PC-Antispyware - Please Help


jojoness

Hello guys! Tuesday night I unfortunately got PC-Antispyware on my computer. I have tried Norton 360, Ad-Aware, Smitfraudfix, and countless others. I have followed the preliminary removal instructions provided on the forum, and was unable to execute Step 13. I was then unable to execute Ad-Aware; I'm not too sure what happened there. I'm attaching the HJT log to this message.

Symptoms include pop-up ads, fake toolbar notices of spyware being on my computer, and a very slow loading browser. As for the Panda Antirootkit scan, it came up with nothing.

I hope you guys can help me! Thanks in advance.
 
Malwarebytes' Anti-Malware

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt



Did you already run Combofix? If so, attach the log.

Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • Type "1" (and Enter) to start the fix.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool, so please do NOT do anything without instruction.

Combofix will automatically save the log file to C:\combofix.txt
 
I've run Combofix and Malwarebytes. I'm attaching the logs.

I would also like to add that another symptom is that certain words in text on the internet are being underlined and linked, and when I put my cursor over them there is a pop-up advertisement for Vibrant. How do I get rid of that?
 
Do you have a firewall with Symantec installed?


Update your Java Runtime Environment
  • First try going to Start -> Control Panel -> double click Java
  • Select the Update Tab at the top of the Java console
  • Click the Check for Updates button at the bottom
  • If it finds the newer version (Java 6 Update 5), follow the on-screen instructions
  • After it installs the newest version, go back to Control Panel -> Add/Remove Programs
  • Uninstall any older versions of Java

If for some reason you couldn't update through the above instructions:
  • Click the following link
    Java Runtime Environment 6 Update 5
  • The 4th option down is the one you want (click Download)
  • Check the box to agree to the terms of service
  • Check the box for your operating system and click 'Download selected' at the bottom
  • After the install, go to Start -> Control Panel -> Add/Remove Programs (Programs and Features), and uninstall any old versions
  • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_05 folder




CFScript

Open Notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Driver::
-------\Legacy_NPF
-------\NPF

File::
C:\WINDOWS\system32\pxgumdou.dll
C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
C:\Documents and Settings\JoJo's 'puter\Desktop\fwebd.exe
C:\Documents and Settings\JoJo's 'puter\Desktop\fkwp2.0.exe
C:\Documents and Settings\JoJo's 'puter\Desktop\fkwp1.5.exe
C:\Documents and Settings\JoJo's 'puter\Desktop\filemanagerclient.exe
C:\Documents and Settings\JoJo's 'puter\Desktop\EditorFKWP2.0.exe
C:\Documents and Settings\JoJo's 'puter\Desktop\EditorFKWP1.5.exe
C:\WINDOWS\SYSTEM32\vtUnlKDW.dll.vir
C:\WINDOWS\system32\efcBtutu.dll
C:\WINDOWS\system32\hgGvWmJD.dll
C:\WINDOWS\system32\vqbyxghg.exe
C:\WINDOWS\system32\ojuxmxcx.exe
C:\WINDOWS\System32\sfg_53c1.dll
C:\WINDOWS\SYSTEM32\uvriotda.ini
C:\WINDOWS\SYSTEM32\ayervwot.ini
C:\WINDOWS\SYSTEM32\jpicpl32.cpl
C:\WINDOWS\SYSTEM32\lmzedypc.exe
C:\Documents and Settings\JoJo's 'puter\Desktop\FWebdEditor.exe
C:\Documents and Settings\All Users\Application Data\lufkzyba\jqtgpqjq.exe
C:\WINDOWS\system32\rqqvkcqb.dll

Folder::
C:\Documents and Settings\All Users\Application Data\lufkzyba
C:\Program Files\Google\Google Desktop Search

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33CAE343-8B7B-4913-9AE5-09A86124631E}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{513157B2-3B37-4842-A510-D72507B0CC92}]
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCShield"=-
"qvpeecye"=-
"hpwdlyaj"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCShield"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"F2avE88wyg"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2415e228]
C:\WINDOWS\system32\pxgumdou.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM2726d1b4]

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
 
Yes, my Norton 360 has a firewall enabled.

Fixed the Java as you said.

Attached fresh HJT and new Combofix.
 
CFScript

Open Notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Folder::
C:\Documents and Settings\All Users\Application Data\lufkzyba

File::
C:\WINDOWS\system32\cnubkpef.exe
C:\WINDOWS\system32\gvcxuden.exe
C:\Documents and Settings\All Users\Application Data\lufkzyba\jqtgpqjq.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kweubfru"=-
"azqaksoc"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"F2avE88wyg"=-

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
 
Getting better!

I didn't see an active firewall, let me know if you have one what it is. It doesn't appear that you do.

If not...
You aren't running Firewall Software. Please download and install one of these first!

Use a Firewall - It is very important that you use a Firewall on your computer. If you use the Windows Firewall you might think that's enough but it only controls inbound traffic. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some firewalls which are free for personal use and most commonly used:
Comodo
Kerio
Online Armor
Zonealarm



Delete a Service
  • Click Start | Run and type regedit in the Open: line. Click OK.
  • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
  • Scroll down the left pane, locate Symantec Network Drivers Service (SNDSrvc), right click it and select Delete.
    The file is missing, so there is no point leaving the registry entry.
  • Reboot the system (into Safe Mode; instructions below)


You might want to copy and paste these instructions into a notepad file, and save it to your desktop. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run Hijackthis and Select Do A System Scan Only
Put a check mark next to the following entries:
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {33CAE343-8B7B-4913-9AE5-09A86124631E} - C:\WINDOWS\system32\efcBtutu.dll (file missing)
O2 - BHO: (no name) - {513157B2-3B37-4842-A510-D72507B0CC92} - C:\WINDOWS\system32\hgGvWmJD.dll (file missing)
O4 - HKLM\..\Policies\Explorer\Run: [F2avE88wyg] C:\Documents and Settings\All Users\Application Data\lufkzyba\jqtgpqjq.exe


Select Fix Checked

Close Hijackthis

Show hidden files through windows explorer
  • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E.
  • On the Tools menu in Windows Explorer, click Folder Options.
  • Click the View tab.
  • Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

Use Windows Explorer to navigate to and delete the following files:

Folder:
C:\Documents and Settings\All Users\Application Data\lufkzyba <- This folder only

Restart your computer into normal mode

Run a new scan with Hijackthis and attach the log


Download and Run ATF Cleaner
Download ATF Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox or Opera:
Click Firefox or Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report to your next reply.



Next Reply =
1 New Hijackthis log
2 Kaspersky log
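The HijackThis entries singled out above share a few traits a reviewer looks for: the referenced file is missing, the autorun lives under Policies\Explorer\Run, the executable sits in an Application Data folder, or the name looks random. As an added example that is not part of this thread or of HijackThis itself, the Python below runs those checks over log lines modelled on the entries quoted above; the SAMPLE_LOG text and the benign "ExampleUpdater" entry are constructed, and the heuristics are my own.

```python
import re

# Constructed sample lines modelled on the HijackThis entries quoted in the thread,
# plus one constructed benign O4 entry so the filter has something to leave alone.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {33CAE343-8B7B-4913-9AE5-09A86124631E} - C:\WINDOWS\system32\efcBtutu.dll (file missing)
O2 - BHO: (no name) - {513157B2-3B37-4842-A510-D72507B0CC92} - C:\WINDOWS\system32\hgGvWmJD.dll (file missing)
O4 - HKLM\..\Policies\Explorer\Run: [F2avE88wyg] C:\Documents and Settings\All Users\Application Data\lufkzyba\jqtgpqjq.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
"""

# "O4 - rest of line": the two-character section code followed by the entry body.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# First Windows path in the body, up to the first executable/library extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|cpl)\b", re.IGNORECASE)


def vowel_ratio(name: str) -> float:
    """Share of letters that are vowels; random names tend toward zero."""
    letters = [c for c in name if c.isalpha()]
    if not letters:
        return 1.0
    return sum(c.lower() in "aeiou" for c in letters) / len(letters)


def triage(log_text: str) -> list[dict]:
    """Return the entries worth a closer look, each with the reasons it was flagged."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        reasons = []
        if "(no file)" in body or "(file missing)" in body:
            reasons.append("orphaned: referenced file does not exist")
        if re.search(r"Policies\\Explorer\\Run", body, re.IGNORECASE):
            reasons.append("autorun via Policies\\Explorer\\Run, rarely used by legitimate software")
        path = PATH_RE.search(body)
        if path:
            full = path.group(0)
            if "application data" in full.lower():
                reasons.append("executable launched from an Application Data folder")
            base = full.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if len(base) >= 8 and vowel_ratio(base) < 0.2:
                reasons.append(f"random-looking file name {base!r}")
        if reasons:
            findings.append({"kind": m.group("kind"), "line": raw.strip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("   ->", r)
```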
 
So far I have downloaded and enabled Comodo as my firewall and deleted the particular service, but I am oddly having a difficult time trying to boot into Safe Mode. Whenever I press F8 at the start of my reboot, instead of the list of Safe Modes to go into, my computer says "Keyboard Failure", proceeds to reboot in Normal Mode, and immediately the keyboard and mouse are frozen. I've tried about 4 times to get into Safe Mode and I just can't. Something else is wrong, will you be able to figure it out?
 
Hmm, first thing: boot the computer, unplug the keyboard for 15 seconds or so, then plug it back in, and see if a balloon pops up saying new device in the task tray.

What was the last thing you did before keyboard stopped working?

Does this only happen when you attempt to boot into Safe Mode?

Can you enter BIOS or Setup before Windows attempts to load? Usually the F1, F2, or Del key will enter it.
 
After unplugging after boot up, there was no balloon that said new device.

I don't do anything out of the ordinary before restarting. I restart, allow the computer to shut down, and when it comes back up I press F8, and the black screen says "Keyboard Failure", proceeds to load up in normal mode, and both keyboard and mouse don't work, even when I unplug and replug it to see if it gets recognized.

Yes, I can enter BIOS and Setup, and the keyboard works perfectly fine, and the boot up is completely normal from there. It's just the Safe Mode option. Could it be any of the programs that I am running? The only ones that boot up automatically in the task tray are: Comodo Firewall Pro, AVG Anti-Spyware and Norton 360. Programs I have downloaded for the sake of trying to get rid of the initial problem are:

Norton 360
Ad-Aware 2007
Smitfraudfix
HijackThis
Spybot - S&D
VundoFix
AVG Anti-spyware
PAVARK
VirtumundoBeGone
CCleaner
Combofix
Malwarebytes Anti-Malware
Comodo Firewall Pro

Can any of these that aren't necessary right now be disabled or uninstalled? (Besides Combofix, HJT, Norton)

I've read something about booting in Safe Mode in other terms, I think by going into msconfig and checking an option for Safe Mode boot? I won't do it of course, unless you asked me to.
 
Ok, I won't.

Now, I just tried going into Safe Mode again, but now it seems that when I press F8 in the beginning, the computer just completely ignores my request, goes to a black screen, no message this time, and proceeds to boot up in Normal Mode. And the keyboard and mouse work fine. I took some video of it if you wanted to watch it, but it just won't even ask if I want Safe Mode; not even a "Keyboard Failure" message pops up.
 
Uh, it's a Dell keyboard that came with my PC. Don't really know how to tell what specific model it is.

Model: SK 8110 (says on the back of it)
 
Thanks. Will try and reboot one more time. I can still upload that video if you'd like to see it for yourself.

edit: Rebooted again, nothing changed, still no message when pressing F8. Boots up normally from there.


Optional: I uploaded the video I took of the start up if anyone is curious. Used YouTube, hope you don't mind. It's about 2 1/2 minutes long.

http://youtube.com/watch?v=sA0uDTHku9k
 
Ok, don't start tapping F8 until the computer boots up again; when it does, keep tapping F8. You were pressing it as it was closing down and then holding it while booting up.
 
Ok, got it to work! Took a few tries because it kept giving me keyboard failure messages, but I finally got through ok. Am working on getting the rest of the logs done to put up in the next post. Thank you muchly, kritius!
 
No problem.

By the way, it was extremely helpful to have someone think of putting up a video of what they were doing so we could see the problem first hand. Good job.
 
Hey, anything to help you guys understand the problem better!

Kaspersky is still running a scan; it will be a while before I can post the logs.

Attached is fresh HJT and Kaspersky logs.

I'd like to add that I could not find this folder:

C:\Documents and Settings\All Users\Application Data\lufkzyba

Maybe it was already deleted?

And after I ran the Safe Mode instructions, I have 2 transparent files on my desktop labeled: hpprscan.GID and desktop (which in Properties says it's this type of file: Configuration Settings). I know these are the hidden files being revealed; should I go back and hide them again?

I thought I'd post a screen cap of the underlined advertising I mentioned earlier:

vibrantads.jpg


blind dragon, i hope you didn't forget about me :[
 
Looks good. The things Kaspersky found will be removed during clean up, which we can do now. How is the computer running? Everyone sees those popups from the underlined words; that is how the forums make money to help pay for themselves.

Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the run box
* Make sure there's a space between Combofix and /u
* Then hit Enter.

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------------------------------------------------------------
Cleanup using OTMoveit2 by OldTimer
Now we can clear out the rest of the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally.

Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

1. Double click OTMoveIt2.exe to launch it.
If using Vista Right-Click OTMoveIt and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

* When finished exit out of OTMoveIt2

---------------------------------------------------------------------------
I recommend you keep
1 anti virus program
1 firewall
Combo of Anti-Spyware (Spybot S&D and MBAM, or your choice)

For Spybot you can download the latest version from HERE.

Keep them updated.

You can also turn on TeaTimer in Spybot:
  • Click on Mode at the top and make sure that Advanced is checked
  • Expand the Tools tab in the left pane
  • Single click on the Resident Icon also in the left pane
  • check Resident "TeaTimer" (Protection of over-all system settings) Active
  • Close Spybot

Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example, if you don't use MSN Messenger every time you run your computer you can disable it; then when you want to use it you can launch it through Start -> All Programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green though.

And just to be sure
Set correct settings for files
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked please check Hide protected operating system files (Recommended)
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK

Clear system restore points

  • This is a good time to clear your existing system restore points and establish a new clean restore point:
    • Go to Start > All Programs > Accessories > System Tools > System Restore
    • Select Create a restore point, and Ok it.
    • Next, go to Start > Run and type in cleanmgr
    • Select the More options tab
    • Choose the option to clean up system restore and OK it.
    This will remove all restore points except the new one you just created.
 
When I tried to uninstall Combofix, I get this message:

Error: Some files could not be created. You need to have Administrative privileges to run Combofix.

Is that... normal?
 