Should be routine for you guys!

Discussion in 'Malware Help (A Specialist Will Reply)' started by is300gsxr600, Feb 21, 2006.

  1. is300gsxr600

    is300gsxr600 Private E-2

    My case is probably going to be easy for you to walk me through, but it is just too tough for me with my experience. I downloaded a ton of anti-spyware (after I made sure they were legit) and now I have found your site. My anti-virus/anti-malware programs have helped but I still have a problem: I get tons of popups, Internet Explorer runs dial-up slow (I am on Cable) and spy-bot keeps showing HotSearchBar and Windows Defender keeps showing QuickLinks and KaZaA (which I do not use). These are probably remnants of the super trojan I got and also proof that there is more that I cannot yet see. Another problem is that sometimes I cannot open the Task Manager (with CTRL+ALT+DELETE or right-clicking the taskbar).

    If it helps, this all happened on Friday morning at 3:00. Tons of garbage was installed.
    I have followed the READ & RUN first (except BitDefender would not run due to an error in the webpage). Please find the attached attachment.

    Thanks in advance for your help!
    Paul
     
  2. is300gsxr600

    is300gsxr600 Private E-2

    And now for the attachment!
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MGs!

    Please install HijackThis properly per step 7 of the READ ME. And also attach your PandaActiveScan log as requested in step 6.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After installing HijackThis properly, continue with the below instructions.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\SYSC00.exe
    C:\Program Files\wmplayer\wmplayer.exe
    C:\Program Files\Common Files\W?nSxS\d?dplay.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
    O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmdsfs.dll
    O4 - HKLM\..\Run: [wmplayer] C:\Program Files\wmplayer\wmplayer.exe /auto
    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
    O4 - HKLM\..\Run: [{99-91-1A-AB-ZN}] C:\windows\system32\dwdsregt.exe IMG001
    O4 - HKCU\..\Run: [Lrbs] "C:\Program Files\eeda\sdcn.exe" -vt yazb
    O4 - HKCU\..\Run: [Ifo] C:\Program Files\Common Files\W?nSxS\d?dplay.exe
    O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
    O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\wmplayer <-- the whole folder
    C:\Program Files\Common Files\W?nSxS <-- the whole folder
    C:\Program Files\eeda <-- the whole folder
    C:\Program Files\Jalmp\jalmp.dll <-- the whole folder
    C:\WINDOWS\system32\irsmdsfs.dll
    C:\WINDOWS\system32\unirimon.exe
    C:\windows\system32\dwdsregt.exe
    C:\WINDOWS\system32\irssyncd.exe
    C:\WINDOWS\SYSC00.exe

    C:\Documents and Settings\Paul Benvie\Local Settings\Temporary Internet Files\Ssk.log
    C:\Documents and Settings\Paul Benvie\Local Settings\Temp\i19.tmp
    C:\Documents and Settings\Paul Benvie\Local Settings\Temp\u1E.tmp
    C:\Documents and Settings\Paul Benvie\Local Settings\Temp\u23.tmp
    C:\Documents and Settings\Paul Benvie\Local Settings\Temp\u31.tmp
    C:\WINDOWS\winsysban9.exe
    C:\PROGRAM FILES\winupdate <--- the whole folder

    Additional step to delete UERS_0001_N68M1801NetInstaller.exe:
    - Click Start, Run, and enter cmd in the box and click OK. This opens a command prompt window.
    - Enter the following command lines, each followed by the Enter key:

    cd C:\WINDOWS\Downloaded Program Files\
    attrib -r -h -s UERS_0001_N68M1801NetInstaller.exe
    del UERS_0001_N68M1801NetInstaller.exe
    exit


    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: Feb 22, 2006
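As an added illustration (not part of the thread and not part of HijackThis), the Python below parses the O2/O4/O18 lines quoted in the post above into hive, entry name, CLSID, target path and arguments, then cross-checks them against the safe-mode deletion list so a helper can spot an autorun whose file is not scheduled for removal. It assumes the 8.3 short name PROGRA~1 stands for Program Files and compares the "?" characters shown in the log literally.

```python
import re
# Constructed sample: the HijackThis lines quoted in the post above (not a real log file).
HJT_LINES = r"""
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmdsfs.dll
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\wmplayer\wmplayer.exe /auto
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [{99-91-1A-AB-ZN}] C:\windows\system32\dwdsregt.exe IMG001
O4 - HKCU\..\Run: [Lrbs] "C:\Program Files\eeda\sdcn.exe" -vt yazb
O4 - HKCU\..\Run: [Ifo] C:\Program Files\Common Files\W?nSxS\d?dplay.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
"""
# The files and folders the post tells the user to delete in safe mode (autorun-related ones).
DELETE_LIST = [
    r"C:\Program Files\wmplayer", r"C:\Program Files\Common Files\W?nSxS",
    r"C:\Program Files\eeda", r"C:\Program Files\Jalmp\jalmp.dll",
    r"C:\WINDOWS\system32\irsmdsfs.dll", r"C:\windows\system32\dwdsregt.exe",
    r"C:\WINDOWS\system32\irssyncd.exe", r"C:\WINDOWS\SYSC00.exe",
]
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
CLSID_RE = re.compile(r"^O(2|18) - (?:BHO|Filter): (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")

def normalize(path):
    """Lower-case and expand the 8.3 short name PROGRA~1 (assumed to mean Program Files)."""
    return path.strip().lower().replace(r"c:\progra~1", r"c:\program files")

def split_target(cmd):
    """Separate the executable path from its arguments, honouring quoted paths."""
    m = re.match(r'^"([^"]+)"\s*(.*)$', cmd) or re.match(r"^(.+?\.(?:exe|dll))(?:\s+(.*))?$", cmd, re.I)
    return (m.group(1), m.group(2) or "") if m else (cmd, "")

def parse_hjt(text):
    """Turn O2/O4/O18 lines into dicts; the '?' HJT prints inside paths is kept literally."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        if m := O4_RE.match(line):
            target, args = split_target(m.group(4))
            entries.append({"section": "O4", "hive": m.group(1), "name": m.group(3),
                            "target": normalize(target), "args": args, "raw": line})
        elif m := CLSID_RE.match(line):
            entries.append({"section": "O" + m.group(1), "name": m.group(2), "clsid": m.group(3),
                            "target": normalize(m.group(4)), "args": "", "raw": line})
    return entries

def uncovered(entries, delete_list):
    """Return raw lines whose target is neither a listed file nor inside a listed folder."""
    dels = [normalize(d).rstrip("\\") for d in delete_list]
    return [e["raw"] for e in entries
            if not any(e["target"] == d or e["target"].startswith(d + "\\") for d in dels)]
```

With the full list every entry is covered; drop one file from the list and `uncovered()` names the autorun line that would survive the cleanup.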
  5. is300gsxr600

    is300gsxr600 Private E-2

    Here is the information you requested, including a new HJT log. On to the next step.
     

    Attached Files:

  6. is300gsxr600

    is300gsxr600 Private E-2

    I tried copying the quote box into notepad and saving as fixme.reg, but when I clicked on it and selected yes, I received the following error message:
    REGISTRY EDITOR
    Cannot import C:\Documents and Settings\...\Desktop\fixme.reg: The specified file is not a registry script. You cannot import binary registry files from within the registry editor.

    I am not sure what all that means, but maybe you can point me in the right direction. I stopped there and did not complete the rest of that step because I figured the latter portions relied upon the changes from the fixme.reg.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that! That was my mistake. I left a beginning REGEDIT4 line out. Try it again (copy and paste it again).

    Based on your Panda log, I also added a few more items to delete so make sure you re-read the whole procedure.
     
  8. is300gsxr600

    is300gsxr600 Private E-2

    Done. It looks like my malware problem is gone, please check my attached HJT log.

    I have a new issue though:

    I get the following prompts and error messages anytime I do anything with MS Office or IE:

    Windows Installer: Preparing to install.

    Microsoft Office Standard Edition 2003:
    Please wait while Windows configures Microsoft Office Standard Edition 2003.

    Then the following error message is displayed:
    Microsoft Office Standard Edition 2003:
    Error 25090. Office Setup encountered a problem with the Office Source Engine, system error: -2147024893. Please open C:\Program Files\Microsoft Office\OFFICE11\1033\SETUP.CHM and look for "Office Source Engine" for more information on how to resolve this problem.

    If I go there, I open the file (into Notepad) and it is all random symbols.

    If I try to open Excel, it tries to install as above, but I get the following error message:
    ERROR: The operating system is not presently configured to run this application.

    What should I do about this?
    Thanks,
    Paul
     

    Attached Files:

  9. is300gsxr600

    is300gsxr600 Private E-2

    I went ahead and reinstalled MS Office as well as McAfee anti-virus because both were missing things that are required to make them work properly. Hopefully this is okay. The computer still is slow (due to antivirus and heavy duty firewall settings?) but at least the malware seems to be gone! Please check the newest HJT log, run after reinstalling MS Office and McAfee, to make sure I am clean. Once you say it's okay, I will then disable the Recovery, reboot and then re-enable it.
    Thanks,
    Paul
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
