Trojans - Need Help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Scot-to, May 27, 2006.

  1. Scot-to

    Scot-to Private E-2

    Please help - in various scans I have seen ABetterInternet.Nail, Win32.TrojanDownloader, Monnet, Surfsidekick3, Qoologic. I have followed the Major Geeks instructions correctly (I hope) for READ & RUN ME First, SurfSidekick Removal and Qoologic/Winsync/Kavsvc. Logs are attached (2 batches - see attachments to this and next email).

    This is the kids' computer and relatively new. It is feasible, though not preferable, to do a full restore (I'd need to copy off pix and music to either a network disk or an additional disk).

    Thanks,
    Scot-to

  2. Scot-to

    Scot-to Private E-2

    Additional logs

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    It appears you have a bunch of bad stuff on your system. There are a bunch of baddies in the root folder of drive C that WinPfind is showing.

    Download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Now copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.

    Run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and check mark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot. Note that some of the files listed below may not exist, but we need to check for them anyway.

    c:\windows\wnsxs~1\spoolsv.exe
    c:\keyboard21.exe
    C:\bootsys.bat
    C:\configdll.pif
    C:\loaderboot.pif
    C:\ntboot.bat
    C:\services.exe
    C:\sp2ini.pif
    C:\svchost.com
    C:\svchost.exe
    C:\sysconfig.bat
    C:\sysload.bat
    C:\sysload.pif
    C:\WINDOWS\system32\tiskf.dll
    c:\windows\system32\WinNB57.dll
    C:\WINDOWS\system32\hxjekok.exe
    C:\WINDOWS\system32\gtlvaj.exe


    If Killbox does not reboot or you get a "Pending Operations" type error message, just reboot your PC yourself. However, BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then clicking "Kill process". Then click Yes. (You may not see these! If not, just continue.)
    C:\Program Files\outlook\outlook.exe
    C:\WINDOWS\FNTS~1\javaw.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    F2 - REG:system.ini: UserInit=userinit.exe,hxjekok.exe
    O2 - BHO: (no name) - {99C753D8-BD3B-BCE7-388D-E17B418E24CB} - C:\WINDOWS\system32\tiskf.dll
    O4 - HKLM\..\Run: [fkpnah] C:\WINDOWS\system32\gtlvaj.exe reg_run
    O4 - HKCU\..\Run: [chwob] C:\WINDOWS\system32\gtlvaj.exe reg_run
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)


    Now exit HJT.
    Run Windows Explorer and double-check to make sure the below files are all deleted (some we already got with Killbox):

    c:\windows\wnsxs~1 <--- the whole folder
    c:\keyboard21.exe
    C:\bootsys.bat
    C:\configdll.pif
    C:\loaderboot.pif
    C:\ntboot.bat
    C:\services.exe
    C:\sp2ini.pif
    C:\svchost.com
    C:\svchost.exe
    C:\sysconfig.bat
    C:\sysload.bat
    C:\sysload.pif
    C:\WINDOWS\system32\tiskf.dll
    c:\windows\system32\WinNB57.dll
    C:\WINDOWS\system32\hxjekok.exe
    C:\WINDOWS\system32\gtlvaj.exe


    Now reboot into normal mode and after the reboot double-check the same HJT entries I had you fix above; if any still remain, fix them again a second time.

    Now attach a new HJT log and a new log from FindQool.

    Also tell me how things are working!
     
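Added example, not from the thread or from chaslang: a read-only PowerShell check that re-verifies the indicators listed in the post above (the Killbox file list and the F2/O2/O4/O15 HijackThis entries) after the reboot, so the "double check" steps can be done in one pass. It assumes an elevated PowerShell session on the affected Windows machine and reports only; it deletes nothing.

```powershell
# Added verification script (not from the thread). Paths, CLSID and domains are the
# ones chaslang listed; it only reports what is still present and never deletes anything.
# Assumption: run in an elevated PowerShell session on the affected machine.
$Files = @(
    'C:\windows\wnsxs~1', 'C:\keyboard21.exe', 'C:\bootsys.bat', 'C:\configdll.pif',
    'C:\loaderboot.pif', 'C:\ntboot.bat', 'C:\services.exe', 'C:\sp2ini.pif',
    'C:\svchost.com', 'C:\svchost.exe', 'C:\sysconfig.bat', 'C:\sysload.bat',
    'C:\sysload.pif', 'C:\WINDOWS\system32\tiskf.dll', 'C:\windows\system32\WinNB57.dll',
    'C:\WINDOWS\system32\hxjekok.exe', 'C:\WINDOWS\system32\gtlvaj.exe'
)
$UserinitPayload = 'hxjekok.exe'                               # F2 entry
$BhoClsid        = '{99C753D8-BD3B-BCE7-388D-E17B418E24CB}'    # O2 entry
$RunPayload      = 'gtlvaj.exe'                                # O4 entries
$TrustedDomains  = @('getmirar.com', 'mirarsearch.com')        # O15 entries
$findings = @()

# Files the Killbox step should have removed (Test-Path resolves the 8.3 name wnsxs~1).
foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f) { $findings += "Still present: $f" }
}

# F2: Winlogon Userinit normally reads 'C:\WINDOWS\system32\userinit.exe,' and nothing else.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).Userinit
if ($userinit -match [regex]::Escape($UserinitPayload)) { $findings += "Userinit = $userinit" }

# O2: a Browser Helper Object registered under the CLSID from the HJT log.
$bhoKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$BhoClsid"
if (Test-Path -Path $bhoKey) { $findings += "BHO still registered: $BhoClsid" }

# O4: any Run value (HKLM or HKCU) that launches the dropper, whatever the value name is
# (the log showed random names 'fkpnah' and 'chwob', so match on the executable instead).
foreach ($hive in 'HKLM', 'HKCU') {
    $runKey = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $props  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match [regex]::Escape($RunPayload)) {
                $findings += "$hive Run [$($p.Name)] = $($p.Value)"
            }
        }
    }
}

# O15: Trusted Zone entries live under ZoneMap\Domains\<domain> (a value of 2 = Trusted sites).
foreach ($d in $TrustedDomains) {
    $zoneKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$d"
    if (Test-Path -Path $zoneKey) { $findings += "Trusted Zone entry remains for $d" }
}
if ($findings.Count -eq 0) { 'None of the listed indicators remain.' } else { $findings }
```

Anything it reports is a candidate for the "fix them again a second time" step; an empty result means the file and registry items from the post are gone.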
  4. Scot-to

    Scot-to Private E-2

    Thank you.

    Logs attached. Windows Defender came back clean on full scan.

    I suspect AIM (AOL Instant Messenger). Kids use it all the time, and I don't seem to have the same issues on my computer (I use Internet Explorer, but not AIM). I've read the article on preventing malware, and understand it may be beneficial to switch to Mozilla. But is AIM a vulnerability, and if so, is there a way to give the kids this functionality without the vulnerability?

    Thank you.

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your log is clean. Anything you use on a PC can really be a vulnerability. You just have to be very careful with what you click on, like it says in the below thread (which it sounds like you started reading already). Millions of people use all kinds of instant messengers every day, including AIM. Protecting your PC properly and using some common sense (tough to do with kids) is the best thing you can do.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore, which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     