Removal Process

Discussion in 'Malware Help (A Specialist Will Reply)' started by ktspree13, Aug 27, 2006.

  1. ktspree13

    ktspree13 Private E-2

    I have run all of the things in the directions and still find that there is spyware/malware on my computer. I will post the logs for you to look at. Thanks for your help. Ack...now my keyboard is bugging out!

    Thanks again.

    P.S. The BitDefender file is the scan from the second time that I ran the file. The first time I ran it, there was quite a bit of information on it, but at the end, the thing froze and I was unable to get the log file. I hope this one is alright!
     


  2. ktspree13

    ktspree13 Private E-2

    Here also are the getrunkeys, shownew, and hijackthis logs.

    Thanks.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Let's have you correct a few minor issues first while I look at the rest of your logs and work up a fix.

    First install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox

    Then uninstall the below old versions of software:
    Java 2 Runtime Environment, SE v1.4.2_03
    Mozilla Firefox (1.0.6)
    Search Bar

    You also need to run this and attach a log from it: Qoologic Removal Procedure
     
    Last edited: Aug 27, 2006
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After finishing the steps in my previous message, continue with the below.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to rundll.exe ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc Tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    rundll.exe

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.



    Start by downloading - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\aipdn.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ldwhxou.exe
    O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_13.exe
    O4 - HKLM\..\Run: [defender] C:\\dfndrff_13.exe
    O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
    O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
    O4 - HKLM\..\RunServices: [stratas] lockx.exe
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\dnnm0151e.dll (file missing)


    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    Now back on Killbox's main window, paste the below filenames into KillBox one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\Program Files\Common Files\mzio\mziom.exe
    C:\Program Files\webHancer\Programs\whsurvey.exe
    C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll
    C:\WINDOWS\Duce6.exe
    c:\windows\keyboard1.dat
    C:\WINDOWS\rundll.exe
    C:\WINDOWS\ms03319403-54.exe
    C:\WINDOWS\RDFX4.exe
    C:\WINDOWS\srvkpzjgtn.exe
    C:\WINDOWS\srvrkocruy.exe
    C:\WINDOWS\uninst104.exe
    C:\WINDOWS\uni_ehhhh.exe
    C:\WINDOWS\wnu_176.exe
    C:\WINDOWS\system32\lockx.exe
    C:\WINDOWS\system32\jyyynj.exe
    C:\WINDOWS\system32\aipdn.exe
    C:\WINDOWS\system32\tsuninst.exe
    C:\WINDOWS\system32\cnmodem.dll
    C:\WINDOWS\system32\dn4u01h9e.dll
    C:\WINDOWS\system32\icengine.dll
    C:\WINDOWS\system32\kxdsg.dll
    C:\WINDOWS\system32\m6ls0g37e6.dll
    C:\WINDOWS\system32\mensspc.dll
    C:\WINDOWS\system32\mv8sl9l71.dll
    C:\WINDOWS\system32\mxiwave.dll
    c:\windows\system32\guard.tmp
    C:\dfndrff_13.exe
    C:\kybrdff_13.exe
    C:\lockx.exe
    C:\deskbar.exe
    C:\Installer3.exe


    If Killbox does not reboot or if you get a Pending Operations type error message just click OK to continue and then just reboot your PC yourself.

    After reboot locate the below folders and delete them if found:
    C:\Program Files\webHancer
    C:\Program Files\Common Files\mzio
    c:\program files\common files\Download


    Now attach a new HJT log and tell me how the steps went.

    Also attach a new log from ShowNew and a new log from GetRunKey.

    Make sure you tell me how things are working now!
     
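As an added illustration (not part of this thread or of HijackThis itself), a small Python checker for entries in HijackThis log format like the ones chaslang lists above: it flags F2 Shell=/UserInit= values that carry an extra program after the legitimate one, and O4 Run/RunServices entries whose target sits in the drive root or has no directory at all, two of the patterns in this log. The sample lines are constructed from the entries in the post, and the clean Shell/UserInit values assumed are the Windows XP defaults.

```python
import re
# Constructed sample in HijackThis log format, modelled on the entries in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\aipdn.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ldwhxou.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_13.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\RunServices: [stratas] lockx.exe
"""
EXPECTED = {"Shell": "explorer.exe", "UserInit": r"c:\windows\system32\userinit.exe"}  # clean XP values (assumed)

def parse_hjt_line(line):
    """Split an entry such as 'O4 - ...' into (section, detail); None for non-entries."""
    m = re.match(r"^([A-Z]\d{1,2}) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None

def entries(log, section):
    for line in log.splitlines():
        entry = parse_hjt_line(line)
        if entry and entry[0] == section:
            yield entry[1]

def winlogon_findings(log):
    """F2 Shell=/UserInit= values that list anything beyond the expected program."""
    findings = []
    for detail in entries(log, "F2"):
        m = re.match(r"REG:system\.ini: (Shell|UserInit)=(.*)$", detail)
        if m:
            key, value = m.groups()
            # Both values are comma-separated program lists; only the first item is legitimate.
            items = [p.strip().lower() for p in value.split(",") if p.strip()]
            extras = [p for p in items if p != EXPECTED[key]]
            if extras:
                findings.append((key, extras))
    return findings

def autorun_findings(log):
    """O4 Run/RunServices entries whose target sits in the drive root or has no directory."""
    findings = []
    for detail in entries(log, "O4"):
        m = re.match(r"HK\w+\\\.\.\\(\w+): \[(.*?)\] (.*)$", detail)
        if not m:
            continue
        subkey, name, target = m.groups()
        target = re.sub(r"\\+", r"\\", target.strip())  # collapse doubled backslashes (C:\\x.exe)
        if "\\" not in target:
            findings.append((subkey, name, target, "no directory given; resolved by search path"))
        elif re.fullmatch(r"[A-Za-z]:\\[^\\]+", target):
            findings.append((subkey, name, target, "executable in drive root"))
    return findings
```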
  5. ktspree13

    ktspree13 Private E-2

    New Hijackthis, shownew, and getkeys.
     


  6. ktspree13

    ktspree13 Private E-2

    I also uploaded the Qoofix Logfile, as you can see. I didn't seem to have many problems fixing anything with the steps you provided. Before I got your reply (thank you for a quick reply! I've been working on this since Friday!) I ran a bunch of extra scans on my computer. Ewido, AdAware-SE, Trojan Scan, CWShredder, Kill2Me, and Trend Micro's Online Scan with Java (only on Mozilla). I couldn't seem to get logfiles for them, so sorry about that. Not sure if it would have made much of a difference anyways. I'm now wondering what I should do about the fixme registry file on my desktop. Do I keep it there? Move it somewhere? In addition, whenever I log into my computer, I get this message saying "Co Create Instance Failed. Status 0x80040154." Then, two Runtime Errors pop up for the program that runs my wireless card. Currently I am away at college and not using the wireless (because the dorms are not wireless) so I can't tell if it will affect whether or not I can use the wireless. Any thoughts? It did this before I followed your steps, by the way. So, no worries about that. The only other thing I can say about how my computer runs is that it starts up slow. I installed a personal firewall that you guys recommended and it takes a while for my Cisco Clean Access Agent to pop up because of that. I installed the Filseclab Personal Firewall, to be more specific.

    Recently I uninstalled the better version of Norton Anti-virus from my computer. It was a free version that came with the laptop that I bought. It had expired, and in order to get internet connection at my college, I needed an updated anti-virus software. That was uninstalled and a free Symantec version was put onto my computer. Eight days later (this past Friday) I had all of this spyware on my computer. Is there any specific anti-virus/internet (computer) protection that you would recommend?

    Thanks for all your help!

    KP
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We have a couple more files to delete. Try deleting them using Windows Explorer (use safe boot mode if necessary - or Pocket Killbox if they will not delete with normal methods). Delete these:
    C:\WINDOWS\sys0154319403-.exe
    C:\WINDOWS\win320703-543194.exe



    You will have to reinstall the software/drivers for your wireless card.

    Uninstall Ewido if it is the free trial version. That will help speed up your startup time a little.


    But what does your school require? Sometimes schools will require certain software to be used and they even provide it free. As far as Symantec is concerned, it is not on our list of things to use. The link below contains all of our recommendations.


    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
