Need help! Got Trojans!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by GRWDAD, Nov 19, 2006.

  1. GRWDAD

    GRWDAD Private First Class

    Awesome site. I have followed the instructions you guys have laid out. So I will attach the files you request. I am on dial up. The way the problem started was my dial up box would pop up wanting to connect. If it connected, it seemed to load other viruses. Please help.
     

  2. GRWDAD

    GRWDAD Private First Class

    Also these files. Did the HJT not make it? I'll try again.
     

  3. GRWDAD

    GRWDAD Private First Class

    What's up with this HJT log?
     
  4. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    It is there, so don't sweat it, the guys will be with you asap.
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch

    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - (no file)
    O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\gebxust.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O20 - Winlogon Notify: gebxust - C:\WINDOWS\SYSTEM32\gebxust.dll
    O20 - Winlogon Notify: wineak32 - C:\WINDOWS\SYSTEM32\wineak32.dll

    O21 - SSODL: cussers - {ff170564-36c8-43f7-9100-559e166405cf} - (no file)

    Again, make sure ALL browser windows are closed when you click FIX.

    Next, run CCleaner to clean up cookies and temp files.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, REBOOT and proceed with the rest of this fix...

    Next Reset Web Settings & Default Security Settings

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK

    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    Note for IE 7 users:
    Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:

    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
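The entries above are picked by hand, but the reasoning behind the selection is mechanical enough to write down. The script below is an added example, not HijackThis, Pocket Killbox or any MajorGeeks tool: it parses HijackThis-style lines, grades each one the way the helpers in this thread do (orphaned "(no file)" entries are low-risk clean-up, a BHO or Winlogon Notify DLL that actually exists is the live infection, a proxy pointing at localhost means something resident is sitting in the browser's traffic path), and lists the DLLs that must be unloaded or scheduled for delete-on-reboot before any file deletion will stick. The sample log is constructed from lines quoted in this thread plus the QuickTime Run entry for contrast; severities and reasons are my own labels.

```python
"""Triage of HijackThis-style log lines.

Added example (not HijackThis, Pocket Killbox or any MajorGeeks tool):
encodes the reasoning used in this thread to pick lines to FIX and to
decide which DLLs must be unloaded before deletion.
"""
import re
from dataclasses import dataclass

# Constructed sample: entries quoted in the thread, plus one benign Run line.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\\WINDOWS\\system32\\gebxust.dll
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions present
O20 - Winlogon Notify: gebxust - C:\\WINDOWS\\SYSTEM32\\gebxust.dll
O20 - Winlogon Notify: wineak32 - wineak32.dll (file missing)
O21 - SSODL: cussers - {ff170564-36c8-43f7-9100-559e166405cf} - (no file)
"""


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O20"
    severity: str  # "high", "medium", "low" or "info" (my own scale)
    reason: str
    target: str    # file path, URL or value the entry points at ("" if none)
    line: str


_MISSING = ("(no file)", "(file missing)")
# Quoted paths may contain spaces; unquoted ones run to the next whitespace.
_WIN_PATH = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+)')


def _path_in(text: str) -> str:
    m = _WIN_PATH.search(text)
    return (m.group(1) or m.group(2)) if m else ""


def classify(line: str) -> Finding:
    section = line.split(" - ", 1)[0].strip()
    if any(m in line for m in _MISSING):
        # Registry still references the component but the file is gone:
        # harmless by itself, removed so nothing can re-arm it later.
        return Finding(section, "low", "orphaned entry: file no longer exists", "", line)
    value = line.split(" = ", 1)[1].strip() if " = " in line else ""
    path = _path_in(line)
    if section in ("R0", "R1"):
        if ",ProxyServer" in line:
            return Finding(section, "high",
                           "browser proxy redirected to a local listener; a resident "
                           "process can read or rewrite all web traffic", value, line)
        return Finding(section, "medium", "search/start page hijack", value, line)
    if section == "O2":
        return Finding(section, "high",
                       "unnamed BHO: DLL loaded into every Internet Explorer "
                       "and Explorer instance", path, line)
    if section == "O20":
        return Finding(section, "high",
                       "Winlogon Notify DLL: loaded into winlogon.exe at logon and "
                       "cannot be deleted while mapped", path, line)
    if section == "O21":
        return Finding(section, "medium",
                       "ShellServiceObjectDelayLoad: loaded by Explorer at shell start",
                       path, line)
    if section == "O6":
        return Finding(section, "medium",
                       "IE policy restrictions set: user locked out of the settings "
                       "that would undo the hijack", "", line)
    if section == "O4":
        return Finding(section, "info", "startup entry: review against known software",
                       path, line)
    return Finding(section, "info", "unclassified entry", path or value, line)


def triage(log_text: str) -> list:
    return [classify(l) for l in log_text.splitlines() if l.strip()]


def unload_before_delete(findings) -> list:
    """DLLs a live process holds mapped: kill their threads (Process Explorer)
    or schedule delete-on-reboot before expecting a deletion to succeed.
    Paths are case-folded because NTFS lookups are case-insensitive."""
    dlls = {f.target.lower() for f in findings
            if f.severity == "high" and f.target.lower().endswith(".dll")}
    return sorted(dlls)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.severity:6} {f.section:4} {f.reason}")
    print("unload first:", unload_before_delete(results))
```

Note that the two gebxust.dll lines (O2 and O20) collapse to one file: the BHO and the Winlogon Notify registration are two persistence hooks for the same DLL, which is why the later instructions kill it inside both winlogon.exe and explorer.exe before deleting it.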
  6. GRWDAD

    GRWDAD Private First Class

    Thanks for your help. I think I did everything as you asked. I will attach the new HJT log. The dialer pop-up is still popping up every few minutes. As I got online to reply to the post, AVG popped up with a virus warning in the temp internet files. As this has been the case, I clicked on "put it in the vault." I noticed on the new HJT log that the following lines were still present:

    O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\gebxust.dll
    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    I think I did everything right. Thank you again for the help. What can we do next?
     

  7. GRWDAD

    GRWDAD Private First Class

    Ran the BitDefender again as well. Will post. Looks like you got it down to the AGENT.HT. I think I had three before. Awesome job.
     

  8. GRWDAD

    GRWDAD Private First Class

    Also to mention that SpyBot S&D finds a ....SMITFRAUD TOOLBAR 888.... or something like that, every time it runs. I think this may be related to the AGENT.HT. But anyway, I click fix but it is always there again. I also have a ..Safety Alert 2006.. in my add/remove programs that I do not remember from before. Trying to give you all the stuff I can. Thanks again for the help. We're almost there!
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a couple of issues still remaining! One is a SmitFraud infection and the other is a form of Winlogonhook/Vundo. Let's fix the SmitFraud issue first.

    I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.



    After attaching these TWO versions of rapport.txt, move on to my next message. I will add some redundancy into my next steps to make sure we get everything.
     
    Last edited: Nov 20, 2006
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After completing the instructions in message # 9, continue with the below.


    Start by downloading another tool we will need

    - Process Explorer

    Extract it to its own folder somewhere that you will be able to locate it later.

    Now uninstall the below software:
    Java 2 Runtime Environment, SE v1.4.2
    Safety Alerter 2006

    Now Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of gebxust.dll once and then click the kill button. After you have killed all of the gebxust.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of gebxust.dll and kill it. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.


    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\Program Files\Common Files\{EC9A87FB-0958-1033-1202-030527030001}\Update.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\gebxust.dll
    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O20 - Winlogon Notify: gebxust - C:\WINDOWS\SYSTEM32\gebxust.dll
    O20 - Winlogon Notify: wineak32 - wineak32.dll (file missing)
    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\Common Files\{EC9A87FB-0958-1033-1202-030527030001}\Update.exe
    C:\WINDOWS\System32\cfltygd.dll
    C:\WINDOWS\System32\drvles.dll
    C:\WINDOWS\System32\gebxust.dll
    C:\WINDOWS\System32\wineak32.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete if found:
    C:\Program Files\Common Files\{EC9A87FB-0958-1033-1202-030527030001}


    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).

    C:\WINDOWS\Temp
    C:\Documents and Settings\Williams\Local Settings\TEMP

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
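The "Delete on Reboot" step above, and the "PendingFileRenameOperations prompt" it warns about, both rest on one Windows mechanism. A tool that wants to remove a file a running process holds open calls MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which appends a pair of strings to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager: the source as an NT path (\??\C:\...) followed by the destination, an empty destination meaning delete. Session Manager works through that list early in boot, before winlogon.exe has loaded any Notify DLL, so a DLL that cannot be deleted while mapped is gone before it can be loaded again. The code below is an added example, not Pocket Killbox's own code: it builds and parses the value bytes exactly as they sit in the registry, without touching a registry itself. The file list is the one quoted in this message; the reading of the prompt as "the value was already populated when Killbox went to write it" is my assumption.

```python
"""Build and parse PendingFileRenameOperations (REG_MULTI_SZ) data.

Added example, not Pocket Killbox's code.  Nothing here writes to the
registry; the functions only produce and read the value bytes.
"""
from typing import List, Optional, Tuple

PENDING_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"

# Constructed from the file list in this message.
FILES_TO_DELETE = [
    r"C:\Program Files\Common Files\{EC9A87FB-0958-1033-1202-030527030001}\Update.exe",
    r"C:\WINDOWS\System32\cfltygd.dll",
    r"C:\WINDOWS\System32\drvles.dll",
    r"C:\WINDOWS\System32\gebxust.dll",
    r"C:\WINDOWS\System32\wineak32.dll",
]


def nt_path(win32_path: str) -> str:
    """Session Manager expects object-manager paths: \\??\\C:\\dir\\file."""
    if win32_path.startswith("\\??\\"):
        return win32_path
    if len(win32_path) < 3 or win32_path[1:3] != ":\\":
        raise ValueError(f"absolute drive path required: {win32_path!r}")
    return "\\??\\" + win32_path


def encode_multi_sz(strings: List[str]) -> bytes:
    """REG_MULTI_SZ: each UTF-16LE string NUL-terminated, then one more NUL."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"


def decode_multi_sz(data: bytes) -> List[str]:
    """Inverse of encode_multi_sz; keeps empty strings inside the list,
    which matter here because an empty destination means 'delete'."""
    text = data.decode("utf-16-le")
    if text.endswith("\x00"):
        text = text[:-1]          # list terminator
    parts = text.split("\x00")
    if parts and parts[-1] == "":
        parts.pop()               # terminator of the final string
    return parts


def encode_pending(ops: List[Tuple[str, Optional[str]]], existing: bytes = b"") -> bytes:
    """Append (source, destination) pairs; destination None means delete.
    Existing entries are preserved, as MoveFileEx appends rather than replaces."""
    entries = decode_multi_sz(existing) if existing else []
    if len(entries) % 2:
        raise ValueError("existing value is not a list of pairs")
    for src, dst in ops:
        entries.append(nt_path(src))
        entries.append("" if dst is None else nt_path(dst))
    return encode_multi_sz(entries)


def decode_pending(data: bytes) -> List[Tuple[str, Optional[str]]]:
    entries = decode_multi_sz(data)
    if len(entries) % 2:
        raise ValueError("odd number of strings: value is corrupt")
    return [(src, None if dst == "" else dst)
            for src, dst in zip(entries[::2], entries[1::2])]


def already_pending(data: bytes) -> bool:
    """True when something (an earlier tool, an installer, or malware
    re-arming itself) has already queued operations for the next boot.
    Assumed here to be the condition behind the prompt mentioned above;
    read the existing entries before clicking through it."""
    return len(decode_multi_sz(data)) > 0


if __name__ == "__main__":
    blob = encode_pending([(p, None) for p in FILES_TO_DELETE])
    for src, dst in decode_pending(blob):
        print(f"{src}  ->  {'<delete>' if dst is None else dst}")
```

On a live XP machine the same bytes can be read back with `reg query` on the Session Manager key, and an odd number of strings or an entry whose source is not under \??\ is worth a second look before rebooting.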
  11. GRWDAD

    GRWDAD Private First Class

    How do you guys know all this stuff? You are amazing. I am at work, so it will be tonight sometime before I get to do all this. But I will post ASAP. Thanks again for all this help.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Many of us have used PCs for a long time and we spend a lot of time fixing PCs and malware problems. Experience is a great thing. ;)
     
  13. GRWDAD

    GRWDAD Private First Class

    OK, instructions were great if I hadn't missed the "reboot in normal mode" at the end of step two. Man, I was having some issues. But after I saw that, things were great. I will attach the logs for you to see. Step #1 log will be rapport1 and step #2 will be rapport2. I am about to go to bed. But the pop-up dialer did not appear the short time I was in normal mode before connecting to write back here. I will leave it up tonight, with the cable unplugged, to see if it occurs overnight. Things seem to be running fast already though. Thank you so much for your help!
     

  14. GRWDAD

    GRWDAD Private First Class

    And here are the other files.
     

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not extract all the files from GetRunKey.zip into a folder of its own. It is not running properly because of this. As an alternative you can just move GetRunKey.bat to the C:\ShowNew\ folder where all the necessary files already exist since you did extract ShowNew.zip properly.

    Based on what I see thus far, I would say you are clean now.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    4. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    7. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  16. GRWDAD

    GRWDAD Private First Class

    OK, I moved it to the ShowNEw folder and this is what it gave me.
     

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now it ran correctly! You are still clean! I assume everything is working okay and that you have or you are in the process of completing what I gave you in message # 15.
     
  18. GRWDAD

    GRWDAD Private First Class

    Yes, I did those steps already. Thank you so much for your help. I use the firewall that comes with XP; should I use another like the ZoneAlarm, I think it is? I use AVG for virus protection, Spybot S&D, Adware SE, XoftSpy, and SpyBlaster I think it is. AVG did pop up warning me and I think I must have pressed "IGNORE." This is the first time that I am aware of that I have had an infection like this since I started computing in the early 90's. I never realized how much trouble a virus can be to remove from your system. But once again, thank you very much and my kids thank you very much. I hope you have a good and Happy Thanksgiving!
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then you did not catch an important part of step 3 in that link. The Windows firewall does not provide adequate protection. So in short, yes, you need to use a different firewall like ZoneAlarm.

    And you do the same! :) And surf safely too! ;)
     
  20. GRWDAD

    GRWDAD Private First Class

    Thank you guys again for all the help. Even though I only get 24k on dial up, my internet speed even seems faster to me and still clean on every scan! Since all this cleaning with the trojans I had, my Jasc PhotoShop has stopped functioning. We use this exclusively from scanning pix to downloading from digital cameras. We have like 1000 pix of the kids. Anyway, I had trouble with Quicktime once before and when I would open PhotoShop it would pop up saying update or something was wrong, but everything still worked and I finally got the Quicktime issue corrected a year or so ago. My question is, in the first set of instructions, you had me remove this:
    "O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime "

    I was wondering if this might be the reason PhotoShop stopped working? Since I know it is somehow tied to Quicktime. My question is how can I re-insert this to see if it corrects my PhotoShop issue. I did try tying Quicktime to the startup list but it didn't re-insert this line. I cannot reinstall the software because of SP2 and I purchased the add-on package online years ago. I tried already and it said it wasn't the same as the OEM. Anyway, just wondering about this before I apply an old image I have. Thanks for any help.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The qttask.exe process is not a process that is normally required to load at startup and we remove it to avoid wasting System Resources. Every application that typically requires QuickTime will normally cause this process to start up anyway. And when you shut down the application (like a picture viewing program) you will notice that the QuickTime icon in the tray does not shut down (another annoying design feature - when the program is not in use, it is not required and should be shut down). QuickTime is not usually required just to view pictures. It is used for animations/movies like .MOV files, etc.

    You can get that line back into your HJT log by running HJT and selecting Open Misc Tools section and then select Backups. In the Backup list you should be able to find this and put a check next to it and then click Restore on the right side of the screen.
     