several viruses, ad-aware and spybot will not work, uncontrollable pop-ups

Discussion in 'Malware Help (A Specialist Will Reply)' started by justann430, Mar 15, 2006.

  1. justann430

    justann430 Private E-2

    When I run AVG it shows Trojan-horseClicker.BSJ and Trojan-horseGeneric.QSF plus many others. It says they are healed but they come back up. My homepage has been hijacked by findthewebsiteyouneed.com. When I run ad-aware or spybot they both just close themselves randomly so I cannot get them to run completely. Whenever I get on the Internet the pop-ups are unbelievable; at this moment I have 20. I don't know what else y'all would need, but just let me know and I'll be glad to do it.
    I am attaching a summary report from the Aida32 program.
    Thank you so much for any help you can give me.
     

  2. AbbySue

    AbbySue MajorGeeks Administrator

    Welcome to MajorGeeks!:)

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis


    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
    • Bitdefender
    • Panda Scan
    • HijackThis
     
  3. justann430

    justann430 Private E-2

    I have done all the steps in the read me first file. I still have tons of pop-ups, and icons I did not download keep appearing on my desktop. I was unable to run the Panda Scan; I kept getting a message that said there was an error on the page. When I run AVG it finds tons of Trojan horse viruses.
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Wow! You are what we call a malware collector! You have a load of problems.

    Please do not ZIP files unless it is necessary (like they are too large to upload).

    Before we get started, I need some more info.

    Let's get an installed programs list from HijackThis!

    Run HijackThis, click Open the Misc Tools section
    Click Open Uninstall Manager
    Click Save List (generates uninstall_list.txt)
    Click Save, to save it to a file where you can find it.
    Upload this file as an attachment too.
     
  5. justann430

    justann430 Private E-2

    Ok, here's the installed programs list.
     

  6. justann430

    justann430 Private E-2

    I am also attaching the results from AVG.
     

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay you have a few old Sun Java versions you should uninstall. So uninstall these:
    J2SE Runtime Environment 5.0 Update 1
    Java 2 Runtime Environment Standard Edition v1.3.1_04

    Did you install something called Quicklinks? As far as I know this is malware. If you did not install it, add it to the list below to uninstall.

    LimeWire 4.8.1 may contain malware. If you must use this (not recommended) at least uninstall this and get the new version which is supposedly malware free.


    Now you have a load of malware items to uninstall:
    Enhanced MediaLoads
    eSyndicate
    IE Host
    IE Host R3
    MaxSpeed
    New.net Domains 7.22
    RelevantKnowledge
    Web Nexus Network
    Web Savings from Ebates
    Web Savings from Ebates

    Now attach a new uninstall_list.txt log from HJT and also attach a new HJT log.
     
  8. justann430

    justann430 Private E-2

    Okay, I uninstalled most things, but when I tried to uninstall Web Savings From Ebates I got a WJView Error that said ERROR: Could not execute Main : The system cannot find the file specified.
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What about Web Nexus Network ?

    I still see it. Did you try to uninstall it? What happens?

    Do you need this proxy server setting?
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 24.24.229.15:80

    If not then add it to the list further down in the HijackThis fixes.

    Please download Look2Me-Destroyer.exe to your desktop.
    • Close all windows before continuing.
    • Double-click Look2Me-Destroyer.exe to run it.
    • Put a check next to Run this program as a task.
    • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
    • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    • Once it's done scanning, click the Remove L2M button.
    • You will receive a Done Scanning message, click OK.
    • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    • Your computer will then shutdown.
    • Turn your computer back on.
    • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
    If Look2Me-Destroyer does not reopen automatically, reboot and try again.

    If you receive a message from your firewall about this program accessing the internet please allow it.

    If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
    http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX


    Now let's continue with some additional cleanup in my next message which is long!!!
     
    Last edited: Mar 24, 2006
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After completing the steps in my previous message, continue here.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINNT\sizszz.exe
    C:\windows\mousepad5.exe
    C:\WINNT\system32\464D4E49484B4.exe
    C:\WINNT\CheckS02.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
    R3 - URLSearchHook: (no name) - {5783309D-19EA-C2BA-2591-716C75E488C6} - C:\WINNT\yvfbwrhd.dll
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\rvhkd.exe
    F2 - REG:system.ini: UserInit=userinit.exe,cronnqx.exe
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\bxxs5.dll
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [vftmpc] C:\WINNT\System32\vftmpc.exe
    O4 - HKLM\..\Run: [htimyao] C:\WINNT\System32\htimyao.exe
    O4 - HKLM\..\Run: [mqigtqk] C:\WINNT\sizszz.exe
    O4 - HKLM\..\Run: [4F5k35R] javnpmgr.exe
    O4 - HKLM\..\Run: [Y3PwEe8oi] C:\windows\Y3PwEe8oi.exe
    O4 - HKLM\..\Run: [iB] C:\windows\iB.exe
    O4 - HKLM\..\Run: [suk] C:\windows\suk.exe
    O4 - HKLM\..\Run: [xload] "C:\WINNT\xload.exe"
    O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard5.exe
    O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad5.exe
    O4 - HKLM\..\Run: [newname] C:\windows\newname5.exe
    O4 - HKLM\..\Run: [0B12130E0D10141] 464D4E49484B4.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\CheckS02.exe
    O4 - HKCU\..\Run: [LouqRRd6P] dp-atext.exe
    O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
    O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
    O4 - HKCU\..\Run: [WinFixer2006] "C:\Program Files\WinFixer_2006\uwfx6.exe" /min
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
    O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZC
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\ms.exe (file missing)
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll (file missing)
    O15 - Trusted Zone: *.adextension.com
    O15 - Trusted Zone: *.dollarrevenue.com
    O15 - Trusted Zone: *.errorsafe.com
    O15 - Trusted Zone: *.gimmycash.com
    O15 - Trusted Zone: *.gimmysmileys.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.media-motor.com
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.mediatickets.net
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.proben.nu
    O15 - Trusted Zone: *.snet.ms
    O15 - Trusted Zone: *.snet.tc
    O15 - Trusted Zone: *.snipernet.biz
    O15 - Trusted Zone: *.snipernet.us
    O15 - Trusted Zone: *.sxload.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.zango.com
    O15 - Trusted Zone: *.zangocash.com
    O15 - Trusted Zone: *.adextension.com (HKLM)
    O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: *.gimmycash.com (HKLM)
    O15 - Trusted Zone: *.gimmysmileys.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.media-motor.com (HKLM)
    O15 - Trusted Zone: *.mediatickets.net (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: *.proben.nu (HKLM)
    O15 - Trusted Zone: *.snet.ms (HKLM)
    O15 - Trusted Zone: *.snet.tc (HKLM)
    O15 - Trusted Zone: *.snipernet.biz (HKLM)
    O15 - Trusted Zone: *.snipernet.us (HKLM)
    O15 - Trusted Zone: *.sxload.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O15 - Trusted Zone: *.yoursitebar.com (HKLM)
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {2BFEED4A-C72C-4C38-820B-29384891E882} - http://www.snap.emcp.com/Resources/DLLS/ZStubpack1.10.CAB
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/ign/blasterball2/install.cab
    O18 - Filter: text/html - {BA576CDE-9949-4473-A8F7-6C17C2A7E600} - C:\WINNT\system32\wdc1n.dll
    O20 - AppInit_DLLs: ehoblnlo.dll,Runner.dll,Runner.dll
    O20 - Winlogon Notify: Themes - C:\WINNT\system32\kt8sl7l71.dll
    O20 - Winlogon Notify: wincwg32 - wincwg32.dll (file missing)
    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    c:\installer <--- the whole folder
    C:\Program Files\Common Files\VCClient <--- the whole folder
    C:\Program Files\WinFixer_2006 <--- the whole folder
    C:\Program Files\EQAdvice <--- the whole folder
    C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
    C:\winstall.exe
    C:\WINNT\yvfbwrhd.dll
    C:\WINNT\system32\rvhkd.exe
    C:\WINNT\system32\cronnqx.exe
    C:\WINNT\System32\vftmpc.exe
    C:\WINNT\System32\htimyao.exe
    C:\WINNT\System32\javnpmgr.exe
    C:\WINNT\System32\464D4E49484B4.exe
    C:\WINNT\System32\dp-atext.exe
    C:\WINNT\System32\ms.exe
    C:\WINNT\system32\dmonwv.dll
    C:\WINNT\system32\wdc1n.dll
    C:\WINNT\system32\ehoblnlo.dll
    C:\WINNT\system32\Runner.dll
    C:\WINNT\system32\kt8sl7l71.dll
    C:\WINNT\bxxs5.dll
    C:\WINNT\CheckS02.exe
    C:\WINNT\sizszz.exe
    C:\windows\Y3PwEe8oi.exe
    C:\windows\iB.exe
    C:\windows\suk.exe
    C:\WINNT\xload.exe
    C:\windows\keyboard5.exe <--- delete any files whose names start with KEYBOARD and end in .exe (like KEYBOARD1.exe, KEYBOARD2.exe...etc)
    C:\windows\mousepad5.exe <--- delete any files whose names start with mousepad and end in .exe (like mousepad1.exe, mousepad2.exe...etc)
    C:\windows\newname5.exe <--- delete any files whose names start with newname and end in .exe (like newname1.exe, newname2.exe...etc)

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
    Last edited: Mar 24, 2006
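An added example, not part of the thread and not chaslang's or MajorGeeks' tooling: a small Python triage script that applies the reasoning behind the fix lists in posts 9 and 10 to raw HijackThis entries. It parses each line into its section code (R0/R1, F2, O2, O4, O15, O18, O20, ...) and flags the structural tells the expert keyed on: a start or search page pointing anywhere you did not choose, a ProxyServer value, extra binaries appended to the Shell or UserInit logon values, autorun images with no path or dropped straight into C:\, C:\WINDOWS\ or C:\WINNT\, any Trusted Zone entry, a text/html MIME filter, AppInit_DLLs, Winlogon Notify DLLs, and orphaned "(file missing)" entries. The sample log is a constructed subset of the entries quoted above; ALLOWED_HOSTS is an assumed placeholder for the pages you set yourself. Note the deliberate false negative: the EQAdvice line has a respectable-looking Program Files path and is not caught, which is why name lookup and the uninstall list still matter.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: a subset of the entries quoted from the HijackThis log in
# this thread (plus the O9 "file missing" line). It is not a complete log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 24.24.229.15:80
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\rvhkd.exe
F2 - REG:system.ini: UserInit=userinit.exe,cronnqx.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\bxxs5.dll
O4 - HKLM\..\Run: [mqigtqk] C:\WINNT\sizszz.exe
O4 - HKLM\..\Run: [4F5k35R] javnpmgr.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\ms.exe (file missing)
O15 - Trusted Zone: *.zango.com
O18 - Filter: text/html - {BA576CDE-9949-4473-A8F7-6C17C2A7E600} - C:\WINNT\system32\wdc1n.dll
O20 - AppInit_DLLs: ehoblnlo.dll,Runner.dll,Runner.dll
O20 - Winlogon Notify: Themes - C:\WINNT\system32\kt8sl7l71.dll
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# A binary with no path at all, or sitting directly in C:\, C:\WINDOWS\ or
# C:\WINNT\ with no subfolder. Real software almost never lives there.
SUSPECT_IMAGE_RE = re.compile(
    r"^(?:[A-Z]:\\(?:WINDOWS\\|WINNT\\)?)?[^\\]+\.(?:exe|dll)$", re.I)
# Assumption: the start/search pages you set yourself; anything else is a hijack.
ALLOWED_HOSTS = {"www.majorgeeks.com"}
# What the Shell and UserInit logon values normally contain (by basename).
EXPECTED_LOGON = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}


def extract_image(cmd):
    """Pull the executable out of a Run-key command line (quotes, rundll32)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        image, _, rest = cmd[1:].partition('"')
    else:
        image, _, rest = cmd.partition(" ")
    if image.rsplit("\\", 1)[-1].lower() in ("rundll32.exe", "rundll32"):
        # rundll32 is only the host; the payload is the DLL it was told to load.
        image = rest.strip().strip('"').split(",", 1)[0]
    return image


def triage_entry(kind, body):
    """Return a reason string if the entry deserves attention, else None."""
    if "(file missing)" in body:
        return "orphaned entry, referenced file is gone"
    if kind in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        if key.endswith("ProxyServer"):
            return "proxy set to %s: browser traffic is routed through it" % value
        host = urlparse(value.strip()).netloc.lower()
        if host and host not in ALLOWED_HOSTS:
            return "start/search page points at %s" % host
        return None
    if kind == "F2":
        _, _, rest = body.partition(": ")
        setting, _, value = rest.partition("=")
        images = [v.strip().rsplit("\\", 1)[-1].lower()
                  for v in value.split(",") if v.strip()]
        extra = [i for i in images
                 if i not in EXPECTED_LOGON.get(setting.strip().lower(), set())]
        if extra:
            return "%s runs extra binaries at logon: %s" % (setting, ", ".join(extra))
        return None
    if kind == "O4":
        m = RUN_RE.search(body)
        if m:
            image = extract_image(m.group("cmd"))
            if SUSPECT_IMAGE_RE.match(image):
                return "autorun image in a bare/root location: %s" % image
        return None
    if kind == "O2":
        path = body.rsplit(" - ", 1)[-1]
        if SUSPECT_IMAGE_RE.match(path):
            return "BHO loaded into every IE process from %s" % path
        return None
    if kind == "O15":
        return "site in IE Trusted Zone (lower security level than Internet zone)"
    if kind == "O18" and body.startswith("Filter: text/html"):
        return "MIME filter sees every HTML page before the browser renders it"
    if kind == "O20":
        if body.startswith("AppInit_DLLs:"):
            return "AppInit_DLLs loads these into every process that uses user32.dll"
        if body.startswith("Winlogon Notify:"):
            return "Winlogon Notify DLL runs inside winlogon.exe at logon"
    return None


def triage(log_text):
    """Parse a HijackThis log and return [(entry line, reason)] for flagged entries."""
    findings = []
    for line in log_text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        reason = triage_entry(m.group("kind"), m.group("body"))
        if reason:
            findings.append((line.strip(), reason))
    return findings


def by_section(findings):
    """Count flagged entries per HijackThis section code (O4, O15, ...)."""
    return Counter(line.split(" ", 1)[0] for line, _ in findings)


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print("%s\n    -> %s" % (line, reason))
```

The rules are deliberately structural rather than name-based: a random-looking filename is easy for a dropper to change on the next variant, but having to live in %WINDIR%, be reachable by bare name, hook Shell/UserInit, or sit in the Trusted Zone is what actually gives the malware its foothold, so those are the stable signals. Run the script on a full log to get a first-pass worklist, then check the remaining O4/O2 names (as chaslang did with the uninstall list) before fixing anything.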
  11. justann430

    justann430 Private E-2

    Okay. I'm doing my best here so bear with me. :) When I go to remove WebNexusNetwork it says to reboot, and then when I reboot it is still on my program list. I did the Look2Me-Destroyer, then the HJT.
    On the HJT scan I could not find:
    O20 - Winlogon Notify: Themes - C:\WINNT\system32\kt8sl7171.dll
    When I booted in safe mode I could not find:
    C:\Program Files\WinFixer_2006
    C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
    C:\winstall.exe
    C:\WINNT\system32\rvhkd.exe
    C:\WINNT\system32\dp-atext.exe
    C:\WINNT\system32\ms.exe
    C:\WINNT\system32\dmonwv.dll
    C:\WINNT\system32\kt8sl7171.dll
    C:\WINNT\bxxs5.dll
    C:\windows\suk.exe
    C:\WINNT\xload.exe

    So far I don't seem to be getting so many pop-ups!
     

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Your log is clean! How are things working now? Based on what you had before, I would say you are running a heck of a lot faster/better!!

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  13. justann430

    justann430 Private E-2

    WOW!! You rock. Thank you so much. My computer is running so much better. I really appreciate the help.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
