windows xp computer HElP please

Discussion in 'Malware Help (A Specialist Will Reply)' started by huney23451, Mar 22, 2006.

  1. huney23451

    huney23451 Private E-2

    I have worked on this computer for 5 days now and need help. I have gone through the entire step-by-step process on your site that I received before for another computer and I am still getting pop-ups taking over the computer. I have run BitDefender and the Panda ActiveScan and CounterSpy as well as Ad-Aware and Spybot and CCleaner along with all the other steps, and have the logs here as well as a copy of where the Panda files were located. I could not copy and paste them, so I typed them up and am attaching all the logs here if anyone can help me.

    T
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not follow the instructions for obtaining a BitDefender log and as a result you have attached a log summary which is of no use to us. Those directions are very explicit on how the log must be obtained. It clearly tells you that it will be an HTML file with a .txt extension. You posted a pure text log summary. Don't worry about it right now. I don't want you to waste time running another scan if you do not have the full log saved.

    First look in Add/Remove programs for anything related to MyWay or MyWaySearch etc and uninstall if found. Thanks to Dell you have this junk on your PC.

    You have a bunch of other nasties too. Some will more than likely require some special procedure to remove, but let's try an easy way out (if it works). Run the below scanners and attach the Ewido log.

    Running Ewido Anti-Malware

    Afterwards also attach a new HJT log so we can see what remains.
     
  3. huney23451

    huney23451 Private E-2

    OK, I looked in Add/Remove; there were no programs with MyWay or MyWaySearch or anything similar. Then I downloaded Ewido and ran it, and here is the log file for it. I also ran the HJT log again.

    T

    PS: still unsure how I messed up the BitDefender. I saved it as a txt file; not sure where I messed that up :(

    Ty again for helping, this was driving me nuts cleaning it :eek:
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Start by downloading a tool we will need:

    - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O4 - HKLM\..\Run: [winsync] c:\windows\system32\kpkd4d.exe reg_run
    O4 - HKLM\..\Run: [vpeqwzta] c:\windows\system32\rreukzby.exe
    O4 - HKLM\..\Run: [testit.exe] c:\windows\system32\testit.exe
    O4 - HKLM\..\Run: [seli] c:\windows\exe82.exe
    O4 - HKLM\..\Run: [mediapluscash.exe] c:\windows\system32\mediapluscash.exe
    O4 - HKLM\..\Run: [igsya] c:\windows\system32\blfjtc\igsya.exe
    O4 - HKLM\..\Run: [gahwap] c:\windows\system32\lvblqai\gahwap.exe
    O4 - HKLM\..\Run: [9020] c:\windows\exe82.exe

    Now exit HijackThis after clicking Fix checked!

    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KillBox one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.
    c:\windows\system32\kpkd4d.exe
    c:\windows\system32\rreukzby.exe
    c:\windows\system32\testit.exe
    c:\windows\exe82.exe
    c:\windows\system32\mediapluscash.exe
    c:\windows\system32\blfjtc\igsya.exe
    c:\windows\system32\lvblqai\gahwap.exe
    c:\windows\exe82.exe

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot locate the below with Windows Explorer and delete them (hopefully many of these will already be gone. This is a double check with a few changes! )
    c:\windows\system32\kpkd4d.exe
    c:\windows\system32\rreukzby.exe
    c:\windows\system32\testit.exe
    c:\windows\exe82.exe
    c:\windows\system32\mediapluscash.exe
    c:\windows\system32\blfjtc <--- delete the whole folder
    c:\windows\system32\lvblqai <--- delete the whole folder
    c:\windows\exe82.exe

    Now attach a new HJT log and tell me how the steps went.
    Make sure you tell me how things are working now!

    One of the issues may come back with a new name. The item I'm referring to is the below line from your HJT log:
    O4 - HKLM\..\Run: [winsync] c:\windows\system32\kpkd4d.exe reg_run

    This one almost always requires some additional special tools to remove.
     
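    The Killbox and Explorer lists above were built by hand from the O4 Run-key lines in the HJT log. The following added example (my own code, not from the thread, HijackThis or Killbox) parses such O4 lines into their hive, key, value name and launched executable, then derives the same kind of de-duplicated checklist: a lone .exe in a standard Windows directory is listed as a file, while an .exe launched from its own sub-folder gets the whole folder listed, the way blfjtc and lvblqai were treated above. The sample log lines are a constructed subset of the ones quoted in this thread, and the "standard directory" rule is an assumed heuristic.

```python
"""Turn HijackThis O4 (Run-key) lines into a de-duplicated deletion checklist."""
import re
import ntpath

# Constructed sample input: a subset of the HJT lines quoted in the thread.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O4 - HKLM\..\Run: [winsync] c:\windows\system32\kpkd4d.exe reg_run
O4 - HKLM\..\Run: [seli] c:\windows\exe82.exe
O4 - HKLM\..\Run: [igsya] c:\windows\system32\blfjtc\igsya.exe
O4 - HKLM\..\Run: [gahwap] c:\windows\system32\lvblqai\gahwap.exe
O4 - HKLM\..\Run: [9020] c:\windows\exe82.exe
"""

# Assumed heuristic: an .exe directly inside these directories is deleted on its
# own; an .exe launched from any other (fresh) folder means the folder goes whole.
STANDARD_DIRS = {r"c:\windows", r"c:\windows\system32"}

# "O4 - HKLM\..\Run: [name] command" -> hive, key, value name, command line
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Split the command into the (optionally quoted) .exe path and trailing arguments
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?(?:\s+(?P<args>.*))?$', re.IGNORECASE)


def parse_o4(line):
    """Return {'hive','key','name','exe','args'} for an O4 line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    e = EXE_RE.match(m.group("cmd").strip())
    if not e:
        return None
    return {"hive": m.group("hive"), "key": m.group("key"), "name": m.group("name"),
            "exe": e.group("exe").lower(), "args": e.group("args") or ""}


def cleanup_plan(lines):
    """Return (files, folders): ordered, de-duplicated paths to remove."""
    files, folders = [], []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue  # R0/R1/O23 lines are not Run entries; skip them here
        parent = ntpath.dirname(entry["exe"])
        if parent in STANDARD_DIRS:
            if entry["exe"] not in files:
                files.append(entry["exe"])
        elif parent not in folders:
            folders.append(parent)
    return files, folders
```

Note that the duplicated c:\windows\exe82.exe (launched twice, as [seli] and [9020]) appears once in the result, and igsya.exe and gahwap.exe collapse into their two folders.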
  5. huney23451

    huney23451 Private E-2

    I downloaded Killbox and ran it and the HJT step, and the pop-ups seem to have calmed down for the moment. When I restarted after the Killbox step and looked for the files, the only ones left were the two folder ones, and I deleted them.

    :) So where do I go from here, or is this computer clean now? :)
     

    Attached Files:

  6. huney23451

    huney23451 Private E-2

    I ran Spybot and Ad-Aware after I posted the last thing and it found Smitfraud-C, which it was finding before this, and it says it is in C:\program files\inetget2\. I asked it to fix it and purged it after I did that. Also, not sure why, but in Ad-Aware I have three times the amount of process modules running now as I did before I went through the 7 steps in the "read and do this first" thing, and now I have like 4 programs loading on start that were not loading. What's up with this, and is there something I need to change to make it stop that? :)
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We may need to run another tool if you are still seeing Smitfraud problems. Are you? If so post the Spybot log.

    That cannot be true. We had HijackThis remove about 8 items of malware that were loading at startup.

    Exactly which programs are you referring to?

    One thing you may need to do was covered in step 3 of the READ & RUN ME. You appear to have AOL antivirus and McAfee running. You must use only one AV so you need to uninstall one of them. But since I do not use AOL I'm not sure exactly what the below really is:

    O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1142898414\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe

    Did they actually install an antivirus? What is AOL Antivirus Update Service? Sounds like it is for updating an AV but whose? Did they install one? Is it running? Is this actually the AV too? Or are they monitoring your McAfee AV? If the last question is answered yes, that's a waste of system resources.
     
    Last edited: Mar 25, 2006
  8. huney23451

    huney23451 Private E-2

    OK, I looked at the Spybot file and found logs and deleted the folder "inetget2", so not sure if it is gone for good, but I did delete it.

    I think the extra process modules are all the new programs loading on start now, because it is not showing any problems when I run the scan on Ad-Aware.
    I have some Dell Media Center and some Dell AIO printer A920 thing now and QuickTime, and I stopped the other program in the system tray; it had an option to check to run on Windows load, so I chose it.
    The AOL antivirus update thing is McAfee; it's loaded with AOL 9.0 SE now and their Security Center. It's all one bundle package now, and with the people I am dealing with on this they need something simple I can show them to use to prevent this thing from getting infected like this again, so I chose that for them.
    Before I even posted I had spent three days dealing with three IDs with administrator rights and at least another 20 programs that were loaded on this thing, and it would not even reach the net before I deleted them all, but I was stuck on the final few that were clogging it and needed your help. Thank you for giving me the step-by-step processes.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay InetGet2 was on my list of things to remove and there may still be one more of them along with a few other things to do. Let's continue!

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files".
    Once you have saved it, double click it and allow it to add into the registry.
    Now boot into safe mode to delete the below (you can try normal mode first but use safe mode as a fallback if files will not delete):
    C:\PROGRAM FILES\COMMON FILES\system32.dll
    C:\PROGRAM FILES\COMMON FILES\InetGet2 <-- the whole folder
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\vidctrl <-- the whole folder
    C:\Temp\MG.exe
    C:\WINDOWS\dmFsZXJpZQAA <-- the whole folder
    C:\WINDOWS\dmVyc2llIGwA <-- the whole folder
    C:\WINDOWS\ubber60.ini

    Now reboot and tell how things are working. If everything is good, it is time to move onto the below (and have the owners read this info too):

    How to Protect yourself from malware!
     
  10. huney23451

    huney23451 Private E-2

    K, I did the fixme step and then rebooted and did the delete step. Two of the ones you asked to be deleted I did not find:
    C:\PROGRAMS FILES\COMMON FILES\system32.dll
    and
    C:\TEMP\MG.exe

    Other than that it seems to be OK, but I could not click the link you sent me about protecting against malware at the end :(
     
  11. huney23451

    huney23451 Private E-2

    I ran CCleaner after that and got this weird log. I am posting it so you can see it. Also my Spybot said blindman was corrupt so I had to reinstall it, and when I installed it from the site you have posted it gave me all kinds of errors. Not sure if this is a biggie or not, because it still seems to run and gave me no errors.
     

    Attached Files:

    • log.txt (1.7 KB)
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The link I gave you was broken. Here is the correct one:
    How to Protect yourself from malware!

    I don't see anything strange in the CCleaner log. I'm not sure what your problem was with Spybot, but if it is working now, don't worry about it. The best way to reinstall programs though is: uninstall, reboot, clean up left over files and folders manually, reinstall.
     
  13. huney23451

    huney23451 Private E-2

    Cookie:valerie@dogpile.com/(&H100001) 81 bytes
    Cookie:valerie@www.myaffiliateprogram.com/(&H100001) 115 bytes
    Cookie:valerie@tribalfusion.com/(&H100001) 538 bytes

    This is what I am referring to. I did not go to these sites when I rebooted and they keep showing up, and tribalfusion is one of the malware it deleted way back when I first started cleaning the computer. I did uninstall it and reboot and clean out the folders for Spybot and still got the errors, so not sure why it did it.

    So is it time to do the restore point now, and are we done? :)

    And I read your post about the malware. I found it in the forum last night, so I went ahead and read it :)
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Those are just cookies. They are not problems or malware (even though some scanners like to call them problems, they are not). If you surf, you will get cookies, and you do not have to go to the particular site mentioned. The cookies can come from other sites. For example, you will even get TribalFusion here on MGs! It is not a problem.
     
