Trojans and others

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by MightyBeaker, Oct 22, 2006.

  1. MightyBeaker

    MightyBeaker Private E-2

    2 days ago I got infected with spy_heal and some other various trojans (-wareout, -ruin) and various new things keep popping up.
    I have run all preliminary scans etc and downloaded all recommended programs (see attachments for scan results).
    I have windows XP Professional (no SP), IE 6.0, Athlon 64, 512MB RAM (PC3200 DDR SD RAM).
    I have tried to remove wareout, but something else is still there or loads back on. Spywareblaster found much (microsoft.windows.activedesktop, vcodec, and more).
     


    Last edited: Oct 30, 2006
  2. MightyBeaker

    MightyBeaker Private E-2

    here are the other scan results, any and all help will be appreciated.
     


    Last edited: Oct 30, 2006
  3. MightyBeaker

    MightyBeaker Private E-2

    Sorry, here is BD scan:
     
  4. MightyBeaker

    MightyBeaker Private E-2

    HERE is BD scan
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Your copy of Windows XP is way out of date with its updates. This is a major security risk. After we fix any current malware problems, you MUST get updated.

    In your Outlook Express email folder, a message dated Thu, 11 Aug 2005 21:54:30 that has a file attached named Taxes.rar appears to be infected. You should delete this, unless you know what this file is and you trust the sender to be clean! You can see more info on what I'm referring to in both your BitDefender and PandaActiveScan logs.

    Is your copy of Spy Sweeper a paid or free trial version?

    Is your copy of CounterSpy a paid or free trial version?

    You have Spybot - Search & Destroy 1.3 installed. This version has not been used in 2 years. Why didn't you follow the directions in the READ ME and install the version specified? Uninstall your old version, reboot, and then install the proper version.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6

    Now install the current version of Sun Java from: Sun Java Runtime Environment


    What is the below for and why is it installed to run from your Desktop?
    O4 - HKCU\..\Run: [IridiumTimeWizard] C:\Documents and Settings\Andrew\Desktop\iridium.exe

    At one time did you have SpyCatcher installed?

    Is the below ProxyServer setting something you added? (For your ISP?)
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 63.211.141.184:80


    Okay, let's begin the real malware cleaning now!

    Start by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of geedd.dll once and then click the kill button. After you have killed all of the geedd.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of geedd.dll and kill it. (If you do not find the dll, just continue on.)


    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Tensons.Application.DownloadAcceleratorManager.BHO - {00000003-1118-11da-8cd6-0800200c9888} - mscoree.dll (file missing)
    O2 - BHO: (no name) - {1034FAD1-2488-4FDE-BF99-DDCCCC0ABD2F} - C:\WINDOWS\System32\geedd.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O17 - HKLM\System\CCS\Services\Tcpip\..\{43F528D7-9ECF-4B40-A507-166ABF48E7E9}: NameServer = 85.255.115.42,85.255.112.114
    O17 - HKLM\System\CCS\Services\Tcpip\..\{61337A8A-D486-44FC-8D07-E353E9E9E23E}: NameServer = 85.255.115.42,85.255.112.114
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B9C2F433-3608-414F-AC51-488FE07054A6}: NameServer = 85.255.115.42,85.255.112.114
    O17 - HKLM\System\CS1\Services\Tcpip\..\{43F528D7-9ECF-4B40-A507-166ABF48E7E9}: NameServer = 85.255.115.42,85.255.112.114
    O20 - AppInit_DLLs: interceptor.dll
    O20 - Winlogon Notify: geedd - C:\WINDOWS\System32\geedd.dll

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\Common Files\{B0B28F78-070A-1033-0309-05040924003d}Update.exe
    C:\WINDOWS\system32\ifdnbkhc.DDD.exe
    C:\WINDOWS\system32\issearch.DDD.exe
    C:\WINDOWS\system32\geedd.dll
    C:\WINDOWS\system32\ddeeg.ini
    C:\StubInstaller.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.
    After reboot locate the below folders and delete if found:
    C:\Documents and Settings\All Users\Application Data\obmlf
    C:\Program Files\Common Files\{B0B28F78-070A-1033-0309-05040924003d}

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\temp
    C:\Documents and Settings\Andrew\Local Settings\Temp

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT

    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
     
    Last edited: Oct 26, 2006
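As an added defender's-side illustration (not part of the thread and not HijackThis code), the Python below parses HijackThis-style log lines such as the ones in the fix list above and flags the kinds of entries chaslang singled out: per-interface DNS servers (O17) that are not on an allowlist, a proxy setting (R1), BHOs with a missing file or no name (O2), and DLLs registered through AppInit_DLLs or Winlogon Notify (O20). The sample lines are copied from the post, except the 192.0.2.x resolvers and the {CONSTRUCTED-0000} interface GUID, which are constructed placeholders.

```python
"""
Triage of HijackThis-style log lines.

Added example for this thread: it is not part of the original posts and
not HijackThis code.  The sample lines are copied from chaslang's fix
list above, except the 192.0.2.x resolvers and the {CONSTRUCTED-0000}
interface GUID, which are placeholders.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed placeholder: the resolvers the owner actually expects
# (on a real machine, the ISP's or router's DNS servers).
EXPECTED_DNS = {"192.0.2.1", "192.0.2.2"}

# "O17 - HKLM\...: NameServer = a,b" -> section "O17", body "HKLM..."
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+)\s+-\s+(?P<body>.*)$")
NS_RE = re.compile(r"NameServer\s*=\s*([\d.,\s]+)")

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 63.211.141.184:80
O2 - BHO: Tensons.Application.DownloadAcceleratorManager.BHO - {00000003-1118-11da-8cd6-0800200c9888} - mscoree.dll (file missing)
O2 - BHO: (no name) - {1034FAD1-2488-4FDE-BF99-DDCCCC0ABD2F} - C:\WINDOWS\System32\geedd.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O17 - HKLM\System\CCS\Services\Tcpip\..\{43F528D7-9ECF-4B40-A507-166ABF48E7E9}: NameServer = 85.255.115.42,85.255.112.114
O17 - HKLM\System\CS1\Services\Tcpip\..\{43F528D7-9ECF-4B40-A507-166ABF48E7E9}: NameServer = 85.255.115.42,85.255.112.114
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-0000}: NameServer = 192.0.2.1,192.0.2.2
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: geedd - C:\WINDOWS\System32\geedd.dll
"""


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def nameservers(body: str) -> List[str]:
    """Return the comma-separated resolver list from an O17 body (empty if none)."""
    m = NS_RE.search(body)
    if not m:
        return []
    return [s.strip() for s in m.group(1).split(",") if s.strip()]


def triage(lines: Iterable[str], expected_dns=EXPECTED_DNS) -> List[Finding]:
    """Flag the entries a cleanup reviews first; other sections pass through."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line or free text, not an HJT entry
        sec, body = m.group("sec"), m.group("body")
        if sec == "O17":
            # Per-interface DNS override: any resolver outside the allowlist
            # means name resolution for that adapter is being redirected.
            bad = [ns for ns in nameservers(body) if ns not in expected_dns]
            if bad:
                findings.append(Finding(sec, "NameServer not in allowlist: " + ", ".join(bad), line))
        elif sec == "O20" and body.startswith(("AppInit_DLLs:", "Winlogon Notify:")):
            # Both load a DLL into winlogon / every GUI process at logon, which is
            # why the post has you kill the geedd.dll threads before fixing.
            findings.append(Finding(sec, "DLL injected at logon", line))
        elif sec == "O2" and "(file missing)" in body:
            findings.append(Finding(sec, "BHO whose file is missing", line))
        elif sec == "O2" and "(no name)" in body:
            findings.append(Finding(sec, "BHO with no name", line))
        elif sec == "R1" and "ProxyServer" in body:
            findings.append(Finding(sec, "proxy server set; confirm the owner added it", line))
    return findings


def triage_sample() -> List[Finding]:
    """Run the triage over the embedded sample lines."""
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in triage_sample():
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it as is to see the seven flagged entries from the sample; to use it on a real log, replace EXPECTED_DNS with the resolvers the machine is supposed to use and feed the HJT log's lines to triage(). The O4 QuickTime entry and the R0 entry are deliberately left unflagged: they are removed in the post as clutter, not as malware.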
  6. MightyBeaker

    MightyBeaker Private E-2

    Gee you guys are busy, thanks once again for your help.
    Spyware Sweeper and Counterspy are trial versions.
    I have installed new spybot S&D, did not know about new version, old one has been finding and installing updates and seemed to work. It does keep finding 'microsoft.windows.activedesktop' though, is this a problem? Are they violating me?
    Anyway, got that. Have new Java and have done all of the above fixes. Things are certainly moving a lot faster now.
    Attached are new logs.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to answer three of my questions from my previous post! I cannot complete your fixes without these answers:
    Also here are some new questions!

    Since Spy Sweeper and CounterSpy are only trials, have your trial periods ended on these?
    Did you just install CounterSpy while running the READ ME?

    Do you know what the below file is for?
    C:\WINDOWS\system32\impborl.dll

    You missed a file with Pocket Killbox. You need to delete the below file. You can do it manually or using Killbox (whatever works).
    C:\WINDOWS\system32\ddeeg.ini
     
    Last edited: Oct 26, 2006
  8. MightyBeaker

    MightyBeaker Private E-2

    Sorry. The iridium.exe is a small program for finding out the time in different parts of the world. I have had it for years and it has never caused a problem or been detected by anything, nor has an internet search come up with anything adverse about it.
    The proxy server setting thing was something I added and have now deleted.
    I think I did have spy-catcher installed cos I have the zip file in my download folder still.
     
  9. MightyBeaker

    MightyBeaker Private E-2

    Sorry, here are answers to new questions also:
    trial periods are not over.
    Counterspy was installed while running the readme.
    Don't know what impborl.dll is.
    Killing the ddeeg.ini now.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you plan on buying either of them?


    Can you put this file into a ZIP file and attach the ZIP file here for me to look at?


    Are you still having any problems? If the new version of Spybot is detecting anything, please attach a log from it.
     
  11. MightyBeaker

    MightyBeaker Private E-2

    I don't plan buying either spysweeper or counterspy. Should I un-install them?
    I don't have the problems with spyware alert balloons or slow loading of pages and applications that I previously had.

    Attached is a spybot log from 2 days ago which found 2 objects and cleaned them. Todays search came up clean. I can't seem to attach the zip of impborl.dll. I get 'Upload Errors' and 'impborl.zip: Attachment in Progress. Can be deleted here.'

    I will try again in a new post.
     


  12. MightyBeaker

    MightyBeaker Private E-2

    Still no good, can't attach the zip file created today with winzip. Properties of the original tell me it was created two months before my current spyware dramas and it has not been modified, if that's any help.
     
  13. MightyBeaker

    MightyBeaker Private E-2

    Worked this time. Here is impborl.dll.
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That file is nothing to worry about! It is a valid compression library.

    Yes you should uninstall Spy Sweeper and CounterSpy since they are only time restricted trials. You would not want both installed at the same time even if they were not trials.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    4. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    7. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
