numerous problems following the malware "sticky" steps

Discussion in 'Malware Help (A Specialist Will Reply)' started by welshTerrier2, Aug 31, 2006.

  1. welshTerrier2

    welshTerrier2 Private E-2

    Hi ...

    I've been able to run most but not all of the steps outlined in the malware "sticky" ... my computer is much more stable now but i'm still getting signs (like browser popups and Ad-Aware "critical objects") of problems ...

    i'm attaching a HiJackThis log

    here's some additional information:
    i'm running Windows XP Pro SP1

    i downloaded the MGTools for Windows XP Pro but couldn't get them to run.

    from Safe Mode:
    i ran CCleaner
    i ran Microsoft Windows Malicious Software Removal Tool
    i ran Spybot
    i ran Counterspy (couldn't see the Take Action button and reran in Normal Mode)
    could not get Bitdefender to run

    i hope i've provided enough information to get started ...
    any help you could provide would be greatly appreciated ...
     

    Attached Files:

  2. welshTerrier2

    welshTerrier2 Private E-2

    i'm adding an attachment of the log from CounterSpy to provide additional information ... the log seems to capture most of the malware problems i'm having ... i quarantined all the files listed in the log but i'm still having problems with them ...
     

    Attached Files:

  3. matt.chugg

    matt.chugg MajorGeek

    Did you manage to run any of the online scans?

    Where are the ShowNew and RunKeys logs? You should have no problem obtaining either of these.
     
  4. welshTerrier2

    welshTerrier2 Private E-2

    hi Matt ...

    i'm going to start the whole process over again ... i actually was not able to download the GetRunKey.zip and ShowNew.zip files when i began working through the script yesterday ... i got an error that said something about not having permission to download these files ...

    the good news is that i was just able to download them and run them ... i've attached the log files for both scripts to this reply ...

    I also got an error yesterday when i tried to run the online Bitdefender script ...

    Thanks very much for your help with this ... it really is appreciated ...

    - welshTerrier2
     

    Attached Files:

  5. matt.chugg

    matt.chugg MajorGeek

    As you can see from below, you are infected with a lot of different things. I really need you to run an online scan. What AV program are you running? Even the worst AV program should have picked up some of these.


    Download:

    - Pocket KillBox

    Extract to its own folder somewhere that you will be able to locate later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)



    Run HijackThis. Click the 'Do a system scan only' button.

    Click 'Config'

    Click 'Misc Tools'

    Click 'Open Process Manager'

    Select each of the processes listed below and terminate them one by one by clicking 'Kill Process'


    Click 'Back' to return to the scan results.

    Place a checkmark in the box next to the following lines:

    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.





    Now boot into SAFE MODE

    Open Windows Explorer, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)


    If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.


    REBOOT to Normal Mode.

    Post a fresh HijackThis log, fresh newfiles log, new runkeys log and try running one of the online scanners.
     
    Last edited: Sep 1, 2006
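Killbox's "Delete on Reboot" option, and the PendingFileRenameOperations prompt the helper asks to be told about, both rest on one registry value: a REG_MULTI_SZ of source/destination path pairs under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, where an empty destination means "delete at next boot". The decoder below is an added example, not code from the thread or from Pocket Killbox; the value bytes are constructed to mirror that layout (the `newfile.tmp` / `target.dll` names are placeholders), and a live value would be read with winreg on the affected machine.

```python
"""Decode a PendingFileRenameOperations value (constructed sample, not live data)."""


def encode_multi_sz(strings):
    """Build REG_MULTI_SZ bytes: UTF-16LE, a NUL after every string, one extra NUL ending the list."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"


# Constructed sample: one delete-on-reboot entry (empty destination) for the DLL
# named in this thread, and one replace-on-reboot entry ('!' prefix on the destination).
SAMPLE_VALUE = encode_multi_sz([
    "\\??\\C:\\WINDOWS\\system32\\yzujbmo.dll", "",
    "\\??\\C:\\WINDOWS\\Temp\\newfile.tmp", "!\\??\\C:\\WINDOWS\\system32\\target.dll",
])


def decode_multi_sz(raw):
    """Split a well-formed REG_MULTI_SZ into its strings, keeping empty strings (they matter here)."""
    text = raw.decode("utf-16-le")
    if text.endswith("\x00"):          # drop the list terminator only
        text = text[:-1]
    parts = text.split("\x00")         # every string still carries its own NUL
    return parts[:-1] if parts and parts[-1] == "" else parts


def strip_nt_prefix(path):
    """Turn the NT-style \\??\\C:\\... form into the Win32 path a user recognises."""
    return path[4:] if path.startswith("\\??\\") else path


def pending_operations(raw):
    """Return (action, source, destination) tuples queued for the next boot."""
    items = decode_multi_sz(raw)
    if len(items) % 2:
        raise ValueError("odd number of strings: value is corrupt or truncated")
    ops = []
    for src, dst in zip(items[::2], items[1::2]):
        if dst == "":
            ops.append(("delete", strip_nt_prefix(src), None))
        else:
            action = "replace" if dst.startswith("!") else "rename"
            ops.append((action, strip_nt_prefix(src), strip_nt_prefix(dst.lstrip("!"))))
    return ops


if __name__ == "__main__":
    for op in pending_operations(SAMPLE_VALUE):
        print(op)
```

Seeing a "pending operations" prompt means entries were already queued before Killbox ran; decoding them shows what else is scheduled to be removed or swapped at reboot.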
  6. welshTerrier2

    welshTerrier2 Private E-2

    OK ... I've run all scripts as you instructed with no errors or problems ... just for the record, i didn't find any of the files listed in Windows Explorer so i didn't need to manually delete anything ...

    Attached, find my new HiJackThis log as well as the logs for GetRunKeys and ShowNew ... i haven't noticed any of the previous problem behavior since running the scripts HOWEVER i did notice what appears to be a couple of bad registry keys in the new HiJackThis log such as:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=

    I'll await further instructions before proceeding ...

    I'll also try to run the bitDefender online scan but have not been able to get it to run thus far ...

    thanks again for your help ...
     

    Attached Files:

  7. matt.chugg

    matt.chugg MajorGeek

    Did you try ActiveScan?

    Try the Kaspersky online scan

    http://www.kaspersky.com/virusscanner

    One of those was in my original fix, must have missed the other.

    Select them both and fix. Then redo the scan and see if they return.

    I will wait and see if you can run either the Panda scan or Kaspersky scan.

    WHY AREN'T YOU RUNNING SERVICE PACK 2? Without it your operating system is incredibly out-dated and vulnerable to loads of nastiness. Once we are finished here you need to sort this out.
     
  8. welshTerrier2

    welshTerrier2 Private E-2

    Hi Matt ...

    I had to set my Browser Security level down to Medium to enable the Kaspersky scripts to run ... That was probably what was blocking the bitDefender scripts as well ...

    I've attached new logs for Kaspersky and HiJackThis ...

    Kaspersky found the following Trojan in my Hosts backup file but didn't seem to try to repair it:

    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20060831-103751.backup Infected: Trojan.Win32.Qhost.hl skipped

    In the HiJackThis log, I noticed the following two lines that might be a problem ... should I delete these items?

    R3 - URLSearchHook: (no name) - {D399FA1E-3BD4-600F-A4A9-641331D36CB0} - C:\WINDOWS\System32\hbuwaq.dll

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    I'll await your next update ... thanks, Matt ...
     

    Attached Files:

  9. matt.chugg

    matt.chugg MajorGeek

    Those 2 lines were not in your first HJT log, possibly some other malware was hiding them and we can see them now from something we've fixed.

    Go to Add/Remove programs from Control Panel and uninstall the following.

    Java 2 Runtime Environment, SE v1.4.2_03
    MediaTickets by OIN <------ MALWARE

    Please run all the steps in this thread: Look2Me VX2 Removal


    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:

    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe.

    Select:
    • Delete on Reboot
    • "Unregister DLL" (If available)
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.




    Now boot into SAFE MODE

    Open Windows Explorer, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)



    REBOOT to Normal Mode.


    Post a fresh HijackThis log, post a fresh ShowNew log, post the log from the look2me procedure.

    i'd also like to see the contents of: C:\WINDOWS\SYSTEM32\DRIVERS\ETC

    Go to Start --> Run and type in CMD

    in the resulting Command Prompt Window type the following and press enter

    dir C:\WINDOWS\SYSTEM32\DRIVERS\ETC > c:\listofhosts.txt

    attach the file created in the root of C: (c:\listofhosts.txt)
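The Kaspersky hit in the previous post was on a backup of the hosts file, and the directory listing requested here is the first step in looking at it. Qhost-family hijacks work by adding hosts entries that send security-vendor or search sites to an address the attacker controls, so the defensive check is to flag any name mapped to something other than a loopback or null address. The script below is an added example, not from the thread; its sample hosts file is constructed and uses documentation-range addresses.

```python
"""Triage a Windows hosts file for redirect-style hijacks (constructed sample data)."""
import ipaddress
from collections import Counter

# Constructed sample resembling a tampered XP hosts file; the .test names and the
# 203.0.113.0/24 address are reserved for documentation and resolve to nothing real.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
0.0.0.0         ads.example-tracker.test     # blocklist-style null route, benign
203.0.113.7     www.example-av-vendor.test
203.0.113.7     update.example-av-vendor.test
203.0.113.7     www.example-search.test  example-search.test
this is not a valid line
"""

# Targets that never amount to a redirect: loopback, and the null route used by ad blockers.
LOCAL_TARGETS = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("::1"),
    ipaddress.ip_address("0.0.0.0"),
}


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blanks and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                      # first token is not an address: ignore the line
        for name in parts[1:]:            # one address may carry several names
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(entries):
    """Entries whose target is neither loopback nor the null address."""
    return [(str(ip), name) for ip, name in entries if ip not in LOCAL_TARGETS]


def redirect_targets(entries):
    """Count names per non-local address; one address absorbing many names is the classic hijack shape."""
    return Counter(str(ip) for ip, _ in entries if ip not in LOCAL_TARGETS)


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_HOSTS)
    for ip, name in suspicious_entries(parsed):
        print(f"REVIEW  {name:32} -> {ip}")
    print(redirect_targets(parsed))
```

Run the same check against each hosts.*.backup file in the ETC directory as well, since the backups keep the hijacked entries even after the live file has been cleaned.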
     
  10. welshTerrier2

    welshTerrier2 Private E-2

    Hi Matt ...

    I have not yet run any of the scripts you recommended in your last post.

    Overnight, I upgraded my computer to SP2 and have since been able to run bitDefender and ActiveScan (logs attached) ... I have NOT been seeing any evidence of viruses or spyware but some of the scans seem to indicate they still may be present on my machine ...

    I've also activated Automatic Updates from Microsoft and turned on the Microsoft Firewall.

    After I post this, I'll go on to running the scripts from your last post.

    Please let me know if you have other recommendations based on the new logs ...

    Thanks again for all your help ...

    Scans were run in the following order:
    BitDefender
    GetRunKeys
    ShowNew
    ActiveScan
    HiJackThis

    Note: due to the 3 uploads per reply limit, i'll send the remaining logs in a separate post ...
     

    Attached Files:

  11. welshTerrier2

    welshTerrier2 Private E-2

    The two additional logs referenced in my previous post are attached here ...
     

    Attached Files:

  12. matt.chugg

    matt.chugg MajorGeek

    The logs still contain things that will be fixed with the fix I just gave, let's run the fix and then post some more logs. I did say install sp2 AFTER we got your computer clean but let's see how we go.
     
  13. welshTerrier2

    welshTerrier2 Private E-2

    I'm having trouble running Look2Me ...

    I downloaded and ran the executable ... I got to the point where it was supposed to disappear for one minute but it never reopened ...

    Should i try to run it again?
     
  14. matt.chugg

    matt.chugg MajorGeek

    Check in your processes and see if it is there, if it is then terminate it and try again. It's probably your task scheduler service that's causing the issue, possibly as a result of sp2.

    Try it again and let me know.
     
  15. welshTerrier2

    welshTerrier2 Private E-2

    OK ... i ran Look2Me and have been able to complete all the tasks you provided ...

    Logs are attached to this post and my subsequent post ...
     

    Attached Files:

  16. welshTerrier2

    welshTerrier2 Private E-2

    attached is the additional Host file log you requested ...
     

    Attached Files:

  17. matt.chugg

    matt.chugg MajorGeek

    OK these lines are still persisting in your hjt log:

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = livoma.com
    O17 - HKLM\Software\..\Telephony: DomainName = livoma.com
    O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = livoma.com

    Please run HJT and select them and select Fix.

    Then rerun the scan and tell me if they are still there.


    You have acquired a new infection since we started:

    (yzujbmo.dll Aug 31 2006 126976 "yzujbmo.dll")

    I suspect it's going to be hooked into explorer to prevent it being removed.

    Please download the zip file attached to this post and extract both files to a folder on your desktop. run gethookeddlls.bat (NOT THE EXE) and upload the log created in c: (c:\gethookeddlls.txt)
     

    Attached Files:

  18. welshTerrier2

    welshTerrier2 Private E-2

    I deleted the HijackThis "O17" domain items ... with a subsequent scan, they did not reappear ... HOWEVER, after a reboot and another scan, they did return ...

    I'm not sure if it helps but the Domain being pointed to, i.e. livoma.com is my wife's employer's domain ... the machine was originally configured by someone setting up her office network so maybe the domain items are related to that ...

    Attached is a new HijackThis log (run after a scan, fix and reboot) and the log from the getHookedDlls process ...
     

    Attached Files:

  19. matt.chugg

    matt.chugg MajorGeek

    ok looks like we can remove it.

    Delete the file using killbox in the same manner as we have used several times already.

    c:\windows\system32\yzujbmo.dll

    post a new HJT log
     
  20. welshTerrier2

    welshTerrier2 Private E-2

    Ok ... killBox got rid of that .dll file ...

    attached is a new hjt log ...
     

    Attached Files:

  21. matt.chugg

    matt.chugg MajorGeek

    have hjt fix the following line:

    Please post a new shownew log too. I think we are nearly clean now
     
  22. welshTerrier2

    welshTerrier2 Private E-2

    new hjt and showNew logs are attached ...

    the following message keeps popping up periodically ... i think it began yesterday after i updated java to the latest version to enable me to run one of the scripts:

    java.exe - Bad Image

    The application or DLL c:\Program Files\Java\jre1.5.0\bin\client\jvm.dll is not a valid Windows image. Please check this against your installation diskette.

    Then, after i click "OK" on the pop-up message, a short time later another window pops up ... it's titled: "Java(TM) Update Checker" and it asks me if I want to send a report to Microsoft.
     

    Attached Files:

  23. matt.chugg

    matt.chugg MajorGeek

    Go to Add/Remove programs and uninstall the old versions of the Java Runtime

    Java 2 Runtime Environment, SE v1.4.2_03


    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:


    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)




    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  24. welshTerrier2

    welshTerrier2 Private E-2

    Ok ... here's the latest hjt log ...

    I uninstalled the old java runtime using add/remove programs but i'm still getting the same error pop-up after a reboot ...
     

    Attached Files:

  25. matt.chugg

    matt.chugg MajorGeek

    Run HijackThis. Click the 'Do a system scan only' button.
    Click Config

    Click Misc Tools

    Click Open Process Manager

    find the following processes and terminate them if found

    Click back to return to the scan results.



    Place a checkmark in the box next to the following lines:


    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.



    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)



    Note: the full path isn't visible as you can see:

    browse to the following location and delete the folder that starts with pppatch

    C:\Program Files\Common Files



    REBOOT to Normal Mode.

    Post fresh logs. (Shownew, Runkeys HJT)
     
  26. welshTerrier2

    welshTerrier2 Private E-2

    Hi Matt ...

    Before I run your latest script, I wanted to ask you a question ... I noticed in the "Quote" section in your post for the first run of Pocket Killbox that no files were listed ...

    Is that an omission or is it correct? Let me know and then I'll proceed with the script you provided ...

    Thanks again for all your excellent help ... Hope you had a good weekend ...
     
  27. matt.chugg

    matt.chugg MajorGeek

    It's an omission, just skip the whole killbox part and boot to safe mode to delete the folder.
     
  28. welshTerrier2

    welshTerrier2 Private E-2

    Ok ... I ran the script you provided with no problems ...

    I did notice, however, that the following two lines (if they're a problem) have returned:

    R3 - URLSearchHook: (no name) - {9E41B1F0-773C-77BC-14F0-74E2EE7972E3} - C:\WINDOWS\system32\evjqei.dll
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    also, I'm still getting that pop-up about the java dll ...
     

    Attached Files:
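The R0, R3 and O17 lines quoted in posts 6, 8, 17 and 28 each follow a fixed shape, so the reasoning matt.chugg applied to them (a search URL that is not a stock default, an unnamed URLSearchHook backed by a randomly named DLL in System32, a hook whose file is already gone, and O17 domain entries that are only legitimate if the PC really belongs to that domain) can be written down as a triage script. This is an added example, not code from the thread or from HijackThis; the set of stock search hosts and the random-name pattern are assumptions, and the sample log is just the lines quoted above.

```python
"""Classify the HijackThis R0 / R3 / O17 lines discussed in this thread."""
import re
from dataclasses import dataclass

# Sample input: the HJT lines quoted in this thread.
HJT_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
R3 - URLSearchHook: (no name) - {D399FA1E-3BD4-600F-A4A9-641331D36CB0} - C:\WINDOWS\System32\hbuwaq.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = livoma.com
O17 - HKLM\Software\..\Telephony: DomainName = livoma.com
"""

# Assumption: hosts IE of that era pointed its search settings at by default.
KNOWN_SEARCH_HOSTS = {"search.msn.com", "ie.search.msn.com", "www.microsoft.com"}

R0_RE = re.compile(r"^R0 - (?P<key>[^=]+?)\s*=\s*(?P<url>\S+)$")
R3_RE = re.compile(r"^R3 - URLSearchHook: (?P<name>.+?) - (?P<clsid>_?\{[0-9A-Fa-f-]+\}) - (?P<file>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<field>\w+) = (?P<value>\S+)$")
# Heuristic only: a short all-letter name with no vendor hint, as in hbuwaq.dll / evjqei.dll.
RANDOM_DLL_RE = re.compile(r"^[a-z]{5,8}\.dll$")


@dataclass
class Finding:
    line: str
    verdict: str   # "fix", "orphan", "verify" or "ok"
    reason: str


def host_of(url):
    return re.sub(r"^https?://", "", url).split("/")[0].lower()


def triage_line(line):
    line = line.strip()
    if m := R0_RE.match(line):
        host = host_of(m["url"])
        if host in KNOWN_SEARCH_HOSTS:
            return Finding(line, "ok", "stock search URL")
        return Finding(line, "fix", f"search setting points at {host}")
    if m := R3_RE.match(line):
        if m["file"] == "(no file)":
            return Finding(line, "orphan", "hook CLSID with no backing file")
        base = m["file"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if m["name"] == "(no name)" and RANDOM_DLL_RE.match(base):
            return Finding(line, "fix", f"unnamed hook into random-looking {base}")
        return Finding(line, "verify", "named hook; confirm the publisher before fixing")
    if m := O17_RE.match(line):
        return Finding(line, "verify",
                       f"{m['field']} = {m['value']}: legitimate only if this PC really belongs to that domain")
    return Finding(line, "ok", "line type not handled here")


def triage(text):
    return [triage_line(l) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for f in triage(HJT_LOG):
        print(f"{f.verdict:7} {f.reason}")
```

A "fix" verdict that keeps coming back after a reboot, as the R3 lines did here, points to a still-running component re-creating the entry rather than to a failed fix.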

  29. matt.chugg

    matt.chugg MajorGeek

    Returned? That's a new one. Where are you getting new infections from? You also have other new infections


    Lets go rootkit hunting! Download and install Sophos Anti-Rootkit 1.1

    Run sargui.exe from the extracted location and select Start Scan. Once the scan is completed go to Start --> Run --> and type in %TEMP%sarscan.log. This should open the log file in notepad, save it somewhere you will be able to locate and upload it here.
     
  30. welshTerrier2

    welshTerrier2 Private E-2

    i installed and ran sargui.exe but it didn't find anything ...

    when i looked for the log file, it didn't exist ...
     
  31. matt.chugg

    matt.chugg MajorGeek

    Run HijackThis. Click the 'Do a system scan only' button.

    Click Config --> Misc Tools --> Run Process manager and terminate the following:

    Click 'Back' to return to the scan results.

    Place a checkmark in the box next to the following lines:

    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)


    Note: notice the '?' in the file. something might be masking the full name from HJT and other programs (which is why I suspected a root kit) or it may actually appear like that.

    C:\WINDOWS\?ssembly\ may be c:\windows\ assembly which is a system folder or it may be something else. You will have to look manually for a file matching the pattern l?gonui.exe


    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  32. welshTerrier2

    welshTerrier2 Private E-2

    i think the "l&gonui.exe" has a full name of "logonui.exe" ... i'm not sure it will help at all but i did a search of my computer for "gonui" ... the attached Microsoft Word file is a printscreen of the search results ...

    after i ran killbox, i got the "pending operations" message (this was the first time i'd seen it) ... after booting into safe mode, neither of the files i was looking for was present so no manual delete was necessary ...

    i've also attached a new hjt log ...
     

    Attached Files:

  33. welshTerrier2

    welshTerrier2 Private E-2

    oops ... here's the word doc attachment i referred to ...
     

    Attached Files:

  34. matt.chugg

    matt.chugg MajorGeek

    Please do not use Word documents. Word documents can contain macros and as such are dangerous if from a non-trusted source, especially one who is fighting an infection!

    You can upload screenshots as jpg or png image files.

    Logonui is a legitimate file. All the locations shown are legitimate.

    Go to Start --> Run and type in CMD and press enter to run a command prompt

    type in the following (or copy and paste) and hit enter and upload the c:\treeofwindows.txt file

    This may take a few seconds to complete, please be patient. The file may be too large to upload, if so please zip it and upload it.
     
  35. welshTerrier2

    welshTerrier2 Private E-2

    sorry about the Word file ... i wasn't sure how else to save it as a .jpg ...

    attached is a zipped log of the windows tree ...
     

    Attached Files:

  36. matt.chugg

    matt.chugg MajorGeek

    OK I can't see any evidence of it there, but I'm still wondering if something is using rootkit technology to hide it from the windows api.
    Please reboot to safe mode and delete all files in the following folder

    C:\windows\prefetch

    then reboot to normal mode and post a new HJT log, let's see if it's gone now.
     
    Last edited: Sep 4, 2006
  37. welshTerrier2

    welshTerrier2 Private E-2

    just to clarify, after deleting all the files in c:\windows\prefetch in Safe Mode, did you want me to create the HJT log after a reboot to Safe Mode or a regular reboot?
     
  38. matt.chugg

    matt.chugg MajorGeek

    Sorry, my mistake. it should have been reboot to normal mode. (HJT should always be run from normal mode for future reference)
     
  39. welshTerrier2

    welshTerrier2 Private E-2

    Ok ... here's the latest HJT log ...

    how's it look?
     

    Attached Files:

  40. matt.chugg

    matt.chugg MajorGeek

    It looks clean now!

    Let's just run your scans again to make sure though eh!
     
  41. welshTerrier2

    welshTerrier2 Private E-2

    getrunkeys, shownew and hjt or should i also rerun the online scans?

    also, any idea on the jvm.dll popups i keep getting? should i uninstall the java runtime?
     
  42. matt.chugg

    matt.chugg MajorGeek

    Try uninstalling all versions of the java runtime then run the ccleaner cleanup issues section to remove any registry stuff and delete the folders in c:\program files\java and then reinstall the latest one from the link I gave you.

    Just run the online scans for now, and shownew just to make sure we haven't missed anything.

    How IS your computer running now ?
     
  43. welshTerrier2

    welshTerrier2 Private E-2

    OK .. i'll do the java cleanup later so i don't hold you up ...

    again, just to clarify, when you say online scans you mean bitDefender and Panda?

    and to answer your question, the computer seems to be running perfectly ... btw, i'm using AVG, Spywareblaster and i periodically run Ad-Aware and Spybot ... i also have activated the Microsoft firewall ... does this seem like a sufficient amount of protection?
     
  44. matt.chugg

    matt.chugg MajorGeek

    I'd recommend a different software firewall really, something like ZA free, as the Windows firewall in my opinion doesn't offer adequate protection for much. It doesn't have any control over what programs access the internet.

    have a read of this thread: How To Protect Yourself From Malware

    There are several recommendations on software and procedure to keep you from having to post in THIS forum again ;)
     
  45. welshTerrier2

    welshTerrier2 Private E-2

    OK ... here are the results of my BitDefender and Panda scans ... i've also attached another HJT log just in case ...
     

    Attached Files:

  46. matt.chugg

    matt.chugg MajorGeek

    We still have a few traces

    Reboot into safe mode and delete the following files:

    Then you're done!
     
