obfuskater virus help

Please follow the instructions in the Read and Run First sticky and attach the requested logs...HJT should be the last log to attach.

Find and delete: (My web search -- the whole folder)
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe


In the meantime:
Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking fix, exit HJT.

Now attach the requested logs from the Read and RUn.

 

Try deleting it in safe mode.

These are what we need:

• When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
  • CounterSpy
  • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
  • Bitdefender - from step 6
  • Panda Scan - from step 6
  • runkeys.txt - the log from GetRunKey.bat
  • newfiles.txt - the log from ShowNew.bat
  • HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

 

Your GetRunKeys log is empty ....did you get an error message when you ran it?
Please note these instructions for fixing any errors: GetRunKeys

Also your ShowNew log is not showing the uninstall program list...
Download the attach GetUnKeys.zip to your PC someplace you can locate it. Then extract all the files from the ZIP. Locate the GetUnKeys.bat file using Windows Explorer (right click the Start button and select Explore to open Windows Explorer) and double click on it to run it. It will create a file named GetUnKey.txt in the root of drive C: (C:\GetUnKey.txt) . This log will also popup in a notepad window which you can just close. Upload the GetUnKey.txt file here as an attachment.

Getting Uninstall Programs List From The Registry

Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

Now download The Avenger by Swandog469, and save it to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* Check the 'Input script manually' box.
* Click on the magnifying glass icon.
* Copy everything in the Quote box below, and paste it in the box that opens:

* Now click the 'Done' button.
* Click on the traffic light icon and OK the prompt.
* You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt

Attach new logs for:
ShowNew
GetRunKeys
GetUnKey
HJT
Avenger

 

Please use add/remove programs to uninstall:
J2SE Runtime Environment 5.0 Update 1"
J2SE Runtime Environment 5.0 Update 10"
J2SE Runtime Environment 5.0 Update 5"
J2SE Runtime Environment 5.0 Update 6
Viewpoint Media Player
SmartShopper
Reboot and install:
Java Runtime 6

Now ....do you do online banking? If so, please alert your bank that your passwords may be compromised!

Disconnect from the internet ---> physically unplug and do the following:

Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix, exit HJT.

Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Run avenger.exe by double-clicking on it.
* Check the 'Input script manually' box.
* Click on the magnifying glass icon.
* Copy everything in the Quote box below, and paste it in the box that opens:

Now click the 'Done' button.
* Click on the traffic light icon and OK the prompt.
* You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt

Attach new logs for:
ShowNew
GetRunKeys
HJT
Avenger

 

Please download GMER and save it to your desktop:

• Unzip (extract) it to your desktop.
• Disconnect from Internet and close all running programs.
• There is a small chance this application may crash your computer so save any work you have open.
• Double-click gmer.exe to run it.
• Let the gmer.sys driver to load if asked.
• If it gives you a warning at program start about rootkit activity and asks if you want to run a scan... click NO.
• Click the Rootkit tab.
• Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
• Then click the Scan button. Wait for the scan to finish.
• Once done, click the Copy button.
• This will copy the results to the clipboard. Open Notepad and press CTRL + V to paste the log, and save it to your desktop. Attach this log to your next reply.

NOTE: If you're having problems with running gmer.exe, try it in Safe Mode. This tool works in Safe Mode whereas many other rootkit revealers do not.



Do the rest of my previous post and attach the logs...

 

Yes....try highlighting and then Control + C and paste into notepad.

You can also try running....AVG Anti-Rootkit

Did you do the rest of the fix that I gave you?

 

Definitely!!!

Then get off the web....turn off all of your active anti-virus and spyware programs and do the fixes again that I posted:
Disconnect from the internet ---> physically unplug and do the following:

Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix, exit HJT.

Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now attach new logs for :
ShowNew
GetRunKeys
HJT

 

Smartshopper is still there ....

Run avenger.exe by double-clicking on it.
* Check the 'Input script manually' box.
* Click on the magnifying glass icon.
* Copy everything in the Quote box below, and paste it in the box that opens:

Now click the 'Done' button.
* Click on the traffic light icon and OK the prompt.
* You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt
Attach the avenger log.

 

Your logs look clean. You may uninstall any programs we had you download (including CounterSpy, etc).

If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
* Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
8. If you are running Windows XP or Windows ME, do the below:
* go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
* Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work thru the below link:
* How to Protect yourself from malware!

 

Boot into safe mode ...do you still have a problem there with the default admin account?

Check each user account in safe mode and reset the permissions.

 

Please run combofix.exe
Double click combofix.exe & follow the prompts.
When finished, it will produce a log for you. Attach this log to your next reply

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

And also HJT.

Attach both logs.

 

We tried removing the wsnpoem in an earlier post ...oh, twell ...glad that got it ...

Only problem I still see is :
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\system32\shdocvw.dll

You should do a search for SmartShopper and remove all of it ...is it in your IE toolbars or addins?

Use windows explorer to find and delete:
C:\WINDOWS\system32\shdocvw.dll

If everything is running well ...follow the link to How to protect yourself ....

 

No this should not be deleted! It is a required system file.


It is Shell Doc Object and Control Library which isa library used by Windows applications to add basic file and networking operations.