Some trojans, backdoors etc

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Sethanon, Nov 5, 2007.

  1. Sethanon

    Sethanon Private E-2

    Description of problem

    2.5 year old PC where the user never dared to remove anything when the virus program indicated a problem.

    Then "suddenly" Windows Taskbar disappeared. I can still start programs via clicking Ctrl-Alt-Del to get the taskmanager and then choose Run from it. I tried starting explorer.exe and it flashes the taskbar then closes in less than 1 second (internet explorer does not start either).

    I updated the virus program and ran it. Updated Ad-Aware 2007 and ran it, it found about 250 instances of different things...
    Now Ad-Aware indicates an Adware.DesktopMedia infection and it says it will remove it after reboot, but nothing is removed... Tried removing them with HijackThis and KillBox-Beta.exe, and by editing the registry.

    The windows taskbar still does not show nor iexplorer.

    The PC has a lot of Chinese software installed.

    I followed the steps indicated at http://forums.majorgeeks.com/showthread.php?t=35407

    0. uninstall by add/remove prog:
    Nothing found

    MSconfig normal start up:
    no difference in performance

    1. I manually removed files in DOS (because explorer will not start) from the quarantine folder (but the roreg.sys could not be removed, same as the files indicated by ad-aware can not be removed manually)

    2. can not do as explorer refuses to start...

    3. I am not sure about this, there is McAfee installed but I can't read the settings because they are in Chinese...
    ewido was installed but not actively running, I uninstalled it

    4. installed show new and get run keys
    installed spybot
    installed counterspy

    5. booted into safe mode
    CCleaner ran successfully
    ran Spybot S&D but it did not manage to clean two issues SoBar and SearchNet, it asked to do it after reboot but that didn't work

    ran CounterSpy which found like 18 bad files etc and tried to remove them.
    The described method to get a log file from CounterSpy does not work, when I click "view full details of scan" no window opens.


    6A. installed java (had already removed the old IBM java long time ago)
    Internet Explorer is like Windows Explorer: they do not start
    Tried with Firefox: didn't work
    Tried with the "IETab" extension in Firefox: did not work

    6B rebooted into normal mode
    ran the two bat files

    6C do not recognise any of the names in the 'special removal procedures'

    7 I had HJT already from Trend. Thus I just renamed the Trend version of HijackThis to analyse.exe and ran it

    Now there is no difference, no taskbar, no explorer or iexplorer will start...

    HELP?!
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MG's!

    If you have completed the steps in the READ ME please attach the requested logs. As a reference I will post our initial instructions below.

     
  3. Sethanon

    Sethanon Private E-2

    Thanks for the answer.

    There was some strange posting problem with MG so it gave me an error message (I did get 'Invalid Thread specified. If you followed a valid link, please notify the administrator' but maybe the first try to post had another error message? I did 'Preview Post' before I tried posting 1st time) when I tried posting, this was like my third attempt and then I thought I could just add the log files if the post showed up.

    Anyway, here are the log files! As I described in the first post, only these three were possible to get out of the sick computer.
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Did you try the online scans in Safe Mode? If not, try this as they are very important in the removal of your infections.

    Also, let's start by running ComboFix which fixes multiple issues.

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Once you complete the above, attach fresh logs from the below.

    • GetRunKey
    • ShowNew
    • HijackThis
    • ComboFix
     
  5. Sethanon

    Sethanon Private E-2

    I did follow ALL the " READ & RUN ME FIRST Before Asking for Support" instructions (well except that I used HJT from trend, but I did rename it like supposed to). Thus I did try the online scanners in safe mode with networking support.

    My problem with the online scans is that they require internet explorer, and on that computer neither windows explorer nor internet explorer will start.

    Thus there is no 'double click combofix' possible, but I can use Ctrl-Alt-Del to start the Task Manager and from it I can run programs (which is how I started all programs in the instructions), for example cmd and Firefox etc.

    I think I tried ComboFix before I realized I can not solve this myself and started following the " READ & RUN ME FIRST Before Asking for Support" instructions.

    I will try combofix as soon as I get back to that computer (about 9 h from now), thanks!
     
  6. Sethanon

    Sethanon Private E-2

    Ok

    I could read from the screen what things CounterSpy put in quarantine. I ran it twice; they were:

    In 1st run:

    3217 Chinese Keywords (CNSMin)
    DesktopMedia
    PigSearch
    BaiduBar
    SearchNet
    HMToolbar
    Caishow
    Adware.Sogou
    Trojan.Unclassified.gen
    Baidu.SoBar
    Backdoor.CVM
    ChaxunEyeOnBrowser
    Adware.AllSum
    Backdoor.Win32.Delf.zg
    Trojan-Dropper.Win32.Delf.zg
    Trojan.Agent.XC

    In 2nd run:

    DesktopMedia
    PigSearch
    Baidu.SoBar
    SearchNet


    I ran ComboFix in normal mode.

    Afterwards there is no difference, Windows Explorer and Internet Explorer do not start. Attached are the new logs produced after ComboFix.
     


  7. Sethanon

    Sethanon Private E-2

    And here is the new HJT log
     


  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.

    Pre-Instructions:
    Download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe, click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
    Step 1:
    Now, we need to stop/remove some bad services.

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Database information combine (DbooInfo)
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above steps to Stop and Disable the below Services (if you do not find them or get any errors, just continue):
      • System Loader (SystemLoader)
      • SOT Service (SOT_Service)
    • Now Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste DbooInfo into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below two Services (if you do not find them or get any errors, just continue):
      • SystemLoader
      • SOT_Service
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Step 2:
    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    Again, make sure ALL browser windows are closed when you click FIX.

    Step 3:
    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Step 4:
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    Step 5: Begin here after rebooting from Step 4!
    Next Reset Web Settings & Default Security Settings

    Note for IE 6 users:
    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites. For IE 7 users, simply click the "Reset all zones to default level" button.

    Note for IE 7 users:
    Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.


    Step 6:
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    Step 7:
    After you have completed ALL of the above in the correct order, please attach the following logs.
    • HijackThis Log
    • ShowNew Log
    • GetRunKey Log
    • Avenger Log
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
    Last edited: Nov 8, 2007
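The Step 1 service removal above, done entirely from a cmd window with the built-in sc.exe, which is the situation Sethanon is in (no usable Explorer shell, programs started from Task Manager). This is an added batch example and not part of the thread or of MajorGeeks' instructions; the three service names come from the post above, while the log path C:\service_cleanup.txt is an assumption of mine.

```batch
@echo off
rem Added example, not from the thread: stop, disable and delete the services
rem named in Step 1 using sc.exe, for a PC where services.msc is awkward to
rem reach. Run from an Administrator cmd prompt. Review the log before rebooting.
setlocal

rem Assumed log location (not from the thread); change if C:\ is not writable.
set LOG=C:\service_cleanup.txt
echo Service cleanup %DATE% %TIME% > "%LOG%"

for %%S in (DbooInfo SystemLoader SOT_Service) do call :handle %%S
echo Done. Review "%LOG%" before rebooting.
goto :eof

:handle
echo ==== %1 ==== >> "%LOG%"
rem Record the service configuration (binary path, start type) before touching
rem it, so the log keeps a record of which file the service pointed at.
sc qc %1 >> "%LOG%" 2>&1
if errorlevel 1 (
    echo %1: not installed, skipping
    goto :eof
)
rem Disable first, then stop: a service that respawns itself (the thread notes
rem SOT_Service restarts after being stopped) cannot come back once disabled.
rem Note the space after "start=" is required by sc.exe.
sc config %1 start= disabled >> "%LOG%" 2>&1
sc stop %1 >> "%LOG%" 2>&1
sc query %1 >> "%LOG%" 2>&1
rem Mark the service for deletion; it is removed once all handles close or at
rem the next reboot, the same outcome as HJT's "Delete an NT Service".
sc delete %1 >> "%LOG%" 2>&1
echo %1: disabled, stopped and marked for deletion
goto :eof
```

The log records each service's binary path, which is worth keeping alongside the Avenger and HJT logs since the files themselves are what the later steps remove.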
  9. Sethanon

    Sethanon Private E-2

    Thanks!

    Just a few questions before I dare execute all of your suggestions.

    This PC is installed with Chinese as the language, which makes it hard cause I need to get a computer newbie to translate into English.

    I guess at least one of these folders is the 'application data' or 'shared documents' or? Though the Chinese characters have become garbled so I am not sure which.

    C:\Documents and Settings\All Users\¡¸¿ªÊ¼~1
    C:\Documents and Settings\All Users\×ÀÃæ

    Then the folder
    C:\WINDOWS\..\Program Files\Zte Systems
    belongs to a legitimate company, and they are used to access the internal network. Though maybe they actually do include some spyware, but probably we will need to reinstall that later.

    Cheers
    Seth
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you are familiar with the two folders in question then you can leave them as is.
     
  11. Sethanon

    Sethanon Private E-2

    Ok,

    I could not run the hostsxpert program, I get this error message

    "ERROR: Cannot create file C:\WINDOWS\system32\DRIVERS\ETC\hosts"

    maybe because I can not turn off the virus program (cause the menus are in Chinese, and my translator cannot make out the right choice), but if I could get Windows Explorer to run there should be an easy way to temporarily disable McAfee.

    Could someone help me to get the windows explorer to run? Till now I had to start every program from a dos window...

    By the way, is the hosts file really in need of a reset? As far as I can see it contains only legitimate entries (zte... should be OK).
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just skip this step for now and continue.
     
  13. Sethanon

    Sethanon Private E-2

    can't run HostsXpert, same error message as before

    step 1
    SOT just restarts automatically after stopping it

    step 2 & 3 no problem

    step 4
    no problem
    here I realized I could use the Avenger to remove the file that SOT_Service started, so I did a 2nd run to remove it which went fine (though I didn't realize until later that the log file was overwritten), then went back and did steps 1 to 3 successfully

    rebooted

    step 5
    can not do as neither Windows Explorer nor Internet Explorer will start (they just close in less than a second after I start them), and I do not know how to start the Control Panel from a DOS prompt.

    step 6 no problem

    step 7
    ok


    The computer seems OK, except neither Windows Explorer nor Internet Explorer will start, thus there is no desktop and I need to press Ctrl-Alt-Del to start Task Manager and from there run programs.

    And also now there is something strange with Firefox, in that computer there is no "manage attachments" button visible (tried restarting Firefox, no difference), so I had to email them to another computer that I use to post this from now.

    /Seth
     


  14. Sethanon

    Sethanon Private E-2

    and the new HJT log
     


  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.

    Step 1:
    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    Again, make sure ALL browser windows are closed when you click FIX.

    Step 2:
    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Step 3:
    Now we need to run Avenger just like you did before.
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    Step 4:
    Now we need to run ATF-Cleaner, just like you did before.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    Step 5:
    After you have completed ALL of the above in the correct order, please attach the following logs.
    • HijackThis Log
    • ShowNew Log
    • GetRunKey Log
    • Avenger Log
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  16. Sethanon

    Sethanon Private E-2

    Ok,

    first I do not know how to turn off McAfee as the menus are in Chinese and my translator can't find the right place to turn it off (though she thinks she knows how to do it from the Start menu, but that menu does not show...).

    step 1 no problem
    step 2 no problem
    step 3 Avenger gives an error message something like 'Error: can not create zip file' and when I look in avenger.txt it seems the registry keys were not deleted...

    step 4 no problem

    log files attached

    There is no difference in performance: neither explorer nor iexplore will start, thus no desktop. The 'manage attachments' button is back in Firefox on majorgeeks.com, good!

    /Seth
     


  17. Sethanon

    Sethanon Private E-2

    and the getrunkey log file
     


  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  19. Sethanon

    Sethanon Private E-2

    Here are the logs

    /S
     


  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, have HJT fix the below entry...

    Now we need to run Avenger just like you did before.
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    Once you complete the above, run ATF-Cleaner and then attach fresh logs from the below.

    • GetRunKey
    • ShowNew
    • HijackThis
    • Avenger
     
  21. Sethanon

    Sethanon Private E-2

    Ok

    I could do those steps without problems.

    By the way, the file C:\dwmxbhiu.bat seems to contain stuff that belongs to 'the Avenger',
    and when I look in the new HJT log there is a new bat file which I checked and it has almost exactly the same content as the old one.

    The computer has the same problem, no explorer nor iexplore will start. Ugh.

    Logs attached.
     


  22. Sethanon

    Sethanon Private E-2

    and the HJT log
     


  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you open Task Manager and manually type in the process, what does it do?
     
  24. Sethanon

    Sethanon Private E-2

    That is how I start most programs, and the others by running cmd in task manager then finding the correct directory and running it from there.

    When I try running iexplore nothing happens, I never see the process in the Task Manager or anything.

    When I try explorer, in much less than a second the Windows taskbar (with Start menu etc) flashes at the bottom of the screen and I can see the process in the Task Manager and then it disappears...

    /S
     
  25. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It sounds like you need to do a repair install, do you by chance have your Windows disc?

    If so, I would do a "Repair" of the current install to fix these issues. If you do not have your disc then I would recommend the Software Forum to get this issue resolved.
     
