Please Help with spyware removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by spiritt, Apr 15, 2006.

  1. spiritt

    spiritt Private E-2

    Hello...

    I have been working on this problem now for over a week and have gotten as far as I seem to be able to get with it.

    This is from a computer that my daughter has at her dad's house. Turns out they had NO virus protection on it for a long time and she was getting pop-ups for various adware and virus removal tools and saying yes to them...probably the best thing I could have done was to just reformat the hard drive...
    Symptoms:
    Computer started with BSOD on boot and could only boot into safe mode with networking. Problem was with an Avast file. Uninstalled and re-installed Avast. Ran a boot-time scan and found THOUSANDS of viruses, mostly trojans. (Note: I have run 4 more boot-time scans since, and each time it still finds and removes a few things, but they come back.)

    Unable to run Ad-aware - have installed 3 times. Still getting a BSOD fairly soon into the scan.

    Followed instructions here.

    Ran CCleaner, it found and removed things with no problems.

    Ran Malicious Software Removal Tool. Only able to partially remove the following:
    worm:Win32/Alcan.B
    worm:Win32/Alcan.C

    Unable to run Ad-aware. Still getting BSOD.

    Stop:C000021a Fatal System error. The windows logon Process System process terminated unexpectedly with a status of 0XC0000005 (0X00000000 OX00000000) The system has been shutdown.

    Ran Spybot S&D. Removed A LOT, but after running it several more times, it is not able to remove:
    exact advertising.BargainsBuddy from
    HKEY_Local_Machine\System\Current Control Set\Services\ISExEng.Control Set (and a second one, same path, Control Set 001).

    Unable to install Windows Defender.

    Ran Counter Spy. I did not create a log file, but it found and removed A LOT.

    Was then able to install and run Windows Defender. It kept finding Qoologic.

    Ran the 3 Qoologic tools and am attaching those logs, and a HJT log that I ran last thing.

    I turned on normal start-up to run the 4 attached logs...the system became sooooooo slow, and all these warnings pop up that a program with scrambled symbols for a name cannot be found.

    I just want to say I have been using your site for 2 years and have always had great success using the tools and info here. This is the first time I have had to ask you for help!
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please complete the below procedures in the order given:

    1) Virtumonde aka Trojan Vundo Removal make sure to attach the requested log

    2) Run the two online scanners from step 6 of the READ & RUN ME which you skipped and attach the logs.

    3) Attach a new HJT log so we can work up a fix for your remaining issues and Qoologic.

    Note: You really should have saved the CounterSpy log as requested in the READ ME. Don't worry about it now. But always make sure you follow directions and it will make our job and yours easier and faster. ;)
     
  3. spiritt

    spiritt Private E-2

    Hi!

    Sorry it has taken me so long to get back, I have not had access to the computer with the problem.

    I ran virtumonde.exe and am attaching the log.

    For some reason (and I apologize for not documenting this in my original post) I am not able to run the 2 online scans. The buttons to do so simply are not active, no matter if I use Firefox or IE as my browser.

    Also attaching the most recent HijackThis log. Thanks!!
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Step 7 of the READ & RUN ME clearly states not to use MSconfig to control startups. Please select Normal Startup! We must see everything that could load. Then continue onto the below.

    You still have a load of problems to fix! We still need to work through multiple other procedures, starting with the below:

    E2Give Removal Procedure

    Then do the below!

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to SMX regulator... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    Windows SMX
    If you receive any error messages just ignore them and continue.
    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Now let's continue with more fixes.

    Download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\Program Files\winupdate\winupdate.exe
    C:\WINDOWS\UNWN.EXE
    C:\WINDOWS\winsmx.exe
    C:\WINDOWS\system32\w005d950.dll
    C:\WINDOWS\system32\dmonwv.dll
    C:\WINDOWS\system32\ukcossp.exe
    C:\WINDOWS\system32\jouli.exe
    C:\WINDOWS\system32\sfehin.exe


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jouli.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,ukcossp.exe
    O4 - HKLM\..\Run: [swiyil] C:\WINDOWS\system32\sfehin.exe reg_run
    O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
    O4 - HKLM\..\Run: [w005d950.dll] RUNDLL32.EXE w005d950.dll,I2 000345bd0005d950
    O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\ftkcpy.exe"
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -


    Now exit HJT
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):
    C:\Program Files\winupdate <--- the whole folder
    C:\WINDOWS\UNWN.EXE
    C:\WINDOWS\winsmx.exe
    C:\WINDOWS\system32\w005d950.dll
    C:\WINDOWS\system32\dmonwv.dll
    C:\WINDOWS\system32\ukcossp.exe
    C:\WINDOWS\system32\jouli.exe
    C:\WINDOWS\system32\sfehin.exe

    Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second time.

    Now attach a new HJT log and a new log from FindQool

    Also tell me how things are working!
     
  5. spiritt

    spiritt Private E-2

    I checked and I do have normal startup selected, not sure what happened there...

    Everything ran smoothly, the only thing I would note is that I was not able to stop the SMX regulator service, all options to start, stop, etc were grayed out. I disabled the service, rebooted, and when it came back up, the service was not running and is disabled, so I proceeded.

    The system is running a lot better. Have not had any blue screens.

    Thanks for your help again. I'm attaching the requested logs...
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmm! Looks like one item (ukcossp.exe) was missed and it may have caused a few other issues to pop up. I'm going to try one more cleanup attempt and if more stuff shows up in your next log, we will have to install a software firewall like ZoneAlarm to help block all this junk. Your PC just may have too many bad things on it and too many bad sites may know about your PC. This can make it difficult to fix unless we block them with a firewall. But let's try one more big fix first.

    Look in Add/Remove programs for the below and uninstall if found:
    BullsEye Network
    Gator or Comet
    Media Access
    MediaGateway
    NewDotNet
    SurfSideKick 3
    webHancer
    Zeno (or anything with Zeno in the name)


    Run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\Program Files\Common Files\Windows\mc-58-12-0000140.exe
    C:\WINDOWS\SYSTEM32\express.exe
    C:\WINDOWS\SYSTEM32\dwdsregt.exe
    C:\windows\system32\qjdsrego.exe
    C:\WINDOWS\system32\mwinkrag.exe
    C:\WINDOWS\system32\savlho.exe
    C:\WINDOWS\system32\ukcossp.exe



    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    F3 - REG:win.ini: load=??? ?
    F3 - REG:win.ini: run=??? ?
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,ukcossp.exe
    O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
    O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
    O4 - HKLM\..\Run: [wcoxqkb] C:\WINDOWS\system32\ldaifxxv\wcoxqkb.exe
    O4 - HKLM\..\Run: [tvs_b] c:\Program Files\tvs\tvs_ln.exe
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINDOWS\srchupdt.exe
    O4 - HKLM\..\Run: [snss Launcher] "C:\Program Files\snss\snss.exe"
    O4 - HKLM\..\Run: [rlqcrmrk] C:\WINDOWS\system32\gttuns\rlqcrmrk.exe
    O4 - HKLM\..\Run: [otkvuuqf] C:\WINDOWS\system32\prllqwvm\otkvuuqf.exe
    O4 - HKLM\..\Run: [nxhevt] C:\WINDOWS\system32\uiptckp\nxhevt.exe
    O4 - HKLM\..\Run: [newname] C:\windows\newname9.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
    O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad9.exe
    O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard9.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
    O4 - HKLM\..\Run: [hedkxopf] C:\WINDOWS\system32\eagdqy\hedkxopf.exe
    O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\mwinkrag.exe CORN001
    O4 - HKLM\..\Run: [bcnko] C:\WINDOWS\system32\pjeym\bcnko.exe
    O4 - HKLM\..\Run: [ajoklx] C:\WINDOWS\system32\mpsdec\ajoklx.exe
    O4 - HKCU\..\Run: [uufm] C:\PROGRA~1\COMMON~1\uufm\uufmm.exe
    O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000140.exe
    O4 - HKCU\..\Run: [savlho] C:\WINDOWS\system32\savlho.exe
    O4 - HKCU\..\Run: [Outlook Mail Services] express.exe
    O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000140.exe
    O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\mwinkrag.exe
    O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
    O4 - Global Startup: strings.exe



    Now exit HJT
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):
    <--- the whole folder
    C:\Program Files\BullsEye Network <--- the whole folder
    C:\Program Files\COMETS~1 <--- the whole folder
    C:\Program Files\MediaGateway <--- the whole folder
    C:\Program Files\Media Access <--- the whole folder
    C:\Program Files\Network <--- the whole folder
    C:\Program Files\NewDotNet <--- the whole folder
    c:\Program Files\tvs <--- the whole folder
    C:\Program Files\snss <--- the whole folder
    C:\Program Files\SurfSideKick 3 <--- the whole folder
    C:\Program Files\webHancer <--- the whole folder
    C:\Program Files\Common Files\uufm <--- the whole folder
    C:\WINDOWS\system32\eagdqy <--- the whole folder
    C:\WINDOWS\system32\gttuns <--- the whole folder
    C:\WINDOWS\system32\ldaifxxv <--- the whole folder
    C:\WINDOWS\system32\mpsdec <--- the whole folder
    C:\WINDOWS\system32\prllqwvm <--- the whole folder
    C:\WINDOWS\system32\pjeym <--- the whole folder
    C:\WINDOWS\system32\uiptckp <--- the whole folder

    C:\Program Files\Common Files\Windows\mc-58-12-0000140.exe
    C:\WINDOWS\SYSTEM32\express.exe
    C:\WINDOWS\SYSTEM32\dwdsregt.exe
    C:\windows\system32\qjdsrego.exe
    C:\WINDOWS\system32\mwinkrag.exe
    C:\WINDOWS\system32\savlho.exe
    C:\WINDOWS\system32\ukcossp.exe
    C:\WINDOWS\srchupdt.exe

    C:\windows\newname9.exe <--- delete any files starting with the text newname and ending in .exe (like newname1.exe, newname2.exe...etc)
    C:\windows\mousepad9.exe <--- delete any files starting with the text mousepad and ending in .exe (like mousepad1.exe, mousepad2.exe...etc)
    C:\windows\KEYBOARD9.exe <--- delete any files starting with the text KEYBOARD and ending in .exe (like KEYBOARD1.exe, KEYBOARD2.exe...etc)
    C:\windows\GIMMYSMILEYS9.exe <--- delete any files starting with the text GIMMYSMILEYS and ending in .exe (like GIMMYSMILEYS1.exe, GIMMYSMILEYS2.exe...etc)
    Also look in c:\ for any of the newnameX, mousepadX, keyboardX, GIMMYSMILEYSX files and delete them too.


    Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second time.

    Now attach a new HJT log and a new log from FindQool

    Also tell me how things are working!
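The two cleanup posts above hand the reader a list of HijackThis (HJT) lines to fix by eye. The following Python script is an added example, not code from this thread or from the HijackThis project: it parses HJT-style F2/F3/O4 lines and flags the structural warning signs those posts rely on (a Shell= or UserInit= value that chains an extra program, a win.ini load=/run= autostart that is populated, and an O4 autostart whose target is a bare filename or lives in a subfolder of system32). The sample log is constructed from lines quoted in this thread plus a few benign-looking entries for contrast; the thresholds and the `_o4_target` parsing rules are this example's own assumptions, and known-adware name matching (webHancer, SurfSideKick, etc.) is deliberately out of scope, so such entries are not flagged here.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample input: HJT-style lines copied from the cleanup posts in this
# thread (hostile paths as they appear there) plus benign-looking entries.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jouli.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,ukcossp.exe
F3 - REG:win.ini: load=??? ?
O4 - HKLM\..\Run: [wcoxqkb] C:\WINDOWS\system32\ldaifxxv\wcoxqkb.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKCU\..\Run: [Outlook Mail Services] express.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\mwinkrag.exe
O4 - Global Startup: strings.exe
"""


class Finding(NamedTuple):
    section: str  # HJT section tag, e.g. "F2" or "O4"
    reason: str   # why the entry was flagged
    line: str     # the original log line


_ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# Windows defaults for the two system.ini-derived logon values.
_EXPECTED_LOGON = {"shell": "explorer.exe", "userinit": "userinit.exe"}
_SYSTEM32_SUBDIR_RE = re.compile(r"(?i)\\system32\\[^\\]+\\")


def _check_logon_values(body: str) -> Optional[str]:
    """F2: Shell= and UserInit= should name only the Windows default program."""
    m = re.match(r"REG:system\.ini:\s*(Shell|UserInit)=(.*)$", body, re.I)
    if not m:
        return None
    key, value = m.group(1).lower(), m.group(2)
    programs = [p.strip() for p in value.split(",") if p.strip()]
    extras = [p for p in programs
              if p.lower().rsplit("\\", 1)[-1] != _EXPECTED_LOGON[key]]
    return f"{key} chains extra program(s): {', '.join(extras)}" if extras else None


def _check_win_ini(body: str) -> Optional[str]:
    """F3: win.ini load=/run= are legacy autostarts and should be empty."""
    m = re.match(r"REG:win\.ini:\s*(load|run)=(.*)$", body, re.I)
    if m and m.group(2).strip():
        return f"win.ini {m.group(1)}= autostart set to {m.group(2).strip()!r}"
    return None


def _o4_target(body: str) -> str:
    """Extract the program an O4 autostart entry launches (assumed formats)."""
    if "[" in body and "]" in body:           # HKLM\..\Run: [name] command
        cmd = body[body.index("]") + 1:]
    elif "=" in body:                         # Startup: foo.lnk = target
        cmd = body.split("=", 1)[1]
    else:                                     # Global Startup: file.exe
        cmd = body.split(":", 1)[1]
    cmd = cmd.strip()
    if cmd.startswith('"'):                   # quoted path, may contain spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    # rundll32 is only a host process; the real target is the DLL it loads.
    if tokens and tokens[0].lower() in ("rundll32", "rundll32.exe") and len(tokens) > 1:
        return tokens[1].split(",", 1)[0]
    return tokens[0] if tokens else ""


def _check_autostart(body: str) -> Optional[str]:
    """O4: flag targets with no path at all or hidden in a system32 subfolder."""
    target = _o4_target(body)
    if not target:
        return None
    if "\\" not in target:
        return f"autostart launches bare filename {target!r} (resolved via search path)"
    if _SYSTEM32_SUBDIR_RE.search(target):
        return f"autostart runs from a subfolder of system32: {target}"
    return None


_CHECKS = {"F2": _check_logon_values, "F3": _check_win_ini, "O4": _check_autostart}


def triage(log_text: str) -> List[Finding]:
    """Return the entries of an HJT-style log that fail a structural check."""
    findings = []
    for line in log_text.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if not m:
            continue
        check = _CHECKS.get(m.group("section"))
        reason = check(m.group("body")) if check else None
        if reason:
            findings.append(Finding(m.group("section"), reason, line.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against the sample it flags the two chained logon programs (jouli.exe, ukcossp.exe), the populated win.ini load= value, the executable under a random system32 subfolder, and the two bare-filename autostarts, while leaving the dumprep, webHancer and Zeno.lnk entries alone; the last two are only caught by name-based lists, which is why the posts above pair these checks with an explicit list of known adware.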
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Because you are so badly infected, I just decided that after completing my cleanup instructions below, I want you to run Ewido as directed in the below link:

    Running Ewido Anti-Malware

    Make sure you attach the Ewido log when finished.
     
  8. spiritt

    spiritt Private E-2

    OK, we seem to be making a lot of progress here...thank you SO MUCH for all of your help. I think if I encountered another computer as bad off as this one I would just reformat! The things you do for family...

    Anyway...I am not having any pop-ups or "weird" errors, messages coming up. This was the first time I have been able to boot into safe mode also.

    Ewido found A LOT of stuff. There was some sort of archive (infected) in her documents and settings which we were able to delete with this program.

    Attached are the latest logs. I did not know if you wanted me to run HJT again after running Ewido. If you do, I can, I will be shutting this computer down until I hear from you again, so nothing should change.

    OK, the Ewido log is huge - almost 5 MB. I zipped it, and it is 305 KB; can't upload it. Should I break it into 2 files and zip each of those? Or now that it has deleted so much, run it a second time?
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes split the Ewido log into parts and attach it. Why is it so large? Was it due to many cookies or was it files in System Volume Information?

    Your HJT log is clean now but delete the below file (use safe mode if necessary):
    C:\WINDOWS\RIYCU.DLL

    Are CounterSpy and SpywareDoctor paid versions or free trials?

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link.

    How to Protect yourself from malware!


    Make sure you get one of those firewalls listed in step 3 installed ASAP.
     
  10. spiritt

    spiritt Private E-2

    The majority of the files that came up on Ewido were in a hidden archive file called C:\Documents and Settings\Cindi\Complete. I'm thinking it was something that came in while she was downloading from either Kazaa or Limewire.

    Here are the Ewido logs. I was able to delete the C:\WINDOWS\RIYCU.DLL file.

    Counter Spy and Spyware Doctor are free trials.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well someone got what they paid for downloading all those programs illegally! ;)
    Also looks like she has a load of disk space to waste.

    Uninstall CounterSpy and SpywareDoctor. Keep Ewido for now but you really need to replace Ewido with a full protection program that is not a trial. Ewido will expire in 15 days. Windows Defender is free but you said you could not install it.

    Make sure all steps in the How to protect thread are followed.
    Make sure everyone reads step 10 and understands the dangers of P2P programs.
     
  12. spiritt

    spiritt Private E-2

    Thank you SO MUCH for all your help with this. The computer has been up running all week and so far things are clean. If you ever need more volunteers to help others on this forum, I'd help out in a sec!!

    Melissa :D
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
