URGENT- win32 trojan pouring spyware on comp, cant fix, getting serious

Discussion in 'Malware Help (A Specialist Will Reply)' started by MariSama, Sep 14, 2006.

  1. MariSama

    MariSama Private E-2

    Okay, so recently I was infected with a trojan (maybe two)... this was the day before yesterday. I got new antivirus software and cleaned the comp with that. Cleaned the comp halfway with Hitman Pro, did multiple scans with both Ad-Aware and Spybot until things were clean. It gets worse and worse every time I restart... I get an error message that a DLL file can't be found upon startup, though I don't really know what it's for. I think it may be for some spyware that I deleted most of before... anyway, I get pop-ups every so often, the browser likes to freeze up on me, and my processor is overloaded by programs I can't see. I came here and began carrying out the "READ THIS FIRST" list to fix everything I could, except when I went into safe mode, I didn't even get a desktop! My safe mode is messed up! I can't even get anything to show up, it's just a black screen with "Safe Mode" in each corner. I'm running XP on this laptop, not sure what version; I got it a year and 3 months ago. In safe mode, I had to get to the Task Manager and run everything by hand. When I type in msconfig and hit Run without looking it up, the comp acts like it doesn't know what I'm talking about. This is really scaring me, and it's a relatively new laptop; this is the first issue that's arisen and I need urgent help. Please respond soon!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    It sounds like you have at a minimum a Virtumonde infection and it probably also has winlogonhook.

    The READ ME specifically tells you that if you cannot run in safe mode, run the steps in normal boot mode. So please run all steps in normal boot mode and attach the 5 (or 6 if you had to run CounterSpy) logs as requested in the READ ME.
     
  3. MariSama

    MariSama Private E-2

    Okay, I tried to download and install the Windows Malware removal but the setup didn't work, so instead I used CounterSpy, and it found a lot of things that look rather nasty. I have attached the log of that, but even though it found these things and removed them, the pop-ups are still coming. Keep in mind, this scan was done first.

    I ran Spybot S&D. I found entries called Windows Security Center.FirewallDisabled (2 registry entries) that respawn when I delete them.

    I ran Windows Defender. Defender found nothing.

    I ran BitDefender. It said some viruses were repaired, but then it said at the end that I'm still infected. The log is attached in a text file.

    I ran PandaScan... I think it found like... 11 things, malware. Attached is the log.

    I ran both GetRunKey and ShowNew batch files. The logs will be attached in a following reply.

    So far, after all this, my computer seems to be doing better, but then again I haven't restarted at all. I get the occasional pop-up, but it's not as volatile as it had been.
     


  4. MariSama

    MariSama Private E-2

    Here are the batch logs.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to attach the HijackThis log from step 7 of the READ ME.
     
  6. MariSama

    MariSama Private E-2

    I know, I was just doing that! Sorry, after all that scanning it slipped my mind.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Start by uninstalling the below as instructed in step 0 of the READ ME:
    MediaTickets by OIN
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player


    Now please tell me which of the below are paid versions and which are free trials:
    Spy Sweeper
    Spyware Doctor 4.0
    Sunbelt CounterSpy

    The above programs along with Windows Defender are all realtime blocking tools and you should only have one installed. Using all of these will slow your PC down tremendously, it will cause conflicts between them making each less effective, and it will also make it difficult for us to fix your problems.

    What do you have installed from Symantec?
     
    Last edited: Sep 15, 2006
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Then uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2_05

    Let's start the malware removal by downloading two tools we will need:

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of winepi32.dll once and then click the kill button. After you have killed all of the winepi32.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    pmnnk.dll

    Next double click on explorer.exe and again click once on each instance of winepi32.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    pmnnk.dll

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {521A2272-2508-48DC-A6B3-BABF301692F9} - C:\WINDOWS\system32\pmnnk.dll
    O4 - HKLM\..\Run: [thb57c27] RUNDLL32.EXE w0c88502.dll,n 00457c23000000020c88502
    O4 - HKCU\..\Run: [Tbsa] "C:\DOCUME~1\MARYBE~1\APPLIC~1\SSTEM~1\notepad.exe" -vt yazb
    O4 - HKCU\..\Run: [Uzc] C:\Program Files\??mbols\wuauboot.exe
    O15 - Trusted Zone: *.elitemediagroup.net
    O20 - Winlogon Notify: pmnnk - C:\WINDOWS\system32\pmnnk.dll
    O20 - Winlogon Notify: winepi32 - winepi32.dll (file missing)

    After clicking Fix, exit HJT.


    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!


    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    Now back on Killbox's main window, paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and check mark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\Documents and Settings\Mary Betowt\Application Data\SSTEM~1\notepad.exe
    C:\Program Files\Common Files\{4B4DE8B3-063C-1033-0415-051006200001}\Update.exe
    C:\Program Files\Common Files\Yazzle1119OinUninstaller.exe
    C:\Program Files\??mbols\wuauboot.exe
    C:\asdf.txt
    C:\WINDOWS\system32\wtscc.exe
    C:\WINDOWS\system32\pmnnk.dll
    C:\WINDOWS\system32\WinNB58.dll
    C:\WINDOWS\system32\knnmp.tmp
    C:\WINDOWS\system32\knnmp.ini
    C:\WINDOWS\system32\knnmp.ini2
    C:\WINDOWS\system32\compstuih.dll
    C:\WINDOWS\system32\w0c88502.dll

    If Killbox does not reboot or if you get a Pending Operations type error message just click OK to continue and then just reboot your PC yourself.

    After reboot locate the below folder and delete it if found:
    C:\Program Files\??mbols\
    C:\Program Files\Common Files\{4B4DE8B3-063C-1033-0415-051006200001}

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Mary Betowt\Local Settings\Temp

    Now attach a new HJT log and tell me how the steps went.

    Also attach a new log from ShowNew and a new log from GetRunKey.

    Make sure you tell me how things are working now!
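    Added example, not part of this thread and not HijackThis's own code: a small Python triage script that applies the same reasoning chaslang uses on the log lines in this post (a dangling Winlogon Notify entry, an unnamed BHO, Run entries launching from the user profile or from a path with unprintable characters, rundll32 loading a bare DLL name, a Trusted Zone addition) to HijackThis-style log lines. The sample input is the set of lines quoted above plus one ordinary ctfmon.exe entry; the Finding class, the rules and the "high"/"review" severities are my own assumptions, not something HijackThis produces.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    severity: str  # "high" or "review" (assumed scale, not a HijackThis concept)
    code: str      # HijackThis section code, e.g. "O20"
    reason: str
    line: str


# One HijackThis-style line: a section code, " - ", then the entry body.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
# Launch paths inside a user profile (long names and 8.3 short names).
USER_PROFILE_RE = re.compile(
    r"Documents and Settings|DOCUME~1|Application Data|APPLIC~1", re.I)
# rundll32 invoked with a bare DLL name (no directory), resolved via the search path.
RUNDLL_RE = re.compile(r"RUNDLL32(?:\.EXE)?\s+(?P<dll>[^\s,\\]+\.dll)", re.I)


def triage(log_text: str) -> List[Finding]:
    """Return the entries in a HijackThis-style log that deserve attention."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "R3" and "is missing" in body:
            findings.append(Finding("review", code,
                "URLSearchHook default was removed or replaced", line))
        elif code == "O2" and "(no name)" in body:
            findings.append(Finding("high", code,
                "unnamed Browser Helper Object; legitimate BHOs almost always carry a name", line))
        elif code == "O4":
            if USER_PROFILE_RE.search(body):
                findings.append(Finding("high", code,
                    "Run entry launches from the user profile, not Program Files or Windows", line))
            elif "?" in body:
                findings.append(Finding("high", code,
                    "Run entry path contains unprintable characters (shown as ?)", line))
            elif RUNDLL_RE.search(body):
                findings.append(Finding("high", code,
                    "rundll32 loads a DLL by bare name from the search path", line))
        elif code == "O15":
            findings.append(Finding("high", code,
                "site added to the IE Trusted Zone, which relaxes security for it", line))
        elif code == "O20" and body.startswith("Winlogon Notify"):
            if "(file missing)" in body:
                findings.append(Finding("high", code,
                    "dangling Winlogon Notify entry; winlogon still tries to load it at each logon", line))
            else:
                findings.append(Finding("review", code,
                    "Winlogon Notify DLL is loaded into winlogon.exe at logon; verify the file", line))
    return findings


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample input: the lines quoted in the post above, plus one
# ordinary ctfmon.exe entry so the script has a benign line to leave alone.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {521A2272-2508-48DC-A6B3-BABF301692F9} - C:\WINDOWS\system32\pmnnk.dll
O4 - HKLM\..\Run: [thb57c27] RUNDLL32.EXE w0c88502.dll,n 00457c23000000020c88502
O4 - HKCU\..\Run: [Tbsa] "C:\DOCUME~1\MARYBE~1\APPLIC~1\SSTEM~1\notepad.exe" -vt yazb
O4 - HKCU\..\Run: [Uzc] C:\Program Files\??mbols\wuauboot.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.elitemediagroup.net
O20 - Winlogon Notify: pmnnk - C:\WINDOWS\system32\pmnnk.dll
O20 - Winlogon Notify: winepi32 - winepi32.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code}: {f.reason}\n         {f.line}")
    print(summary(triage(SAMPLE_LOG)))
```

    Run it against a saved HijackThis log by reading the file into triage(); the benign ctfmon.exe line produces no finding, the eight lines that chaslang told the poster to fix all do, and the two O20 lines get different severities because the one marked "(file missing)" is a leftover that winlogon will keep trying to load.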
     
  9. MariSama

    MariSama Private E-2

    I removed all the things you told me to uninstall; I also uninstalled all those programs plus the rest of Norton. Norton came with my comp. I took it off in favor of the new WindowsOneCare thing I got for virus protection. None of them are paid versions; I kept CounterSpy.

    I will get onto the other instructions as soon as I can. I have work in the morning, so I'll get some rest before I try again.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    CounterSpy is only a free trial that will expire and will be of no use afterwards unless you buy it. Windows Defender is part of WindowsOneCare. Did you keep Windows Defender?

    Note: You still have stuff from Norton/Symantec installed.
     
  11. MariSama

    MariSama Private E-2

    Oh, well... they were all going to expire anyway, so I kept that one. I have WindowsOneCare, so yes, I kept Windows Defender since I have the paid version. And by the way, I uninstalled all Norton/Symantec stuff after I posted my logs, so they should be all gone now.

    I am about to proceed with the steps you gave me, so expect a post with logs soon after.
     
  12. MariSama

    MariSama Private E-2

    Okay. I followed all the steps there and had little trouble with anything, except Killbox started to restart before I typed in the last file. Luckily, I had enough time to squeeze it in and activate the red X button before the computer restarted. Here are my logs....

    My computer seems better already... I haven't had a pop-up as of yet, and my boot up is a lot faster than it was. If I experience another pop-up I'll post here and tell you. Thank you! I hope there isn't much left to do to get me out of this mess.
     


  13. MariSama

    MariSama Private E-2

    Update: Last night when I was shutting off my system, I got an error message saying that a program was trying to close. I had the options of End Task or Cancel. I clicked End Task as I usually do, and the computer tried to shut off as normal. But instead of the normal shutdown screen, I got a blue screen of death: it said Fatal error [some random numbers] program was terminated blah blah. I got this once before when my screen was flooded with pop-ups from the malware, but this was unnerving because I thought I had gotten most of the stuff off. What's wrong?

    Also, this morning when I booted up, once on the desktop I got an error message saying Winlogon.exe has experienced an error and must close or something, so I clicked the Close button. At first I was worried because I know there was a malicious file associated with winlogon, but I deleted it, didn't I? Was wondering why I got this error. Still no pop-ups as of now, which is the good news.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must uninstall CounterSpy. It is only a trial that expires and it will conflict with Windows Defender.

    What was the name of the application that was trying to close? Normally these are not malware problems. Do you always get this when shutting down? What about the winlogon.exe error message..... do you always get it?

    You still need to delete the below folder, which has a creation date of Sept 12th. The ?? characters could appear to be any characters. They are really unprintable characters in the folder name and that is why they appear as question marks.
    C:\Program Files\??mbols

    Run HJT and fix the below line:
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    Now exit HJT

    You have some left over signs from a SmitFraud infection. Run the below steps!

    Now copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
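    Added example, not from this thread: a Python check for the situation chaslang describes above, a folder whose name contains unprintable characters that show up as ?? in a listing. The sample names are constructed (a plain "symbols", one with a Cyrillic letter, one with a zero-width space, one with a control character); the scan_directory helper is my own and takes any path, such as the Program Files folder, and reports every entry at that level whose name has such characters.

```python
import os
import unicodedata
from typing import Dict, List


def odd_characters(name: str) -> List[str]:
    """Return the code points in `name` that a plain ASCII console cannot
    show: anything outside printable ASCII (0x20..0x7E), plus any Unicode
    control or format character. Each is reported as 'U+XXXX'."""
    odd = []
    for ch in name:
        cat = unicodedata.category(ch)
        if ord(ch) < 0x20 or ord(ch) > 0x7E or cat.startswith("C"):
            odd.append(f"U+{ord(ch):04X}")
    return odd


def flag_odd_names(names: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious name to the odd code points it contains."""
    return {n: odd_characters(n) for n in names if odd_characters(n)}


def scan_directory(path: str) -> Dict[str, List[str]]:
    """Scan one directory level (e.g. C:\\Program Files) for odd entry names.
    An unreadable or missing path yields an empty result rather than an error."""
    try:
        entries = os.listdir(path)
    except OSError:
        return {}
    return flag_odd_names(entries)


# Constructed sample names; these do not come from the poster's machine.
SAMPLE_NAMES = [
    "Common Files",
    "symbols",
    "s\u0443mbols",    # Cyrillic small letter u in place of Latin y
    "sy\u200bmbols",   # zero-width space inserted
    "sym\x01bols",     # control character inserted
]

if __name__ == "__main__":
    for name, points in flag_odd_names(SAMPLE_NAMES).items():
        print(f"{name!r}: {', '.join(points)}")
```

    The {name!r} in the print uses Python's repr so the offending characters are shown as escapes instead of being silently replaced by ? the way the forum rendered them; the returned code points tell you which character to look for when the name on screen looks like a legitimate folder.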
     
  15. MariSama

    MariSama Private E-2

    I uninstalled CounterSpy.

    No, I don't remember what it said, the blue screen came up before I had a chance to really look at it. I saw it from a distance. But I shut down again, and didn't have that problem. Also, when the winlogon.exe error did not show up on this bootup, everything came up very nicely.

    I can't find that folder, there's no folder anywhere that has mbols in it... wait, it must be "symbols". I was wondering what that was! Okay, deleted that.

    Deleted the string you instructed in HijackThis.

    Merged the registry edit into the registry.


    Before you replied to my post, I had another pop-up while I was using my browser earlier, one that was exactly like the ones I was getting when I was swamped with the malware before. Just letting you know. Other than that, it's running beautifully.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What was in the popup? Have you gotten anymore?

    Attach a new HJT log now.
     
  17. MariSama

    MariSama Private E-2

    Nope, just that one, and it was an ad for some poker site, the same one I was getting with the infection, also a Windows box that said something about visiting a casino, click OK to go. I X'd it out. Otherwise it's doing great. Here's the log.
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  19. MariSama

    MariSama Private E-2

    Alright, thank you so much! I'll be back if things flare up again, but for now, goodbye, and thanks a ton for the help.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
