02-27-2007, 01:59 PM   #12
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA


Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

If possible, use a clean machine, and removable media such as USB thumb drive or CDR to transport tools to and reports from the infected machine.

---------------------------------------------------------------------------------------------

Download Pocket Killbox to your desktop. We'll use this shortly.

I have attached a file to this post - stevefix.zip. Download this file to your desktop. We'll use this shortly.

Disconnect from the internet if you're still connected.

---------------------------------------------------------------------------------------------

Ad-Aware's AdWatch

Please disable AdWatch, as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable AdWatch:
  • Open AdAware SE.
  • Go to AdWatch User Interface.
  • Go to Tools and Preferences.
  • At the bottom of the screen you will see 2 options Active and Automatic.
  • Active: This will turn Ad-Watch On\Off without closing it
  • Automatic: Suspicious activity will be blocked automatically
  • Uncheck both options. You can enable these after resolving your problem.
  • Unless they are turned off they could interfere with the fix by HijackThis.

---------------------------------------------------------------------------------------------

stevefix.zip

Double click on the zip folder you downloaded to your desktop, then double click on the reg file within. Click yes to allow it to merge into your registry.

---------------------------------------------------------------------------------------------

Launch KillBox.exe & select the following options:
  • delete on Reboot
  • All files (if available)
Use your mouse to select all the filenames highlighted in blue & then right-click & select Copy.

    C:\WINDOWS\system32\vturs.dll
    C:\WINDOWS\system32\ihkmp.ini2
    C:\WINDOWS\system32\appmgmt
    C:\WINDOWS\system32\qomkijk.dll
    C:\WINDOWS\system32\nybdnxsi.dll
    C:\WINDOWS\system32\pqcreysq.dll
    C:\WINDOWS\system32\ukjdpmmq.dll
    C:\WINDOWS\system32\dkamlvtg.dll
    C:\WINDOWS\system32\btyquldm.dll
    C:\WINDOWS\system32\minglxkv.dll
    C:\WINDOWS\system32\qtintf.dll
    C:\WINDOWS\system32\vdktxdlr.dll
    C:\WINDOWS\system32\ihkmp.bak2
    C:\WINDOWS\system32\ihkmp.bak1
    C:\WINDOWS\system32\oiurnexi.dll
    C:\WINDOWS\system32\mlnmp.bak1
    C:\WINDOWS\system32\jkhhh.dll
    C:\WINDOWS\system32\ddcya.dll
    C:\WINDOWS\system32\exec1.exe
    C:\WINDOWS\system32\winjews16.exe
    C:\WINDOWS\system32\vebbamba.dll

  • Go to the File menu, and choose Paste from Clipboard
  • Click the RED X button.
  • KillBox will alert you that the files will be deleted on next reboot; click Yes
  • When asked to Reboot, select Yes

Click OK at any PendingFileRenameOperations prompt, and let us know if you receive this message.

Also, if the computer does not restart automatically, please restart it manually.

---------------------------------------------------------------------------------------------

Run VundoFix once again. Post its log in your next reply.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked.

O2 - BHO: (no name) - {38605018-0D69-4458-842B-9185938459B4} - (no file)
O2 - BHO: (no name) - {4C9A6BF9-BCC2-461B-9C11-AA0F3983866A} - C:\WINDOWS\system32\pmkhi.dll (file missing)
O2 - BHO: (no name) - {7E0D0D24-256A-4C5E-A96B-FAA826870311} - C:\WINDOWS\system32\vturs.dll
O2 - BHO: (no name) - {D7B374C3-8DED-4CB1-820B-413FF0C71FC6} - C:\WINDOWS\system32\qomkijk.dll
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\mhtqxhhb.dll (file missing)
O4 - HKLM\..\Run: [Windows Systems16] C:\WINDOWS\system32\winjews16.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\vebbamba.dll",setvm
O4 - HKLM\..\RunServices: [Windows Systems16] C:\WINDOWS\system32\winjews16.exe
O20 - AppInit_DLLs: wxvault.dll
O20 - Winlogon Notify: vturs - C:\WINDOWS\system32\vturs.dll

Close HijackThis now.

---------------------------------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
J2SE Runtime Environment 5.0 Update 10

These are outdated, and are security risks simply by still being installed.

Leave Update 11; it is the latest update for Version 5.0.

---------------------------------------------------------------------------------------------

I can't find enough information for this file -> C:\Windows\System32\wxvault.dll
Right click on that file and go to Properties. Then go to the Version tab and see what information you can get from there (Company, Description, etc.) and post it here.

---------------------------------------------------------------------------------------------

Reestablish an internet connection. (better yet, use your notebook, and a thumbdrive)

  • Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe

Disconnect again from the internet.

  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable, as you'll see in the next image:

    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Files in use may be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

---------------------------------------------------------------------------------------------

Post a new HJT log along with the DrWeb report, and the VundoFix report.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009

Last edited by tetonbob; 10-17-2007 at 08:47 PM.
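An added example, not part of tetonbob's post and not one of the tools the post uses: a small Python parser for the HijackThis line format quoted above (O2 BHO, O4 Run, O20 entries). Its purpose is the follow-up check the post implies: after the Killbox reboot, a fresh HJT log should no longer reference any of the deleted paths, and any entry that names a bare file with no path (the AppInit_DLLs wxvault.dll line) still needs the manual Properties/Version check the post asks for. The sample lines are the ones quoted in the post; the Killbox path set is a subset of the post's list; the function and field names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# HijackThis lines quoted from the post above (the entries the post asks to fix).
HJT_LINES = r"""
O2 - BHO: (no name) - {38605018-0D69-4458-842B-9185938459B4} - (no file)
O2 - BHO: (no name) - {4C9A6BF9-BCC2-461B-9C11-AA0F3983866A} - C:\WINDOWS\system32\pmkhi.dll (file missing)
O2 - BHO: (no name) - {7E0D0D24-256A-4C5E-A96B-FAA826870311} - C:\WINDOWS\system32\vturs.dll
O4 - HKLM\..\Run: [Windows Systems16] C:\WINDOWS\system32\winjews16.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\vebbamba.dll",setvm
O20 - AppInit_DLLs: wxvault.dll
O20 - Winlogon Notify: vturs - C:\WINDOWS\system32\vturs.dll
"""

# Subset of the Killbox delete-on-reboot list from the post.
KILLBOX_PATHS = {
    r"C:\WINDOWS\system32\vturs.dll",
    r"C:\WINDOWS\system32\qomkijk.dll",
    r"C:\WINDOWS\system32\winjews16.exe",
    r"C:\WINDOWS\system32\vebbamba.dll",
    r"C:\WINDOWS\system32\exec1.exe",
}

LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")            # "O4 - HKLM\..\Run: ..."
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\s,]+')              # first full Windows path in the line
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
BARE_FILE_RE = re.compile(r"\b[\w-]+\.(?:dll|exe)\b", re.IGNORECASE)  # name with no path


@dataclass
class HjtEntry:
    section: str             # e.g. "O2", "O4", "O20"
    raw: str                 # the original line
    path: Optional[str]      # full path referenced by the entry, if any
    filename: Optional[str]  # file name only (from the path, or a bare name such as wxvault.dll)
    clsid: Optional[str]     # BHO CLSID for O2 entries
    file_missing: bool       # HJT reported "(file missing)" or "(no file)"


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Parse one HJT log line; return None for anything that is not an On entry."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None                      # blank line, "Running processes:" header, etc.
    section, body = m.groups()
    path_m = PATH_RE.search(body)
    path = path_m.group(0) if path_m else None
    if path:
        filename = path.rsplit("\\", 1)[-1]
    else:
        bare = BARE_FILE_RE.search(body)
        filename = bare.group(0) if bare else None
    clsid_m = CLSID_RE.search(body)
    missing = "(file missing)" in body or "(no file)" in body
    return HjtEntry(section, line, path, filename,
                    clsid_m.group(0) if clsid_m else None, missing)


def parse_hjt_log(text: str) -> list[HjtEntry]:
    return [e for e in (parse_hjt_line(l) for l in text.splitlines()) if e]


def entries_referencing(entries, paths):
    """Entries whose path is in `paths` (compared case-insensitively, as NTFS does)."""
    wanted = {p.lower() for p in paths}
    return [e for e in entries if e.path and e.path.lower() in wanted]


def entries_needing_lookup(entries):
    """Entries that name a file with no full path and no 'missing' marker:
    these need the manual Properties/Version check the post asks for."""
    return [e for e in entries if e.path is None and not e.file_missing and e.filename]


if __name__ == "__main__":
    entries = parse_hjt_log(HJT_LINES)
    print(f"{len(entries)} entries parsed")
    for e in entries_referencing(entries, KILLBOX_PATHS):
        print("still references a Killbox target:", e.raw)
    for e in entries_needing_lookup(entries):
        print("needs manual file check:", e.raw)
```

Run it against the log text from a new HJT scan by replacing HJT_LINES with the pasted log; entries printed under "still references a Killbox target" are the ones to re-check after the reboot, since Killbox deletes the file but does not always remove the registry entry that loaded it.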