Please check my attachments

Discussion in 'Malware Help (A Specialist Will Reply)' started by KC_Duncan, Jul 4, 2006.

  1. KC_Duncan

    KC_Duncan Private E-2

    I had a problem whenever I would try to use my browser. Sometimes it would take me to the website I selected, next it would just keep refreshing the same page automatically. I also experienced, when I would search for things, it redirecting me to another search instead of the website I was looking for.

    I have done the read and run first and here are my logs.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you install KillAndClean? Look in Add/Remove programs for it and if found, uninstall it. Let me know whether you find it or not and if you could uninstall it.

    Next time, please follow the directions for creating a Bitdefender log. What you posted is OK for now, but it is not what was requested.

    Where is the requested log from running CounterSpy?

    You have a whole bunch of different problems we need to fix: Virtumonde, Wareout, and a variety of other trojans. The reason you are so badly infected is because your Windows OS version is severely out of date with its updates. This will have to be addressed after we finish removing your malware.

    Download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Now look in Add/Remove programs for the below and uninstall if found:
    UnSpyPC
    KillAndClean

    Let me know whether you find them or not and if you could uninstall them.


    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe
    • Save it to your desktop and then run it by double clicking on it. It creates a folder named c:\fixwareout.
    • Click Next, then Install.
    • Then make sure Run fixit is checked (this runs C:\fixwareout\fixit.bat). And then click Finish.
    • The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; this is normal.
    • When your system reboots, follow the prompts. Afterwards, HijackThis will launch. If it does not launch then run it yourself. Please click Scan, and check the following items if they still exist:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R3 - URLSearchHook: (no name) - {6224F13B-4C11-0D28-A184-8EC5764548F0} - SYSTRAV.dll (file missing)
    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
    O4 - HKLM\..\Run: [msag] ExchangeMaster.exe
    O4 - HKLM\..\Run: [MsNetHelper] KeywordFinder.exe
    O4 - HKLM\..\Run: [browsebar] hyandex.exe
    O4 - HKCU\..\Run: [lvagpujk] C:\WINDOWS\System32\lvagpujk.exe
    O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
    O4 - HKCU\..\Run: [runload32] Uint32.exe
    O4 - HKCU\..\Run: [MNTP] prcmon.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E2A0E086-B824-459A-9CF8-830336D1DB8E}: NameServer = 85.255.114.40,85.255.112.15
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.40 85.255.112.15
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.40 85.255.112.15
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.40 85.255.112.15

    After clicking Fix Checked, close HijackThis, and click OK to proceed.

    At the end of the fix, reboot into safe mode and use Windows Explorer to double check for the below files and delete if found:
    C:\Program Files\KillAndClean <--- the whole folder
    C:\Program Files\UnSpyPC <--- delete the whole folder if found
    c:\documents and settings\all users\favorites\Download Free Spyware Remover.url
    c:\windows\system32\SYSTRAV.dll
    c:\windows\system32\ExchangeMaster.exe
    c:\windows\system32\KeywordFinder.exe
    c:\windows\system32\hyandex.exe
    C:\WINDOWS\System32\lvagpujk.exe
    c:\windows\system32\Uint32.exe
    C:\windows\system32\prcmon.exe
    c:\windows\system32\tcpservice2.exe
    c:\windows\system32\txfdb32.dll
    C:\WINDOWS\system32\cydqjzha.exe
    C:\WINDOWS\system32\dmuxi.exe
    C:\WINDOWS\system32\gnbmbziy.mbo
    C:\WINDOWS\system32\pyfbykyr.exe
    C:\WINDOWS\system32\rlfispjf.exe
    C:\WINDOWS\system32\{74AF1BB2-DDEE-466B-95F1-EBA5E48A2635}.exe
    c:\windows\BTGrab.dll
    c:\windows\dlmax.dll
    c:\windows\susp.exe

    Now reboot into normal mode and please attach the contents of the logfile C:\fixwareout\report.txt

    There could be additional cleanup to do from Wareout and the log will let us know.

    Also attach a new HijackThis log.
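    The HijackThis entries the post asks to check share a few recognisable patterns: a proxy setting with an empty host, a search hook or BHO whose file is gone, Run entries that name a bare executable, and O17 NameServer values pointing DNS off the local network. The following checker is an added example (not code from the thread, from MajorGeeks or from HijackThis) that parses HijackThis-style lines and reports those patterns; the `EXPECTED_DNS` allow-list (RFC 1918 space, i.e. a home router) and the extra benign O17 sample line are assumptions.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed sample: the entries quoted in the post above plus one benign O17 line (router).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {6224F13B-4C11-0D28-A184-8EC5764548F0} - SYSTRAV.dll (file missing)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKLM\..\Run: [msag] ExchangeMaster.exe
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2A0E086-B824-459A-9CF8-830336D1DB8E}: NameServer = 85.255.114.40,85.255.112.15
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.40 85.255.112.15
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""
# Assumption: resolvers this machine should be using (RFC 1918 space, i.e. the home router).
EXPECTED_DNS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")

def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs; non-entry lines are skipped."""
    matches = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def unexpected_dns(body, expected):
    """Return the O17 NameServer addresses that fall outside every expected network."""
    bad = []
    for tok in filter(None, re.split(r"[,\s]+", body.partition("NameServer =")[2])):
        try:
            if not any(ip_address(tok) in net for net in expected):
                bad.append(tok)
        except ValueError:  # not an IP literal at all; report it as well
            bad.append(tok)
    return bad

def find_suspicious(text, expected=EXPECTED_DNS):
    """Apply the checks to every entry; returns (section, reason, body) triples."""
    hits = []
    for sec, body in parse_hjt(text):
        reason = None
        if sec == "R1" and re.search(r"ProxyServer = :\d*$", body):
            reason = "proxy setting with an empty host"
        elif sec in ("R3", "O2") and ("(file missing)" in body or "(no file)" in body):
            reason = "hook/BHO refers to a file that no longer exists"
        elif sec == "O4" and not re.search(r"[\\/]", body.split("] ", 1)[-1].strip('" ')):
            reason = "autorun by bare executable name (resolved through PATH)"
        elif sec == "O17" and (bad := unexpected_dns(body, expected)):
            reason = "DNS resolver redirected to " + ", ".join(bad)
        if reason:
            hits.append((sec, reason, body))
    return hits
```

    Entries with a full path (such as the KillAndClean Run key above) are not reported by the bare-name heuristic and still need the manual review the post gives them.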
     
  3. KC_Duncan

    KC_Duncan Private E-2

    Chas,

    There is no KillAndClean or UnSpyPC that I can find.

    Attached is the log from hijack this and the report from fixware.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have not attached the log from CounterSpy!

    Also the fixwareout log shows a file that I asked you to delete:

    {74AF1BB2-DDEE-466B-95F1-EBA5E48A2635}.exe

    You need to delete this file as indicated in my previous instructions. It is in the system32 folder.

    Why is MSconfig running? You must always select Normal Startup after using MSconfig to boot into safe mode.

    Your log is clean but you have major issues in that your Windows & IE versions are seriously out of date. This is a severe security risk.

    How are things working right now?
     
  5. KC_Duncan

    KC_Duncan Private E-2

    I did everything in the order it was written. I did delete it, but that was after the scan.

    here is the counterspy log, sorry about that.

    I have no idea why MSCONFIG is running.

    Everything seems to be running as good or better than before the latest issue of the auto-refreshing.
     
  6. KC_Duncan

    KC_Duncan Private E-2

    Forgot the log.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As long as it is deleted now, you are ok!


    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
  8. KC_Duncan

    KC_Duncan Private E-2

    Thanx a lot Chas, this is the third or fourth time you and your group have helped fix my computers. I recommend you to any of my friends who have PC issues, especially with malware or spyware. Again thanx for all your time and effort.

    KC
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely and thanks for recommending us.
     
