Recycler and possibly others.

Discussion in 'Malware Help (A Specialist Will Reply)' started by Saky, May 2, 2005.

  1. Saky

    Saky Private E-2

    OK, I have gone through the entire list of instructions posted in "read first before asking for help", so now I wanted to double check if everything was removed. I went to Symantec and it still found about 8 entries (better than the 25 or 30), so I went browsing my HDD and manually removed these entries except for one "RECYCLER" folder containing this doozy: "515-21-448539723-299502267-725345543-1004". I managed to rename/move/delete it, but then the file & folder regenerates itself.

    Trend
    Symantec
    Avert stinger
    spybot + BHO
    ad aware +vx2
    cwsshredder
    ccleaner
    kill2me
    hsremove
    symantec again

    So, you can see I have taken every step mentioned and I am still having probs. Yes, I disabled System Restore. Yes, I disconnected from the net when scanning. Yes, I was in safe mode. Yes, I got all the updates. Here is my HijackThis log (from normal mode). Hope you can help.
    here
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you simply try emptying your Recycle Bin? You should not be doing manual deletion of files from the Recycle Bin.

    In the future, please do not post HJT logs unless they are requested. For us to properly determine everything that may be on your PC, you must stop using msconfig to control which items load at startup. Please run msconfig and select Normal Startup. Then reboot and post a new HJT log.
     
  3. Saky

    Saky Private E-2

    HJT log after Normal startup. ty.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you use Viewpoint Manager (crap from AOL)? Most people do not. If not, uninstall it using Add/Remove programs.
    Also use Add/Remove programs to uninstall:
    Wild Tangent or Wild Tangent Updater
    ClearSearch
    Weather Bug

    Have you run Spybot and Ad-Aware (in normal boot mode) since selecting Normal Startup with msconfig? If not, please do so. That may take care of a few problems.

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Delete an NT service" on the left-hand side. A "Delete a Windows NT Service" window will pop up. Try entering the following into the box and then click OK:

    .NET Framework Service

    If that does not work try entering the short name: .NET Connection Service

    Then reboot and check your HJT log to see if the O23 line for that service is truly gone. If you get an error message while doing the above, then do the following first:

    You need to run services.msc (as mentioned in step two of the READ ME FIRST) but look for the .NET Framework Service (or .NET Connection Service) instead of the ones in the READ ME. When found, do what it says: stop and then disable the service.

    Then use HJT to try to Delete the NT service again.

    I'm looking at the rest of your log now.
     
    Last edited: May 3, 2005
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\?hkdsk.exe

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [vgvpcfogwuiw] C:\WINDOWS\System32\wrdsmo.exe
    O4 - HKLM\..\Run: [Srng] \Program Files\Srng\Srng.exe
    O4 - HKLM\..\Run: [sjeh] C:\WINDOWS\sjeh.exe
    O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
    O4 - HKLM\..\Run: [msbb] c:\windows\system32\msbb.exe
    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [2FtV33T] exesrvps.exe
    O4 - HKCU\..\Run: [Fyjwfmd] C:\WINDOWS\System32\?hkdsk.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
    O4 - HKCU\..\Run: [Jo29RTf2U] dx8osoft.exe
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\NEWDOT~1 <--- the whole folder
    C:\Program Files\AWS <--- the whole folder
    C:\Program Files\Ebates_MoeMoneyMaker <--- the whole folder
    C:\Program Files\ClearSearch <--- the whole folder
    C:\WINDOWS\kdx <--- the whole folder
    C:\WINDOWS\wt <--- the whole folder
    C:\Program Files\Srng <--- the whole folder
    C:\WINDOWS\System32\wrdsmo.exe
    C:\WINDOWS\System32\SahAgent.exe
    c:\windows\system32\msbb.exe
    C:\WINDOWS\System32\exesrvps.exe
    C:\WINDOWS\System32\dx8osoft.exe
    C:\WINDOWS\svchost.exe
    C:\WINDOWS\alchem.exe
    C:\WINDOWS\wupdt.exe
    C:\WINDOWS\sjeh.exe

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if it is running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Then, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
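The O4 and O23 lines above are HijackThis autostart and service entries, and the reply lists which ones to fix by hand. As an added illustration (this is not code from the thread or from HijackThis), the Python below parses lines in that format into structured records and applies a few structural triage checks that a reviewer would apply to such a log: a bare file name with no directory, a file name containing a `?` or non-ASCII character (HJT prints non-printable look-alike characters as `?`, as in `?hkdsk.exe`), an `svchost.exe` outside System32, and a service whose binary is reported as missing. The sample input reuses six lines quoted in this thread plus one constructed benign service line (`Windows Audio (AudioSrv)`) so the checks have something they should leave alone.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Sample input: six O4/O23 lines taken from the HJT log quoted in this thread,
# plus one constructed benign service line (AudioSrv) that must NOT be flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [2FtV33T] exesrvps.exe
O4 - HKCU\..\Run: [Fyjwfmd] C:\WINDOWS\System32\?hkdsk.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe -k netsvcs
"""

# O4: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
# O23: "O23 - Service: <display name> (<short name>) - <owner> - <image path>"
O23_RE = re.compile(r"^O23 - Service: (.+?) \((.+?)\) - (.+?) - (.+)$")
# First executable/DLL path in a command line; tolerates a "rundll32 " prefix
# and spaces inside the path ("C:\Program Files\...").
IMAGE_RE = re.compile(r"^(?:rundll32(?:\.exe)?\s+)?(.*?\.(?:exe|dll|com))", re.IGNORECASE)


@dataclass
class Entry:
    kind: str                 # "O4" (autostart value) or "O23" (service)
    name: str                 # registry value name, or "display (short)" for a service
    command: str              # command line as HJT reports it, minus "(file missing)"
    hive: str = ""            # HKLM / HKCU for O4 entries
    file_missing: bool = False


def parse_hjt(text: str) -> List[Entry]:
    """Parse the O4 and O23 lines of a HijackThis log; other line types are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            hive, _key, name, cmd = m.groups()
            entries.append(Entry("O4", name, cmd, hive=hive))
            continue
        m = O23_RE.match(line)
        if m:
            display, short, _owner, cmd = m.groups()
            missing = cmd.endswith("(file missing)")
            cmd = cmd.replace("(file missing)", "").strip()
            entries.append(Entry("O23", f"{display} ({short})", cmd, file_missing=missing))
    return entries


def image_path(command: str) -> str:
    """Return the executable or DLL path the command line actually loads."""
    m = IMAGE_RE.match(command)
    return m.group(1) if m else command


def review(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Structural triage: returns (entry name, reason) pairs for entries worth a closer look."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        image = image_path(e.command)
        directory, _, base = image.rpartition("\\")
        if not directory:
            findings.append((e.name, "bare file name: loaded from wherever the search path finds it"))
        if "?" in base or any(ord(c) > 127 for c in base):
            findings.append((e.name, "non-ASCII or unprintable character in file name (look-alike of a system binary)"))
        if base.lower() == "svchost.exe" and not directory.lower().endswith("system32"):
            findings.append((e.name, "svchost.exe outside System32"))
        if e.file_missing:
            findings.append((e.name, "service points at a binary that no longer exists"))
    return findings


if __name__ == "__main__":
    for name, reason in review(parse_hjt(SAMPLE_LOG)):
        print(f"{name}: {reason}")
```

These checks flag `2FtV33T`, `Fyjwfmd` and the `.NET Framework Service` entry and leave `Weather`, `Win Server Updt` and the constructed `AudioSrv` line alone. That is deliberate: a path-shaped entry such as `C:\WINDOWS\wupdt.exe` is only recognisable from knowledge of the file name, which is what the analyst in this thread supplied, so the output is a triage list rather than a verdict.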
     
  6. Saky

    Saky Private E-2

    OK, I didn't find everything you listed in your last post (yes, I disabled hiding of system and hidden files), but I deleted what I found from your list. I figure they are gone because of the scan you requested me to do in your second-to-last post. Anyway, this computer is still creeping, but it may be because it needs to be defragmented (badly) or needs another RAM module (only 128MB so far). At any rate I haven't seen any evidence of pop-ups or such, but I have only been on again for a few mins. I'll let you know. Attached is my current HJT. Let me know what you think.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. Your speed problem may be due to garbage that your ISP put on your PC, namely the CFD.EXE file. Look in the below link and scroll down to BJCFD.exe (which is the same program).


    http://www.answersthatwork.com/Tasklist_pages/tasklist_b.htm

    Notice how it states it can gobble up all of your resources.
     