Trojan Startup, Need Help!!! Anyone?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by BoneDigger, Jan 29, 2005.

  1. BoneDigger

    BoneDigger Private E-2

    I'm new to the site, so please forgive me if I am a little less than knowledgeable about this stuff.

    Here's my system:
    Dell Latitude Pentium 2
    Windows NT 4.0

    I have apparently received the Trojan startup virus. Norton Anti-Virus has detected a virus in C:/temp/sp.dll but will not delete the file (access denied?). I have run Spybot and Adware Filter, both of which have found problems, but no fix for this one. I also went to Symantec and did as they said for this virus (including editing the registry), but it did not help.

    The only program affected appears to be IE, which automatically redirects me to "About:Blank" and often interrupts what I am working on and redirects me to this spot. It also resets my home page.

    I have run hijackthis and have a data log. I'll try to attach it, but I'm not sure how this works... we'll see.

    Is there any help for my system?

    Todd In Texas
     

    Attached Files:

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, Please start by following all steps in this sticky thread
    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    After you have followed all the steps listed in the above sticky and still are experiencing problems please see this sticky thread
    NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    NOTE: Be sure before running HJT you have all browsers closed as you had IE open the last time.

    C:\PROGRA~1\Plus!\MICROS~1\iexplore.exe

    NOTE: Also be sure to run HJT from a secure location, for ex. (C:\Program Files\HiJackThis)

    C:\Download\HijackThis.exe


    You have some pretty nasty infections so please provide the most information possible so that we can better assist you. Chaslang or PP will be in when time permits until then please follow steps listed above.

    Thanks, Bj:)
     
  3. BoneDigger

    BoneDigger Private E-2

    I appreciate the help. OK, I've downloaded and ran all of the fixes/scans noted in link one above. The only one that would not work for me was AboutBuster. It would scan to approximately 97% then lock up. Not sure what was going on there.

    I will wait until prompted to do so before posting another log. If anyone can help me with this I would certainly appreciate it.

    I am still having the same issues as noted above. If you want another log, without IE open, let me know and I will post one.

    Todd
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, if you're still experiencing problems please post a fresh HJT log with all browsers closed. Also be sure you have HJT in its secure location. The reason About:Buster is freezing is because you're infected with the about:blank hijacker and it's having trouble removing some of the infected files. Chas or PP will be here when time permits to further help you.

    Thanks, Bj:)
     
  5. BoneDigger

    BoneDigger Private E-2

    OK, I think I've got this right now. I closed all files, including IE, and ran a copy of Hijackthis from a secure folder. I am attaching the log. Please let me know if there is help for this poor pathetic computer user...

    Todd
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In message # 3 you said
    You did not run all of the steps in the READ ME FIRST. Your log shows no signs of the online scanners being run. They are not optional steps. Did you skip anything else?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should not be running About:Buster when using HijackThis. You had it running as indicated by:
    C:\Download\AboutBuster\AboutBuster.exe

    You don't need to run it anyway. This is a form of about:blank that About:Buster does not address.


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\TEMP\sp.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\TEMP\sp.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    Did you add in these below proxy overrides? If not, you should fix them too.
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *new-search.net*;*x-google.net*

    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {9FE712C8-7256-11D9-94C4-00106C14104F} - C:\WINNT\System32\ocmjhk.dll
    O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\AdwareFilterToolBar\AdwareFilter.dll
    O4 - HKLM\..\Run: [PFO Check Settings] pfochk.exe
    O4 - HKLM\..\Run: [68A.tmp] C:\TEMP\68A.tmp.exe 0 10001
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O13 - WWW. Prefix: http://
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.05p.com (HKLM)
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.blazefind.com (HKLM)
    O15 - Trusted Zone: *.clickspring.net (HKLM)
    O15 - Trusted Zone: *.flingstone.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.my-internet.info (HKLM)
    O15 - Trusted Zone: *.scoobidoo.com (HKLM)
    O15 - Trusted Zone: *.searchbarcash.com (HKLM)
    O15 - Trusted Zone: *.searchmiracle.com (HKLM)
    O15 - Trusted Zone: *.slotch.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 206.161.125.149 (HKLM)
    O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.145/x24.chm::/trs24.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/02dde7eed33a6bd9b223/netzip/RdxIE2.cab
    O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O18 - Filter: text/html - {9FE712C7-7256-11D9-94C4-00101D8B843D} - C:\WINNT\System32\ocmjhk.dll
    O18 - Filter: text/plain - {9FE712C7-7256-11D9-94C4-00101D8B843D} - C:\WINNT\System32\ocmjhk.dll

    After clicking Fix, exit HJT.
    NOTE: Some of these O15 lines may come back. If so, we will get them in the next message.

    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\AdwareFilterToolBar <--- the whole folder
    C:\WINNT\System32\ocmjhk.dll
    C:\WINNT\System32\pfochk.exe
    C:\TEMP\68A.tmp.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

    Now empty your Recycle Bin.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
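    The HJT lines chaslang selected above share a few recognisable patterns (about:blank or res:// search settings, an unnamed BHO and text/html filters pointing at the same System32 DLL, wildcard Trusted Zone entries, an ms-its: DPF). As an added example that is not part of this thread or of HijackThis itself, the Python helper below parses log lines in those formats and flags them with the reason, and also reports any DLL that is hooked as both a BHO (O2) and a MIME filter (O18), which is why the file shows up as "in use" when you try to delete it. The sample lines are constructed from the ones quoted in this thread; the rule names, the `Finding` type and the benign Start Page line are my own assumptions.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread).

Rules are written to match the patterns chaslang told the poster to fix:
about:/res:// search settings, unnamed BHOs, text/html or text/plain filters,
O15 trusted hosts, ms-its:/bare-IP DPF entries and autostarts in TEMP.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines quoted in this thread plus one
# benign Start Page line (assumption) to show that not everything is flagged.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = res://C:\\TEMP\\sp.dll/sp.html
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = about:blank
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.example.com/
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = *new-search.net*;*x-google.net*
O2 - BHO: (no name) - {9FE712C8-7256-11D9-94C4-00106C14104F} - C:\\WINNT\\System32\\ocmjhk.dll
O4 - HKLM\\..\\Run: [68A.tmp] C:\\TEMP\\68A.tmp.exe 0 10001
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\\foo.mht!http://82.179.166.145/x24.chm::/trs24.exe
O18 - Filter: text/html - {9FE712C7-7256-11D9-94C4-00101D8B843D} - C:\\WINNT\\System32\\ocmjhk.dll
"""


@dataclass
class Finding:
    section: str  # HJT section code, e.g. "R1", "O18"
    reason: str   # why the line was flagged
    line: str     # the original log line


LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
ABOUT_VALUES = {"about:blank", "about:navigationfailure"}
# Windows path ending in .dll, e.g. C:\WINNT\System32\ocmjhk.dll
DLL_RE = re.compile(r"([A-Za-z]:\\[^\s]+?\.dll)", re.IGNORECASE)


def flag_line(line):
    """Return a Finding for a suspicious HJT line, or None if it looks benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    low = body.lower()
    if sec in ("R0", "R1"):
        value = body.split("=", 1)[1].strip() if "=" in body else ""
        if value.lower() in ABOUT_VALUES or value.lower().startswith("res://"):
            return Finding(sec, "IE search/start setting points at about: or a local res:// DLL", line)
        if "proxyoverride" in low and "*" in value:
            return Finding(sec, "ProxyOverride contains wildcard domains (hijacker whitelist)", line)
    elif sec == "O2" and "(no name)" in body:
        return Finding(sec, "unnamed BHO loads its DLL into every IE process", line)
    elif sec == "O18" and ("text/html" in low or "text/plain" in low):
        return Finding(sec, "MIME filter on text/html or text/plain rewrites every page IE renders", line)
    elif sec == "O15":
        return Finding(sec, "Trusted Zone / Trusted IP entry lowers IE security for that host", line)
    elif sec == "O16":
        if "ms-its:" in low or re.search(r"https?://\d+\.\d+\.\d+\.\d+", low):
            return Finding(sec, "Downloaded Program File via ms-its: or a bare IP address", line)
    elif sec == "O4" and re.search(r"\\temp\\", low):
        return Finding(sec, "autostart entry runs an executable from a TEMP directory", line)
    return None


def triage(log_text):
    """Flag every suspicious line in an HJT log, preserving log order."""
    return [f for f in (flag_line(l) for l in log_text.splitlines()) if f]


def dlls_hooked_twice(findings):
    """DLLs referenced by both an O2 BHO and an O18 filter. Such a DLL is loaded
    into every IE process, which is why Explorer reports it as 'in use'."""
    sections_by_dll = {}
    for f in findings:
        m = DLL_RE.search(f.line)
        if m:
            sections_by_dll.setdefault(m.group(1).lower(), set()).add(f.section)
    return sorted(p for p, secs in sections_by_dll.items() if {"O2", "O18"} <= secs)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    for dll in dlls_hooked_twice(found):
        print(f"hooked as BHO and MIME filter (will be in use while IE runs): {dll}")
```

The rules are deliberately narrow: an O15 or O18 entry is always worth a look, while R0/R1 lines are only flagged when the value is an about: page, a res:// DLL or a wildcard proxy override, so a normal Start Page passes through untouched.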
     
  8. BoneDigger

    BoneDigger Private E-2

    OK, I am back from work now and I'm going to try the fixes you recommend. Sorry about the About:Buster thing, I thought I had it all off. Anyway, let's see how this goes...

    Todd
     
  9. BoneDigger

    BoneDigger Private E-2

    OK, I've followed the directions indicated. The only problems I had were with deleting the WINNT\System32\ocmjhk.dll file and I could not find the TEMP\68A.tmp.exe file. When I tried to delete the ocmjhk.dll file it would not let me. It said the file was in use. So, I checked and the Read Only box was NOT checked.

    I rebooted in safe (VGA) mode and ran a new Hijackthis scan. I noted several of the same files back again, so I deleted them again and ran a new log. THEY'RE BACK!!!!

    So, where do I go from here? I have attached my new log.

    I appreciate the help.

    Todd
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, let's find the other problems first and then get back to the hijack. By the way, was that HJT log from safe mode? If so, always post logs from normal boot mode unless we specifically request a safe mode log.

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.

    Now download and try to install ExplorerXP from here: http://www.explorerxp.com/
    I'm not sure if it will work on Win NT but maybe it will. Let's see.

    If it does install and works, use it instead of Windows Explorer and tell me if you can now see: C:\WINNT\System32\ocmjhk.dll
     
  11. BoneDigger

    BoneDigger Private E-2

    I think that was run in regular windows mode, but I might be wrong. I just ran another log and will post it here on this post.

    I did the Move.reg merger as below but could not run the explorerxp program in NT. I can see the C:\WINNT\System32\ocmjhk.dll file but the system will not allow me to remove it because it is in use?!

    I am attaching the newest log. Let me know if there is any help. I've run just about every spyware program I can find with no luck.

    Todd
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must stop installing programs on here. SpyCatcher was not here before. There are no programs available that can remove about:blank hijackers. At least none that can remove all forms. You are only complicating matters by installing things that I did not ask for. In fact, if the steps below do not work, I am going to be asking you to uninstall SpywareDoctor, Spybot S&D, SpywareBlaster and SpyCatcher. They may be conflicting with each other and also fighting the changes that we are trying to make.

    Some of the O15 lines are still there. We need to do another merge:

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.

    Print these instructions or save them locally because you MUST be disconnected with no browsers running before continuing.

    Now exit all browsers and other applications and physically disconnect (unplug your cable - this is important) before you proceed to the next step.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {F0F82FF8-7336-11D9-94CA-00106636BA91} - C:\WINNT\System32\ocmjhk.dll
    O18 - Filter: text/html - {F0F82FF7-7336-11D9-94CA-001017A92EE3} - C:\WINNT\System32\ocmjhk.dll
    O18 - Filter: text/plain - {F0F82FF7-7336-11D9-94CA-001017A92EE3} - C:\WINNT\System32\ocmjhk.dll

    Then exit HJT after clicking FIX

    - NOW PULL THE POWER PLUG TO YOUR PC (yes you read correctly)! I do not want you to power down the normal way. These problems quite often respawn themselves during a graceful power down.

    - After that wait a minute or two and then power up but into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

    Run Windows Explorer and look for and try to delete (if you find it):
    C:\WINNT\System32\ocmjhk.dll

    If you still cannot delete that file, do the following:

    Open a command prompt by clicking Start, Run, and enter cmd and click OK.
    Now in the command prompt window enter the following lines each followed by the enter key (at any prompts you get just answer yes! Make sure you enter the commands correctly, don't miss the spaces):

    C:\WINNT\System32\cacls.exe C:\WINNT\System32\ocmjhk.dll /g Everyone:f
    cd C:\WINNT\System32
    attrib -r -h -s ocmjhk.dll
    del ocmjhk.dll
    exit

    When you come back, you must tell me what happens with the above steps!

    - Empty your Recycle Bin

    - Immediately reboot in normal mode. (You do not need to pull the power plug here. Just reboot.)

    - Plug your cable to the internet back in now.

    - Open and close a couple of IE sessions and then with IE closed get a new HJT log.

    - Now come back here and post the new HJT log. And tell me what happened during the procedure.

    Let me know anything else that you notice.
     
    Last edited: Jan 31, 2005
  13. BoneDigger

    BoneDigger Private E-2

    Will do. I will be back on in an hour or two with the results. I have removed the other spyware as per your request and we'll try this again.

    I certainly appreciate your help with this. I am only semi-literate with computer stuff, so I was unaware that these programs would interfere with each other. They all CLAIM to be able to remove the about:blank virus, but I guess I am learning the hard way.

    I'll be back...

    Todd
     
  14. BoneDigger

    BoneDigger Private E-2

    OK, now I think we have gotten somewhere. I did as you requested and can no longer find the file ocmjhk.dll in WINNT/System32. I opened and closed several IE sessions and have not had an issue with the About:Blank page. I am also no longer receiving the error message from Norton saying that the sp.dll file has been quarantined and not available.

    All seems well from the outside. Now, I'm going to post the new log and lets see if we need anything else.

    I notice on the log that something called SpyWare Doctor is still running. I thought I had deleted all of that stuff. I'll try to do so, but hopefully, this won't interfere with your assessment of the log.

    Again, you have been a lifesaver!

    Todd
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You do appear to be free of the hijack now. But a couple things remain.
    But first some questions:
    1) You said you removed the other spyware programs. Exactly what did you remove and how did you remove it?
    2) Did you use Add/Remove programs to uninstall?
    3) Was there an uninstall for SpywareDoctor?


    If you did not use Add/Remove programs to uninstall SpywareDoctor, please do so.

    Use HJT to fix the following with all browsers closed:
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll (file missing)
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 206.161.125.149 (HKLM)

    Reboot and then post a new HJT log.
     
  16. BoneDigger

    BoneDigger Private E-2

    I had downloaded several types of anti-spyware and most of them were removable by way of add/remove programs in the control panel. I don't remember there being an uninstall for spyware doctor. I'll try the fixes you recommend and run the HJT log again to try to get rid of this.

    What I have remaining on my machine is:
    Shredder
    Spybot S&D
    Hijackthis

    And, apparently spyware doctor. Do you recommend my keeping any or all of these on my machine?

    I'll post a log this afternoon.

    Again, thanks for all of the help!!!!! You're a lifesaver!

    Todd
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would get rid of SpywareDoctor as you only had the demo version anyway. But you should have Ad-Aware SE and keep it along with the above mentioned. Also you need a blocking tool. You really should follow the steps in the below link to maximize your protection:

    How to Protect yourself from malware!
     
  18. BoneDigger

    BoneDigger Private E-2

    Will do. Thanks again for all of the help with this!

    Todd
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
     