Please check my log files

Discussion in 'Malware Help (A Specialist Will Reply)' started by somersetlad, May 5, 2006.

  1. somersetlad

    somersetlad Private E-2

    Getting into Safe Mode

    My Mesh pc is infected with Spy Sheriff/Smitfraud. I have studied the excellent guidelines on this forum, but I have the problem that the 'F8 key method' does not get me into Safe Mode, so I cannot run the various anti-spyware tools in Safe Mode.
    I initially thought that Mesh must have overridden the system; I have emailed them three times to ask, but they have yet to reply!
    Now I am wondering if the spyware itself is preventing me getting in to Safe Mode.
    I would appreciate advice. Is there another way of getting in to Safe Mode?
    Many thanks.
     
  2. somersetlad

    somersetlad Private E-2

    Re: Getting into Safe Mode

    I have just discovered a link on Safe Mode in the thread
    http://forums.majorgeeks.com/showthread.php?t=74265
    so I have answered one of my own questions! I will try it this evening.
    I am still keen to know whether it is possible for spyware to prevent entry to Safe Mode?
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Getting into Safe Mode

    Welcome to Majorgeeks!

    Yes it is possible for malware to cause you problems with getting into safe mode.

    You may want to give this link a run for your Smitfraud problem: SpywareQuake Removal Procedure

    If the above does not help you resolve your malware problems, you should run our standard cleaning procedures which I will repeat below (it is also a sticky thread and contains the info you need for getting into safe mode too). If you cannot get into safe mode as the READ & RUN ME requests then just run all steps in normal boot mode but tell us what you did.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
  4. somersetlad

    somersetlad Private E-2

    Re: Getting into Safe Mode

    Thank you chaslang. Firstly, I am at long last into Safe Mode.

    All I have done so far is follow the procedure in the "SpywareStrike, Smitfraud, Spysheriff ........." thread.
    1. The HijackThis scan listed nothing on the list of nasties.
    2. I had extracted smitRem to a folder on the desktop, but the folder was not visible in Safe Mode. I had a second version of smitRem in a folder on C: drive so I ran it from there. Again it uncovered nothing on the list.
    3. The Panda scan listed 16 spyware, 3 hackers,& 1 dialer.
    As I have yet to try the SpywareQuake Removal Procedure and I have yet to try in Safe Mode all the steps listed in READ & RUN ME FIRST Before Asking for Support, I will not post the logs at this stage.

    I think I need to set aside a whole day to tackle this properly!
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Getting into Safe Mode

    You must install SmitRem to the Desktop of the same user account you will be booting to in safe mode. Only accounts with administrator privileges will show in safe mode thus you must have installed it to the correct Desktop. It does not matter whether you find the folder/files or not. All steps must still be completed and you must attach the requested logs when you are finished. Do not waste time opening unnecessary browsers or doing any unrequested surfing while running the procedures. All you will do is possibly spread the problems or make them more difficult to remove. The procedures tell you this.
     
  6. somersetlad

    somersetlad Private E-2

    Re: Getting into Safe Mode

    I am bracing myself for an all-out assault on this spyware problem tomorrow.

    Just one question before I start: I have Sophos antivirus software (updated everyday). I have run Sophos in the last couple of days and it has detected and dealt with some trojans. Should I run Sophos immediately before I begin the steps in READ & RUN ME FIRST Before Asking for Support? If so, should I run Sophos in Safe Mode?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Getting into Safe Mode

    It is not necessary for you to run Sophos at this time, but if you would like to include running a full scan with it in safe mode it would not hurt anything. If you do run it, please try to save a log and attach it later with the other 3 requested logs.
     
  8. somersetlad

    somersetlad Private E-2

    Thank you for all your help so far. I have now completed the scans and procedures and attached the log files.

    I have sought to follow the instructions of Read & Run Me First. This is the order of what I did:

    Booted in Safe Mode

    Ran CCleaner

    Ran MS Windows Malicious Software Removal Tool - found nothing

    Ran Ad-Aware full system scan - found nothing

    Ran Spybot Search & Destroy - found "Windows.ActiveDesktop" which it fixed

    Ran MS Windows Defender - found nothing

    Ran CWShredder - found "CWS.msconfig" which it removed

    I could not connect to the internet in Safe Mode, so I rebooted in normal boot mode

    Ran Bitdefender - found 1. Trojan.Downloader.TibsDZ which it deleted and 2. Trojan.Spy.Sheriff.G which it failed to delete - see attached log.

    Ran PandaActiveScan (in case it is important: just before I had to 'select device' an error message popped up: "Error code 438: Object doesn't support this property or method"). Anyway, the scan appeared to run properly and detected several issues which are in the attached log.

    Ran HijackThis - (the notes say to 'disable msconfig or any other startup control programs' - I do not know how to do this) - see attached log.

    Again, thank you for your help. I look forward to hearing what I should do next.
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I still need to see the smitfiles.txt log from the SpywareQuake procedure I had you run. Based on your other logs, you need to run it again but make sure you run it in safe mode. Then attach your smitfiles.txt log. Do this first, then continue with the below!

    Is your copy of Ewido a paid version or a free trial?

    Note these next two items are not malware but they are resource hogs and are unnecessary. Consider whether you want to stop them from loading at startup:
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE


    Now click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Windows Service Manager ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    WSCM

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to add into the registry.
    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
    O2 - BHO: winapi32.MyBHO - {AF79D4A2-725D-4627-9E34-08C04833D798} - C:\WINDOWS\system32\winapi32.dll
    O4 - HKLM\..\Run: [BBStart] E:\Setup.exe
    O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
    O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
    O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
    O15 - Trusted Zone: http://www.excite.co.uk
    O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba1828.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    c:\program files\common files\Totem Shared <--- delete the whole folder
    c:\windows\BTGrab.dll
    c:\windows\desktop.html
    c:\windows\dlmax.dll
    c:\windows\woinstall.exe
    c:\windows\system32\runsrv32.exe
    c:\windows\system32\shellgui32.dll
    C:\WINDOWS\system32\susp.exe
    C:\WINDOWS\system32\taskdir.exe
    C:\WINDOWS\system32\taskdir.dll
    c:\windows\system32\tcpservice2.exe
    c:\windows\system32\txfdb32.dll
    c:\windows\system32\winapi32.dll
    c:\windows\system32\winnook.exe
    C:\WINDOWS\System32\service.exe <--- only delete service.exe if found. DO NOT delete services.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
     
    Last edited: May 7, 2006
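As an added example (not the forum's, HijackThis's or SmitRem's own code), a small Python parser for the O2/O4/O15/O16 HijackThis log lines quoted in this thread; it reports which of the lines a helper asked to be fixed are still present in a follow-up log, the comparison chaslang does by eye later in the thread. The sample follow-up log is constructed from lines quoted in the thread, not a real attachment, and the whitespace variation in it stands for the copy/paste drift seen in forum-posted logs.

```python
"""Parse HijackThis O-lines and diff a follow-up log against requested fixes.
Added example; the sample log below is constructed, not a real attachment."""
import re
from dataclasses import dataclass

@dataclass
class HjtEntry:
    section: str  # "O2", "O4", "O15", "O16"
    raw: str      # full line as it appears in the log
    name: str     # BHO name, Run value name or .lnk name ("" if none)
    target: str   # file, command or URL the entry loads

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# Field layouts for the sections this thread deals with; other O-lines keep the raw rest.
FIELD_RES = {
    "O2": re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$"),
    "O4": re.compile(r"^(?:.+?: \[(?P<name>[^\]]*)\] (?P<target>.*)|Global Startup: (?P<lnk>.+?) = (?P<path>.*))$"),
    "O15": re.compile(r"^Trusted Zone: (?P<target>.*)$"),
    "O16": re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} - (?P<target>.*)$"),
}

def parse_hjt(text: str) -> list[HjtEntry]:
    """Only O-lines are parsed; header, R0/R1 and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()
        fm = FIELD_RES[section].match(rest) if section in FIELD_RES else None
        g = fm.groupdict() if fm else {}
        name = g.get("name") or g.get("lnk") or ""
        target = (g.get("target") or g.get("path") or rest).strip()
        entries.append(HjtEntry(section, line.strip(), name, target))
    return entries

def _norm(line: str) -> str:
    return re.sub(r"\s+", " ", line.strip()).lower()

def still_present(new_log: str, requested_fixes: list[str]) -> list[str]:
    """Requested-fix lines the newer log still contains (case and spacing ignored)."""
    present = {_norm(e.raw) for e in parse_hjt(new_log)}
    return [line for line in requested_fixes if _norm(line) in present]

def targets_under(entries: list[HjtEntry], folder: str) -> list[str]:
    """Targets loaded from a folder, to cross-check against a file deletion list."""
    prefix = folder.lower().rstrip("\\") + "\\"
    return [e.target for e in entries if e.target.lower().startswith(prefix)]

REQUESTED_FIXES = [  # lines chaslang asked to be fixed in this thread
    r"O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)",
    r"O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe",
    r"O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe",
    r"O15 - Trusted Zone: http://www.excite.co.uk",
]
FOLLOWUP_LOG = r"""
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKCU\..\Run: [taskdir]   C:\WINDOWS\system32\taskdir.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""
```

Calling `still_present(FOLLOWUP_LOG, REQUESTED_FIXES)` returns the orphaned BHO line and the taskdir Run line; `targets_under(parse_hjt(FOLLOWUP_LOG), r"C:\WINDOWS\system32")` lists only taskdir.exe.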
  10. somersetlad

    somersetlad Private E-2

    Thank you so much for your detailed instructions. Here is what I have done:

    First I followed the SpywareQuake & SpyFalcon Removal Procedure. I found none of the files listed for renaming from dll to DDD.
    In the second list of files for deletion, only one was found: %System32%\dcomcfg.exe
    The log file is attached.

    My copy of Ewido is a free trial.

    I then followed through your instructions.

    Windows Service Manager was already stopped; I set it to Disabled as instructed.

    With HJT, I found and fixed all the entries you listed with one exception: O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba1828.exe was not there.

    Moving on to the list of further files to be deleted, 7 of the list were not present; the other 8 were deleted.

    I have attached the HJT log.

    I do not know if it is fixed yet, but one early sign is promising: after rebooting, the home page was no longer "about: blank"! I feel wonderfully encouraged. Thank you.
     

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Some of the items I asked you to fix are still showing in your log:

    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
    O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
    O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe

    Uninstall Ewido and Windows Defender (we will be reinstalling Windows Defender later though since you need full time blocking of malware like it offers but right now it could be getting in our way). After uninstalling both programs repeat the previous steps to fix the above lines and then reboot into safe mode and double check for the files again and delete them if found.

    Then boot back to normal mode and attach a new HJT log.
     
  12. somersetlad

    somersetlad Private E-2

    Thank you for your continued help. I am now at work so I will do as you suggested later this evening.

    One thing that has puzzled me: this battle to remove all the traces of spyware is obviously spread over several days - is it OK to switch the computer off in between sessions and consequently give malware a chance to reinfect on rebooting?

    One further question: you wrote Consider whether you want to stop these from loading at startup:
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE

    Forgive my ignorance, but how do I stop these loading at startup?

    Many thanks for all your help.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sometimes rebooting a PC can cause problems with malware respawning itself. However, we will typically tell you when we do not want you to reboot the PC. So don't worry about it right now. However, it is always in your best interest to follow up quickly.

    You can just use HijackThis to fix those two lines that you will see loading on O4 lines in your HijackThis log.
     
  14. somersetlad

    somersetlad Private E-2

    Thanks for the answers to the 2 questions. I have followed the instructions and uninstalled Ewido and Windows Defender.

    I then ran HJT and firstly fixed:
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE

    When I looked for the 5 entries you reported were still showing in my log, I could only find 1 of them:
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    I fixed this one.

    I could not find the other 4:
    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
    O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
    O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
    O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe

    I rebooted to safe mode, double checked and found none of the 5.

    My HJT log is attached. Thank you again for your time and help - it is greatly appreciated.
     

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Oooops! I forgot to cut that out of my second message! It was not in my first set of instructions and should not have been in the second. That was for your modem to enable the internal speaker. Use HijackThis's Misc Tools to go to the Backups and restore this one from the Backups.

    I still see the below in your HJT log. Did you miss this one?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE


    How are things working?

    Back in my previous messages were you actually able to find and delete the below two files:
    C:\WINDOWS\system32\runsrv32.exe
    C:\WINDOWS\system32\susp.exe

    I would have expected that you would have a problem deleting them.
     
  16. somersetlad

    somersetlad Private E-2

    I have restored
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    using HJT.

    You said: I still see the below in your HJT log. Did you miss this one?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    I left this one as it was not exactly the same as the
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    that you said to remove. Anyway, it has now been fixed.

    As for the 2 files you mentioned:
    C:\WINDOWS\system32\runsrv32.exe
    was removed with no trouble.
    There is a similar file
    C:\windows\system32\runsrv32.dll
    that I have not removed.


    The other one
    C:\WINDOWS\system32\susp.exe
    was not there (I could not see it).

    You ask about how the computer is behaving: fine!! The symptoms have cleared up:
    1. pop up windows saying I was infected - click here to get it sorted
    2. homepage stubbornly resetting to about: blank
    3. signing in to Hotmail or EBay and being redirected to a supposed antispyware site
    4. desktop settings being interfered with
    These have all been remedied. Am I clear yet? Thank you again; I am elated at the improvements.
     

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just one note about this OSA9.EXE process - if you make use of the Microsoft Office Shortcut Bar outside an office program this application will need to be enabled for it to show.

    Delete the C:\windows\system32\runsrv32.dll file too.

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
