Trojan help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by agof78, Oct 27, 2005.

  1. agof78

    agof78 Private E-2

    I have followed your instructions in the "READ & RUN ME FIRST" sticky as updated by Chaslang on 10/9/05.
    Chaslang helped me rid another computer of the Trojan:Vundo earlier this month. I have tried diligently to protect all of our computers (we have 3), but I am having a problem with this one.

    Norton popped up with the following message a couple of days ago:
    Download.Trojan Repair failed Access denied. It showed it to be located in the following file:
    c:\Documents...\Temporary Internet Files\Content.IE5\8PYVSPEB\kkatvrn[1].js

    I ran all of the scans as instructed, using safe mode where indicated and physically disconnected from the internet where indicated, but nothing concerning this trojan was picked up that I could see.
    I followed the instructions for the HJT log, ran it, saved it.
    This morning when I was connecting to Firefox in order to post the log, MS AntiSpyware gave me a warning that HuntBar was trying to install. I blocked it, but am afraid that it might still have files lurking.
    I am attaching my HiJackThis log. Please let me know if I still have issues that need fixed.
    Thanks so much for helping me again!
     

    Attached Files:

  2. agof78

    agof78 Private E-2

    Sorry, the first HJT log was not in normal boot mode. Here is the correct one, I hope.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you install Desktop Weather 3 yourself? If not, I would uninstall it.


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html
    O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} - http://www.wildtangent.com/webdrivers/webinstall/shockwave/Install.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/04d5d63a64864059e401/netzip/RdxIE2.cab
    O16 - DPF: {86698251-D2C0-4D0F-A3E4-95CEF12F9F18} - http://64.156.188.99/iwasher/internetwasherpro.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/wtgeneric/tradewinds/install.cab


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\NDrv.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.
    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right-click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all offline content too, click OK. When it finishes click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all offline content too, click OK. When it finishes click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  4. agof78

    agof78 Private E-2

    Chaslang-
    I did not install Desktop weather3, but cannot find it when I go into Add/Remove programs. Please tell me how to address this.

    I am using WinXP and have disabled Sys.Restore, and have had it set to view hidden files.

    I ran HJT per your instructions. However, I did not find the first two lines:
    R1 - HKCU\Software\Microsoft\Internet Explorer..../left.html or
    O4 - HKCU....NDrv.exe

    I "fixed" the O16 lines you indicated.

    After booting into safe mode, I was not able to find the file c:\WINDOWS\System32\NDrv.exe --- even by looking in Task Manager processes.

    Before proceeding further, please tell me what to do. Should I go ahead with CCleaner which was installed, I'm pretty sure, according to instructions?

    Thanks so much for your help!
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Before finishing my previous instructions let's fix the Desktop Weather item.

    Run HijackThis and select the below line and then click Fix:

    O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE

    Now boot in safe mode and delete the below folder if found:
    C:\Program Files\THEWEA~1 <--- not sure what the exact name will be. It could be The Weather Channel

    Then continue to run from the CCleaner point of my previous steps on down thru posting the follow up HJT log.
     
  6. agof78

    agof78 Private E-2

    I have completed the following 2 things:

    O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE

    Now boot in safe mode delete the below folder if found:
    C:\Program Files\THEWEA~1


    Then I ran CCleaner and reset web settings.

    The computer is very slow to boot, but I have not gotten another Norton warning about the trojan.
    Please let me know if there are other items in the HJT log that should be addressed. Thanks!
     

    Attached Files:

  7. agof78

    agof78 Private E-2

    Since I posted earlier this morning, I have had the Microsoft AntiSpyware warning that HuntBar was trying to install and asked if I wanted it removed, which I did. At about the same instant, Norton popped up with a warning that my computer might be at risk since Norton was not running. But Norton is running unless something caused it to temporarily quit. I have not disabled it.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to follow the steps from message # 3 again. These items are still in your log. I'm not sure how you cannot see them.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html
    O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
     
  9. agof78

    agof78 Private E-2

    I did find the two lines and fixed them. I'm sorry for missing them earlier.
    However, I was not able to find C:\WINDOWS\System32\NDrv.exe. I am not sure how to work in Task Manager to find it. If I still need to do that, please tell me what I need to do.

    I re-ran CCleaner and reset web settings, rebooted into Normal mode.
    Here's the new logfile.
    Thanks for hanging in there with me.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You do not need Task Manager to find it. Task Manager is used to kill running processes not to delete files or find them. Since it is no longer running, you do not need to worry about it. HijackThis was probably able to delete the file.

    How are things working?
     
  11. agof78

    agof78 Private E-2

    I am still getting the Microsoft Spyware warning about HuntBar trying to install if I log onto this computer as another user. When I tell it to "Uninstall", it seems to go through some process and then tells me it has been removed, but then the warning is back again the next time I log on.

    I no longer get that warning when logged on as "Becky."
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Each user account needs to be cleaned using the same methods. So if you have not done the READ & RUN ME for each account begin there.

    Which account had we been working on? Was it Becky?
    How many accounts are there?
     
  13. agof78

    agof78 Private E-2

    Including "Becky", there are 4 accounts. Administrator does not show up on the log in screen in normal mode, so I'm not counting it. However, in Safe Mode, only Administrator and Becky show up. The accounts are:
    Becky (the one we have been working in)
    Joe
    Joe's Business
    Megan and Greg
    After completing all of the Read me First, should I post a HJT log for each account all at once? Or should I just work on one at a time and post a HJT when I have completed the procedures on the one? I had thought I would do the latter. Please advise.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First I would like to know if the account for Becky is clean? I believe it is!

    If Becky is clean, here is what I would like you to do.

    1) Disconnect the PC from the internet by unplugging the cable to make sure nothing can get in or out.
    2) Run the READ & RUN ME FIRST for each user account but skip the online scanners (since I have you disconnected). Just run all the cleaning tools for each user account and keep track of anything reported but not fixed. You will need to run the steps in normal boot mode for some accounts since they only appear in normal mode. But make sure you clean the Admin account in safe mode.
    3) After ALL accounts have been cleaned, post one HJT log and name it appropriately and with a number to keep track. Like joe1.log or joe1.txt. The next log if necessary would be joe2.txt.
    4) After we finish with Joe, move to the next like joebus1.txt .... etc.
     
  15. agof78

    agof78 Private E-2

    Chaslang-
    Sometimes I feel really dense, but I really want to make sure I do this correctly. Forgive my next question:

    "Becky" seems to be working fine.

    I am currently working on getting "Joe" up to speed. Am I interpreting your instructions to mean that I should first run all of the scans on "Joe", save a HJT log called "Joe", then move to the next account and repeat all steps, etc., BEFORE I get back online with that PC to begin posting the individual logs??? Since the scans take quite awhile, I want to do it right! Thanks!
     
  16. agof78

    agof78 Private E-2

    The scans went quicker than I had expected. I am posting each account's HJT log.
     

    Attached Files:

  17. agof78

    agof78 Private E-2

    Here's the last one since I could only post two attachments last time.
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Fix the below from M&G1

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9999

    How is this account working?
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Joe1 is clean! How is it working?

    What about the Administrator account?
     
  21. agof78

    agof78 Private E-2

    I fixed both lines you had designated. Those accounts seem to be working fine.

    "Joe" is still getting the Microsoft Antispyware warning that HuntBar is trying to install. I know you said that the HJT log was clean. Any more ideas of how to get rid of it?
    I will work on running all of the scans again today and will post again if they find anything.
     
  22. agof78

    agof78 Private E-2

    On "Joe" I ran the following scans again in normal boot mode:
    AdAware, CCleaner, MSWindows Antivirus, Spybot.
    I was also able to run PandaScan after a couple of unsuccessful attempts.
    Also ran Bitdefender which picked up WheaterbugA. Both of the last two logs are attached.
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Delete the below folder after booting in safe mode:

    C:\Program Files\csaa


    Where did you get the install_AIM.exe file from that you are using to install and run AIM?

    I would like to see you use the below link which uses 22 free scanners to check files for problems. Connect to the below link and browse to your file at one of the below two locations (if one is bad, the other is probably bad too, so just scan one of them):

    C:\Documents and Settings\All Users\Documents\My Documents\Greg\Install_AIM.exe
    C:\Documents and Settings\Joe\My Documents\gregs stuff fo real\Install_AIM.exe

    Hopefully you have a fast connection to the internet. Be patient, it takes awhile to upload the file and then pass it thru all the scanners. A screen will popup when done. Copy and paste the results here.

    http://www.virustotal.com/flash/virustotal_en.html

    When I run this on the install_AIM.exe that is downloadable from Majorgeeks, it comes up clean on all scanners.
     
  24. agof78

    agof78 Private E-2

    Chaslang-

    I deleted the C:\Program Files\csaa

    I do not know where the AIM file came from for sure, but judging by the file names, my 14-year-old, Greg, downloaded it. Will I be able to uninstall it completely?

    Here is the scan report:

    This is a report processed by VirusTotal on 10/31/2005 at 22:43:35 (CET) after scanning the file "Install_AIM.exe" file.
    Antivirus Version Update Result
    AntiVir 6.32.0.6 10.31.2005 no virus found
    Avast 4.6.695.0 10.31.2005 no virus found
    AVG 718 10.29.2005 no virus found
    Avira 6.32.0.6 10.31.2005 no virus found
    BitDefender 7.2 10.31.2005 Adware.Wheaterbug.A
    CAT-QuickHeal 8.00 10.31.2005 no virus found
    ClamAV devel-20050917 10.31.2005 no virus found
    DrWeb 4.33 10.31.2005 no virus found
    eTrust-Iris 7.1.194.0 10.30.2005 no virus found
    eTrust-Vet 11.9.1.0 10.31.2005 no virus found
    Fortinet 2.48.0.0 10.31.2005 no virus found
    F-Prot 3.16c 10.31.2005 no virus found
    Ikarus 0.2.59.0 10.31.2005 no virus found
    Kaspersky 4.0.2.24 10.31.2005 no virus found
    McAfee 4616 10.31.2005 no virus found
    NOD32v2 1.1269 10.31.2005 no virus found
    Norman 5.70.10 10.31.2005 no virus found
    Panda 8.02.00 10.31.2005 no virus found
    Sophos 3.99.0 10.31.2005 no virus found
    Symantec 8.0 10.31.2005 no virus found
    TheHacker 5.9.1.026 10.31.2005 no virus found
    VBA32 3.10.4 10.31.2005 no virus found
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just delete the two files manually:

    C:\Documents and Settings\All Users\Documents\My Documents\Greg\Install_AIM.exe
    C:\Documents and Settings\Joe\My Documents\gregs stuff fo real\Install_AIM.exe

    See if your Bitdefender online scan now comes up clean.

    And tell your son to look for downloads here on MG's first. For example: AOL Instant Messenger (AIM). MG's does check to make sure they are clean.
     
  26. agof78

    agof78 Private E-2

    RATS!!!!!!
    I still don't think that we're clean.
    Bitdefender is still finding Wheaterbug. Here's the log.
    I ran this scan both under "Becky" and "Joe".
     

    Attached Files:

  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Empty your Recycle Bin.
     
  28. agof78

    agof78 Private E-2

    I emptied Recycle Bins. Ran another Bitdefender scan which came up clean.

    This morning when I logged onto "Joe" I got the same HuntBar warning from Microsoft AntiSpyware.
    I double-checked that System Restore was still off and it is.
    This is really frustrating!
    Thanks for your continued help!
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Does MS Antispyware give you more information on what it is finding?
    Is it a registry key or is it finding a file? And for either, it would be useful to know the exact info.

    Is your MS Antispyware up to date? Have you run a full scan with it in safe mode? Did you tell it to fix the problem? Sometimes it does not fix unless you change the option to fix. It could be on ignore.

    Try looking in Add/Remove programs for any of the below and uninstall if found:
    Internet 404
    MSIETS
    Tools for Internet Explorer

    If we cannot find it this way, the only way we can fix it is if we can see it. This means we would take the approach of uninstalling MS Antispyware and Ewido too. Then reboot and then we would get a new HJT log and see what we find.
     
    Last edited: Nov 1, 2005
  30. agof78

    agof78 Private E-2

    I repeated all of the scans again today in Safe Mode (as in the past). MS AntiSpyware (which is updated daily) doesn't pick anything up. All the information I find in the Quarantined Items is that HuntBar - Browser Modifier is in there after being caught by the Real-time protection function. I've been deleting it. It doesn't mention either files or registry keys.

    I didn't find any of the 3 programs in Add/Remove.
    Should I proceed with uninstalling MSAS and Ewido?
     
  31. agof78

    agof78 Private E-2

    I don't know if this is important, but in Add/Remove Programs there is something called "Toolbar - My Toolbar". When I select the Change/Remove button, it doesn't do anything. Could this be somehow related to the HuntBar issue?

    Since my Ewido has expired, I went ahead with the uninstall.
    Will wait to hear back from you before I uninstall the Microsoft AntiSpyware.
     
    Last edited: Nov 1, 2005
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes uninstall MS Antispyware and then reboot your system. See if anything obvious shows up. Then I would run a full scan with Spybot S&D and see if it finds anything. Also look in Add/Remove programs now to see if anything showed up.

    You may want to give the below tool a run to see if it can get rid of that Toolbar item in Add/Remove programs.

    Windows Installer CleanUp Utility
     
  33. agof78

    agof78 Private E-2

    I uninstalled MSAS, rebooted, ran Spybot. Didn't pick up anything. I didn't see any changes in the Add/Remove Programs. I downloaded the clean-up utility, but the Toolbar item didn't show up on the list of stuff that it gave an option to change.
    I'm attaching the recent HJT to see if you see anything different.
     

    Attached Files:

  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your HJT log is clean. Does Toolbar - My Toolbar still show in Add/Remove programs?

    If so, run regedit and navigate to the below key and tell me exactly (word for word) how this item appears in the registry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
     
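The registry location chaslang names above is where Add/Remove Programs reads its entries from. As an added example (not code from the thread or from MajorGeeks), the PowerShell below lists those entries read-only, flags any whose Change/Remove button cannot do anything because no UninstallString is recorded, and shows how to back a key up with the standard `reg export` command before it is edited by hand. The search pattern `*Toolbar*` and the key name `MyToolbarIEToolbar` in the commented export line are taken from the thread; `reg export` path and backup file name are assumptions.

```powershell
# Added example: inspect the Add/Remove Programs entries stored under the
# Uninstall keys, without changing anything. Constructed for this thread.

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    # 64-bit Windows keeps 32-bit programs under WOW6432Node; absent on XP 32-bit.
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    # Per-user installs (the thread's infection differed per account).
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-UninstallEntries {
    param([string]$Pattern = '*')   # wildcard matched against key name and DisplayName
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $props = Get-ItemProperty -Path $key.PSPath
            $name  = if ($props.DisplayName) { $props.DisplayName } else { $key.PSChildName }
            if (($name -notlike $Pattern) -and ($key.PSChildName -notlike $Pattern)) { continue }
            [pscustomobject]@{
                KeyName         = $key.PSChildName
                DisplayName     = $name
                Publisher       = $props.Publisher
                UninstallString = $props.UninstallString
                KeyPath         = ($key.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', '')
                # No UninstallString means the entry is listed but Change/Remove
                # does nothing, which is the symptom reported in message #31.
                Orphaned        = [string]::IsNullOrWhiteSpace($props.UninstallString)
            }
        }
    }
}

# What chaslang asked for in message #34: how the toolbar item appears in the registry.
Get-UninstallEntries -Pattern '*Toolbar*' | Format-List

# Before editing or deleting such a key by hand, export it so the change can be reverted.
# Example (assumed key name from message #37; run from an elevated prompt):
# reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyToolbarIEToolbar" "$env:USERPROFILE\Desktop\MyToolbar-backup.reg"
```

Entries whose `Orphaned` field is `True` are exactly the ones that survive the Change/Remove button; compare `KeyPath` against the registry before acting on any of them.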
  35. agof78

    agof78 Private E-2

    Chaslang-
    Please forgive me if this isn't what you need to see, but here's a copy of the registry info. I'm at the TRULY CLUELESS stage.
    B.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not post anything! All I need you to do is navigate to that registry key and locate the item that looks like it relates to that Toolbar info you see in Add/Remove programs. Then just tell me exactly what it says.
     
  37. agof78

    agof78 Private E-2

    Sorry - I was trying to copy the entire string that shows up under "uninstall", but it didn't upload.
    I am seeing an entry that says: MyToolbarIEToolbar
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixMTB.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixMTB.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

    Now check Add/Remove programs and see if it is gone.
     
  39. agof78

    agof78 Private E-2

    I followed the cut and paste, and then realized that there was a space between My and Toolbar so I adjusted it, and the line is gone. Yay!
     
    Last edited: Nov 1, 2005
  40. agof78

    agof78 Private E-2

    Should I reinstall Microsoft Antispyware?
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Go for it!! ;)
     
  42. agof78

    agof78 Private E-2

    Went for it!
    Got the stupid WARNING again about HuntBar after I rebooted.
    AAAAAAAArrrrrrrrrrrgh!
    Part of me wants to get rid of MS AntiSpyware so I don't have to deal with the alerts, but the other part says I want to beat this thing, whatever it is.
    Where to now?
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hang in there! Let's try two other tools (I forget if we ran these yet):

    Running Ewido Security Suite

    Make sure you save and post the Ewido log.


    Then download, install and update Spy Sweeper
    - Run it once while you are in normal boot mode (save the log).
    - Then boot in safe mode and run SpySweeper one more time (and save a second log).

    Now reboot in normal mode.

    Attach the three logs (will need two messages to do that). Also tell me if MS Antispyware is still finding Huntbar.
     
  44. agof78

    agof78 Private E-2

    I got a little confused in the Ewido Instructions and after downloading, updating, I clicked scan and began the scan in Normal mode. The scan immediately picked up some infections. Then I read further in your instructions and I cancelled the scan to reboot into Safe Mode and to disconnect the cable. Anyway, after running the complete scan in Safe Mode, Ewido only picked up two additional problems. I'm not sure if the saved report will include the info on the earlier infections, so I am posting a copy of the Quarantined Items. I am seeing HuntBar in some of the items.
    I will post the SpySweeper results after running it.
    Thank you for hanging in there with me as I bumble my way thru this!
     

    Attached Files:

  45. agof78

    agof78 Private E-2

    Ran the SpySweeper in Normal, then Safe Mode. I'm attaching the reports.
    I'm very excited to say that I'm no longer getting the MSAS warning about HuntBar!
    BUT, my computer was extremely slow in booting. Was this due to both SpySweeper and Ewido running at startup? I have disabled both.

    I'm really impressed with the Ewido program and how it was able to find so many things missed in the other scans. Since both of these latest programs are Shareware, do you think they are worth buying, or should I just attack any problems as they pop up? I have three computers so the expense would be quite a lot.
     

    Attached Files:

  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Having all three spyware blockers (MS Antispyware, Ewido, and SpySweeper) all running at the same time will slow things down. I mentioned this in step 5 of How to Protect yourself from malware! You should look at this thread now too since it would seem that we are done. :)

    I like SpySweeper too. Had it been run before Ewido you may have seen it removing more than it listed. Both Ewido and SpySweeper are very good. So is Counter Spy. But only use one of them for long term solutions to avoid the slow down issue.

    If you want to avoid the expense, your best solution is to use the below:
    - MS Antispyware - does use significant resources but necessary for security
    - Spybot (without Teatimer) - uses minimal resources unless scanning
    - SpywareBlaster - no resources used
    - Ad-Aware SE - free version uses no resource unless scanning
     
  47. agof78

    agof78 Private E-2

    Thank you SO MUCH for all of your help! I am absolutely impressed with your knowledge and ability, not to mention patience!
    I also appreciate your software recommendations and plan to follow them.

    Becky
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. And thank you for the compliments. Surf safely!
     
