Need help with malware removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by jjlincoln, May 26, 2008.

  1. jjlincoln

    jjlincoln Private E-2

    Hello,
    I am new to this website, but so far it seems like you all have been a big help to people who need your expertise. Well I need it too! :)

    A few days ago I logged on to my computer at home and some spyware blocker popups started coming up on the screen. There was a balloon in my taskbar that said my Automatic Updates were turned off, and I couldn't get them turned back on. I already had Ad-Aware 2007 and Spybot installed on my machine so I ran them. One big thing I noticed was a trojan called Vitrumonde came up. I got rid of it using Spybot, but it still came up after rebooting. Long story short, I ran through your readme program last night, and it looks like the Automatic Update problem is fixed, but when I first log on, I get an error message that says "Error loading C:\WINDOWS\System32\tdxstmim.dll, Access is denied." I think there is still something fishy going on here!

    Also, I was not able to run the Malwarebytes program. When I tried to install after downloading the .exe file, I got a message "Error loading database. Line #15054.."

    I will try to attach the other logs you request below. Big thanks in advance to any help you can give me!
     

  2. abri

    abri MajorGeek

    Hi jjlincoln,
    Welcome to Major Geeks!


    You have a couple of different infections which require different steps to fix them. I will give you a first set of instructions here and after you complete them and return the logs, I'll give you instructions for the other infection.


    1) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    2) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: (no name) - {3E74A402-C165-49D0-A8AE-696FD421651C} - (no file)
    O2 - BHO: (no name) - {45AE8B55-5EDF-4943-BE08-87F047A24C27} - (no file)
    O2 - BHO: (no name) - {A2217123-90E9-4EFC-9B3A-C393039CF684} - (no file)
    O2 - BHO: (no name) - {EB8E7CBB-EFA1-43E5-AB4C-FB16F3A30116} - (no file)
    O3 - Toolbar: (no name) - {AE7C2D7A-58B4-4DDD-904F-E089A9514E0F} - (no file)
    O4 - HKLM\..\Run: [dc14aae1] rundll32.exe "C:\WINDOWS\system32\tdxstmim.dll",b
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

    Do the following belong to programs you know or want to keep? If not, please fix them as well.

    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} (Enlite 2.x Simulation Engine Installer) - http://myitlab.pearsoned.com/Pegasus/Modules/SIMIntegration/Resources/ax/stub.cab


    After you click fix, just close hijackthis.


    3) Now we need to use ComboFix to remove some malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    FILE::
    C:\WINDOWS\system32\tdxstmim.dll
    C:\WINDOWS\elsq.exe
    C:\WINDOWS\system32\bak\ctfmon.exe
    C:\Program Files\iTunes\bak\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe
    
    FOLDER::
    C:\Program Files\Enigma Software Group
    
    DIRLOOK::
    C:\WINDOWS\system32\bak
    C:\WINDOWS\system32\824223
    
    REGISTRY::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3E74A402-C165-49D0-A8AE-696FD421651C}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{45AE8B55-5EDF-4943-BE08-87F047A24C27}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A2217123-90E9-4EFC-9B3A-C393039CF684}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EB8E7CBB-EFA1-43E5-AB4C-FB16F3A30116}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "dc14aae1"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    4) Now run CCleaner at the default setting with the Windows tab as the top one.

    5) Download and run FindAWF by noahdfear.
    • Please download FindAWF by noahdfear.
    • Save to your desktop.
    • Double-click the FindAWF icon.
      • If a Security Alert shows, allow the program to run.
    • As instructed, press any key to continue.
    • Use the following option: Press 1 then Enter to scan for bak folders
    • The scan may take a while, please be patient.
    • When done, a text file, Find AWF report is produced.
    • Please attach the Find AWF report in your next post.
    Uninstall the below old versions of software:


    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log and the AWF report.


    Let me know how things are running now?

    abri
     
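    A read-only way to confirm, after the steps above, that the persistence entries and files named in this post are actually gone. This is an added example written for this thread, not a MajorGeeks tool or part of abri's instructions; it assumes a default Windows layout (%WINDIR% and %ProgramFiles%) and only reports, never deletes.

```powershell
# Added example (not from the thread): read-only check for the indicators abri listed.
# Nothing is removed; each finding is printed so the log can be compared with HijackThis.
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$bhoBase = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$bhoIds  = '{3E74A402-C165-49D0-A8AE-696FD421651C}', '{45AE8B55-5EDF-4943-BE08-87F047A24C27}',
           '{A2217123-90E9-4EFC-9B3A-C393039CF684}', '{EB8E7CBB-EFA1-43E5-AB4C-FB16F3A30116}'
$paths   = "$env:WINDIR\system32\tdxstmim.dll", "$env:WINDIR\elsq.exe",
           "$env:WINDIR\system32\bak", "$env:WINDIR\system32\824223",
           "$env:ProgramFiles\Enigma Software Group"

$findings = @()

# 1. The rundll32 Run value that loaded tdxstmim.dll at logon
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    if ($run.PSObject.Properties['dc14aae1']) {
        $findings += "Run value dc14aae1 still present: $($run.dc14aae1)"
    }
    # Any other Run value that starts a DLL through rundll32 deserves a second look
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'rundll32.*\.dll') {
            $findings += "rundll32 autostart: $($p.Name) = $($p.Value)"
        }
    }
}

# 2. BHO CLSIDs that HijackThis reported as '(no file)'
foreach ($id in $bhoIds) {
    if (Test-Path (Join-Path $bhoBase $id)) { $findings += "BHO key still registered: $id" }
}

# 3. Files and folders targeted by the CFscript
foreach ($p in $paths) {
    if (Test-Path $p) {
        $item = Get-Item $p -Force
        $findings += "Still on disk: $p (modified $($item.LastWriteTime))"
    }
}

if ($findings.Count -eq 0) { 'No listed indicators found.' } else { $findings }
```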
  3. jjlincoln

    jjlincoln Private E-2

    Abri,

    First, thanks a lot for helping me. I really appreciate it!

    Ok, I ran through the instructions you gave me. While running ComboFix, I got the report, but an error message popped up while it was creating the report. It said "Windows - No Disk, Exception Processing Message c0000013 Parameters 75b6bf9c 75b6bf9c 75b6bf9c" It had Cancel, Try Again, and Continue buttons. None seemed to do anything until I hit continue a few times and it went away. Not sure what it meant.

    I've attached the reports you requested below. I rebooted my computer and did not get the "Error loading C:\WINDOWS\System32\tdxstmim.dll, Access is denied" message this time. So maybe everything is taken care of? I guess I'd like to know how to be sure. You mentioned something about another set of instructions?

    Thanks again for your help!
     

  4. abri

    abri MajorGeek

    Hi jjlincoln,
    Thanks for being patient. You have another infection, which is what the FindAWF scan was for. What this infection does is to make a backup copy of an important program file in some of your programs and put them in a folder called BAK for each program. The virus then either deletes the original file or it replaces the file with one of its own. On your computer, this infection appears to be from January, so the results of the scan don't show clearly whether the original good files have been deleted, or if they have been replaced in the meantime by either good files (by some software that attempted to fix them) or bad files (by the virus). Or not replaced at all. Since it involves a number of your programs, I will need your help to find the best way to resolve this problem. To begin with, do you use all of the following? Are there any of these where we can simply remove the program via add/remove programs?


    After you've decided if any of them can be removed via add/remove programs, I would like for you to do the following. I want you to look for the specific files in Windows Explorer in the list I've made for you below. Find the file, right click on it and select properties and in the appropriate properties tab, find the size of the file and if possible any dates (except today's date). You can find the files by doing a search of your C:\ drive. There should be one in a BAK folder. However, the one I'm interested in is the one that is NOT in the BAK folder. I need to know the file size, the file pathway, and the date of the file. If there's NO file, I need to know this too!

    for Adobe Photoshop Elements 4.0 look for apdproxy.exe
    for HP KBD look for KBD.EXE
    for HP Boot Optimizer look for HPBootOp.exe
    for HP Digital Imaging look for hphupd08.exe
    for HP Software Update look for HPwuSchd2.exe
    for HP DigitalMedia Archive look for DMAScheduler.exe
    for Lexmark 6200 Series look for ezprint.exe
    for Lexmark 6200 Series look for lxbumon.exe
    for QuickTime look for qttask.exe
    for RECGUARD look for RECGUARD.EXE
    for ehome look for ehtray.exe

    Thanks.
    abri
     
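    The manual search abri asks for in this post (find every "bak" folder, then check whether the original file still exists outside it and how it compares) can be done in one pass. This is an added example for the thread, not FindAWF or any MajorGeeks tool; it assumes the program roots listed in `$roots` and compares size, modification date and a SHA-256 hash of each bak copy against the file of the same name in the parent folder.

```powershell
# Added example (not from the thread): audit 'bak' folders the way FindAWF's report is read.
# For each file inside a bak folder, report whether the parent folder still has an original
# and whether the two copies are byte-identical. Read-only: nothing is moved or deleted.
$roots = "$env:ProgramFiles", "$env:WINDIR\system32", "$env:WINDIR\ehome"

function Get-Sha256 ([string]$Path) {
    # .NET hashing so this also works on PowerShell versions without Get-FileHash
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

# Every directory literally named 'bak' (case-insensitive) under the chosen roots
$bakDirs = foreach ($r in $roots) {
    if (Test-Path $r) {
        Get-ChildItem -Path $r -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and $_.Name -ieq 'bak' }
    }
}

foreach ($dir in $bakDirs) {
    $files = Get-ChildItem -Path $dir.FullName -Force -ErrorAction SilentlyContinue |
             Where-Object { -not $_.PSIsContainer }
    if (-not $files) { "$($dir.FullName): EMPTY bak folder"; continue }
    foreach ($f in $files) {
        $orig = Join-Path $dir.Parent.FullName $f.Name
        if (-not (Test-Path $orig)) {
            # The infection deleted or never restored the original: only the backup remains
            "$($f.FullName): original MISSING from $($dir.Parent.FullName)"
        } else {
            $o    = Get-Item $orig -Force
            $same = (Get-Sha256 $f.FullName) -eq (Get-Sha256 $orig)
            '{0}: original present, {1} vs {2} bytes, modified {3} vs {4}, identical={5}' -f `
                $f.FullName, $f.Length, $o.Length, $f.LastWriteTime, $o.LastWriteTime, $same
        }
    }
}
```

    A bak copy with no original, or an original that differs from its backup, is the case the thread goes on to resolve by hand; identical pairs only need the bak folder removed.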
  5. jjlincoln

    jjlincoln Private E-2

    Hey abri,

    Regarding the programs you listed:

    My wife uses Adobe Photoshop on a somewhat regular basis, but we could always uninstall the program until our computer is clean, then reinstall later. Would that work?

    We have an HP Media Center computer, so I'm not sure how many of those HP programs you listed are actually needed. As far as we know, we don't use any of them directly.

    The Lexmark 6200 Series is our printer, but we don't have a fax machine hooked up to it, so I think the Fax Solutions could go.

    We don't use Quicktime at all, so I think it could go. It was just installed as part of iTunes when we got an iPod a while back.

    I'm not sure what the last three programs are for sure, but a quick google search tells me that ctfmon is a part of Microsoft Office (which we use), is very annoying, is not needed, and is hard to get rid of. Any help with that? :)

    Another quick search and it sounds like eHome has something to do with the "Media Center". Not sure what it is, if I should leave it alone, or if I should get rid of it. Can we leave it and just try to fix it instead?

    Ok, last one: it looks like "recguard.exe is a process from HP that prevents a user from deleting or corrupting the WinXP Recovery Partition on Hewlett Packard computers." Another one where I'm not sure I know exactly what that means, but I don't think I should delete it.

    Ok, hope that helps some. Let me know your thoughts. I will be at work today until probably about 5:00 pm (CT), but I will try to duck out earlier. Let me know if you think I should just get rid of any of these programs instead of searching for the files you requested. When I get home I'll begin searching for the others.

    Thanks a lot for your help, abri. I appreciate it!
     
  6. abri

    abri MajorGeek

    Hi jjlincoln,
    I think it would be easiest just for you to do a search of each file and see if there's one in existence which is not in the BAK folder. Then tell me whatever info you can with regard to file size, location and date. This will allow me to compare the files with those found in the scan you did. It would help to know if there are any outside of the BAK folders.
    Thanks.
    abri
     
  7. jjlincoln

    jjlincoln Private E-2

    Abri,

    I did the search like you asked, and here is what I came up with:

    For ehome-

    C:\WINDOWS\$NtUninstallKB908246$\ehtray.exe, 63 KB
    Created 2006-05-25, 16:18
    Modified 2005-08-05, 22:56
    Accessed 2008-05-28, 17:23

    C:\WINDOWS\ehome\ehtray.exe, 63 KB
    Created 2004-08-10, 05:04
    Modified 2005-08-05, 22:56
    Accessed 2008-05-28, 17:26

    C:\WINDOWS\system32\dllcache\ehtray.exe, 63 KB
    Created 2004-08-10, 05:04
    Modified 2005-08-05, 22:56
    Accessed 2008-05-28, 17:30

    C:\CMPNENTS\MEDIACTR\I386\MEDIACTR.CAB\ehtray.exe, 58 KB
    Date 2004-08-10, 05:04
    (this was in a cabinet file and would not let me right-click on properties)

    C:\WINDOWS\Prefetch\EHTRAY.EXE-02EFC9BD.pf, 16.5 KB
    Created 2008-05-28, 16:39
    Modified 2008-05-28, 16:39
    Accessed 2008-05-28, 16:39
    (yes all three dates were the same-today)

    For HP Software Update-

    C:\hp\drivers\hpsu\Data1.cab\hpwuSchd2.exe.78B68ED8_D060_4142_9155_38AF01244550, 48 KB
    Date 2005-02-16, 23:11
    (this was also in a cabinet file and would not let me right-click on properties)

    Everything else you had me search for was located only in the BAK folders. Let me know if you want file sizes and dates from those.

    Thanks for your help!
     
  8. abri

    abri MajorGeek

    Hi jjlincoln,
    I'll be gone for a few days. I think since your programs are functioning (or not being used), that it can wait till I get back.
    Thanks for getting the info for me and for being patient!
    abri
     
  9. jjlincoln

    jjlincoln Private E-2

    Abri,

    Is there any chance you can help me get this finished up soon?

    Thanks.
     
  10. abri

    abri MajorGeek

    Hi jjlincoln,

    Sorry, I really did forget you! The files you have are mostly valid, but however the infection got cleaned up originally, it left the valid files in the wrong places. Also, it left some empty BAK folders, so I'm simply going to ask you to delete the empty folders and for those that aren't empty, to copy the valid folder to its correct location and then delete the BAK folder. If you have any questions while you're working on it, just ask.

    Please do the following:

    Begin by deleting these empty BAK folders: (only the BAK folders!!) To delete them, open Windows Explorer. Navigate to each of the following locations (Symantec, iTunes, System32 and EHome). One at a time, in each of the following directories select the folder called BAK, right click on it and select delete.
    Next I'm going to have you copy some files out of their respective BAK folder into the original program folder. Then you'll delete the BAK folder.
    When you finish the above, please run combofix again. Any remaining files should be in Combofix's quarantine which we'll delete in the final cleanup instructions. Be sure to attach the combofix log with your next post.

    Let me know how this goes!

    abri
     
  11. jjlincoln

    jjlincoln Private E-2

    Hey Abri,

    I copied/deleted all the files you told me to with one exception. When I opened C:\WINDOWS\EHome\BAK, there was a file in it called etray.exe even though you thought it should be empty. I just left it alone, and I'll let you tell me if I should delete it or not. :)

    I ran ComboFix and have attached the log below. FYI - when I ran ComboFix, I got the same error message I got last time:

    "Windows - No Disk, Exception Processing Message c0000013 Parameters 75b6bf9c 75b6bf9c 75b6bf9c"

    I hit the Try Again and Continue buttons a bunch of times and finally it continued.

    Let me know what you think.

    Thanks for your help!
     

  12. abri

    abri MajorGeek

    Hi jjlincoln,

    For that last one, rename the file C:\WINDOWS\ehome\bak\ehtray.exe to ehtray.exe.old and move it from the bak folder into the ehome folder. Then delete the empty bak folder under ehome. It's probable that both the files you have are valid ones, but in case they're not, you'll still have that one if you need it.

    Then I would like for you to go ahead with the final cleanup instructions:
    abri
     
