Very Challenging Worm

Discussion in 'Malware Help (A Specialist Will Reply)' started by Ezuku, Feb 25, 2006.

  1. Ezuku

    Ezuku Private E-2

    Normally I can deal with malicious software quite easily. Just zip into safe mode, hit it with HJT, and it's gone.

    Unfortunately, right now I'm infected with something that's, imho, the nastiest thing I've seen.

    Any attempt to run any antivirus programs such as HJT or Windows' Malicious Software Removal Tool, and of course virus checkers, causes Windows to shut down.

    Any attempt to use Task Manager, regedit, or msconfig causes Windows to shut down.

    Any attempt to look at certain keywords in Explorer seems to cause it to shut down (I can repeat this, though I haven't figured out what the keywords are).
    Whatever it is still starts up in safe mode.

    It does something weird to Explorer when I'm browsing my computer: instead of the normal options under Tools there are "map network drive", "disconnect network drive", and "synchronise".

    Because of the above, I cannot see hidden files or folders.


    I have tried the following:

    Slowing down my computer so it takes a while to shut down and then very very quickly doing a scan and fix with HJT

    Running Trend Micro's online virus checker, it picked up the worms Rontkbr.gen & Brontok, RBot.vl, and Chod.D
    Rontkbr.gen and Brontok could not be fully removed (the executables lsass.exe, services.exe, winlogon.exe, within documents and settings/myname/local something/app data

    In short, can anyone recommend anything at all? I've tried looking for help on this, but everything pretty much says "ah, run HJT", or "put your computer into safe mode", neither of which really works for me.

    Ah, I also apologise for not following the proper procedure before posting, but as I said, I can't really, and even viewing some of the pages causes my computer to restart.

    Incidentally, is there any program that is able to prevent Windows from shutting down?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you tried renaming hijackthis.exe to myhjt.com? If not please do so and try running HijackThis in normal boot mode. Does that work? If so, attach a log.
     
  3. Ezuku

    Ezuku Private E-2

    No, computer still shuts down. Also tried renaming HJT with random letters, and it doesn't work.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See if you can get the below to work.

    Download ProcessExplorer
    • Unzip it to its own folder somewhere you can locate it.
    • Now run procexp.exe by double clicking on it.
    • Let's configure some options first:
      • Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked.
      • Now click on explorer.exe.
      • Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
    • Now click on File and then Save As. And save the process list.
    • Post it back here as an attachment.
    • Also, from now on if you have to kill any processes and you cannot kill them with Task Manager, use Process Explorer instead. Sometimes ProcessExplorer can kill things that Task Manager cannot. And Task Manager will not always show all running processes.
     
  5. Ezuku

    Ezuku Private E-2

    Doesn't work, still shuts down.

    I managed to run Panda ActiveScan, Ad-Aware and BitDefender; none of them could remove all the infected files. Logs are attached.

    This is really frustrating me, and it seems that the number and type of the malware are increasing. I really need help with this.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See if you can run the below!


    Please download GetRunKey125b.zip to your PC someplace you can locate it. Then extract the files from the ZIP. Locate the getrunkey125b.bat file and double click on it to run it. It will create a file named runkeys.txt in the root of drive C: (C:\runkeys.txt). This log will also pop up in a Notepad window which you can just close. Upload the runkeys.txt file here as an attachment.

    This scan will only take a few seconds to run. It will take longer for you to attach it than it does to run.

    Also empty your C:\Documents and Settings\Christopher\.housecall\Quarantine folder and all temp folders. Can you run Ccleaner from the READ & RUN ME? If not, cleanup all cookies and TIF (Temporary Internet Folders) using IE.

    You need to run the below steps too if possible.

    Now download smitRem.exe written by noahdfear and save the file to your Desktop.
    Double click on the smitRem.exe file to extract it to its own folder on the Desktop. (This should be the default selection.)
    Now you will need to print or save these instructions locally (to a text file on your Desktop) for later reference. This is necessary because you must not have any browsers open and must not be connected to the internet while following the below steps.
    After saving the instructions, reboot into Safe mode
    Once you have booted in Safe Mode and your Desktop appears, make sure you close any other windows and only run what is specified. You can open Notepad to view the instructions you saved but do not open anything else except what is specified.
    Now open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.
    The tool will create a log named smitfiles.txt in the root of the drive that you ran the batch file on, e.g. Local Disk C: or the partition where your operating system is installed.
    Now open Control Panel and click Display -> Desktop -> Customize Desktop -> Web -> and uncheck any of the below if present:
    • Security Info
    • Warning Message
    • Security Desktop
    • Warning Homepage
    Now use Windows Explorer to locate and delete any of the below if found:
    • c:\wp.exe
    • c:\bsw.exe
    • C:\WINDOWS\ZLOADER3.EXE
    • C:\Program Files\Security iGuard <--- the whole folder
    • C:\Program Files\SpySheriff <--- the whole folder
    • C:\Program Files\SpyAxe <--- the whole folder
    • C:\winstall.exe
    • C:\Program Files\AntivirusGold <--- the whole folder
    • C:\WINDOWS\System32\winnook.exe
    • C:\WINDOWS\System32\hookdump.exe
    • C:\Program Files\AdwareDelete <--- the whole folder
    • C:\Program Files\Daily Weather Forecast <--- the whole folder
    • C:\WINDOWS\system32\netwrap.dll
    • C:\WINDOWS\system32\wiatwain.dll
    • C:\WINDOWS\system32\replmap.dll
    • C:\WINDOWS\system32\yaemu.exe
    • C:\WINDOWS\system32\qwdwyihhpb <--- the whole folder
    • C:\WINDOWS\system32\drivers\etc\hosts.20050828-215107.backup
    • C:\WINDOWS\system32\drivers\etc\hosts.20050829-083924.backup
    • C:\WINDOWS\system32\drivers\etc\hosts.msn
    • C:\Documents and Settings\Christopher\Local Settings\Temp\list141.exe <--- delete all files in this Temp folder
    • C:\Documents and Settings\Christopher\Local Settings\Temp\396.exe
    • C:\Program Files\Daily Weather Forecast <--- the whole folder
    • C:\PROGRAM FILES\TimeSink <--- the whole folder
    • C:\Program Files\internet\GetRight\TSUninstaller.exe
    Additional step to delete MediaGatewayX.dll:
    - Click Start, Run, and enter cmd in the box and click OK. This opens a command prompt window.
    - Enter the following command lines, each followed by the Enter key:
    cd C:\WINDOWS\Downloaded Program Files\
    attrib -r -h -s MediaGatewayX.dll
    del MediaGatewayX.dll
    exit


    Now reboot in normal mode and run Panda ActiveScan. Save the log from Panda.
    Now please attach the smitfiles.txt and the Panda ActiveScan log to your next reply. And also tell us how things are working.
     
    Last edited: Feb 26, 2006
  7. Ezuku

    Ezuku Private E-2

    Firstly, thank you very much for your help. I am really grateful for your assistance.

    Progress:
    GetRunKey125b.zip worked and the log is attached.
    Cookies and TIF were cleared.
    SmitRem.exe caused a restart (actually found out that things restart my computer, as opposed to shutdown).
    None of the web display options were checked.

    Out of the files you mentioned, only these were present (keeping in mind I can't see hidden files or folders because of whatever it is that has infected me):

    The following were found:
    C:\Program Files\Daily Weather Forecast
    C:\PROGRAM FILES\TimeSink
    C:\Program Files\internet\GetRight\TSUninstaller.exe

    There has been no visible improvement, and as such I did not run the virus checkers you mentioned (as they take about 15 hours in total to work, eat up my dl limit (of which I only have 25 megs left) and involve me connecting my computer to the network/internet), as I don't want to run them unless it's absolutely necessary.

    Lastly, instructions for removing windows media gateway do not work in my situation, as I have found out that I cannot use the command prompt (restarts). Attempting to start in safe mode with the command prompt also does not work (just hangs).

    As I mentioned, thank you very much for your help. I am sorry this is taking so long.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach the runkeys.txt file.

    Did you run smitrem in safe mode?
     
  9. Ezuku

    Ezuku Private E-2

    Oops, here's runkeys.

    Yeah, I did run it in safe mode, but safe mode doesn't really seem to do much in this case.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay runkeys is showing a load of bad stuff!

    I have a couple of questions first:
    1) Is this something you installed and trust: C:\games\Utopia\Angel\Angel.exe

    2) Navigate to the below folder and tell me the names of all files you see in it:

    C:\Documents and Settings\Christopher\Local Settings\Application Data\

    3) Tell me what files you see in the below folder:

    C:\WINDOWS\ShellNew

    Since you are having problems seeing hidden files, try downloading and using the below tool, which is better at finding and deleting stuff than Windows Explorer anyway. Let me know if it runs okay.

    ExplorerXP

    You should go to Add/Remove Programs and uninstall the below undesirable program:
    Messenger Plus! 3

    I will start to work some fixes after getting info from the above. Make sure you try out ExplorerXP and use it to look for files in the folders mentioned. We will also be using it to delete files later. (That is assuming it runs okay). Double check to make sure you can run ExplorerXP in safe mode with no problems too.
     
  11. Ezuku

    Ezuku Private E-2

    C:\games\Utopia\Angel\Angel.exe is something I installed and trust

    I can now see hidden files and folders (yay) with ExplorerXP. However, going into the Application Data folder results in a crash (nothing else seems to).

    C:\WINDOWS\ShellNew has the following files in it:
    EXCEL9.xlt
    PWRPNT9.pot
    RakyatKelaparan (executable pretending to be a folder)
    Winword8.doc

    I also now seem to have a C:\Found.000, in which is dir0000.chk, which I'm pretty sure I didn't put there and which wasn't there before.

    Are you sure about uninstalling messenger plus! 3? I installed it and have been using it for many years...

    As usual, thank you for your time and assistance.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Messenger Plus 3 is supported by third party vendors (which are malware). If you are not very careful when installing and updating you can get all kinds of infections (including LOP) from this software. Software like this is not trustworthy. The final decision is yours since it is your PC, but we highly recommend against using software like this. If you do, it is at your own risk.

    Do you see the below files using ExplorerXP:

    C:\WINDOWS\system32\ioctrl.dll
    C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll

    If so, see if you can delete them.
     
    Last edited: Feb 27, 2006
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Print or save the below instructions locally to a text file that you can refer to later while offline. At a particular point I will be requesting that you shut down ALL BROWSERS and other applications and that you physically unplug your cable to the internet while performing cleaning steps. READ THRU ALL STEPS first before starting to make sure you understand everything. Ask questions before starting.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) BUT DO NOT do anything with this file yet.

    Okay now that you have this file on your PC, exit ALL browsers and other applications and then unplug your cable to the internet. You MUST do this before continuing. Do not plug the cable back in until I request it.

    Now double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

    Now unplug the power cable to your PC. Yes you read this correctly. Some of this malware is respawning itself when your PC tries to shutdown gracefully. We are attempting to stop it from respawning.

    Now wait a couple minutes and plug your cable in and boot back up. BUT BOOT INTO SAFE MODE.

    Now run ExplorerXP and look for the below files and folders and delete them. Keep track of what you find and delete and let me know.
    C:\winstall.exe
    C:\WINDOWS\ShellNew\RakyatKelaparan.exe <--- if this really is a folder, delete the whole folder
    C:\WINDOWS\system32\syslog32.exe
    C:\WINDOWS\system32\yaemu.exe
    C:\WINDOWS\system32\ntsysman.exe
    C:\WINDOWS\System32\qwdwyihhpb <--- the whole folder
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\smss.exe
    C:\Documents and Settings\Christopher\Local Settings\Application Data\smss.exe
    C:\Documents and Settings\Christopher\Start Menu\Programs\Startup\csrss.lnk
    C:\Documents and Settings\Christopher\Start Menu\Programs\Startup\Empty.pif
    C:\Program Files\Recreation\Serials3k <--- the whole folder
    C:\Program Files\Daily Weather Forecast <--- the whole folder

    Now while in safe mode see if you can run HijackThis and save a safe mode log.

    Now plug your cable to the internet back in.

    Now reboot into normal mode and see if you can run HijackThis. Save another log.


    Come back here and tell me the results of all steps and attach the two HijackThis logs (if it ran).


     
  14. Ezuku

    Ezuku Private E-2

    It says "registry editing has been disabled by your administrator". I tried starting up in safe mode and logging in with the account actually named Administrator and this also results in the above error message. By the way, this is a 1 person computer.

    I didn't carry out the rest of the steps because I couldn't run the registry info.

    Thank you for the information on MSN Plus.

    By the way, just how common is being infected with something like this anyway?

    As usual, thank you for your help and knowledge.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Some of these I have never needed to deal with before and some I have seen before. You have a few infections.

    See if any of the file names I listed in message numbers 12 & 13 can be found and deleted (do it in safe mode).

    See if the below tool can be installed and run:

    Registrar Lite

    If so, see if you can use it to import that registry patch I gave to you in message # 13. If not, we can try a couple other things.

    Note we are nearing the point of having to do a format. If we cannot run any of the tools required to fix anything, there just is not too much we can do. The other alternative would be to try and boot to safe mode with command prompt and see if we can at least delete some files. Also it may be possible to use the Recovery Console if you have a bootable Windows XP CD.
     
    Last edited: Feb 28, 2006
  16. Ezuku

    Ezuku Private E-2

    First, good news. That program works and I can thus add in the registry file. I just "Import" it and that's all, right?

    Which brings me to the bad bit... restarted in safe mode, as per instructions,
    C:\Winstall.exe - not found.
    C:\WINDOWS\ShellNew\RakyatKelaparan.exe - deleted
    C:\WINDOWS\system32\syslog32.exe - not found
    C:\WINDOWS\system32\yaemu.exe - not found
    C:\WINDOWS\system32\ntsysman.exe - not found
    C:\WINDOWS\System32\qwdwyihhpb - deleted
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\smss.exe - not found
    C:\Documents and Settings\Christopher\Local Settings\Application Data\smss.exe - not found, going into app data folder caused comp to restart
    C:\Documents and Settings\Christopher\Start Menu\Programs\Startup\csrss.lnk - not found
    C:\Documents and Settings\Christopher\Start Menu\Programs\Startup\Empty.pif - deleted
    C:\Program Files\Recreation\Serials3k - deleted
    C:\Program Files\Daily Weather Forecast - not found

    So that's not too good.
    Plus, computer still does the whole restart thing when I try to use HJT. Couldn't even get it up for enough time to save a log file.

    Any other suggestions?

    As usual, thank you for your time and effort.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm working on another possible fix using Brute Force Uninstaller but this will take awhile to work out. In the meantime, get me a new runkeys.txt log from GetRunKey125b.bat.
     
  18. Ezuku

    Ezuku Private E-2

    Thank you very much for the effort you've put in... here's runkeys.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It did not run properly. Delete all the old files you had from it and start again. Make sure both files from the ZIP file are extracted into the same folder. Then try getting a new runkeys.log. Those registry key locations cannot all be empty, which is what the log is showing.

    Also note that C:\WINDOWS\system32\ioctrl.dll is still being found. Did you forget to do the below from message # 12?

     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download Brute Force Uninstaller and unzip it to its own folder (like c:\BFU)

    Download the attached MiscTroj.zip file and save it to the same folder you put the Brute Force Uninstaller into. Then extract the MiscTroj.bfu file from the ZIP into that folder too.

    Start the Brute Force Uninstaller by doubleclicking BFU.exe

    In the "Scriptfile to execute:" box copy and paste c:\bfu\MiscTroj.bfu
    Then click the Execute button to run the script.

    Wait for the Completed script execution box to popup and then press OK.
    Click the Exit button to terminate the BFU program.

    Afterwards attach a new HJT log so we can finish fixing what remains.
     

    Attached Files:

  21. Ezuku

    Ezuku Private E-2

    Once again, both good and bad news.

    Good news is that BFU worked.

    Bad news is that whatever has affected me is still there.

    Worse news is that getrunkeys has stopped working. First, it said something about a file not being able to be found and triggered the soft restart.
    Now, it says that the registry editing has been disabled by the administrator and then restarts.

    Sorry, missed the bit about ioctrl and mediagateway and so deleted the following:
    C:\WINDOWS\system32\ioctrl.dll
    C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I need to know the exact word for word message.

    But delete all copies of the GetRunKey125b.zip file and the files you extracted previously. Also delete the runkeys.txt log. Then download the file again and extract it to your root folder of drive C ( that's C:\ ) Then try running it again and attach the log if it works. If not, give exact messages received.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also try this (hope it can be run):
    1. Click Start, click Run, type gpedit.msc in the Open box, and then click OK.
    2. Expand User Configuration, Administrative Templates, and System, and then double click on "Prevent access to registry editing tools".
    3. Click to select Not Configured (but remember what it was set to already).
    When you come back tell me if this worked okay. Also after doing this (if it worked), try some of the registry patches we were attempting and try running getrunkey125b.bat again.
     
  24. Ezuku

    Ezuku Private E-2

    The exact message was "The system cannot find the file specified", when trying to run getrunkeys.

    I'm certain getrunkeys was working properly before, so I'm not sure what happened.

    Running gpedit.msc unfortunately also causes a shutdown.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I said in my last message, delete all current copies and files from it and download and extract again. Then run the .bat file.

    Also if it does not work, open a command prompt window and navigate to the C:\ folder (where I suggested you put getrunkey125b.bat and grep.exe this time) and then run getrunkey125b.bat from the command prompt. Copy the text that appears in that command prompt window back here. It may give me a better idea where it is failing.

    Do you still have Administrator privileges on this PC?
    Can you create a new user account?
     
  26. Ezuku

    Ezuku Private E-2

    Deleted all copies, redownloaded it, extracted to root, ran getrunkeys, still the same effect.

    On running, it says "The system cannot find the file specified", says C:\xrkey.txt, gives me a "registry editing has been disabled by your admin", and a "The process could not start up because windows is shutting down" message.

    About the admin account: I still have admin privileges and I can create a new user account.

    As usual, thank you for your time.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Create a new user account and see if it works any better when you login to it.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also try booting in Safe Mode with Command Prompt (it is a choice in the boot menus). And when it boots up you will have a command prompt window opened. In the window type:

    cd \ <--- this will get you to the root folder
    getrunkey125b <--- this should run the batch file
    regedit <--- if this works, regedit will open

    If regedit does run, you could try importing that fixme.reg patch we saved a while back.

    If this does not work, I think you should try using System Restore (but it will probably be blocked) to restore to a date before the infection.
    If that does not work, it is time to fdisk, format, and reinstall your OS.
     
    Last edited: Mar 2, 2006
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    One more thing to try!


    Download Blacklight Beta
    • Hit I accept. It will take you to download page.
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please post contents of log.
     
