Help, Demon within laptop

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tdragger, Mar 28, 2005.

  1. tdragger

    tdragger Private E-2

    I have upon entering my main Windows page gotten a box labeled RUNDLL with text saying error loading snim.dll. The specified module could not be found. This seems to have started after updating from AVG 6 to 7.
    While I am typing this I get redirected to http://horseserver.net/search and C:\windows\blank.htm. While not on the internet I sometimes get a pop up labeled Antivirus Report asking is your computer infected with spyware. yes/no. AVG has detected several Trojans and seems to remove all but one in C:\Windows\system32\tibs3.exe called Trojan horse Downloader Tibser.e
    I have installed and run the recommended programs as required per the sticky. Doing so seems to improve my internet time but does not eliminate my problems. Would it be ok to attach my HJT log for someone to look at?
    Thanks!!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download: HSFix.zip
    Extract the files from the ZIP file to a folder that you can find (preferably in its own folder - like c:\HSFix). Now boot to Safe Mode, open the HSFix Tool folder, double-click hsfix.bat and let it run. It will produce a log here - C:\hslog.txt

    Now reboot in normal mode and post that hslog.txt file here as an attachment.

    Then run the below procedure. Do not skip any steps!


    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. tdragger

    tdragger Private E-2

    Hello Chaslang,

    I ran Hsfix in safe mode and will attach the log.
    Trend Micro scan found two Troj Small.ACG in C:\Windows\system32\open3
    and two Troj Yobit.A in C:\Windows\syslib.exe, infected files which were not cleanable. I did not attempt to delete these. I learned that the Delete key can be your best friend and worst enemy when it comes to computers.
    The Symantec scan found four files on disc drive infected. Two Adware.multidropper in C:\Documents and Settings\Default User\My Documents\Data\all files 4.exe and two in C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe.
    I performed all of the sticky requirements. Spybot said five DSO Exploits removed.
    Since running Hsfix I am not being redirected while typing this. I did run a HJT scan and save the log file but not sure about posting both.
    Thanks for your help Chaslang!!
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I still need you to post your HJT log. Make sure you follow the directions on installing it and running it.
     
  5. tdragger

    tdragger Private E-2

    Here is my HJT log. Sorry if I did it incorrectly. Zip files and extracting are new terms to me. Tried to read as much as I could before doing this.
    tdragger
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please use the links that we provide! You do not have the proper version of HijackThis as I gave in my message to you. Please download the correct version and repost your log.
     
  7. tdragger

    tdragger Private E-2

    Here is the correct version of HJT log file.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you recognize the next URL and also do you need the below Proxy Server setting?
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.startingline.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.5:8080


    First look in Add/Remove Programs and uninstall the below if found:
    ClockSync
    WhenU or WhenUsave

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: (no name) - - (no file)
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
    O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\ClockSync <--- the whole folder
    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
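
The kinds of entries singled out in the post above (a ProxyServer value to confirm with the user, an autostart entry, and "(no file)" registrations) can be pulled out of a HijackThis log mechanically. This is an added example, not part of the original thread and not HijackThis's own code; the function names and note wording are assumptions, and the sample lines are the ones quoted in the post.

```python
import re

# Constructed sample: the HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.startingline.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.5:8080
R3 - URLSearchHook: (no name) - - (no file)
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")   # "O18 - <body>"
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN = re.compile(r"\\Run(?:Once)?: \[([^\]]+)\]\s+(.+)$")     # "[name] command"

def parse(log):
    """Yield (section, body) for every line shaped like a HijackThis entry."""
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m:
            yield m.group(1), m.group(2)

def review_notes(section, body):
    """Return the reasons a helper would want to look at this entry, if any."""
    notes = []
    if body.endswith("(no file)"):
        notes.append("orphaned: HijackThis reported no backing file")
    if "ProxyServer" in body and "=" in body:
        value = body.split("=", 1)[1].strip()
        notes.append(f"proxy set to {value}: confirm the user needs it")
    run = RUN.search(body)
    if section == "O4" and run:
        notes.append(f"autostart [{run.group(1)}] -> {run.group(2)}")
    clsid = CLSID.search(body)
    if clsid:
        notes.append(f"CLSID {clsid.group(0)}")
    return notes

def triage(log):
    """Keep only entries that produced at least one note."""
    return [(s, b, n) for s, b in parse(log) if (n := review_notes(s, b))]
```

`triage()` only surfaces entries for a human to judge; which lines are safe to fix still depends on the user's answers, as in the thread.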
     
  9. tdragger

    tdragger Private E-2

    Hello Chaslang,

    I do recognize the URL, although my home page is set to Google.
    The Proxy Server I do not know if I need.
    I did not see those programs in Add/Remove, nor could I locate the ClockSync file. I checked task manager also to see if such a process was running. I have not had time to use computer much so I am not yet sure of it.


    Here is the new HJT log file.
    Thanks!!
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, so how is everything working right now? Any more problems?
     
  11. tdragger

    tdragger Private E-2

    Hi Chaslang.

    I have been on for over an hour using various functions and this darn computer has not behaved this well for a long time. Am I to assume that those Demons have been destroyed or have they gone into hiding? I greatly appreciate your kind help getting me going again. The service pack 2 for xp, should I be installing this to help prevent further intrusions?

    Thanks again!!
    tdragger
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Complete all the steps in the below link to help you avoid future problems:

    How to Protect yourself from malware!

    The first step in the above is to go to MS update to update your PC. While WinXP SP2 will help, nothing truly is a "prevent" solution. Security starts with you. Where you surf and what you click on are two very large factors.

    After installing Win XP SP2 you must disable its built-in firewall to avoid conflicts with the third-party ones recommended in the How to Protect. The one in WinXP SP2 is not sufficient.
     
