Problems with a virus that has taken over

Discussion in 'Malware Help (A Specialist Will Reply)' started by nanotech99, Mar 9, 2009.

  1. nanotech99

    nanotech99 Private E-2

    Malware Post
    In December 2008 I was surfing and looking at adult pictures online with IE Explorer.
    I do not recall installing or clicking okay to any programs. I was getting a lot of pop-ups and hijacked browser windows.
    I run AVG 8.

    - I got the antivirus 2008 and xpolice malware.
    - It changed my wallpaper to a picture with colored blocks
    - did not allow me to change the background. The desktop tab of display properties is grayed out and inactive.
    - there was an icon on the taskbar that looked like a fake windows update symbol
    - there was a balloon popping up from the taskbar saying run antivirus 2008
    - an antivirus 2008 window would open and start scanning my computer.
    - IE explorer opens up window after window. It fills the screen, they keep opening up over and over.
    - Sometimes the computer will get stuck starting up.
    - I cannot run .exe files. I get “the system administrator has set up policies to prevent installation”
    - I cannot use control-alt-delete.
    - the computer bleeps and freezes which causes me to have to reboot.
    - Google chrome will not open sometimes. Other times it pops open for a second and then closes.
    - firefox will not work properly.
    - get a window that says Google Installer has malfunctioned please send info to Microsoft.
    - I cannot go on stand-by when programs are open
    - The wrksqumczgeilnapirro.cn/s_t_t.php window from AVG pops up often.
    - at some point the file started saying antivirus 2009

    I have gone through the steps in the READ & RUN ME FIRST page.
    I have done all of the cleaning and scanning tests.
    I was not able to open SAS, SpyBot or Malwarebytes, even in safe mode as admin.

    CCleaner and MGlogs were the only ones I could run.
    Please help me out.

    Thanks.
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there and welcome :)

    I am currently reviewing your logs and will get back to you with a set of instructions as soon as possible. Thanks for your patience during this time.
    Kes
     
  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there...you have been infected for a long time, let's start with this:


    1) If you do not use Windows Messenger Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


    2) Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
    O2 - BHO: WinGDI Class - {12c7290a-157b-4f43-b109-97e792c598ed} - C:\WINDOWS\iehost.dll
    O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - C:\WINDOWS\system32\iehelper.dll (file missing)
    O4 - HKLM\..\Run: [runsql] C:\WINDOWS\runsql.exe
    O4 - HKLM\..\Run: [odb] C:\WINDOWS\odb.exe
    O4 - HKLM\..\Run: [UpdateWin] C:\WINDOWS\system32\AcSignExtResx.exe
    O4 - HKLM\..\Run: [netx] C:\WINDOWS\svx.exe
    O4 - HKLM\..\Run: [netw] C:\WINDOWS\svw.exe
    O4 - HKLM\..\Run: [netsv32] C:\WINDOWS\sv.exe
    O4 - HKLM\..\Run: [netc] C:\WINDOWS\svc.exe
    O4 - HKLM\..\Run: [net64] C:\WINDOWS\svhoster.exe
    O4 - HKLM\..\RunServices: [UpdateWin] C:\WINDOWS\system32\AcSignExtResx.exe
    O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [Msn] c:\e7Bp.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnHost] c:\e7Bp.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnLoad] c:\e7Bp.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnConvert] c:\e7Bp.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnMessendger] c:\e7Bp.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [Msn] c:\e7Bp.exe (User 'Default user')
    O22 - SharedTaskScheduler: IPC Configuration Utility - IPC Configuration Utility - (no file)


    After clicking Fix exit HJT.

    3) Now we need to use ComboFix to remove a whole bunch of malware files.

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it
    (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    
    KILLALL::
    
    File::
    C:\Ac4W.bat
    C:\ae1OM.bat
    C:\aEOffhW.bat
    C:\asoQ.txt
    C:\at4g7.bat
    C:\B0l1sJFr.bat
    C:\BOFvY1q.bat
    C:\bS0FMTph.bat
    C:\bt.bat
    C:\Bug.txt
    C:\BWD.txt
    C:\bxqg6fs.bat
    C:\CbE7.bat
    C:\CuuH.bat
    C:\CzI.txt
    C:\DfC70Qki.txt
    C:\DkcYrkyR.txt
    C:\DrOZtxs.txt
    C:\dti.bat
    C:\dXgZOD5g.txt
    C:\eaaoN3gq.bat
    C:\ECPGl.bat
    C:\EDMNo6zr.bat
    C:\EFdAUXbf.bat
    C:\Emal.bat
    C:\EV1S2.txt
    C:\eVU5FhS.bat
    C:\EYc6D.bat
    C:\f6QYdha.bat
    C:\FAYMpU1H.bat
    C:\FccZuud.txt
    C:\fKUienip.txt
    C:\fq4.bat
    C:\FviqOPZE.bat
    C:\fvmiW.bat
    C:\g7lNtkcF.bat
    C:\g91GC.bat
    C:\gKKfxT.bat
    C:\Gzt.bat
    C:\h8MN9E.txt
    C:\h8vAl.bat
    C:\heLVlhP.bat
    C:\hLf.bat
    C:\HNJo6.bat
    C:\hoo.bat
    C:\hz8.bat
    C:\I0RqSnH.bat
    C:\I3xe24g.bat
    C:\Ibb.bat
    C:\ibFQD3bn.bat
    C:\IJYafkT.txt
    C:\ikyC.bat
    C:\IRZFvais.bat
    C:\iYSz.bat
    C:\Jcw1rTAv.bat
    C:\jHDvO.txt
    C:\jUlu.txt
    C:\K3nCiTHq.bat
    C:\K8SqKnz.txt
    C:\kBV.bat
    C:\kkBvL.bat
    C:\KkTD.bat
    C:\Klo.bat
    C:\koRJ.txt
    C:\ksoelu0.bat   
    C:\L00EU.txt
    C:\L1kFgf9.bat
    C:\LC3.txt
    C:\lC7.txt
    C:\Lk3oV.bat
    C:\LstfzdU.bat
    C:\m0MGuMm.txt
    C:\M4eYo.bat
    C:\m5P6cD.bat
    C:\M9dUAQZK.txt
    C:\MfpPAO0.txt
    C:\MHkw2IVL.txt
    C:\mkR.txt
    C:\mr4u8OEl.bat
    C:\MSD5SUdz.txt
    C:\mTUQu.bat
    C:\NAe.txt
    C:\NBs2v7Xg.bat
    C:\Ntm9b.txt
    C:\nYsV.bat
    C:\O0aMUVbe.txt
    C:\odMun.txt
    C:\OrLq.bat
    C:\p4XESXx.txt
    C:\PBBiR.bat
    C:\PbC2BsPr.bat
    C:\pe7.bat
    C:\PHCCQE.bat
    C:\PmzK.bat
    C:\PnOTOh.bat
    C:\PVxLDU8.bat
    C:\PZ9u5.txt
    C:\q1si2qu.bat
    C:\QChs.txt
    C:\qjuT.bat
    C:\QOgtd.bat
    C:\QSoC.txt
    C:\qVe3B.txt
    C:\qYB8.bat
    C:\R0c.bat
    C:\R8j.bat
    C:\Rku49yKW.txt
    C:\rlg78.txt
    C:\s8H.bat
    C:\script.txt
    C:\Sex.bat
    C:\sOd.txt
    C:\sRPw.bat
    C:\SYRWsf.bat
    C:\testfile.bat
    C:\TgqKxs4.bat
    C:\tjB88ED0.bat
    C:\tNOZqXc.bat
    C:\TXQQhKLT.bat
    C:\TxYB.bat
    C:\UDmG3m.bat
    C:\UEaxuHy.txt
    C:\ULp.bat
    C:\UN4.bat
    C:\UTZV.txt
    C:\VEE5exGK.bat
    C:\vjwxVyL.bat
    C:\vr2Lgt.bat
    C:\W3u.txt
    C:\WbBjp7RF.bat
    C:\WCqr.txt
    C:\WDOT.bat
    C:\wGoi7jD.bat
    C:\wGZFAf.bat
    C:\wMr9yHk.txt
    C:\wSlYSvE.bat
    C:\X4Y.bat
    C:\xEbX0tV.txt
    C:\xsVphE.txt
    C:\xYkFc8yX.txt
    C:\YAD4Qz.bat
    C:\Yd00.txt
    C:\ydBB9xq.bat
    C:\yg4C481d.txt
    C:\YpCWFU.bat
    C:\YSB.bat
    C:\Yzsm.bat
    C:\z0o3P3ST.bat
    C:\Z4Uru2t.bat
    C:\z7V.bat
    C:\ZBjg6.txt
    C:\ZbZ.bat
    C:\zmKq.txt
    C:\ZRr.bat
    C:\zt3O.txt
    C:\ZV269.txt
    C:\ZwVGm9.bat
    C:\WINDOWS\fuwabi._sy
    C:\WINDOWS\jako.dat
    C:\WINDOWS\mibigyquhe.exe
    C:\WINDOWS\fuwabi._sy
    C:\WINDOWS\jako.dat
    C:\WINDOWS\mibigyquhe.exe
    C:\WINDOWS\nejagudumi.dl
    C:\WINDOWS\ntbtlog.txt
    C:\WINDOWS\nuny.bat     
    C:\WINDOWS\tyheje.bin
    C:\WINDOWS\uxibyxo.dl   
    C:\WINDOWS\vyluli~1.inf 
    C:\WINDOWS\winupiqi._dl
    C:\Program Files\Internet Explorer\SET4B.tmp
    C:\Program Files\Internet Explorer\SET4B.tmpSET4C.tmp
    C:\Program Files\Internet Explorer\SET4B.tmpSET4E.tmp
    C:\Program Files\Internet Explorer\SET4B.tmpSETB2.tmp
    C:\Program Files\Internet Explorer\SET4B.tmpSETB3.tmp
    C:\Program Files\Internet Explorer\SET4B.tmpSETB4.tmp
    C:\Program Files\Internet Explorer\SIGNUP\SET52.tmp
    C:\Program Files\Internet Explorer\SIGNUP\setb5.tmp     
    
    DirLook::
    C:\Documents and Settings\Administrator\My Documents\Updater5
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{12c7290a-157b-4f43-b109-97e792c598ed}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9C42510-9B21-41c1-9DCD-8382A2D07C61}]
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


      http://farm4.static.flickr.com/3014/3035535531_512f04c6a2_o.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    4) Could you please get this enojifod.sys into a zipped file and attach it for me in your next post? To do this, see the below:

    Please go to start > Run and paste in the following:

    5) Run Ccleaner!

    6) Now go to this link Using MGTools and download the new version of MGtools.exe using the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.

    7) Try running SUPERantispyware & Malwarebytes in NORMAL mode (not safe mode). If you are successful, attach the logs they create.

    8) Attach the log from ComboFix ...> (C:\Combofix.txt)

    9) Run the new MGTools.exe (also be sure you're in normal mode if possible!) and attach the log it generates in your next reply ...> (C:\MGlogs.zip)

    10) Let me know how things are running now!

    Thanks
    Kestrel13!
     
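    The HijackThis lines Kestrel13! asks for above share one fixed layout: a section code (R3, O1, O2, O4, O22), the registry location or hook type, a [value name] for O4 entries, and the command or file the entry points at. The script below is an added example, not code from this thread, from HijackThis or from MGtools. It parses lines in that layout and applies the same defender's heuristics the reply applies by eye: entries marked (no file) or (file missing) whose file is already gone, a hosts-file line that sends a vendor domain to a non-loopback address, executables loading from the drive root or from bare C:\WINDOWS, autostarts placed under Policies\Explorer\Run, and several value names all pointing at one binary (as the e7Bp.exe entries do). The sample log is constructed from lines of the same shape as those quoted here; the flag names and the location rule are my own assumptions, not HijackThis features.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed sample log: HijackThis-style lines in the same layout as the ones
# quoted in this thread (not a real log file from the poster's machine).
SAMPLE_LOG = r"""R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: WinGDI Class - {12c7290a-157b-4f43-b109-97e792c598ed} - C:\WINDOWS\iehost.dll
O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - C:\WINDOWS\system32\iehelper.dll (file missing)
O4 - HKLM\..\Run: [netx] C:\WINDOWS\svx.exe
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [Msn] c:\e7Bp.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [Msn] c:\e7Bp.exe (User 'Default user')
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O22 - SharedTaskScheduler: IPC Configuration Utility - IPC Configuration Utility - (no file)
"""

@dataclass
class Entry:
    section: str                 # HijackThis section code, e.g. "O4"
    raw: str                     # the original log line
    name: str = ""               # Run value name / BHO name / hosts name
    path: str = ""               # file the entry points at, if any
    flags: List[str] = field(default_factory=list)   # triage findings (assumed names)

O4_RE = re.compile(r'^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{[^}]+\} - (?P<path>.*)$')
O1_RE = re.compile(r'^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)')
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}   # normal hosts-file targets (blocking or local)

def _first_path(cmd: str) -> str:
    """Extract the executable path from a Run command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]

def parse_line(line: str) -> Entry:
    """Parse one log line and attach per-line triage flags."""
    section = line.split(" - ", 1)[0]
    e = Entry(section=section, raw=line)
    if section == "O4" and (m := O4_RE.match(line)):
        e.name, e.path = m["name"], _first_path(m["cmd"])
        if "\\Policies\\Explorer\\Run" in m["key"]:
            e.flags.append("policy_run")        # autostart hidden under Policies, unusual for software
    elif section == "O2" and (m := O2_RE.match(line)):
        e.name = m["name"]
        e.path = m["path"].replace("(file missing)", "").strip()
    elif section == "O1" and (m := O1_RE.match(line)):
        e.name = m["host"]
        if m["ip"] not in LOOPBACK:
            e.flags.append("hosts_redirect")    # a domain silently sent to a third-party address
    if "(no file)" in line or "(file missing)" in line:
        e.flags.append("orphan")                # entry survives although its file is gone
    if e.path:
        parent = [p.lower() for p in PureWindowsPath(e.path).parent.parts]
        # Drive root (c:\x.exe) or bare C:\WINDOWS are rare homes for legitimate autostarts.
        if len(parent) == 1 or parent[1:] == ["windows"]:
            e.flags.append("suspicious_location")
    return e

def triage(log: str) -> List[Entry]:
    """Parse a whole log and return only the entries with at least one flag."""
    entries = [parse_line(l) for l in log.splitlines() if l.strip()]
    by_path: Dict[str, List[Entry]] = {}
    for e in entries:
        if e.section == "O4" and e.path:
            by_path.setdefault(e.path.lower(), []).append(e)
    for group in by_path.values():
        if len(group) > 1:                      # many value names, one binary: persistence padding
            for e in group:
                e.flags.append("duplicate_target")
    return [e for e in entries if e.flags]

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:<4}{', '.join(e.flags):<45}{e.raw}")
```

    Running it prints every line except the MSMSGS one, which lives under Program Files and carries no flag; the two e7Bp.exe entries collect all three of policy_run, suspicious_location and duplicate_target. The flags are prompts for a human reviewer, exactly as the thread treats them: a line is fixed because the helper has confirmed it, not because a heuristic fired.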
  4. nanotech99

    nanotech99 Private E-2

    Thanks for starting with me.
    I tried all of the steps you gave me a few times.

    I was not able to run combofix, sas, or malwarebytes in any mode.

    here are the log files i was able to get.

    My computer is freezing and bleeping in normal mode after a few minutes of use.

    eek.

    What can I do now?

    thanks!
     


  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK Let's try a reg patch... first please do the below if you can:

    1) Download HostsXpert and then follow the below steps.

    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • click the Make Writeable? button.
    • click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program


    2) Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.


    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.



    3) Bring up the Task Manager by pressing Ctrl/Alt and Del. On the "processes" tab click on "image name" to alphabetize the list. Have a careful look for ---> e7Bp.exe and if it is running please right click its entry and choose to "end process"

    4) Navigate to your C:\ Drive and locate e7Bp.exe and delete it.

    5) Also while you are in the C drive please carefully check my list of those .bat and .txt files that are in my Combofix script and manually delete them, being careful to ONLY nuke the ones from my list and nothing else until I have seen fresh logs from you.

    6) Now go to this link Using MGTools and download the new version of MGtools.exe using the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.

    7) Run the new MGTools.exe and attach the MGlogs.zip that it generates ---> (C:\Mglogs.zip)

    8) Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Thanks
    kestrel13!
     
  6. nanotech99

    nanotech99 Private E-2

    I did all the steps.

    I did not find the e7Bp.exe.

    I removed all the .txt and .bat files on the c drive.
    That was kind of fun in a weird way.
    I wasn't sure the name of this file C:\WINDOWS\vyluli~1.inf.
    I saw a vylulipuk.inf.
    so i didn't delete it.

    I had to try to start up in normal mode three times. I am still getting the
    windows encountered a problem, please send a report, and AVG pop ups.

    Please advise what to do next.

    thanks.
     


  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Ensure that you also delete the below bold files, most importantly the first file in the windows directory.


    C:\WINDOWS\vylulipuk.inf

    C:\Program Files\Internet Explorer\SET4C.tmp
    C:\Program Files\Internet Explorer\SET4E.tmp
    C:\Program Files\Internet Explorer\SETB2.tmp
    C:\Program Files\Internet Explorer\SETB3.tmp
    C:\Program Files\Internet Explorer\SETB4.tmp


    Let me know the contents of this folder, without actually clicking on anything contained within.


    Please tell me exactly what you mean by avg pop ups. Are you saying that AVG is reporting it's finding something? If so please tell me what and at which location the threat is being flagged. Do you mean the below:


    Which file? Is AVG still reporting it's finding antivirus 2009?

    Please tell me how your machine is running now and get me fresh logs by doing the below:

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Thanks
    Kes
     
  8. nanotech99

    nanotech99 Private E-2

    I deleted:
    C:\WINDOWS\vylulipuk.inf
    C:\Program Files\Internet Explorer\SET4C.tmp
    C:\Program Files\Internet Explorer\SET4E.tmp
    C:\Program Files\Internet Explorer\SETB2.tmp
    C:\Program Files\Internet Explorer\SETB3.tmp
    C:\Program Files\Internet Explorer\SETB4.tmp



    I looked for
    C:\Documents and Settings\Administrator\My Documents\Updater5
    The closest folder I can find to this is:
    C:\Documents and Settings\Administrator\My Documents
    This folder contains only the Administrator's Music, Picture and Videos folders.


    When I start up in normal mode i get the windows attached in .jpg.

    My original infection in December 2008
    It was a beige balloon saying "antivirus 2008" plus other things listed in the original post.
    AVG seemed to take care of that balloon after a few days.
    Then in January I was reinfected by a balloon that stated "antivirus 2009".
    I am not sure if these are two separate infections or one continued infection.


    When I start up as admin in safe mode I get a Microsoft Phishing filter window.
    Normal mode freezes after a few minutes. It often freezes before it finishes booting. It freezes in a different spot each time I try to boot in normal mode.

    thanks for the continued help.

    nan.
     


  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    1) Teatimer is running ---> it could interfere with our fix, please see the below on how to disable it:

    How to disable Spybot's TeaTimer

    2) Windows Messenger is running-

    If you do not use Windows Messenger Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    3) Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [netzip] C:\WINDOWS\svzip.exe
    O4 - HKUS\S-1-5-21-1979992680-2795355733-2390286710-1005\..\Run: [PoliceAV] C:\Program Files\XPPoliceAntivirus\xppolice.exe (User 'nano')
    O4 - HKUS\S-1-5-21-1979992680-2795355733-2390286710-1005\..\Run: [MS AntiSpyware 2009] "C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" /autorun (User 'nano')
    O4 - HKUS\S-1-5-21-1979992680-2795355733-2390286710-1005\..\RunServices: [UpdateWin] C:\WINDOWS\system32\AcSignExtResx.exe (User 'nano')
    O22 - SharedTaskScheduler: Windows Installer Class - {020487CC-FC04-4B1E-863F-D9801796230B} - C:\DOCUME~1\nano\LOCALS~1\Temp\wndutl32.dll (file missing)


    After clicking Fix exit HJT.

    4) Now I would like for you to rename ComboFix to 123.exe ---> confirm this and now try the below:

    Let's try using ComboFix to remove a bunch of malware files.

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it
    (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    
    KILLALL::
    
    File::
    C:\WINDOWS\enojifod.sys
    C:\WINDOWS\svzip.exe
    C:\WINDOWS\system32\1947222432.dat
    C:\Program Files\XPPoliceAntivirus\xppolice.exe
    C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe
    C:\WINDOWS\system32\AcSignExtResx.exe
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "netzip"=-
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


      http://farm4.static.flickr.com/3014/3035535531_512f04c6a2_o.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    5) Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix if the run was successful.


    6) If the renaming of combofix as above did not work then please rename it to combofix.com or 123.com and try again.

    If it won't run at all let's use another little reg patch to take out at least one bad start-up entry.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.



    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    7) Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!!


    Thanks
    Kestrel13!
     
  10. nanotech99

    nanotech99 Private E-2

    I did all of the steps you just gave me and they worked.

    I am now in normal mode and it seems to be stable.

    I am receiving the AVG pop up for the "wrksqumczgeilnapirro.cn/s_t_t.php".
    This is the same window from before. I have attached what it looks like.


    This is great, what should i do now?

    nan.
     


  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    -Not quite-


    But you ran MGTools.exe in safe mode. Let's see if you can do the below in normal mode now as things didn't get fixed last time round and we still have a bit to do.


    1) Can you tell me if you know anything about the below files? If you don't please use windows explorer to find and delete them.

    • c:\windows\enojifod.zip
    • C:\WINDOWS\enojifod.sys


    2) FYI: Windows Messenger is still running!


    3) Teatimer is also still running! Please follow my earlier instructions in the given link to disable it because it's entirely possible that it could be preventing certain things from getting fixed at this point.

    4) Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKLM\..\Run: [netzip] C:\WINDOWS\svzip.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-21-1979992680-2795355733-2390286710-1005\..\Run: [UpdateWin] C:\WINDOWS\system32\AcSignExtResx.exe (User 'nano')
    O4 - HKUS\S-1-5-21-1979992680-2795355733-2390286710-1005\..\Run: [system tool] C:\WINDOWS\sysguard.exe (User 'nano')
    O4 - HKUS\S-1-5-21-1979992680-2795355733-2390286710-1005\..\Run: [PoliceAV] C:\Program Files\XPPoliceAntivirus\xppolice.exe (User 'nano')
    O4 - HKUS\S-1-5-21-1979992680-2795355733-2390286710-1005\..\Run: [MS AntiSpyware 2009] "C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" /autorun (User 'nano')
    O4 - HKUS\S-1-5-21-1979992680-2795355733-2390286710-1005\..\RunServices: [UpdateWin] C:\WINDOWS\system32\AcSignExtResx.exe (User 'nano')
    O22 - SharedTaskScheduler: Windows Installer Class - {020487CC-FC04-4B1E-863F-D9801796230B} - C:\DOCUME~1\nano\LOCALS~1\Temp\wndutl32.dll (file missing)


    After clicking Fix exit HJT.

    5) Now we need to use ComboFix to remove a bunch of malware files.

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it
    (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    
    
    KILLALL::
    
    File::
    C:\DOCUME~1\nano\LOCALS~1\Temp\wndutl32.dll
    C:\Program Files\XPPoliceAntivirus\xppolice.exe
    C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe
    C:\WINDOWS\sysguard.exe
    c:\program files\Common Files\gumaweg.ban
    c:\program files\Common Files\jaqurono.db
    c:\documents and settings\All Users\Application Data\vatowocyf.dat
    c:\documents and settings\nano\Application Data\hynebe.reg
    c:\documents and settings\All Users\Application Data\nuqihovi.com
    c:\documents and settings\All Users\Application Data\alake.dll
    c:\documents and settings\All Users\Application Data\tinesa.dat
    c:\documents and settings\All Users\Application Data\amaw.reg
    c:\program files\Common Files\japusi.dl
    c:\documents and settings\nano\Application Data\fuvili.bat
    c:\documents and settings\nano\Application Data\ykaron.com
    c:\program files\Common Files\jywi.ban
    c:\documents and settings\nano\Application Data\yxowyt.exe
    c:\documents and settings\All Users\Application Data\enek.com
    c:\windows\Tasks\At48.job
    c:\windows\system32\AcSignExtResx.exe
    
    
    Folder::
    c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "netzip"=-
    
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


      http://farm4.static.flickr.com/3014/3035535531_512f04c6a2_o.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    6) Run Ccleaner!

    7) Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

    8) Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Thanks
    Kes
     
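    The CFScript blocks in this reply and the earlier ones all use the same layout: a section name followed by "::" (KILLALL, File, Folder, DirLook, Registry, and later AtJob), then one item per line, with Registry:: items written like a .reg file ([-KEY] removes a key, [KEY] followed by "name"=- removes one value). As an added example that is not code from this thread or from ComboFix, the script below parses that layout into sections, collapses repeated File:: lines (the first script in this thread listed a few files twice), decodes the Registry:: operations, and then checks the script against the list of autostart targets pulled from the HijackThis lines in the same reply, reporting any target the File:: section would leave on disk. The sample script and the target list are constructed from paths quoted in this thread; the coverage check and the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed CFScript sample in the layout used in this thread: a section name
# followed by "::", then one item per line, blank line between sections.  The
# paths are the ones quoted in the reply; one File:: line is deliberately repeated.
SAMPLE_SCRIPT = r"""KILLALL::

File::
C:\WINDOWS\enojifod.sys
C:\WINDOWS\svzip.exe
C:\WINDOWS\svzip.exe
C:\Program Files\XPPoliceAntivirus\xppolice.exe
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe
C:\WINDOWS\system32\AcSignExtResx.exe

Folder::
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"netzip"=-
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{12c7290a-157b-4f43-b109-97e792c598ed}]
"""

# Autostart targets taken from the O4/O22 HijackThis lines in the same reply
# (constructed list; in practice you would fill it from the parsed log).
AUTOSTART_TARGETS = [
    r"C:\WINDOWS\svzip.exe",
    r"C:\Program Files\XPPoliceAntivirus\xppolice.exe",
    r"C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe",
    r"C:\WINDOWS\system32\AcSignExtResx.exe",
    r"C:\DOCUME~1\nano\LOCALS~1\Temp\wndutl32.dll",
]

HEADER_RE = re.compile(r'^([A-Za-z]+)::\s*$')
VALUE_DEL_RE = re.compile(r'^"([^"]+)"=-$')

def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {section: [items]}, dropping case-insensitive
    duplicate items within a section (first occurrence wins)."""
    sections: Dict[str, List[str]] = {}
    seen: Dict[str, set] = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()            # the thread's scripts carry trailing spaces
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            seen.setdefault(current, set())
            continue
        if current is None:
            raise ValueError(f"item before any section header: {line!r}")
        if line.lower() not in seen[current]:
            seen[current].add(line.lower())
            sections[current].append(line)
    return sections

@dataclass
class RegOp:
    action: str      # "delete_key" or "delete_value"
    key: str
    value: str = ""

def registry_ops(items: List[str]) -> List[RegOp]:
    """Decode Registry:: lines: [-KEY] deletes a key, [KEY] then "name"=- deletes a value."""
    ops: List[RegOp] = []
    key = None
    for item in items:
        if item.startswith("[-") and item.endswith("]"):
            ops.append(RegOp("delete_key", item[2:-1]))
            key = None
        elif item.startswith("[") and item.endswith("]"):
            key = item[1:-1]
        elif (m := VALUE_DEL_RE.match(item)) and key:
            ops.append(RegOp("delete_value", key, m.group(1)))
        else:
            raise ValueError(f"unrecognised Registry:: line: {item!r}")
    return ops

def coverage(sections: Dict[str, List[str]], targets: List[str]) -> Tuple[List[str], List[str]]:
    """Which autostart targets the File:: section deletes, and which it leaves alone."""
    listed = {p.lower() for p in sections.get("File", [])}
    covered = [t for t in targets if t.lower() in listed]
    missing = [t for t in targets if t.lower() not in listed]
    return covered, missing

if __name__ == "__main__":
    script = parse_cfscript(SAMPLE_SCRIPT)
    for op in registry_ops(script["Registry"]):
        print(op)
    covered, missing = coverage(script, AUTOSTART_TARGETS)
    print("covered:", covered)
    print("not covered by File:: :", missing)
```

    On this sample the only uncovered target is wndutl32.dll, which the HijackThis line marks as (file missing); the corresponding O22 entry is cleared through HijackThis instead, and this reply's script does list that path anyway. That is the point of the check: before a removal script is handed over, every autostart the log flagged should either be in File::, be removed by a Registry:: operation, or be knowingly left alone.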
  12. nanotech99

    nanotech99 Private E-2

    I found them and deleted them
    I ran messengerdisable.exe twice, in normal mode and in safe mode.

    I followed the steps in the teatimer link twice. Once in normal mode, once in safe mode.

    I did this

    Done


     


  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    1) Now we need to use ComboFix again.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it
    (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    
    KILLALL::
    
    AtJob::
    DEL /A/F/Q "%Tasks%\AT*.job"
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


      http://farm4.static.flickr.com/3014/3035535531_512f04c6a2_o.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    2) Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

    3) Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  14. nanotech99

    nanotech99 Private E-2

    done

    The computer seems to be running smoothly.
    No more pop ups.
    So far so good.

    My clock is set to military time.

    here are the logs.

    What else can I do.

    Thanks
    nan.
     


  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Go to the control panel / Regional and Lang. / customize / time and change it to the format you want.

    Glad to hear it!


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
  16. nanotech99

    nanotech99 Private E-2

    This is great.
    Thank you so much you've been such a fabulous help.
    Because of you I now know how to clean up my computer and to keep it safe.
    I have another friend who could use help with the computer because it's slow and I'll refer them to this site.

    I followed the suggestions on the other pages and now have up-to-date antivirus firewalls etc. I got this pop up earlier today. I guess that just means the antivirus is working.
    There are few programs that won't run with my PC Tools firewall. I guess I can work that out on my own.

    Thank you so much Kes.
    Is there something I can do to repay you or the Major geeks forum.
    You are very patient and explained all the steps in great detail so that I could follow them.
    I learned loads and even when my computer wouldn't start up at all, it was still kind of fun to go through the process.
    I will continue to monitor the computer now and keep it clean.
    Thanks,
    Nan
     


  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there Nan, you are more than welcome for the help from us. :)

    I have to admit I enjoyed removing it too LOL
    We do what we do voluntarily, and don't mind helping at all, but if you should wish to show your appreciation to the website then you can always take a look at this great range of clothing for both men and women. Geekwear

    The attached screenshot just indicates that malware is in your system restore, and nothing can remove that apart from toggling system restore, which is part of the final steps I gave you.

    You take care ;)
    Kind regards
    Kes
     
