Please, I don't understand what else I need to do.

Discussion in 'Malware Help (A Specialist Will Reply)' started by bmcnair, Aug 14, 2006.

  1. bmcnair

    bmcnair Private E-2

    I probably don't have enough information for you but here goes...
    Last week I was on the internet and was basically attacked by something.... I don't know the difference between viruses, malware, and spyware. All I know is that there is something on my computer that is not supposed to be there. All of a sudden I had a "mirar" toolbar and things were popping up everywhere. I run Trend Micro OfficeScan, which was sending me large quantities of virus and outbreak alerts. I got online and looked up some of the names and followed instructions to delete certain registry keys and files; I even went through the processes running in Task Manager and deleted what I could.
    Then I found your site and followed the "READ & RUN ME FIRST" instructions. I ran all the scans and I have no idea what else I am supposed to do... Is running the scans all I do, or am I supposed to go in and delete something else? I have attached 3 of the logs I have, and I do have the bdscan.txt also.
    Here is what I know I have:

    Windows XP
    CPU= 1366 MHz
    Mem= 512 MB

    Please help, I have no idea what I am doing.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You did not allow CounterSpy to fix what it found. Run it again and make sure you fix everything. This will make our job easier. Also attach a new log from CounterSpy. Do this now before continuing.

    We need the complete set of logs as specified in the READ ME. You have attached only 3 of the 6.
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat

    • CounterSpy - ONLY IF you were not able to run Windows Defender
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    • HijackThis
     
    Last edited: Aug 15, 2006
  3. bmcnair

    bmcnair Private E-2

    I'm sorry, it will only let me upload 3 attachments at a time. Also, I am running CounterSpy because it wouldn't let me run Windows Defender. I don't know how to post more than 3 attachments, so I will attach the CounterSpy.txt to a new one... sorry. I removed all of the items it detected... even the ones in quarantine.
    Thank you....
     

    Attached Files:

  4. bmcnair

    bmcnair Private E-2

    Here is the CounterSpy.txt log.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The READ ME refers you to this HOW TO: Attach Items To Your Post at least three times. It explains the 3 attachment limit to you.

    Please download and run the current version of ShowNew which gives us some additional information. The previous log you obtained indicates there was some kind of problem running ShowNew. Attach the new log!

    Did you set up the below policy settings yourself?

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
    "DisablePersonalDirChange"=dword:00000001
    "NoDesktopCleanupWizard"=dword:00000001
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoWelcomeScreen"=dword:00000001

    Okay, let's see if we can get a few things fixed!

    Start by downloading - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\WINDOWS\system32\ekuxpv3.exe
    C:\WINDOWS\system32\uvzgi.exe
    C:\dfndrfh_10.exe
    C:\kybrdfh_10.exe
    C:\WINDOWS\system32\zkdmg.exe
    C:\WINDOWS\system32\FNTS~1\userinit.exe
    C:\Documents and Settings\rmcnair\Application Data\?dobe\w?auclt.exe


    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mccdc.org/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://W2KSVR2:8080
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: Wfpmj Class - {A5AD8FF3-64A3-4A07-BE7E-A7E6C197DF73} - C:\WINDOWS\system32\vm7cmapox.dll
    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
    O4 - HKLM\..\Run: [zbXb] C:\WINDOWS\system32\ekuxpv3.exe
    O4 - HKLM\..\Run: [Nm6NqZ] "C:\WINDOWS\system32\riwzkn.exe"
    O4 - HKLM\..\Run: [defender] C:\\dfndrfh_10.exe
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdfh_10.exe
    O4 - HKCU\..\Run: [Tair] "C:\WINDOWS\system32\FNTS~1\userinit.exe" -vt ndrv
    O4 - HKCU\..\Run: [Guscay] C:\Documents and Settings\rmcnair\Application Data\?dobe\w?auclt.exe
    O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
    O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O18 - Filter: text/html - {9925D813-EAAC-44AA-BBA7-02DD66D3C6FE} - C:\WINDOWS\system32\vm7cmapox.dll
    O20 - AppInit_DLLs:

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\WINDOWS\Downloaded Program Files\USDR6_0001_D18M2707NetInstaller.exe
    C:\WINDOWS\Downloaded Program Files\USDR6_0001_D18M2707NetInstaller.inf
    C:\asdf.txt

    C:\dfndrfh_10.exe
    C:\kybrdfh_10.exe
    C:\WINDOWS\system32\ekuxpv3.exe
    C:\WINDOWS\system32\uvzgi.exe
    C:\WINDOWS\system32\riwzkn.exe
    C:\WINDOWS\system32\vm7cmapox.dll
    C:\WINDOWS\system32\zkdmg.exe
    C:\WINDOWS\system32tpsd.exe
    C:\WINDOWS\system32\poznfsqy.exe
    C:\WINDOWS\system32\wtssvit.exe
    C:\WINDOWS\system32\FNTS~1\userinit.exe
    C:\Program Files\System Files\System.exe
    C:\Documents and Settings\rmcnair\Application Data\?dobe\w?auclt.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete it if found:
    C:\Program Files\System Files


    Now attach a new HJT log and tell me how the steps went.

    Make sure you tell me how things are working now!
     
    Last edited: Aug 16, 2006
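A defender-side triage helper for HijackThis output like the entries listed above (an added example, not code from this thread, from MajorGeeks or from HijackThis itself): it parses R0/R1, O2, O4, O16 and O20 lines and flags the patterns chaslang singled out, namely search and start pages pointing at unknown hosts, BHO entries whose DLL is gone, Run-key autostarts launched from the drive root or with characters HijackThis could not render, ActiveX (DPF) installers and a present AppInit_DLLs entry. The KNOWN_HOSTS allowlist and the benign "SomethingLegit" line are assumptions; the other sample lines are quoted from the post above.

```python
import re
# Constructed sample: HijackThis lines quoted from the thread above, plus one made-up benign O4 ("SomethingLegit").
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O4 - HKLM\..\Run: [defender] C:\\dfndrfh_10.exe
O4 - HKCU\..\Run: [Guscay] C:\Documents and Settings\rmcnair\Application Data\?dobe\w?auclt.exe
O4 - HKLM\..\Run: [SomethingLegit] C:\Program Files\Vendor\app.exe
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab
O20 - AppInit_DLLs:
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.*)$")
# Assumption: hosts the machine's owner recognises as their own home/search pages.
KNOWN_HOSTS = {"www.dell.com", "www.mccdc.org"}

def host_of(url):
    m = re.match(r"https?://([^/\s]+)", url)
    return m.group(1).lower() if m else None

def analyse(log_text):
    findings = []  # (HijackThis line kind, reason it deserves a second look)
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        if kind in ("R0", "R1") and " = " in rest:           # IE start/search/proxy settings
            setting, value = rest.split(" = ", 1)
            host = host_of(value)
            if host and host not in KNOWN_HOSTS:
                findings.append((kind, f"{setting.split(',')[-1]} points to unknown host {host}"))
        elif kind == "O2" and rest.endswith("(no file)"):    # BHO CLSID still registered, DLL gone
            findings.append((kind, "BHO registered but its file is missing"))
        elif kind == "O4":                                   # Run-key autostarts
            path = rest.split("] ", 1)[-1].strip('"')
            reasons = []
            if "?" in path:
                reasons.append("path contains characters HijackThis could not render")
            if re.match(r"^[A-Za-z]:\\+[^\\]+\.exe$", path):
                reasons.append("executable launched from drive root")
            if reasons:
                findings.append((kind, f"autorun {path}: " + "; ".join(reasons)))
        elif kind == "O16":                                  # ActiveX drive-by installers
            findings.append((kind, f"ActiveX (DPF) download from {host_of(rest.rsplit(' - ', 1)[-1])}"))
        elif kind == "O20" and rest.startswith("AppInit_DLLs"):
            findings.append((kind, "AppInit_DLLs entry present; verify its value"))
    return findings
```

Running analyse(SAMPLE_LOG) yields six findings; the two entries the owner recognises (the Dell home page and the made-up vendor autorun) are left alone.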
  6. bmcnair

    bmcnair Private E-2

    I already understood the limit of 3, I don't know why I didn't just do a second post and add the others... panic mode I guess. Now: Before continuing with your instructions... when I get into HJT and try to kill the processes, three of them keep coming back. Should I just click kill it and continue even though it is still listed in the processes? I didn't want to continue the steps without knowing what to do here. These are the processes that keep coming back:
    C:\WINDOWS\system32\ekuxpv3.exe
    C:\WINDOWS\system32\uvzgi.exe
    C:\WINDOWS\system32\zkdmg.exe
    As for your question, no, I didn't set up those settings myself.
    Thank you.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just select all three at the same time (hold down the CTRL key while selecting) then kill all three at the same time. If they come back, just continue with all steps anyway. MAKE SURE to look at the procedure again! I updated the list of files to delete based on your new ShowNew log.

    I see ShowNew ran properly this time. Looks like this time you remembered to extract ALL files from the ZIP file. ;)
     
    Last edited: Aug 16, 2006
