Trojans problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by Moontalker, Jun 27, 2008.

  1. Moontalker

    Moontalker Private E-2

    Hi there!
    First of all thanks for your help!

    Started having problems with my computer on Thursday morning. When I turned the cpu on, Windows wanted to do a consistency check during the boot. It was saying I am under NTFS. Now I thought I was under FAT32.
    During the check, it managed to go through the first step OK but during the index check it got stuck. I turned the cpu off and on and skipped the check.
    For what I could see the cpu worked fine.
    When I came back from work, I turned the cpu on again, and again it asked for a consistency check. Skipped it again. This time problems started to appear. I couldn't start MSN Messenger. I found out my clock was changed to year 2000.
    F-Secure found some virus threats but I couldn't quarantine them. It was W32/Malware and W32/Suspicious U.gen.
    BHO found a malware but I couldn't undo it. It was CoolWebSearch stuff.
    I surfed a bit and saw some site recommending to run MBAM so I did, and it found a few trojans including Trojan.DNSChanger that it couldn't remove without rebooting. So I restarted and malware showed up on BHO. DNSChanger was still there.
    Some files started being corrupted. Some software too, including BHO and Spybot.
    I downloaded ATF Cleaner and ran it. After it ran once it became infected and I couldn't rerun it again. MBAM became corrupted as well.
    Went to my Local Settings to manually delete temp files and I found one I couldn't undo, 2.exe. I started trying to uninstall all software I didn't really need, to save some time during my scans. When I rebooted, I went straight to Local Settings to see if I could delete 2.exe. When I went there, there was now another file, 3.exe, and as the cpu was starting all processes became 4.exe, 5, 6, .....
    I also tried to uninstall Spybot, BHO and MBAM.

    I kept looking online and found your website.
    I read your tutorial and started cleaning up my cpu. There are some files in my temp folders and Recycle Bin that I can't delete.
    When I tried to reinstall Spybot it didn't work.
    I managed to install MBAM and run it, but when it tries to remove the infected items it freezes and gives an error message. So I included the last log recorded in it, from 06/25/08.
    I ran ComboFix and when my cpu rebooted, when Windows opened it said cf31016.exe corrupt. It still managed to create a log though.
    MGtools ran properly.

    And here I am now. Sorry if there is some irrelevant info there, but I'm not sure what is a cause and what is a consequence of the problems, so I wrote everything I noticed.

    Here are the logs.
    Thanks again!
     

    Attached Files:

  2. Moontalker

    Moontalker Private E-2

    and the last log
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    I'm not sure where you are surfing at or what/where you are downloading from, but you need to be more selective. It would be a very good idea for you to uninstall the torrent downloader and any other P2P type programs you may be using since they are more than likely at the heart of your problems.

    You are very, very badly infected. In fact you have the amount and kind of infections where you may really be better off deleting your partition and reinstalling from scratch, especially if this PC is used for anything financial related. Many of the system files on your PC may be infected and untrustworthy. They may also not be cleanable and the act of repairing could possibly make your PC unbootable. If you have important data on this PC you should back up first, but be careful what you back up because many things may be infected. I will give you a starting fix, but please consider what I have said.

    Here is a starting fix.

    Uninstall the below old versions of software:
    Java 2 Runtime Environment, SE v1.4.2_03

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: ozfyebyt.dll - {5A069845-2036-6084-9054-6087502480A5} - C:\WINDOWS\system32\ozfyebyt.dll
    O2 - BHO: apsggjba.dll - {7FD45A54-9875-698F-E56E-65102358FDF7} - C:\WINDOWS\system32\apsggjba.dll
    O2 - BHO: (no name) - {80AF1289-F140-A140-D012-C1458759FC08} - C:\WINDOWS\system32\ypcqghlp.dll
    O2 - BHO: yzztkmsn.dll - {B490415F-65F8-B5C5-D8BA-9405FB12054B} - C:\WINDOWS\system32\yzztkmsn.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
    O4 - HKLM\..\RunOnce: [svc] C:\DOCUME~1\User\LOCALS~1\Temp\2.exe
    O20 - AppInit_DLLs: yzztkmsn.dll womsoy.dll mymusi.dll qflxs.dll hellodon.dll popsspa.dll yitalle.dll toolbo.dll webliso.dll wolko.dll

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
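    The fix above hand-picks HijackThis lines by eye. As an added example (not part of the thread, and not HijackThis or MGtools code), here is a small Python triage that applies the same reasoning to log lines of that format: a BHO with no descriptive name, an autorun pointing at a Temp folder or at a numbered executable like 2.exe, and a non-empty AppInit_DLLs value. The sample lines are the entries quoted above; the heuristics are assumptions of this example, meant to shortlist entries for a human, not to replace the analyst.

```python
import re
# Constructed sample: the HijackThis entries quoted in the fix above, plus one ordinary autorun for contrast.
SAMPLE_LOG = """\
O2 - BHO: ozfyebyt.dll - {5A069845-2036-6084-9054-6087502480A5} - C:\\WINDOWS\\system32\\ozfyebyt.dll
O2 - BHO: (no name) - {80AF1289-F140-A140-D012-C1458759FC08} - C:\\WINDOWS\\system32\\ypcqghlp.dll
O4 - HKLM\\..\\Run: [TkBellExe] "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe" -osboot
O4 - HKLM\\..\\RunOnce: [svc] C:\\DOCUME~1\\User\\LOCALS~1\\Temp\\2.exe
O20 - AppInit_DLLs: yzztkmsn.dll womsoy.dll mymusi.dll qflxs.dll hellodon.dll popsspa.dll yitalle.dll toolbo.dll webliso.dll wolko.dll
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(.*?)\] (.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: ?(.*)$")
# Heuristics for O4 autoruns (assumptions of this example, not HijackThis rules).
RUN_FLAGS = [(r"\\temp\\", "autorun from a Temp folder"),
             (r"\\\d+\.exe\b", "numeric executable name like 2.exe")]

def check_bho(body):
    # A legitimate BHO carries a descriptive name; "(no name)" or a bare DLL file name is suspect.
    m = BHO_RE.match(body)
    if not m:
        return None
    name, dll = m.group(1), m.group(2).rsplit("\\", 1)[-1]
    suspect = name == "(no name)" or name.lower() == dll.lower()
    return "BHO has no descriptive name (%s)" % dll if suspect else None

def check_run(body):
    # Flag autoruns whose command (group 2) matches any RUN_FLAGS pattern.
    m = RUN_RE.match(body)
    if not m:
        return None
    reasons = [text for pat, text in RUN_FLAGS if re.search(pat, m.group(2), re.I)]
    return "; ".join(reasons) or None

def check_appinit(body):
    # AppInit_DLLs is loaded into every process that maps user32.dll and is normally empty.
    m = APPINIT_RE.match(body)
    dlls = m.group(1).split() if m else []
    return "AppInit_DLLs loads %d DLL(s) into every process" % len(dlls) if dlls else None

CHECKS = {"O2": check_bho, "O4": check_run, "O20": check_appinit}

def triage(log_text):
    """Return suspicious entries as dicts with section, reason and the original line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        reason = CHECKS.get(m.group(1), lambda body: None)(m.group(2))
        if reason:
            hits.append({"section": m.group(1), "reason": reason, "line": line})
    return hits
```

Running `triage(SAMPLE_LOG)` shortlists the two BHOs, the RunOnce entry in Temp and the AppInit_DLLs line, and leaves the RealPlayer scheduler alone.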
     
  4. Moontalker

    Moontalker Private E-2

    Hey Chaslang!

    Thanks for your help!
    So I followed the steps you advised.

    When doing the HJT scan, these lines you gave me didn't show up, so I couldn't select them:
    O2 - BHO: ozfyebyt.dll - {5A069845-2036-6084-9054-6087502480A5} - C:\WINDOWS\system32\ozfyebyt.dll
    O2 - BHO: apsggjba.dll - {7FD45A54-9875-698F-E56E-65102358FDF7} - C:\WINDOWS\system32\apsggjba.dll
    O2 - BHO: (no name) - {80AF1289-F140-A140-D012-C1458759FC08} - C:\WINDOWS\system32\ypcqghlp.dll
    O4 - HKLM\..\RunOnce: [svc] C:\DOCUME~1\User\LOCALS~1\Temp\2.exe

    When I ran ComboFix, once again when it rebooted it gave me a corrupt error.
    It still managed to reboot and finish the log.

    The fixme.reg was successful.
    The CCleaner and MGtools runs went fine too.

    After that I rebooted, and windows still wanted to do a consistency check.
    As well, F-Secure found 2 viruses it tried to but couldn't get rid of. First W32/Suspicious U.gen, then Trojan.Win32.Agent.sav. It also gave me this warning:
    Malicious code found in file C:\WINDOWS\system32\apsggjba.dll.
    Infection: Trojan-PSW.Win32.OnLineGames.rxpu
    Action: The file was renamed.

    However I didn't get the flurry of corrupt file warnings that I usually get.

    One other thing I forgot to mention before: F-Secure, when starting, gives me all those news items about viruses and trojans, something that I never got before being infected.

    Finally here are the logs.
    Thanks for the time you are taking reviewing this!
    Have a good day.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may be having hard disk problems.

    Click Start, Run and type in cmd and click OK. This will open a Command Prompt window.
    Type in chkntfs C: and then hit the enter key.
    This will tell you if the dirty bit is set ("C: is dirty")

    If not dirty, you will see something like the below:
    If it is dirty, type in chkntfs /x C: at the command prompt and this should prevent chkdsk from scanning drive C: at startup.

    You can read more about Dirty Volumes in the below link:

    http://technet2.microsoft.com/windowsserver/en/library/577908b1-db9b-401e-ba41-988b16b453001033.mspx?mfr=true


    Is this still being detected after another reboot?
     
  6. Moontalker

    Moontalker Private E-2

    Thanks for the hint; for the consistency check, it's not doing it anymore. I tried to do it in Windows and it actually went through all steps and said it fixed the problems. But I still get the same error message and corrupted files.
    I have had LOTS of trouble with my HDD on my laptop (it's an HP Pavilion zv5000). I have changed the hard drive every other year (on warranty), always in the summer around the same time ... now! I don't know why. Any ideas? I think it might be time to buy a new cpu actually. I would still like to try to salvage that one if possible though.

    As for the virus check, here is what I found after reboot. No matter how I try, I can't get rid of it. It's as if SAS, MBAM and F-Secure don't really get rid of them when they say they cleared the problem.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try posting in the Hardware Forum. This is not a topic for the Malware Removal forum.


    I believe we already removed most if not all of this in my fix in message #3. Show me the results of new scans that are still detecting problems. The log you attached was old.
     
  8. Moontalker

    Moontalker Private E-2

    Here are the SAS and MBAM logs.
    I ran C:\MGtools\GetLogs.bat too but it couldn't create a log as zip.exe is now corrupted... :S
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now we need to use ComboFix again.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\User\Local Settings\Temp

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!


    Now download and run MGtools.exe again.


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
     
    Last edited: Jul 1, 2008
  10. Moontalker

    Moontalker Private E-2

    Followed your instructions. ComboFix ran OK. fixme.reg was successful.
    However I couldn't delete the files in C:\Windows\Temp and in Documents & Settings. They are corrupted and unreadable. I made a file with the list of files there. Also I redownloaded MGtools but I got the same zip error message as before, so it completed its job but the .zip file didn't get updated from 062808.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like in addition to malware that you have some physical problems within your file system or with your hard disk. We will not be able to solve any physical problems in this forum and they are getting in the way of malware removal. Let's try to continue in spite of them.

    First I want to see how many copies of the zip.exe file are on your PC.

    • Download the attached Findit.zip file (see the bottom of this message) to c:\
    • Then extract the Findit.bat file from it into this folder so that you have C:\Findit.bat
    • Then double click on the Findit.bat file and it will search all of your hard disk for copies of zip.exe. This will take awhile so just be patient.
    • When it finishes running, the command prompt window will close and the file C:\report.txt will exist. Attach this file here.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!


    Then attach the below log:
    • C:\ComboFix.txt
     

    Attached Files:
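    Findit.bat above only lists where copies of zip.exe live. As an added example (not part of the thread and not MGtools' own script), the Python below does the same hunt but also records each copy's size, SHA-256 and whether it still begins with the MZ executable header, so a copy that has gone "corrupted and unreadable" like the one reported above stands out from the intact ones. The file name, the demo directory tree and the stub file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile

TARGET = "zip.exe"  # the MGtools helper reported as corrupted in this thread

def inspect_file(path):
    """Size, SHA-256 and whether the file still starts with the 'MZ' executable header."""
    with open(path, "rb") as f:
        data = f.read()
    return {"path": path, "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "pe_magic": data[:2] == b"MZ"}

def find_copies(root, name=TARGET):
    """Walk root and report every file called name (case-insensitive, as on NTFS/FAT)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() != name.lower():
                continue
            path = os.path.join(dirpath, fn)
            try:
                found.append(inspect_file(path))
            except OSError as exc:  # unreadable sectors surface here instead of aborting the walk
                found.append({"path": path, "error": str(exc)})
    return sorted(found, key=lambda r: r["path"])

def group_by_hash(report):
    """Group copies by SHA-256 (unreadable ones under 'unreadable') so odd copies stand out."""
    groups = {}
    for r in report:
        groups.setdefault(r.get("sha256", "unreadable"), []).append(r["path"])
    return groups

def demo():
    """Constructed sample tree: one intact copy in MGtools and one damaged copy in WINDOWS\\Temp."""
    base = tempfile.mkdtemp()
    good_dir = os.path.join(base, "MGtools")
    bad_dir = os.path.join(base, "WINDOWS", "Temp")
    os.makedirs(good_dir)
    os.makedirs(bad_dir)
    with open(os.path.join(good_dir, "zip.exe"), "wb") as f:
        f.write(b"MZ" + b"\x90" * 62 + b"PE\0\0" + b"\0" * 100)  # minimal MZ/PE-looking stub
    with open(os.path.join(bad_dir, "zip.exe"), "wb") as f:
        f.write(b"\0" * 168)  # same size, header wiped: what a corrupt copy looks like
    return find_copies(base)

if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

On a real machine call `find_copies("C:\\")` and compare the groups: copies sharing the hash of a known-good MGtools download are fine, anything else is the one to replace.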

  12. Moontalker

    Moontalker Private E-2

    New reports coming. fixme.reg worked fine.
    Internet seems to run smoother now. Before it was a bit slow and jerking when scrolling down.
    How does it look now?
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are still badly infected. We need to try and get MGtools to work so we can find other problems. The below fix may correct the problem with the zip.exe file. But let's also try a fix with a different tool.



    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Copy the bold text below to notepad. Save it as fixREG.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Jul 6, 2008
