Rogue IE windows, and Norton AntiVirus going crazy!

Discussion in 'Malware Help (A Specialist Will Reply)' started by 11marini, Apr 16, 2009.

  1. 11marini

    11marini Private E-2

    Hello! I am joining the ranks of people who need help rescuing their computers from malware! I completed the "READ AND RUN ME FIRST: Malware Removal Guide", and here's the best descriptions I can give:

    Before I started the Guide, I had several problems:
    --> Rogue IE windows (I only use Firefox) popping up whenever I navigated anywhere in Firefox
    --> Processes (like ati2evxx.exe and LMIGuardian.exe) seemed to be replicated (as viewed in the Task Manager).
    --> Processor constantly under heavy load, and general computer use was very slow
    --> It suddenly took FOREVER for Firefox to load into memory to the point where it would display (internet speeds were fine, for the most part).

    The "House Cleaning & Setup" steps went fine (I never knew you weren't supposed to use msconfig!), as did enabling the view of hidden files, system files, and extensions. Then onto the directions for XP:

    SAS (try 1): Scan was successful, but I got a BSOD during "Quarantine and Delete". It read as follows:

    Windows Logon Process
    System process terminated unexpectedly with a status of 0
    STOP: c000021a {Fatal System Error}

    SAS (try 2): Scan and removal was successful, problem with the IE windows stopped.
    MB: No problems
    Combofix: No problems
    MGtools: Mostly no problems, but at the very end, I got this error message:

    ProcessDll.exe
    The application failed to initialize properly (0xc0000135)

    The current state: All problems except for the IE windows remain, although the load time for Firefox is slightly faster (but not much).

    That's about as much info as I think I can include. Thank you in advance for doing this. I know you guys and gals are volunteers, and it's really a big help to us who are having these problems. I look forward to a response!
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's start with this:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    c:\windows\Osulezibeceri.dat
    c:\windows\Ugimadisuvubovi.bin
    c:\windows\system32\guyetisu.dll
    C:\WINDOWS\system32\bovufotu.dll.tmp
    C:\WINDOWS\system32\fahimera.dll.tmp
    C:\WINDOWS\system32\fimigoyu.exe  
    C:\WINDOWS\system32\ralikute
    C:\WINDOWS\system32\robehenu.dll.tmp
    C:\WINDOWS\system32\takuliyo.exe
    C:\WINDOWS\system32\tarowata.exe  
    C:\WINDOWS\system32\tiwikuwu.exe  
    C:\WINDOWS\system32\tokupato.exe  
    C:\WINDOWS\system32\yumaluso.exe
    c:\windows\Ugimadisuvubovi.bin
    c:\windows\Osulezibeceri.dat
    c:\windows\system32\tiwikuwu.exe
    c:\windows\system32\tokupato.exe
    c:\windows\system32\tarowata.exe
    c:\windows\system32\fimigoyu.exe
    c:\windows\system32\yumaluso.exe
    c:\windows\system32\takuliyo.exe
    
    RegLockDel::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now download and install:
    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combo.
     
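As an added example (not a tool from this thread and not ComboFix's own parser), here is a small script that reads a CFScript like the one posted above, lists what it would act on, flags duplicate entries (the posted list repeats several paths in different letter case), and checks which of the File:: targets still exist, which is a quick way to confirm afterwards that the listed files really are gone. It assumes only the three section headers visible in the post (KILLALL::, File::, RegLockDel::); the embedded sample is an abbreviated copy of that script.

```python
"""Sanity-check a ComboFix CFScript before (or after) it is run.

Added example for this thread; it is not ComboFix's own parser and it only
recognises the section headers that appear in the posted script.
"""
import os
import re
from collections import OrderedDict

# Constructed sample: an abbreviated copy of the script posted above.
SAMPLE_CFSCRIPT = """\
KILLALL::

File::
c:\\windows\\Osulezibeceri.dat
C:\\WINDOWS\\system32\\fimigoyu.exe  
C:\\WINDOWS\\system32\\ralikute
c:\\windows\\Osulezibeceri.dat
c:\\windows\\system32\\fimigoyu.exe

RegLockDel::
[HKEY_LOCAL_MACHINE\\software\\Classes\\CLSID\\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\\InprocServer32]
"""

# A section header is a bare word followed by "::" on its own line.
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")


def parse_cfscript(text):
    """Return an ordered {SECTION: [entries]} map; entries are stripped of the
    trailing spaces that copy/paste from a forum code box leaves behind."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1).upper()
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def find_duplicates(entries):
    """Entries that repeat an earlier one; compared case-insensitively
    because Windows paths and registry keys are not case-sensitive."""
    seen = set()
    dups = []
    for entry in entries:
        key = entry.lower()
        if key in seen:
            dups.append(entry)
        seen.add(key)
    return dups


def dedupe(entries):
    """Keep the first spelling of each entry and drop later repeats."""
    seen = set()
    kept = []
    for entry in entries:
        key = entry.lower()
        if key not in seen:
            seen.add(key)
            kept.append(entry)
    return kept


def check_files(entries, exists=os.path.exists):
    """Map each unique File:: target to whether it is present. `exists` is
    injectable so the check can run against a recorded listing as well as
    the live filesystem."""
    return {path: bool(exists(path)) for path in dedupe(entries)}


def summarize(text, exists=os.path.exists):
    """Human-readable report of what the script would touch."""
    sections = parse_cfscript(text)
    lines = []
    if "KILLALL" in sections:
        lines.append("KILLALL:: present - running processes are terminated first")
    files = sections.get("FILE", [])
    lines.append("File:: %d entries, %d unique" % (len(files), len(dedupe(files))))
    for dup in find_duplicates(files):
        lines.append("  duplicate: %s" % dup)
    for path, present in check_files(files, exists).items():
        lines.append("  %s %s" % ("PRESENT" if present else "absent ", path))
    keys = sections.get("REGLOCKDEL", [])
    lines.append("RegLockDel:: %d key(s)" % len(keys))
    lines.extend("  " + key for key in keys)
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_CFSCRIPT))
```

Run it once with the script before dragging it onto ComboFix.exe to see the targets reported as PRESENT, and again after the reboot: everything in the File:: list should then read "absent".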
  3. 11marini

    11marini Private E-2

    Tim,

    Thanks for taking up my thread. I ran the ComboFix scan with your script without any problems. The log is attached. I also ran the MGtools batch file, and received the same error about ProcessDll, but the rest went fine.

    I did not install the JRE for Java6 because I installed the latest JRE during the initial instructions. I actually decided to download the J2EE package w/ an application server that includes the Java6 JRE (I'm a Java developer), so it's in a non-standard location, but it's there. If you really think it's important to do, let me know and I'll do it, but otherwise, I'd prefer not to have more than one JRE on my machine if I can help it.

    Thanks for all your help, and I look forward to hearing from you soon!
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sweet......your logs are clean. :)

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work thru the below link:

     
  5. 11marini

    11marini Private E-2

    Great! Thanks for checking on them! But it's still really slow to do just about anything. The speed aside (there are so many factors that could cause that), I'm still seeing a lot of clutter on my list of Processes (59 processes with Firefox being the only thing I've manually started).

    My specific worry is that there are several processes (i.e. ati2evxx.exe, googleUpdate.exe, LMIGuardian.exe, and others) that appear more than once on the list. I know that it's normal to see several svchost.exe's, but I wouldn't think that would be the case for anything else. Any suggestions?

    Also, I really appreciated your help with my logs, and was wondering how exactly you learned to read the logs and/or get into helping people. It's a valuable skill, and I would love to eventually be able to help others like you've helped me.

    Thanks again for your work, and I look forward to hearing from you!
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I would suggest you use one of these:

    Startup Manager

    Startup_CPL

    You can get further assistance in the software forum as to what processes to stop.

    I was fortunate in that Chaslang was willing to help me get started in this and has been an invaluable source of support.

    There are a few websites that provide training rooms. The process can take awhile to complete since there is a lot to learn and the people training you are doing it in their free time. Make sure that you are serious about wanting to spend the time to learn and have the time to perform malware removal, because it takes a strong commitment. Check out the below sites:

    BootCamp

    Geek U!

    What the Tech Classroom
     
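As an added example for the duplicate-process question above (not one of the tools Tim links), the script below groups a process listing by image name and separates the harmless case, several instances all started from the same directory (for instance one ati2evxx.exe per logon session), from the one that deserves a closer look, the same name running from two different directories. It parses the CSV that `wmic process get Name,ExecutablePath,ProcessId /format:csv` prints on XP/Vista; the listing embedded here is constructed for the example, not captured from a real machine, and updater.exe is a made-up name.

```python
"""Triage a process list where the same image name appears several times.

Added example for this thread. Parses wmic's CSV output, groups rows by
image name and flags names whose instances come from more than one
directory. The sample listing is constructed, not real output.
"""
import csv
import io
import ntpath
from collections import defaultdict

# Constructed sample in the column layout wmic uses for /format:csv.
SAMPLE_WMIC_CSV = """\
Node,ExecutablePath,Name,ProcessId
MYPC,C:\\WINDOWS\\system32\\svchost.exe,svchost.exe,860
MYPC,C:\\WINDOWS\\system32\\svchost.exe,svchost.exe,944
MYPC,C:\\WINDOWS\\system32\\ati2evxx.exe,ati2evxx.exe,1032
MYPC,C:\\WINDOWS\\system32\\ati2evxx.exe,ati2evxx.exe,1488
MYPC,C:\\Program Files\\Example\\updater.exe,updater.exe,1600
MYPC,C:\\Documents and Settings\\user\\Local Settings\\Temp\\updater.exe,updater.exe,2012
MYPC,C:\\Program Files\\Mozilla Firefox\\firefox.exe,firefox.exe,2200
"""


def parse_wmic_csv(text):
    """Rows as dicts. wmic prefixes its CSV with a blank line, hence the
    strip(); some system processes report an empty ExecutablePath."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    return [dict(row) for row in reader]


def group_by_name(rows):
    """{image name (lower-cased): [(pid, path), ...]}"""
    groups = defaultdict(list)
    for row in rows:
        groups[row["Name"].lower()].append((int(row["ProcessId"]), row["ExecutablePath"]))
    return dict(groups)


def repeated_names(groups):
    """Image names with more than one running instance."""
    return sorted(name for name, instances in groups.items() if len(instances) > 1)


def mixed_directories(groups):
    """Repeated names whose instances are not all launched from the same
    directory: {name: [directories]}. These are the ones to check first."""
    flagged = {}
    for name in repeated_names(groups):
        dirs = {ntpath.dirname(path).lower() for _, path in groups[name] if path}
        if len(dirs) > 1:
            flagged[name] = sorted(dirs)
    return flagged


def report(text):
    """Text report: one line per repeated name, then its instances."""
    groups = group_by_name(parse_wmic_csv(text))
    flagged = mixed_directories(groups)
    lines = []
    for name in repeated_names(groups):
        tag = "CHECK" if name in flagged else "ok   "
        lines.append("%s %-16s x%d" % (tag, name, len(groups[name])))
        for pid, path in groups[name]:
            lines.append("        pid %-5d %s" % (pid, path))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_WMIC_CSV))
```

On the real machine, save the wmic output to a file and feed its contents to `report()`; a name marked "ok" merely has several instances, while a name marked "CHECK" is the kind of entry to ask about in the software forum with the paths included.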
  7. 11marini

    11marini Private E-2

    Great! Thanks for the advice on places to get trained, and I'll go to the software forum to ask for some advice after I do the "final steps".

    Thanks for volunteering your time. It helped me a lot, and I'm sure lots of other people benefit from your generosity as well.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are quite welcome....go forth and surf!! :)
     
