Please help

Discussion in 'Malware Help (A Specialist Will Reply)' started by eric53, Jun 2, 2007.

  1. eric53

    eric53 Private E-2

    I am having a problem with multiple pop-ups that make it almost impossible to use the internet. This happens at times when a browser is not running at all.

    I have followed all of the steps outlined in the malware removal guide. FYI, I had to run BitDefender and PandaScan in normal boot mode. Everything else was done as instructed. I have just finished the steps, and even though I have not seen any pop-ups yet, I think that I am still infected based on the results of the PandaScan.

    Attached are 3 of the logs, more to follow.

    Eric
     


  2. eric53

    eric53 Private E-2

    More log files and the HijackThis log.
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sorry for the delay.
    Please use Add/Remove Programs to uninstall:
    Java 2 Runtime Environment, SE v1.4.2_03
    Sunbelt CounterSpy
    WeatherBug Browser Bar - powered by MyWebSearch
    WeatherBug

    Now
    1. Download this file - ComboFix
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply.

    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Run it twice.

    Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking fix, exit HJT.

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart; OK the prompt and your PC should reboot. If not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt
    Attach new logs for:
    ShowNew
    GetRun
    HJT
    ComboFix
    Avenger
     
  4. eric53

    eric53 Private E-2

    I have made a few changes since my initial post. I hope this didn't mess anything up, but I was trying to fix the problem. I have installed Firefox and Zone Alarm. I also ran ComboFix prior to receiving your reply but continued to have problems afterward. I am running it again per your instructions.

    I also wonder what protection I should run after things are cleaned up. I plan on running Avast for virus protection and Zone Alarm as a firewall. I also have Spybot S&D and Ad-Aware.

    While ComboFix was running, AVG Anti-Spyware kept finding Adware.Virtumonde in the system32 folder, file FTSUPD.dll which I see is covered by your regedit.

    I ran ComboFix twice as instructed and included the last log.


    I got this error when trying to fix with HJT. The line from your quote had a "G" at the end; when I ran HJT the line did not have the "G" at the end. I fixed it anyway. Also, the first and third lines from your quote were not found when I ran HJT, so I was only able to fix the other 4.

    An unexpected error has occurred at procedure modBackup_MakeBackup(sItem=O20 - AppInit_DLLs:c\windows\system32\yabbxvt.dll) Error #5 - Invalid procedure call or argument

    Got this error when running Avenger:
    Error loading C:\PROGRA~1\MYWEBS~1\bar\1.bin\w6bar.dll
    The specified module could not be found.

    Thanks for your help, logs are attached.

    Eric
     

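The HijackThis error quoted above names an O20 AppInit_DLLs entry pointing at a randomly named DLL in system32, which is the hook this family of adware used to get loaded into every process. A helper reviewing such a log wants those entries surfaced automatically. The script below is an added example written for this thread, not code from HijackThis, ComboFix or MajorGeeks; the log text inside it is constructed in the HijackThis 1.99 line style (the CLSIDs are zero-filled placeholders and the program paths are assumed), and the "random-looking name" check is a deliberately crude heuristic, a weak indicator rather than a verdict.

```python
import re

# Constructed sample in HijackThis 1.99 log style. The yabbxvt.dll and
# MYWEBS~1 paths echo what the thread quotes; everything else is made up.
SAMPLE_HJT_LOG = """\
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\\WINDOWS\\system32\\yabbxvt.dll
O2 - BHO: MyWebSearch Search Assistant - {00000000-0000-0000-0000-000000000002} - C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\w6bar.dll
O4 - HKLM\\..\\Run: [AVG Anti-Spyware] "C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe" /minimized
O4 - HKLM\\..\\Run: [ZoneAlarm Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
O20 - AppInit_DLLs: c:\\windows\\system32\\yabbxvt.dll
O20 - Winlogon Notify: yabbxvt - C:\\WINDOWS\\system32\\yabbxvt.dll
"""

# "O<n> - <rest of entry>" is the shape of every HijackThis finding line.
ENTRY_RE = re.compile(r"^(O\d+)\s*-\s*(.*)$")

# A DLL/EXE path, either quoted (may contain spaces) or bare (no spaces).
PATH_RE = re.compile(
    r'"([A-Za-z]:\\[^"]+?\.(?:dll|exe))"|([A-Za-z]:\\[^"\s]+?\.(?:dll|exe))',
    re.IGNORECASE,
)
VOWELS = set("aeiou")


def looks_random(stem):
    """Crude heuristic: an all-letter file stem of 6+ chars with under 25% vowels.

    Catches names like 'yabbxvt'; a real product name usually has more vowels.
    """
    s = stem.lower()
    if len(s) < 6 or not s.isalpha():
        return False
    return sum(c in VOWELS for c in s) / len(s) < 0.25


def parse_entries(text):
    """Return (code, body, raw_line) for every O-numbered line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2), line.strip()))
    return entries


def extract_paths(body):
    """Pull every DLL/EXE path out of an entry body, quoted or bare."""
    return [quoted or bare for quoted, bare in PATH_RE.findall(body)]


def triage(text):
    """Flag entries a helper should look at first; returns (code, raw, reasons)."""
    findings = []
    for code, body, raw in parse_entries(text):
        reasons = []
        if code == "O20":
            # AppInit_DLLs and Winlogon Notify load a DLL into every process
            # or at logon; legitimate software rarely needs either hook.
            reasons.append("O20 hook (AppInit_DLLs / Winlogon Notify)")
        if "mywebs~1" in body.lower() or "mywebsearch" in body.lower():
            reasons.append("MyWebSearch component (the toolbar being removed)")
        for path in extract_paths(body):
            fname = path.rsplit("\\", 1)[-1]
            stem = fname.rsplit(".", 1)[0]
            if "system32" in path.lower() and looks_random(stem):
                reasons.append(f"random-looking DLL name in system32: {fname}")
        if reasons:
            findings.append((code, raw, reasons))
    return findings


if __name__ == "__main__":
    for code, raw, reasons in triage(SAMPLE_HJT_LOG):
        print(f"[{code}] {raw}")
        for r in reasons:
            print(f"    - {r}")
```

Run it against a saved hijackthis.log by reading the file into `triage()` instead of the constructed sample; the security-product Run entries in the sample come out clean, while both O20 lines and both BHO lines are listed with the reason each was flagged.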

  5. eric53

    eric53 Private E-2

    The other log files.
     


  6. eric53

    eric53 Private E-2

    Forgot to say that I was unable to uninstall WeatherBug Browser Bar in Add/Remove Programs. I don't remember for sure if the error referenced in the previous post concerning the w6bar.dll file was from Avenger or when I tried to delete the program in Add/Remove Programs. Sorry.

    Eric
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking fix, just exit HJT.

    Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:
    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart; OK the prompt and your PC should reboot. If not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt
    Attach new logs for:
    ShowNew
    GetRun
    HJT
    Avenger

    Is this still showing in Add/Remove Programs?
    WeatherBug Browser Bar - powered by MyWebSearch
     
  8. eric53

    eric53 Private E-2

    The WeatherBug browser bar is still in Add/Remove Programs. Got this error when trying to delete:

    Error loading C:\PROGRA~1\MYWEBS~1\bar\1.bin\w6bar.dll
    The specified module could not be found.

    Got this error when running HJT:
    An unexpected error has occurred at procedure modBackup_MakeBackup(sItem=O20 - AppInit_DLLs:c\windows\system32\yabbxvt.dll) Error #5 - Invalid procedure call or argument


    Please email me at merijn@spywareinfo.com, reporting the following:
    * What you were trying to fix when the error occurred, if applicable
    * How you can reproduce the error
    * A complete HijackThis scan log, if possible

    Windows version: Windows NT 5.01.2600
    MSIE version: 7.0.5730.11
    HijackThis version: 1.99.1

    This message has been copied to your clipboard.
    Click OK to continue the rest of the scan.

    After following the steps in your last message, WeatherBug browser bar is still in Add/Remove Programs.
    Attached are new logs.
     


  9. eric53

    eric53 Private E-2

    Here is the last log file.
     


  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The WeatherBug will not uninstall since its files have been deleted; just find the folder and delete it.

    Your logs look clean. You may uninstall any programs we had you download (including CounterSpy).

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below:
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file and the associated C:\combofix.txt log that was created.
    3. If we used SDFix, you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
    * go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
    * How to Protect yourself from malware!
     
  11. eric53

    eric53 Private E-2

    Thanks so much for your help. I deleted the WeatherBug browser bar directory on the C drive, but the entry continued to show up in Add/Remove Programs, and it still will not delete from there. As long as the program is gone, I can live with the entry remaining there. Thanks again.

    Eric
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You're welcome.
    Run CCleaner ----> both the Cleaner and the Issues (make the backup when prompted).
    Also see if it is in the installed program list in CCleaner ...
     
