Would appreciate help and analysis

Discussion in 'Malware Help (A Specialist Will Reply)' started by psucavvy, Jan 28, 2008.

  1. psucavvy

    psucavvy Private E-2

    Hello,
    I'm new to the forums and am having sudden problems with malware. I read the stickies, and have run every program in order accordingly. However, AVG did not produce a report after the run (of 2.5 hours). I am attaching the other logs, I look forward to the assistance and appreciate the time anyone takes in helping me correct this situation.

    I am including the Combofix.txt below because it was unable to attach due to file size.

    ComboFix 08-01-23.2 - Owner 2008-01-23 22:59:53.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.114 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    * Created a new restore point
     

    Last edited by a moderator: Jan 29, 2008
  2. Lev

    Lev MajorGeek

    Welcome to MajorGeeks.com!

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions. You will find that if you follow the instructions to the letter, your ComboFix log will not include all the temp files, hence making it small enough to attach, as requested.

    Read & RUN ME FIRST Before Asking for Support
     
  3. psucavvy

    psucavvy Private E-2

    Hi Lev,
    Thanks for the reply. The link you posted is the directions I followed... not sure why it did not come up as needed.
     
  4. psucavvy

    psucavvy Private E-2

    I will try to run the succession fully again, but will be unable to do so until Friday evening. Is there anything decipherable in the meantime?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The problem is that you did not run ComboFix and attach the requested log. ComboFix would have fixed several thousand of your problems files. Please run ComboFix as requested in the READ ME. Please attach this log immediately because, I'm going to have you run ComboFix again below in a special procedure which will create a second log. I want to get the first log before you overwrite it with the second procedure.

    Also, do you have the log from AVG Antispyware?

    Now uninstall the below software:
    Java 2 Runtime Environment, SE v1.4.2
    Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME


    Now Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    F3 - REG:win.ini: load=C:\WINDOWS\system32\vtutt.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\lpcywinp.exe,C:\WINDOWS\system32\userinit.exe
    O2 - BHO: (no name) - {21BC0AD6-A9BB-468D-AAA8-C1EEE1F44546} - (no file)
    O2 - BHO: (no name) - {4527D40A-2FF1-43DC-A82C-2CF3301B5E3A} - C:\Program Files\Online Services\ryzycy4444.dll (file missing)
    O2 - BHO: (no name) - {848ECDB9-2087-4E9E-8866-AAD36E051C46} - C:\Program Files\Online Services\ryzycy83122.dll (file missing)
    O2 - BHO: {b466b6f5-8505-ebf9-4a04-59db5ff90da9} - {9ad09ff5-bd95-40a4-9fbe-50585f6b664b} - C:\WINDOWS\system32\lalshrcd.dll
    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\mexrozsh.dll
    O2 - BHO: (no name) - {BE768AA1-3DB4-4698-BDE7-1F54BDF85054} - C:\WINDOWS\system32\vtutt.dll (file missing)
    O2 - BHO: (no name) - {C6CA7E8E-5541-4588-90C6-CACB408B6331} - (no file)
    O2 - BHO: (no name) - {cc28c41d-cbb1-49d2-91e5-e0c2ab1acf59} - (no file)
    O2 - BHO: (no name) - {CF443BE5-A118-4D69-8370-10DF63AA2346} - C:\Program Files\Online Services\ryzycy555077.dll (file missing)
    O2 - BHO: (no name) - {F6F7DD22-A022-4C56-9386-D1B866FA16FA} - (no file)
    O2 - BHO: (no name) - {FA497713-F5AD-43E1-BAC2-262BBBF1D8F7} - (no file)
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe (file missing)
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
    O20 - Winlogon Notify: mexrozsh - C:\WINDOWS\SYSTEM32\mexrozsh.dll
    O20 - Winlogon Notify: opnlkjg - opnlkjg.dll (file missing)

    After clicking Fix, exit HJT.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):
    Code:
    RenV::
    ----a-w            53,248 2008-01-08 00:15:22  C:\hp\bin\AUTOTKIT .EXE
    ----a-w            39,792 2008-01-08 00:15:40  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
    ----a-w            65,536 2008-01-08 00:15:37  C:\Program Files\Ahead\ODD Toolkit\DVDTray .exe
    ----a-w            67,112 2008-01-11 00:29:22  C:\Program Files\AIM\aim .exe
    ----a-w            50,528 2008-01-28 22:32:25  C:\Program Files\AIM6\aim6 .exe
    ----a-w           110,592 2008-01-08 00:15:22  C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
    ----a-w            57,344 2008-01-08 00:15:32  C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol .exe
    ----a-w         1,694,208 2008-01-08 00:15:53  C:\Program Files\Messenger\msmsgs .exe
    ----a-w           135,168 2008-01-08 00:15:35  C:\Program Files\Multimedia Card Reader\shwicon2k .exe
    ----a-w           282,624 2008-01-08 02:39:23  C:\Program Files\QuickTime\qttask      .exe
    ----a-w           282,624 2008-01-08 02:39:24  C:\Program Files\QuickTime\qttask     .exe
    ----a-w           282,624 2008-01-08 02:39:24  C:\Program Files\QuickTime\qttask    .exe
    ----a-w           282,624 2008-01-08 02:39:25  C:\Program Files\QuickTime\qttask   .exe
    ----a-w           282,624 2008-01-08 02:39:25  C:\Program Files\QuickTime\qttask  .exe
    ----a-w           282,624 2008-01-08 02:39:25  C:\Program Files\QuickTime\qttask .exe
    ----a-w         1,460,560 2008-01-24 02:35:10  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
    ----a-w           204,288 2008-01-08 00:15:56  C:\Program Files\Windows Media Player\WMPNSCFG .exe
    ----a-w            90,112 2008-01-08 00:15:34  C:\WINDOWS\UpdReg .EXE
    ----a-w           212,992 2008-01-08 00:15:23  C:\WINDOWS\SMINST\RECGUARD .EXE
    ----a-w            15,360 2008-01-23 23:44:31  C:\WINDOWS\system32\ctfmon .exe
    ----a-w           114,688 2008-01-08 00:15:21  C:\WINDOWS\system32\hkcmd .exe
    ----a-w           155,648 2008-01-08 00:15:36  C:\WINDOWS\system32\NeroCheck .exe
     
    File::
    C:\Documents and Settings\Owner\Local Settings\Temp\3rporjk4.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\4awgt1oy.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\83r1wntx.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\9w8clwsp.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\dcp4pe3h.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\dfimqu1h.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\GLC864.tmp
    C:\Documents and Settings\Owner\Local Settings\Temp\iv90shao.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\ojne6v15.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\ptfci80a.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\r09eh9tu.exe
    C:\WINDOWS\system32\etcqognl.dll
    C:\WINDOWS\system32\lalshrcd.dll
    C:\WINDOWS\system32\mexrozsh.dll
    C:\WINDOWS\system32\mexrozsh.dllbox
    C:\WINDOWS\system32\ufxdxcna.dll
    C:\WINDOWS\system32\ffijwegh.ini
    C:\WINDOWS\system32\jeeguivd.ini
    C:\WINDOWS\system32\jpewocmz.ini
    C:\WINDOWS\system32\lngoqcte.ini
    C:\WINDOWS\system32\qeuegmpl.ini
    C:\WINDOWS\system32\ttutv.ini
    C:\WINDOWS\system32\ttutv.ini2
    C:\WINDOWS\system32\yrceciqx.ini
    C:\WINDOWS\system32\vtutt.exe
    C:\WINDOWS\system32\lpcywinp.exe
     
    Folder::
    C:\WINDOWS\system32\aj2
    C:\WINDOWS\system32\ardCo02
    C:\WINDOWS\system32\cc9
    C:\WINDOWS\system32\mr9
     
    Registry::
    [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
    "load"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mexrozsh]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\opnlkjg]
    [HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\ShellExecuteHooks]
    "{2D5796A2-44E0-4E50-A5A0-80BF1EE3EA73}"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Documents and Settings\Owner\Local Settings\Temp

    Now run Ccleaner!


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Jan 31, 2008
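A triage script for the HijackThis line classes chaslang selects above (F2 UserInit, F3 load=, O2 BHO, O4 Run, O20 Winlogon Notify, R1 proxy), added here as an example; it is not part of the thread or of HijackThis. The sample lines are taken from the thread plus one legitimate Java entry, and the Winlogon Notify allowlist is an assumption made for the example:

```python
import re

# Constructed sample: HijackThis lines quoted from the thread, plus one
# legitimate Java O4 entry so the rules can be seen to leave it alone.
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F3 - REG:win.ini: load=C:\WINDOWS\system32\vtutt.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\lpcywinp.exe,C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {BE768AA1-3DB4-4698-BDE7-1F54BDF85054} - C:\WINDOWS\system32\vtutt.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O20 - Winlogon Notify: mexrozsh - C:\WINDOWS\SYSTEM32\mexrozsh.dll
O20 - Winlogon Notify: opnlkjg - opnlkjg.dll (file missing)
"""

# Assumed allowlist of Winlogon Notify packages normally present on XP; illustrative, not complete.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# A space squeezed in before the extension ("qttask .exe"): the look-alike trick RenV:: undoes.
SPACE_BEFORE_EXT = re.compile(r"\S\s+\.(exe|dll|scr)\b", re.IGNORECASE)

def triage(log_text):
    """Return (line, reason) pairs for HJT lines that match the persistence patterns above."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]
        reason = None
        if kind == "F2" and "UserInit=" in line:
            entries = [e.strip().lower() for e in line.split("UserInit=", 1)[1].split(",") if e.strip()]
            extra = [e for e in entries if not e.endswith(r"\userinit.exe")]
            if extra:  # a second loader ahead of userinit.exe runs at every logon
                reason = "UserInit chain-loads %s before userinit.exe" % ", ".join(extra)
        elif kind == "F3" and "load=" in line:
            reason = "win.ini load= is normally empty; here it starts a program at logon"
        elif kind == "O20" and "Winlogon Notify:" in line:
            name = line.split("Winlogon Notify:", 1)[1].split(" - ")[0].strip().lower()
            if name not in KNOWN_NOTIFY:
                reason = "unknown Winlogon Notify DLL (loaded inside winlogon.exe)"
        elif kind == "O2" and any(m in line for m in ("(no name)", "(file missing)", "(no file)")):
            reason = "unnamed or orphaned BHO loaded into Internet Explorer"
        elif kind == "O4" and SPACE_BEFORE_EXT.search(line):
            reason = "Run entry points at a look-alike file with a space before its extension"
        elif kind == "R1" and "ProxyServer" in line:
            reason = "proxy override set; confirm it was not planted to intercept traffic"
        if reason:
            findings.append((line, reason))
    return findings
```

triage(HJT_SAMPLE) returns seven findings and leaves the Java line alone; anything the rules do not match still needs a human reader.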
  6. psucavvy

    psucavvy Private E-2

    Hi chaslang, and thanks for the help. First off, here is the combofix log as you requested, before running any of your suggestions...
     

  7. psucavvy

    psucavvy Private E-2

    Okay, attached is the 2nd run of combofix.txt, as well as MGlogs.zip. I'm going to run AVG again to generate the report, as I didn't get one last time around. So far, no pop-ups, and the two icons on the desktop lost their pictures and I was able to delete them...
     

  8. psucavvy

    psucavvy Private E-2

    Just finished running AVG for a second time, I have all the settings on that were in the Read Me First, and still I get no reports generated. It still found a few infections, not nearly as many as the first go-around. I'll await your analysis and suggestions!
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay uninstall AVG Antispyware now and also uninstall LiveUpdate 1.90 (Symantec Corporation) since you no longer have Symantec software installed.


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll (file missing)
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
    O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')

    After clicking Fix, exit HJT.
    The two Symantec lines may be gone already after uninstalling LiveUpdate.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now reboot.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
     
  10. psucavvy

    psucavvy Private E-2

    Sorry for the delay chaslang... attached is the requested log, however I'm not quite sure what you mean by the Avenger log? Everything still running much better than before...
     

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry! That is something I forgot to delete from my message since I did not have you run Avenger.

    Your logs are clean but I don't know why the below is in your HijackThis log now.

    O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat

    Did you run ComboFix again on your own? It was not part of my last instructions. Run analyse.exe and fix the above O4 line.


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note the space between the X and the /U; it must be there.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work through the below link:
     
  12. psucavvy

    psucavvy Private E-2

    Thanks very much for all your help, I sincerely appreciate it!
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
