Tenacious spyware - quicker to rebuild?

Discussion in 'Malware Help (A Specialist Will Reply)' started by krebbin, Aug 6, 2006.

  1. krebbin

    krebbin Private E-2

    Hi MG's

    First Jenson Button has just won his first F1 race - yay!

    Now this "friends" PC
    Registry is riddled with naughty web references, Winantispyware won't go away, nor Casino - all this after diligently following your Removal instructions.
    I attach relevant files, but am thinking a reformat and restore would be quicker, as this has taken 3 days of work:mad:

    Regards, Krebbin.
     

    Attached Files:

  2. krebbin

    krebbin Private E-2

    Panda file attached
    Seem to have lost bitdefender log:confused:
    x
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you know what the below is for?
    O4 - HKLM\..\Run: [MESB] C:\WINDOWS\System32\MESB.exe



    Start by downloading - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -


    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\xobglu16.dll
    C:\WINDOWS\xobglu32.dll
    c:\windows\system32\ojxbghi.exe
    c:\windows\system32\ojxbghi_nav.dat
    C:\WINDOWS\system32\ojxbghi.da
    C:\WINDOWS\system32\ojxbghi_nav.dat
    C:\WINDOWS\system32\ojxbghi_navps.dat
C:\WINDOWS\System32\EGDACCESS_1058.dll
C:\WINDOWS\System32\EGDACCESS_1065.dll
C:\WINDOWS\System32\EGDACCESS_1066.dll
C:\WINDOWS\System32\EGDACCESS_1068.dll

    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

After reboot locate the below folder and delete it if found:
    c:\program files\MailSkinner



    Now attach a new HJT log and tell me how the steps went.

Also download the new version of ShowNew (from the same link) and attach a new log from ShowNew.

    Make sure you tell me how things are working now!
     
  4. krebbin

    krebbin Private E-2

    Hi, and many thanks for your input:)

    the news:

Followed all instructions, only glitch was I didn't get the killbox message "PendingFileRenameOperations"

    The PC has loaded my browser cleanly, for the first time in days:) :)

    As requested I attach 2 new logs,

    Regards, Krebbin
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

You weren't supposed to! It happens sometimes though when malware interferes with the procedure. All I was saying there is that if you get the message, click OK (to close it) and continue. And then just let me know whether you got that message because it may be important info for later as to why Killbox may not have deleted something.

    What program is the below file from in your C drive root folder:

    spywar~1.txt 3 Aug 2006 4086 "spyware remover.txt"

    Just a note too that is important. While we are working on removing your malware, you must not install or run any other programs unless we request them. Do not run any other scans either (even if the program is already installed).

    Some of the malware that was in the previous fix is still present. The below is still in your HJT log:

    O4 - HKLM\..\Run: [ojxbghi] c:\windows\system32\ojxbghi.exe ojxbghi

    And the below files are still in your newfiles.txt log:

    C:\WINDOWS\system32\
    ojxbghi.dat 7 Aug 2006 5303 "ojxbghi.dat"
    ojxbgh~1.dat 29 Jul 2006 209776 "ojxbghi_nav.dat"
    ojxbgh~2.dat 7 Aug 2006 1101 "ojxbghi_navps.dat"

This means the fix did not work or something reloaded the files again. Do you see these files if you look for them with Windows Explorer? Look for:
    C:\WINDOWS\system32\ojxbghi.exe
    C:\WINDOWS\system32\ojxbghi.dat
    C:\WINDOWS\system32\ojxbghi_nav.dat
    C:\WINDOWS\system32\ojxbghi_navps.dat

    Also the below weird names showed up in your Temp folder:

    "C:\Documents and Settings\VICTORIA\Local Settings\Temp\"
    me_lca~1 7 Aug 2006 0 "me_LCaqXD1QHcsDhPM"
    me_mry~1 7 Aug 2006 0 "me_MRYVjc2JHGusE8A"
    me_qyf~1 7 Aug 2006 0 "me_qyFLd8pgwVtSFIk"
    me_siu~1 7 Aug 2006 0 "me_SiuVUrcZk2nD1gn"

    They seem very suspect!

    Look in Add/Remove programs for the below and uninstall them if found:
    Notifier
    Viewpoint Media Player

    Tell me what you find and if you could uninstall them.


    Now run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [ojxbghi] c:\windows\system32\ojxbghi.exe ojxbghi

    After clicking Fix, exit HJT.


    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\ojxbghi.exe
    C:\WINDOWS\system32\ojxbghi.dat
    C:\WINDOWS\system32\ojxbghi_nav.dat
    C:\WINDOWS\system32\ojxbghi_navps.dat


    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK if you get any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.


    Now attach a new HJT log and tell me how the steps went.

    Also attach a new log from ShowNew.

    Make sure you tell me how things are working now!
     
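The two-step procedure above (fix the O4 Run entry in HijackThis, then have Killbox delete the files on reboot) can be reproduced and, more importantly, verified with built-in Windows tooling. The script below is an added example written for this page, not code from the thread, from HijackThis or from Killbox. It uses the file paths and Run value names the thread names, removes the Run values from HKLM and HKCU, deletes each file immediately where it can and otherwise queues it with MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT), which is the kernel32 call behind "Delete on Reboot", and finally dumps the PendingFileRenameOperations registry value so you can see exactly what is queued before rebooting. Run it from an elevated PowerShell prompt; the function names are this example's own.

```powershell
# Added example (not from the thread, HijackThis or Killbox): reproduce the
# "fix O4 entry, then delete on reboot" steps with built-in tooling so the
# result can be checked rather than trusted. Run elevated.

$RunValues = @('ojxbghi', 'MESB')                     # O4 value names from the HJT logs
$Files = @(                                           # paths from the Killbox list above
    'C:\WINDOWS\system32\ojxbghi.exe',
    'C:\WINDOWS\system32\ojxbghi.dat',
    'C:\WINDOWS\system32\ojxbghi_nav.dat',
    'C:\WINDOWS\system32\ojxbghi_navps.dat'
)

# MoveFileEx(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) is what "Delete on Reboot"
# means: the path is queued in PendingFileRenameOperations and the session
# manager unlinks it at next boot, before any Run entry could reload it.
$Kernel32 = Add-Type -Namespace Win32 -Name Kernel32 -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 4

function Remove-RunValue {
    # Equivalent of fixing an "O4 - HKLM\..\Run" or "O4 - HKCU\..\Run" line in HJT.
    param([string]$Name)
    foreach ($hive in 'HKLM', 'HKCU') {
        $key  = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        $prop = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            "Removing $hive Run value '$Name' -> $($prop.$Name)"
            Remove-ItemProperty -Path $key -Name $Name
        }
    }
}

function Remove-FileOrQueue {
    # Try an immediate delete; if the file is locked (still running or loaded),
    # fall back to the delete-on-reboot queue, which is what Killbox does.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { "Not present: $Path"; return }
    try {
        Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
        "Deleted now: $Path"
    } catch {
        if ($Kernel32::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
            "Queued for deletion at reboot: $Path"
        } else {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            "FAILED to queue $Path (Win32 error $err)"
        }
    }
}

function Show-PendingRenames {
    # The registry value Killbox's "PendingFileRenameOperations" prompt refers to:
    # a REG_MULTI_SZ of source/destination pairs; an empty destination means delete.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations `
            -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $ops) { 'No pending rename/delete operations queued.'; return }
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        $dst = if ($ops[$i + 1]) { $ops[$i + 1] } else { '<delete>' }
        '{0}  ->  {1}' -f $ops[$i], $dst
    }
}

# Order matters: remove the autostart first so nothing re-creates the files on
# the next logon, then delete or queue the files, then confirm what is queued.
$RunValues | ForEach-Object { Remove-RunValue $_ }
$Files     | ForEach-Object { Remove-FileOrQueue $_ }
Show-PendingRenames
```

Running Show-PendingRenames before the fix is the check that explains the prompt the user is asked about: if the value already holds entries from an earlier Killbox run or from an installer, the new entries are appended to them, and anything that fails to queue shows up as a Win32 error rather than silently surviving the reboot. If the Run value reappears after the script has removed it, the process behind it is still running, which is exactly the "something reloaded the files" case in the post above, and the reboot (or stopping that process first) has to happen before the files are gone for good.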
  6. krebbin

    krebbin Private E-2

    Hi Chas,

    First MY BAD - I ran spybot after the last clean up - it reckoned magic control was still active, sorry man:-(

    Next I found Viewpoint and removed it.
    The spyware text file was from a vundofix from days ago!

    I found
    C:\WINDOWS\system32\ojxbghi.dat
    C:\WINDOWS\system32\ojxbghi_nav.dat
    C:\WINDOWS\system32\ojxbghi_navps.dat
    BUT not the exe file.

    I also got PendingFileRenameOperations message this time, but I did have a problem pasting into Killbox at first.

Here's the latest logs,

    Thanks again mate:)
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Now your logs are clean!

    Is Spybot still finding MagicControlAgent? It normally cannot fix this even though it says it does. We normally have to use special procedures to remove it.
     
  8. krebbin

    krebbin Private E-2

    Hi Chas

    Sorry for the delay in a response.

PC is running sweetly, no problems or infections to report:)

    I'm really impressed by your service and dedication to ridding us mortals of this sort of scum.

    All power to you and your team, Kreb.
     
  9. krebbin

    krebbin Private E-2

    :eek: :eek:
     
    Last edited: Aug 12, 2006
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
