Spyware and Slow Computer

Discussion in 'Malware Help (A Specialist Will Reply)' started by mrali20, Mar 22, 2005.

  1. mrali20

    mrali20 Private E-2

    I have read and followed the instructions on the Basic Spyware Tutorial. I attempted to complete the online virus scans but on both the Trend Micro's Free Online Scanner and the Symantec Security Check, about 16 Trojans were found but when I tried to clean them, it would not allow me to do so. All running programs were already closed so that was not an issue. Also, I proceeded to use the anti-spyware programs and all those seemed to work fine, except that SpyBot could not remove a Global Internet Money Search adware. I then tried to download HijackThis but every time I tried to unzip the zip file, the folder which I unzipped them to was empty. I followed the instructions on the HijackThis tutorial and created its own folder and it still did not work. I also tried downloading the .exe file directly from merijn but when I tried to run it, I received a message that the file had been renamed, deleted or moved. Also, I downloaded StartUpList and have a list of files and processes that run upon startup because my computer has been extremely slow as of late. I have the startuplist text available if anyone would like me to paste it in a thread. Any help anyone can give me to help out my computer would be very much appreciated!! Thank you.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run the online scans in safe mode?
    What OS do you have and what program are you using to unzip HijackThis? You need to make sure you are unzipping to the folder that you think. Many times the unzipping could be defaulting to a temp folder somewhere. Are you sure you selected Extract?

    You could have a piece of malware blocking your use of HijackThis. Try downloading the hijackthis.exe file from Merijn again. But do not run until you first rename it to myhjt.com. See if that works. If so, post a log. Otherwise post your StartupList log (as an attachment please! Do not paste it into the thread!).
     
  3. mrali20

    mrali20 Private E-2

    Yes, I did run the online scans in safe mode. I have Windows XP Professional and I am using WinZip to unzip HijackThis. I double checked the unzipping folder and it was correct. I was also sure to select extract. I tried your suggestion of changing the file name but once again when I tried to run it, it said the file did not exist and was renamed, moved or deleted. I am attaching my startuplist log as an attachment. Thanks for your continued support.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hopefully you can run Task Manager. If so, use it to end the following processes (just the .exe part of the file name will show - like stcur.exe):

    C:\WINDOWS\System32\msupd6.exe
    C:\WINDOWS\msagent\CHARS\crmc.exe
    C:\WINDOWS\System32\stcur.exe
    C:\WINDOWS\System32\stcur.exe
    C:\WINDOWS\System32\stcur.exe
    C:\WINDOWS\System32\uzocmjse.exe
    C:\WINDOWS\System32\ebbuaevj.exe

    Now try to run HijackThis! And post a log if possible.
     
  5. mrali20

    mrali20 Private E-2

    Still no luck. I tried to stop all the processes you suggested but every time I tried to close crmc.exe it would keep on popping up. I tried to keep on ending the process many times but it kept coming back. It would leave for a few moments and then I'd try to download the file but still no luck. I am using Firefox as my browser if that makes any difference.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No browsers should be open when doing this! Did any of the process end? If so, which ones?
     
  7. mrali20

    mrali20 Private E-2

    Even with the browser closed, crmc.exe still popped up. It disappeared for a bit but I still had no luck with the HijackThis file. All the other processes closed without a problem.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try the following. Make sure you report back on all results.

    Look in Add/Remove programs for the below and uninstall them if found:
    CasinoOnline
    WeatherBug

    Make sure you have enabled viewing of hidden files and unchecked the Hide extensions for known file type option as mentioned in step 3 of the READ ME FIRST.

    Physically disconnect from the Internet now (unplug your cable) and Exit all browsers.

    Click Start > Run > type services.msc and Click OK

    Locate a seemingly randomly named service that also contains (MsUpdate6) as part of the name and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    If you have the correct service you will see a reference to the following file in the Path to executable box: C:\WINDOWS\system32\msupd6.exe

    Now boot into safe mode with no network connection

    Run Task Manager and end any of the following if found (if they do not end just continue):
    C:\WINDOWS\System32\msupd6.exe
    C:\WINDOWS\msagent\CHARS\crmc.exe
    C:\WINDOWS\System32\stcur.exe
    C:\WINDOWS\System32\stcur.exe
    C:\WINDOWS\System32\stcur.exe
    C:\WINDOWS\System32\uzocmjse.exe
    C:\WINDOWS\System32\ebbuaevj.exe

    Exit Task Manager!

    Run Windows Explorer. Find and delete the following:
    C:\WINDOWS\System32\msupd6.exe
    C:\WINDOWS\msagent\CHARS\crmc.exe
    C:\WINDOWS\System32\stcur.exe
    C:\WINDOWS\System32\uzocmjse.exe
    C:\WINDOWS\System32\ebbuaevj.exe
    C:\WINDOWS\Config\abrsrv.exe
    C:\WINDOWS\System32\sesask.exe
    C:\WINDOWS\System32\qsykgzfd.dll
    C:\Documents and Settings\alir\Local Settings\Temp\cmrc.dat
    C:\WINDOWS\System32\bzimqqfg.dll
    C:\WINDOWS\System32\nbymdgvp.dll

    Let me know which ones you find and can delete. Also which ones were not found, and which ones were found but could not be deleted. If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

    Try running HijackThis in safe mode. Save a log if you can.

    Now reboot normal mode and reconnect your cable. See if you can run HJT now and save a second log from normal boot mode. Post both logs as attachments when you come back.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I should have noted that you will need to print or save my previous instructions locally since you will be offline and disconnected while running them. It should be obvious but I usually mention it.

    Also when you come back run the below tool and let me know if it reports anything:

    Symantec's new removal tool: Symantec Trojan.Vundo Removal Tool

    I believe you have this problem present!
     
  10. mrali20

    mrali20 Private E-2

    I tried step one of your suggestion and while I did not find a CasinoOnline I did find WeatherBug. When I tried to uninstall Weatherbug I got the following error message: "Windows cannot find 'unwise.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the start button and then click search."

    I figured I should let you know about this before I follow through with the rest of your suggestions. Thanks for your continued patience with this.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's okay! If you have not started the steps yet! Run message number 9 first. And report. Then run message number 8's steps.
     
  12. mrali20

    mrali20 Private E-2

    I ran the Symantec Vundo remover after disconnecting from the internet but after the scan was completed it said that the Trojan Vundo was not found on my computer. I found this odd because I seem to recall that this specific trojan appeared while doing the Trend Micro online scan. Please advise what to do from here. Note: I have not done the instructions in message 8 yet and will not do so until further communication. I also have a log from the FixVundo scan if you would like me to attach that to my next post.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes continue with message # 8. Sometimes the Symantec tool does not find or fix the problems even though they are there. We may have some work cut out for us as these can be quite annoying to remove. Time for me to get some sleep. I'll get back to you tomorrow. Let me know the results of executing the steps in msg # 8.
     
  14. mrali20

    mrali20 Private E-2

    I performed all I could from message 8. The results of which are posted below.

    Look in Add/Remove programs for the below and uninstall them if found:
    CasinoOnline (not found)
    WeatherBug (found but not removed)
    (I was unable to do this because of previous error alert)

    Locate a seemingly randomly named service that also contains (MsUpdate6) as part of the name and RightClick on it to bring up the Service Properties Window. (not found)

    Run Task Manager and end any of the following if found (if they do not end just continue):
    C:\WINDOWS\System32\msupd6.exe (not found)
    C:\WINDOWS\msagent\CHARS\crmc.exe (ended and did not seem to come back)
    C:\WINDOWS\System32\stcur.exe (not found)
    C:\WINDOWS\System32\stcur.exe (not found)
    C:\WINDOWS\System32\stcur.exe (not found)
    C:\WINDOWS\System32\uzocmjse.exe (not found)
    C:\WINDOWS\System32\ebbuaevj.exe (not found)

    Run Windows Explorer. Find and delete the following:
    C:\WINDOWS\System32\msupd6.exe (found and deleted)
    C:\WINDOWS\msagent\CHARS\crmc.exe (not found)
    C:\WINDOWS\System32\stcur.exe (found and deleted)
    C:\WINDOWS\System32\uzocmjse.exe (found and deleted)
    C:\WINDOWS\System32\ebbuaevj.exe (found and deleted)
    C:\WINDOWS\Config\abrsrv.exe (not found)
    C:\WINDOWS\System32\sesask.exe (not found)
    C:\WINDOWS\System32\qsykgzfd.dll (found and deleted)
    C:\Documents and Settings\alir\Local Settings\Temp\cmrc.dat (not found)
    C:\WINDOWS\System32\bzimqqfg.dll (found and deleted)
    C:\WINDOWS\System32\nbymdgvp.dll (found and deleted)

    Try running HijackThis in safe mode. Save a log if you can. (HijackThis finally worked in safe mode and a log is attached!)

    Now reboot normal mode and reconnect your cable. See if you can run HJT now and save a second log from normal boot mode. Post both logs as attachments when you come back. (Unfortunately the success was short-lived because the .exe file for HijackThis disappeared when I came back to normal mode. The safe mode log is attached.)

    I'm also going to get some sleep right now. Thanks again for all your help and I'll be back on the forum tomorrow night and any more help you could offer me would be wonderful.
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Some more of your problems are now showing. You have a combination of some nasty stuff in here. One is Stopguard/Virtumondo as mentioned already and you also have a new form of the about:blank hijacker (the se.dll type). To top it off you have a bunch of items classified as unknown trojans and some bad Browser Helper Objects.

    I think we are going to have a difficult time repairing this because your OS and IE are severely out of date. In addition you do not appear to have an antivirus application or a firewall installed which makes it even more difficult. We have to hold off on doing Windows Updates right now as it is not a good idea to try certain updates while infected. But please go to this next thread below and install an antivirus application (try Avast) and a firewall (try ZoneAlarmFree).

    How to Protect yourself from malware!

    Let me know when you complete that or if you have any problems trying to do that.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also do the below after completing my previous message.


    1) go here and download Registrar lite and install it: http://www.majorgeeks.com/download469.html
    2) Run it, copy and paste this line to reglite's address bar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    3) Click the "go" tab
    4) Find: "AppInit_Dlls" value on the right side panel.
    5) DoubleClick on AppInit_Dlls and tell me exactly what you see in the Value field:
     
  17. mrali20

    mrali20 Private E-2

    I downloaded both Avast and ZoneAlarm and they are up and operational. I also downloaded the Registrar program, followed your instructions and here is what I found in the value field: C:\WINDOWS\System32\mshdgm.dll

    I feel like the first steps toward a fully functioning computer have been made! Hopefully a virus-free and spyware-free computer is in the makings. Thanks for any continued help!
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay do the following:

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINDOWS\System32\mshdgm.dll
    then click OK. If a dialog box confirming this action appears, click OK.

    Run Registrar Lite again but this time do the following:
    - copy the following into the address bar or expand the same key by hand:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    - Rename the Folder Windows to NotWindows (in the left hand pane of reglite)
    - Double Click "AppInit_DLLs" again and clear the data value:
    C:\WINDOWS\System32\mshdgm.dll < delete this line , 'Apply' and 'ok' to set.
    - Rename the NotWindows folder back to its original name Windows

    Now just to be sure, exit Registrar Lite and then restart it and look at that same registry key now. Is it blank?

    If so, see if you can delete the C:\WINDOWS\System32\mshdgm.dll file.

    Now post a new HJT log, and do not reboot your PC after this.
     
  19. mrali20

    mrali20 Private E-2

    I tried your suggestion but for the first part I received the following error message: LoadLibrary("C:\Windows/System32/mshdgm.dll") failed - The specified module could not be found.

    Because of this message I did not proceed with the rest of your recommendations.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's okay! Continue with the other steps! And tell me the results.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What's happening.....? Did you run into some kind of problem? It should not be taking this long to complete those few steps. Hopefully you just took a food break! ;)
     
  22. mrali20

    mrali20 Private E-2

    Haha.. actually just stepped outside for a bit but I completed all your steps. I was able to clear the data value and it stayed clear even after reopening the application. I was not able to find the file to delete it however. HijackThis did work and I saved a logfile!! It is attached to this post.
     


  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ezfastsearch.com/index2.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\alir\LOCALS~1\Temp\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\alir\LOCALS~1\Temp\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {47B1991F-7BFC-E0B8-A7B2-89D8FBF660BB} - C:\WINDOWS\System32\qsykgzfd.dll (file missing)
    O2 - BHO: (no name) - {710AFDA5-A01F-45E3-AE0E-CECA42EEEE57} - (no file)
    O2 - BHO: (no name) - {B0A388D4-0DB0-C97A-8EC5-61D3C95B7D47} - C:\WINDOWS\System32\bzimqqfg.dll (file missing)
    O2 - BHO: (no name) - {C5621C16-3D79-4993-BC8F-25E7F75A6DA9} - C:\WINDOWS\System32\pambdab.dll
    O2 - BHO: (no name) - {EB04333C-9B8F-B176-783F-8984A66D18D6} - C:\WINDOWS\System32\nbymdgvp.dll (file missing)
    O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
    O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
    O4 - HKLM\..\Run: [p4mX37l] stcur.exe
    O4 - HKLM\..\Run: [AutoLoaderpz5r1JYTXJIX] "C:\WINDOWS\System32\stcur.exe" /HideDir /HideUninstall /PC="CP.FHB" /ShowLegalNote="nonbranded"
    O4 - HKLM\..\Run: [AutoLoaderpz5d1JYTXJIX] "C:\WINDOWS\System32\stcur.exe"
    O4 - HKLM\..\Run: [uzocmjse] C:\WINDOWS\System32\uzocmjse.exe
    O4 - HKLM\..\Run: [ebbuaevj] C:\WINDOWS\System32\ebbuaevj.exe
    O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\alir\LOCALS~1\Temp\se.dll,DllInstall
    O4 - HKCU\..\Run: [Y357RXJ7g] sesask.exe
    O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab?
    O18 - Filter: text/html - {FB7A7C23-6994-4A1A-85B4-1AB24EA72BF0} - C:\WINDOWS\System32\pambdab.dll
    O18 - Filter: text/plain - {FB7A7C23-6994-4A1A-85B4-1AB24EA72BF0} - C:\WINDOWS\System32\pambdab.dll
    O23 - Service: mbwjkuishveq (MsUpdate6) - Unknown owner - C:\WINDOWS\System32\msupd6.exe (file missing)
    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\CasinoOnline <--- the whole folder
    C:\Program Files\CSBB <--- the whole folder
    C:\WINDOWS\System32\stcur.exe
    C:\WINDOWS\System32\uzocmjse.exe
    C:\WINDOWS\System32\ebbuaevj.exe
    C:\WINDOWS\System32\sesask.exe
    C:\Documents and Settings\alir\Local Settings\Temp\se.dll
    C:\WINDOWS\System32\pambdab.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file. Tell me how these deletions go!!!!

    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Please run HijackThis click on the "Open the Misc Tools Section" button on the open page. Then select "Delete an NT service" on the left-hand side. A "Delete a Windows NT Service" window will pop up. Try entering the following into the box and then click OK:

    mbwjkuishveq

    If that does not work try entering the short name: MsUpdate6

    Now reboot in normal mode and post a new HJT log. And get ready for a lot of work ahead of you to cleanup the pile of Virtumundo problems. That's our next step assuming the above all worked properly.
     
    Last edited: Mar 24, 2005
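The HijackThis lines chaslang selects above are the raw material for a triage decision. As an added Python example (not part of the thread and not HijackThis code), the script below parses HJT-style log lines and scores the signals the thread relies on: an entry whose file is reported missing, a binary loaded from a Temp folder, an IE search setting pointing at about:blank or a res:// page, a Run value naming a bare .exe with no path, and a random-looking file or service name. The sample log is constructed: most lines are copied from the log quoted above, and the NvCplDaemon and avast! lines are made-up benign entries added as controls.

```python
import re
from dataclasses import dataclass, field

# Constructed sample. All lines except NvCplDaemon and avast! come from the
# HijackThis log quoted in the thread; those two are made-up benign controls.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\alir\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {47B1991F-7BFC-E0B8-A7B2-89D8FBF660BB} - C:\WINDOWS\System32\qsykgzfd.dll (file missing)
O2 - BHO: (no name) - {C5621C16-3D79-4993-BC8F-25E7F75A6DA9} - C:\WINDOWS\System32\pambdab.dll
O4 - HKLM\..\Run: [uzocmjse] C:\WINDOWS\System32\uzocmjse.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\alir\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [Y357RXJ7g] sesask.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O18 - Filter: text/html - {FB7A7C23-6994-4A1A-85B4-1AB24EA72BF0} - C:\WINDOWS\System32\pambdab.dll
O23 - Service: mbwjkuishveq (MsUpdate6) - Unknown owner - C:\WINDOWS\System32\msupd6.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Weights are an assumption for this example: the three strong signals are the
# ones the thread acts on directly; the name heuristics only add a hint.
WEIGHTS = {"orphan": 3, "search_hijack": 3, "temp_path": 3, "bare_exe": 1, "random_name": 1}
VOWELS = set("aeiou")
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys|com)\b", re.IGNORECASE)
BARE_EXE_RE = re.compile(r"\]\s+([A-Za-z0-9_]+\.exe)\s*$", re.IGNORECASE)
SERVICE_RE = re.compile(r"^O23 - Service: (\S+)")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)

    @property
    def score(self):
        return sum(WEIGHTS[r] for r in self.reasons)


def looks_random(stem):
    """Weak signal: 6+ lowercase letters that are vowel-poor or have a 4+ consonant run."""
    if len(stem) < 6 or not stem.isalpha() or not stem.islower():
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", stem)), default=0)
    return vowel_ratio < 0.3 or longest_run >= 4


def analyse_line(line):
    f = Finding(line)
    if "(file missing)" in line or "(no file)" in line:
        f.reasons.append("orphan")            # registry still points at a deleted file
    if line.startswith(("R0", "R1")) and ("about:blank" in line or "res://" in line):
        f.reasons.append("search_hijack")     # the about:blank / se.dll search hijack
    m = PATH_RE.search(line)
    path = m.group(0) if m else None
    if path and re.search(r"\\temp\\", path, re.IGNORECASE):
        f.reasons.append("temp_path")         # nothing legitimate autostarts from Temp
    if line.startswith("O4"):
        bm = BARE_EXE_RE.search(line)
        if bm:
            f.reasons.append("bare_exe")      # Run value with a file name but no path
            path = bm.group(1)
    names = []
    if path:
        names.append(path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0])
    sm = SERVICE_RE.match(line)
    if sm:
        names.append(sm.group(1))             # O23 service name, e.g. mbwjkuishveq
    if any(looks_random(n) for n in names):
        f.reasons.append("random_name")
    return f


def triage(log_text):
    """Return only the lines that raised at least one signal, highest score first."""
    findings = [analyse_line(l.strip()) for l in log_text.splitlines() if l.strip()]
    return sorted((f for f in findings if f.reasons), key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.score:>2}  {', '.join(f.reasons):<26} {f.line[:90]}")
```

The name heuristic is deliberately weighted low: it catches qsykgzfd and mbwjkuishveq but not sesask or ebbuaevj, and it would also fire on ordinary lowercase names such as ctfmon, so a score of 1 is a prompt to look closer, not a verdict. The two benign controls produce no findings at all.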
  24. mrali20

    mrali20 Private E-2

    I followed your instructions for the first part but had a few questions before proceeding. I followed your suggestion to go to "open the Misc Tools Section", selected "Open process manager" on the left-hand side. However, none of the processes you suggested were in the list when I looked. They were in a different format. The ones you suggested I end are on the main list page where I am given an option to check the box beside them and click fix selected. Am I looking for certain parts of the names in the processes or should I just click beside the entries and click 'fix selected'?
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    My fault! Hang on a second I'll correct that line. The directions are wrong!
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Read it through now to make sure you follow all of it. It is best if you stay offline and do not run any browsers while doing these steps until the end for a post of your new log.
     
  27. mrali20

    mrali20 Private E-2

    Everything worked except that C:\Program Files\CSBB <--- the whole folder is the only folder/file I could find or delete in safe mode. However, I have encountered a new problem in that my internet would not reconnect once I got back into normal mode. I am currently typing this from my roommate's computer who is connected through the same router and I have tried a different ethernet cord and also reconnected the wires several times and tried different slots on the router. I think perhaps something happened when we reset the internet options. It keeps saying the network cable is unplugged even when it is plugged in. Also the light on the back of my computer by the ethernet card is out when the cable is plugged in. Any help you could give me on this would be much appreciated so we can continue with the fix. Thanks!
     
  28. mrali20

    mrali20 Private E-2

    I managed to run a Hijack scan, save it to disk and upload to the website through my roommate's computer. It is attached. Good night and I'll talk to you tomorrow.
     


  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please verify the following

    Right Click Start.
    Select Explore
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide extensions for known file types option.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Apply.
    Click OK.

    Let me know if those three items in bold were already set as above.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure why you cannot access the internet now. Reboot and try again. Do you see any error messages while booting?

    Perhaps one of the bad items we had to remove was somehow tied to internet access. But we still also have a bunch of bad stuff from Virtumundo to fix.

    Please do the below:

    1. At the command prompt, start your computer in Safe mode. To do this, follow these steps:
    a. Restart your computer.
    b. As your computer starts, press the F8 key repeatedly (one time per second).
    c. This will display the Microsoft Windows Advanced Startup Menu options.
    d. Use the UP ARROW and the DOWN ARROW keys to select Safe mode with Command Prompt, and then press ENTER.

    2. Click Start, click Run, type cmd, and then click OK.

    3. At the command prompt, type CD %windir%\system32\drivers, and then press ENTER.

    4. Type Dir /ah, and then press ENTER.

    Copy back here the list of files & dates you get. It will look something like:
    Code:
    Directory of C:\WINDOWS\system32\drivers

    01/11/2005  09:18 AM            13,824 gbqxmhia.sys
                   1 File(s)         13,824 bytes
                   0 Dir(s)     961,425,408 bytes free
    All I need are the complete lines that look like:
    Code:
    01/11/2005  09:18 AM            13,824 gbqxmhia.sys
     
  31. mrali20

    mrali20 Private E-2

    In the folder options everything was right except the "Uncheck the Hide protected operating system files (recommended) option." I have now unchecked this. Should I go back and do the steps you recommended before, prior to continuing with the new instructions? Still no internet access after rebooting.
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Now you see the need to be following directions properly? :) (I'm not yelling! I'm just making a point for everyone reading this thread.) This is why you have not been finding files all along and why I keep asking about viewing of hidden files.
     
    Last edited: Mar 24, 2005
  33. mrali20

    mrali20 Private E-2

    I followed your previous instructions with the proper boxes unchecked but still could not find any of the files in safe mode. I'm thinking perhaps they got deleted through some previous action we took? Anyhow, I followed your most recent suggestion and here are the results.

    02/05/2005 02:45 PM 13,824 mhvxtusx.sys
    03/23/2005 03:30 AM 13,824 ddihssju.sys
    03/11/2005 11:42 PM 13,824 .sys
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's do the below

    1. Click Start, click Run, type cmd, and then click OK.

    2. At the command prompt, type CD C:\windows\system32\drivers, and then press ENTER.

    3. Type Attrib -s -h mhvxtusx.sys and then press ENTER.

    4. Type Attrib -s -h ddihssju.sys and then press ENTER.

    5. Type Attrib -s -h .sys and then press ENTER.

    6. Type Ren mhvxtusx.sys mhvxtusx.old and then press ENTER. This renames the file.

    7. Type Ren ddihssju.sys ddihssju.old and then press ENTER. This renames the file.

    8. Type Ren .sys junk.old and then press ENTER. This renames the file.



    Now reboot your PC. And tell me if you are still having any problems and what they are.
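Messages 30, 33 and 34 above use `dir /ah` to expose hidden driver files and then `attrib`/`ren` to neutralise them. As an added Python example (not from the thread), the script below parses that `dir /ah` output, flags hidden .sys files on the two signals visible in the thread (a file with nothing before the extension, and several hidden drivers sharing one exact size, 13,824 bytes here), and emits the attrib/ren sequence in the form chaslang gave, so the file list and the commands can be checked against each other before anything is typed. The `dir` output is constructed to match the normal cmd.exe layout; the three file lines are the ones reported in message 33.

```python
import re
from collections import Counter

# Constructed sample of `dir /ah` output. The three file lines are the ones
# reported in the thread; the header and footer lines are made up.
SAMPLE_DIR_AH = r"""
 Volume in drive C has no label.
 Directory of C:\WINDOWS\system32\drivers

02/05/2005  02:45 PM            13,824 mhvxtusx.sys
03/23/2005  03:30 AM            13,824 ddihssju.sys
03/11/2005  11:42 PM            13,824 .sys
               3 File(s)         41,472 bytes
               0 Dir(s)     961,425,408 bytes free
"""

# One file line of cmd.exe `dir` output: date, time, size with thousands
# separators, then the name. Directory entries show <DIR> instead of a size
# and are deliberately not matched.
ENTRY_RE = re.compile(
    r"^\s*(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}\s+[AP]M)\s+"
    r"(?P<size>[\d,]+)\s+(?P<name>\S+)\s*$"
)


def parse_dir_ah(text):
    """Return [{'name', 'size', 'date'}] for every file line in the listing."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "name": m.group("name"),
                "size": int(m.group("size").replace(",", "")),
                "date": m.group("date"),
            })
    return entries


def flag_hidden_drivers(entries):
    """Every hidden .sys gets 'hidden_sys'; add the two extra signals where they apply."""
    sys_sizes = Counter(e["size"] for e in entries if e["name"].lower().endswith(".sys"))
    flagged = []
    for e in entries:
        name = e["name"]
        if not name.lower().endswith(".sys"):
            continue
        reasons = ["hidden_sys"]             # a hidden driver file is unusual by itself
        if name.startswith("."):
            reasons.append("empty_stem")      # the thread's bare ".sys"
        if sys_sizes[e["size"]] > 1:
            reasons.append("shared_size")     # several drops of one identical size
        flagged.append((name, reasons))
    return flagged


def remediation_commands(flagged, folder=r"C:\windows\system32\drivers"):
    """The attrib / ren sequence from the thread, generated from the flagged names."""
    cmds = [f"cd {folder}"]
    for name, _ in flagged:
        cmds.append(f"attrib -s -h {name}")   # clear system+hidden so ren will work
    for name, _ in flagged:
        stem = name[:-4] or "junk"             # ".sys" has no stem; the thread used junk.old
        cmds.append(f"ren {name} {stem}.old")
    return cmds


if __name__ == "__main__":
    found = parse_dir_ah(SAMPLE_DIR_AH)
    for name, reasons in flag_hidden_drivers(found):
        print(f"{name:<16} {', '.join(reasons)}")
    print()
    print("\n".join(remediation_commands(flag_hidden_drivers(found))))
```

Renaming rather than deleting keeps the files available for a later scan, which is also why the thread uses `ren`; the generated commands use plain ASCII hyphens for the `attrib` switches, since a dash pasted from a web page can be an en dash that cmd.exe does not accept.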
     
  35. mrali20

    mrali20 Private E-2

    I followed the instructions but after rebooting the computer I still get the computer icon in the tray with the x over it and when placing the mouse over the icon I get the message "A network cable is unplugged." I rechecked all the connections and everything is connected securely.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Look at the point where you plug the network cable into your PC. Are there any lights (LEDs)? There normally are. And one typically is labeled Link. When there is connectivity this will normally be green. If you unplug the cable and then plug in the cable, do you see any change in status of the LED when it is unplugged versus plugged in?
     
  37. mrali20

    mrali20 Private E-2

    The light is off when plugged and unplugged. When the internet worked the LED back there was green when the cord was plugged in.
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then it sounds like one of a few things are wrong:

    1) the other end of your cable is not plugged into anything or it is plugged into a piece of equipment where you need a crossover cable to talk properly

    2) or you are using a crossover cable and should not be

    3) your Network Interface Card (NIC) is not functioning. Look in Device Manager to see that your device is correctly configured and the drivers are loading
     
  39. mrali20

    mrali20 Private E-2

    I don't believe there is anything wrong with the connection since I have been using the same configuration for several months and it has worked fine. When I looked in device manager I found two drivers under the subheading Network Adapters. My NIC card was working properly and the second driver (WAN Network Driver) had an X over it.
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you saying there are two NIC interfaces in your PC? Are you sure you plugged yourself back into the correct one?

    If you double click on the one with an X, what does the Device status box have in it?
    And also what does the Device usage: box at the bottom say?
     
  41. mrali20

    mrali20 Private E-2

    There is only one NIC interface on the back of my computer. The WAN Network Driver is disabled. It is the driver installed by AOL and I no longer use AOL. My ISP told me to disable the driver previously. Even so, just to check, I enabled it just now and nothing changed as far as connectivity (still disconnected). I could just keep on proceeding with the fix and talk to my ISP technicians tomorrow and see if they can help me get it up and running.
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have ADSL or Cable? You said you were using your roommate's PC before. Does their PC work if you plug this same cable into it? Does their NIC card LED come on? I know earlier you said you were using a router but you also said something about changing the NIC card. Are you sure this NIC card is good?

    Doing a Reset of Web Settings like we did earlier will not impact your physical connectivity. If your LED is not coming on then as I said before, your NIC card is bad, the cable you are using is bad or is a crossover. It could also be the port on your router but you did say you swapped ports.

    If your roommate's PC works, this problem is not related to your ISP.
     
  43. mrali20

    mrali20 Private E-2

    I finally got the internet back on my computer!! Turns out the card was messed up and I just installed a new one and I'm up and running again. If you could help me continue with the fix on my computer whenever you can I would really appreciate it. Thank you.
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! But update me on your current status! What problems are you having?
     
  45. mrali20

    mrali20 Private E-2

    I was just going off of what you had told me before. Should I post a new Hijack log?
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That would be a good idea and also tell me of any apparent problems that you have?
     
  47. mrali20

    mrali20 Private E-2

    The problems I have are that the computer is very slow starting up and also very slow when starting applications such as browsers and MS Word.
     


  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have a preference for which antivirus program to keep? Avast4 or AVPersonal?
    You need to uninstall one of them now!
     
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Step 1:

    Look in this folder C:\WINDOWS\msagent\CHARS for all filenames beginning with crmc or cmrc (any of the following file name extensions may be found: .ini, .exe, .dat, .bak, etc...). Delete what you can.

    You should also run a search of your machine for crmc and cmrc and see where else they may be hiding out (Prefetch folder, etc...) and try to remove them. Make sure you set up Windows search properly. See my instructions below:

    Configuring Win Xp Search:
    Click Search and then select "All files and folders"
    Enter the filename in the "All or part of the file name:" box, so enter crmc (without the extension so you get all matches)
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders

    Then click the Search button. Write down all filenames with full path info that you find matching. For example the below are fullpath and filenames:
    C:\Documents and Settings\alir\Local Settings\Temp\cmrc.dat
    C:\WINDOWS\msagent\CHARS\crmc.exe

    Now repeat the search using cmrc.

    Now repeat all of the above while looking for the below:
    abrsrv.exe and .ini, .dat, .bak, etc also look for vrsrba
    baknut.exe and .ini, .dat, .bak, etc also look for tunkab
    mp3tcp.exe and .ini, .dat, .bak, etc also look for pct3pm
    vssras.exe and .ini, .dat, .bak, etc also look for sarssv

    Report back everything that you find for all of the above. I know this is a lot of work, but this is the only way to remove this stuff when tools like the Symantec scan do not work. And if you do not get all of it, it spreads and can get worse.

    NOW:
    Copy and paste the information below to Notepad. Save it to your Desktop as type "all files" and name it fixmundo.reg. We will use this later, so just save it for now.


    NEXT:
    Make sure you are completely disconnected from the Internet.

    Then, run CCleaner that you installed while running the READ ME FIRST.

    Then double-click on the fixmundo.reg file you made and follow the prompts to allow it to add entries into the registry.

    Please boot to Safe Mode.

    Open a command prompt by clicking Start, Run, and enter cmd and click OK.
    Please enter the following lines in the command prompt window and follow each with the enter key (at any prompts you get just answer yes! Make sure you enter the commands correctly, don't miss the spaces):

    cacls C:\WINDOWS\msagent\CHARS\crmc.exe /g Everyone:f
    cd C:\WINDOWS\msagent\CHARS
    attrib -r -h -s crmc.exe
    del crmc.exe

    cacls C:\WINDOWS\Config\abrsrv.exe /g Everyone:f
    cd C:\WINDOWS\Config
    attrib -r -h -s abrsrv.exe
    del abrsrv.exe

    cacls C:\WINDOWS\AppPatch\baknut.exe /g Everyone:f
    cd C:\WINDOWS\AppPatch
    attrib -r -h -s baknut.exe
    del baknut.exe

    cacls C:\WINDOWS\Drivers\mp3tcp.exe /g Everyone:f
    cd C:\WINDOWS\Drivers
    attrib -r -h -s mp3tcp.exe
    del mp3tcp.exe

    cacls C:\WINDOWS\addins\vssras.exe /g Everyone:f
    cd C:\WINDOWS\addins
    attrib -r -h -s vssras.exe
    del vssras.exe

    exit

    The exit command will close the command prompt window!

    Empty your Recycle Bin and your C:\windows\Prefetch folder.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: CATLEvents Object - {73529697-D46A-4F7D-8A93-01378FCAEDA4} - C:\DOCUME~1\alir\LOCALS~1\Temp\cmrc.dat (file missing)
    O4 - HKLM\..\Run: [abrsrv] C:\WINDOWS\Config\abrsrv.exe
    O4 - HKLM\..\Run: [*abrsrv] C:\WINDOWS\Config\abrsrv.exe
    O4 - HKLM\..\Run: [*baknut] C:\WINDOWS\AppPatch\baknut.exe
    O4 - HKLM\..\Run: [*mp3tcp] C:\WINDOWS\Drivers\mp3tcp.exe
    O4 - HKLM\..\Run: [vssras] C:\WINDOWS\addins\vssras.exe
    O4 - HKLM\..\Run: [*crmc] C:\WINDOWS\msagent\CHARS\crmc.exe

    After clicking Fix, exit HJT.

    Reboot to normal windows and tell me how things went. If you received any error messages along the way, let me know!
    Post a new HJT log.
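    The file search and HijackThis review described in the post above, automated as an added example (this is not code from the thread or from MajorGeeks). It takes the five stems named in the post and derives their reversed spellings (crmc/cmrc, abrsrv/vrsrba, baknut/tunkab, mp3tcp/pct3pm, vssras/sarssv), walks a directory tree for any file whose name starts with one of them regardless of extension, and flags O2/O4 log lines that point at such a file. The directory layout, the Prefetch hash suffix and the log excerpt are constructed sample data, and the `find_matches`, `flag_hjt_lines` and `demo` function names are this example's own.

```python
"""Added example (not from the thread): automate the search described above.

Builds the watchlist from the stems in the post and their reversed spellings,
walks a directory tree for files whose name starts with one of them (any
extension), and flags HijackThis O2/O4 lines that point at such a file.
All sample data below is constructed for the demo.
"""
import os
import re
import ntpath
import tempfile
from pathlib import Path

# Stems taken from the post; each reversed spelling is derived automatically.
BASE_STEMS = ["crmc", "abrsrv", "baknut", "mp3tcp", "vssras"]


def watchlist(stems=BASE_STEMS):
    """Lowercase stems to look for, each together with its reversal."""
    names = set()
    for s in stems:
        names.add(s.lower())
        names.add(s.lower()[::-1])
    return names


def _stem_matches(filename, wanted):
    """True if the part of the name before the first '.' or '-' is on the list.
    This catches crmc.exe, cmrc.dat, pct3pm.tmp and also Prefetch entries,
    which Windows names like CRMC.EXE-<hash>.pf."""
    head = re.split(r"[.\-]", filename.lower(), maxsplit=1)[0]
    return head in wanted


def find_matches(root, stems=BASE_STEMS):
    """Walk `root` and return sorted full paths of matching files.
    os.walk does not skip hidden or system files, which mirrors the
    'Search hidden files and folders' / 'Search system folders' options."""
    wanted = watchlist(stems)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if _stem_matches(name, wanted):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


# Captures the drive-letter path at the end of an O2/O4 line, ignoring a
# trailing "(file missing)" marker.
_HJT_PATH = re.compile(r"([A-Za-z]:\\.*?\.[A-Za-z0-9]{1,4})(?:\s+\(file missing\))?\s*$")


def flag_hjt_lines(log_lines, stems=BASE_STEMS):
    """Return (line, path) pairs for O2/O4 entries whose target is on the watchlist."""
    wanted = watchlist(stems)
    flagged = []
    for raw in log_lines:
        line = raw.strip()
        if not line.startswith(("O2 ", "O4 ")):
            continue
        m = _HJT_PATH.search(line)
        if m and _stem_matches(ntpath.basename(m.group(1)), wanted):
            flagged.append((line, m.group(1)))
    return flagged


# Constructed HJT excerpt: three lines modelled on the post plus one benign entry.
SAMPLE_HJT = r"""
O2 - BHO: CATLEvents Object - {73529697-D46A-4F7D-8A93-01378FCAEDA4} - C:\DOCUME~1\alir\LOCALS~1\Temp\cmrc.dat (file missing)
O4 - HKLM\..\Run: [abrsrv] C:\WINDOWS\Config\abrsrv.exe
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [*mp3tcp] C:\WINDOWS\Drivers\mp3tcp.exe
""".strip().splitlines()


def build_demo_tree(root):
    """Create a constructed directory layout mirroring the paths in the thread
    (the Prefetch hash suffix is made up)."""
    layout = [
        "WINDOWS/msagent/CHARS/crmc.exe",
        "WINDOWS/Prefetch/CRMC.EXE-1A2B3C4D.pf",
        "Documents and Settings/alir/Local Settings/Temp/cmrc.dat",
        "WINDOWS/DRIVERS/pct3pm.tmp",
        "WINDOWS/system32/notepad.exe",   # benign, must not be reported
    ]
    for rel in layout:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"placeholder")


def demo():
    """Run both checks on the constructed data; returns plain values."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        found = [os.path.relpath(p, root).replace(os.sep, "/") for p in find_matches(root)]
    flagged = [path for _line, path in flag_hjt_lines(SAMPLE_HJT)]
    return {"found": found, "flagged": flagged}


if __name__ == "__main__":
    for key, values in demo().items():
        print(key)
        for v in values:
            print("  ", v)
```

    Run it against a real drive root instead of the temporary tree to get the full-path list the post asks for; matching on the name prefix rather than the whole name is what picks up the Prefetch entry alongside the .exe, .ini, .dat and .bak variants.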
     
  50. mrali20

    mrali20 Private E-2

    I followed your instructions and here are the results:

    While doing the searches I found and deleted the following two files:
    C:\WINDOWS\Prefetch (crmc.exe)
    C:\WINDOWS\DRIVERS (pct3pm.tmp)

    The registry entry worked fine.

    The command prompts had some problems however. When I gave the initial command (cacls....) the error message I received was "The Cacls command can be run only on disk drives that use the NTFS file system." I received this error message for each set of command prompts. Also, when I tried to follow the next steps for each set of prompts the files could not be found and thus not be deleted.

    I ran hijackthis in safe mode and successfully fixed all the lines you asked me to.

    I have rebooted into normal mode and a hijackthis log is attached. The computer is still very slow in booting up.
     

    Attached Files:

