Wareout remnants?

Discussion in 'Malware Help (A Specialist Will Reply)' started by TastyJ, Aug 23, 2006.

  1. TastyJ

    TastyJ Private E-2

    Hi,
    I'm having a lot of trouble with my computer at the moment. There's a lot of slow down and my RAM management program shows only 400 mb of ram available when I have a Gig installed. When I go into the start up configuration menu there are a number of programs which seem to be associated with an earlier Wareout attack I had. I think these are the cause of the slowdown.

    I've tried to follow the steps listed in the "read me and run me first" sticky but have had some problems. I couldn't update Windows Defender although I managed to run it. I couldn't install Counterspy and neither Panda nor Bitdefender would work.

    Here are my logs

    Can you help?
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Are your copies of Ewido and SuperAntispyware (I'll call it SAS from now on) paid or free copies?
    Have you run full scans with Ewido and SAS? If so, please attach logs from them.
    If they are free versions, after attaching any logs, please uninstall them.
    Also uninstall Windows Defender.

    The reason I'm saying to uninstall them is that you are running a full security suite from Panda which requires massive system resources and you do not need or want these other tools to be running. It will cause conflicts, waste system resources, and will slow your PC down.

    Also while uninstalling things, uninstall the below old version of Sun Java:
    Java 2 Runtime Environment Standard Edition v1.3.1_03

    Please download FixWareout by LonnyRJones from one of the two below links and save it to your desktop.

    http://downloads.subratam.org/Fixwareout.exe

    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
    • Run Fixwareout.
    • Click Next,
    • then Install,
    • make sure Run fixit is checked
    • and click Finish.
    • The fix will begin; follow the prompts.
    • You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; this is normal.
    When you run fixwareout, just follow the prompts; you will need to restart when prompted.

    After rebooting (restart) back into normal boot mode, make sure you have all web browsers closed.
    • Go into Control Panel -->Network Connections.
    • Right click on your connection
    • and click Properties.
    • On the Properties page, highlight Internet Protocol(TCP/IP)
    • Click Properties. This will bring up another page.
    • Select Obtain DNS Server Automatically.
    • Click the ok button. The page will close.
    • Press ok on the page in front of you.
    • Restart the computer.
    • Reconnect to the Internet using Internet Explorer.
    • Now come back here and attach the log from fixwareout. It is located at c:\fixwareout\report.txt
    Now attach a new HijackThis log and a new log from ShowNew so we can finish your cleanup.
     
    Last edited: Aug 23, 2006
  3. TastyJ

    TastyJ Private E-2

    Right ok,
    Here are the reports from ewido and SAS. Both were free versions and so are now uninstalled. Have also uninstalled Defender and Java 2 runtime environment v 1.3.1_03.

    The Ewido program reported an error when trying to remove "Adware: Generic". SAS removed everything it found.

    Also uninstalled Panda. This was only the free evaluation version. I had downloaded it to use instead of the online scanner which I couldn't get to work. I was previously using AVG free but had to uninstall this to install Panda. Can you recommend a good anti-virus program to use in its stead?

    Thanks
     


  4. TastyJ

    TastyJ Private E-2

    Here are the other reports you asked for:

    Thanks for your help!
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! That's bad! Had I known this I would not have had you uninstall Windows Defender. You need to have a realtime antispyware blocker. Reinstall it. Also AVG is just fine to use. You should reinstall it too (unless you did not like it). You can get it and updates from here:

    AVG Free Edition

    AVG Anti-Virus Updates



    Start by downloading - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
    O4 - HKLM\..\Run: [adiras] adiras.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [jninm.exe] C:\WINDOWS\system32\jninm.exe
    O4 - HKLM\..\Run: [ftbar] MSTCPDLL.exe
    O4 - HKLM\..\Run: [dmogh.exe] C:\WINDOWS\system32\dmogh.exe
    O4 - HKLM\..\Run: [Dest068] newbreed.exe
    O4 - HKCU\..\Run: [SAPSTR] install2.exe
    O4 - HKCU\..\Run: [PrcIdle] ms-its.exe
    O4 - HKCU\..\Run: [gabber] Kargo.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{345B06CB-BFBB-497C-98C0-12F504CE19BC}: NameServer = 85.255.114.35,85.255.112.13
    O17 - HKLM\System\CCS\Services\Tcpip\..\{74D00E00-C9A6-493E-BBD4-216F2743CA01}: NameServer = 85.255.114.35,85.255.112.13
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.35 85.255.112.13
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.35 85.255.112.13
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.35 85.255.112.13



    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    Now back on Killbox's main window, Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\WINDOWS\mickey32.dll
    C:\WINDOWS\system32\{B80BCA13-D007-4842-999A-E5659ADE1057}.exe
    C:\WINDOWS\system32\{F1A02216-18AE-4624-840F-2E32A0B90AD8}.exe
    C:\WINDOWS\system32\{A1A4210A-04D7-4798-98CC-A2DDADC62799}.exe
    C:\WINDOWS\system32\{EA6039BF-426C-4EC8-BAF8-9EFA0832B6D3}.exe
    C:\WINDOWS\system32\diras.exe
    C:\WINDOWS\system32\jninm.exe
    C:\WINDOWS\system32\MSTCPDLL.exe
    C:\WINDOWS\system32\dmogh.exe
    C:\WINDOWS\system32\newbreed.exe
    C:\WINDOWS\system32\install2.exe
    C:\WINDOWS\system32\ms-its.exe
    C:\WINDOWS\system32\Kargo.exe


    If Killbox does not reboot or if you get a Pending Operations type error message just click OK to continue and then just reboot your PC yourself.


    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\temp\
    C:\Documents and Settings\James\Local Settings\Temp\



    Now attach a new HJT log and tell me how the steps went.

    Also attach a new log from ShowNew and a new log from GetRunKey.

    Make sure you tell me how things are working now!
     
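    The O17 and O4 lines chaslang selected above are the two parts of a HijackThis log that matter most in a Wareout cleanup: the NameServer values redirect every DNS lookup to servers the user never configured, and the Run entries restart the dropped executables at logon. The script below is an added example (not code from this thread, from MajorGeeks or from HijackThis) that parses lines in that log format and flags them the way a reviewer would: any NameServer that is a public address not on a trusted list (the list is the reader's own; a home router on a private address passes by default), and any Run entry that is either a bare file name resolved through PATH or a loose executable sitting directly in system32. The sample log is copied from the entries quoted above, so the flagged results reproduce what chaslang picked out by hand.

```python
import re
from ipaddress import ip_address

# Sample HijackThis lines copied from the thread above (a constructed sample,
# not a live system). The last O17 line is a normal home-router setting added
# to show that private resolvers are not flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [jninm.exe] C:\WINDOWS\system32\jninm.exe
O4 - HKLM\..\Run: [ftbar] MSTCPDLL.exe
O4 - HKCU\..\Run: [gabber] Kargo.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{345B06CB-BFBB-497C-98C0-12F504CE19BC}: NameServer = 85.255.114.35,85.255.112.13
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.35 85.255.112.13
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

# O4 lines: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
# O17 lines: "O17 - <registry key>: NameServer = <servers separated by , or space>"
O17_RE = re.compile(r'^O17 - (.+?): NameServer = (.+)$')


def parse_hjt(text):
    """Return a list of dicts for the O4 and O17 lines in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            entries.append({'type': 'O4', 'hive': m.group(1),
                            'name': m.group(2), 'cmd': m.group(3)})
            continue
        m = O17_RE.match(line)
        if m:
            servers = [s for s in re.split(r'[,\s]+', m.group(2).strip()) if s]
            entries.append({'type': 'O17', 'key': m.group(1), 'servers': servers})
    return entries


def suspicious_nameservers(entries, trusted=()):
    """Flag NameServer values that are public addresses not on the trusted list.

    `trusted` is the reader's own allowlist (an assumption here, e.g. the ISP's
    resolvers); RFC 1918 private addresses such as a home router pass by default.
    """
    trusted = {ip_address(t) for t in trusted}
    hits = []
    for e in entries:
        if e['type'] != 'O17':
            continue
        for s in e['servers']:
            try:
                ip = ip_address(s)
            except ValueError:
                hits.append((e['key'], s, 'not an IP address'))
                continue
            if ip.is_private or ip in trusted:
                continue
            hits.append((e['key'], s, 'public resolver not on the trusted list'))
    return hits


def _executable_path(cmd):
    """Extract the program path from a Run command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(' ', 1)[0]


def review_run_entries(entries):
    """Flag Run entries that deserve a manual look; this is a triage heuristic,
    not a verdict (legitimate software can match too)."""
    flagged = []
    for e in entries:
        if e['type'] != 'O4':
            continue
        path = _executable_path(e['cmd'])
        low = path.lower()
        if '\\' not in path:
            reason = 'bare file name, resolved via PATH at logon'
        elif '\\system32\\' in low and low.endswith('.exe'):
            reason = 'loose executable directly in the Windows system32 directory'
        else:
            continue
        flagged.append((e['hive'], e['name'], path, reason))
    return flagged


if __name__ == '__main__':
    parsed = parse_hjt(SAMPLE_LOG)
    for key, server, why in suspicious_nameservers(parsed):
        print(f'DNS  {server:16} {why}  ({key})')
    for hive, name, path, why in review_run_entries(parsed):
        print(f'RUN  {hive}\\..\\Run [{name}] {path}: {why}')
```

Run it against a real log by replacing SAMPLE_LOG with the file contents and passing your ISP's resolvers as `trusted`; a clean machine produces no DNS lines at all, which is exactly the state the "Obtain DNS Server Automatically" steps in post 2 restore.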
  6. TastyJ

    TastyJ Private E-2

    OK, Sorry for delay.

    Everything seems to be running ok. Maybe a bit better than before, not sure. Followed all the steps. Only a couple of problems.

    Couldn't find this line in the HJT log:

    "R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost"

    and there were only two files present in C:\Documents and Settings\James\Local Settings\Temp\ and these couldn't be deleted.

    They were a folder "RarSFX1" and "Perflib_Perfdata_aac.dat".

    I've reinstalled AVG and SAS.

    Here are my logs

    Thanks
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to uninstall SAS and install Windows Defender unless you purchased SAS. The free version does not provide any realtime protection.


    Your logs are clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!

     
  8. TastyJ

    TastyJ Private E-2

    OK, will do.

    Thanks for all your help
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
