Serious Infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by tiamarie223, Sep 27, 2006.

  1. tiamarie223

    tiamarie223 Private E-2

    My step-father brought me his mother's computer to try and clean off for her. It has been seriously infected, and I need help. In the past I have been able to clean off others' computers just by following your "do this before you post" thread.
    I have gone through that post, but I have not been able to do everything on the list.
    The problems she had were when she went from dial-up to high speed; within 3 days she had a zillion pop-ups. I have encountered more problems since trying to clean her computer.
    I have tried removing programs through the add/remove programs
    She said she had anti-virus, but when I tried to run it, I found out she just had the "get a free trial here" from McAfee. I am rarely able to boot in normal mode since when I try the computer continually restarts itself, until I open it in safe mode or shut it all the way down. Even installing the programs was a problem, I ended up having to just run them from the internet (instead of saying save, I would choose run, then once it was downloaded the installer would run) otherwise the installer would experience an error and quit. I have run CCleaner and Microsoft malicious software removal tool. I have run Spybot a couple times and some of the things it says are cleaned keep coming back, one of which was SpySheriff (even though I had no symptoms of that-no blue screen, etc.) so I did the special removal procedure for that and it has stopped popping up on spybot. I have run Counter Spy, and have attached the log files. I was able to run bitdefender and have also attached those as well. Panda scan would not run. I am unable to update her computer's java or security pack until this is cleared up. The only way I have been able to open her computer in normal mode is if I revert to a last known good configuration, but I'm not sure if I should do that. And I'm not sure if I can start in normal mode with the diagnostic settings.
    All help will be appreciated
    Thanks
    Tia
     

    Attached Files:

  2. tiamarie223

    tiamarie223 Private E-2

    Also, since smitfraud is one of the recurring problems being found, I ran the smitfraud special removal and got the message that the wininet.dll file was infected and there was not one available to replace it. Also when I am able to restart in normal mode I get a lot of error messages.
     
  3. tiamarie223

    tiamarie223 Private E-2

    Ok, I was able to open in normal mode so here are the GetRunKey, ShowNew, and HJT logs I wasn't able to run before. Internet Explorer now experiences an error every time it's opened, so I am using Netscape Navigator. (It was on the computer) Also, I noticed that the Mirar toolbar is back on Explorer.
    I am going to try and install AVG and run it.
    Thanks
    Tia
     

    Attached Files:

  4. tiamarie223

    tiamarie223 Private E-2

    And here is another logfile.
     

    Attached Files:

  5. tiamarie223

    tiamarie223 Private E-2

    I installed AVG and ran a scan. It removed a lot of stuff.
    Also I got a new wininet.dll file from Microsoft.com and fixed that. I am now able to open in normal mode, but I'm still experiencing pop ups and I can't remove the Mirar toolbar. On the add/remove programs (it's called "related page") a blank box with the title "uninstal mirar" pops up.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please note that each time you add a message to your thread, you increase the length of time before getting a response. Oldest threads are worked on first, so when you add a message you go to the bottom of the queue. It is always best to post ALL info in one thread (or two to get all logs as required - but only seconds apart) and then wait.

    Also since you ran other procedures after posting the logs, we will now need new logs from:
    - GetRunKey
    - ShowNew
    - HJT

    Otherwise we will waste our time fixing things that may already be fixed.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Boy this PC was VERY BADLY infected!

    I want to give you an important heads up so that you can tell your step-father to talk with his mother (does that make her your step-grandmother????). This is very important if the PC was being used for anything financial related (internet banking, purchasing online, credit card stuff etc).

     
  8. tiamarie223

    tiamarie223 Private E-2

    Here are the new logs requested.
    Thanks for the info, I called my dad and he's going to tell her.
    Thanks
    Tia
     

    Attached Files:

  9. tiamarie223

    tiamarie223 Private E-2

    I had to go ahead and run microsoft updates, so here are new logfiles.
    Tia
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That was a bad idea! Quite often upgrades to WinXP SP2 will fail or will get corrupted when malware is present. And this PC has a load of malware present. Hopefully it will not become an issue. Please do not do anything else unless I ask you to do it. It is best while trying to fix problems like this that no other software be installed and no other steps be performed except what we ask.

    I see signs of three antivirus applications AVG, McAfee, and Symantec. However AVG seems to be the only one properly installed. The McAfee and Symantec applications appear to be broken and also improperly/incompletely uninstalled. Let's start your fixes by correcting this!

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to McAfee WSC Integration ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above stop and disable for the following services:
    McAfee Task Scheduler
    McAfee SecurityCenter Update Manager
    Windows Network Security Management Service
    SymWMI Service

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    McDetect.exe

    Now repeat the Delete NT Service steps for:
    McTskshd.exe
    mcupdmgr.exe
    nsms
    SymWSC

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Can you tell me what PSDream is for?

    Now go to Add/Remove Programs and uninstall the below:
    Java 2 Runtime Environment, SE v1.4.0_03
    Search Bar

    NOW!!!! On to the heart of your malware problems! As you will see from the below, there is much to fix!


    Start by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of WLogon.dll once and then click the kill button. After you have killed all of the WLogon.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs(If you do not find the dll, just continue on):
    swprodte.dll

    Next double click on explorer.exe and again click once on each instance of WLogon.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    swprodte.dll

    Now just exit Process Explorer.

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\TEMP\D9DF.tmp
    C:\WINDOWS\sys0265000958-2.exe
    C:\kybrdff_e16.exe
    C:\dfndrff_e16.exe
    C:\WINDOWS\Duce6.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
    O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
    O4 - HKLM\..\Run: [rdcnbcb.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\rdcnbcb.dll,nuvwdld
    O4 - HKLM\..\Run: [xjjggfg.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\xjjggfg.dll,jfcjzkg
    O4 - HKLM\..\Run: [ugibodbA] C:\WINDOWS\ugibodbA.exe
    O4 - HKLM\..\Run: [sys0265000958-2] C:\WINDOWS\sys0265000958-2.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [ple729a5] RUNDLL32.EXE waddd9af.dll,n 004729a100000003addd9af
    O4 - HKLM\..\Run: [ms0500958-2650] C:\WINDOWS\ms0500958-2650.exe
    O4 - HKLM\..\Run: [ms04000958-265] C:\WINDOWS\ms04000958-265.exe
    O4 - HKLM\..\Run: [ms035000958-26] C:\WINDOWS\ms035000958-26.exe
    O4 - HKLM\..\Run: [mqletrm.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\mqletrm.dll,oykxbw
    O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
    O4 - HKCU\..\Run: [iprtrmgr] C:\WINDOWS\System32\iprtrmgr.exe
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O20 - AppInit_DLLs: dpmomspr.dll dminupnp.dll
    O20 - Winlogon Notify: swprodte - C:\WINDOWS\System32\swprodte.dll
    O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
    O20 - Winlogon Notify: WLogon - C:\WINDOWS\SYSTEM32\srvc.dll

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\Pamela Compton\Start Menu\Programs\Startup\TA_Start.lnk
    C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
    C:\Program Files\Common Files\{F0346802-096B-1033-0514-031024200001}\Update.exe
    C:\asdf.txt
    C:\dbg.txt
    C:\avuqk.exe
    C:\deskbar.exe
    C:\deskbar_e11.exe
    C:\deskbar_e13.exe
    C:\deskbar_e14.exe
    C:\deskbar_e15.exe
    C:\dfndrff_e14.exe
    C:\dfndrff_e15.exe
    C:\dfndrff_e16.exe
    C:\gawpnlj.exe
    C:\kybrdff_e15.exe
    C:\kybrdff_e16.exe
    C:\WINDOWS\Downloaded Program Files\UDC6_0001_D19M1908NetInstaller.exe
    C:\WINDOWS\Duce6.exe
    C:\WINDOWS\DXCecho.exe
    C:\WINDOWS\ms0500958-26502006.exe
    C:\WINDOWS\ms0500958-2650.exe
    C:\WINDOWS\ms04000958-265.exe
    C:\WINDOWS\ms035000958-26.exe
    C:\WINDOWS\srvilqvsgq.exe
    C:\WINDOWS\srvkyvjvhh.exe
    C:\WINDOWS\srvtijjbfi.exe
    C:\WINDOWS\sys0265000958-2.exe
    C:\WINDOWS\ugibodbA.exe
    C:\WINDOWS\uninst108.exe
    C:\WINDOWS\uni_e6h.exe
    C:\WINDOWS\win32098-265000952006.exe
    C:\WINDOWS\win3210-2650009582006.exe
    C:\WINDOWS\system32\druid.exe
    C:\WINDOWS\system32\image.gif.exe
    C:\WINDOWS\system32\msimnpwm.exe
    C:\WINDOWS\system32\regapi.exe
    C:\WINDOWS\system32\sachostm.exe
    c:\windows\system32\stonedrv.exe
    C:\WINDOWS\System32\iprtrmgr.exe
    C:\WINDOWS\system32\dwdsregt.exe
    C:\WINDOWS\system32\wnstssv.exe
    C:\WINDOWS\system32\crsidif.dll
    C:\WINDOWS\system32\dminupnp.dll
    C:\WINDOWS\system32\dpmomspr.dll
    C:\WINDOWS\system32\ejwkmjk.dll
    C:\WINDOWS\system32\esddocn.dll
    C:\WINDOWS\system32\inyz32.dll
    C:\WINDOWS\system32\jsfmh32.dll
    C:\WINDOWS\system32\lgzi32.dll
    C:\WINDOWS\system32\mqletrm.dll
    C:\WINDOWS\system32\msripok.dll
    C:\WINDOWS\system32\nugle32.dll
    C:\WINDOWS\system32\ozcd32.dll
    C:\WINDOWS\system32\pkhsg32.dll
    C:\WINDOWS\system32\rdcnbcb.dll
    C:\WINDOWS\system32\rdpwiasn.dll
    C:\WINDOWS\system32\srrmeg32.dll
    C:\WINDOWS\system32\srvc.dll
    C:\WINDOWS\system32\swprodte.dll
    C:\WINDOWS\system32\weczvgm.dll
    C:\WINDOWS\system32\waddd9af.dll
    C:\WINDOWS\system32\xjjggfg.dll
    C:\WINDOWS\system32\xzeg32.dll
    C:\WINDOWS\system32\zbxrftn.dll
    C:\WINDOWS\system32\ac7D.tmp
    C:\WINDOWS\system32\aaa00000.ini
    C:\WINDOWS\system32\inistone.ini
    C:\WINDOWS\system32\loadinfo.ini
    C:\WINDOWS\system32\80.tmp
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folders and delete them if found:
    C:\Program Files\Deskbar
    C:\Program Files\Common Files\misc002
    C:\Program Files\Common Files\{F0346802-096B-1033-0514-031024200001}
    c:\program files\mcafee.com
    C:\Program Files\Common Files\Symantec Shared

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\temp
    C:\Documents and Settings\Pamela Compton\Local Settings\Temp

    Now attach a new HJT log and tell me how the steps went.

    Also attach a new log from ShowNew and a new log from GetRunKey.

    Make sure you tell me how things are working now!
     
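    The fix list above is built from the autostart locations HijackThis reports as O4 (Run keys), O20 (Winlogon Notify and AppInit_DLLs) and O15 (Trusted Zone), plus Killbox's delete-on-reboot queue. The script below is an added audit example, not chaslang's procedure or any MajorGeeks tool; it assumes Windows PowerShell 3.0 or later run from an elevated prompt, reads those same locations, and only reports, so a helper can compare the result against the HJT log without changing anything.

```powershell
# Added audit script (not from this thread or MajorGeeks). Assumes PowerShell 3.0+, run elevated.
# Reads the autostart locations behind HJT's O4 / O20 / O15 lines plus the delete-on-reboot
# queue, and reports them; it makes no changes.

$psProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$sys32   = Join-Path $env:SystemRoot 'system32'

function Get-TargetPath([string]$Command) {
    # Extract the file that actually gets loaded from a Run-key command line,
    # including the "rundll32.exe C:\...\foo.dll,entry" form seen in the O4 lines.
    $c = $Command.Trim()
    if ($c -match '(?i)rundll32(\.exe)?\s+"?([^",]+)') { return $Matches[2].Trim() }
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

function Test-SuspiciousPath([string]$Path) {
    # Flag an entry when it has no directory at all (like waddd9af.dll), when the file is
    # missing on disk (the "specified module could not be found" errors), or when it lives
    # outside the usual program directories (like C:\WINDOWS\sys0265000958-2.exe).
    if (-not $Path) { return $false }
    if ($Path -notmatch '[\\/]') { return $true }
    if (-not (Test-Path -LiteralPath $Path)) { return $true }
    foreach ($dir in @($sys32, $env:ProgramFiles, $env:CommonProgramFiles | Where-Object { $_ })) {
        if ($Path.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    }
    return $true
}

function Add-Finding($Source, $Name, $Target) {
    [pscustomobject]@{ Source = $Source; Name = $Name; Target = $Target; Flag = (Test-SuspiciousPath $Target) }
}

$findings = @()
# O4: Run keys under HKLM and HKCU
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $k)) { continue }
    foreach ($p in (Get-ItemProperty $k).PSObject.Properties) {
        if ($psProps -contains $p.Name) { continue }
        $findings += Add-Finding 'O4 Run' $p.Name (Get-TargetPath "$($p.Value)")
    }
}
# O20: Winlogon Notify packages and AppInit_DLLs (bare names load from system32)
$nt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
foreach ($sub in @(Get-ChildItem "$nt\Winlogon\Notify" -ErrorAction SilentlyContinue)) {
    $dll = (Get-ItemProperty $sub.PSPath).DllName
    if ($dll -and $dll -notmatch '[\\/]') { $dll = Join-Path $sys32 $dll }
    $findings += Add-Finding 'O20 Winlogon Notify' $sub.PSChildName $dll
}
$appInit = (Get-ItemProperty "$nt\Windows").AppInit_DLLs
foreach ($d in @("$appInit" -split '[\s,]+' | Where-Object { $_ })) {
    $t = if ($d -match '[\\/]') { $d } else { Join-Path $sys32 $d }
    $findings += Add-Finding 'O20 AppInit_DLLs' $d $t
}
# O15: hosts placed in the Trusted sites zone (zone id 2); subkeys hold the host in reversed order
foreach ($root in 'HKLM:', 'HKCU:') {
    $zm = "$root\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    foreach ($k in @(Get-ChildItem $zm -Recurse -ErrorAction SilentlyContinue)) {
        foreach ($p in (Get-ItemProperty $k.PSPath).PSObject.Properties) {
            if ($psProps -contains $p.Name -or $p.Value -ne 2) { continue }
            $parts = @(($k.PSPath -replace '^.*\\Domains\\', '') -split '\\'); [array]::Reverse($parts)
            $findings += [pscustomobject]@{ Source = "O15 Trusted Zone ($root)"; Name = "$($p.Name)://$($parts -join '.')"; Target = ''; Flag = $true }
        }
    }
}
# Files queued for deletion or replacement at next boot: this is the PendingFileRenameOperations
# value that Killbox's "Delete on Reboot" relies on and that the prompt in the steps above refers to.
$pending = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager').PendingFileRenameOperations
foreach ($e in @($pending | Where-Object { $_ })) { $findings += Add-Finding 'PendingFileRename' '' ($e -replace '^!?\\\?\?\\', '') }

$findings | Sort-Object Flag -Descending | Format-Table -AutoSize
```

    Flagged rows are triage hints only: a legitimate file under system32 with a random-looking name (rdcnbcb.dll in the O4 lines is one) is not flagged by the path test and still has to be judged against the HJT log and vendor signatures.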
  11. tiamarie223

    tiamarie223 Private E-2

    Ok, I'll be able to do this in the morning. Thanks! Since this is not my computer I have no idea what PSDream is. As far as I'm (and my dad) concerned we can get rid of it too. She keeps all her discs from programs she buys so if it's something important she'll be able to reinstall it. I'm of the opinion that it's probably not needed. And possibly bad. There has been so much crap downloaded on that computer that that's probably where it came from.
    I ran the updates because I was supposed to have to give the computer back today and I figured there was no way we could walk her through the rest of the repair and updating. Now I know better! Hopefully the seriousness of these infections will make her realize that this is important.
    I'll let you know how things went, thanks again! And if you want to add the removal of psdream, I'll do that too.
    Tia
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I really don't know exactly what PSdream is. It could be photography/photograph related based on a quick Google search. Just leave it for now and let's see how everything is working after the other fixes.
     
  13. tiamarie223

    tiamarie223 Private E-2

    This went well, except it wouldn't let me delete SymWSC. It said it was essential and didn't give me the option to bypass the warning.
    Uninstalled these with no problems.

    I couldn't find any instances of WLogon but swprodte was there and I was able to kill them.

    The temp, sys, and duce6 ones were not there.

    Some of these listed were not there. I have not made any changes since I posted the last logs, but I just realized that AVG and Counter Spy were running and possibly they did something last night?
    Done without error

    The pocket killbox went as described, and I deleted the folders and files requested. Deskbar was not there.
    I have run new logs for you. I am still experiencing pop-ups though. And I am receiving more error messages when I restart the computer. They are:
    Error Loading C:\WINDOWS\System32\ejwkmjk.dll
    The specified module could not be found.
    The other dll's giving me this same error are:
    xjjggfg.dll
    rdcnbcb.dll
    mqletrm.dll
    crsidif.dll
    And another similar error for waddd9af.dll. It's the same as the ones above except no path is listed.
    Also, on the pop-ups, I am now getting one that is trying to download the file 1search.php from www .netsearchdog. com
    And a file called promos.php from www. 247query. com and www2. totallookup. com
    I just click cancel when the do you want to download this file box pops up.
    I also had a question about a folder I saw in program files. Its called blstoolbar.
    And how do I stop Bellsouth FastAccess DSL Help Center and Support.com Agent from loading every time I restart? (They have the same icon and close together.) But there is no reason for them to be running in the background.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I did say to ignore any errors! ;)

    That's strange because they were there and still are (also although the sys.... one renamed itself).

    We have some more things to get fixed. Let's continue.

    Now Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now please download The Avenger by Swandog46 to your Desktop.
    • Double click on Avenger.zip to open the file and extract avenger.exe to your Desktop
    • Copy the below quoted text (which is a script for Avenger) into your clipboard by highlighting it and pressing
      CTRL+C
    • Now, run The Avenger program by double clicking its icon on your Desktop.
    • Under "Script file to execute" choose "Input Script Manually".
    • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    • Click Done
    • Now click on the Green Light to begin execution of the script
    • Answer "Yes" twice when prompted.
    The Avenger will automatically do the following:
    • It will Restart your computer. (When the script being executed contains "Drivers to Unload",
      The Avenger will actually reboot your system two times.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the reboot, it creates a log file that should open with the results of Avenger’s actions. This log
      file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped
      them and moved the zip archives to C:\avenger\backup.zip.
    Please attach the c:\avenger.txt file to your next message.

    Run HijackThis and select any of the following lines that still remain (if you don't see them just skip and continue) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O20 - AppInit_DLLs: dpmomspr.dll dminupnp.dll
    O20 - Winlogon Notify: swprodte - C:\WINDOWS\System32\swprodte.dll (file missing)


    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Also download the current version of ShowNew and then attach new logs from ShowNew and GetRunKey.

    Make sure you tell me how things are working now.
     
