Cannot delete xxywutt Trojan Virus???

Discussion in 'Malware Help (A Specialist Will Reply)' started by kourvoisier, Oct 22, 2007.

  1. kourvoisier

    kourvoisier Private E-2

    I have run Panda scan, Ad-Aware, Spybot, Symantec antivirus, removed all weird-looking DLLs, removed suspicious programs from Add/Remove Programs, plus many more. I cannot delete the DLL xxywutt in my System32 directory. I know this is related to my malware problems. Internet Explorer is very slow with a lot of pop-ups.

    I downloaded HijackThis and now have a log file; please take a look. I have attached the log file.

    If I posted this in the wrong forum, please let me know where to post.

    Thanks in advance!

    kOURVOISIER
     


  2. abri

    abri MajorGeek

    Hi kourvoisier!
    Welcome to Major Geeks. Please run the following scan and then follow the instructions in the box below. You do not need to run Panda again. Just post the Panda log (activescan.txt) with your other logs.

    Run this utility:
    After you've run Combofix, please follow the instructions and links in the box below!

     
  3. kourvoisier

    kourvoisier Private E-2

    I was unable to post the Panda log as I kept getting a script error during scanning.
    Also, I booted up into Safe Mode and ran Spybot; it found no immediate threats. I then browsed to the directory System32 and there again sits xxywutt.dll, and it still won't let me delete it. The pop-ups seem to have slowed down a bit, but I'm still kind of suspect because of that DLL. Here are the logs.

    See next reply for additional 4th attachment.

    Thanks again.
    Kourvoisier
     


  4. kourvoisier

    kourvoisier Private E-2

    Additional attachment please view.

    Thanks
    Kourvoisier!
     


  5. abri

    abri MajorGeek

    Hi kourvoisier!
    Your computer is still infected and it will help if you don't use it much until I can get the next instructions to you. There are a number of files which will need to be deleted, but it takes a while to find them, so thanks for your patience. I'm not as familiar with your operating system as with XP. Do you not use Java?
    abri
     
  6. abri

    abri MajorGeek

    Just another small note to add to my last post. Please turn off Teatimer in Spybot, as it will prevent us from fixing your computer. Double-click on the program to open it and go to Mode (at the top) and set it to Advanced. Then look at the left side of the screen towards the bottom and click on Tools. A red and white shield called Resident should appear on the left side. Click on that, then in the middle of the page you'll see Teatimer. Make sure it is unchecked.

    Also, there are some infections now which evade detection by hijackthis if it is named hijackthis.exe. Therefore we ask you to rename this to analyse.exe. Please go to the C:\ProgramFiles\HijackThis folder and open it. Right click on hijackthis.exe and select rename. Then type in analyse.exe and click somewhere outside of the name. After that, please rerun it again and post the new log which will still be called hijackthis.log.

    Also, please see if you can make all of your hidden files visible. You should be able to get to this through Windows Explorer, Tools, Folder Options and View. Under View, check through the whole list and make sure anything which hides or reveals files and their extensions is set in such a way as to make them visible. Sometimes they are worded backwards so some of these have to be checked while others have to be unchecked. Two of yours are still showing as hidden.

    Thanks.
    abri
     
  7. abri

    abri MajorGeek

    And here is a third post with questions:

    Do you know what any of the following are?
    If you don't know what this folder is C:\Documents and Settings\lagalaviz please check the contents and let us know what's in it. Do not open any of the files.

    If you do not know what this file is: C:\znodestorefront.bak please upload it to VirusTotal or jotti. There is a small window with a button next to it for you to search for the file on your computer. Once you find it, click on submit and wait for the results. Please post the results to us.

    Thanks.
    abri
     
  8. kourvoisier

    kourvoisier Private E-2

    OK, thanks. No, I do not have Java installed on my server due to environment restrictions.

    Thanks
     
  9. abri

    abri MajorGeek

    Sorry, my posts came one after the other, so you may not have seen them. Please check my posts numbers 6 and 7.
    Thanks
    abri
     
  10. kourvoisier

    kourvoisier Private E-2

    OK, I have turned off Teatimer, renamed HijackThis to analyse, and made sure all files are not hidden. Also:

    The registry value corp.sorvive.com is the domain this computer is registered to.

    lagalaviz is a user account that was logged onto this computer.

    znodestorefront has been deleted; this was an old file of mine.

    I have attached the new HijackThis log.

    Thanks

    Kourvoisier
     


  11. abri

    abri MajorGeek

    All the files showed up after you changed the name!
    Teatimer still shows as being active. Please see if it is really unchecked.
    I need to rest. Back in some hours.
    abri
     
  12. abri

    abri MajorGeek

    Hi kourvoisier!
    Before you do the following, Teatimer needs to be turned off. If you have problems getting it turned off, please post to me before you continue with the instructions below. Resident Teatimer has to be unchecked. Resident SD Helper can remain with a checkmark. Make sure you click first on tools, then on the red and white shield on the LEFT side of the screen (not in the extensive list in the middle) and then you will see the two above options in the middle of the page. Only these two will be listed, Teatimer and SD Helper. There are two places where the red and white shield appears and you may have unchecked the shield in the middle column rather than clicking on the red and white shield on the left side. If you cannot get Teatimer turned off (it's appearing in HijackThis and you can search for Teatimer in the log yourself), then you will have to uninstall Spybot altogether via add/remove programs. Once it's turned off, please do the following:

    1) Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    2) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    3) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    4) After you have completed ALL of the above in the correct order, please attach the following logs.
    • Avenger Log
    • ShowNew Log
    • GetRunKey Log
    • HijackThis Log


    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    abri
     
  13. kourvoisier

    kourvoisier Private E-2

    OK, nothing worked.

    I turned off Teatimer because it was checked when I opened the app up. I unchecked it, closed the app, reopened the app and it was still unchecked, so that should be good.

    I then ran HijackThis, clicked the Fix checked button and it did not delete any of the files that you said to check.

    Also, I downloaded Avenger and it says it doesn't support my operating system. I am running Windows Server 2003.

    I will reattach my HijackThis log.

    let me know how to proceed.

    Thanks
     


  14. abri

    abri MajorGeek

    Hi Kourvoisier,
    Yes. As long as Teatimer is running, it will block the fixes. Therefore you may have to simply go to add/remove programs and remove Spybot. We can reinstall it later.
    Try that and then see if the hijackthis fixes work.
    You're probably right about Avenger, weep weep. I forgot about that. That means we'll have to do something else. I'll get back to you in a bit.

    abri
     
  15. kourvoisier

    kourvoisier Private E-2

    Abri, OK, I have uninstalled Spybot and tried deleting those files through HijackThis once again with no success.


    The system does appear to be getting worse since the removal of Spybot.

    Let me know what to do next.

    Thanks for your help in this.

    Kourvoisier
     
  16. abri

    abri MajorGeek

    Hi Kourvoisier,
    I've put together a fix based on your operating system, but I need to have it checked, because I've pretty much only worked with XP. I hope there will be someone to look at it in about 45 minutes. I appreciate your waiting.
    abri
     
  17. kourvoisier

    kourvoisier Private E-2

    Waiting patiently, thanks.
     
  18. abri

    abri MajorGeek

    Hi Kourvoisier,

    Let's start the malware removal by downloading two tools we will need:

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.

    C:\WINDOWS\system32\awtqn.dll
    C:\WINDOWS\system32\xxywutt.dll

    After you have killed all instances of any of the above DLLs under winlogon click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.

    C:\WINDOWS\system32\awtqn.dll
    C:\WINDOWS\system32\xxywutt.dll

    After you have killed all instances of any of the above DLLs under Explorer click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.


    Now just exit Process Explorer.

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {232D2677-68EE-4FA1-B988-279EBC8969ED} - C:\WINDOWS\system32\xxywutt.dll
    O2 - BHO: (no name) - {48C9639F-2442-4687-8622-8679EFB6FE4A} - C:\WINDOWS\system32\awtqn.dll
    O20 - Winlogon Notify: xxywutt - C:\WINDOWS\SYSTEM32\xxywutt.dll

    Make sure you've exited all browsers! Click Fix and exit HJT.


    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    Now back on Killbox's main window, paste the below filenames into Killbox one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.
    If Killbox does not reboot or if you get a Pending Operations type error message just click OK to continue and then just reboot your PC yourself.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp

    Now attach a new HJT log and tell me how the steps went.

    Also attach a new log from ShowNew and a new log from GetRunKey.

    Make sure you tell me how things are working now!

    Now please reconnect to the internet.

    Please run CCleaner.


    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
  19. kourvoisier

    kourvoisier Private E-2

    No luck, I don't believe it removed the files at all.

    Here are the logs... :cry
     


  20. abri

    abri MajorGeek

    It got two out of HijackThis, so do not despair just yet. We have to adjust our thinking to Windows Server 2003 ...
    :)
    abri
     
    Last edited: Oct 23, 2007
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    ???? Nothing changed in HJT.


    When you run Process Explorer, are you finding those two DLLs (xxywutt.dll and awtqn.dll) listed under the processes that Abri asked you to look at? If so, were you able to kill them, and did you check to make sure that there weren't multiple instances of them under each process? It is critical that both of these DLLs be killed off under the given processes. If this is not done, the HijackThis fix and the deletion of the files will not work.


    Please also see if you can get the below procedure to run:

    Using MGtools

    If you do, then attach the C:\MGlogs.zip file that will be created.
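    To show what posts 18 and 21 are checking by hand, here is an added example that is not from the thread or from any tool it names: a PowerShell script that reports which running processes currently have the named DLLs mapped, and whether those DLLs are registered under the O2 (Browser Helper Object) and O20 (Winlogon Notify) registry locations that the HijackThis lines above correspond to. It assumes modern PowerShell run as Administrator (a 2007 Server 2003 box would need PowerShell 1.0 installed), and it only reports; it does not kill threads or delete files.

```powershell
# Added example, not from the thread or from any tool named in it.
# Automates the three checks posts 18 and 21 describe for a suspect DLL:
# is it mapped into a running process (winlogon.exe, explorer.exe, ...),
# is it registered as an O2 Browser Helper Object, and is it registered
# as an O20 Winlogon Notify package. Assumes modern PowerShell run as
# Administrator; it only reports and changes nothing.
param(
    # DLL names from the thread; others can be passed as -SuspectDlls a.dll,b.dll
    [string[]]$SuspectDlls = @('xxywutt.dll', 'awtqn.dll')
)

function Find-LoadedSuspectDll {
    # A file mapped into a live process cannot be deleted, which is why a
    # plain Delete and the HijackThis Fix both fail until the mapping is gone.
    foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
        try { $mods = $p.Modules } catch { continue }   # access denied on protected processes
        foreach ($m in $mods) {
            if ($SuspectDlls -contains $m.ModuleName) {
                [pscustomobject]@{ Where = 'Process'; Name = "$($p.ProcessName) (PID $($p.Id))"; Path = $m.FileName }
            }
        }
    }
}

function Find-SuspectPersistence {
    # O2 (BHO): each CLSID under this key resolves to a DLL through the
    # default value of HKCR\CLSID\{id}\InprocServer32.
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($k in Get-ChildItem $bho -ErrorAction SilentlyContinue) {
        $srv = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$($k.PSChildName)\InprocServer32" -ErrorAction SilentlyContinue
        $dll = $srv.'(default)'
        if ($dll -and ($SuspectDlls | Where-Object { $dll -like "*$_" })) {
            [pscustomobject]@{ Where = 'O2 BHO'; Name = $k.PSChildName; Path = $dll }
        }
    }
    # O20 (Winlogon Notify, XP/2003 era): DLLName under each subkey is loaded
    # into winlogon.exe at every logon, which re-maps the file after each reboot.
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    foreach ($k in Get-ChildItem $notify -ErrorAction SilentlyContinue) {
        $dll = (Get-ItemProperty $k.PSPath -ErrorAction SilentlyContinue).DLLName
        if ($dll -and ($SuspectDlls | Where-Object { $dll -like "*$_" })) {
            [pscustomobject]@{ Where = 'O20 Winlogon Notify'; Name = $k.PSChildName; Path = $dll }
        }
    }
}

Find-LoadedSuspectDll
Find-SuspectPersistence
```

    An empty result from the first function while the second still lists entries means the file is no longer locked but will be reloaded at the next logon, which matches the "new files generated after reboot" pattern abri describes later in the thread.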
     
  22. kourvoisier

    kourvoisier Private E-2

    Sorry, I didn't follow directions all the way through the first time.
    My system seems to be running extremely well!!!

    Thanks a lot for your assistance.

    View logs for assurance, thanks.

    Kourvoisier
     


  23. abri

    abri MajorGeek

    Hi Kourvoisier!
    The newfiles.txt log shows a lot of new files being generated a bit faster than we're getting them out. For the moment, please don't reboot until we can find a more permanent solution. Thanks. (At least we know we're going the right direction.)
    abri
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to do what I requested in message # 21 and then attach the MGlogs.zip file. This log will give us some additional useful information and it also will use newer versions of GetRunKey, ShowNew, and HijackThis to automatically create logs and put them into the MGlogs.zip file for easy attachment.
     
  25. abri

    abri MajorGeek

    Hi Kourvoisier!
    I wanted to add a note to Chaslang's message. The MGTools he gave you the link for in post 21 include a scan which we didn't have before. As the viruses are using the same mechanisms they used before, but applying them to new areas of the computer, we have to have newer tools to keep up. This is the reason for Chaslang's request. A zip file containing all the logs is produced in the process of running the MGTools.exe and you then only have the one zip file to upload to us.
    abri
     
