Requested logs from new Member (Post 1)

rengaw · Dec 7, 2012

Hello, new problem child here,
There may be a second post to cover the number of log files as Malwarebytes was run a few times prior to finding the MajorGeeks tutorial.
The OS is XP SP2, and 3 days ago lost function of Avast, Firewall and Internet.
This may have been a result of updating Spybot and Adaware a few days prior, (along with Avast).
While I know better than to run more than one general anti-virus at once, one of the two specialty programs seemed to include a "general" anti-virus feature I was unable to disable.
But then again, maybe not.
Let me mention here that the "Restore" was toggled prior to finding this guide.
I have attached requested log files in 2 .zip files. Please let me know what ever else may be required.
I am using a separate machine to make and monitor this thread, as the effected computer no longer has internet access, (until it's fixed). Please be patient with me
Great thanks and kudos for any help in getting the machine back running well!

dr.moriarty · Dec 8, 2012

Welcome to MajorGeeks, rengaw

I'm looking over your logs and will work up a fix.
dr.m

rengaw · Dec 9, 2012

Thank you, your help is greatly appreciated!

dr.moriarty · Dec 9, 2012

You're welcome.

*I will caution you against complicating our removal steps and final cleaning by not following our instructions in the READ ME guide -

"C:\Documents and Settings\Garage\Desktop\
Shortcut to MGtools.exe.lnk
Shortcut to RogueKiller.exe.lnk
Shortcut to tdsskiller.exe.lnk
Shortcut to HitmanPro.exe.lnk"
Click to expand...

- MGtools.exe is where it should be, but the other programs are not found. Please re-download RogueKiller to your desktop... we will need to use it soon.

We recommend an absolute MINIMUM of 2 GB for Windows XP

Total Physical Memory 1,024.00 MB
Available Physical Memory 566.02 MB
Click to expand...

Please look in Add/Remove Programs (Programs and Features if using Vista or Windows 7) for the following and uninstall thes outdated software versions. If you get any errors just make a note and continue on.

Java 2 Runtime Environment, SE v1.4.1_02
Java(TM) 6 Update 7
Click to expand...

NOTE: Mozilla Firefox 16.0.2 (x86 en-US) <--- outdated and needs updating

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Now double-click RogueKiller.exe to run it. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button, then select the Registry tab and then select any of the below that exist and then click the Delete button.

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : EPSON WorkForce 840 Series (C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIGMA.EXE/FU"C:\WINDOWS\TEMP\E_S532.tmp" /EF "HKCU") -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-73586283-1682526488-839522115-1003[...]\Run : EPSON WorkForce 840 Series (C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIGMA.EXE /FU "C:\WINDOWS\TEMP\E_S532.tmp" /EF "HKCU") -> FOUND

When it is finished there will be a log on your desktop called RKreport[2].txt, attach it to your next reply.
Then immediately reboot your PC.

After reboot, run a new scan with both RogueKiller and attach that new log to your next reply.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {1A348B64-62FC-4668-B76E-27C3A5060EF0} - (no file)
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O2 - BHO: (no name) - {2106345C-2237-4D2C-B5A6-9267B53BA3DF} - (no file)
O2 - BHO: (no name) - {221E3DFC-5379-4C0C-A278-28D1E25F5FD1} - (no file)
O2 - BHO: (no name) - {23E43271-42B5-4D4E-9943-4C87C4749E15} - (no file)
O2 - BHO: (no name) - {24B616C1-EEB7-42AE-BFC1-33E5A2D9D1C3} - (no file)
O2 - BHO: (no name) - {3085001E-1BB1-4DD6-86CC-141CCCBF47F7} - (no file)
O2 - BHO: (no name) - {41E48C00-BF1A-485C-908C-711A277F8D7A} - C:\WINDOWS\system32\urqpp.dll (file missing)
O2 - BHO: (no name) - {4B4CD9D6-F63E-4D10-88C3-69169BF8D1B9} - (no file)
O2 - BHO: (no name) - {542718A0-7646-4E09-9255-0BDD70F07ABB} - (no file)
O2 - BHO: (no name) - {5B82AEEB-7B56-42BE-8AAF-10E67BE289BF} - (no file)
O2 - BHO: (no name) - {610A441F-92C2-4709-BB79-81675CD976D9} - (no file)
O2 - BHO: (no name) - {642A7BB3-57C4-431C-94A3-83E4AF6B675A} - (no file)
O2 - BHO: (no name) - {6E38CB93-91AC-4E74-9A65-C05BF40CCA5C} - (no file)
O2 - BHO: (no name) - {77278183-8d10-4ba6-ab99-373e2983c982} - (no file)
O2 - BHO: (no name) - {AC901AEA-FACF-43D1-AC76-FD005D3F51A0} - (no file)
O2 - BHO: (no name) - {ae189308-cf92-4e52-831e-3813099b9e90} - (no file)
O2 - BHO: (no name) - {B24712D9-AFBC-40F9-BFFF-F8CA9EDCF7A6} - C:\WINDOWS\system32\xxwxx.dll (file missing)
O2 - BHO: (no name) - {B7408DB9-1E29-4BCD-AC1E-144FCE00CF04} - (no file)
O2 - BHO: (no name) - {B8D247A1-E922-4E1D-8C4D-16BF9A9EDD7C} - (no file)
O2 - BHO: (no name) - {BE78B5B7-8EDA-4DC3-80DA-0F2AB8E0835B} - (no file)
O2 - BHO: (no name) - {C4F9F4E1-546D-426C-95B4-C8B64E0B2ABE} - C:\WINDOWS\system32\iifdb.dll (file missing)
O2 - BHO: (no name) - {C79D7703-E180-457D-8DD5-2C9DD5620D6A} - (no file)
O2 - BHO: (no name) - {D0388469-80A8-4FB1-BA07-15355B8042E6} - (no file)
O2 - BHO: (no name) - {DA73BE73-E75A-439D-A2F1-5124EC1E1F99} - (no file)
O2 - BHO: (no name) - {DF176785-8632-49EF-A58B-D1F103C9D944} - (no file)
O2 - BHO: (no name) - {DF5A45A4-5EFA-45A3-9A96-80BD0C330129} - (no file)
O2 - BHO: (no name) - {DFF2DABD-4AB1-4FB0-BB7D-4D6F799CFCA6} - (no file)
O2 - BHO: (no name) - {E306ECA7-A595-46A9-B461-0620BA2B3B04} - (no file)
O2 - BHO: (no name) - {E3744D8F-857A-4D5C-909B-40D810F3721D} - (no file)
O2 - BHO: (no name) - {FC818AE3-ED5C-434F-9BC2-53649C6BD022} - (no file)
O2 - BHO: (no name) - {FD2817E3-2AE8-4E0F-885F-4610A53EABCA} - (no file)
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O4 - HKCU\..\Run: [EPSON WorkForce 840 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIGMA.EXE /FU "C:\WINDOWS\TEMP\E_S532.tmp" /EF "HKCU"
O20 - Winlogon Notify: fccywvu - fccywvu.dll (file missing)
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe (file missing)
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe (file missing)
Click to expand...

NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

After clicking Fix, exit HJT.

Please download OTM by Old Timer and save it to your Desktop.

Right-click OTM.exe and select Run as administrator to run it.

Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
(or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of the code box
Code:
:Processes
killallprocesses

:Files
C:\Documents and Settings\All Users\Application Data\blekko toolbars
C:\WINDOWS\system32\urqpp.dll
C:\WINDOWS\system32\xxwxx.dll
C:\WINDOWS\system32\iifdb.dll 
C:\Program Files\AskBarDis
ipconfig /flushdns /c
ipconfig /release /c
ipconfig /renew /c

:Reg
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A348B64-62FC-4668-B76E-27C3A5060EF0}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2106345C-2237-4D2C-B5A6-9267B53BA3DF}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{221E3DFC-5379-4C0C-A278-28D1E25F5FD1}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{23E43271-42B5-4D4E-9943-4C87C4749E15}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{24B616C1-EEB7-42AE-BFC1-33E5A2D9D1C3}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3085001E-1BB1-4DD6-86CC-141CCCBF47F7}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{41E48C00-BF1A-485C-908C-711A277F8D7A}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B4CD9D6-F63E-4D10-88C3-69169BF8D1B9}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{542718A0-7646-4E09-9255-0BDD70F07ABB}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B82AEEB-7B56-42BE-8AAF-10E67BE289BF}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{610A441F-92C2-4709-BB79-81675CD976D9}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{642A7BB3-57C4-431C-94A3-83E4AF6B675A}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E38CB93-91AC-4E74-9A65-C05BF40CCA5C}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77278183-8d10-4ba6-ab99-373e2983c982}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AC901AEA-FACF-43D1-AC76-FD005D3F51A0}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ae189308-cf92-4e52-831e-3813099b9e90}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B24712D9-AFBC-40F9-BFFF-F8CA9EDCF7A6}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B7408DB9-1E29-4BCD-AC1E-144FCE00CF04}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B8D247A1-E922-4E1D-8C4D-16BF9A9EDD7C}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BE78B5B7-8EDA-4DC3-80DA-0F2AB8E0835B}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C4F9F4E1-546D-426C-95B4-C8B64E0B2ABE}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C79D7703-E180-457D-8DD5-2C9DD5620D6A}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D0388469-80A8-4FB1-BA07-15355B8042E6}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DA73BE73-E75A-439D-A2F1-5124EC1E1F99}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DF176785-8632-49EF-A58B-D1F103C9D944}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DF5A45A4-5EFA-45A3-9A96-80BD0C330129}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DFF2DABD-4AB1-4FB0-BB7D-4D6F799CFCA6}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E306ECA7-A595-46A9-B461-0620BA2B3B04}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E3744D8F-857A-4D5C-909B-40D810F3721D}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC818AE3-ED5C-434F-9BC2-53649C6BD022}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD2817E3-2AE8-4E0F-885F-4610A53EABCA}]

:Commands
[purity]
[EMPTYFLASH]
[EmptyTemp]
[start explorer]
[Reboot]
Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow barand choose Paste.

Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt%21.png button.

If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.

Close OTM.

Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
this log file to your next message.

http://imageshack.us/a/img841/7292/thisisujrt.gif Please download Junkware Removal Tool to your desktop.

Shut down your protection software now to avoid potential conflicts.

Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.

The tool will open and start scanning your system.

Please be patient as this can take a while to complete depending on your system's specifications.

On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

Attach the JRT.txt to your next message.

Now install the latest Sun Java Runtime Environment

Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Windows 7, use right click and select Run As Administrator).

Please attach the below logs to your next reply:

C:\MGlogs.zip

JRT.txt

C:\_OTM\MovedFileslog

updated RKlog.txt

* Make sure you tell me if you had any problems running this procedure; and answer this - "What malware problems are you still experiencing?"

dr.m

rengaw · Dec 15, 2012

Dr. M,

My sincere apologies for the delay in responding; have medical issues to address.

Problems;

I realize the recommendation for 2 gb of RAM. General understanding was that 32 bit Windows would not handle more than 1 gb back around 8 years ago when I built this machine. I will attempt to find another compatible DDR module if they are still available. I believe everything you requested ran alright however.

I cannot update Firefox as the malware took out internet as originally stated.

The registry entry "O4 - HKCU\..\Run: [EPSON WorkForce 840 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIGMA.EXE /FU "C:\WINDOWS\TEMP\E_S532.tmp" /EF "HKCU"" was not found when C:\MGtools\analyse.exe was run. All others were.

Still no internet, AVAST shows error and firewall error.

Please find requested log files attached.

Thank you again for your help and patience...

Steve

Kestrel13! · Dec 15, 2012

No internet yet due to

Dynamic Host Control Protocol -DHCP- is NOT running
TCP/IP Protocol Driver -TCP/IP- is NOT running
Click to expand...

and firewall broken because:

Windows Firewall Service is NOT running
Click to expand...

rengaw · Dec 15, 2012

Thanks for the reply Kestrel13!.
It seems you may have identified the cause, can you now identify the cure?

Thanks again!

Steve

dr.moriarty · Dec 15, 2012

Hello, rengaw

Since you need to update your service pack level anyway, please download this file Microsoft Windows XP Service Pack 3 Final and save it to your "Downloads" folder.
After disabling your protection software, double-click the file then after the installation has completed - re-start your pc.
Then re-enable your protection and test for internet access.

Now give me a new MGLogs.zip ---> run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Windows 7, use right click and select Run As Administrator).

dr.moriarty · Dec 15, 2012

Note:

In your case of no internet access, download and transfer the file via flashdrive or CD/DVD.

dr.m

Log in or Sign up

Requested logs from new Member (Post 1)

rengaw Private E-2

Attached Files:

MGlogs.zip

LOGS.zip

dr.moriarty Malware Super Sleuth Staff Member

rengaw Private E-2

dr.moriarty Malware Super Sleuth Staff Member

rengaw Private E-2

Attached Files:

Logs.zip

MGlogs.zip

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

rengaw Private E-2

dr.moriarty Malware Super Sleuth Staff Member

dr.moriarty Malware Super Sleuth Staff Member