Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)

[green tea]

I really thought I was done with Malware for a good while, but it's back

Evilfantasy, I tried following the Steps in the guideline but met some problems. I tried to uninstall my old Norton Antivirus 2003 program but it won't let me do it in safe mode. And sadly, I'm having trouble rebooting into normal mode tonight.

I was able to uninstall Internet Speed monitor through the Add/Remove part, and then I did use CCleaner. SAS and MBAM ran just fine, and the logs are attached below.

Couldn't uninstall Java 6 (update 3) in safe mode... (could I install the new version after we get rid of the bugs)??

I also tried running Hijackthis in safe mode but it keeps crashing. Don't know what to do about that...


[recovering space - attachment deleted by admin]

[evilfantasy]

Yes we will worry about updating Java and uninstalling old Norton until you get into normal mode.

Did you restart and then try running Hijackthis?

Go to My Computer->Tools->Folder Options->View tab:

• Under the Hidden files and folders heading:
• Select Show hidden files and folders.
  
• Uncheck Hide protected operating system files (recommended) option.
  
• Also, make sure there is no checkmark beside Hide file extensions for known file types.
  
• Click OK

Now see if you can find this folder and file and delete it. (if there)

C:\Program Files\Bat\Bat.exe

----------

See if you can get SDFix to run.

Download SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
  
• Choose your usual account.
• Open the extracted SDFix folder and double click RunThis.bat to start the script.
  
• Type Y to begin the cleanup process.
  
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard).
  
• Finally add the contents of the Report.txt in your next post.

.

[green tea]

No, haven't done HJT yet.

I did a search for C:\Program Files\Bat\Bat.exe but didn't find anything. MBAM log shows that it was quarantined and deleted successfully. Could it still be hiding in one of the folders?

Ran SDFix, and was prompted to reboot. The computer was restarting but this blue screen shows up for a milisecond, and then the computer reboots again. After this, the advance screen would show up and this is how I get into safe mode.

I'm currently in safemode with networking since I was thinking I could post the log after everything's done. But the "FIXTOOL" didn't run again, and all the desktop icons automatically loaded.

Should I run SDFIX again? The report.txt in the SDFix folder just shows it was done with the "Checking process"

[green tea]

Edit: I just tried running HJT, and it worked.
 
Here is the log for today

[recovering space - attachment deleted by admin]

[Broni]

green tea...
You're running two threads, this one, and: http://www.computerhope.com/forum/index.php/topic,55467.msg347538.html#msg347538
Is it about same computer?

[green tea]

Hi Broni, it's the same computer/problem. But Evilfantasy closed that thread since it got off topic and told me to start a new one.

This is the main thread now. Please delete the other one if needed. Thanks

[Broni]

No problem, I just wanted to clarify

[evilfantasy]

Go to Start > Run and copy then past sc stop MsSecurity1.209.4 then click OK

Now again go to Start > Run and copy and paste sc delete MsSecurity1.209.4 then click OK

----------

Open Hijackthis and select Do a system scan only then place a check mark next to (if there)

- O4 - HKLM\..\Run: [ynupuhwb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ynupuhwb.dll"
- O4 - HKLM\..\Run: [1cbf3279] rundll32.exe "C:\WINDOWS\system32\tedpyuln.dll",b
- O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\COMMON~1\ASKS~1\arpa.exe" -vt yazb
- O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe (file missing)

Now click Fix checked

----------

Download OTMoveIt2 by OldTimer

• Save it to your desktop.
  
• Double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  Code: [Select]
  C:\WINDOWS\winself.exe
C:\PROGRA~1\COMMON~1\ASKS~1\arpa.exe
C:\WINDOWS\system32\tedpyuln.dll
C:\Documents and Settings\All Users\Application Data\ynupuhwb.dll

• Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the Yellow bar) and choose Paste.
  
• Click the red Moveit! button.

• Copy everything in the Results window (under the Green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

----------

Post the OTMoveIt log and run a new Hijackthis scan and post that log.

If you are still stuck in safe mode then try to run SDFix again and get a log from that.

[green tea]

Ok, did ran the "sc delete MsSecurity1.209.4"

Ran HJT and selected the first 3 line items (HKLM and HKCU). But didn't see O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe (file missing)

Ran OTMoveIt but it keeps freezing whenever it's looking for the last file "ynupuhwb.dll" Under the Green result bar, it also shows some of the files as not found.

So as of now, I can't create a log for OTMoveIt. Here's the current HJT log if you need to see it.

[recovering space - attachment deleted by admin]

[evilfantasy]

You will need to go in and manually delete these files (in bold)

they may not all be there.

C:\PROGRA~1\COMMON~1\ASKS~1\arpa.exe
C:\WINDOWS\system32\tedpyuln.dll
C:\Documents and Settings\All Users\Application Data\ynupuhwb.dll

Have you tried SDFix again?

[green tea]

Found and deleted
C:\PROGRA~1\COMMON~1\ASKS~1\arpa.exe
C:\Documents and Settings\All Users\Application Data\ynupuhwb.dll

Didn't find C:\WINDOWS\system32\tedpyuln.dll

Haven't ran SDFix since the first time, but I'll try it again now

[green tea]

Just rebooted after running SDFix but same situation as before. The desktop icons automatically loaded and no SDFix screen or Fixtools popped up after the reboot.

Also, everytime I reboot, the screen would turn blue after the Windows loading screen, and then the computer would restart at that point. I'm wondering if this is because I was pressing F3 a couple times earlier when it was rebooting...I was hitting F8 to get to safe mode, but accidentally hit F3 as well.

Does that affect the reboot?!!

[evilfantasy]

Try not hitting anything.

Have just left everything alone to see if it boots into normal mode?

[green tea]

It hasn't rebooted into normal mode at all since last night. Last time I was in regular mode, I ran SAS and then was prompted to reboot. I've been in safe mode eversince.
....................................... ............
And actually, I don't have to hit anything anyway. I've been going to safe mode since it doesn't reboot properly the first time and shuts down after the Windows loading screen, then reboots by itself. Because of that error, the advance screen shows up and then I select Safe Mode with Networking.

Hitting the F8 button doesn't help me either.. I tried doing that after the first beep sound, but it loads to the window screen.

So to sum up, I really have no way of knowing how it'll reboot or have control over that either...

[evilfantasy]

Go to C:\Program Files\SUPERAntiSpyware

Double click Bootsafe.exe and make sure Normal Restart is selected then click Reboot. See if it goes into normal mode