same but different

Discussion in 'Malware Help (A Specialist Will Reply)' started by ohoh, Mar 30, 2008.

  1. ohoh

    ohoh Private E-2

    I'm experiencing the same problem as others who get antispyware pop-ups:

    1) Window says "Security system protection control panel"
    "! possible spyware infection detected to remove detected threat click here...." A web page opens from "Antispyware-Reviews.biz". This page gives you a choice to download or buy "PC-Antispyware" or "PC-Cleaner".
    2) Window says "Security system warning"
    Alert details: File c:\windows\wml.exe
    Threat Abebot
    Click here to visit PC-Antispyware web site
    - Also a yellow triangle with a pop-up "Security system Warning" balloon is on the task bar.

    But when I try to follow the steps as posted on other threads, for ex. using HJT, I don't get the same results as other people are getting. I look for the lines to fix but I don't have the same ones, so I'm not sure if I should keep going to the next step.

    Are these solutions custom to each system configuration???
     
  2. abri

    abri MajorGeek

    Hi ohoh,
    Welcome to Major Geeks!
    Are you having some trouble with your thread? Or why are you posting multiple times? Please keep with one thread until the current problem has been resolved. Also, it is best to follow instructions which have been tailored to your computer, as using instructions for another computer could cause damage to your own.

    Please begin by following the instructions in Removing Zlob aka SmitFraud, SpySheriff, Infections. This will produce two logs both called rapport.txt. Attach the first rapport.txt here before continuing with the cleaning procedure. After running the cleaning procedure, then attach the second rapport.txt.

    When you finish these, please go to the READ & RUN ME FIRST and follow the instructions. When you're finished, please attach the requested logs.

    Thanks.
    abri
     
  3. ohoh

    ohoh Private E-2

    Yes, I was having posting trouble; please forgive.

    Will do; will post when finished. Thanks.
     
  4. ohoh

    ohoh Private E-2

    1st rapport attachment
     


  5. ohoh

    ohoh Private E-2

    rapport.txt after SmitFraudFix option 2 done in safe mode
     


  6. ohoh

    ohoh Private E-2

    SuperAntiSpyware scan log
     


  7. ohoh

    ohoh Private E-2

    Malwarebytes log
     


  8. ohoh

    ohoh Private E-2

    MGtools logs
     


  9. abri

    abri MajorGeek

    Hi ohoh,

    1) Please disable your guest account if this has not already been done.

    2) What is in the following folder? Do not open any files.

    C:\Documents and Settings\All Users\Application Data\belgfmha

    3) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKCU\..\Run: [qublgijr] C:\WINDOWS\system32\rcnyxoxe.exe
    O4 - HKCU\..\Run: [araxfiib] C:\WINDOWS\system32\ujejwfaf.exe
    O4 - HKCU\..\Run: [ptjsbuur] C:\WINDOWS\system32\uxclshsp.exe
    O4 - HKLM\..\Policies\Explorer\Run: [NJH0RtKs5N] C:\Documents and Settings\All Users\Application Data\belgfmha\zqvgniho.exe
    O21 - SSODL: BmbVQHU - {4CEE71E1-E644-DB4B-DB53-2C92700D3BC2} - C:\WINDOWS\system32\onhim.dll

    Does the following belong to a program you know or want to keep? If not, please fix it as well.

    O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe

    After you click fix, just close hijackthis.


    5) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    6) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    7) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
  10. ohoh

    ohoh Private E-2

    The folder is unknown to me and I am willing to annihilate it to fix the problem:

    C:\Documents and Settings\All Users\Application Data\belgfmha


    Will start working on your response ASAP. Thanks.
     
  11. abri

    abri MajorGeek

    I do think it's malware, but is there anything in it?
     
  12. ohoh

    ohoh Private E-2

    I followed your steps to the T.
    I removed the belgfmha folder; it didn't want to go easily, but I used Task Manager to halt some processes until it cooperated.

    I ran analyse.exe; all were removed but this one:

    O21 - SSODL: BmbVQHU - {4CEE71E1-E644-DB4B-DB53-2C92700D3BC2} - C:\WINDOWS\system32\onhim.dll

    I also removed this one. I have no idea what it was; I'm very sure I didn't use it intentionally:
    O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe

    I included the log in case you want to see it.



    But I'm up and running for 30 mins, no popups,
    so good so far!

    I will leave the machine on all night and give you an update in the morning.

    Thanks
     


  13. abri

    abri MajorGeek

    Hi ohoh,

    Please continue as follows:

    1) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    2) What's in this folder? Do not delete it and do not open any files. Just tell me what, if any files, are in it:

    C:\ELI

    3) Download and install ERUNT. Use it to create a backup of your registry.

    4) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Let me know if you get a success message with this patch.

    5) Your computer does not appear to be in normal startup mode. Please go to Start / Run and type in msconfig and click on ok. In the Window that opens up, check the box next to Normal Startup and then click on accept and ok.

    6) Then run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip

    Let me know how your computer is working now.

    abri
     
  14. ohoh

    ohoh Private E-2

    Hi Abri

    So far my system has been popup free... thanks to you.

    1) MSN was already disabled.

    2) c:\eli was just a folder I made for my sister with some spreadsheets, no big deal.

    3+4) Downloaded ERUNT, backed up the registry, merged with fixme.reg. I had to pick regedit as the application to open it with; it was successful.

    5) Checked msconfig; it is in normal mode, but I had messed with it before my post to try and get an idea of what was going on.

    6) Fresh MGlogs.zip is attached.


    ?? Any suggestions or any previous post that you can recommend so I can keep my system clean? I have left SAS on it and I have Norton 360 (not so great).


    Thanks, so far it seems to be working great!!
     


  15. abri

    abri MajorGeek

    Hi ohoh,

    MSN Messenger is not the same as Windows Messenger. I can see that it's not been disabled, because it's still showing up in your HijackThis log. It is best disabled by running the removal tool I gave you the link for.

    We're still having trouble getting rid of one of your HijackThis entries that is malware, so please do the following:

    1) Continue by downloading a tool we will need

    - Process Explorer

    Extract it to its own folder somewhere that you will be able to locate it later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    onhim.dll
    After you have killed all instances of any of the above DLLs under winlogon click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    onhim.dll

    After you have killed all instances of any of the above DLLs under Explorer click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    onhim.dll

    After you have killed all instances of any of the above DLLs under iexplore click ok.
    (If you do not find these DLLS, just continue on.)

    Now just exit Process Explorer.

    2) Run HijackThis (found in the MGTools folder as analyse.exe) and select Do a system scan only. Then select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O21 - SSODL: BmbVQHU - {4CEE71E1-E644-DB4B-DB53-2C92700D3BC2} - C:\WINDOWS\system32\onhim.dll

    After clicking Fix, exit HJT.


    3) After doing the above I would like for you to run Avenger again, only this time use the contents of this box:
    4) Now run CCleaner.

    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
  16. ohoh

    ohoh Private E-2

    1) I ran MessengerDisable and removed it.

    I was confusing it with the other, as you said. Thanks.

    I ran Process Explorer, but I did not see onhim.dll in a thread for any .exe.

    Ran HijackThis again and selected the 2 lines, closed all browsers including the one I was reading from, selected Fix, then closed it.

    I used Avenger to delete onhim.dll.

    Rebooted.

    Ran CCleaner.

    Then GetLogs.bat.

    Here are the files.

    My machine has been running fine since the last time I told you, no popups.

    I see that onhim still shows up, but it says file missing...


    Thanks
    ohoh
     


  17. ohoh

    ohoh Private E-2

    I did your steps again; it looks like it's gone now. I must have done something out of order, but here are the new logs.

    Thanks
    ohoh
     


  18. abri

    abri MajorGeek


    That's good. Let's see if we can get him this time:

    1) Run HijackThis (found in the MGTools folder as analyse.exe) and select Do a system scan only. Then select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O21 - SSODL: BmbVQHU - {4CEE71E1-E644-DB4B-DB53-2C92700D3BC2} - C:\WINDOWS\system32\onhim.dll (file missing)

    After clicking Fix, exit HJT.

    2) Run HijackThis (found in the MGTools folder as analyse.exe) and select Do a system scan only. See if the above O21 entry is now gone.

    If so, I will post the final cleanup instructions to you.

    abri
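    The O4 Run-key, O21 SSODL and O16 DPF lines that abri asks to be fixed in posts 9, 15 and 18 above, and the "(file missing)" suffix that post 18 deals with, can be triaged mechanically instead of by eye. The Python below is an added example for this page; it is not code from the thread, from HijackThis or from MajorGeeks. It parses those three line shapes, extracts the target path from a quoted or unquoted Run command, and applies the heuristics a helper applies when reading a log: a random-looking eight-letter file name in system32 or All Users\Application Data, a randomly named parent folder (belgfmha), the Policies\Explorer\Run key, a ShellServiceObjectDelayLoad value outside the stock XP defaults (which is what makes the DLL load into explorer.exe at logon, and why killing it under winlogon/explorer/iexplore came first), an ActiveX download from a non-Microsoft host, and a stale value whose file is already gone. The sample input is the thread's own HJT lines; the SSODL default list and the trusted DPF hosts are assumptions of the example, not something HijackThis publishes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the HijackThis lines quoted in this thread, one per line.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [qublgijr] C:\WINDOWS\system32\rcnyxoxe.exe
O4 - HKCU\..\Run: [araxfiib] C:\WINDOWS\system32\ujejwfaf.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Policies\Explorer\Run: [NJH0RtKs5N] C:\Documents and Settings\All Users\Application Data\belgfmha\zqvgniho.exe
O21 - SSODL: BmbVQHU - {4CEE71E1-E644-DB4B-DB53-2C92700D3BC2} - C:\WINDOWS\system32\onhim.dll
O21 - SSODL: BmbVQHU - {4CEE71E1-E644-DB4B-DB53-2C92700D3BC2} - C:\WINDOWS\system32\onhim.dll (file missing)
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
"""


@dataclass
class Entry:
    kind: str            # "O4", "O21" or "O16"
    location: str        # hive\key for O4, "SSODL" for O21, "DPF" for O16
    name: str            # value name (O4), label (O21) or CLSID (O16)
    target: str          # executable/DLL path, or the download URL for O16
    file_missing: bool   # HijackThis appended "(file missing)" to the line
    raw: str


O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(.+?): \[(.+?)\] (.+)$")
O21_RE = re.compile(r"^O21 - SSODL: (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\}) - (\S+)$")
# First token of a Run command: a quoted path, or an unquoted path up to its extension.
CMD_PATH_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|scr|bat|pif|cmd))(?=\s|$)', re.IGNORECASE)
HOST_RE = re.compile(r"^https?://([^/]+)", re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")   # the eight-letter names this family drops

# Assumption of this example: SSODL value names present on a stock Windows XP install.
XP_DEFAULT_SSODL = {"postbootreminder", "cdburn", "webcheck", "systray"}
# Assumption of this example: hosts from which an O16 ActiveX download is not suspicious by itself.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")


def command_path(cmd: str) -> str:
    """Return the executable path from a Run-key command, dropping quotes and arguments."""
    m = CMD_PATH_RE.match(cmd.strip())
    return (m.group(1) or m.group(2)) if m else cmd.strip()


def parse_line(line: str) -> Optional[Entry]:
    """Parse one O4 / O21 / O16 HijackThis line; return None for any other line."""
    line = line.strip()
    missing = line.endswith("(file missing)")
    if missing:
        line = line[: -len("(file missing)")].rstrip()
    m = O4_RE.match(line)
    if m:
        hive, key, name, cmd = m.groups()
        return Entry("O4", f"{hive}\\{key}", name, command_path(cmd), missing, line)
    m = O21_RE.match(line)
    if m:
        name, _clsid, path = m.groups()
        return Entry("O21", "SSODL", name, path.strip(), missing, line)
    m = O16_RE.match(line)
    if m:
        clsid, url = m.groups()
        return Entry("O16", "DPF", clsid, url, missing, line)
    return None


def flag(e: Entry) -> List[str]:
    """Heuristic reasons an entry deserves a look; an empty list means nothing automatic fired."""
    reasons: List[str] = []
    low = e.target.lower()
    parts = low.split("\\")
    stem = parts[-1].rsplit(".", 1)[0]
    parent = parts[-2] if len(parts) >= 2 else ""
    if e.file_missing:
        reasons.append("target file is gone but the registry value remains (stale entry)")
    if e.kind == "O4" and "policies\\explorer\\run" in e.location.lower():
        reasons.append("Policies\\Explorer\\Run autostart, rarely used by legitimate software")
    if e.kind in ("O4", "O21") and RANDOM_STEM_RE.match(stem) and (
        "\\system32\\" in low or "\\application data\\" in low
    ):
        reasons.append("random-looking file name in a system or shared data directory")
    if e.kind in ("O4", "O21") and RANDOM_STEM_RE.match(parent):
        reasons.append("random-looking parent directory")
    if e.kind == "O21" and e.name.lower() not in XP_DEFAULT_SSODL:
        reasons.append("SSODL value outside the XP defaults: DLL is loaded into explorer.exe at logon")
    if e.kind == "O16":
        m = HOST_RE.match(e.target)
        host = m.group(1).lower() if m else ""
        if not host.endswith(TRUSTED_DPF_HOSTS):
            reasons.append(f"ActiveX code download from untrusted host {host or '?'}")
    return reasons


def triage(log_text: str) -> List[Tuple[Entry, List[str]]]:
    """Parse every recognised line of a HijackThis log and attach its reasons."""
    results = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            results.append((e, flag(e)))
    return results


def report(log_text: str) -> str:
    lines = []
    for e, reasons in triage(log_text):
        lines.append(f"{'REVIEW' if reasons else 'ok    '} {e.kind:<3} [{e.name}] {e.target}")
        lines.extend(f"           - {r}" for r in reasons)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_HJT))
```

    On the thread's lines the Java and QuickTime entries come back with no reasons (abri still chose to fix them, which is a helper's judgement the script does not make), the three system32 eight-letter executables and the belgfmha one are flagged, both onhim.dll lines are flagged because BmbVQHU is not an XP SSODL default, and the second onhim.dll line additionally carries the stale-entry reason, which is exactly the situation in posts 16 to 18: the DLL was deleted by Avenger but its registry value survived until HijackThis fixed it.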
     
  19. ohoh

    ohoh Private E-2

    Abri please see my last post

    I did your steps again; it looks like it's gone now. I must have done something out of order, but here are the new logs.

    I didn't see it that time.

    Thanks
    ohoh
     
  20. abri

    abri MajorGeek

    Hi ohoh,

    Sometimes the files have to be damaged before you can remove them.

    Please do the final cleanup instructions in the box:
    abri
     
