Unfixed malware despite following instructions

Discussion in 'Malware Help (A Specialist Will Reply)' started by barcalazy, Apr 17, 2006.

  1. barcalazy

    barcalazy Private E-2

    Hi there

I've followed the excellent Major Geeks instructions for scanning/removing malware (see attached logs) as best I can. All scans have shown (and in most cases fixed) malware. The spontaneous pop-ups have stopped, but Panda Activescan detected 3 spyware problems which it did not fix, and I keep getting alerts (from WinPatrol) that suspicious-looking programmes are trying to get onto my start-up list. Concerned that I've knocked the head off (as it were) but left the roots! More details below in case of use:

- System info: Compaq Armada E500 (old, I know!) Intel Pentium III at 600MHz; 512 Megabytes RAM; Windows 2000 SP4 rev. 5.0.2195

    - Completed all the preliminary housekeeping (deleted what looked suspicious and it let me delete)

- One attempt to run all the spyware tools in safe mode was thwarted since, due to the poor screen resolution, I couldn't click the Fix button on Counterspy (stoopid, I know). It found only one piece of spyware (Virtual Bouncer). I then re-ran Counterspy in normal boot mode and removed this. I then went back into safe mode and re-ran all the scans from the top (CCleaner onwards), including CWShredder and Kill2Me.

- Then completed online scan with BitDefender in safe mode with networking, but couldn't load Panda Activescan, so rebooted in normal mode, downloaded and installed latest Java, and then ran Panda Activescan. It deleted 4 viruses and detected 3 spyware but did not fix them. (Slightly concerned that the page I tried to run Panda from in safe mode - found by a Google search - looked nothing like the page that majorgeeks.com directed me to in normal boot mode, although both were www.pandasoftware.com addresses.)

    - Finally turned msconfig to boot in Normal mode, rebooted, ran hijackThis and turned msconfig back to where it was before. Then wrote this post!

Any help much appreciated. Thanks to all at majorgeeks.com, the step-by-step guide was very helpful and I feel like I've learnt a lot from the process. Tried to work through the HijackThis sticky post but soon realised one more expert than me would be able to sort the wheat from the chaff much more efficiently!

    B
     

    Attached Files:

  2. barcalazy

    barcalazy Private E-2

    anyone?

I'd really appreciate any help.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please go back and follow step 7 of the READ ME properly. You installed HijackThis to the below folder which is exactly where we specify not to run it from.
    C:\Documents and Settings\Administrator\Desktop\Hi Jack This\HijackThis.exe

    Install it correctly before continuing.

    Bitdefender found and supposedly deleted a load of infected files in the below folder:
    C:\Documents and Settings\Shared\_\

    Where are you downloading all this stuff from? Are you using P2P programs and servers to download stuff? Are there more files there?

    Are the below IP addresses and URL valid (that is do you recognize them)?
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sci-ware.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7BEA3175-3760-484C-BCB9-C6B6CF79FB96}: NameServer = 10.1.1.2,195.92.195.93
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8A3352CC-6EB8-4DC4-93F9-87A8C11B62F3}: NameServer = 195.92.195.92,195.92.195.93
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sci-ware.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sci-ware.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = sci-ware.com

    Now download LSP - Fix

    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the nutafun4.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move nutafun4.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.
    If it is already in the Remove section, just click Finish.


    Make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O3 - Toolbar: (no name) - {1E831EDF-215C-B544-40B7-004D5CF9B8EB} - (no file)
    O4 - HKCU\..\Run: [Dilberttest3 web link] "C:\Program Files\Dilberttest3\Screen Saver\FWLink.exe"
    O9 - Extra button: Mail This Page! - {A453794C-C643-4295-98A5-597CFC8D72EC} - C:\Program Files\Mail This Page\MailThisPage.exe (file missing)
    O9 - Extra 'Tools' menuitem: Mail This Page! - {A453794C-C643-4295-98A5-597CFC8D72EC} - C:\Program Files\Mail This Page\MailThisPage.exe (file missing)
    O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - (no file)
    O20 - Winlogon Notify: MediaContentIndex - C:\WINNT\system32\f40oled31h0.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\winupdates <--- the whole folder
    C:\Program Files\Adobe Illustrator\YSB_toolBar.exe
    C:\Documents and Settings\Shared\adpro.zip
    C:\Setup.exe
    C:\WINNT\SYSTEM32\rar.exe
    C:\WINNT\SYSTEM32\oaiqjqax.dll
    C:\WINNT\SYSTEM32\INNERADINSTALL.LOG
    c:\winnt\system32\innervbinstall.log
    c:\winnt\system32\swrt01.dll
    C:\WINNT\U1dM\oYxg.vbs
    C:\iexplore.exe

If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
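Added example, not code from the thread or from MajorGeeks: a small Python checker that applies the same triage heuristics chaslang uses in the post above to HijackThis log lines, flagging orphaned "(file missing)"/"(no file)" entries, IE search pages blanked to about:blank, and O17 DNS settings the owner does not recognise. The set of trusted resolver IPs is an assumption you supply yourself; the sample log is constructed from the entries quoted in the thread.

```python
import re

# Constructed sample in HijackThis log format, re-typed from the entries quoted in the thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O4 - HKCU\..\Run: [Dilberttest3 web link] "C:\Program Files\Dilberttest3\Screen Saver\FWLink.exe"
O9 - Extra button: Mail This Page! - {A453794C-C643-4295-98A5-597CFC8D72EC} - C:\Program Files\Mail This Page\MailThisPage.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A3352CC-6EB8-4DC4-93F9-87A8C11B62F3}: NameServer = 195.92.195.92,195.92.195.93
O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - (no file)
O20 - Winlogon Notify: MediaContentIndex - C:\WINNT\system32\f40oled31h0.dll (file missing)
"""

HJT_LINE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")  # "O17 - <body>"

def parse_line(line):
    """Split one HJT line into (section, body); None for text that is not an HJT entry."""
    m = HJT_LINE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def flag_line(line, trusted_dns):
    """Reason this line deserves review, or None. trusted_dns: resolver IPs the owner recognises (assumed input)."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    section, body = parsed
    if "(file missing)" in body or "(no file)" in body:
        return "orphaned entry: registry still points at a file that is gone"
    if section in ("R0", "R1") and body.endswith("= about:blank"):
        return "IE search/start page blanked, a common leftover of a hijack"
    if section == "O17":
        ns = re.search(r"NameServer = ([\d.,]+)", body)
        if ns:
            unknown = [ip for ip in ns.group(1).split(",") if ip not in trusted_dns]
            if unknown:
                return "DNS resolver not in trusted list: " + ", ".join(unknown)
        dom = re.search(r"Domain = (\S+)", body)
        if dom:
            return "DNS domain suffix set to %s; confirm it is still wanted" % dom.group(1)
    return None

def review_log(text, trusted_dns):
    """Return [(section, reason)] for every flagged line, in log order."""
    findings = []
    for line in text.splitlines():
        reason = flag_line(line, trusted_dns)
        if reason:
            findings.append((parse_line(line)[0], reason))
    return findings
```

The O4 Run entry is deliberately not flagged: a valid path tells the checker nothing by itself, which is exactly why a human still has to judge lines like that one.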
     
  4. barcalazy

    barcalazy Private E-2

    Thanks so much chaslang

    Now correctly installed HJT (sorry about that).

    Yes, problems started after downloading programmes from Limewire. That folder [C:\Documents and Settings\Shared\_\] is now empty.

I do recognise the sci-ware.com URLs, but don't need them (i.e. they relate to work that is long since finished). Should I fix them?

    I ran LSP as instructed and removed nutafun4.dll, then checked the lines you told me to in HJT and fixed with all browsers closed.

Rebooted in safe mode as instructed, and deleted the files you told me to. Most deleted fine. A few of them didn't seem to be there (despite double-checking that hidden files were visible and several searches of local hard drives) - they were:

    C:\Setup.exe
    C:\WINNT\SYSTEM32\rar.exe
    c:\winnt\system32\innervbinstall.log
    c:\winnt\system32\swrt01.dll
    C:\iexplore.exe

    I have run some of the Spyware Tools downloaded during the READ FIRST thread since posting my original post - could this have removed them?

    Reset web settings as instructed (kept home page as google if that's okay!) and reran HJT.

I'm running Windows 2000, so I guess the System Restore procedure doesn't apply?

    My system is running a bit slower than normal, but no pop-ups thank god.

Thanks again - let me know what I am to do next!
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes fix those lines.

    It's possible.

    That's correct!


Your log is clean. If you are not having any other malware problems, you should work through the below link:

    How to Protect yourself from malware!
     
  6. barcalazy

    barcalazy Private E-2

    Thanks chaslang, really appreciate your advice and help.

    Fixed those lines, downloaded AVG and Sygate (got rid of malfunctioning Norton).

    Thanks again, much indebted!
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
