Ultimate

Discussion in 'Malware Help (A Specialist Will Reply)' started by adm1329, Feb 8, 2008.

  1. adm1329

    adm1329 Private E-2

    McAfee keeps reporting that "Ultimate" is installed on this computer, and it keeps trying to access the internet. I have it disconnected and have only connected it to run the updates for spybot and avg antispyware.

    The first AVG scan that I ran came back with several infected files, but for some reason did not create a log file (yes, I followed the instructions telling me to set it to select "Automatically generate report after every scan" and to un-select "Only if threats were found").

    I also had to create a new administrator account on this computer. When I first started, the user account that was being used no longer had access to Control Panel, and when I tried to type Control Panel in the Windows Explorer address bar it said I didn't have permission.

    I'm trying to clean this up for a friend so I have no idea when this happened or what she was doing.
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi adm1329,
    Welcome to the Malware Forum!


    Among other things, you have an advanced stage of the new Vundo variant which is bad for your computer. Please use your computer as little as possible and don't reboot unnecessarily until we can post you a set of instructions. You will probably have to uninstall and reinstall some of your programs, but let's see how things go first.

    To begin, please go to C:\ and delete all the temporary files that have this structure: pos100.tmp or posFF.tmp
    Let me know when you've finished this.
    abri
     
  3. adm1329

    adm1329 Private E-2

    All of those temp files are deleted.
     
  4. abri

    abri MajorGeek

    Hi adm1329,

    Adding to my instructions in post 2, there are also a lot of the same kinds of temporary files in C:\Documents and Settings\tech support\My Documents. They have the same structure: pos223.tmp
    Please delete them all as well.


    Then I would like for you to do the following:

    1) Okay now we need to use a new tool.
    • Download RenV.exe and save it to your Desktop (it must be on the Desktop)
    • Now copy the text in the code box below to Notepad. Save it as Log.txt to your Desktop. (It must be on your Desktop.)
    Code:
    C:\Documents and Settings\Josh\Application Data\bwbvl .exe
    C:\Documents and Settings\Josh\Application Data\gahkokmh .exe
    C:\Documents and Settings\Josh\Application Data\rilplqab .exe
    C:\Documents and Settings\Josh\Application Data\sfqzrpggihnf .exe
    C:\Program Files\Analog Devices\Core\smax4pnp .exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
    C:\Program Files\Dell\Media Experience\PCMService .exe
    C:\Program Files\Dell Support\DSAgnt .exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon .exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
    C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
    C:\Program Files\Messenger\msmsgs .exe
    C:\Program Files\MSN Messenger\msnmsgr .exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask .exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray .exe
    C:\Program Files\Real\RealPlayer\RealPlay .exe
    C:\WINDOWS\SYSTEM32\hkcmd .exe
    C:\WINDOWS\SYSTEM32\igfxpers .exe
    C:\WINDOWS\SYSTEM32\igfxtray .exe
    C:\WINDOWS\SYSTEM32\MRT .exe
    C:\WINDOWS\SYSTEM32\dla\tfswctrl .exe
    C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpztsb05 .exe
    2) Now run CCleaner in the default setting with the Windows tab as the one on top.

    • Now using your mouse, drag Log.txt onto RenV.exe
    • When finished, RenV.exe will produce a new log named Log.txt on your Desktop. I may or may not ask for this log later.
    3) When you've finished all the instructions in post 2 and post 3, please tell me how it went and I will give you some more instructions.

    abri
     
  5. adm1329

    adm1329 Private E-2

    Everything is going smoothly so far. I just finished the RenV part; the new Log.txt file was saved by default to C:\Documents and Settings\tech support instead of the Desktop. Is this ok?
     
  6. abri

    abri MajorGeek

    Hi adm1329,

    The user name where the problems originate on this computer is Josh and you need to work from that user rather than the user tech support so that that part of the computer can be cleaned.

    Please run Combofix using that user name and attach the log here.

    Thanks.
    abri
     
  7. adm1329

    adm1329 Private E-2

    Here's the new combofix log
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi adm1329

    1) What's in this folder? (don't open any files)

    C:\WINDOWS\SYSTEM32\runtime


    2) Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    RenV::
    C:\Documents and Settings\Josh\Start Menu\Programs\Startup\PowerReg Scheduler                 .exe
     
    File::
    C:\Documents and Settings\Josh\Application Data\3de8688ea8dcaed8111acaba718c6c0a.dat
    C:\Documents and Settings\Josh\Application Data\sfqzrpggihnf.exe
    C:\Documents and Settings\Josh\Application Data\rilplqab.exe
    C:\Documents and Settings\Josh\Application Data\gahkokmh.exe
    C:\Documents and Settings\Josh\Application Data\bwbvl.exe
    C:\kmd.exe
    C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
    C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
    C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
    C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
    C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
    C:\WINDOWS\SYSTEM32\urqqolk.dll
     
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MyWebSearch Email Plugin"=-
    "Awola"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avp"=-
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{2D5796A2-44E0-4E50-A5A0-80BF1EE3EA73}"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqqolk]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xgkklwed]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2D5796A2-44E0-4E50-A5A0-80BF1EE3EA73}]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.



    3) Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Documents and Settings\Owner\Local Settings\Temp

    4) Now run Ccleaner in the default setting with the Windows tab as the one on top!


    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Combofix log.


    Let me know how things are running now?

    abri
     
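The CFScript above is a small declarative format: a RenV:: section lists files whose names have been padded with spaces before the extension, File:: lists files to delete, and Registry:: is standard .reg syntax in which "name"=- removes a value and a key written as [-HKEY...] is removed outright. The following script is an added example, not part of this thread and not ComboFix's own code; it parses that format into a reviewable plan and prints the equivalent reg.exe deletions, so the registry effects of a script can be read before it is dragged onto ComboFix. The sample script is a constructed copy of the one in post 8; the section names handled and the treatment of any other "name"=data line as a set-value are my assumptions about the format, not something the thread documents.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Section header such as "RenV::", "File::", "Registry::"
SECTION = re.compile(r"^(?P<name>[A-Za-z]+)::\s*$")
# Registry key line; a leading "-" inside the brackets means "delete this key"
REG_KEY = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
# Registry value line; data "-" means "delete this value" (standard .reg syntax)
REG_VALUE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')

RegOp = Tuple[str, str, Optional[str], Optional[str]]  # (op, key, value name, data)


@dataclass
class Plan:
    renames: List[str] = field(default_factory=list)   # RenV:: padded file names
    deletes: List[str] = field(default_factory=list)   # File:: paths to remove
    reg_ops: List[RegOp] = field(default_factory=list)  # Registry:: operations in order
    unknown: List[str] = field(default_factory=list)   # lines this parser does not model


def parse_cfscript(text: str) -> Plan:
    """Turn a CFScript into a Plan without touching the system."""
    plan = Plan()
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()          # page indentation only; padded names keep their inner spaces
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section, current_key = m.group("name"), None
            continue
        if section == "RenV":
            plan.renames.append(line)
        elif section == "File":
            plan.deletes.append(line)
        elif section == "Registry":
            k = REG_KEY.match(line)
            if k:
                current_key = k.group("key")
                if k.group("delete"):
                    plan.reg_ops.append(("delete_key", current_key, None, None))
                    current_key = None  # values must not follow a deleted key
                continue
            v = REG_VALUE.match(line)
            if v and current_key:
                if v.group("data") == "-":
                    plan.reg_ops.append(("delete_value", current_key, v.group("name"), None))
                else:
                    plan.reg_ops.append(("set_value", current_key, v.group("name"), v.group("data")))
            else:
                plan.unknown.append(line)
        else:
            plan.unknown.append(line)
    return plan


def reg_commands(plan: Plan) -> List[str]:
    """Equivalent reg.exe deletions, for reviewing (not running) the Registry:: section."""
    cmds = []
    for op, key, name, _data in plan.reg_ops:
        if op == "delete_key":
            cmds.append(f'reg delete "{key}" /f')
        elif op == "delete_value":
            cmds.append(f'reg delete "{key}" /v "{name}" /f')
    return cmds


# Constructed copy of the CFScript given in post 8 of this thread.
SAMPLE_CFSCRIPT = r"""
RenV::
C:\Documents and Settings\Josh\Start Menu\Programs\Startup\PowerReg Scheduler                 .exe

File::
C:\Documents and Settings\Josh\Application Data\3de8688ea8dcaed8111acaba718c6c0a.dat
C:\Documents and Settings\Josh\Application Data\sfqzrpggihnf.exe
C:\Documents and Settings\Josh\Application Data\rilplqab.exe
C:\Documents and Settings\Josh\Application Data\gahkokmh.exe
C:\Documents and Settings\Josh\Application Data\bwbvl.exe
C:\kmd.exe
C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
C:\WINDOWS\SYSTEM32\urqqolk.dll

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MyWebSearch Email Plugin"=-
"Awola"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avp"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2D5796A2-44E0-4E50-A5A0-80BF1EE3EA73}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqqolk]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xgkklwed]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2D5796A2-44E0-4E50-A5A0-80BF1EE3EA73}]
"""

if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_CFSCRIPT)
    print(f"{len(plan.renames)} rename(s), {len(plan.deletes)} file deletion(s), {len(plan.reg_ops)} registry op(s)")
    for path in plan.deletes:
        print("delete file:", path)
    for cmd in reg_commands(plan):
        print(cmd)
```

Reading the plan before running is the point: the File:: section here removes five mfe*.sys drivers, and the mfe prefix belongs to McAfee, the product the original poster says is installed, so a listing like this makes such entries easy to cross-check against the installed product before they are gone.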
  9. adm1329

    adm1329 Private E-2

    When I drag the file onto combofix it starts to run, but at some point either logs off or reboots the computer and there is no combofix.log created, I've tried it twice now. I do have a new file on the desktop "[4]-Submit_2008-02-09@22.55.zip"

    Inside the zip file is a catchme.txt and urqqolk.dll
     
  10. abri

    abri MajorGeek

    Hi adm1329,
    See if this will work better?

    1) What's in this folder? (don't open any files)

    C:\WINDOWS\SYSTEM32\runtime


    2) Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    RenV::
    C:\Documents and Settings\Josh\Start Menu\Programs\Startup\PowerReg Scheduler                 .exe
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    3) Download and install Erunt. Use it to create a backup of your registry.

    4) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    5) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    6) Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Documents and Settings\Owner\Local Settings\Temp

    7) Now run Ccleaner in the default setting with the Windows tab as the one on top!


    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Combofix log.


    Let me know how things are running now?

    abri
     
  11. adm1329

    adm1329 Private E-2

    C:\WINDOWS\SYSTEM32\runtime is empty

    Combofix did the same thing, I went ahead and proceeded anyway hoping that if I come back and run it after all this it would run.

    I am also attaching the avenger log, there were several lines that failed.

    I am currently trying to run combofix again, but I have to leave for church, so I'll post the results when I get back home.
     

    Attached Files:

  12. abri

    abri MajorGeek

    Hi adm1329,

    When you run Combofix (or if you already ran it), please either add the file in the following box to what you're doing in step 2 of post 10, or, if you already did Combofix in post 10, simply copy the contents of the code box below and use the same instructions as you did in step 2 of post 10 to run it again. If you can't run it in either case, let me know.
    Code:
    RenV::
    C:\Program Files\QuickTime\qttask             .exe
    Please post either the Combofix log or any error messages you might be getting.

    Also, I need to know if you got a success message when you ran the REGEDIT4 patch in step 4 of post 10.

    Thanks.
    abri
     
  13. adm1329

    adm1329 Private E-2

    Ok, after running it again it reboots the computer, and when you log back in it comes up with
    "Windows cannot find 'C:\windows\system32\home:=\Combobatch.bat'."

    After it finishes logging in, kmd.exe comes back up and sits there for a few moments and then flashes something and closes, but it's gone before I can read it.

    The regedit 4 did succeed.
     
  14. abri

    abri MajorGeek

    You ran Combofix successfully before you started this thread. Please go back to the instructions in Windows XP Cleaning Procedure and find the link for Combofix and download it as per the instructions. Install it over the old one so it will get rid of the old one. Be sure to install it to the desktop. I will post a further set of instructions to you after that.

    Thanks.
    abri
     
  15. adm1329

    adm1329 Private E-2

    Ok I downloaded it again, and just ran combofix and it did run successfully. I went ahead and attached the log.
     

    Attached Files:

  16. abri

    abri MajorGeek

    Hi adm1329,

    Please go back to post 10, step 2 and do those instructions again, only this time use the contents of this box:
    Code:
    RenV::
    ----a-w           171,448 2008-01-16 22:28:57  C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier .exe
    ----a-w         4,670,704 2008-02-07 21:24:55  C:\Program Files\Yahoo!\Messenger\YAHOOM~1  .EXE
    Attach the new ComboFix log this produces.
    Thanks.
    abri
     
  17. adm1329

    adm1329 Private E-2

    It ran successfully this time.
     

    Attached Files:

  18. abri

    abri MajorGeek

    Hi adm1329,

    Things are almost cleared up. Please do the following and if your logs are clean after that, I'll post you our final cleanup instructions.

    1) Go to add/remove programs and uninstall the below:

    Viewpoint Media Player

    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE" -quiet
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    Does the following program need to load at startup? If not, please fix them as well.

    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

    After you click fix, just close hijackthis.

    4) Now run Avenger
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    5) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now?

    abri
     
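Posts 4 and 18 turn on the same trick: the autorun entries point at copies whose names carry spaces before the extension ("qttask .exe", "YAHOOM~1 .EXE"), so the Run value no longer names the file the vendor installed, which is what RenV and ComboFix's RenV:: section rename back. The script below is an added example, not part of this thread and not RenV's or HijackThis's own code; it scans HijackThis O4 lines and bare paths for that padding, reports the canonical name, and emits a RenV:: section for review. The sample lines are constructed from those quoted in posts 4 and 18 plus two clean entries; the regexes and the assumption that the padding is spaces or tabs before a short extension are mine.

```python
import re
from typing import Iterable, List, NamedTuple, Optional

# A name whose extension is preceded by whitespace, e.g. "qttask .exe" or "YAHOOM~1  .EXE".
# Windows runs such a file, but it is a different file from "qttask.exe" (the padding is the tell).
PADDED_EXT = re.compile(r"^(?P<stem>.*?\S)(?P<pad>[ \t]+)\.(?P<ext>[A-Za-z0-9]{1,4})$")

# HijackThis O4 line: O4 - HKLM\..\Run: [Value Name] command line
O4_LINE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Image path inside a command line: a quoted path, or an unquoted path up to the first
# executable extension followed by whitespace or end of line.
EXE_IN_CMD = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)', re.I)


class Finding(NamedTuple):
    source: str   # where the path came from (O4 hive/key/value, or "path")
    path: str     # padded path exactly as found
    fixed: str    # the same path with the padding removed


def strip_padding(path: str) -> Optional[str]:
    """Return the canonical file name if `path` has whitespace before its extension, else None."""
    m = PADDED_EXT.match(path)
    if not m:
        return None
    return f"{m.group('stem')}.{m.group('ext')}"


def image_path(cmd: str) -> str:
    """Extract the executable path from a Run-value command line."""
    m = EXE_IN_CMD.match(cmd)
    if not m:
        return cmd.strip()
    return m.group("q") or m.group("u")


def scan(lines: Iterable[str]) -> List[Finding]:
    """Flag padded executable names in HijackThis O4 lines or bare file paths."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = O4_LINE.match(line)
        if m:
            path = image_path(m.group("cmd"))
            source = f"O4 {m.group('hive')}\\..\\{m.group('key')} [{m.group('name')}]"
        else:
            path, source = line, "path"
        fixed = strip_padding(path)
        if fixed:
            findings.append(Finding(source, path, fixed))
    return findings


def renv_section(findings: Iterable[Finding]) -> str:
    """Render the padded paths as a ComboFix RenV:: section."""
    return "RenV::\n" + "\n".join(f.path for f in findings) + "\n"


# Constructed sample: the O4 lines from post 18, two paths from post 4, and two clean entries.
SAMPLE = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE" -quiet
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Josh\Application Data\bwbvl .exe
C:\WINDOWS\SYSTEM32\MRT .exe
C:\WINDOWS\SYSTEM32\hkcmd.exe
""".splitlines()

if __name__ == "__main__":
    found = scan(SAMPLE)
    for f in found:
        print(f"{f.source}: {f.path!r} -> {f.fixed!r}")
    print(renv_section(found))
```

Two of the clean sample entries (RealPlay.exe and GoogleToolbarNotifier.exe) are the same programs that post 18 asks to fix anyway, which shows the limit of the check: padding identifies the renamed copies, not every entry worth removing, so the output is a review list, not a verdict.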
  19. adm1329

    adm1329 Private E-2

    While the computer is not popping up screens where it has attempted to connect to the internet any more, it is still extremely slow. I've seen systems running XP Pro SP2 with 256mb of RAM that run faster than this. It seems to respond then freeze for a few seconds.

    I also noticed when removing the Viewpoint Media Player, that there is a strange black and white box in the middle of the add remove programs list. You don't notice it until you start scrolling down the list. After "Dell System Restore" the add remove list goes black, then scroll down and you'll see black on the sides with white in the middle, and further down black, white, black, white, black, and then black, white, black, and then black again. This area takes up about 90% of the add remove programs list. The next program I see in the list is Erunt, so I don't think it's keeping me from removing any programs, but it is really strange.
     

    Attached Files:

  20. abri

    abri MajorGeek

    Hi adm1329,

    It's possible that some of your files were damaged by the malware, but I would like for you to try the following:

    1) Please right click on the following folder and tell me if it has to do with Java Runtime. If there's nothing about Sunbelt or Java Runtime, open the folder and look at what's in it. Don't open any files. Java is normally in a folder called Sun and not in one called runtime, so I'm curious about it.

    C:\WINDOWS\SYSTEM32\runtime

    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZR

    Does the following belong to your isp or to your computer manufacturer? If not, please fix it as well.

    O14 - IERESET.INF: START_PAGE_URL=http://www.accessatc.net/

    After you click fix, just close hijackthis.


    4) Please run Avenger again as in post 18, only use the contents of this box:
    5) After you finish the instructions for Avenger, please run CCleaner.

    Now I would like for you to do the following:

    6) Please do the following:

    Download Registry Search (see the link titled RegSearch Download Link )
    • Extract the files from Regsearch.zip into a folder.
    • Doubleclick regsearch.exe to start the program.
    • Enter mywebsearch in the top area of the form and then click "Ok".
    • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply.
    7) When you finish the above, I would like for you to go to Alternate Scans and find the Free Online Scanning Tools. Under that you will find BitDefender online scan. Please run this using Internet Explorer. Active X will need to be enabled. This is a lengthy scan which will probably take one to two hours. There are instructions for this scan and for how to produce a log that is useful here: http://forums.majorgeeks.com/showthread.php?t=148841

    8) After the above, you will have logs for both the regsrch and for BitDefender. Please attach them with your next post.

    Thanks.
    abri
     
  21. adm1329

    adm1329 Private E-2

    Unfortunately the computer rebooted for some reason after running bitdefender last night, I left it running when I went to bed since it estimated 3 hours to complete. This morning the computer is running much better and when I ran bitdefender again it only took about 30 minutes.

    The c:\windows\system32\runtime folder is empty.

    I changed the desktop since the image said something along the lines of "Your computer is infected with spyware", and after a reboot McAfee says that adware.zquest is trying to run.
     

    Attached Files:

  22. abri

    abri MajorGeek

    Hi adm1329,
    I'm glad to hear your computer is running better. It's not possible to know what BitDefender found and deleted the first time, but I expect some things that you've been fighting. The one restore point that is infected refers to a worm which is usually housed in Outlook Express or e-mail relatives, but there's no indication that this is still showing up in your e-mail. For this particular infection, it will be gotten rid of when we get to the end of the instructions and flush your restore points, but we like to keep even infected restore points until we get done in case they are needed.

    For your future information, if your e-mail gets infected by a worm, for instance in an attachment, and you can throw away the e-mail, empty the e-mail trash or deleted files folder, run CCleaner to empty the trash of your computer and then compress your e-mail folders, this will also get rid of this kind of infection.

    I had you run the regsrch before I asked you to run BitDefender, so it's possible that the MyWebSearch has already been deleted. Please rerun the regsrch and see if it comes up with the same entries. If so, I would like for you to go to the Alternate Scans and find the list called Free Offline Scans and run the scan called a-squared free edition.

    Attach whichever results you get and let me know how your computer is doing.
    Thanks.
    abri
     
  23. adm1329

    adm1329 Private E-2

    here are the logs, computer seems to be running fine.
     

    Attached Files:

  24. abri

    abri MajorGeek

    Hi adm,
    Was it possible to have a2 fix everything it finds as an option, because your log only says it detected the mywebsearch, not that it quarantined or deleted anything. If you can have a2 fix it, please do. I would prefer that over trying to fix your registry myself.
    abri
     
  25. adm1329

    adm1329 Private E-2

    Yes, a2 fixed everything.
     
  26. abri

    abri MajorGeek

    Hi adm1329,

    For my peace of mind, please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip. This will allow me to make sure everything is gone. After that I will post you our final clean up instructions, which will include asking you to remove all the logs and tools we put on your computer and setting a clean restore point.

    Thanks.
    abri
     
  27. adm1329

    adm1329 Private E-2

    here ya go.
     

    Attached Files:

  28. abri

    abri MajorGeek

    Hi adm1329,
    That looks pretty good. I would like for you to run CCleaner again in the default setting with the Windows tab as the one on top. For the future, it is a good idea to always do this when you finish using the internet and close your browsers.

    After running CCleaner I would like for you to do the following:

    1) Download and install Erunt. Use it to create a backup of your registry.

    2) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    If you get a success message for the registry patch (regedit4), go ahead and do the below final cleanup instructions in the box.
    Be sure to set a clean restore point according to the instructions in the link above, because one of your restore points is infected and this will get rid of that infection.
    abri
     
  29. adm1329

    adm1329 Private E-2

    Thanks for all your help. Everything seems to be running much better now.
     
  30. abri

    abri MajorGeek

    That's great!
    Best of luck to you and your computer!
    abri
     
