Virus or Internet Explorer?

Discussion in 'Malware Help (A Specialist Will Reply)' started by DaphnePB, Apr 6, 2007.

  1. DaphnePB

    DaphnePB Private E-2

    Hello - I am new to the forums -
    I have tried so many things to fix this problem and I'm not sure what it could be ...
    Yesterday my computer started acting up - I have a Dell with Windows XP - Internet Explorer wouldn't work and my computer would restart on it's own ... I downloaded Mozilla Firefox for internet access. I downloaded Uniblue Powersuite and ran Spyeraser.
    I had a small pop up by the clock telling me that windows had found a virus and I needed to download software ... I've had that message before and ran fixwareout and that went away ....
    I also had a problem with RCP shutdown which I could put off with the (start-run-CMD-shutdown/a) I downloaded the Update Rollup 1 for Microsoft Windows XP and that didn't work so I scanned for a blaster worm with fixblast (w32.blaster.worm removal) and it found nothing. Also tried (w32.sasser.worm fix tool) and it found nothing ...
    Also - when I start up the computer I get an error message "Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience" - that message has also popped up while I'm online with Mozilla .... I heard (from forums) that Explorer should not start up with the computer and I should remove iexplore.exe or something like it from the start up list - using msconfig (I have to type msconfig.exe) It is not on the list.

    So is there anything else I can try to figure out what is causing this?
    Thanks!
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi and Welcome to Majorgeeks!


    With some of the issues you are having, and with a popup stating you need to download a fix, those tend in all cases to be malware related, so the below is the best start to cleaning up your PC. Once completed you will have some logs which you need to attach, and our malware experts will in due course get to review these and issue you further clean up steps.



    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.




    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. DaphnePB

    DaphnePB Private E-2

    Thank you for the advice - I completed all of the recommended steps for malware removal and saved the logs. Counterspy wouldn't work so I used AVG Antispyware instead. Spybot had 10 problems that couldn't be fixed (with command service, newdotnet and softomate.deskbar alert). It asked to run again at start up and I did but it still couldn't fix them. I still have a problem with RPC shutdown and have error messages on startup "RUNDLL error loading soy630132c.dll the specified module could not be found" and also "RUNDLL error loading C:\WINDOWS\ddbcaw.dll the specified module could not be found"
     

  4. DaphnePB

    DaphnePB Private E-2

    Also the online virus and trojan scanning logs ...
     

  5. DaphnePB

    DaphnePB Private E-2

    I also downloaded, installed, renamed and ran hijackthis! ...
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    I see a few different infections - Virtumonde, PurityScan, Deluxe Comm, and more. Let's get started.


    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I just noticed that you did not allow AVG Antispyware to fix what it found when you ran it. Please run it again and save a new log. Please tell it to Quarantine or Delete all of the problems it finds.

    Then attach the new log from AVG Antispyware.
     
  8. DaphnePB

    DaphnePB Private E-2

    OK - I downloaded combofix.exe and ran that ... I will attach the log .... Thanks so much for your help!
     

  9. DaphnePB

    DaphnePB Private E-2

    Here are also logs from GetRunKey, ShowNew and HJT

    I will run AVG Antispyware again.
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Please do and attach the log! Then continue on with the below.

    Your version of Windows is way out of date and is a major security risk. After we remove all malware, you must get updated or you stand a very high risk for re-infection.
    You also seem to have ignored step 3 of the READ ME. You have both AntiVir and Norton installed. You MUST uninstall one of these now before continuing. I would suggest that you uninstall Norton since it is 6 years out of date.

    Also uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Now uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Did you knowingly install DeskAlerts? I see that a folder for it just appeared on April 5th. But it is not in Add/Remove programs.

    ---------------------------------------

    Now download LSP - Fix

    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the rsvp32_2.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move rsvp32_2.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.
    If it is already in the Remove section, just click Finish.

    --------------------------------------

    Continue by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)
    Also make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of esenftp.dll once and then click the kill button. After you have killed all of the esenftp.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of esenftp.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of esenftp.dll and kill it. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: 0 - {16DFA6BB-0B5D-4E7E-98B3-A9E8BAE79466} - C:\Program Files\Internet Explorer\qudanuw.dll (file missing)
    O2 - BHO: (no name) - {6001c569-76dd-4360-b7fc-104b03b0219e} - C:\WINDOWS\system32\esenftp.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
    O20 - Winlogon Notify: esenftp - C:\WINDOWS\SYSTEM32\esenftp.dll
    O21 - SSODL: hbeUYKE - {07D00A0E-AD7A-A0A4-EAF0-5B7C4D7E07D9} - C:\WINDOWS\System32\pzrkd.dll (file missing)

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by double clicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\NetworkService\Local Settings\Temp\DxcUpdater3.exe
    C:\Documents and Settings\LocalService\Local Settings\Temp\DxcUpdater3.exe
    C:\WINDOWS\funnies.exe
    C:\WINDOWS\winsock64.dll
    C:\WINDOWS\UmFuZGFsbCAgQm9vdGg\oAIRt3IPvFE0kA6Sx30.vbs
    C:\WINDOWS\Downloaded Program Files\RdxIE.dll
    C:\WINDOWS\SYSTEM32\DRIVERS\core.sys
    C:\WINDOWS\SYSTEM32\esenftp.dll
    C:\WINDOWS\SYSTEM32\start32.exe
    C:\WINDOWS\SYSTEM32\unsvchosts.exe
    C:\WINDOWS\SYSTEM32\pdp.exe.exe
    C:\WINDOWS\SYSTEM32\rsvp32_2.dll
    C:\WINDOWS\SYSTEM32\zup.exe.exe
    C:\WINDOWS\SYSTEM32\windev-peers.ini
    C:\WINDOWS\SYSTEM32\tmp1.tmp.dll
    C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
    C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete if found:
    C:\Program Files\Common Files\{37D00A0D-02B9-1033-1113-001116190001}
    C:\Program Files\Common Files\{07D00A0D-02BA-1033-1113-001116190001}
    C:\Program Files\Common Files\{07D00A0D-02B9-1033-1113-001116190001}
    C:\Program Files\Common Files\qkmo

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    We will probably have some more work to do. The cmdService, Network Monitor, and WinCom registry keys will probably not get fixed. If that is the case, some special steps will be required to remove them.
     
    Last edited: Apr 7, 2007
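    A small added triage helper, not from this thread and not HijackThis's own logic: it parses the six HijackThis entries chaslang asked to fix and reports why a reviewer would single each one out (an orphaned "(file missing)" entry, a Winlogon Notify DLL, a broken LSP provider, a nameless BHO, and a DLL registered at more than one load point). The sample lines are the ones quoted above; the flagging rules are my own assumptions about what a log reviewer looks for.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
# Constructed sample input: the six HijackThis lines quoted in chaslang's post above.
HJT_LINES = r"""
O2 - BHO: 0 - {16DFA6BB-0B5D-4E7E-98B3-A9E8BAE79466} - C:\Program Files\Internet Explorer\qudanuw.dll (file missing)
O2 - BHO: (no name) - {6001c569-76dd-4360-b7fc-104b03b0219e} - C:\WINDOWS\system32\esenftp.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
O20 - Winlogon Notify: esenftp - C:\WINDOWS\SYSTEM32\esenftp.dll
O21 - SSODL: hbeUYKE - {07D00A0E-AD7A-A0A4-EAF0-5B7C4D7E07D9} - C:\WINDOWS\System32\pzrkd.dll (file missing)
"""
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = "(file missing)"

@dataclass
class HjtEntry:
    section: str        # O2, O4, O10, O20, O21 ...
    name: str           # BHO/Notify/SSODL name, or the Run value name
    clsid: str          # CLSID when the line carries one, else ""
    path: str           # DLL path or Run command line
    file_missing: bool  # HijackThis could not find the file on disk
    raw: str            # the original line, used as a key in triage()

def parse_line(line: str) -> HjtEntry:
    section, _, rest = line.partition(" - ")
    missing = rest.endswith(MISSING)
    rest = rest[: -len(MISSING)].rstrip() if missing else rest
    m = CLSID_RE.search(rest)
    if section == "O4":       # O4 - <hive>: [<value name>] <command line>
        name = rest[rest.index("[") + 1 : rest.index("]")]
        path = rest[rest.index("]") + 1 :].strip()
    elif section == "O10":    # O10 - ... LSP provider '<file>' missing
        q = re.search(r"'([^']+)'", rest)
        name, path, missing = "LSP", (q.group(1) if q else ""), True
    else:                     # O2/O20/O21 - <kind>: <name> [- {CLSID}] - <path>
        parts = [p for p in rest.split(" - ") if not CLSID_RE.fullmatch(p)]
        name, path = parts[0].partition(": ")[2], parts[-1]
    return HjtEntry(section, name, m.group(0) if m else "", path, missing, line)

def parse_log(text: str) -> list:
    return [parse_line(l.strip()) for l in text.splitlines() if l.strip().startswith("O")]

def triage(entries: list) -> dict:
    """Return {raw line: [reasons]} for the entries a reviewer would single out."""
    by_file = defaultdict(set)  # file basename -> the load points it appears in
    for e in entries:
        by_file[e.path.rsplit("\\", 1)[-1].lower()].add(e.section)
    out = {}
    for e in entries:
        base = e.path.rsplit("\\", 1)[-1].lower()
        r = []
        if e.file_missing:
            r.append("orphaned: referenced file is missing")
        if e.section == "O20":
            r.append("Winlogon Notify DLL loads into winlogon.exe")
        if e.section == "O10":
            r.append("broken LSP chain (Winsock provider missing)")
        if e.section == "O2" and e.name in ("", "0", "(no name)"):
            r.append("BHO with no meaningful name")
        if len(by_file[base]) > 1:
            r.append(f"{base} registered in {len(by_file[base])} load points")
        if r:
            out[e.raw] = r
    return out
```

    The benign KernelFaultCheck Run entry gets no reason at all, which is the point: the helper separates what needs a closer look from what merely appears in the log.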
  11. DaphnePB

    DaphnePB Private E-2

    Here is the AVG log ....
     

  12. DaphnePB

    DaphnePB Private E-2

    OK - I've attached GetRunKey, ShowNew and HJT
     

  13. DaphnePB

    DaphnePB Private E-2

    I uninstalled Norton Antivirus. It said it had to leave behind shared files: sevinst.exe and NMain.exe - I wasn't sure if it was safe to remove them.

    It also said it was 'unable to unregister self registering files':
    C:\ProgramFiles\Navnt\quar32.dll
    C:\ProgramFiles\Navnt\scanllvr.dll

    And 'Unable to unregister self registering values:
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\NPSEventChecker
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\RUN\NAVDefAlert

    I uninstalled Sunbelt Counterspy and the J2SE software.
    I downloaded the current version of Sun Java.
    I didn't knowingly install DeskAlerts - I'm not sure how that got on my computer.
    I followed your instructions for the LSP-fix, Process Explorer, HJT, Regedit4 and Pocket Killbox

    After running Killbox and rebooting I deleted the folder: C:\ProgramFiles\CommonFiles\qkmo

    I ran CCleaner, GetRunKey, ShowNew and HJT and will attach the logs.

    Things seem to be working ok. I haven't had any problems so far.
    Thanks again!
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Delete the C:\ProgramFiles\Navnt if you can.


    Now please download and install Registrar Lite
    Make sure you select a Majorgeeks download link and not the Authors!


    Run Registrar Lite, navigate to each of the following keys (one at a time) and take ownership of them (I explained how to do that further down).

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32


    To take ownership of the key do the following:
    • Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    • Click-on Security in the top Menu
    • Select Take Ownership
    • Repeat these steps for all of the registry keys given above before continuing to the next steps below.
    • Now leave RegistrarLite running and continue
    • Now run the fixME.reg REGISTRY PATCH below in this message.
    • Tell me the results. Any error messages?
    • Now in RegistrarLite click View and then Refresh
    • Now navigate one at a time to each of the above keys we took ownership of to make sure they were deleted.
    • If any of the keys still exist, move on down to PART 2 - Setting Permissions for Everyone below!
    Here is the Registry Patch

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.

    PART 2 - Setting Permissions for Everyone
    Run the below if some of the registry keys still exist after running the above steps.

    Now I want you to use Registrar Lite again to navigate to each of the below keys (one at a time) by pasting them into the Address Bar and hitting return.
    But this time click the Security menu item and select Edit Permissions so we can change permissions to everyone (I describe this down below the list of registry keys).
    After clicking Edit Permissions, here is what I expect you to see in the Group or user names area of the form:

    Everyone
    SYSTEM

    Select Everyone by clicking on it. Now at the bottom in the Permissions box click the check box for Full Control. Then click Apply and then OK to get back to the main Registrar Lite screen. Now right click on the registry key and select Delete. Then click View and Refresh. Check to see if the registry key you just deleted was truly deleted. If so, move on to the next to work thru the whole list. If it does not delete, I want you to boot into safe mode and repeat these exact same steps to see if we can do it from safe mode.

    Then reboot your PC!

    Now run GetRunKey again and attach a new log!
     
  15. DaphnePB

    DaphnePB Private E-2

    I didn't see C:\ProgramFiles\Navnt

    I ran the fixME.reg patch - no error messages.

    The registry files didn't delete the first time so I did Part 2 'setting permissions for everyone' and deleted them and then it worked.

    I will attach the results of GetRunKey.

    Thanks!
     

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good job! ;) And you're welcome.

    Your log is clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     