Help Please! Trojan.Adclicker

Doug, start here please:

http://forums.majorgeeks.com/showthread.php?t=35407

 

Before we get started, I have to ask why you would allow an account to change the settings on your PC. Accountants are not PC security experts! If he was accessing your PC remotely to perform financial related procedures on your PC, this could even be classified as being irresponsible. You security (especially financial) is at risk when this was done.

Second question, did you, or did your account install TightVNC on your PC. It is not malware, but could be used for malware type purposes and if used, must be properly password protected (and I would not keep it the same as what you may have setup for your account to use if it was used by him/her).

You did not attach the properly log from GetRunKey. As stated in the READ ME, the correct log and the only one from it that we want is named c:\runkeys.txt. You must also wait for GetRunKey to finish running and for the notepad file to pop up with the log in it before doing anything else. Then you should close the notepad window before running ShowNew (this is also stated in the READ ME). If you don't do this, all of the temporary files will show in the ShowNew log. At the end of the below procedure, I will ask for a new log from GetRunKey. Make sure to allow it to run to completion next time and do not run ShowNew while GetRunKey is still running.


Trojan Adclicker is the least of your problems! You have a serious case of Virtumonde and Winlogonhook that will will be working on.

Please run CounterSpy again and this time make sure you allow it to fix the iMesh malware that was found. Last time you Ignored it.


Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 9

Make sure you reboot after uninstalling the above!

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


Continue by downloading two tools we will need

- Process Explorer

- Pocket KillBox

Extract them to their own folder somewhere that you will be able to locate them later.

Make sure you have rebooted in Normal Mode (do not open any other processes)
Also make sure that one and only one Internet Explorer browser is opened up

- Run Process Explorer

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of byxutss.dll once and then click the kill button. After you have killed all of the byxutss.dll under winlogon click ok. (If you do not find the dll, just continue on.)

Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
ddayw.dll

Next double click on explorer.exe and again click once on each instance of byxutss.dll and kill it. (If you do not find the dll, just continue on.)

Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
ddayw.dll

Next double click on iexplore.exe and again click once on each instance of byxutss.dll and kill it. (If you do not find the dll, just continue on.)

Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
ddayw.dll

Now just exit Process Explorer.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\ctaddohl.dll
O2 - BHO: (no name) - {1E57F60C-8543-4373-8CDE-F99EE48A39EE} - C:\WINDOWS\system32\ddayw.dll
O2 - BHO: (no name) - {A2A61D92-555E-4E4D-A877-DE105D95AB90} - C:\WINDOWS\system32\byxutss.dll
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\igqseyte.dll",setvm
O20 - Winlogon Notify: byxutss - C:\WINDOWS\SYSTEM32\byxutss.dll
O20 - Winlogon Notify: ddayw - C:\WINDOWS\system32\ddayw.dll
O23 - Service: Client IP-IPX - Unknown owner - ".exe (file missing)
After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now run Pocket Killbox by doubleclicking on killbox.exe

• select File, Cleanup, Delete All Backups
• Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
• Then after it deletes the files click the Exit (Save Settings) button.

NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

• Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Program Files\Common Files\{3CBEE2BC-063A-1033-0314-020311260002}\UnInstall.exe
c:\program files\saap.log
C:\WINDOWS\Luxury Liner Tycoon Uninstaller.exe
C:\WINDOWS\s4Setp.exe
C:\WINDOWS\niFish3.exe
C:\WINDOWS\3dg32.dll
C:\WINDOWS\sysgtime.dll
C:\WINDOWS\uninstBVRP.dll
C:\WINDOWS\system32\byxutss.dll
C:\WINDOWS\system32\ctaddohl.dll
C:\WINDOWS\system32\ddayw.dll
C:\WINDOWS\system32\hxempbyw.dll
C:\WINDOWS\system32\igqseyte.dll
C:\WINDOWS\system32\jftbkedh.dll
C:\WINDOWS\system32\P2P Networking v124.cpl
C:\WINDOWS\system32\wyadd.bak1
C:\WINDOWS\system32\wyadd.bak2
C:\WINDOWS\system32\wyadd.tmp
C:\WINDOWS\system32\etyesqgi.ini
C:\WINDOWS\system32\wyadd.ini"
C:\WINDOWS\system32\wyadd.ini2

• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

If Killbox does not reboot just reboot your PC yourself.
After reboot locate the below folder and delete if found:
C:\Program Files\Common Files\{3CBEE2BC-063A-1033-0314-020311260002}
C:\Program Files\Common Files\{9CBEE2BC-063A-1033-0314-020311260002}
C:\Program Files\Common Files\{9CBEE2BC-063B-1033-0314-020311260002}

Now run Ccleaner!

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

That's because in between you first posting and my fixes and you executing my fixes, your infection had already spread into more files not showing in your first logs. Also since you did not attach a proper log from GetRunKey the first time, other items were also missed that can be seen now. Thus we have some similar steps to repeat and some new steps too.


Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
C:\Documents and Settings\All Users\Application Data\Sunbelt Software
C:\Program Files\Sunbelt Software

Make sure you have rebooted in Normal Mode (do not open any other processes)
Also make sure that one and only one Internet Explorer browser is opened up

- Run Process Explorer

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of jkhfg.dll once and then click the kill button.
After you have killed all of the jkhfg.dll under winlogon click ok.
(If you do not find the dll, just continue on.)

Now repeat the above step for the below DLLs
(If you do not find the dll, just continue on):
ntpiesvv.dll
txsnfcdj.dll
vemdcmsu.dll

Next double click on explorer.exe and again click once on each instance of jkhfg.dll and kill it.
(If you do not find the dll, just continue on.)

Now repeat the above step for the below DLLs
(If you do not find the dll, just continue on):
ntpiesvv.dll
txsnfcdj.dll
vemdcmsu.dll

Next double click on iexplore.exe and again click once on each instance of jkhfg.dll and kill it. (If you do not find the dll, just continue on.)

Now repeat the above step for the below DLLs
(If you do not find the dll, just continue on):
ntpiesvv.dll
txsnfcdj.dll
vemdcmsu.dll

Now just exit Process Explorer.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\vemdcmsu.dll
O2 - BHO: (no name) - {A2A61D92-555E-4E4D-A877-DE105D95AB90} - C:\WINDOWS\system32\byxutss.dll (file missing)
O2 - BHO: (no name) - {C8C048C3-4069-4CC2-A282-71E9652DB5B4} - C:\WINDOWS\system32\jkhfg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O20 - Winlogon Notify: jkhfg - C:\WINDOWS\system32\jkhfg.dll

After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now run Pocket Killbox by doubleclicking on killbox.exe

• select File, Cleanup, Delete All Backups
• Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
• Then after it deletes the files click the Exit (Save Settings) button.

NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

• Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\UniFish3.exe
C:\WINDOWS\system32\jkhfg.dll
C:\WINDOWS\system32\ntpiesvv.dll
C:\WINDOWS\system32\txsnfcdj.dll
C:\WINDOWS\system32\vemdcmsu.dll
C:\WINDOWS\system32\gfhkj.bak1
C:\WINDOWS\system32\gfhkj.ini
C:\WINDOWS\system32\wyadd.ini

• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

If Killbox does not reboot just reboot your PC yourself.

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Did the fixME.reg patch add to the registry properly? Did you get a success message? It looks like it failed to me.

You did not run GetRunKey properly this time. Please make sure you run GetRunKey.bat from a Window Explorer session and not from inside the ZIP file. Run it again and attach a new log. You last one even looked like you edited it.

Maybe you did not attach a new log???? And maybe that is why the fixME.reg patch looks like it failed????

 

Don't right click on it. Do what the directions said and double click on it. What happens? It is not working thus far! Are you getting any popups from your antivirus or antispyware programs when trying to use this patch?

The only log I need is GetRunKey. And I only need a new one after you get a message indicating that it was successfully added to the registry.

If necessary, try booting in safe mode and make sure ALL processes and protection software are shutdown. Then double click on fixME.reg to see if it will add in successfully.

 

It is not supposed to open in notepad! It is supposed to automatically run the Windows Registry Editor and add import the contents into the registry. Sounds like you have some messed up file associations.

Copy the bold text below to notepad. Save it as RegFileFix.reg to your Desktop. Be sure the "Save as" type is set to "all files". Do not try to double click on it or run it though. See below!

After saving the above to your desktop, click Start, Run, and enter regedit an click OK. This should open the Windows Registry Editor. Now click File and select Import. Navigate on the next form to your Desktop and locate the RegFileFix.reg you just created and double click on it to open it and add it to the registry. You should get a success message. (Tell me if you do).

Then reboot your PC (this is necessary). After reboot, try double click on the fixME.reg patch to see if it now automatically calls the registry editor and imports the fixes into the registry. If it does then attach a new log from GetRunKey.

 

That's much better.

Your log is clean. If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you run Avenger, you can delete all files related to Avenger now.
7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
9. If you are running Windows XP or Windows ME, do the below:
   • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

You're welcome. Surf safely!