After Malware, IE and FF won't run
 

Hello,
I recently had a malware problem. I believe I've removed it from my system, but the damage was done. When I try and run Firefox or Internet Explorer, I get the following message and they won't run:

Also, when my system first boots, I get an error message that says,

I've searched Google for that supposed DLL file and returned no results...I get the feeling whatever is trying to access it is a remnant of the malware.

Help would be greatly appreciated. Here's my HijackThis logfile:

Thank you in advance!

Re: After Malware, IE and FF won't run
 

This might help:
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebyt...are_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file to install the application and ensure that it is set to update and start, else start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
Make sure that everything is checked, and click Remove Selected.
Post the Notepad log [it is also saved under Logs tab in MBAM].
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
Run CCleaner in any other Accounts.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O4 - HKLM\..\Run: [ksjf93orkekfniw73nfdd] C:\DOCUME~1\Bisterd\LOCALS~1\Temp\winlogen.exe
O4 - HKLM\..\Run: [\YURC8.exe] C:\Windows\system32\YURC8.exe
O4 - HKLM\..\Run: [\YURC9.exe] C:\Windows\system32\YURC9.exe
O4 - HKLM\..\Run: [\YURCA.exe] C:\Windows\system32\YURCA.exe
O4 - HKLM\..\Run: [\YURCB.exe] C:\Windows\system32\YURCB.exe
O4 - HKLM\..\Run: [\YURCD.exe] C:\Windows\system32\YURCD.exe
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [\YUR5.exe] C:\Windows\system32\YUR5.exe
O4 - HKLM\..\Run: [\YUR4.exe] C:\Windows\system32\YUR4.exe
O4 - HKLM\..\Run: [\YUR6.exe] C:\Windows\system32\YUR6.exe
O4 - HKLM\..\Run: [\YUR7.exe] C:\Windows\system32\YUR7.exe
O4 - HKLM\..\Run: [\YUR12.exe] C:\Windows\system32\YUR12.exe
O4 - HKLM\..\Run: [\YUR8.exe] C:\Windows\system32\YUR8.exe
O4 - HKLM\..\Run: [384546ef] rundll32.exe "C:\WINDOWS\system32\xfvykaum.dll",b
O4 - HKLM\..\Run: [BM3b767573] Rundll32.exe "C:\WINDOWS\system32\yrbaximy.dll",s
O4 - HKCU\..\Run: [ksjf93orkekfniw73nfdd] C:\DOCUME~1\Bisterd\LOCALS~1\Temp\winlogen.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Bisterd\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [\YURC8.exe] C:\Windows\system32\YURC8.exe
O4 - HKCU\..\Run: [\YURC9.exe] C:\Windows\system32\YURC9.exe
O4 - HKCU\..\Run: [\YURCA.exe] C:\Windows\system32\YURCA.exe
O4 - HKCU\..\Run: [\YURCB.exe] C:\Windows\system32\YURCB.exe
O4 - HKCU\..\Run: [\YURCD.exe] C:\Windows\system32\YURCD.exe
O4 - HKCU\..\Run: [\YUR5.exe] C:\Windows\system32\YUR5.exe
O4 - HKCU\..\Run: [\YUR4.exe] C:\Windows\system32\YUR4.exe
O4 - HKCU\..\Run: [\YUR6.exe] C:\Windows\system32\YUR6.exe
O4 - HKCU\..\Run: [\YUR7.exe] C:\Windows\system32\YUR7.exe
O4 - HKCU\..\Run: [\YUR12.exe] C:\Windows\system32\YUR12.exe
O4 - HKCU\..\Run: [\YUR8.exe] C:\Windows\system32\YUR8.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL yfgsag.dll vfzqzv.dll
O22 - SharedTaskScheduler: lksdfj98w3rmsekfnaui3rgfdgf - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\gjm86akm34.dll
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - C:\WINDOWS\system32\msinet.exe

Delete all these files:
C:\Windows\system32\YURC8.exe and similar [the 8 seems to vary as a hexadecimal integer]
C:\Windows\system32\YUR8.exe and similar
C:\DOCUME~1\Bisterd\LOCALS~1\Temp\winlogen.exe
C:\DOCUME~1\Bisterd\LOCALS~1\Temp\csrssc.exe
C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
C:\WINDOWS\system32\xfvykaum.dll
C:\WINDOWS\system32\yrbaximy.dll
C:\WINDOWS\system32\msinet.exe

Post a fresh hijackthis log also.

Re: After Malware, IE and FF won't run
 

Brilliant, thank you! Both problems seem to be fixed now. Here is the current HijackThis log:

A couple other things...

• I noticed while in my system32 folder that there are a lot of filenames that seem suspicious to me. If I took screenshots of the folder contents and posted them, could someone help me identify unwanted files?
  
• The malware changed a couple values that, for one, remove "folder options" from the tools menu in Windows Explorer, and second, disallow registry editing. There may be other changes that I haven't noticed yet... I found how to change both of these values (through the registry and/or Group Policy), but next time I try to open regedit or open Windows Explorer, the problems are back. Anyone know how to permanently fix these?

Re: After Malware, IE and FF won't run
 

System32 is larrrgge.. no-one will take the time to visually vet those files for you. If you are concerned about some [it is full of weird filenames, until you know what the file does...] I will give you a good online scan which has a whitelist.
Oh, please post that MBAM log.
Meantime, you have picked up a fresh infection, and some of the previous are still there. Let's try to deal with them...
==Disable TeaTimer:
Open Spybot, click Mode, select Advanced Mode, click Yes in new window, click on Tools in bottom left hand corner.
Click the Resident icon and uncheck Teatimer box.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
==Download fixwareout from http://downloads.subratam.org/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.

Only if your Internet connection is now not working perform this.... In control panel select the Network and Internet Connections , rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.
==Start Combofix:
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

FIX CHECKED ENTRIES....!!
==Start Hijackthis, do a Scan Only and place checkmarks against all of the following, and then press Fix Checked:
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kddwe.exe] C:\WINDOWS\system32\kddwe.exe
O4 - HKLM\..\Run: [BM3b767573] Rundll32.exe "C:\WINDOWS\system32\qpvqfmil.dll",s
O4 - HKLM\..\Run: [384546ef] rundll32.exe "C:\WINDOWS\system32\cckgmail.dll",b
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Bisterd\LOCALS~1\Temp\csrssc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{366FC8AC-01CE-4490-9C7B-E61DC7AA6EDA}: NameServer = 85.255.116.142,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9E69F33-EA8B-4EBA-9D48-87696E32DBDD}: NameServer = 85.255.116.142,85.255.112.175
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.142 85.255.112.175
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.142 85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.142 85.255.112.175
O20 - AppInit_DLLs: ijzyev.dll
O22 - SharedTaskScheduler: lksdfj98w3rmsekfnaui3rgfdgf - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\gjm86akm34.dll

Delete these files:
C:\DOCUME~1\Bisterd\LOCALS~1\Temp\csrssc.exe
C:\WINDOWS\system32\kddwe.exe
C:\WINDOWS\system32\qpvqfmil.dll
C:\WINDOWS\system32\cckgmail.dll
C:\WINDOWS\system32\ijzyev.dll
C:\WINDOWS\system32\gjm86akm34.dll
C:\DOCUME~1\Bisterd\LOCALS~1\Temp\csrssc.exe

Okay, please run HT again and repost with the old MBAM, plus the fixwareout and combofix logs.
If at all possible please do not turn off your machine until we sort this infection.
Regedit should now be working for you.

Re: After Malware, IE and FF won't run
 

One more to fix:
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - C:\WINDOWS\system32\msinet.exe (file missing)

Re: After Malware, IE and FF won't run
 

Yeah, soon after I posted that, the problems came back...Oy. The problems seem to be gone again now...

I disabled Teamtimer; thank you, I couldn't find how to do that.

MBAM: I tried using MBAM several times at the beginning, and every time I try to scan, my system crashes after a few seconds, so I can't get a log from that...I tried again now and it BSOD'd me again.

Fixwareout: Here's the Fixwareout log...and I did have a net connection problem afterward; doing as you said restored it.

Combofix: Whew, that was thorough. Log:

And here's the latest HT:

I deleted all the files you listed except one (gjm86akm34.dll); I can't get rid of it because "access is denied", I assume it's in use by something..

I would also appreciate that system32 online scan you mentioned. In my system32 folder after all this, I found a couple of little pornographic icons in there. I don't doubt there's more junk.

Thanks again for all this, you're a miracle worker!

Re: After Malware, IE and FF won't run
 

For the tough file, C:\WINDOWS\system32\gjm86akm34.dll :
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
I'll get back to you on the rest...

Re: After Malware, IE and FF won't run
 

Oh dear, your sys has been whacked. Next skirmish follows... and I would like to point out that I much dislike the namers of codec, game and linux files....
==Uninstall MBAM and delete the downloaded files, it has been compromised because it has not removed files I know it should.
==Please go to this web page http://virusscan.jotti.org/, click browse and submit this file for examination:
C:\WINDOWS\system32\kddwe.exe
-I just wish to get it recognised... now you may not find it there cos Fixwareout should have dealt with it, but it may still be here:
C:\WINDOWS\Temp\kddwe.ren
-post the report.
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to a folder or your desktop.

Help with Code Tags
(Toggle Plain Text)
Killall::

Files::
2008-09-06 13:24 . 2008-09-06 13:24 25,088 --a------ C:\WINDOWS\system32\sups.dll
2008-09-06 11:40 . 2008-09-06 11:40 21,504 --a------ C:\WINDOWS\system32\odiw.dll
2008-09-06 10:54 . 2008-09-05 17:07 3,262 --a------ C:\WINDOWS\system32\2.ico
2008-09-06 10:50 . 2008-09-05 17:07 31,232 --a------ C:\x
2008-09-06 10:50 . 2008-09-05 17:07 3,262 --a------ C:\WINDOWS\system32\1.ico
2008-09-06 10:40 . 2008-09-06 10:40 0 --a------ C:\d1.exe
2008-09-06 10:39 . 2008-09-06 10:39 66,048 --a------ C:\uoju.exe
2008-09-06 10:39 . 2008-09-06 10:39 66,048 --a------ C:\oitkxr.exe
2008-09-06 10:39 . 2008-09-06 10:39 34,816 --a------ C:\accq.exe
2008-09-06 10:39 . 2008-09-06 10:39 29,184 --a------ C:\ubcs.exe
2008-09-06 10:39 . 2008-09-06 10:39 10,000 --a------ C:\WINDOWS\system32\gjm86akm34.dll
2008-09-06 10:39 . 2008-09-06 10:39 0 --a------ C:\944064064
2008-09-06 07:27 . 2008-09-06 07:27 155,648 --a------ C:\WINDOWS\system32\CodecBHO.dll
2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SETA1.tmp
2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SET83.tmp
2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SET79.tmp
2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SET64.tmp
2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SET58.tmp
1999-07-07 00:00 6 --sh--r C:\WINDOWS\@@desktop.dat
2006-05-25 05:05 88 --sh--r C:\WINDOWS\system32\2D10762079.sys
2006-06-12 05:09 56 --sh--r C:\WINDOWS\system32\792076102D.sys
C:\WINDOWS\system32\kddwe.exe
C:\WINDOWS\Temp\kddwe.ren

Folders::
2008-09-06 10:50 . 2008-09-07 22:11 <DIR> d-------- C:\Program Files\PCHealthCenter

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5BF49A2-94F3-42BD-F434-3604812C897D}]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{C5BF49A2-94F3-42BD-F434-3604812C897D}"= -

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\\WINDOWS\\system32\\kddwe.exe"=-
"384546ef"=-
"BM3b767573"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jnskdfmf9eldfd"=-
Good. Now drag CFScript.txt onto Combofix [drag the icon if on your desktop, or the filename if in a folder]. Combofix will start, let it run, if your firewall prompts then allow all; post the log.
...and a fresh hijackthis scan.
Phew.

Re: After Malware, IE and FF won't run
 

Small problem...I don't have a kddwe.exe or kddwe.ren file in my sys32 folder. Is that bad? :|

Folder Options and regedit keep disabling themselves again...ack...

Oh, and that unlocker is great.

Edit: I can't get MBAM to scan successfully without crashing the system, remember? I assume that's why those files are still there that it should get rid of.

Re: After Malware, IE and FF won't run
 

No, it is not bad. Just run the next part for me, please - I have re-submitted it because of a syntax error, so ignore the instruction in my previous post regarding this part.
And yep, MBAM broke, so delete all of it.

==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to a folder or your desktop.

Killall::



File::

2008-09-06 13:24 . 2008-09-06 13:24 25,088 --a------ C:\WINDOWS\system32\sups.dll

2008-09-06 11:40 . 2008-09-06 11:40 21,504 --a------ C:\WINDOWS\system32\odiw.dll

2008-09-06 10:54 . 2008-09-05 17:07 3,262 --a------ C:\WINDOWS\system32\2.ico

2008-09-06 10:50 . 2008-09-05 17:07 31,232 --a------ C:\x

2008-09-06 10:50 . 2008-09-05 17:07 3,262 --a------ C:\WINDOWS\system32\1.ico

2008-09-06 10:40 . 2008-09-06 10:40 0 --a------ C:\d1.exe

2008-09-06 10:39 . 2008-09-06 10:39 66,048 --a------ C:\uoju.exe

2008-09-06 10:39 . 2008-09-06 10:39 66,048 --a------ C:\oitkxr.exe

2008-09-06 10:39 . 2008-09-06 10:39 34,816 --a------ C:\accq.exe

2008-09-06 10:39 . 2008-09-06 10:39 29,184 --a------ C:\ubcs.exe

2008-09-06 10:39 . 2008-09-06 10:39 10,000 --a------ C:\WINDOWS\system32\gjm86akm34.dll

2008-09-06 10:39 . 2008-09-06 10:39 0 --a------ C:\944064064

2008-09-06 07:27 . 2008-09-06 07:27 155,648 --a------ C:\WINDOWS\system32\CodecBHO.dll

2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SETA1.tmp

2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SET83.tmp

2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SET79.tmp

2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SET64.tmp

2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SET58.tmp

1999-07-07 00:00 6 --sh--r C:\WINDOWS\@@desktop.dat

2006-05-25 05:05 88 --sh--r C:\WINDOWS\system32\2D10762079.sys

2006-06-12 05:09 56 --sh--r C:\WINDOWS\system32\792076102D.sys

C:\WINDOWS\system32\kddwe.exe

C:\WINDOWS\Temp\kddwe.ren



Folder::

2008-09-06 10:50 . 2008-09-07 22:11 <DIR> d-------- C:\Program Files\PCHealthCenter



Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5BF49A2-94F3-42BD-F434-3604812C897D}]



[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{C5BF49A2-94F3-42BD-F434-3604812C897D}"= -



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=""



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"C:\\WINDOWS\\system32\\kddwe.exe"=-

"384546ef"=-

"BM3b767573"=-



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Jnskdfmf9eldfd"=-

Good. Now drag CFScript.txt onto Combofix [drag the icon if on your desktop, or the filename if in a folder]. Combofix will start, let it run, if your firewall prompts then allow all; post the log.
...and a fresh hijackthis scan.
Phew.