
Sad Johnny's Problem


3 replies to this topic

#1 sadjohnny

sadjohnny

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:15 AM

Posted 07 August 2008 - 01:30 PM

Hello everyone,

I am a moron and brought this on myself. I include the 'how I got there' information in hopes of finding 'how to get out of there.'

To get practice with Dreamweaver, I tried to download it from Limewire. This mistake was immediately apparent, as I got tons of unwanted spyware activity.

I took advice from this site: hxxp://www.spywareremove.com/removeZlob.html. Things got worse. I've Spybotted and Windows Defendered the hell out of my computer. Problems persist.

SmitfraudFix won't run on my computer. I keep getting a 0xc0000005 error or something like that. I don't even know what to do to know what I should do. I'm up the proverbial creek and any help would be appreciated.

Edited by quietman7, 07 August 2008 - 02:22 PM.



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,474 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:15 AM

Posted 07 August 2008 - 02:23 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 sadjohnny

sadjohnny
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:15 AM

Posted 09 August 2008 - 01:09 AM

Hello QuietMan,

Thanks for the advice. I actually tried the following advice before I saw your tip:

------------------------------------------------------------------------------------------------------
Thanks ITshop360! I hadn't noticed that taskmanager has a menu at the top!

I spent some fitful hours eradicating this nasty virus - also the worst that I have seen. Avast didn't seem to catch it, sadly. It likely came from a questionable download of all2mp3.exe using utorrent. (I've seen other references to this issue with this download too - after I contracted the virus of course).

It has the effect of interfering with internet usage, so it gets very difficult to find a fix using that particular computer. It also incessantly pops up full-screen web sites, often for ads to do with your google search, or just porn when it's bored. I ran various registry cleaners and virus scanners, and nothing caught it. I did a system restore, and it worked once, but on the next reboot the problem re-surfaced! Ouch!!

So here's what it does and HOW TO GET RID OF IT:

It adds a RUNDLL32.exe startup command to load a (8 gibberish lettered name).dll such as jkknSycS.dll. I am guessing, but it doesn't appear as a process in task manager, so it must hook itself to other tasks to cause its interference, and to get a hook into the internet. By this means, it can also mess up inituser.exe as well as any program that wants to use rundll32.exe (such as a firewall; note that it turns off your firewall, so it may also open back doors into your PC). I recommend that once you finish reading this message, you print the instructions below, and then physically DISCONNECT YOUR PC FROM THE INTERNET UNTIL YOU ERADICATE THE VIRUS!

It also makes another randomly-named copy of itself and re-installs a startup command to run the new copy on the next bootup. This has the curious effect of working after EVERY delete of the offending startup line using HiJackThis.exe (by the way, it appears as an O4 type command 'RUNDLL32 'gibberish'.dll). So every time that you delete the line and then re-scan with HijackThis, it just re-appears with a fresh name!

To remove it:

1. Before you start, check 2 places - Use Startup|Run to run MSCONFIG.EXE - in the startup tab, you ought to see the 'RUNDLL32 (8 gibberish lettered name).dll in the list. Make a note of the .dll name. Close MSCONFIG. Then open Windows Explorer and take a look in C:\Windows\System32. Sort by date modified, newest at the top. You will see a couple of 'StBcWXYZ-like'.ini and ini2 files - about 500KB in size, with a somewhat random-looking name with the datestamp of the moment when you got infected. Also, you will see several (8 gibberish lettered name).dll files with lengths between 60KB and 250KB. They will also have a similar creation date - note that some will be newer (these are the copies that I mentioned above). Erase all that you can - note that some of the .DLLs will refuse to be erased (since they are in use or otherwise protected).

2. Now, WRITE DOWN THE EXACT NAMES OF ALL OF THESE FILES!. Note that there are a few recent files made by Windows - they are wpa.dbl, fntcache and config.nt - Oh, BTW, I'm using Windows XP SP2.

3. Restart your computer using a floppy or CD that boots you into DOS!!!!! If you don't have one, use Windows Explorer (or some other computer) to make a bootable floppy or CD.

4. In DOS, navigate to C:\windows\system32 and erase the offending files. If you don't know how, use DIR /? and ERASE /? for help. I think one of them is marked as a system/read-only file, so you may have to use the DIR /A options to get at it.

5. Once you're sure that they have ALL been deleted, restart your PC from C:

6. It should startup ok, give you a taskbar, and complain that it couldn't run the .DLL that held the virus.

7. NOW - reopen MSCONFIG.EXE and uncheck the line that tries to load the (now-missing) virus file.

8. Re-boot and go have a drink of success!!

AND PROMISE TO BE MORE CAREFUL NEXT TIME!

I'm documenting this before I forget, and who knows, I may be looking for this solution some years from now myself :-( !


---------------------------------------------------------------

The problem is that once I'm in MS-DOS, it won't let me switch to C:, never mind C:/windows/system32. What should I do?
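The quoted write-up above describes how the infection persists: an O4/Run entry that loads a randomly named 8-letter DLL from System32 via RUNDLL32 and re-creates itself under a fresh name after each deletion. As an added example that is not from this thread or from any tool it mentions, here is a small Python triage script that scans HijackThis-style O4 lines for that pattern; the sample lines and DLL names are constructed, and the "random name" heuristic is an assumption, so a hit is a lead to confirm against file dates and hashes, not a verdict.

```python
import re

# Constructed sample of HijackThis O4 lines (not taken from the thread); the
# 8-letter DLL names are made up. Legitimate entries such as NvCpl also use
# rundll32, which is why a name heuristic is needed rather than a plain grep.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [jkknSycS] rundll32.exe "C:\WINDOWS\system32\jkknSycS.dll",b
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [BMa1b2c3d4] Rundll32.exe "C:\WINDOWS\system32\qoMfEDST.dll",s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"""

# O4 line layout: "O4 - <hive>: [<value name>] <command>"
O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32 followed by a DLL path, quoted or not, up to the first comma/quote
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<path>[^",]+\.dll)"?',
                       re.IGNORECASE)
SYSTEM32_RE = re.compile(r'\\system32\\', re.IGNORECASE)


def looks_random(stem):
    """Heuristic (assumed, not from the thread) for the gibberish names the
    write-up describes: exactly 8 letters, with several case flips inside
    the word or almost no vowels. Real vendor DLLs rarely look like this."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    case_flips = sum(1 for a, b in zip(stem, stem[1:])
                     if a.islower() != b.islower())
    vowels = sum(c in 'aeiouAEIOU' for c in stem)
    return case_flips >= 2 or vowels <= 1


def flag_rundll_startups(text):
    """Return (hive, value name, dll path) for every O4 entry that runs a
    suspiciously named DLL out of System32 through rundll32."""
    flagged = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        r = RUNDLL_RE.search(m['cmd'])
        if not r:
            continue
        path = r['path']
        stem = path.rsplit('\\', 1)[-1][:-4]   # strip directory and ".dll"
        if SYSTEM32_RE.search(path) and looks_random(stem):
            flagged.append((m['hive'], m['name'], path))
    return flagged


if __name__ == '__main__':
    for hit in flag_rundll_startups(SAMPLE_O4_LINES):
        print('suspicious startup entry:', hit)
```

Because the write-up notes the value name changes on every reboot, the DLL path and its creation time in System32 are the stable things to record, not the Run value name.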

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,474 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:15 AM

Posted 09 August 2008 - 07:00 AM

Sometimes another piece of malware which has not been detected protects other files (which have been detected) so they cannot be permanently deleted. Others are difficult to remove completely because of their morphing characteristics which allow the malware to regenerate itself. This infection will require further investigation and probably the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a hijackthis log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log" and complete all the steps. There are instructions for downloading and running Deckard's System Scanner (DSS) which will create a hijackthis log for you, or automatically download and install the most current version of HijackThis if it's not already installed on your computer.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.