HJT Log - Is there spyware present?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by skulleh, Oct 28, 2006.

  1. skulleh

    skulleh Private E-2

    I recently installed an application that I'm pretty sure installed spyware onto my computer, considering WinPatrol keeps bugging me about particular random files that are continually attempting to load onto my computer. I've attached my HJT Log to this post. Can anyone here see any files that I can delete?
     


  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com, please follow our standard cleaning procedures:

    Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    • Make sure you check version numbers and get all updates.
    Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

    Downloading, Installing, and Running HijackThis
    • Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    In your next post, please make sure you attach the following logs and that you have run these scans in the following order:
    • CounterSpy - ONLY IF you were not able to run Windows Defender
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. skulleh

    skulleh Private E-2

    Ok, I followed all the steps in that thread, except I used Ad-Aware SE Personal instead of SpyBot - Search & Destroy. I've included three logs in this post and two logs in my next post. About 9 forms of spyware were found and deleted using Ad-Aware. I also noticed that Bitdefender deleted a few malware-infested files and Panda Scan found a few files that it wasn't able to disinfect. What is the next step I could take in cleaning or deleting the files on my computer that are still infected? Should I delete them through HJT?
     


  4. skulleh

    skulleh Private E-2

    Here's the other two logs.
     


  5. skulleh

    skulleh Private E-2

    My HJT log has changed slightly as I have just installed ZoneAlarm and deleted 4 files in the log. These were:

    1 "O20 - Winlogon Notify: vturs - C:\WINDOWS\system32\vturs.dll"
    2 "O20 - Winlogon Notify: winbue32 - C:\WINDOWS\"
    3 "O2 - BHO: (no name) - {A8AE83F0-18D7-4482-B216-7674D0547714} - C:\WINDOWS\system32\vturs.dll"
    4 "O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\hrkvukql.dll"
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Those entries will most likely be back on reboot, download the utility below and run the fix. Once you have completed it, reboot and attach the log along with a fresh HJT log.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
     
  7. skulleh

    skulleh Private E-2

    I actually ran VundoFix before you replied. Those four files haven't returned after rebooting my computer. Are there any more files in my HJT log to delete?

    Also, I noticed that in WinPatrol, the files "winbue32.dll" and "efccdef.dll" under "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Notify" are still present from when I opened up an exe file yesterday that copied these files onto my computer without my permission. How can I find and delete these?
     


  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Manually search for those files and remove them. I would do this in Safe Mode just in case they may be running.
     
  9. skulleh

    skulleh Private E-2

    Sorry for the late reply bjgarrick. The two files I mentioned in my last post that were located in "C:\WINDOWS\" are no longer present in that folder, although they still seem to be coming up in my HJT log. In normal boot mode, I tried using CCleaner, RegSupreme and regedit to find and delete any occurrences of the files but they still seem to show up in my HJT log. What else can I do? I've attached my latest HJT log to this post.
     


  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.co.nz/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O20 - Winlogon Notify: efccdef - C:\WINDOWS\
    O20 - Winlogon Notify: winbue32 - C:\WINDOWS\

    Again, make sure ALL browser windows are closed when you click FIX.

    Next, run CCleaner to clean up cookies and temp files.

    After you complete the above, reboot and attach a fresh HJT log.
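The entries fixed in this post, and the O2/O20 lines skulleh removed by hand in post 5, are all HijackThis views of registry keys: an O20 line is a subkey under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify whose DllName value names the DLL, an O2 line is a CLSID under Explorer\Browser Helper Objects, and an R0 line is an Internet Explorer\Main value. That is why an entry like "O20 - Winlogon Notify: winbue32 - C:\WINDOWS\" keeps appearing after the DLL itself has been deleted (post 9): the file is gone, the key is not. The following is an added example, not code from the thread or from HijackThis, that parses a constructed HJT-style log modelled on the lines quoted above, maps each entry to the registry location HijackThis is reporting, and flags the patterns this thread turned on: a Notify entry that names a directory instead of a DLL, a Notify package that is not one of the stock Windows XP packages (the stock list is my assumption for a default XP SP2 install; other legitimate software can add entries), a BHO registered with "(no name)" or dropped straight into system32, an IE start page that redirects through a homepage= parameter, and an empty leftover value. The sample lines and the placeholder CLSID {00000000-0000-0000-0000-000000000001} are constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# Stock Winlogon Notify packages on a default Windows XP SP2 install.
# Assumption: this list is complete for that baseline only; legitimate
# third-party software can register additional Notify packages.
STOCK_XP_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

# HijackThis line shapes for the three entry types discussed in this thread.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
R0_RE = re.compile(r"^R0 - (?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$")

# Constructed sample log, modelled on the entries quoted in this thread.
# The "Example Toolbar Helper" BHO and its all-zero CLSID are placeholders.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {A8AE83F0-18D7-4482-B216-7674D0547714} - C:\WINDOWS\system32\vturs.dll
O2 - BHO: Example Toolbar Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O20 - Winlogon Notify: winbue32 - C:\WINDOWS\
O20 - Winlogon Notify: crypt32chain - crypt32.dll
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.co.nz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
"""


@dataclass
class Finding:
    line: str               # the HJT line as logged
    registry_location: str  # where HijackThis read this entry from
    reason: str             # why it is worth a second look


def triage_o2(m):
    name, clsid, path = m["name"], m["clsid"], m["path"]
    loc = (f"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{clsid}"
           f" (DLL via HKCR\\CLSID\\{clsid}\\InprocServer32)")
    reasons = []
    if name == "(no name)":
        reasons.append("BHO registered without a display name")
    if path.lower().startswith("c:\\windows\\system32\\"):
        reasons.append("BHO DLL dropped directly into system32 rather than a Program Files directory")
    return loc, reasons


def triage_o20(m):
    name, path = m["name"], m["path"]
    loc = f"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\{name} (value: DllName)"
    reasons = []
    if not path or path.endswith("\\"):
        reasons.append("entry names a directory, not a DLL: the file is gone but the Notify key remains")
    if name not in STOCK_XP_NOTIFY:
        reasons.append("not a stock Windows XP Notify package")
    return loc, reasons


def triage_r0(m):
    key, value, data = m["key"], m["value"].strip(), m["data"].strip()
    loc = f"{key} value {value}"
    reasons = []
    if not data:
        reasons.append("empty value left behind; harmless but fixable")
    elif value == "Start Page":
        parts = urlsplit(data)
        qs = parse_qs(parts.query)
        if "homepage" in qs:
            reasons.append(f"start page redirects through {parts.netloc} to {qs['homepage'][0]}")
    return loc, reasons


def triage(log_text):
    """Return one Finding per (entry, reason) for the O2/O20/R0 lines in an HJT-style log."""
    findings = []
    handlers = ((O2_RE, triage_o2), (O20_RE, triage_o20), (R0_RE, triage_r0))
    for raw in log_text.splitlines():
        line = raw.strip()
        for regex, handler in handlers:
            m = regex.match(line)
            if m:
                loc, reasons = handler(m)
                findings.extend(Finding(line, loc, r) for r in reasons)
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.line}\n    at: {f.registry_location}\n    why: {f.reason}")
```

Run stand-alone it prints the six flagged entries from the sample; the stock crypt32chain package and the placeholder Program Files BHO produce nothing. The registry locations it prints are the keys to inspect with regedit (in Safe Mode, as advised in post 8) when an entry survives deletion of the file it points to.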
     
  11. skulleh

    skulleh Private E-2

    Thanks for all your help bjgarrick. That seemed to work. Here's a copy of a fresh HJT log.
     


  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log looks good to me.

    Are you familiar with these entries below?

     
