Still in trouble?

Discussion in 'Malware Help (A Specialist Will Reply)' started by quaudiophiliac, Jan 8, 2006.

  1. quaudiophiliac

    quaudiophiliac Private E-2

    Hi there,

    First of all, thanks a lot for the great malware removal list! I'm not a complete computer idiot, but I have been struggling with trojans for some time now and these instructions offer a great strategy for removing them.

    I have followed all the instructions from step 0-7 (and I think almost every program found some infection and removed it) and also did everything from step 9 to keep my computer safe and secure. My computer seems to run okay now, but the online scans still found some problems, see attached logs. I also attached the HijackThis log. Can you guys tell me if I'm still in trouble and if I am, how to fix it??

    I have also installed Sygate Personal Firewall, but now I get messages now and then that Generic Host Process for Win32 services, NT Kernel & System and NDIS User Mode I/O Driver are blocked. Do I have to allow these or not and how can I do that??

    A little question that has nothing to do with the malware but is quite annoying: when using my mouse to scroll, the scrolling is not smooth at all. Does anybody know how to fix this?

    Thanks for all the help in advance,
    Music Mike
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MGs!

    Please remember to post HJT logs from normal boot mode as indicated in the READ ME. Yours was obtained in safe mode. I will give you some things to fix below, but they may not find everything or be correct (so I have to make some assumptions) because of the safe mode log.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Microsoft Windows Update (if that is not found, look for the short name: Windows Update)... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above stop and disable for the following service: sdktemp

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Microsoft Windows Update

    If that does not work, use the short name: Windows Update

    Now repeat the Delete NT Service steps for: sdktemp

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then clicking "Kill process". Then click yes. (You may not find these processes after doing the above steps, and also since your log was from safe mode):
    C:\windows\system32\wfctqda.exe
    C:\WINDOWS\system32\msnchecker.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [Win Prosess0r] wfctqda.exe
    O4 - HKLM\..\Run: [MSN Checker] msnchecker.exe
    O4 - HKLM\..\RunServices: [Win Prosess0r] wfctqda.exe
    O4 - HKLM\..\RunServices: [MSN Checker] msnchecker.exe
    O4 - HKCU\..\Run: [MSN Checker] msnchecker.exe
    O4 - HKCU\..\RunServices: [MSN Checker] msnchecker.exe
    O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\axdcfasb.exe (file missing)
    O23 - Service: Microsoft Windows Update (Windows Update) - Unknown owner - C:\WINDOWS\winupdate32.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\axdcfasb.exe
    C:\WINDOWS\winupdate32.exe
    C:\windows\system32\wfctqda.exe
    C:\WINDOWS\system32\msnchecker.exe
    C:\WINDOWS\system32\eraseme_31273.exe
    C:\WINDOWS\system32\TFTP2116

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
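As an added illustration (not code from the thread or from HijackThis), the following Python parses the O4 autorun and O23 service lines chaslang listed and turns them into the same ordered plan his post gives: services stopped and disabled then deleted, autorun processes killed and their HJT lines fixed, and the files deleted afterwards from safe mode. The sample lines are copied from the post; the step wording and the assumption that bare O4 command names need a manual path lookup are my own.

```python
import re

# Constructed sample input: the O4/O23 lines from the fix list above, as HJT prints them.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Win Prosess0r] wfctqda.exe
O4 - HKLM\..\RunServices: [Win Prosess0r] wfctqda.exe
O4 - HKCU\..\Run: [MSN Checker] msnchecker.exe
O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\axdcfasb.exe (file missing)
O23 - Service: Microsoft Windows Update (Windows Update) - Unknown owner - C:\WINDOWS\winupdate32.exe (file missing)
""".strip().splitlines()

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>[^()]+?)(?: \((?P<short>[^)]+)\))? - "
                    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")

def parse_line(line):
    """Return a dict for an O4 autorun or O23 service line, None for anything else."""
    m = O4_RE.match(line)
    if m:
        return {"kind": "O4", **m.groupdict()}
    m = O23_RE.match(line)
    if m:
        d = m.groupdict()
        d["missing"] = d["missing"] is not None   # "(file missing)" suffix present
        return {"kind": "O23", **d}
    return None

def cleanup_plan(lines):
    """Order the steps the way the post does: services first (stop/disable, delete the
    NT service), then kill and fix the O4 autoruns, then delete the files from safe mode."""
    entries = [e for e in map(parse_line, lines) if e]
    steps, files, killed = [], [], set()
    for e in entries:
        if e["kind"] == "O23":
            name = e["short"] or e["display"]        # services.msc shows the short name
            steps.append(f"services.msc: stop '{name}' and set Startup Type to Disabled")
            steps.append(f"HJT > Delete an NT Service: {e['display']}")
            if e["path"] not in files:
                files.append(e["path"])
    for e in entries:
        if e["kind"] == "O4":
            if e["cmd"] not in killed:
                killed.add(e["cmd"]); steps.append(f"HJT process manager: kill {e['cmd']}")
            steps.append(f"HJT fix: O4 - {e['hive']}\\..\\{e['key']}: [{e['name']}] {e['cmd']}")
            # Assumption: bare names like wfctqda.exe carry no directory, so the real path
            # (system32 in this thread) must be read from the process manager before deleting.
            if e["cmd"] not in files:
                files.append(e["cmd"])
    return steps, files
```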

     
  3. quaudiophiliac

    quaudiophiliac Private E-2

    Thanks for the instructions and sorry for posting the HJT log from safe mode...

    After deleting the NT service for Windows Update and sdktemp I did not find the files concerning those services in the next steps. I did fix the first 6 lines you mentioned that appeared after the HJT scan session.

    The files you mentioned I should get rid of in safe mode using Explorer were not there, but I did see those files in the Prefetch folder (except the last one, tftp2116). I deleted all the files in the Prefetch folder and ran Ccleaner.

    I rebooted in normal mode and made a new HJT log. That one is attached to this message. Things seem to be working normally.

    Hope you can tell me if my problems are solved or that another thing needs to be done... Oh, and I was still wondering:

    I have installed Sygate Personal Firewall, but now I get messages now and then that Generic Host Process for Win32 services, NT Kernel & System and NDIS User Mode I/O Driver are blocked. Do I have to allow these or not and how can I do that??

    And the little question that has nothing to do with the malware but is quite annoying: when using my mouse to scroll, the scrolling is not smooth at all. Do you know how to fix this?

    Thanks again for the help!!
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can normally just block Generic Host Process from accessing the internet as it does not normally need access. And tell it to always do the same. If it keeps asking anyway, uninstall Sygate and use a better firewall like ZoneAlarm. It will configure more things automatically too. In addition Sygate is no longer in business since Symantec bought them out.

    You have a bigger issue to take care of than your mouse problems (not sure what that is... are you sure it is not the hardware itself? They do need cleaning periodically). The big problem you have is that your OS and IE versions are way out of date. Since your current log is actually clean, you need to do the below. The first step in the link is to go to Windows Update and get your updates.

    It is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
