# Running Preliminary Malware removal instructions

By Leraelew
Apr 18, 2008
and I am currently running the Trend Micro House Call 6.5
So far it has found:
JS_CLICKER.RE
It says there is still about 30 minutes left on the scan so while its doing that I guess I'll download the AVG AntiSpyware and I already have SS&D and AdAware SE, so I guess I'll see where it goes from there!

I posted a previous thread, earlier, about the System Integrity Scan Wizard pop-up I've been getting, so hopefully I'm on the right track!!??

Any help from any tech gurus would be greatly appreciated!
Cheers!

2. ### Blind DragonTS EvangelistPosts: 3,908

You are on the right track, everything sounds good except Adaware SE, it no longer gets updates, I would recommend uninstalling it through Add/Remove programs in the control panel, then navigate to and make sure C:\program files\Lavasoft folder has been removed, delete it if not.

*Note, for a lot of people it will not work in Safe Mode

• If you download the file to your desktop, simply click on the installer icon. If you download to another folder navigate to it through my computer and doubleclick on aaw2007.exe
• Follow the prompts to install the software and when it asks if you would like to do a "Standard" or "Advanced" Installation, select the Standard installation. Keep following the prompts and after the program has finished installing select Finish
• If the program is starting for the first time, it will prompt you to enter your registration information. As we are using the free version of Ad-Aware 2007, we simply press the Cancel button at the screen asking us to enter our license information. Ad-Aware 2007 Free will now open. If you already have this version please open it.
• Before running a scan, you should always make sure that Ad-Aware is up-to-date with the latest program files and malware definitions. This allows the software to recognize as much malware as it can when scanning your computer. To update Ad-Aware 2007 Free click on the Web Update section in the left pane. now click on the Update button
• If an update is found it will tell you and you should click on the Yes button and let it download the update.
• Now click on the Scan tab in the left pane, select Full Scan then click Scan in the bottom right corner
• When you are presented with your scan results, put a tick mark in the boxes to the left of the results, select the privacy objects tab and also put a tick in these boxes.
• After all objects are selected you can hit Remove

3. ### LeraelewTS RookieTopic Starter

Safe Mode

First of all, THANK YOU THANK YOU for replying!
The Trend Micro House Call is STILL finishing up, so after that I'll be updating to the newer version of AdAware, and I have already downloaded and installed AVG Antispyware, and Shielded to inactive and ran the updates for it. So I guess after ALL that I'll download the Ccleaner Program.
So thank you for letting me know i'm on the right track!
One question though, should my computer already be in safe mode??
To do that you just restart the comp and hit F8 before the Windows starts up right?

Thanks again!

4. ### Blind DragonTS EvangelistPosts: 3,908

Housecall from normal mode

You will probably have to run adaware in normal mode too, but you can attempt while in safe mode, a lot of people report that it won't work in safe mode.

AVG should be run in safe mode, CCleaner can be as well.

Good work, Sounds like your almost there!!!!

5. ### LeraelewTS RookieTopic Starter

Step 10 problem

Thanks!
I've run the Ccleaner and saved the log from it, so when I'm to the last step i"ll post that too.
I'm still getting pop-ups, but I'm not done with all the steps yet.
On step 10, It says to download and follow the instructions from the websites for Tool 1, Tool 2, and Tool 3.
When I click Tool 1, the page does not load.... not sure what to do about that. I believe the other two tools will load, I was wondering should i skip Tool 1 or is there a different place i can find it??
Thanks again, I really appreciate it. And I am quite impressed with the attention you all give everyone and in SUCH a timely manner!
Keep up the GOOD work!
CHEERS

edit: I ran tool 2 and 3 and neither one found anything....

6. ### LeraelewTS RookieTopic Starter

New Pop-up I'm not sure about????

Still cannot load Tool 1, but went ahead and proceeded with Panda Antirootkit Program. I ran it and there were no rootkits found.
Also, I am getting a new pop-up that I have NO IDEA what to do with,

The heading says Spyware Alert, it does not say what program detected

Then it says:
"Worm.Win32.NetBooster detected on your machine. This virus is distributed via the Internet through email and Active-X objects. The worm has its own SMTP engine which means it gathers emails from your local computer and redistributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data. This process should be removed from your system.
Type: Virus
System Affected: Windows 2000, NT, ME, XP, VISTA
Securtiy Risk (0-5): 5
Recommendations: Click Yes to remove it from your PC immediately"

It has disabled the top right x to x out of it, so I just clicked NO, I hope that was right!!???

7. ### Blind DragonTS EvangelistPosts: 3,908

That is actually a part of the infection trying to trick you into purchasing their product. Obviously you should never accept it.

Try this link for Tool 1 as an alternative, if it still doesn't work then we may need to look at your host file. If you get the tool be sure to run option 2 from Safe mode

http://siri.geekstogo.com/SmitfraudFix.exe

Also, I recommend you use Internet Explorer as little as possible,
Here are 2 more secure browsers to choose from
1)Firefox -> http://www.mozilla.com/en-US/firefox/
2)Opera -> http://www.opera.com/

8. ### LeraelewTS RookieTopic Starter

It started to work and save to desktop then,
a mcAfee popped and deleted it saying it was a potentially unwanted program, and I couldn't load the program and it won't even let me access the link anymore....

oh and i have been using mozilla in safe mode

9. ### LeraelewTS RookieTopic Starter

current logs

ok i want to thank you for being so patient, and helping me.

I finally got the Tool 1 (Smitfraudfix.exe) to run, and I ran it in safe mode.
while doing this the Disk Clean Up popped up and asked if I wanted to clean up and i said yes.
The program finished and my desktop pictured changed to a blank blue.

I was going to post the log from it, but its too big (233KB) so should I find a way to post it, or just proceed with the Combofix.exe??

EDIT: couldn't run Combofix.exe, but I ran the other option... Deckard System Scanner and saved the logs from it.
Now I'm going to reboot to safemode, run my antivirus, SS&D, adaware, and the Avg Antispyware and then HJT, and I'll then post the logs. but it'll probably be a WHILE before I get all that done lol, so thanks again for helping me out, and Whenever its convenient for you I'd appreciate any feedback on the logs.
Thanks and Cheers!!

10. ### LeraelewTS RookieTopic Starter

Finished?

Ok so I've done all the steps.
As I said before I couldn't run the Combofix.exe so I used the Deckards System Scanner.
Also, when I was running AVG Anitspyware in safemode the comp just shut off on me half way through, and so I turned it on and ran it again, making sure to set it to Quarantine, and to save a log. for some reason though, it did produce a log???
So I typed up the files that it quarantined, and it also deleted some cookies I typed those up too (for some reason it wouldn't let me quarantine them??) After it finished the scan the comp just shut off again, so I left it alone for the rest of the night, and this morning I trying restarting it in safemode about 5 times, and it just wouldn't go into safemode, it would skip right to normal startup.
Also, just wanted to note again that the Panda Antirootkit, found nothing.

Ok so here is the DSS log, the AVG log, and the HJT log...

Also, here is a lil list of the 'symptoms'
pop-up - System Integrity Scan Wizard

(Red Circle with X in center - bottom right hand task bar) - Spyware Alert and sometimes IE explorer opens to a page on System Defender Security System.
There are two other popups but I can't remember what they say.....

11. ### kritiusTS GuruPosts: 2,084

• First try going to Start -> Control Panel -> double click Java
• Select the Update TAb at the top
• Click the Check for Updates button at the bottom
• If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
• After it installs the newest version Go back to Control Panel -> Add/remove programs
• Uninstall any older versions of Java

If for some reason you couldn't update through the above instructions.
Java Runtime Environment 6 Update 5
• The 4th option down is the one you want (click Download)
• After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
• Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder

• Run the SDFix.exe by double clicking on it.
• Allow it to install into the default location which is normally c:\SDFix
• Now please reboot your computer into Safe Mode (see this if you don't know how: Starting your computer in Safe mode )
• When you have booted into safe mode, open the C:\SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services or Registry entries found and then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
• Attach the Report.txt file to your next message.

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
C:\VundoFix Backup
C:\WINDOWS\system32\inanqpwn.exe
C:\WINDOWS\rtqmekwg.exe
C:\WINDOWS\qtvglped.dll
C:\WINDOWS\pmsoarbf.dll
C:\WINDOWS\omlbpkaw.dll
C:\WINDOWS\npqtsrak.exe
C:\WINDOWS\lgmxvpatfbo.dll
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\system32bdn.com
C:\Documents and Settings\All Users\Application Data\xgrcvkle
C:\WINDOWS\system32\tarqrwpc.exe
C:\Program Files\MyWebSearchWB
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{069E8B19-0EAC-45D6-A5B3-A10FF9B69F4C}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vkhuletb
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run\\LmXjmirXpc
C:\Documents and Settings\All Users\Application Data\xgrcvkle

• Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

• Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
• Click Firefox at the top and choose: Select All
Click the Empty Selected button.
If you use Opera browser
• Click Opera at the top and choose: Select All
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Fix entries using HiJackThis
• Launch HiJackThis
• Click the Do a system scan only button
• Put a check next to the entries listed below (if they are still present)
O2 - BHO: DVA Storm - {069E8B19-0EAC-45D6-A5B3-A10FF9B69F4C} - C:\WINDOWS\lgmxvpatfbo.dll
O3 - Toolbar: (no name) - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - (no file)
O3 - Toolbar: qtvglped - {74E5E4E8-79DD-49AC-B64B-E74822D5F3CD} - C:\WINDOWS\qtvglped.dll
O4 - HKCU\..\Run: [vkhuletb] C:\WINDOWS\system32\inanqpwn.exe
O4 - HKLM\..\Policies\Explorer\Run: [LmXjmirXpc] C:\Documents and Settings\All Users\Application Data\xgrcvkle\fotyjqfu.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O21 - SSODL: omlbpkaw - {E74C138F-A762-4950-BDD8-F9E2ACFE1BE4} - C:\WINDOWS\omlbpkaw.dll
O21 - SSODL: pmsoarbf - {C6546761-9AAE-4842-BDB0-D4C3551D5418} - C:\WINDOWS\pmsoarbf.dll

• IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
• Click the Fix checked button and close HiJackThis
• Reboot HijackThis if necessary

12. ### LeraelewTS RookieTopic Starter

I ran all the programs you suggested and reran HJT, here is the paste from OTMoveit. I'm trying to paste the SDFix log and the HJT log, but for some reason it won't let me even hit the attachment button, so i'll have to get back to you on that one.

Thanks for helping me out!

C:\WINDOWS\system32ssvchost.com moved successfully.
C:\WINDOWS\system32hxiwlgpm.dat moved successfully.
C:\WINDOWS\system32bdn.com moved successfully.
C:\Documents and Settings\All Users\Application Data\xgrcvkle moved successfully.
C:\WINDOWS\system32\tarqrwpc.exe moved successfully.
C:\Program Files\MyWebSearchWB\bar\Settings moved successfully.
C:\Program Files\MyWebSearchWB\bar\History moved successfully.
C:\Program Files\MyWebSearchWB\bar\Cache moved successfully.
C:\Program Files\MyWebSearchWB\bar\1.bin moved successfully.
C:\Program Files\MyWebSearchWB\bar moved successfully.
C:\Program Files\MyWebSearchWB moved successfully.
< HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{069E8B19-0EAC-45D6-A5B3-A10FF9B69F4C} >
< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vkhuletb >
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vkhuletb deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run\\LmXjmirXpc >

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04192008_193948

13. ### LeraelewTS RookieTopic Starter

Attachments messed up?

in the Reply to Thread box, when typing my reply I can't hit any of the buttons like on fonts or smileys or the ATTACHMENT button. The manage attachments button is missing on the bottom too??? It just says Valid file extensions and gives a lil list of extensions.

I have no idea whats going on??

14. ### LeraelewTS RookieTopic Starter

Log attachments

I ran CCleaner and now I can use attachments. ODD.

15. ### kritiusTS GuruPosts: 2,084

Fix entries using HiJackThis
• Launch HiJackThis
• Click the Do a system scan only button
• Put a check next to the entries listed below
O3 - Toolbar: (no name) - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - (no file)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -

• IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
• Click the Fix checked button and close HiJackThis
• Reboot HijackThis if necessary

Delete files and folders,
Boot into safe mode by restarting the computer and tapping F8 as soon as it starts, show all hidden files and folders and delete the following file,

C:\WINDOWS\system32\inanqpwn.exe

Boot back into normal mode and run HijackThis again.

How is the computer running now?

16. ### LeraelewTS RookieTopic Starter

ok i ran, HJT but couldn't find the things you said to check, so I rebooted in safe mode to delet the file C:\WINDOWS\system 32\inanqpwn.exe, and i couldn't find that either?? Sooo I ran HJT again, and here is the log (just in case ya need it)

So far the comp seems to be running ok, but i've only had it running for a lil bit...
Thanks for the help and I'll make another post in a few hours to confirm that everything is running ok.

Thanks again
CHHERS

17. ### kritiusTS GuruPosts: 2,084

I would like you to do an online scan so that we can what else may be in your system,
Run Kaspersky online scanner
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
Do not go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.

Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence accepted, reset to 100%.
• The program will launch and then start to download the latest definition files.
• Once the scanner is installed and the definitions downloaded, click Next.
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
o Extended (If available, otherwise use standard)
o Scan Options:
o Scan Archives
o Scan Mail Bases
• Click OK
• Under select a target to scan, select My Computer
• The scan will take a while so be patient and let it run.
• Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
• Click the Save Report As... button (see red arrow below)

• In the Save as... prompt, select Desktop
• In the File name box, name the file
• In the Save as type prompt, select Text file (see below)

• Include the report in your next post.

Topic Status:
Not open for further replies.