[Solved] followed the steps to clean computer - logs - Tech-101 Free Computer Support

Orignl09 · #1 (**permalink**) 01-14-2009, 12:59 AM

hello

recently my norton 360 stopped working - it doesn't open.

along with that, no program can access the internet to receive updates any more. however, i can still get on the internet through internet explorer.

i completed the steps given to clean up my computer, but the two problems haven't been fixed. would you please look over my logs and give me some direction?

thank you

Blind Dragon · #2 (**permalink**) 01-14-2009, 01:14 AM

Hi Orignl09,

Welcome to Tech-101

Looks like you are infected with a bot that connects to a remote IRC server and could be sharing your personal information. Depending what you use the computer for you may want to consider formatting and reinstalling windows clean.

We can most likely clean the infection but there is no guarantees that your information hasn't already been compromised.

=================================

Remove bad HijackThis entries

Run HijackThis[/*:m:1mo29o1o]
Click on the System Scan Only button[/*:m:1mo29o1o]
Put a check beside all of the items listed below (if present):

O2 - BHO: (no name) - {B7C42EB6-E07E-B4AC-2537-BCA9399B5BC1} - C:\WINNT\system32\meyyzaq.dll (file missing)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunServices: [Windows Services] smsc.exe
O4 - HKCU\..\RunServices: [Windows Services] smsc.exe
O20 - AppInit_DLLs: dexplore.dll rgoenh.dll rwpmxh.dll pxtlui.dll cmzeol.dll
O24 - Desktop Component 0: (no name) - http://www.lynyrdskynyrd.com/downloads/jb_ls800x600.jpg
O24 - Desktop Component 1: (no name) - http://www.geocities.com/quituo/marley1.jpg
O24 - Desktop Component 2: (no name) - http://www.phoenixr.com/wallpaper/wallp ... 00x300.jpg
O24 - Desktop Component 3: (no name) - http://www.jgeoff.com/scarface/wallpape ... NTLINK.jpg
O24 - Desktop Component 4: (no name) - http://www.jgeoff.com/scarface/wallpape ... NTLINK.jpg
O24 - Desktop Component 5: (no name) - http://www.1lovecards.com/ecard/Starter ... /rude7.jpg[/*:m:1mo29o1o]

Close all open windows and browsers/email, etc...[/*:m:1mo29o1o]
Click on the "Fix Checked" button[/*:m:1mo29o1o]
When completed, close the application.[/*:m:1mo29o1o]

=============================

OTMoveit3 by OldTimer
Please download the OTMoveIt3 by OldTimer.

Save it to your desktop.[/*:m:1mo29o1o]
Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")[/*:m:1mo29o1o]

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:

:Processes
explorer.exe

:Files
C:\WINNT\system32\meyyzaq.dll
C:\WINNT\system32\dexplore.dll
C:\WINNT\system32\rgoenh.dll
C:\WINNT\system32\rwpmxh.dll
C:\WINNT\system32\pxtlui.dll
C:\WINNT\system32\cmzeol.dll
C:\WINNT\system32\smsc.exe

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

[/*:m:1mo29o1o]

Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.[/*:m:1mo29o1o]
Click the red Moveit! button.[/*:m:1mo29o1o]
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.[/*:m:1mo29o1o]
Close OTMoveIt3[/*:m:1mo29o1o]

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

============================

Combofix

Download Combofix to your desktop. [/*:m:1mo29o1o]
Double click combofix.exe & follow the prompts. [/*:m:1mo29o1o]
A window will open with a warning. [/*:m:1mo29o1o]
When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. [/*:m:1mo29o1o]

Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt

==========================

Attach Here:
1) OTMoveit Log
2) Combofix.txt
3) A fresh hijackthis ran after everything else

This thread is for the use of Orignl09 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Virus and Malware Removal Forum.

Bobbye · #3 (**permalink**) 01-14-2009, 10:49 PM

Blind Dragon will continue reviewing your long, but I want to mention this: you need to get the Cookies under control. The following will help with that:

Reset Cookies:
For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

And a NOTE: you have malware in the System Restore points. The cleaning program do not remove malware from these protected files and we'll have you remove the old points when the system is clean. In the meantime, Don't use System Restore.

Orignl09 · #4 (**permalink**) 01-16-2009, 12:20 AM

Hey Blind Dragon

thanks for the welcome

I followed all the instructions and succesfully ran all the scans.

thank you for spending time on this.

thanks for the tip bobbye, I followed your instructions to fix that as well.

until next time
thanks for all the help

Blind Dragon · #5 (**permalink**) 01-16-2009, 12:45 AM

Good work ;) After these steps we can start repairing some of the damage that's been done.

You still have a number of infections. Stick with it.

First: You have Avira Antivirus and Norton installed - you need to eliminate one of them. 2 active antivirus programs can cause problems.

Then whichever one you keep needs to be disabled for now so that it doesn't interfere.

Also, if combofix asks to install the recovery console click yes

===============================

Run CFScript

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)

Quote:

File::
c:\winnt\system32\ktvdlxht.ini
c:\winnt\system32\qnfowcti.ini
c:\winnt\system32\ffkuz.dll
c:\winnt\system32\kkacsmtr.ini

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

=====================================

FindAWF

Click here to download FindAWF.exe and save it to your desktop.

Double-click on the FindAWF.exe file to run it.[/*:m:2mj5dox4]
It will open a command prompt and ask you to Press any key to continue.[/*:m:2mj5dox4]
Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.[/*:m:2mj5dox4]
It may take a few minutes to complete so be patient.[/*:m:2mj5dox4]
When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.[/*:m:2mj5dox4]
Attach AWF.txt file in your next reply.[/*:m:2mj5dox4]

Attach:
1) Combofix log
2) AWF log

This thread is for the use of Orignl09 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Virus and Malware Removal Forum.

Orignl09 · #6 (**permalink**) 01-16-2009, 01:45 AM

BD

thanks for the speedy reply

I have a problem
I uninstalled Avira
Norton is not allowing me to open it to disable it. When I try to uninstall Norton, the program becomes unresponsive.

p.s. thanks for bringing me to your website.

thanks for the help

Blind Dragon · #7 (**permalink**) 01-16-2009, 09:50 AM

I'm glad you joined ;)

You can try the Norton Removal Tool
http://service1.symantec.com/Support/ts ... 3108162039

===================

Then proceed with section CFScript - and like I said if it ask to install the recovery console click yes

Attach:
1) Combofix.txt
2) AWF.txt

This thread is for the use of Orignl09 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Virus and Malware Removal Forum.

Orignl09 · #8 (**permalink**) 01-17-2009, 06:42 PM

BD

Thanks for the Norton tip

Everything went smoothly
Could you possibly tell me a little bit of what I'm doing for some of this stuff too.

Blind Dragon · #9 (**permalink**) 01-17-2009, 06:53 PM

Quote:

Originally Posted by Orignl09

Could you possibly tell me a little bit of what I'm doing for some of this stuff too.

Sure, what's happened is the infection moved some of your legit files into bak folders. Then it replaced those files with fakes - they are infected. So what we are doing - is first deleting the fakes, then moving the legit files back where they belong, then deleting the back folders.

This should make some of your computers functions normal again.

=================================================

Fix AWF Infection
Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

Quote:

"C:\WINNT\bak\GWMDMpi.exe"
"C:\WINNT\bak\UpdReg.EXE"
"C:\Program Files\AIM\bak\aim.exe"
"C:\Program Files\DIGStream\bak\digstream.exe"
"C:\Program Files\ESPNRunTime\bak\DIGServices.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\QTTask.exe"
"C:\WINNT\system32\bak\ctfmon.exe"
"C:\WINNT\system32\bak\ezSP_Px.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe"

Double-click on the FindAWF.exe file to run it.[/*:m:3emlqmqt]
It will open a command prompt and ask you to "Press any key to continue".[/*:m:3emlqmqt]
Press 2 then Enter[/*:m:3emlqmqt]
Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.[/*:m:3emlqmqt]
Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.[/*:m:3emlqmqt]
The program will proceed to move the legit files and will perform another scan for bak folders.[/*:m:3emlqmqt]
It may take a few minutes to complete, so please be patient.[/*:m:3emlqmqt]
When it is complete, it will open a text file in Notepad called AWF.txt.[/*:m:3emlqmqt]
Please attach AWF.txt file in your next reply[/*:m:3emlqmqt]

This thread is for the use of Orignl09 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Virus and Malware Removal Forum.

Bobbye · #10 (**permalink**) 01-18-2009, 10:28 AM

You're welcome for Cookie tip. I find it cuts out a lot of 'trash'!

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
[closed] Ran PRELIMINARY Steps, here's my logs...	ryanNEEDShelp	Virus and Malware Removal	3	08-21-2009 06:48 AM
[Solved] My Logs!!! help.	Caleb C	Virus and Malware Removal	9	01-13-2009 04:13 PM
[Solved] DDS LOGS	-SITH-LORD-	Virus and Malware Removal	19	01-13-2009 03:58 PM
[Solved]My DDS logs	aspzy8	Virus and Malware Removal	2	01-13-2009 03:46 PM
[Solved] My Logs	browser26	Virus and Malware Removal	16	01-10-2009 03:39 PM