11 replies to this topic

[tashi]

Hello and sorry for the delay.

Please post in this topic following the instructions for doing so.

http://forums.tomcoy...showtopic=31622

[pskelley]

Hello Cadet Simon H, Let me welcome you to TomCoyote forum and Classroom. I have to say you are at the door of where you can learn about this process here: http://forums.tomcoy...showtopic=32034 I could give you a link like this: http://www.spywarein...ogtutorial.html
but nothing will replace the process of following the training proceedures available here in Classroom. If I can answer any questions I will be glad to do so, or if you have questions after reviewing the information at that link, contact one of our great teachers for help.

Now that this is out of the way I get to tell you that you have a very infected computer and that clean up will not be easy or fast. If you wish to start the process, the first thing that must go is the LOP tool bar that was downloaded as a sponsor program along with C:\Program Files\Messenger Plus! 3\MsgPlus.exe
The first step will be to use this information: http://chooseknowled...senger-Plus.htm follow the instructions to get rid of LOP. Here is what CastleCops has to say about it. http://castlecops.co...plist-2034.html

To pave the way for the next step and to be sure you did not install this program on purpose, you also have: http://www.symantec....ockchecker.html Let me know you had nothing to do with the installation.

Once the LOP toolbar has been removed, post a new HJT log in this same thread with the information about block checker, and I will post the next step of the cleanup processs as soon as possible after that.

Thanks...pskelley
TomCoyote forum
Expert Member

[pskelley]

OK Simon, You should no longer have the LOP toolbar, we will see how it goes when we remove them from the HJT log. I need to ask that you read all instructions carefully and respond to all requests for information.

Let me know you had nothing to do with the installation.

I will proceed assuming you had nothing to do with the Adware.BlockChecker installation.

You may want to read about this worm to find out how it got onboard and what damage you may have to repair on your system:
http://www.symantec....mugly.a@mm.html

Before we start, you are running HJT from here: D:\Software\HiJackThis\HijackThis.exe If D:\ is not a drive please move HJT to your C:\ where it can safely store logs and backups.

1) Thanks to Atribune and anyone who helped with this removal tool. Please follow these directions, but save the HJT log for the end of these instructions.

Please download Blockrem © Atribune from HERE

• Unzip it to its own folder on your desktop.
• Boot your computer to safe mode by rebooting and tapping the F8 button repeatedly until it brings up a boot menu.
  From that menu, select Safe Mode by using the arrow keys to highlight it then pressing enter.
• Once in safe mode open the Blockrem folder on your desktop and double-click blockrem.bat (this is the file with the gear icon) to run it.
• Once it is running please follow the onscreen instructions.
• Reboot in normal mode and post a new HijackThis log.

2) Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp and please do not run it until I ask you to.

3) Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
The newest version of Ad-aware is 1.06 and Spybot 1.04. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.

4) Ewido scan:
Please download Ewido Security Suite it is a trial version of the program.

• Install ewido security suite
• Launch ewido, there should be an icon on your desktop double-click it.
• The program will now go to the main screen

You will need to update ewido to the latest definition files.

• On the left hand side of the main screen click update
• Then click on Start Update

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Once the updates are installed do the following:

• Click on scanner
• Click on Complete System Scan and the scan will begin.
• NOTE: During some scans with ewido it is finding cases of false positives.**
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
• Once the scan has completed, there will be a button located on the bottom of the screen named Save report
• Click Save report.
• Save the report .txt file to your desktop.

Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.apleairsr...McBd6D/Vgh.html
O2 - BHO: (no name) - {48822653-AF6E-8072-9A56-0719F1F20730} - C:\DOCUME~1\Susanne\APPLIC~1\UPLOAD~1\ford move.exe
O2 - BHO: (no name) - {69AA6F50-B566-78BA-8326-11557CF07F6E} - C:\WINDOWS\System32\fpifpxz.dll (file missing)
O2 - BHO: (no name) - {82F2908E-514C-579B-195D-5CF07CCE6C97} - C:\WINDOWS\system32\yolkwpcp.dll (file missing)
O2 - BHO: (no name) - {9D6ABD4B-7A8F-270E-DC9E-0082CB6C2EB0} - C:\WINDOWS\system32\ioixcl.dll (file missing)
O2 - BHO: CDLPObj Object - {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - C:\WINDOWS\DLP.dll
O2 - BHO: System Process - {C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB} - C:\WINDOWS\system32\navshext1.dll
O2 - BHO: (no name) - {EB457222-BBB2-B266-B9E9-924BB76B08E5} - C:\WINDOWS\system32\psy.dll (file missing)
O4 - HKLM\..\Run: [tyyinilmitgz] C:\WINDOWS\System32\ikvzjaf.exe
O4 - HKLM\..\Run: [bike option 1 16] C:\Documents and Settings\All Users\Application Data\mathroadbikeoption\metaenc.exe
O4 - HKLM\..\Run: [virtual] winit.exe
O4 - HKLM\..\Run: [BlockChecker] C:\Program Files\Block Checker\block-checker.exe
O4 - HKLM\..\RunServices: [virtual] winit.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v6.cab
O20 - Winlogon Notify: hobbatool - hobbatool.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) Enable hidden files&folders..reverse the process when finished.
http://www.xtra.co.n...1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

winit.exe >>> file (probably running from Temp or Prefetch. Use search companion to find out. This is Mugly and it must be located and deleted!!

C:\WINDOWS\System32\ikvzjaf.exe >>> file

C:\Documents and Settings\All Users\Application Data\mathroadbikeoption\ >>> folder (if there)

C:\Program Files\Block Checker\ >>> folder

C:\Windows\Prefetch\ >>> delete everything in this folder (NOT THE FOLDER)
Prefetch info: http://www.windowsne...refetch-XP.html

7) Run CCleaner, Windows & Applications when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do. Then restart the computer and post a new HJT log and the Ewido scan results in this same thread along with any feedback you have. Let me know how you are running now.

Thanks...pskelley
TomCoyote forum
Expert Member

[pskelley]

Hello Simon, one of the biggest problems with doing a remote repair like this is getting the member to follow the directions. This is of paramount importance and in order to follow the directions, one first needs to read them. This is why I bold some items and highlite others in red. But I can't do that with everything. You said this:

CCleaner is downloaded (waiting for your instruction to run).

Please return to the instructions I posted and in instruction #7, read the first two words, thanks.

I also wish to go back a little further and remind you I said this:

Now that this is out of the way I get to tell you that you have a very infected computer and that clean up will not be easy or fast.

We have a ways to go from a glance I had at the ewido scan report. Take care of the instructions you missed and I will post the next instructions as soon as the fog burns off here in Florida.

Phil

[pskelley]

Thanks for the instructions. I should let you know that I have a dilemma here

I would say your daughter is your problem but I do know messenger plus is not required and is only an add on that is used with MSN Instant Messenger that works without it. It also has nothing to do with MSNIM or Microsoft. I for one would never use it because of the fact it installs C2Media/LOP by default. I believe your daughter is pulling your chain?

I also need to say that the block checker software had to be agreed to by someone with access to this computer.

Spybot was downloaded and run before Ad-aware. Re-boot and run Ad-aware. Then run ewido (Took several times cause it freezes at certain locations when removing files, I manually removed some of the files to get to the end).

Ewido will have issues like this when the infection is as bad as this one was. Often I will run it several times and also in safe mode which you will be doing shortly. I will comment on the ewido scan report first.

ewido anti-malware - Scan report Created on: 2:09:39 AM, 1/1/2006
What a mess. The first items which for some reason you ignored? When you run this program next, unless you know the item is not bad, delete everything. If it will not delete something then quarantine it.

The first three items is the quarantine are of a Yahoo program you have installed. Go there and delete everything in that Yahoo quarantine folder.

You also ignored many cookies. First, go here: C:\RECYCLER\ and open the bin for each user and delete everything in it (not the bin) If you don't see it, you do not have files and folders enabled.

When time permits use these links to gain some control of the cookies in Firefox:
http://privacy.getne...fdisablecookies
http://www.mozilla.o..._priv_help.html
If you need this information also for Internet Explorer let me know.

After you complete the above instructions, use this information to start the computer in safe mode:
http://www.bleepingc...tutorial61.html

Once in safe mode, run ewido again, delete everything it finds, there was nothing in the earlier scan that was any good. You should have no Yahoo quarantine items or C:\Recycler items in this scan report.

Logfile of HijackThis v1.99.1 Scan saved at 2:35:34 AM, on 1/1/2006

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {1341D3F5-32B0-842A-CC6F-1CFF35279FFC} - C:\DOCUME~1\Susanne\APPLIC~1\UPLOAD~1\ford move.exe (file missing)
O4 - HKLM\..\Run: [Aim Chin Keep Part] C:\Documents and Settings\All Users\Application Data\Creative bore aim chin\DumbCreative.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Delete these folders if there:
C:\DOCUMENTS AND SETTINGS~1\Susanne\APPLIC~1\UPLOAD~1\ >>> folder

C:\Documents and Settings\All Users\Application Data\Creative bore aim chin\ >>> folder

Empty the recycle bin and reboot the computer.

Computer is faster now but I am still get ad bar at the bottom of screen and pop up when I open IE. Firefox seems clean now.

Since you left so much junk ignored in the first ewido scan, this does not surprise me. When I say you are clean then let me know if any issues are left I can't see.

Post a new HJT and the ewido scan results. This stuff never comes off as easy as it gets on. Let's try to stay after this so it gets resolved, it has been dragging our far too long.

Since it appears you have multiple users, I need a log from each user created while signed in to that account.

Thanks...Phil

Edited by pskelley, 01 January 2006 - 09:40 AM.

[pskelley]

Hello Simon, We seem to be making some progress? The HJT log looks much better, I wonder if you can validate this item for me:
O4 - HKLM\..\Run: [ScRunCdRomSetupExe] E:\USBDRV\..\setup.exe

I asked in my last post about the possibility of multiple users and never got a response, can I get a yeah or neigh on that please.

ewido anti-malware - Scan report Created on: 3:00:26 AM, 1/7/2006
Altnet is a troublesome one to get rid of. You can see here all the free promises to get rid of it:
http://www.google.co...q=remove Altnet We will try again to kill it, this time in safe mode. We may have to edit the registry to remove it all? Why don't you do a search for us and see what search companion come up with. Let me know if it located elsewhere on the computer, especially the pathway.

Your feedback:
1) answered above.
2) watch your spelling > C;\ this should be C:\ Once I corrected the spelling, google returns this information:
http://www.google.co...ws applications
This looks like it may be a missing or corrupt file, let's try running System File Checker which is the first suggestion in the link below. If that does not work try the others.
http://www.cyber-rob...autoexecNT2.htm
3) I use the suggestions of some of the most respected folks in malware removal, since the HJT log is clean, I will post that information for you now.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.o...topic.php?t=957
http://russelltexas....re/allclear.htm
http://forum.malware...wtopic.php?t=14
http://www.bleepingc...topict2520.html
Once you have reviewed this information, if you have questions, I will do my best to answer them.
4) No, to be sure nothing is backed up in System Restore, use this information to get clean SR files once we are finished with the repair.
http://service1.syma...src=sec_doc_nam

I must know if I am dealing with multiple users, an infection can be in one users HJT log and not show in another. If there are multiple users, post a log when signed in to each user, mark the logs plainly. See what your search comes up with concerning Altnet, I would like you to run ewido once more, this time in safe mode:
http://www.bleepingc...tutorial61.html and post the scan results. See what you can do with the information I provided about the error message.

Thanks...Phil

Edited by pskelley, 07 January 2006 - 09:15 AM.

[pskelley]

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php