
Topic: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)


green tea

    I really thought I was done with Malware for a good while, but it's back :'(

    Evilfantasy, I tried following the Steps in the guideline but met some problems. I tried to uninstall my old Norton Antivirus 2003 program but it won't let me do it in safe mode. And sadly, I'm having trouble rebooting into normal mode tonight.

    I was able to uninstall Internet Speed monitor through the Add/Remove part, and then I did use CCleaner. SAS and MBAM ran just fine, and the logs are attached below.

    Couldn't uninstall Java 6 (update 3) in safe mode... (could I install the new version after we get rid of the bugs)??

    I also tried running Hijackthis in safe mode but it keeps crashing. Don't know what to do about that...



    evilfantasy

    Yes we will worry about updating Java and uninstalling old Norton until you get into normal mode.

    Did you restart and then try running Hijackthis?

    Go to My Computer->Tools->Folder Options->View tab:
    • Under the Hidden files and folders heading:
    • Select Show hidden files and folders.
    • Uncheck Hide protected operating system files (recommended) option.
    • Also, make sure there is no checkmark beside Hide file extensions for known file types.
    • Click OK
    Now see if you can find this folder and file and delete it. (if there)

    C:\Program Files\Bat\Bat.exe

    ----------

    See if you can get SDFix to run.

    Download SDFix.exe and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following:

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard).
    • Finally add the contents of the Report.txt in your next post.


    green tea

      No, haven't done HJT yet.

      I did a search for C:\Program Files\Bat\Bat.exe but didn't find anything. MBAM log shows that it was quarantined and deleted successfully. Could it still be hiding in one of the folders?

      Ran SDFix, and was prompted to reboot. The computer was restarting but this blue screen shows up for a millisecond, and then the computer reboots again. After this, the advanced screen would show up and this is how I get into safe mode.

      I'm currently in safe mode with networking since I was thinking I could post the log after everything's done. But the "FIXTOOL" didn't run again, and all the desktop icons automatically loaded.

      Should I run SDFIX again? The report.txt in the SDFix folder just shows it was done with the "Checking process"

      green tea

        Edit: I just tried running HJT, and it worked.
         
        Here is the log for today


        Broni

        green tea...
        You're running two threads, this one, and: http://www.computerhope.com/forum/index.php/topic,55467.msg347538.html#msg347538
        Is it about the same computer?

        green tea

          Hi Broni, it's the same computer/problem. But Evilfantasy closed that thread since it got off topic and told me to start a new one.

          This is the main thread now. Please delete the other one if needed. Thanks

          Broni

          No problem, I just wanted to clarify :)

          evilfantasy

          Go to Start > Run and copy then paste sc stop MsSecurity1.209.4 then click OK

          Now again go to Start > Run and copy and paste sc delete MsSecurity1.209.4 then click OK

          ----------

          Open Hijackthis and select Do a system scan only then place a check mark next to (if there)

          - O4 - HKLM\..\Run: [ynupuhwb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ynupuhwb.dll"
          - O4 - HKLM\..\Run: [1cbf3279] rundll32.exe "C:\WINDOWS\system32\tedpyuln.dll",b
          - O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\COMMON~1\ASKS~1\arpa.exe" -vt yazb
          - O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe (file missing)

          Now click Fix checked

          ----------

          Download OTMoveIt2 by OldTimer
          • Save it to your desktop.
          • Double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
          • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

            Code:
            C:\WINDOWS\winself.exe
            C:\PROGRA~1\COMMON~1\ASKS~1\arpa.exe
            C:\WINDOWS\system32\tedpyuln.dll
            C:\Documents and Settings\All Users\Application Data\ynupuhwb.dll
          • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the Yellow bar) and choose Paste.
          • Click the red Moveit! button.
          • Copy everything in the Results window (under the Green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
          • Close OTMoveIt2
          Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

          ----------

          Post the OTMoveIt log and run a new Hijackthis scan and post that log.

          If you are still stuck in safe mode then try to run SDFix again and get a log from that.
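          A check a helper might ask for at this point, to confirm the entries above are really gone before the next HijackThis log. This is an added example, not part of the thread and not one of the tools mentioned in it; it assumes PowerShell is available on the machine (it is not installed by default on XP) and uses only the registry values, service name and file paths quoted above.

```powershell
# Added example, not from the thread: re-check the persistence points listed above
# after the HijackThis fix, the 'sc delete' and the manual file deletions.
# Assumes PowerShell is installed (it is not present by default on Windows XP).
# Every registry value, service name and path below is the one quoted in the thread.

$runValues = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'ynupuhwb' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = '1cbf3279' },
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'Ltho' }
)
$serviceName = 'MsSecurity1.209.4'
$files = @(
    'C:\WINDOWS\winself.exe',
    'C:\PROGRA~1\COMMON~1\ASKS~1\arpa.exe',
    'C:\WINDOWS\system32\tedpyuln.dll',
    'C:\Documents and Settings\All Users\Application Data\ynupuhwb.dll'
)

$findings = @()

# O4 entries: a value still present under Run means the loader comes back at next logon.
foreach ($rv in $runValues) {
    $item = Get-ItemProperty -Path $rv.Key -Name $rv.Name -ErrorAction SilentlyContinue
    if ($item) {
        $findings += "Run value still present: $($rv.Key)\$($rv.Name) = $($item.($rv.Name))"
    }
}

# O23 entry: the service can stay registered even when its binary is missing.
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service still registered: $serviceName (status: $($svc.Status))"
}

# Files OTMoveIt was meant to remove; Test-Path accepts the 8.3 short names as written.
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $findings += "File still on disk: $f"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'All listed Run values, the service and the files are gone.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
    Write-Output 'Include these lines with the next HijackThis log.'
}
```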

          green tea

            Ok, did run the "sc delete MsSecurity1.209.4"

            Ran HJT and selected the first 3 line items (HKLM and HKCU). But didn't see O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe (file missing)

            Ran OTMoveIt but it keeps freezing whenever it's looking for the last file "ynupuhwb.dll". Under the Green result bar, it also shows some of the files as not found.

            So as of now, I can't create a log for OTMoveIt. Here's the current HJT log if you need to see it.


            evilfantasy

            You will need to go in and manually delete these files (in bold)

            They may not all be there.

            C:\PROGRA~1\COMMON~1\ASKS~1\arpa.exe
            C:\WINDOWS\system32\tedpyuln.dll
            C:\Documents and Settings\All Users\Application Data\ynupuhwb.dll

            Have you tried SDFix again?

            green tea

              Found and deleted
              C:\PROGRA~1\COMMON~1\ASKS~1\arpa.exe
              C:\Documents and Settings\All Users\Application Data\ynupuhwb.dll

              Didn't find C:\WINDOWS\system32\tedpyuln.dll

              Haven't run SDFix since the first time, but I'll try it again now

              green tea

                Just rebooted after running SDFix but same situation as before. The desktop icons automatically loaded and no SDFix screen or Fixtools popped up after the reboot.

                Also, every time I reboot, the screen would turn blue after the Windows loading screen, and then the computer would restart at that point. I'm wondering if this is because I was pressing F3 a couple times earlier when it was rebooting...I was hitting F8 to get to safe mode, but accidentally hit F3 as well.

                Does that affect the reboot?!! :-\

                evilfantasy

                Try not hitting anything.

                Have you just left everything alone to see if it boots into normal mode?

                green tea

                  It hasn't rebooted into normal mode at all since last night. Last time I was in regular mode, I ran SAS and then was prompted to reboot. I've been in safe mode ever since.

                  And actually, I don't have to hit anything anyway. I've been going to safe mode since it doesn't reboot properly the first time and shuts down after the Windows loading screen, then reboots by itself. Because of that error, the advanced screen shows up and then I select Safe Mode with Networking.

                  Hitting the F8 button doesn't help me either.. I tried doing that after the first beep sound, but it loads to the Windows screen.

                  So to sum up, I really have no way of knowing how it'll reboot or have control over that either...

                  evilfantasy

                  Go to C:\Program Files\SUPERAntiSpyware

                   Double click Bootsafe.exe and make sure Normal Restart is selected then click Reboot. See if it goes into normal mode.