Cretemonster

Posts posted by Cretemonster

  1. Expired is NO GOOD for nuttin!

    First thing will be to disable Symantec through Msconfig's Startup and Services tabs!

    All the Norton or Symantec entries should be terminated!

    Now, for some good free Antivirus Software

    AVG

    http://www.grisoft.com/doc/40/lng/us/tpl/tpl01

    Antivir

    http://www.free-av.com/

    avast! 4 Home Edition

    http://www.avast.com/eng/avast_4_home.html

    BitDefender Free Edition v7

    http://www.bitdefender.com/bd/site/products.php?p_id=24

    a-squared Free

    http://www.emsisoft.com/en/software/free/

    ClamAV

    http://www.clamwin.com/

    Free Firewall Software

    Kerio Personal Firewall

    http://www.kerio.com/kpf_download.html

    Sygate Personal Firewall:

    http://smb.sygate.com/products/spf_standard.htm

    ZoneAlarm

    http://www.zonelabs.com/store/content/comp...reeDownload.jsp

    Once one of each is installed and Updated and running the way you want it!

    Uninstall Norton/Symantec from Add/Remove Programs in Safe Mode!

    Hopefully everything will be disabled in Safe Mode!

    http://www.cit.cornell.edu/helpdesk/win/na...installnav.html

    Maybe that link will Help!

    After all that I think you are set!

    Re-enable System Restore

    Reconfigure Windows to Hide Files

    Reconfigure Msconfig the way you like the PC to Startup!

    That pretty much gets it!

    Any Questions?

  2. Looking Good!!!

    Hows it running?

    At this point I would start getting rid of all the stuff that has been used to clean up the PC!

    Only Keep what you really want!

    All the scanning programs, aside from HijackThis, can go!

    Are all the Symantec products working and can you update them and use the scan OK?

    Is there a Firewall with the Symantec product?

    Be sure that SpywareBlaster got installed and that System Restore is disabled!

    Post back and ask all the questions you want and let me know about the questions I asked!

  3. Good Deal!!

    Did all those files go peacefully?

    Now, this file you are searching for, it may look just like the legit file-> USERINIT.EXE

    Trick is to look at the Date and Size of the file

    Good File-> C:\WINDOWS\SYSTEM32\USERINIT.EXE

    Created 08/29/2002 04:00 AM

    Size 22,016bytes or 21.5 KB

    Bad File-> C:\WINDOWS\SYSTEM32\??erinit.exe (The ? can be anything)

    Created 01/11/2005 07:15 AM

    Size 401,408 bytes or 392 KB

    That's the file you want to delete!

    You will notice,when you place the Pointer over the bad file,all that will be displayed is the Date Created and The Size!

    You may need to be in Safe Mode and Have windows showing hidden files to locate this file!

    Post back and Let me know if you find it!

  4. Howdy Hector,

    Good job getting rid of Qoologic!!

    There is definitely some trash left to take out!

    Download the following!

    The attached Zip folder with a reg file I fixed up for you! (Unzip and Extract All)

    LQfix

    Unzip it and save it to your desktop, don't use it yet!

    CCleaner:

    http://www.filehippo.com/download_ccleaner.html

    This is to help keep those Temporary Files Cleaned Up!

    CleanUp! 4.0:

    http://downloads.stevengould.org/cleanup/CleanUp40.exe

    Restart in Safe Mode!

    From LQfix Folder-> Doubleclick LQfix.bat that you saved on your desktop before.

    A DOS window will open and close again, this is normal.

    Use Killbox and Delete all of the following files\folders

    C:\UCmore

    C:\install.cab

    C:\WINDOWS\bundles

    C:\WINDOWS\Helper101.dll

    C:\WINDOWS\INF\biQ.inf

    C:\WINDOWS\INF\polmx2.inf

    C:\WINDOWS\jzey.exe

    C:\WINDOWS\prelimhanse.exe

    C:\WINDOWS\SSK3_B5.exe

    C:\WINDOWS\StubInst.exe

    C:\WINDOWS\alchem.ini

    C:\WINDOWS\msxct1.ini

    C:\WINDOWS\NDNuninstall4_80.exe

    C:\WINDOWS\smdat32a.sys

    C:\WINDOWS\ucmoreiex.exe

    C:\WINDOWS\weirdontheweb_topc.exe

    C:\WINDOWS\SYSTEM32\eliteciy32.exe

    C:\WINDOWS\SYSTEM32\elitegfv32.exe

    C:\WINDOWS\SYSTEM32\elitekyc32.exe

    C:\WINDOWS\SYSTEM32\elitevmx32.exe

    C:\WINDOWS\SYSTEM32\elitevpv32.exe

    C:\WINDOWS\SYSTEM32\ezPopStub.exe

    C:\WINDOWS\SYSTEM32\INNERADINSTALL.LOG

    C:\WINDOWS\SYSTEM32\Party Poker.ico

    C:\WINDOWS\SYSTEM32\rtneg.dll

    C:\WINDOWS\SYSTEM32\saieau.dat

    C:\WINDOWS\SYSTEM32\stlb2.xml

    C:\WINDOWS\SYSTEM32\tsuninst.exe

    C:\WINDOWS\SYSTEM32\winupdt.008

    C:\WINDOWS\SYSTEM32\26kcfjfi.dll

    C:\WINDOWS\SYSTEM32\ACCTRES4.exe

    C:\WINDOWS\SYSTEM32\BDErastM.exe

    C:\WINDOWS\SYSTEM32\broadcastpc.exe

    C:\WINDOWS\SYSTEM32\cdral548.exe

    C:\WINDOWS\SYSTEM32\CIADMIN3.exe

    C:\WINDOWS\SYSTEM32\ikjmdywf.dll

    C:\WINDOWS\SYSTEM32\inetFuel.exe

    C:\WINDOWS\SYSTEM32\msfdje.gif

    C:\WINDOWS\SYSTEM32\rezbw.dll

    C:\WINDOWS\SYSTEM32\Uninstaller.exe

    C:\WINDOWS\SYSTEM32\nsvsvc

    C:\WINDOWS\SYSTEM32\SahImages

    C:\WINDOWS\SYSTEM32\Cache\180SAInstaller.exe

    C:\WINDOWS\SYSTEM32\Cache\em_d.exe

    C:\WINDOWS\SYSTEM32\Cache\ezstub.exe

    C:\WINDOWS\SYSTEM32\Cache\gogotoolssilawo18pi.exe

    C:\WINDOWS\SYSTEM32\Cache\ic_d.exe

    C:\WINDOWS\SYSTEM32\Cache\installer_MARKETING17.exe

    C:\WINDOWS\SYSTEM32\Cache\MTE0MzA6ODoxMg.exe

    C:\WINDOWS\SYSTEM32\Cache\MTE1NjE6ODoxMg.exe

    C:\WINDOWS\SYSTEM32\Cache\MTE1NTA6ODoxMg.exe

    C:\WINDOWS\SYSTEM32\Cache\runsearch.exe

    C:\WINDOWS\SYSTEM32\Cache\setup1015.exe

    C:\WINDOWS\SYSTEM32\Cache\SSK_B5 Seedcorn 2.EXE

    C:\WINDOWS\SYSTEM32\Cache\trafficgen-fran.exe

    C:\WINDOWS\SYSTEM32\Cache\trgen-fran-default.exe

    C:\WINDOWS\SYSTEM32\Cache\trgen_fran-162813.exe

    C:\WINDOWS\SYSTEM32\Cache\VCM QOOL_3.exe

    C:\WINDOWS\SYSTEM32\Cache\videoinst.exe

    C:\WINDOWS\SYSTEM32\CACHE\mswinstall.exe

    C:\WINDOWS\DOWNLOADED PROGRAM FILES\ATPartners.inf

    C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.6.inf

    C:\DOCUMENTS AND SETTINGS\ALEX MCINROE\APPLICATION DATA\Sskcwrd.dll

    C:\DOCUMENTS AND SETTINGS\ALEX MCINROE\APPLICATION DATA\tvmcwrd.dll

    C:\DOCUMENTS AND SETTINGS\ALEX MCINROE\APPLICATION DATA\Lycos

    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AdDestroyer

    C:\Documents and Settings\All Users\Application Data\IEService

    C:\Documents and Settings\All Users\Application Data\msw

    C:\Documents and Settings\Mayra McInroe\Application Data\eetu.exe

    C:\PROGRAM FILES\Bpt

    C:\PROGRAM FILES\SEARCH3 TOOLBAR

    C:\PROGRAM FILES\sf

    Place a tick by any of these selections available

    "Standard File Kill"

    "End Explorer Shell while Killing File"

    "Unregister .dll before Deleting"

    "Deltree(Include Subdirectories)"

    Double Click the Reg File you downloaded and allow it to merge into the registry!

    Now run CCleaner-> Just Click the "Run Cleaner" tab and let it do its thing!

    Now run CleanUp!-> Click the Cleanup tab and let it remove all the files it finds-> Click Close-> Click "Yes" to logoff and Restart back in Normal Mode!

    Restart back in Normal Mode!

    Please open Notepad, and copy/paste the code in the box below into a new text file. Save it as FindFile.bat and save it on your Desktop.

    @echo off
    rem List every file matching ??erinit.exe in System32, hidden and system files included (/a = all attributes)
    dir C:\WINDOWS\SYSTEM32\??erinit.exe /a > files.txt
    notepad files.txt

    Locate FindFile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here along with a new HiJackThis log.

    Hopefully you have installed Spyware Blaster and the Hosts file I suggested!

    Now go to the Windows Update Site and Be sure Windows is fully updated!

    Please let me know if the Antivirus and Firewall you have are still valid and updated?

    If we need to replace those, we can do that for free!

    You have to get this Machine Secured or you are destined to get reinfected!

    Post back and let me know how it goes!

    ClrHec.zip
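The triage in posts 3 and 4 above (a known-good USERINIT.EXE of 22,016 bytes against a 401,408-byte lookalike hunted with the `??erinit.exe` wildcard, and the FindFile.bat `dir` listing the user was asked to post) can be scripted. The Python below is an added example, not part of Cretemonster's posts: it parses a constructed `dir /a` listing in Windows XP cmd.exe layout and flags every entry whose name matches a protected binary's wildcard but is not the real name, or whose size differs from the reference. The sample output, the impostor name `uzerinit.exe` and its size are invented for the example; only the 22,016-byte reference comes from the post. Size and timestamp are weak signals next to a hash of a known-good copy, but they are what the post has to work with.

```python
import re
from fnmatch import fnmatch

# Reference size for the legitimate Windows XP userinit.exe, as quoted in the
# post (22,016 bytes). Add more protected binaries here as you learn them.
KNOWN_GOOD = {
    "userinit.exe": 22016,
}

# Wildcards the impostor was hunted with: the first two characters are
# unknown, the rest mimics the real name.
LOOKALIKE_PATTERNS = ["??erinit.exe"]

# Constructed sample of `dir C:\WINDOWS\SYSTEM32\??erinit.exe /a` output in
# Windows XP cmd.exe layout. The impostor name and its size are invented.
SAMPLE_DIR_OUTPUT = """\
 Volume in drive C has no label.
 Volume Serial Number is 1CE2-7A11

 Directory of C:\\WINDOWS\\SYSTEM32

08/29/2002  04:00 AM            22,016 userinit.exe
01/11/2005  07:15 AM           401,408 uzerinit.exe
               2 File(s)        423,424 bytes
               0 Dir(s)   8,212,480,000 bytes free
"""

# One file/dir entry line: date, time, size (or <DIR>), name.
_ENTRY = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}\s[AP]M)\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<name>.+?)\s*$"
)


def parse_dir_listing(text):
    """Return [(name, size_bytes, 'date time'), ...] for the file entries.

    Header and footer lines do not start with a date and <DIR> lines carry
    no size, so all of them are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if not m or m.group("size") == "<DIR>":
            continue
        size = int(m.group("size").replace(",", ""))
        entries.append((m.group("name"), size, f"{m.group('date')} {m.group('time')}"))
    return entries


def classify(name, size):
    """Verdict for one file against the reference table and lookalike patterns."""
    lname = name.lower()
    if lname in KNOWN_GOOD:
        # Right name but wrong size: the real binary was replaced or patched.
        return "ok" if size == KNOWN_GOOD[lname] else "size-mismatch"
    if any(fnmatch(lname, pat) for pat in LOOKALIKE_PATTERNS):
        # Mimics a protected name but is not it: the file the post says to delete.
        return "lookalike"
    return "unknown"


def triage(text):
    """Map every file name in a dir listing to its verdict."""
    return {name: classify(name, size) for name, size, _ in parse_dir_listing(text)}


if __name__ == "__main__":
    for name, size, stamp in parse_dir_listing(SAMPLE_DIR_OUTPUT):
        print(f"{stamp}  {size:>9,}  {name:<16} {classify(name, size)}")
```

Run it against the real files.txt from FindFile.bat by reading the file into `triage()`; anything that comes back `lookalike` or `size-mismatch` is the candidate for Killbox, and `unknown` means the reference table needs another entry before a verdict is possible.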

  5. Be sure System Restore is Disabled!

    http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

    Last, let's get a hefty Reg Cleaner and move out all dead registry entries!

    RegSupreme Pro 1.1.0.32

    http://majorgeeks.com/RegSupreme_Pro_d4256.html

    Once downloaded and launched, Click Yes to Update the Cache-> Click "Registry Cleaner"-> Click "Aggressive" and "Start"-> Fix everything it finds-> Name the Backup it creates and Save it somewhere safe!

    Wait until Safe Mode to run it!

    Take special note, any registry cleaner such as this is not intended for daily, weekly or even monthly use!

    It should only be run every 4 months or so!

    Copy&Paste all those into Killbox and Select "Delete on Reboot"-> Click the Red Circle to Delete!

    C:\WINDOWS\System32\jjaaoo.exe

    C:\WINDOWS\System32\ddjjllw.dll

    C:\WINDOWS\System32\bbrrooq.exe

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nnpp.exe

    C:\WINDOWS\llmmj.dll

    C:\WINDOWS\System32\ppbbv.dat

    C:\WINDOWS\System32\jjoob.dll

    Reboot in Safe Mode

    Run them through Killbox again to be sure they are gone

    Open HijackThis and put a check next to this

    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jjaaoo.exe reg_run

    Make sure All Windows and Browsers are Closed and Click "Fix Checked"!

    Now run the Registry Cleaner!

    May as well Uninstall Ewido if the 14-day trial has expired!

    Restart Normal and Have the PC Scanned here

    Panda Active Scan

    Save the Report from Panda and post it along with a fresh HijackThis log!

    When you post back, we can go through the list of programs no longer needed!

    Thank You for being so patient with us!

    OK Hector, you get the credit for motivating me to find out what the deal is with this new Qoologic Infection and that's exactly what I have done!

    Download Process Explorer from here

    http://www.sysinternals.com/Files/ProcessExplorerNt.zip

    Right Click the Zip file and Select "Extract All"

    Open Process Explorer by double clicking "procexp.exe"

    Once opened, locate this process

    jjaaoo.exe

    Double Click that process and Select Strings-> Place a Tick in Memory-> Give it a second to load and Click Save-> Save that to the Desktop!

    Post those results!

    After this is over, we need to get all the programs removed that will no longer be of use to you anymore!
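Post 6 asks for Process Explorer's Strings view of jjaaoo.exe's memory because the printable strings inside a running process tend to give away its persistence key, dropped file names and call-home URLs. As an added example (not from the post and not Sysinternals code), the Python below does the same extraction over a constructed byte blob: it pulls runs of four or more printable characters in both ASCII and UTF-16LE (the encoding Windows uses for most path strings), then buckets the hits into the categories a responder reads first. The sample bytes, the `ads.example.invalid` URL and the indicator categories are made up for this example; `winsync`, `jjaaoo.exe` and `reg_run` echo the O4 entry quoted elsewhere on the page.

```python
import re

MIN_LEN = 4  # shortest run most strings tools report by default

# Constructed memory snapshot standing in for what Process Explorer's
# Strings tab (Memory view) would show for the suspect process. No byte of
# this came from a real sample; winsync / jjaaoo.exe / reg_run mirror the
# O4 entry the thread is chasing, the URL is a placeholder.
SAMPLE_MEMORY = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00"                       # header junk
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"  # persistence key
    b"\x01\x02\x03winsync\x00\xff\xfe"                        # Run value name
    b"http://ads.example.invalid/cfg.php?id=\x00\x00\x00"     # call-home URL
    + "C:\\WINDOWS\\System32\\jjaaoo.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\x90\x90\xcc\xcc"
    + "reg_run".encode("utf-16-le") + b"\x00\x00\x7f\x13"
)


def ascii_strings(data, min_len=MIN_LEN):
    """Runs of printable ASCII (0x20-0x7e) at least min_len bytes long."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def utf16le_strings(data, min_len=MIN_LEN):
    """Runs of UTF-16LE text: a printable ASCII code unit followed by 0x00,
    repeated min_len times or more (how Windows stores most path strings)."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]


def all_strings(data, min_len=MIN_LEN):
    """ASCII hits first, then UTF-16LE hits, as a strings tool would list them."""
    return ascii_strings(data, min_len) + utf16le_strings(data, min_len)


# What to pull out of the dump first when hunting persistence and call-home
# behaviour. Assumed heuristics for this example, not a vendor signature set.
_INDICATORS = {
    "run-key": re.compile(r"CurrentVersion\\Run", re.I),
    "url": re.compile(r"https?://", re.I),
    "system32-exe": re.compile(r"\\System32\\[^\\]+\.exe$", re.I),
}


def indicators(strings):
    """Return {category: [matching strings]} for the categories above."""
    hits = {}
    for s in strings:
        for cat, pat in _INDICATORS.items():
            if pat.search(s):
                hits.setdefault(cat, []).append(s)
    return hits


if __name__ == "__main__":
    found = all_strings(SAMPLE_MEMORY)
    for s in found:
        print(repr(s))
    for cat, hits in indicators(found).items():
        print(cat, "->", hits)
```

Against a real dump, raise `min_len` to 8 or so to cut the noise from random printable bytes; the UTF-16LE pass is the one that usually surfaces the full path of a dropped executable, since the ASCII pass sees only isolated characters in that encoding.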

  7. Well this has me scratching my head!

    So what's the Verdict on the .cpl file, is it gone or not?

    Make a Post with all 3 logs again

    In Safe Mode, run WinPFind

    Restart Normal, Run the VB Script and produce a HijackThis Startup List Log!

    Post all 3 logs!

    What is the Status of System Restore? Enabled or Disabled!

    Are you getting any kind of PopUps or Redirects?

    Good Job Hector, you did Killbox C:\WINDOWS\SYSTEM32\conres.cpl???

    There are a few more to kill as well, Delete on Reboot, into Safe Mode!

    Run the files through Killbox again!

    C:\WINDOWS\system32\ddjjllw.dll

    C:\WINDOWS\system32\jjoob.dll

    C:\WINDOWS\System32\jjaaoo.exe

    C:\WINDOWS\system32\yrjreqhj.exe

    Remove the O4 again with HijackThis

    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jjaaoo.exe reg_run

    After the files are gone,run the Hoster again just as you did before!

    Until we know for sure you are clean please install these for added protection!

    Winhelp2002 Hosts File

    http://www.mvps.org/winhelp2002/hosts.htm

    Made easy

    http://www.mvps.org/winhelp2002/hosts2.htm

    SpywareBlaster:

    http://www.javacoolsoftware.com/spywareblaster.html

    Update Immediately!

    Post back and lets have a look!

    We aren't the only ones having trouble with this particular file!

    Let me know what became of C:\WINDOWS\SYSTEM32\conres.cpl??

  9. Holy Smokes!!!!!!!!

    First get this file scanned at the 2 sites below

    C:\WINDOWS\SYSTEM32\conres.cpl

    http://virusscan.jotti.org/

    http://www.virustotal.com/flash/index_en.html

    If scans all clear-> Remove it from the Deletion list!

    You know what to do if it Scans Nasty!

    Next,Download the Attachment to your desktop and Unzip it!

    Download the Hoster from here:

    http://www.funkytoad.com/download/hoster.zip

    Press "Restore Original Hosts" and press "OK"!!

    Exit Program!!

    Copy&Paste the list of files below into Killbox and use the Instructions that follow!

    C:\WINDOWS\SYSTEM32\conres.cpl<<<<<< Get that File Scanned First,before Deleting!

    C:\WINDOWS\system32\drivers\ETC\hosts

    C:\WINDOWS\system32\drivers\ETC\hosts.20040904-165330.backup

    C:\WINDOWS\system32\yuhxqdtf.exe

    C:\WINDOWS\System32\jjoob.dll

    C:\WINDOWS\System32\datadx.dll

    C:\WINDOWS\system32\vmggewdm.exe

    C:\WINDOWS\system32\vb07dv9p.ini

    C:\WINDOWS\system32\rt87rov2.ini

    C:\WINDOWS\system32\saie_kyf.dat

    C:\WINDOWS\system32\second.awp

    C:\WINDOWS\system32\sew.exe

    C:\WINDOWS\system32\uafvwzax.exe

    C:\WINDOWS\system32\dpvhromb.exe

    C:\WINDOWS\system32\dthmrusx.exe

    C:\WINDOWS\system32\first.awp

    C:\WINDOWS\system32\fpmat78.dll

    C:\WINDOWS\system32\fudeptps.exe

    C:\WINDOWS\system32\Fzjxeek1.xml

    C:\WINDOWS\system32\gah95on6.ini

    C:\WINDOWS\system32\in10b6s.dll

    C:\WINDOWS\system32\jfqosi.exe

    C:\WINDOWS\system32\jjoob.dll

    C:\WINDOWS\system32\jpdfyhtl.exe

    C:\WINDOWS\system32\msdjgk.dll

    C:\WINDOWS\system32\msiaih.dll

    C:\WINDOWS\system32\msnimk.gif

    C:\WINDOWS\system32\ooslpmre.exe

    C:\WINDOWS\system32\ddjjllw.dll

    C:\WINDOWS\system32\barekdug.exe

    C:\WINDOWS\system32\betterinternet1.exe

    C:\WINDOWS\system32\bH.dll

    C:\WINDOWS\system32\biQ.exe

    C:\WINDOWS\system32\bln02nqv.ini

    C:\WINDOWS\system32\bluestd.exe

    C:\WINDOWS\system32\70tovmto.ini

    C:\WINDOWS\system32\9tan13d8.ini

    C:\WINDOWS\system32\abiscxpw.exe

    C:\WINDOWS\system32\AUNPS.dll

    C:\WINDOWS\system32\autoupgrader.exe

    C:\WINDOWS\tct101.dll

    C:\WINDOWS\rt87rov2.exe

    C:\WINDOWS\del.tmp

    C:\WINDOWS\abiuninst.htm

    C:\WINDOWS\aniqueo.exe

    C:\WINDOWS\choice.exe

    As each is pasted into Killbox, place a tick by these selections when available!

    "Delete on Reboot"

    "Unregister .dll before Deleting"

    Click the Red Circle with the White X in the Middle to Delete!

    Click "Yes" to Confirm

    Click "No" to Reboot

    Once at the last file

    Click "Yes" to Confirm

    Click "Yes" to Reboot

    If you get a PendingFileRenameOperations Registry Data has been Removed by External Process! message then just restart manually.

    Reboot into Safe Mode and Run those files through Killbox again, this time place a tick by any of these selections available!

    "Standard File Kill"

    "End Explorer Shell while Killing File"

    "Unregister .dll before Deleting"

    Locate the Reg File I had you download to the Desktop!

    Double Click to execute and Allow it to Merge into the Registry!

    Open and Run the Hoster again,just as you did before!

    Restart Normal and Post a fresh HijackThis log!

    Rem.zip
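Posts 8 and 9 have the user delete a tampered hosts file and its backup, run Hoster's "Restore Original Hosts", and install the MVPS hosts file for protection. The distinction that matters there: a hosts entry mapping a security vendor's or Windows Update's name to an attacker-chosen address silently breaks updates and online scans, while an entry pointing a name at 127.0.0.1 or 0.0.0.0 only sinkholes it, which is exactly what the MVPS list does on purpose. The Python below is an added example, not part of the posts or of Hoster: it parses a constructed hosts file, separates the stock localhost line, blocking entries and redirects, and rebuilds a copy with the redirects removed. The sample entries and the 192.0.2.45 address are made up (192.0.2.0/24 is the documentation range); whether a given non-loopback mapping is legitimate (an intranet host, say) still needs a human decision.

```python
import ipaddress

# Constructed hosts file mixing the three kinds of line met in practice:
# the stock localhost entry, MVPS-style blocking entries that sink ad and
# tracker names to 0.0.0.0 / 127.0.0.1, and hijack entries that send
# security vendors' and Windows Update's names to an attacker-chosen
# address. 192.0.2.45 is from the documentation range; nothing here is a
# real capture.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
0.0.0.0         ads.example.invalid        # MVPS-style block, harmless
127.0.0.1       tracker.example.invalid
192.0.2.45      www.symantec.com           # hijack: vendor site -> attacker
192.0.2.45      securityresponse.symantec.com liveupdate.symantec.com
192.0.2.45      windowsupdate.microsoft.com
"""

# Addresses that only sinkhole a name instead of redirecting it somewhere.
SINKHOLE = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}


def parse_hosts(text):
    """Yield (ip, hostname) for every active mapping in a hosts file.

    Comments and blank lines are dropped; one line may map several names to
    one address; malformed lines are skipped rather than aborting the audit."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            yield ip, host.lower()


def classify(ip, host):
    """default: the stock localhost line; block: name sinkholed to loopback or
    0.0.0.0; redirect: name sent to a real address (suspect until reviewed)."""
    if host == "localhost" and ip in SINKHOLE:
        return "default"
    if ip in SINKHOLE:
        return "block"
    return "redirect"


def audit(text):
    """Return {verdict: [(ip, host), ...]} for a hosts file's contents."""
    report = {"default": [], "block": [], "redirect": []}
    for ip, host in parse_hosts(text):
        report[classify(ip, host)].append((str(ip), host))
    return report


def rebuild_clean(text):
    """Hosts file text with every redirect removed and everything else kept:
    a gentler version of what a 'restore original hosts' button does."""
    lines = [f"{str(ip):<15} {host}" for ip, host in parse_hosts(text)
             if classify(ip, host) != "redirect"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for verdict, entries in audit(SAMPLE_HOSTS).items():
        for ip, host in entries:
            print(f"{verdict:<9} {ip:<15} {host}")
```

On a live machine, read `%SystemRoot%\system32\drivers\etc\hosts` into `audit()` and look at the `redirect` bucket first; the blocking entries an MVPS install adds all land in `block` and are left alone by `rebuild_clean()`, so the check can be rerun after the protective hosts file is in place.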

  10. Hey Jeff and Hector!

    Don't mean to butt in but this Qoo Crap is Ticking me off!

    Hector if you will,please Download WinPFind:

    http://www.bleepingcomputer.com/files/winpfind.php

    Right Click the Zip Folder and Select "Extract All"

    Don't use it yet!

    Restart in Safe Mode

    Doubleclick WinPFind.exe and Click "Start Scan"

    It will scan the entire System, so please be patient!

    Once the Scan is Complete-> Locate WinPFind.txt in the WinPFind Folder and place those in the Next Post!

    Produce another HijackThis Startup log and use the TrackQoo VB Script as well

    Save the report from both of those!

    You can find the latest version of TrackQoo here

    http://webpages.charter.net/cretemonster/Track%20qoo%201.zip

    Once downloaded-> Just Double Click the VB file and wait for the Report!

    Post all 3 logs and let's find out where this pesky bug is hiding!