Major Problems with virus, trojans, etc. that I can't clean out

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jerryi, Aug 14, 2005.

  1. jerryi

    jerryi Private E-2

    Hi,

    I have gone through your recommendations to try to remove spyware, trojans, etc. I am still getting constant IE pop-ups to clean my registry, winfixer2005, aurora and about:blank. It is driving me crazy. Here is my HijackThis log:


    Can you help???
     

    Attached Files:

    Last edited by a moderator: Aug 14, 2005
  2. PhilliePhan

    PhilliePhan Guest

    Hi Jerry,

    Let's see what we can do here . . . .

    FIRST:

    Please unzip Pocket KillBox to its own folder. Just leave it where you can find it for now.

    NOW:
    Please run the Uninstaller here: Uninstaller

    NEXT:
    Please print out or save these instructions locally so that you can Disconnect from the Internet and operate with All Browser Windows CLOSED.
    Please make sure the Viewing of Hidden Files is Enabled.

    Look in Add/Remove Programs for the following and Uninstall them if found:

    SurfSideKick 3
    SSK
    Elite ToolBar
    Etb
    Adna
    AdwareAlert
    + note other suspicious entries


    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and try to end them, if found.

    command.exe
    agxhrln.exe
    obpbaq.exe
    well.exe
    winspool.exe


    Now scan with HijackThis and Check the Boxes for the following, if they remain:

    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe

    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    O4 - HKLM\..\Run: [System service62] C:\WINNT\etb\pokapoka62.exe
    O4 - HKLM\..\Run: [ttupt] C:\WINNT\ttupt.exe
    O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\adwarealert.Exe -boot
    O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\obpbaq.exe reg_run
    O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\obpbaq.exe reg_run
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\Run: [Jptdxnz] C:\WINNT\system32\??sks\winspool.exe
    O4 - HKCU\..\Run: [Smac] C:\Program Files\adna\well.exe
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

    O15 - Trusted Zone: http://www.jayloden.com
    You ought to keep stuff out of here on principle
    O15 - Trusted Zone: http://*.windowsupdate.com

    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = microfocus.com
    If these are the desired setting, then leave them alone.
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = microfocus.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = microfocus.com

    O20 - Winlogon Notify: ShellCompatibility - C:\WINNT\system32\ucbui.dll (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Please open Pocket KillBox.

    NOW, you will be entering items into Pocket KillBox. Please select the "Delete on Reboot" and "End Explorer Shell While Killing File" Options. Enter or Copy&Paste each of the following into the box, making sure Delete on Reboot and End Explorer Shell While Killing File are Checked for each entry. Click the Red X to Delete each one, but DO NOT Allow your machine to Reboot until the last item has been entered:

    C:\WINNT\QWRtaW5pc3RyYXRvcgAA
    C:\WINNT\system32\agxhrln.exe
    C:\WINNT\system32\obpbaq.exe
    C:\Program Files\adna
    C:\WINNT\system32\??sks
    C:\WINNT\Nail.exe
    C:\WINNT\etb
    C:\WINNT\ttupt.exe
    C:\Program Files\AdwareAlert
    C:\Program Files\SurfSideKick 3
    C:\WINNT\system32\ucbui.dll

    When the last item has been entered and you are prompted to reboot, ALLOW Pocket KillBox to Reboot your computer. If KillBox doesn't reboot your machine, do it manually.

    NEXT:
    Run CCleaner and Spybot S&D (from the READ ME FIRST Sticky Post ) and have Spybot fix what it finds.

    Reboot to Normal Windows and Scan with HijackThis and attach that log. We may have to look at a VX2 fix . . . .

    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits.

    ** Also, don’t forget to Update your OS to SP4

    Best luck :)
    PP
     
  3. jerryi

    jerryi Private E-2

    Hi,

    I ran through your instructions. Attached is the latest HijackThis log. I am running Windows 2000. It is my son's computer and his CD-ROM doesn't work, so I am not able to reformat unless I find some floppy disks with an operating system. He is getting a new laptop, but I was hoping to have my daughter use the computer for IM and iTunes for her iPod. I am hoping your instructions worked and will let you know if the problem doesn't seem to have been resolved. Thanks for your help.
     

    Attached Files:

  4. PhilliePhan

    PhilliePhan Guest

    Happy to help.

    Your HJT log looks much better. We just need to deal with this baddie:


    C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe

    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe



    FIRST:
    Click Start > Run > type services.msc and Click OK

    Locate Command Service (cmdService) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply.

    NEXT:
    Run HijackThis and open the Misc Tools section and select Delete an NT service and follow the instructions to enter and remove that entry.

    Then, use Pocket KillBox to delete that folder on reboot:
    C:\WINNT\QWRtaW5pc3RyYXRvcgAA

    Let me know if you have any problems removing this baddie.

    PP :)
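
Added example (not code from this thread, from HijackThis or from MajorGeeks): a small Python triage script for HJT log lines of the kinds quoted in the second and fourth replies above (F2, O4, O20, O23). It parses each entry into its section code, value name and target path, then applies a few heuristics a helper would apply by eye: a system.ini Shell= value carrying more than Explorer.exe, entries marked "(file missing)", Run values named after system files, ownerless services whose binary lives outside system32, and directory names that are valid base64 of printable text (the cmdService folder QWRtaW5pc3RyYXRvcgAA decodes to "Administrator" followed by two NUL bytes). The sample log is constructed from lines quoted in the thread plus one assumed-benign O4 entry (mobsync.exe) so the filter has something to leave alone.

```python
"""Triage HijackThis (HJT) log entries of the kinds quoted in this thread.

Added example, not code from the thread, from HijackThis or from MajorGeeks.
SAMPLE_LOG is constructed from entries quoted in the second and fourth replies
plus one assumed-benign O4 entry (Synchronization Manager) for contrast.
"""
import base64
import re

SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O4 - HKLM\..\Run: [System service62] C:\WINNT\etb\pokapoka62.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\obpbaq.exe reg_run
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O20 - Winlogon Notify: ShellCompatibility - C:\WINNT\system32\ucbui.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
O23 - Service: GEARSecurity - Unknown owner - C:\WINNT\system32\gearsec.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<key>HK\w+\\[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
# Path component made only of base64 alphabet (padding allowed), 14+ chars.
B64_PART_RE = re.compile(r"^[A-Za-z0-9+/]{14,}={0,2}$")


def parse_line(line):
    """Split one HJT line into section code, value name and target path.
    Kinds without a dedicated parser keep only kind and body."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    entry = {"kind": kind, "body": body, "name": None, "path": None}
    if kind == "O4":                                # Run/RunOnce autostarts
        m4 = O4_RE.match(body)
        if m4:
            entry["name"], entry["path"] = m4.group("name"), m4.group("cmd")
    elif kind == "O23":                             # NT services
        m23 = O23_RE.match(body)
        if m23:
            entry["name"], entry["path"] = m23.group("svc"), m23.group("cmd")
    elif kind == "F2" and "Shell=" in body:         # system.ini Shell= mapping
        entry["name"], entry["path"] = "Shell", body.split("Shell=", 1)[1]
    elif kind == "O20":                             # Winlogon Notify DLLs
        rest = body.partition(": ")[2]
        entry["name"], _, entry["path"] = rest.partition(" - ")
    return entry


def decoded_b64_parts(path):
    """Return (component, decoded_text) for path components that are valid
    base64 of printable ASCII; trailing NUL bytes are stripped."""
    hits = []
    for part in re.split(r"[\\/]", path):
        if len(part) % 4 or not B64_PART_RE.match(part):
            continue
        try:
            raw = base64.b64decode(part, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        text = raw.rstrip(b"\x00")
        if text and all(0x20 <= b < 0x7F for b in text):
            hits.append((part, text.decode("ascii")))
    return hits


def reasons(entry):
    """Heuristic reasons an entry deserves a second look; empty if none."""
    why = []
    kind, name, path = entry["kind"], entry["name"] or "", entry["path"] or ""
    if kind == "F2" and name == "Shell" and path.strip().lower() != "explorer.exe":
        why.append("Shell= carries an extra executable after Explorer.exe (persistence hook)")
    if "(file missing)" in path:
        why.append("points at a file that no longer exists (orphaned entry)")
    if kind == "O4" and re.search(r"\.(dll|exe|sys)$", name, re.I):
        why.append("Run value is named after a system file (masquerade)")
    if (kind == "O23" and "unknown owner" in entry["body"].lower()
            and "\\system32\\" not in path.lower()):
        why.append("ownerless service whose binary lives outside system32")
    for part, text in decoded_b64_parts(path):
        why.append(f"directory name {part!r} is base64 for {text!r}")
    return why


def triage(log_text):
    """Run every line through the heuristics; return only the flagged ones."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        why = reasons(entry)
        if why:
            findings.append({"line": line.strip(), "reasons": why})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["line"])
        for r in finding["reasons"]:
            print("   ->", r)
```

Run against the sample, the script flags five of the seven lines. It deliberately leaves the pokapoka62 entry alone: nothing about that line is structurally suspicious, which is why the per-entry list in the reply above, built from knowledge of the specific infection, is still needed on top of any automated pass. Other HJT kinds (R3, O3, O15, O16, O17) are parsed as kind and body only.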
     
  5. jerryi

    jerryi Private E-2

    Followed your steps and have attached the latest HijackThis log. Haven't noticed any problems. Thanks for all your help.
     

    Attached Files:

  6. PhilliePhan

    PhilliePhan Guest

    You're Welcome!

    Latest HJT Log looks OK. You should check this one and see if the file is indeed missing. If so, you can remove this.
    O23 - Service: GEARSecurity - Unknown owner - C:\WINNT\system32\gearsec.exe (file missing)

    Other than that, you are good to go! Don't forget to update to SP4.

    PP :)
     
