PhilliePhan 171 Central Scrutinizer Team Colleague

Still same thing. I gave full control to myself and Administrator but still nothing.

What error message do you get when you try to delete this?

-- I am not sure any of the easy tools I have will work w/ Vista 64

Download Bill James’ RegSrch

Extract it to your Desktop and DoubleClick regsrch.vbs
-- if your AV has script blocking, you’ll need to allow this to run
When the dialog box opens, type or Copy&Paste {6DEEE498-08CC-43F0-BCA0-DBB5A25C9501} and Click OK.

-- You’ll need to save the log that pops up in Wordpad and then submit it for me.


I'll be back Monday night.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hmz... when I try to delete {6DEEE498-08CC-43F0-BCA0-DBB5A25C9501} it gives me an error access denied.

You probably need to change permissions.

RightClick it and select Permissions and make sure the box for Full Control is checked for your user group (probably Administrators) then delete it.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Ya it removes them, tells me then to restart to have it completely removed. After restart I do a scan and it's there again...

I am pretty sure REGEDIT4 is supported in Vista 64, but you might want to open regedit and manually remove the key. That way you know for sure it is gone.
Then, if it comes back, you know for sure something is restoring it....

But only hack the registry if you are familiar or comfortable doing that. Could really bork a machine.

I'll be back Sunday night, if you guys are still having trouble with this.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Can you explain to poster how this should be done? I am NEVER comfortable with registry fixes...as you well know!

Just save the text below in NOTEPAD:

REGEDIT4

[-HKEY_CLASSES_ROOT\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}]

-- Save it to the Desktop as type "all files" and name it Fixit.reg
-- DoubleClick on Fixit.reg and allow it to merge into the registry.

That ought to do it. If it returns, something is re-creating it.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Dang! Did it remove them?

Just pull that key out manually, Judy.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

You know, going back through this thread, reading the logs, not finding anything...one thing I did notice is that nobody replying on this thread, unless I missed it, had you attempt one logical thing: put your cursor on the taskbar, Right Click, choose Toolbars and see if that Search bar is in there and, if it is, whether there is a check mark next to it. If there is, remove the check mark.

Or, you could probably disable this in Vista settings.


PhilliePhan 171 Central Scrutinizer Team Colleague

Ok Thank You

Happy to help . . . . But I don't have any good news for you:
I do not see anything in those logs.

Are you sure this wasn't installed with another program? Perhaps the recent install of Quicktime on 9/3?

It could be a legit toolbar that was re-directed, but I'd expect to see evidence of that in the logs.


You could try a System Restore to a point before you noticed this.
Or, you could probably disable this in Vista settings.

And, there is always the possibility I might have missed it in the logs, though I doubt it.

Sorry we couldn't be more help.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Here you go.

Well . . . Combofix did not run as it should have - looks like the CFScript was not saved to the desktop properly.

No worries!

We'll do it this way:

1) You'll need to enable the viewing of hidden files and then navigate to the following files and DELETE them:
c:\windows\system32\pavogare.exe
c:\windows\DUMP7743.tmp
c:\windows\system32\REN1EE.tmp
c:\windows\system32\REN1ED.tmp

2) Once that is done, do this:
• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

Let me know if you run into any problems. If not, I think you're good to go.....

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Happy to help :)

-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

-- Let Combofix run as before and post me that log along with a fresh MBA-M scanlog (didn't get to see that one...) and we'll see if we can wrap this up.


P :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks once again for helping me with this.

Happy to help :)

Let's do this next:

1) DELETE your current Win32kDiag and download a fresh copy to the Desktop.
http://ad13.geekstogo.com/Win32kDiag.exe
-- Click START > RUN and then Copy&Paste all of the following text in Red into the command field:
"%userprofile%\desktop\win32kdiag.exe" -f -r
-- Please post that log for me


2) Download and run MBA-M as per the linky below and have it Remove what it finds. It should get some of what Combofix missed.
http://www.daniweb.com/forums/thread134865.html

3) Reboot.

4) DELETE your current copy of Combofix.
Download a fresh Combofix and run it as you did before and post that log for me as well.

Cheers :)
PP

Questions??? commented: PhilliePhan has been a tremendous help! +2
PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks a lot. This this is really starting to ......

I'm sorry - I should have written that more clearly.
I need you to copy and paste the main DDS.txt for me. That's the one I really want to see.
If you didn't save that log, just run DDS again.

As for the toolbar, I have a feeling that it might be one of those "quasi-legit" items that comes bundled in the installation package with another program you might have installed.
I know you said it "just appeared," but maybe she didn't notice it before? Do you remember installing any new software around the time the nuisance bar appeared?

Let's see what we find in the DDS.txt - Just copy and paste that one.

I'll be back tonight.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks for looking at this, here is the log you asked for:

Great!

Let's do this next:

Please Download Win32kDiag from a linky below and save it to your Desktop. Leave it there for now.
http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal

Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight the complete text in Red below and copy it using Ctrl+C or RightClick > Copy:


Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox , using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.

NEXT:

Click START > RUN and then Copy&Paste the following into the command field: "%userprofile%\desktop\win32kdiag.exe" -f -r

-- That should produce a log, as well. Please post it for me.


LASTLY:

If you already have combofix on your machine, DELETE it.

Then follow the instructions in the link below to DL a …

PhilliePhan 171 Central Scrutinizer Team Colleague

So looks like I'm stuck with this search bar for another while.

We really need a more thorough look at what is going on before we can say that :)
HijackThis is often insufficient when it comes to today's malware - Let's try this:

-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).
Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.

Judy, I, or one of the other volunteers will have a look as time permits.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I really don't know what to do and would appreciate anyone who can help me fix my friends computer.
Thanks in advance.

I'd like to try this first:

Please download FindIt.zip and Extract the FindIt folder to your desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run. (10-20 seconds)
A log should pop up - please post that for me.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Don't forget to delete the malware in addition to fixing with HJT.

I'm not sure any of the scanners will remove those, so you probably need to rip them out manually.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

At this point we just need to recover lots of data files before we re-format

At this point, without seeing exactly what is infecting you, it is difficult to comment with any accuracy - it sounds like you might have more than one infection.

Also, due to the rootkits involved with the infection you noted, putting those hard drives in another computer for data recovery is a bad idea - you could end up with another compromised machine.

-- Can you get me a HijackThis log?
-- Try running MBA-M in Safe Mode and see if it completes
-- If not, run it until it has found a bunch of baddies - abort the scan manually and then see if you are able to have it clean what it has found and run it again.

-- When MBA-M craps out, what file is it "hanging" on?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Jon,

That looks better - are things running as they should?


Let's remove Combofix and the files/folders it created:

• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This should remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

Let me know if you run into trouble with this, as you are not running combofix from the proper location.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Jon,

That didn't work real well - Let's try it one more time. You have to do this exactly as written or we'll run into problems:

-- You need to DELETE your current copy of Combofix

-- Download a fresh combofix to your DESKTOP

-- Download that CFScript from Post #13 to your Desktop as well

-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

Post me the fresh log - I just want to remove those last remnants of that baddie......

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hello, I am new to Daniweb - apologies if I am wrong to say this, had something similar posted myself a few days ago and it turned out to be my keyboard.

No - You're fine to post that. After all, they linked to your thread, so probably a good idea to post that...

I was going to post something similar, but figured Judy had it covered.

This is most likely malware with the misdirection to strange url and then the multiple IE opening....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

You have been super awesome.

Well . . . . That's what everybody keeps telling me . . . I hope it doesn't go to my head! LOL!


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Great! :)

Things look good - a few rootkit remnants were removed and the log looks OK to me. Was going to suggest a run of Root Repeal for good measure, but the Panda scan was clean so I think we can forgo that unless you are in the mood for more scanning . . . LOL!


A few things:

-- You can DELETE:
C:\ILLA
C:\KILLBAD
C:\suckmydick
C:\PKBOO

ALSO:
Please navigate to the files in bold below and upload them here for analysis and let me know what you find ---> http://virusscan.jotti.org

c:\documents and settings\All Users\Application Data\icyw.dat
c:\windows\iun6002.exe

Lastly:

Let's remove Combofix and the files/folders it created:

• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

Now, I know you're blaming your husband, LOL! (heard that a million times + oh, it's my son home from school for spring break + all the others), so be sure to warn him of the dangers of P2P/Torrents and the like. Maybe threaten to …

PhilliePhan 171 Central Scrutinizer Team Colleague

I thought I had. Sorry. It's all yours.:)

Running MBA-M after combofix WILL clean malware - it is not a bad step.
The thing is, it will also alter the contents of any subsequent CFScript as I'll have to cross-check the two logs - I just don't want to have to look at two logs at once and try to figure what has been removed and what still needs to be . . .

Congrats on being a "featured poster, btw....!"

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

crunchie is right - Once combofix has been run, only the volunteer who requested it be run should post until the matter has been resolved! Everybody else is just getting in the way. (no offense intended to anybody - just speaking the truth)

Please don't run any other tools until you hear from HIM. The fixes with combofix will be very specific to YOUR computer. Running other cleaners can cause difficulties with the fixes he will post for you. So if others suggest some other cleaner, please IGNORE them.

I wish you had listened to your own advice in this post, Judy, LOL!
http://www.daniweb.com/forums/post964794-24.html

I guess, when one is a FEATURED POSTER, one can get away with this . . . . . ;)


@ Sisaly - This is my fault, but I should have mentioned that I would need a Fresh combofix log after the MBA-M scan.

Delete your current combofix and download a fresh copy, run it and post me the log. We are pretty much done, but I want to clean up any "hangers on."

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Here's the MalwareBytes log.

LOL! You let that thing run for over an hour and then you didn't have it remove the baddies? ;) After all they put you through . . . .

Run it again and when the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.

I will check back Wednesday evening EST - there are still a bunch of fixes we need to do manually with combofix. I'll post them for you tomorrow.

-- Hey. . . . Don't rip any more hair out over that "Remove Selected" fail........

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

not sure I know exactly what you meant but here is the new log

Hi Jon,

You need to download that attached CFScript.txt to your Desktop and then drag the CFScript.txt icon over the combofix.exe icon which will then start Combofix.

Like this

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Running now.....

All right . . . Now we are cooking with gas . . . or something like that.

I am calling it a night - My eyes are killing me + have some actual paying work to do.

Post the combofix log for me and I'll have a look at it first chance I get.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Jon,

Download the attached CFScript.txt to your Desktop.
-- Drag the CFScript.txt into ComboFix.exe to start ComboFix again.

Post me that log and tell me how things are working....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Ok - If you already have combofix on your machine, DELETE it.

Then follow the instructions in the link below to DL a fresh Combofix and run it:
http://www.malwarebytes.org/forums/index.php?showtopic=22723

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Bunnyfix.exe and then download it to your desktop as that and follow the instructions in the linky to run it and post the log.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Phil I did exactly as stated and when I run Execute ( after copy/paste) on avenger I get this...

Invalid script Error: A valid script must begin with a command directive. Aborting execution!

Copy and paste everything in red, including "Files to move:".

Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll


Try again and see if that works and then do the rest.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Wow Phil you are a trooper.
I got KILLBAD and win32kdiag to run. Here are the logs.

The stuff that is hard to kill is more fun for us Forum volunteers :)

Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight the complete text in bold below and copy it using Ctrl+C or RightClick > Copy :


Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox , using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.


NEXT:

Click START > RUN and then Copy&Paste the following into the command field: "%userprofile%\desktop\win32kdiag.exe" -f -r

That should produce a log, as well. Please post it for me.

Let me know if you ran into any difficulties along the way with these instructions and we'll go from there.

-- Check and see if MBA-M will run now and, if it does, do a Full Scan and have …

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks a million - so much appreciated

Happy to try to help!

I'll keep my fingers crossed.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

You could try the hardware Forum here at Daniweb:

http://www.daniweb.com/forums/forum7.html

A lot of smart people - they might have some better ideas than what I can come up with.
Be sure to tell them that we ruled out malware.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi all and thanks for the info. I never mentioned that this pc is a laptop - how can I change the keyboard?

At this point, you might be better off taking it to a shop and having them do it - at least you can point them in the right direction.....

With regard to the ctrl + n, nothing happens, but none of my shortcuts are working e.g. ctrl a to select all nor ctrl alt delete.

This would indicate to me that we are on the right track with our diagnosis.

Just for good measure though I reformatted again the other day. Same thing (getting anything up to 150 pages at a time).

So - Must indeed be a hardware issue.

Can you do a walk-through of the keyboard thing for me? Appreciate all your help and assistance, K

Happy to try to help, but I am not comfortable doing that as there are a lot of ways to damage your machine. I would recommend a repair shop as the safest and most effective way to solve the problem.

If you are keen to try it yourself, there are tons of tutorials on the web. For instance:
http://www.refurbished-laptop-guide.com/how-to-replace-laptop-keyboard.html

Best luck to you!
Sorry I could not be more help.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks for ALL your help and advice! Gonna work on this FRIDAY and will let you know what happens!

OK :)

All you need to do at this point is get me that Win32kDiag log and we'll go from there.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Good luck, greetings from Germany
Morganfield

Thanks, but that is not an option just yet - poster cannot get MBA-M to run.

Hopefully, after Sisaly gets me the Win32kDiag log, we can change that.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Okay . . . . I've managed to get somewhat up to speed, LOL!

Turns out that this particular baddie is extremely nasty, and I don't mean the obvious stuff. It has all sorts of rootkit components involved and is a real pain to clean.

Our best bet would be to get combofix to run. Generally, when I see baddies such as this, I advise a reformat because of the nature of the rootkit beast.
However, if you'd like to give cleaning this a shot, we can try to get combofix to run.

See if you can get this tool to run:

Please Download Win32kDiag and save it to your Desktop.

http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

-- DoubleClick on Win32kDiag.exe to run it. Let it run for as long as it needs to. If it doesn't run, try renaming it to Win32kDiag.com

-- When it says Finished – Press any key to exit, do that to exit the program.
-- You should now have a Win32kDiag.txt on your Desktop. Please post the entire log for me and we’ll go from there.

I will check back as soon as time permits.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

See if you are able to get this to run.

Looks like there are some serious rootkit components to this and our best bet would be to get combofix to run. Generally, when I see baddies such as this, I advise a reformat because of the nature of the rootkit beast.

If you'd like to continue, please do the following:

Please Download Win32kDiag and save it to your Desktop.

http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

-- DoubleClick on Win32kDiag.exe to run it. Let it run for as long as it needs to.
-- When it says Finished – Press any key to exit, do that to exit the program.
-- You should now have a Win32kDiag.txt on your Desktop. Please post the entire log for me and we’ll go from there.

I will check back as soon as time permits.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Now that I think about it, I think maybe that cespy might be the Covenant Eyes filter I use. I just viewed it as an internet filter and not "a commercial Key-logger or spyware". Anyway, it showed up again.

That's what it is . . . . And that's why it's back. I saw the CE entry in HJT, but it didn't register. But, it's definitely in the Spyware family.
Didn't think nmnsp.dll was a component, though.

Nothing else really jumps out at me from your HJT log - you might try running ComboFix as per the linky below and posting the log for us.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

I'll try to check back on Tuesday, as time permits.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

A little light humor is always nice when dealing with malware... ;)

-- I've had literally hundreds of people use that tool over the years.

PhilliePhan 171 Central Scrutinizer Team Colleague

not sure what those files are.

should they be removed?

Lots of times parents like to spy on their kids . . . .


Please Download LSPFix and extract it from the ZIP.

-Please run LSPFix.

-Check the Box labeled "I know what I'm doing" and then click on the nmnsp.dll file (in the “Keep” section) to select it.

-Then, Select the >> button to move nmnsp.dll into the Remove section.

-Please do the same for cespy.dll.

-Now, click the Finish Button. When the Repair Summary box appears, click OK.

Do a fresh scan with HJT and post the log.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll

Do you know if there is a commercial Key-logger or spyware on this machine?

PhilliePhan 171 Central Scrutinizer Team Colleague

I have tried to run hijack this, sd fix, as well as Malwarebytes' Anti-Malware 1.40, but all to no avail.

What happens when you try to run the tools?

PP :)

jonknisely commented: great help; would highly recommend +1
PhilliePhan 171 Central Scrutinizer Team Colleague

New linky for KILLBAD.zip

KILLBAD.zip

You might be able to run it by navigating to C:\KILLBAD\KILLBAD.bat and DoubleClicking the .bat file - that ought to work.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I tried system restore, nada.
I double clicked the .bat.

OK - The problem with the KILLBAD was PhilliePhan Error!
Not a big error, though and the registry should have been fixed....

Try this one:

KILLBAD.zip

This one should pop up with the right log. Let's see what it says.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

Hi Dave -

I am a bit stretched thin, so I find that I am missing things - I didn't even see where you said Firefox doesn't re-direct.....

-- Did you reboot after running MBA-M?

The item in the quote is part of a very nasty infection - I am not sure if MBA-M will get it.
Something like this compromises any online banking and credit card info - you might want to check your banking info and change any passwords (from a clean compy, of course).

-- If you are able, please try to run SDFix from the linky below and post the log:
http://www.bleepingcomputer.com/forums/topic131299.html

I'll try to check back as time permits. Hopefully some of the other volunteers will be back soon - I'm stretched a bit thin between real work and Forums.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Good god! This sucker is evil I tell you.

Something is not right - if notepad opened with a blank log. I'll have to have another look at the darn thing. I very easily could have made a mistake - doing ten things at once here.... :)

-- Did it run when you DoubleClicked the .bat file or did you use command.com for command prompt?
-- Are you comfortable digging around the registry? We need to change this:
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\desote.exe \"%1\" %*"

To This:
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

Basically, we want to remove only the part in bold:
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\desote.exe \"%1\" %*"

The thing is, I don't think regedit will run for you. The tool I wrote should have done this automatically - I need to re-check it.

It seems you've killed all the processes, so fixing the registry value ought to work, if we can do it....

Hang in there:)

-- Hey, did we try System Restore? That might be an option:
Open a command prompt with command.com

Type %systemroot%\system32\restore\rstrui.exe ENTER

See what happens.

I've got to cut out for a bit to get something to eat - Will try to check back tonight.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Dave,

Sorry - I got tied up....

I'd like to have a more thorough look at what is going on.
Please follow the directions in the linky below to run ComboFix and post the log for us.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

I will try to check back as time permits.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

If you are still having trouble, navigate to your C:\Program Files\MalwareBytes Folder.

Then, Rename mbam.exe to zappa.com
See if it will run.
If so, please have it remove all that it finds and post the log for us.


If it does not run, you can try the following, but it is strictly a "Run At Your Own Risk!" proposition:

* Download KILLBAD.zip and EXTRACT the KILLBAD folder to your C:\ Drive
* Use START > RUN >Command.com to get a command prompt

* TYPE C:\KILLBAD\KILLBAD.bat ENTER

* If the tool is able to run, a log should eventually pop up in notepad.
Please post that for us.

Then, try running MBA-M again.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav
F2 - REG:system.ini: UserInit=C:\WINDOWS.0\system32\userinit.exe,C:\WINDOWS.0\system32\sdra64.exe,

So sorry to be the bearer of bad news, but you have a nasty backdoor trojan with rootkit components.
This thing is far worse than Windows Police Pro - If you do any sort of online banking, there is a good chance your info has been compromised. Definitely check your banks, credit cards, etc. and change any passwords.

In cases such as this, I generally recommend a re-format because, even if we are able to clean the machine, you'll never be able to trust it......

PP :)

Atecks commented: very helpful +1
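The hijacks quoted in this thread (the desote.exe entry prepended to HKCR\exefile\shell\open\command a few posts up, the extra programs on the system.ini Shell= and UserInit= lines above, and the O10 Winsock LSP entries HijackThis could not identify) all share one shape: a legitimate default value with something extra bolted onto it. The helper below, added here as an example and not a tool from the thread or from any of the programs it mentions, parses those value strings and reports only the extra parts; the stock values it compares against are assumed to be those of a default Windows XP install, and the sample lines are the ones quoted in the thread plus one constructed benign line.

```python
"""Flag hijacked Windows startup/association values of the kind quoted in this thread.

Three places are checked:
  * HKCR\\exefile\\shell\\open\\command  (stock value:  "%1" %*)
  * system.ini Shell= / UserInit=       (HijackThis F2 lines; stock: Explorer.exe / userinit.exe)
  * Winsock LSP entries HijackThis cannot identify (O10 lines)
Stock values are an assumption based on a default Windows XP install.
"""
import re
from typing import Dict, List, Optional, Tuple

EXEFILE_OPEN_EXPECTED = ['"%1"', '%*']   # tail every clean exefile open command ends with
SHELL_EXPECTED = "explorer.exe"          # only program that belongs in Shell=
USERINIT_EXPECTED = "userinit.exe"       # only program that belongs in UserInit=

F2_RE = re.compile(r'^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$', re.IGNORECASE)
O10_RE = re.compile(r'^O10 - Unknown file in Winsock LSP: (.+)$', re.IGNORECASE)


def unescape_reg_value(reg_line: str) -> str:
    """Return the raw registry string from a .reg default-value line of the form @="..."."""
    m = re.match(r'^@="(.*)"\s*$', reg_line.strip())
    if not m:
        raise ValueError("not a .reg default-value line: %r" % reg_line)
    # .reg files escape a backslash as \\ and a double quote as \" ; undo that
    return re.sub(r'\\(.)', r'\1', m.group(1))


def split_cmdline(value: str) -> List[str]:
    """Tokenise a Windows command string; quoted arguments stay as one token
    (an unquoted path containing spaces would split, which is acceptable here)."""
    return re.findall(r'"[^"]*"|\S+', value)


def exefile_hijack(value: str) -> List[str]:
    """Tokens injected in front of the stock '"%1" %*' of the exefile open command.
    [] means clean; anything else runs every time an .exe is launched."""
    tokens = split_cmdline(value)
    n = len(EXEFILE_OPEN_EXPECTED)
    if len(tokens) < n or tokens[-n:] != EXEFILE_OPEN_EXPECTED:
        return tokens or ["<empty value>"]   # unexpected shape: report the whole thing
    return tokens[:-n]


def hjt_line_extras(line: str) -> Optional[Tuple[str, List[str]]]:
    """Parse one HijackThis F2 or O10 line.
    Returns (key, entries beyond the stock one), or None for lines this helper ignores."""
    line = line.strip()
    m = O10_RE.match(line)
    if m:
        return "LSP", [m.group(1).strip()]   # HJT could not identify it: always report
    m = F2_RE.match(line)
    if not m:
        return None
    key = "Shell" if m.group(1).lower() == "shell" else "UserInit"
    value = m.group(2).strip()
    if key == "Shell":
        # Shell= is space separated; anything besides Explorer.exe is an extra shell
        extras = [p for p in split_cmdline(value) if p.lower() != SHELL_EXPECTED]
    else:
        # UserInit= is comma separated (a trailing comma is normal); compare by file name
        progs = [p.strip() for p in value.split(",") if p.strip()]
        extras = [p for p in progs if p.lower().rsplit("\\", 1)[-1] != USERINIT_EXPECTED]
    return key, extras


def report(hjt_lines: List[str], exefile_reg_line: str) -> Dict[str, List[str]]:
    """Collect every suspicious entry, keyed by where it was found."""
    findings: Dict[str, List[str]] = {}
    for line in hjt_lines:
        parsed = hjt_line_extras(line)
        if parsed and parsed[1]:
            findings.setdefault(parsed[0], []).extend(parsed[1])
    injected = exefile_hijack(unescape_reg_value(exefile_reg_line))
    if injected:
        findings["exefile"] = injected
    return findings


# Sample input: the three lines quoted in the thread plus one constructed benign O4 line
SAMPLE_HJT_LINES = [
    r"F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS.0\system32\userinit.exe,C:\WINDOWS.0\system32\sdra64.exe,",
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",   # constructed; ignored
]
SAMPLE_EXEFILE_REG_LINE = r'@="C:\\WINDOWS\\system32\\desote.exe \"%1\" %*"'   # from the thread

if __name__ == "__main__":
    for key, entries in report(SAMPLE_HJT_LINES, SAMPLE_EXEFILE_REG_LINE).items():
        print("%-8s %s" % (key, " | ".join(entries)))
```

On a live machine the same functions can be fed values read with `winreg` or a HijackThis log file; the parsing does not depend on Windows.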
PhilliePhan 171 Central Scrutinizer Team Colleague

Phillie, I can't rename mbam. See my last post.

KILLBAD won't run even when typed in as you posted. It lists many lines of Cannot find specified file...no log report. :(

Sorry - it didn't register.

Did you download the new KILLBAD I linked in my last post? It is a different tool - just used the same name.

You'll need to delete the old one first.

-- What happens when you navigate to the new C:\KILLBAD folder and DoubleClick on KILLBAD.bat?

PP :)