Background changed, can't use task manager


Swiss407
I cannot get into task manager. My background has changed. I have pop ups coming up every second. Please help!
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:00:09 PM, on 6/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcqcoms.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\OEM03Mon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe
C:\Program Files\Dell Photo AIO Printer 966\memcard.exe
C:\Program Files\MSTpscre\Tpscrex.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\DELL\DELL Webcam Manager\DellWMgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
c:\windows\system32\jmwnw64p.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\WINDOWS\system32\rcntnkdm.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\17PHolmes1749.exe
C:\WINDOWS\444.0
C:\WINDOWS\system32\vntiho06\vntiho061083.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
I can't post the rest of the log because it says my post count has to be 5 or higher to post links and it has links in it.
 
Sorry, I found it. Also, here's the uninstall list. I've seen it asked for in other threads.
 
Attachments
  • hijackthis.log (14 KB)
  • uninstall_list.txt (5.3 KB)
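The first thing a helper does with a log like the one above is scan the "Running processes" list by eye for executables sitting directly in C:\WINDOWS or system32 that are not part of the OS, and for names that look machine-generated. The Python below is an added example that does that first pass mechanically; it is not part of the thread and not a HijackThis feature. The sample log is trimmed from the one posted above, and the KNOWN_GOOD baseline and the "four consonants" / "four digits" thresholds are illustrative assumptions, not an authoritative inventory.

```python
import re
from typing import Dict, List

# Sample input: the header and a dozen lines of the "Running processes:"
# section from the HijackThis log posted above, followed by the first R0 entry.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\mrofinu1000106.exe
c:\windows\system32\jmwnw64p.exe
C:\WINDOWS\17PHolmes1749.exe
C:\WINDOWS\444.0
C:\WINDOWS\system32\vntiho06\vntiho061083.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
"""

# Illustrative baseline (an assumption for this example, not a complete list)
# of executables that legitimately live directly in C:\WINDOWS or system32 on XP.
KNOWN_GOOD = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe", "wscntfy.exe",
    "rundll32.exe", "hkcmd.exe", "igfxpers.exe", "igfxtray.exe",
}

WINDOWS_DIRS = (r"c:\windows", r"c:\windows\system32")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]{4,}")  # e.g. "jmwnw"
DIGIT_RUN = re.compile(r"\d{4,}")                            # e.g. "1000106"


def running_processes(log_text: str) -> List[str]:
    """Return the paths listed under 'Running processes:'; a blank line ends the section."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not line:
                break
            paths.append(line)
    return paths


def triage(path: str) -> List[str]:
    """Reasons this process path deserves a closer look; [] means not flagged."""
    directory, _, name = path.lower().rpartition("\\")
    reasons: List[str] = []
    if directory in WINDOWS_DIRS:
        if name in KNOWN_GOOD:
            return []
        reasons.append("unknown file in Windows directory")
    elif directory.startswith(WINDOWS_DIRS[1] + "\\"):
        reasons.append("executable in unexpected system32 subfolder")
    else:
        return []  # Program Files etc. are outside this heuristic's scope
    stem = name.rsplit(".", 1)[0]
    if not name.endswith(".exe"):
        reasons.append("not a .exe")
    if CONSONANT_RUN.search(stem):
        reasons.append("random-looking name")
    if DIGIT_RUN.search(stem):
        reasons.append("long digit run in name")
    return reasons


def flag_processes(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged process path (as written in the log) to its reasons."""
    flagged: Dict[str, List[str]] = {}
    for path in running_processes(log_text):
        reasons = triage(path)
        if reasons:
            flagged[path] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in flag_processes(SAMPLE_LOG).items():
        print(f"{path}: {', '.join(reasons)}")
```

Feed it the text of a saved hijackthis.log and treat the output as a worklist, not a verdict: the rules are deliberately loose, so a vendor tray program installed into C:\WINDOWS (stsystra.exe from the full log above would trip the "random-looking name" rule) will be listed alongside the real droppers and still has to be checked by hand.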
A lot of different infections on there. Instead of deleting manually, we are going to run some tools and let them do the work for us, then we can manually clean up the leftovers. I see CoolWebSearch and some trojans, which could be Smitfraud and possibly Vundo.


  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please attach this log with your reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

---------------------------------------------------------------------


Download CWShredder here to its own folder.

Update CWShredder

* Open CWShredder and click I AGREE
* Click Check For Update
* Close CWShredder


Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about. Reboot your computer into normal windows.

--------------------------------------------------------

Once back in normal mode, run a fresh scan with HijackThis, then attach it here with the MBAM log.
 
I've got the malware one running now. The CWShredder said "Unable to check for updates" when I tried to update it.
 
After MBAM is done, go ahead and boot into safe mode and run CWShredder anyway.

The last release was Nov 2005, so you have the most recent update.
 
Here are the logs from all the stuff. Task manager is back so we're making some progress. Thanks for your continued help. This is a great site.
 
These are very powerful tools that I am suggesting. Please don't do anything with them other than instructed.

Download and Install SDFix
  • Download SDFix and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here

-------------------------------------------------------------------

Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool, so please do NOT do anything without instruction.

Combofix will automatically save the log file to C:\combofix.txt
 
The 2nd time it restarts after running SDFix do I do safe mode again or let it boot up normally? And I can't seem to download combofix is the site down? I don't have any problems going to any other sites.
 
Did you open these ports?
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

---------------------------------------------------------------------

Remove bad HijackThis entries
  • Run HijackThis
  • Click on the System Scan Only button
  • Put a check beside all of the items listed below (if present):

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = file://c:/windows/homepage.html
    O4 - HKLM\..\Run: [HTV Agent] C:\Program Files\HTV\HTV.exe
    O4 - HKLM\..\Run: [{B6-67-74-45-DW}] C:\windows\system32\jmwnw64p.exe DWramFF
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

-----------------------------------------------------------------------------------

Run CFScript

Open notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\portsv.exe
C:\WINDOWS\system32\g34.exe
C:\WINDOWS\h8907435.exe
C:\windows\system32\jmwnw64p.exe
C:\WINDOWS\portsv.exe

Folder::
C:\WINDOWS\system32\1397
C:\WINDOWS\system32\xrem
C:\WINDOWS\system32\NMP
C:\WINDOWS\system32\inet2
C:\WINDOWS\system32\expo
C:\WINDOWS\system32\btz
C:\WINDOWS\system32\105772
C:\WINDOWS\444.0
C:\WINDOWS\444.470
C:\Program Files\HTV

Driver::
MSSECURITY1.209.4
NPF

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{B6-67-74-45-DW}"=-

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlugPlayRPC]

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
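The block of "5000:TCP" through "5020:TCP" entries the helper asks about above is the kind of thing that is easier to judge once the list is collapsed into ranges and compared against the exceptions the machine is supposed to have: a single contiguous run of twenty-one ports named only "TCP Port N" is not something a user adds by hand, and TCP 135 (the RPC endpoint mapper) has no business being open to the world on a home machine. The Python below is an added example, not from the thread and not part of ComboFix. The 135 and 5000-5020 lines are quoted from the post above (trimmed); the 139:TCP line, its description string, and the EXPECTED set of File and Printer Sharing exceptions are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the format ComboFix uses for GloballyOpenPorts entries.
# 135 and 5000-5020 are quoted (trimmed) from the post above; the 139:TCP line is
# an assumed example of an ordinary File and Printer Sharing exception.
SAMPLE_PORTS = '''"135:TCP"= 135:TCP:TCP Port 135
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5020:TCP"= 5020:TCP:TCP Port 5020
'''

# "port:proto"= port:proto:description
ENTRY = re.compile(r'^"(\d+):(TCP|UDP)"=\s*(\d+):(TCP|UDP):(.*)$')

# Exceptions a home XP box legitimately carries for File and Printer Sharing.
# Assumption for this example: adjust to the machine; everything else is reported.
EXPECTED = {(139, "TCP"), (445, "TCP"), (137, "UDP"), (138, "UDP")}

Entry = Tuple[int, str, str]  # (port, protocol, description)


def parse_open_ports(text: str) -> List[Entry]:
    """Parse ComboFix-style open-port lines into (port, proto, description) tuples."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((int(m.group(3)), m.group(4), m.group(5).strip()))
    return sorted(entries, key=lambda e: (e[1], e[0]))


def contiguous_ranges(entries: List[Entry]) -> List[Tuple[int, int, str]]:
    """Collapse consecutive ports of the same protocol into (first, last, proto) ranges."""
    ranges: List[Tuple[int, int, str]] = []
    for port, proto, _ in sorted(entries, key=lambda e: (e[1], e[0])):
        if ranges and ranges[-1][2] == proto and ranges[-1][1] + 1 == port:
            ranges[-1] = (ranges[-1][0], port, proto)
        else:
            ranges.append((port, port, proto))
    return ranges


def audit(text: str, expected=EXPECTED) -> Dict[str, list]:
    """Report the open-port ranges and every entry not on the expected list."""
    entries = parse_open_ports(text)
    unexpected = [e for e in entries if (e[0], e[1]) not in expected]
    return {"ranges": contiguous_ranges(entries), "unexpected": unexpected}


if __name__ == "__main__":
    result = audit(SAMPLE_PORTS)
    for first, last, proto in result["ranges"]:
        print(f"{proto} {first}" if first == last else f"{proto} {first}-{last}")
    for port, proto, desc in result["unexpected"]:
        print(f"unexpected: {port}/{proto} ({desc})")
```

On a live XP machine the same entries sit under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List, so the script can be pointed at either a ComboFix log or a reg export of that key once the value lines are extracted. Removing the entries is what the ComboFix script later in the thread does; this only tells you which ones to question.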
 
The background came back for a little while during the time combofix was running but now it's totally black again. Task Manager works and my CPU usage is running at 2% instead of 90% like it was.
 
The last logs looked so much better even before the last steps

Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter.

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------------------------------------------------------------

OTCleanit! by Oldtimer
  • Download OTCleanIt
  • Click the CleanUp! button.
    • It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).

-------------------------------------------------------------------------

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply
 
Ok, it's running now. I have this PC-cillin internet security anti-virus program that came from Dell. It's supposed to be good till 2010 but it hasn't been able to update itself in 6 months so I'm guessing that's why all this stuff happened in the first place. It still can't update itself though so I was wondering if there was some other program you recommend I use for after we get all this cleaned up to prevent it from happening again.
 
Let's see what Kaspersky finds, then we can see if it updates. If not, I will make recommendations for some free products that will provide great security.
 
That looks pretty good, by the way did your background come back after uninstalling combofix?

That looks pretty much clean, just a few loose ends.

1) Clear your Trend Micro quarantine. If you don't know how, then you can just delete everything in this folder but not the folder itself. -> C:\Program Files\Trend Micro\Internet Security 14\Quarantine

2) Get rid of any backups of the infected registry, so delete the contents of the following folder but not the folder itself. You may want to back up after you are clean.
C:\Program Files\Max Registry Cleaner\Backup

3)OTMoveit2 by OldTimer
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\WINDOWS\444.470
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
 
Nope the background is still all black even after uninstalling combo fix. I don't see that directory for the log file. It said it was moved successfully though.
 
can you navigate to here C:\_OTMoveIt\MovedFiles

Then attach - 06072008_170508.log <-the last numbers will be different
 