Help - black door trojan?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by eagle8787, Oct 22, 2007.

  1. eagle8787

    eagle8787 Private E-2

    Shortcuts on my desktop have been created for "Online Security Guide" and "Live Safety Center". In addition, I am getting numerous pop-ups warning me of a black door trojan [sic] that allows the user to perform "various malicious actions" on my computer.

    My computer is also running extremely slow. I followed all of the steps in the Malware Removal Guide, but for some reason I could not save a log from either CounterSpy or AVG (however I did follow all of the steps, including selecting "Create a log every time").

    I would appreciate any help you can give me.
     

    Attached Files:

  2. eagle8787

    eagle8787 Private E-2

Here are the HijackThis! log and the runkeys log
     

    Attached Files:

  3. eagle8787

    eagle8787 Private E-2

    Sorry....I was able to get the CounterSpy log from the scan that I ran in Safe Mode.
     

    Attached Files:

  4. abri

    abri MajorGeek

    Hi eagle8787!
    Welcome to Major Geeks! Please run this utility:
    abri
     
  5. eagle8787

    eagle8787 Private E-2

    I have run Combo Fix....as of right now, I am still getting pop-ups in Internet Explorer, even though I only use Firefox.

    The "Online Security Guide" and "Live Safety Center" shortcuts on my desktop have been deleted.

    I appreciate any help you are able to give me.
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi eagle8787!

    Your computer is still infected. Please download and run the following. We have to figure out where the virus is loading. USING MG TOOLS
    Please look for the tools that are for your operating system. This will download a file called MGTools.exe which you can run and it will produce a zipped file of all the logs we need to see. Just upload the zip file to us.
    Thanks.
    abri
     
  7. eagle8787

    eagle8787 Private E-2

    Thanks abri.

    Here is the log.

    I really appreciate your help.
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi Eagle8787!
    I must apologize. I've had a post for you finished and waiting for review since the 26th and things happened here which distracted everyone for several days. I will try and post my instructions for you, I hope in the next few hours. Thanks for your patience!
    abri
     
  9. abri

    abri MajorGeek

    Hi Eagle!!
    Sorry this took so long!

1) Please make sure your msconfig is set to normal startup. If you're not sure, go to Start / Run, type in msconfig and hit OK. Normal System Start should be checked. If it's not, please check it and click OK.

    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    3) Please look in Add/Remove Programs for the following and uninstall them if found. If you get any errors just make a note and proceed.

    4) Do you know what's in this folder? (do not open any files)
    C:\Videos

    5) Continue by downloading a tool we will need

    - Process Explorer

    Extract it to its own folder somewhere that you will be able to locate it later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    uzcdshux.dll
    pnjmawek.dll

    After you have killed all instances of any of the above DLLs under winlogon click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    uzcdshux.dll
    pnjmawek.dll

    After you have killed all instances of any of the above DLLs under Explorer click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    uzcdshux.dll
    pnjmawek.dll

    After you have killed all instances of any of the above DLLs under iexplore click ok.
    (If you do not find these DLLS, just continue on.)

    Now just exit Process Explorer.

    6) Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )
    7) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    8) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

9) After you have completed ALL of the above in the correct order, please attach the following logs.
    • Avenger Log
    • ShowNew Log
    • GetRunKey Log
    • HijackThis Log


    abri
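
The Process Explorer walk-through in the post above (open winlogon.exe, explorer.exe and iexplore.exe in turn and look for the two randomly named DLLs) can be scripted for the triage half of the job. The script below is an added example, not a tool from this thread or from MajorGeeks; it is PowerShell and assumes an elevated prompt on the affected machine. The two DLL names are the ones the post lists; the eight-lowercase-letter regex, the trusted-directory list and the function name Test-SuspiciousModule are my own choices. It only reports what is loaded into those processes; killing the threads is still done in Process Explorer as the post describes.

```powershell
# Added example (not from the thread): list DLLs loaded into the processes the
# Process Explorer steps target and flag the ones worth a closer look.
# Assumes an elevated PowerShell session on the machine being examined.
$targets    = 'winlogon', 'explorer', 'iexplore'
$knownBad   = @('uzcdshux.dll', 'pnjmawek.dll')   # the names listed in post 9
$randomName = '^[a-z]{8}\.dll$'                  # assumed heuristic: 8 random lowercase letters
$trustedDirs = @(                                 # assumed list of directories we will not flag on path alone
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    "$env:SystemRoot\WinSxS",
    $env:ProgramFiles
)

# Returns a reason string if the module looks suspicious, $null otherwise.
function Test-SuspiciousModule {
    param([System.Diagnostics.ProcessModule]$Module)
    $name = $Module.ModuleName.ToLowerInvariant()
    $path = $Module.FileName

    if ($knownBad -contains $name) { return 'name listed as malicious' }

    $inTrusted = $false
    foreach ($d in $trustedDirs) {
        if ($path -like "$d\*") { $inTrusted = $true; break }
    }
    $oddName = $name -match $randomName

    # Ordinary Windows DLLs in System32 are not examined further; the
    # signature check is reserved for modules that already look odd.
    if ($inTrusted -and -not $oddName) { return $null }

    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -eq 'Valid') { return $null }
    if (-not $inTrusted) { return "outside trusted directories, signature $($sig.Status)" }
    return "random-looking name in a system directory, signature $($sig.Status)"
}

$findings = foreach ($procName in $targets) {
    foreach ($p in Get-Process -Name $procName -ErrorAction SilentlyContinue) {
        # Reading another process's module list fails without sufficient rights
        # or across a 32/64-bit boundary; report and move on rather than abort.
        try { $modules = @($p.Modules) }
        catch { Write-Warning "Cannot list modules of $procName (PID $($p.Id)): $_"; continue }

        foreach ($m in $modules) {
            $why = Test-SuspiciousModule -Module $m
            if ($why) {
                [PSCustomObject]@{
                    Process = "$procName (PID $($p.Id))"
                    Module  = $m.ModuleName
                    Path    = $m.FileName
                    Reason  = $why
                }
            }
        }
    }
}
$findings | Format-Table -AutoSize
```

On the Windows XP machines of this thread's era, Windows' own DLLs are catalog-signed and Get-AuthenticodeSignature reports them as NotSigned, which is why the script only checks signatures on modules that already look odd by name or location. Treat a hit as a lead to confirm (file timestamps, a second scanner), not as a verdict, and note that a DLL injected into winlogon.exe will reload at the next logon until its autostart entry is removed, which is what the HijackThis and Avenger steps are for.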
     
  10. eagle8787

    eagle8787 Private E-2

    Abri,

    Sorry it has taken so long to reply. I was out of the country on business and I didn't have my computer with me. The Show New log and Hijack This log were run this morning (11/24/07) while the other steps that you instructed me to take were completed around 11/5 (there was little, if any, user activity on my computer between 11/5 and 11/24). The videos file contains videos that I have either downloaded or had friends send to me (there are 13 videos total). I don't think that anything has been added to that folder since around March or April.

    Again, I appreciate any help that you are able to give me, and I apologize for the delay in posting.
     

    Attached Files:

    Last edited: Nov 24, 2007
  11. eagle8787

    eagle8787 Private E-2

    Here is the Hijack This log....
     

    Attached Files:

  12. abri

    abri MajorGeek

    1) Please go to add/remove programs and uninstall the following:

    - LiveUpdate 2.6 (Symantec Corporation)



    2) Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
    After clicking Fix, exit HJT.


    3) Run ATF Cleaner as per the instructions in step 8 of Post Number 9 of this thread. Make sure when you run it that the local settings temp folder is checked. For some reason it didn't get things from this folder last time you ran it.

    4) After you've completed these, please post a fresh hijackthis log and a newfiles log (from ShowNew). Also, please let me know if you are still getting the same symptoms you first mentioned and how your computer is working in general.

    abri
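
The O4 lines HijackThis reports are the values under the Run and RunOnce keys of HKLM and HKCU, each in the form "O4 - HKLM\..\Run: [name] command". As an added example, not code from this thread or from HijackThis, the PowerShell below reads those keys, prints each entry in the same O4 format and adds whether the target file still exists and who signed it, which is what you need to decide between a stale entry for uninstalled software and something that should not be there. The Get-CommandPath helper and the column names are my own; it runs as the current user and changes nothing, so it cannot replace the Fix step, only inform it.

```powershell
# Added example (not from the thread): render Run/RunOnce autostart values
# as HijackThis-style O4 lines with a file-exists and signer column. Read-only.
$runKeys = @(
    @{ Hive = 'HKLM'; Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' },
    @{ Hive = 'HKLM'; Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce' },
    @{ Hive = 'HKLM'; Path = 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run' },
    @{ Hive = 'HKCU'; Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' },
    @{ Hive = 'HKCU'; Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce' }
)

# Extract the executable path from a Run value. Handles both shapes seen above:
#   "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
#   C:\Program Files\Norton Internet Security\UrlLstCk.exe   (unquoted, spaces)
function Get-CommandPath {
    param([string]$Command)
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: take the longest leading run of words that names an existing file.
    $parts = $cmd -split ' '
    for ($i = $parts.Count; $i -ge 1; $i--) {
        $candidate = ($parts[0..($i - 1)] -join ' ')
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]
}

$entries = foreach ($k in $runKeys) {
    if (-not (Test-Path $k.Path)) { continue }      # e.g. no Wow6432Node on 32-bit Windows
    $leaf  = Split-Path $k.Path -Leaf                 # Run or RunOnce
    $props = Get-ItemProperty -Path $k.Path
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }      # skip PSPath, PSParentPath, ...
        $command = [string]$prop.Value
        $exe     = [Environment]::ExpandEnvironmentVariables((Get-CommandPath $command))
        $exists  = Test-Path -LiteralPath $exe -PathType Leaf
        $signer  = 'n/a'
        if ($exists) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "$($sig.Status)" }
        }
        [PSCustomObject]@{
            O4     = 'O4 - {0}\..\{1}: [{2}] {3}' -f $k.Hive, $leaf, $prop.Name, $command
            Exists = $exists
            Signer = $signer
        }
    }
}
$entries | Format-Table -AutoSize -Wrap
```

An entry whose target no longer exists (the usual leftover after an uninstall) is harmless but worth clearing, as the post does; an entry whose target exists, is unsigned and lives somewhere like the user profile or a Temp directory is the kind that reinstalls an infection at each logon. As with the earlier script, catalog-signed Windows binaries on XP show as NotSigned, so a missing signature is a prompt to look, not proof.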
     
