Virus Infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by California Geezer, Apr 11, 2006.

  1. California Geezer

    California Geezer Private E-2

    I am having problems of a viral nature. I would appreciate any help that you can provide.

    I am new to the Internet, and my computer became infected in minutes. It is now so badly infected that I cannot gain Internet access (I am using a computer at work for this message).

    I have been able to take some of the steps in chaslang's "Read and Run Me First" (which is an excellent tutorial).

    Microsoft Malicious Software Removal Tool cleaned everything that it found except Backdoor:Win32/Sdbot!3B05.

    Ad Aware cleaned everything that it found except Look2Me.

    Spybot Search and destroy cleaned everything that it found except Look2Me, with a different file reference than Ad Aware.

    I ran both the Kill2Me tool and Symantec Look2Me removal tool, and both said that Look2Me was not present.

    McAfee Stinger found and deleted 2 Sdbot worms.

    Avast! Virus Cleaner Tool found nothing.

    Since I cannot log on the Internet, I could not install Microsoft Windows Defender and could not run Bitdefender or Panda ActiveScan.

    When I try to access the Internet, IE opens, and the box in the lower left corner indicates "Finding site: msn.com" and then changes to "Finding site: localsrv.net" and then continually restarts. The progress bar in the lower right only moves a fraction, and then constantly restarts.

    I was able to get a firewall installed, and it indicates a number of unknown (at least unknown to me) programs that try to access the Internet, try to access trusted areas, or try to act as a server. Also, whenever I open a program, such as Word or Excel, I receive a message that states "[name of program] is trying to set 'pxouks' to run each time your computer is started." Persistent bugger, that.

    I have run Hijack This. Attached is the log.

    I would greatly appreciate any help that someone can provide. I have to use a computer at work for this message, and I can only check infrequently for any reply. Please forgive me if I do not respond immediately to any reply. My time is limited, but I have definitely not lost interest.

    California Geezer
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Okay, it will be difficult without internet access, but I assume you can download tools to another PC and somehow (burning a CD or using a flash drive etc.) get them to the infected PC. It is going to take a few stages to fix this since you have a load of different problems. Two of the main ones are Look 2 Me and Qoologic, but there are a bunch more.

    First please follow step 7 of the READ ME and get HijackThis installed into the proper folder. You are running it exactly where we indicate not to run it. Then move on to the below.

    Please download Look2Me-Destroyer.exe to your desktop.
    • Close all windows before continuing.
    • Double-click Look2Me-Destroyer.exe to run it.
    • Put a check next to Run this program as a task.
    • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
    • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    • Once it's done scanning, click the Remove L2M button.
    • You will receive a Done Scanning message, click OK.
    • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    • Your computer will then shutdown.
    • Turn your computer back on.
    • Please post the contents of C:\Look2Me-Destroyer.txt.
    If Look2Me-Destroyer does not reopen automatically, reboot and try again.

    If you receive a message from your firewall about this program accessing the internet please allow it.

    If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
    http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX



    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\hqbhk.exe
    F2 - REG:system.ini: UserInit=userinit.exe,rlilvah.exe
    O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINNT\system32\w9seq.dll
    O4 - HKLM\..\Run: [SmartTesting] C:\WINNT\SYSTEM32\warct.exe
    O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard6.exe
    O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad6.exe
    O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\SYSC00.exe
    O4 - HKLM\..\Run: [sys02269634673-1] C:\WINNT\sys02269634673-1.exe
    O4 - HKLM\..\Run: [q8lg] "C:\WINNT\system32\slk8x2peu.exe"
    O4 - HKLM\..\Run: [azhkymvA] C:\WINNT\azhkymvA.exe
    O4 - HKLM\..\Run: [errorhandler] C:\WINNT\errorhandler.exe
    O4 - HKLM\..\Run: [win32103-126963467] C:\WINNT\win32103-126963467.exe
    O4 - HKLM\..\Run: [Cigyhopnet] revenga.exe
    O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\qgkdlu.exe reg_run
    O4 - HKLM\..\RunServices: [Cigyhopnet] revenga.exe
    O4 - HKCU\..\Run: [Cigyhopnet] revenga.exe
    O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINNT\system32\w9seq.dll
    O20 - AppInit_DLLs: Runner.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\windows\keyboard6.exe
    C:\windows\mousepad6.exe
    C:\WINNT\SYSC00.exe
    C:\WINNT\sys02269634673-1.exe
    C:\WINNT\azhkymvA.exe
    C:\WINNT\errorhandler.exe
    C:\WINNT\win32103-126963467.exe
    C:\WINNT\system32\qgkdlu.exe
    C:\WINNT\system32\hqbhk.exe
    C:\WINNT\system32\revenga.exe
    C:\WINNT\system32\rlilvah.exe
    C:\WINNT\system32\Runner.dll
    C:\WINNT\system32\slk8x2peu.exe
    C:\WINNT\system32\w9seq.dll
    C:\WINNT\SYSTEM32\warct.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if running, then delete the file.

    Now, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode!
    Do you have internet access now? If so, the first thing you MUST DO is go to the below link and install AVG free antivirus from step 2. Make sure you update it too.

    How to Protect yourself from malware!

    If you do have internet access, try to run step 6 of the READ & RUN ME now and attach the two requested logs.



    Now attach a new HJT log. Then we will move on to our next steps.
     
  3. California Geezer

    California Geezer Private E-2

    Thank you for your prompt response and your detailed instructions. They were very easy for me to follow.

    (Please first read my parenthetical addition at the end of this message.)

    Pursuant to your instructions, I have performed the following:

    1. Moved Hijack This to C:\Program Files.

    2. Downloaded and ran Look2Me-Destroyer. The log is attached. I did not receive a runtime error '339' message.

    3. Ran Hijack This and had it fix the designated items.

    4. In safe mode, used Windows Explorer to remove the designated items. Please note that I could not find the following:

    C:\WINNT\azhkymvA.exe
    C:\WINNT\system32\qgkdlu.exe
    C:\WINNT\system32\hqbhk.exe
    C:\WINNT\system32\rlilvah.exe
    C:\WINNT\system32\warct.exe

    5. Ran Ccleaner (note, I am using Windows 2000 Professional).

    6. Reset web settings.

    7. Rebooted into normal mode, and I had Internet access (SUCCESS!)

    8. Installed Avast! antivirus. I could download but not install AVG or AntiVir. With each of them, I received a message that installation failed because access to a file was denied.

    9. Ran Bitdefender. The log is attached.

    10. Ran Panda Active Scan. The log is attached.

    11. Ran Hijack This. The log is attached. I note that several of the items that were fixed in step 3, above, have returned.

    Thank you very much for your time and effort to help me. I appreciate it.

    (This is embarrassing. I had downloaded the four scan logs to a disk in order to attach to this message. After writing the above message, I find that I cannot upload the scan logs. I suspect that my floppy disk may be corrupted. I will obtain a replacement, but it will not be until tomorrow. I apologize for the inconvenience.)
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I will have to wait until I see all of the logs before I can give you any other info.

    Do you still have internet access now? If so, you should be able to just come here and upload them from the problem PC.
     
  5. California Geezer

    California Geezer Private E-2

    Chas Lang

    Here are the four log scans. The previous Panda Activescan log file was corrupt and would not open, so I ran the scan again. I appreciate that this is out of order. If it makes a difference, please let me know and I will undertake the entire sequence again.

    Once again, thank you for your help.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have both Norton/Symantec and Avast antivirus running. You must uninstall one of them. Do this now before continuing! Your first HJT log did not show any Norton stuff installed. Why/when did you install it?

    I also still see many of the items I asked you to fix in message # 2 in your HJT log. Are you sure you had HJT fix those items? Are you sure you had viewing of hidden and system files enabled? Did you actually delete all the files mentioned (other than the ones you could not find)? Run ALL of message number 2 again and attach a new HJT log. If this does not work, we may need to fix the Qoologic infection you have first.

    In preparation for the Qoologic infection, run the below steps no matter what happens in the above:

    Download FindQool by LonnyRJones
    • Extract the files and place the FindQool folder into root folder of your hard disk. This is usually C:\
    • Open the folder and run Qlocate.bat
    • Attach the contents of the txt.log which will open when the scan is finished.
     
    Last edited: Apr 14, 2006
  7. California Geezer

    California Geezer Private E-2

    Chas Lang

    Thank you for having the patience for putting up with my missteps. The Norton was a legacy when I acquired my computer (I received my old computer from the office when the company updated). Norton had not been used for several years, and I thought that it was not operational. I was wrong. I got the uninstall password from the IT folks and uninstalled Norton.

    I followed your prior message and performed the following:

    1. Ran Look2Me-Destroyer. The scan log is attached.

    2. Ran Hijack This. All of the files indicated in your prior message were present, except the following was not present:

    O20 - AppInit_DLLs: Runner.dll

    I exited all browser sessions and clicked on fix.

    I ran Hijack This again just to see what happened. It had removed everything except for the following:

    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\hqbnk.exe
    F2 - REG:system.ini: UserInit=userinit.exe,rlilvah.exe

    I tried fix again, and it did not remove these two.

    3. I rebooted into safe mode. Although I had previously enabled viewing hidden and system files, I found that I had to re-enable this in safe mode. I looked for all of the files indicated, and the only one I found was:

    C:\WINNT\azhkymvA.exe

    I removed it.

    4. In Internet Explorer, deleted cookies and deleted files.

    5. Ran Bitdefender. The scan log is attached.

    6. Ran Panda Activescan. The scan log is attached.

    7. Ran Hijack This. The scan log is attached.

    8. Downloaded FindQool, extracted the files to the C drive.

    9. Ran FindQool. The scan log is attached to the next message.

    Thank you very much for your continued efforts to help me, despite my mistakes. Your help is appreciated.
     


  8. California Geezer

    California Geezer Private E-2

    Attached is the scan log from FindQool.
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Now copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.

    Run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion...say YES, and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note some of the files listed below may not exist, but we need to check for them anyway.

    C:\WINNT\system32\qgkdlu.exe
    C:\WINNT\system32\hqbhk.exe
    C:\WINNT\system32\wokdcds.dll
    C:\WINNT\system32\rlilvah.exe
    C:\WINNT\SYSTEM32\RLILVAH.EXE
    C:\WINNT\SYSTEM32\WOKDCDS.DLL
    C:\WINNT\SYSTEM32\QGKDLU.EXE
    C:\WINNT\SYSTEM32\HQBHK.EXE
    C:\WINNT\OCRKC.DLL
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\iower.exe


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes. (You may not see these! If not, just continue.)
    C:\Program Files\Common Files\??crosoft\d?xplore.exe
    C:\PROGRA~1\ASEMBL~1\wowexec.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\hqbhk.exe
    F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,rlilvah.exe
    O20 - Winlogon Notify: AdminDebug - C:\WINNT\system32\n62u0gf9e62.dll (file missing)

    Now exit HJT
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):
    C:\winrar.exe
    C:\Program Files\Internet Explorer\ie6.exe
    C:\WINNT\876057.exe
    C:\WINNT\azhkymvA.exe
    C:\WINNT\help_dcc.dll
    C:\WINNT\NDNuninstall7_22.exe
    C:\WINNT\system32\feurer.exe
    C:\WINNT\system32\qrdsregl.exe
    C:\WINNT\system32\veygw.dat
    C:\WINNT\TlBNUA\n51hoE.vbs
    C:\WINNT\ZIFI002.exe
    C:\WINNT\system32\qgkdlu.exe
    C:\WINNT\system32\hqbhk.exe
    C:\WINNT\system32\wokdcds.dll
    C:\WINNT\system32\rlilvah.exe
    C:\WINNT\SYSTEM32\RLILVAH.EXE
    C:\WINNT\SYSTEM32\WOKDCDS.DLL
    C:\WINNT\SYSTEM32\QGKDLU.EXE
    C:\WINNT\SYSTEM32\HQBHK.EXE
    C:\WINNT\OCRKC.DLL
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\iower.exe

    Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second time.

    Now attach a new HJT log and a new log from FindQool

    Also tell me how things are working!
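Added example, not from the thread, HijackThis or MajorGeeks: a small Python triage parser for HijackThis entries of the kinds quoted in posts 2 and 9 (system.ini Shell/UserInit, BHO and MIME filter, Run keys, AppInit_DLLs, Winlogon Notify). It classifies each line by persistence mechanism and derives the safe-mode deletion list the way the instructions above do: bare filenames resolved to the system directory, duplicates differing only in case collapsed, entries HJT already reports as "(file missing)" left out. The system directory C:\WINNT\system32 is an assumption and the sample log is constructed.

```python
import re
from typing import List, NamedTuple, Optional
# Assumed, not from the thread: Windows 2000 layout, so bare filenames resolve to C:\WINNT\system32.
SYSTEM32 = r"C:\WINNT\system32"
LEGIT = {"Shell": {"explorer.exe"}, "UserInit": {"userinit.exe", r"c:\winnt\system32\userinit.exe"}}

# Constructed sample in HijackThis format from the entry kinds the thread quotes; the
# HKCU [muvvm] line is an upper-cased copy added to show case-insensitive de-duplication.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\hqbhk.exe
F2 - REG:system.ini: UserInit=userinit.exe,rlilvah.exe
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINNT\system32\w9seq.dll
O4 - HKLM\..\Run: [q8lg] "C:\WINNT\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [Cigyhopnet] revenga.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\qgkdlu.exe reg_run
O4 - HKCU\..\Run: [muvvm] C:\WINNT\SYSTEM32\QGKDLU.EXE reg_run
O20 - AppInit_DLLs: Runner.dll
O20 - Winlogon Notify: AdminDebug - C:\WINNT\system32\n62u0gf9e62.dll (file missing)
"""

class Entry(NamedTuple):
    line: str            # HJT line, verbatim
    mechanism: str       # persistence mechanism the line represents
    path: Optional[str]  # file the line loads, None if not parsed
    missing: bool        # HJT flagged the file as "(file missing)"

def exe_from_cmdline(cmd: str) -> str:
    # first token of a Run-key command: honours quoted paths, drops arguments such as 'reg_run'
    cmd = cmd.strip()
    return cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]

def parse_hjt(text: str) -> List[Entry]:
    out: List[Entry] = []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        missing = line.endswith("(file missing)")
        body = line[:-len("(file missing)")].strip() if missing else line
        if m := re.match(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)", body):
            # the malware appends itself after the legitimate Shell/UserInit value
            for v in (x.strip() for x in m.group(2).split(",")):
                if v.lower() not in LEGIT[m.group(1)]:
                    out.append(Entry(line, f"system.ini {m.group(1)}", v, missing))
        elif m := re.match(r"O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[.+?\] (.*)", body):
            out.append(Entry(line, f"{m.group(1)} {m.group(2)} key", exe_from_cmdline(m.group(3)), missing))
        elif m := re.match(r"(O2|O18) - \w+: .* - \{[0-9A-Fa-f-]+\} - (.*)", body):
            mech = {"O2": "Browser Helper Object", "O18": "MIME filter"}[m.group(1)]
            out.append(Entry(line, mech, m.group(2).strip(), missing))
        elif m := re.match(r"O20 - (AppInit_DLLs|Winlogon Notify): (?:\S+ - )?(.*)", body):
            out.append(Entry(line, m.group(1), m.group(2).strip(), missing))
        else:
            out.append(Entry(line, "unparsed", None, missing))
    return out

def deletion_list(entries: List[Entry], system_dir: str = SYSTEM32) -> List[str]:
    """Files to delete in safe mode once the HJT lines are fixed: bare names resolved
    to system_dir, de-duplicated case-insensitively, missing-file entries left out."""
    seen, files = set(), []
    for e in entries:
        if e.path is None or e.missing:
            continue
        p = e.path if "\\" in e.path else f"{system_dir}\\{e.path}"
        if p.lower() not in seen:
            seen.add(p.lower())
            files.append(p)
    return files
```

Running `deletion_list(parse_hjt(SAMPLE_LOG))` yields seven paths, with the two qgkdlu.exe Run entries collapsed into one and the missing Winlogon Notify DLL omitted.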
     
  10. California Geezer

    California Geezer Private E-2

    Chas Lang

    Thank you for your continued help. You are truly a godsend to people like me who do not know how to handle this sort of problem.

    I followed your instructions and did the following:

    1. Downloaded Pocket KillBox.

    2. Pasted the quoted text into a notepad, saved it as indicated, and allowed it to merge into the registry.

    3. Ran Pocket KillBox and deleted temp files.

    4. Ran Pocket KillBox and had it delete the listed files.

    I note that Pocket Killbox moved a number of these to a file C:\!KillBox. Should I delete these?

    5. Rebooted into safe mode, opened Hijack This, went to the process manager. Neither of the two listed items was present.

    6. Ran Hijack This. The following file was not present:

    R3 - Default URLSearchHook is missing

    The other three were present, and I had Hijack This fix them. Reran the scan to ensure that they were deleted.

    7. Ran Windows Explorer and removed the files that I found. I did not find the following:

    C:\WINNT\azhymvA.exe
    It did not find any of the files that Pocket KillBox deleted in step 4.

    8. Rebooted into normal mode. Ran Hijack This and, lo and behold, the file that was missing in step 6 was now present. I had it deleted.

    9. Attached are new logs from Hijack This and FindQool.

    The computer seems to be running a lot better. Internet Explorer is taking a lot less time to open and find the home page. The firewall reports fewer unknown items trying to access the Internet (and that was before I ran the steps listed in this message). I admit to a little bit (OK - a lot) of paranoia and have not used the computer much since it became infected, and have not done anything on the Internet except as instructed. I want to make sure that the problems are fixed before I put my toe back into the water.

    Thank you again for all of your help.

    Charles aka California Geezer
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! You can delete those files that Killbox just made backups of.

    Also run HijackThis and fix the below lines:
    O4 - HKLM\..\Run: [pxouks] C:\WINNT\system32\qgkdlu.exe reg_run
    O4 - HKCU\..\Run: [muvvm] C:\WINNT\system32\qgkdlu.exe reg_run

    Then exit HJT and reboot your PC into safe mode and make sure that the below file does not exist. If it does, then delete it:
    C:\WINNT\system32\qgkdlu.exe

    Now reboot in normal mode and attach hopefully a final HJT log.
     
  12. California Geezer

    California Geezer Private E-2

    Chas Lang

    Pursuant to your instructions, I performed the following:

    1. Ran Hijack This and deleted the two lines indicated.

    2. Rebooted into safe mode. The indicated file did not exist.

    3. Rebooted into normal mode. Ran Hijack This. The log is attached.

    Thank you so very much for all of your help. I really appreciate it.
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  14. California Geezer

    California Geezer Private E-2

    Chas Lang:

    I have Window 2000 Professional, so I do not need to deal with System Restore, right?

    Thank you for all of your help.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's correct! That's a boiler plate message that I should have edited for your case. ;) Just too busy to think straight! :eek:
     
