{1a06de38-c306-49a6-af96-fa4e3e7fb511}\MonSrv.dll
O21 - SSODL: UnknownCD - {ff50af7f-3db4-4545-ac01-967b6f5c6eb8} - C:\WINDOWS\Installer\{ff50af7f-3db4-4545-ac01-967b6f5c6eb8}\UnknownCD.dll

Do the following belong to programs you know or want to keep? If not, please fix them as well.

O4 - Startup: GameSpot Download Manager.lnk = C:\Program Files\GameSpot\GameSpotDownloadManager_Win32.exe

After you click fix, just close hijackthis.


2) Use Erunt to create a backup of your registry.

3) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

3) Rerun Avenger as in step 8 of post number 7 only this time use the contents of this box:

4) Then please refrun ATF Cleaner as in step 9 of post number 7.

5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


Let me know how things are running now?

abri

 

boc 425:boc425.exe.- bad image.........../system 32/wowfx.dll is not valid wondows..............how should i treat this?

 

boc425 is comodo, part of your firewall.

C:\WINDOWS\system32\wowfx.dll can be deleted in the Files to delete section of Avenger. I might have missed it. See if it will delete despite any warnings.

 

i didnt startup comodo firewall and tried avenger twice,also atf cleaner wont seem to work either, and occasonally theres an error that says invalid floating point and the task bar dissappears til i rstart but this may be already fixed ill try again tommorrow ty 4 helpin

 

not sure if im loading the wrong log for avenger.avenger.txt?

 

Hi jimbo,
When you download Avenger to your desktop, you need to then extract the files. You can't run it from inside of the zip file. Did you do that?

When you ran the registry patches in post 11 and post 7, did you get success messages?

You already ran Avenger properly in post 7. Are you doing something different this time? Did you get a log (Avenger.txt), even one that says it didn't run this time? It would be helpful to see if it ran and if it didn't, to see any error messages it's generating.

Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip.


abri

 

avenrge.txt

 

couldnt get it to upload butheres what it says....................................Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\jvmpkubv

*******************

Script file located at: \??\C:\Program Files\kkqsqtat.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\tempdel.bat not found!
Deletion of file C:\tempdel.bat failed!

Could not process line:
C:\tempdel.bat
Status: 0xc0000034



File C:\Program Files\tmp198093.exe not found!
Deletion of file C:\Program Files\tmp198093.exe failed!

Could not process line:
C:\Program Files\tmp198093.exe
Status: 0xc0000034



File C:\Program Files\tmp198015.exe not found!
Deletion of file C:\Program Files\tmp198015.exe failed!

Could not process line:
C:\Program Files\tmp198015.exe
Status: 0xc0000034



File C:\Program Files\tmp198062.exe not found!
Deletion of file C:\Program Files\tmp198062.exe failed!

Could not process line:
C:\Program Files\tmp198062.exe
Status: 0xc0000034



File C:\Program Files\tmp198484.exe not found!
Deletion of file C:\Program Files\tmp198484.exe failed!

Could not process line:
C:\Program Files\tmp198484.exe
Status: 0xc0000034



File C:\Program Files\tmp206765.exe not found!
Deletion of file C:\Program Files\tmp206765.exe failed!

Could not process line:
C:\Program Files\tmp206765.exe
Status: 0xc0000034



File C:\Program Files\tmp211656.exe not found!
Deletion of file C:\Program Files\tmp211656.exe failed!

Could not process line:
C:\Program Files\tmp211656.exe
Status: 0xc0000034



File C:\Program Files\tmp213843.exe not found!
Deletion of file C:\Program Files\tmp213843.exe failed!

Could not process line:
C:\Program Files\tmp213843.exe
Status: 0xc0000034



File C:\Program Files\tmp361765.exe not found!
Deletion of file C:\Program Files\tmp361765.exe failed!

Could not process line:
C:\Program Files\tmp361765.exe
Status: 0xc0000034



File C:\Program Files\tmp8924859.exe not found!
Deletion of file C:\Program Files\tmp8924859.exe failed!

Could not process line:
C:\Program Files\tmp8924859.exe
Status: 0xc0000034



File C:\Program Files\tmp9071468.exe not found!
Deletion of file C:\Program Files\tmp9071468.exe failed!

Could not process line:
C:\Program Files\tmp9071468.exe
Status: 0xc0000034



File C:\Program Files\ucleaner_setup.exe not found!
Deletion of file C:\Program Files\ucleaner_setup.exe failed!

Could not process line:
C:\Program Files\ucleaner_setup.exe
Status: 0xc0000034



File C:\Program Files\xloader30029.exe not found!
Deletion of file C:\Program Files\xloader30029.exe failed!

Could not process line:
C:\Program Files\xloader30029.exe
Status: 0xc0000034

File C:\WINDOWS\system32\wowfx.dll deleted successfully.


Folder C:\327882R2FWJFW not found!
Deletion of folder C:\327882R2FWJFW failed!

Could not process line:
C:\327882R2FWJFW
Status: 0xc0000034



Folder C:\Program Files\SysCleaner not found!
Deletion of folder C:\Program Files\SysCleaner failed!

Could not process line:
C:\Program Files\SysCleaner
Status: 0xc0000034



Folder C:\Program Files\SystemDefender not found!
Deletion of folder C:\Program Files\SystemDefender failed!

Could not process line:
C:\Program Files\SystemDefender
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

 

i think this is the right mgtools log, idk hot to get mgtools to make a fresh .zip file? butit made this log

 

Hi jimbo!

Avenger ran correctly. Thanks.

To get the MGlogs.zip, please do the following:

Go to the MGTools folder under C:
The pathway is this: C:\MGTools

Open the folder and look for the file called GetLogs.bat. It'll be over on the right side of Windows Explorer. Double click on it and allow it to run. When it's finished, it'll say something like click any key to close this window and produce a log.

After it runs, go back to C:
Click on C: in Windows Explorer and look over on the right side towards the bottom for the superman icon. Just above the superman icon, you'll see the MGlogs.zip file. This is what I want you to upload as an attachment.

Thanks.
abri

 

thanks i stayed up pretty late so i lost some bandwith in my brain,this should be right file

 

is there a less annoying firewall comodo drives me nutz,and i had avg when i got all this stuff i had uninstalled alot b4 i sstarted read me,is ive had avast also and i wouldnt update,what do you recomend?

 

sorry i thought i uploaded the zip now i see theres an error managing the attachments and itsays mgtools.zip has already been added to post 7. im tryin again

 

heres the new one

 

Hi jimbo,
Comodo is fairly complex. Zone Alarm is a bit easier to use. If you want to uninstall Comodo and install Zone Alarm, you can get it at the thread called How to Protect Yourself from Malware

Let me know how you like Zone Alarm.
abri

 

Hi jimbo,
Please do the following:

1) Please clean up this: C:\Documents and Settings\Owner\Desktop\ by doing the following. You can delete anything that has the word setup in the file name. Those are installation files and if you've already installed the program, you don't need the installation programs anymore. Anywhere you have a file ending with .exe.part you can delete those. You can delete the hijackthis programs, because hijackthis is incorporated into the MGTools in the MGTools folder under C:\ It's called analyse.exe. If you run it from the desktop it gives you faulty readings, so if you want an accurate hijackthis you can run it from the MGTools folder by double clicking on analyse.exe. You don't need to have both Spybot and Spybot.lnk. Just keep the Spybotsd152(2).exe and get rid of the other two.

For your future downloads, set your browser options to allow you to decide where downloaded files will be downloaded to. Make a folder somewhere on your computer, but not anywhere temporary, where you can have things downloaded to. For instance, you could make a folder under Program Files and name it Downloads or Downloaded Program Files or something like this.

2) If you do not know what the following files belong to, please upload them with your next post.

C:\Program Files\balrwbec.txt
C:\Documents and Settings\vcvmbnuc.txt

3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\kmd.exe /c C:\ComboFix\Combobatch.bat
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

Does the following belong to programs you know or want to keep? If not, please fix it as well.

O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab

After you click fix, just close hijackthis.

4) Now please do the following:

• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

5) Now run CCleaner at the default setting with the Windows tab as the one on top.


6) And finally run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


Let me know how things are running now?

abri

 

running great, seems to be no sign of malware, shows my processes is 47 is that too many,its usually lower but then again om not usually in normal startup because of this.is this making my pc slower with more processes?
also i didnt reallylke the toolbar style of zonealarm so im usin sunbelt software. avg keeps saying its finding virus after virus all seems well thanks alot

 

ok i tried to make all my downloads go to c;program files/downloadedfiles but firefox keeps putting them inc:\documents and settings\temp

 

Right, you have to change this in Firefox itself. Open up Firefox and then go up to the top and click on Tools / Options / Main and on that first tab called Main you'll see a section called Downloads. There you have some options as to how to deal with downloads, like showing the download progress in the downloads window. Like turning off this progress window when it's done. Like always downloading things to such and such a folder (you can manually enter this). Or like always ask you where to download something when you download it. Figure out what you want there and check the appropriate boxes and then click on ok.

In post 18 step 2 I asked you to upload those two files. Will you see if you can find them and upload them with your next post as attachments?

Also, I need for you to attach the Avenger log.

Thanks.
abri

 

Hi jimbo,
After you finish the previous post, please continue with this:

• Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
• On the page that opens, scroll down to BOCore - COMODO
• then right click the entry, select Properties and press Stop Service.
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.

• Now Click OK until you get back to Windows.
• Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
• At the lower right, click on the Config button
• Then click the Misc tools button
• Select Delete an NT Service
• Copy/paste BOCore - COMODOinto the box that opens, and press OK
• If you receive any error messages just ignore them and continue.

Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

[FONT=&quot]Now scan with (this is analyse.exe in the MGTools folder under C) and check the boxes for the following entries[/FONT][FONT=&quot]:[/FONT]
[FONT=&quot]( Make sure ALL browser windows are closed when you click FIX )[/FONT]

O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe

After you click fix, just close hijackthis.

Finally, please run CCleaner at the default setting with the windows tab as the one on top. You have a lot of temp files that need getting rid of. You need to use CCleaner often for awhile, like before you shut down your computer.

Are you having any further signs of malware? I'll go ahead and post you the final clean-up instructions:

abri

 

i think the two files were the registry commands from the registry changes we made i looked in them then deleted them,heres my avenger log

 

Thanks Jimbo,
That looks good. Let me know how your final cleanup goes.
abri

 

Hi Jimbo,
If you plan to uninstall AVG Antispyware after their trial version is over, please reinstall BOClean so you will have real time protection against spyware.
Thanks.
abri

 

great thanks so much! i still dont know what heppened but im sure glad you helped me fix it.any idea howi got this mess? anywho thanx!

 

Hi jimbo,
Read the article I refer to in post 30 called How to Protect Yourself from Malware Safe surfing involves a combination of preventative measures as well as some luck and an eye for bad websites. Malware makers set traps and it's not possible to stay clear of every trap, but you can avoid most of them over 95% of the time if you follow the instructions in that article. Doing regular scans helps and being careful with risk programs like chat clients, peer to peer, file sharing, e-mail attachments. There's no one who wants to quit using these, but some ways of using them are safer than others. Use CCleaner regularly. It doesn't hurt to run it everytime you get off the internet. Use System Restore if something downloads onto your computer that you know you didn't want. Don't open e-mails that are forwards. Things like this.

Good luck and if you have time, take a look at the other forums here. There's a lot of useful information.
abri

 

hey abri , ive uninstalled firefox because i couldnt get rid of tooseeka but then iaccidently removed google from firefox so i want to reinstall it but whenever irun setup.exe it sayserror while writing disk, please run checkdisk utllilty.....think you can help me?

 

Hi jimbo,
Try going back one restore point and see if that helps. To do that click on Start / All Programs / Accessories / System Tools / System Restore and click on Restore my computer to an earlier time. Select the highlighted date just prior to when you uninstalled Firefox. Tell me if this got Google and Firefox back. It might be easier to get rid of tooseeka another way.
abri

 

hey thanks abri eventually my pc ran chkdsk on its own and friefox was there but im still stuck without plain google as a search i am currently using glite instead cuz i dont knoew how to get it back in there....appreciate your help

 

Hi Jimbo,
What exactly disappeared? Was it your toolbar? The search window for Google? The little window up in the corner of Firefox? I'm not sure which problem occured?
abri

 

hello again abri its been a while so i wonder if you will get this idk how it wworks , but i have a question about my usb ports ok here it goes i have emachine with two front ports that wont work and i think two rear that have been workin but wont anymore, i failed tryn to repair them myself if you can help it would be very cool thanks