Help with Trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by Malleus, Oct 23, 2007.

  1. Malleus

    Malleus Private E-2

    Overview:
    Having an issue with what appears to be a trojan virus. I have attached the following files below for your review: the AVG Scan (couldn't run Counter Spy), the BitDefender scan, and the PandaActiveScan file. I will attach the ShowNew file and the Hijack This log in a separate file. Please note that I tried running the GetRunKey bat file, but the program seems to hang on me.

    Visible Signs:
    I have McAfee (came free with Comcast service). When I ran the various scans in Safe Mode, none of the programs noted any issues. When I went to Safe Mode with Networking to run BitDefender and PandaActiveScan, BitDefender noted no viruses, but a few other issues. PandaActive noted no issues. However, when I perform a normal boot, all hell seems to break loose. McAfee pops up every two to three minutes to inform me that it removed several trojan viruses including the following: Generic.f, Generic component (2 pop-ups), Puper (2 pop-ups), and Adclick-fc. As McAfee continues to generate these pop-ups, it's clearly not fixing or removing the source of the problem. Additionally, I periodically receive generic pop-ups relating to "Windows Security Alerts". When I "x" out these pop-ups, an IE page opens up offering some virus removal product/service. I am also receiving "system alerts" in the system tray.

    Conclusion:
    Any help would be greatly appreciated.
     

    Attached Files:

  2. Malleus

    Malleus Private E-2

    Here are the other two files - the ShowNew file and the Hijack This file.

    Thanks again for any help!
     

    Attached Files:

  3. abri

    abri MajorGeek

    Hi Malleus!
    Welcome to Major Geeks.

    I'm missing your runkeys.txt log from GetRunKeys. Please run it at the end of these instructions and post it along with the other requested logs. Also, it doesn't look like AVG 7.5 Antispyware ran.

    1) Please go to add/remove programs and uninstall the following:

    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java(TM) 6 Update 2
    Java(TM) SE Runtime Environment 6 Update 1


    2) Scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    3) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    4) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    6) After you have completed ALL of the above in the correct order, please attach the following logs.
    • Avenger Log
    • ShowNew Log
    • GetRunKey Log
    • HijackThis Log


    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    abri
     
  4. Malleus

    Malleus Private E-2

    abri,

    Thank you for your help. I removed all the Java items requested, and I "fixed" the issues with Hijack This.

    Also, I downloaded Avenger, and ran the program as directed. However, it stated it could not locate some of the files for Avenger and therefore it did not appear to work properly. I am attaching the log, but I don't believe there's any information in it.

    Also, the GetRunKeys does not appear to work. I let it run for 15+ minutes, and it only got as far as copying the first three files. Then, the only activity appears to be the cursor simply blinking at me, taunting me...

    When I ran the Hijack This log, I noticed the "software referral" line returned.

    Also, I ran the ATF Cleaner. No problems with running it. It seemed to work properly.

    All the same pop-ups come up, it doesn't appear that any of the activity has stopped.

    Please advise on the next steps. Thanks again for your help with this matter.
     

    Attached Files:

  5. Malleus

    Malleus Private E-2

    abri,

    The Avenger log would not upload in the last message. I get an "upload failed" message when I try to attach. Please advise. Also, I forgot to mention that three icons appear on my desktop each time I reboot, even though I delete them. They appear to be shortcuts to the webpages that randomly load with this bug.

    Thanks!
     
  6. Malleus

    Malleus Private E-2

    abri,

    Sorry for the multiple messages. I tried Avenger again to no avail. It mentions it can't find the *.reg file, and can't locate the avenger.txt file. I took screenshots of what I could and pasted them into the attachment below. Hope this helps.

    Thanks!
     

    Attached Files:

  7. abri

    abri MajorGeek

    Hi Malleus,
    Try disconnecting from the internet and disabling McAfee as completely as possible before you run them. I expect that's what's blocking them. You may have to print out the instructions or store them where you can get to them without the internet. Make sure when you reconnect to the internet, that your McAfee starts up normally again.

    The problems with the attachments are a problem of vBulletin, which doesn't seem to get corrected. It helps to either empty the browser cache or switch browsers.

    abri
     
  8. Malleus

    Malleus Private E-2

    abri,

    I disabled McAfee and tried running the directions in your reply to my original post. GetRunKeys continues to "hang". It only copies the first three .txt files then stops. Avenger continues to not find the necessary files to run. The ATF Cleaner states that there are no files to clean (probably due to the fact that these were already cleaned from the last time I ran the program).

    I reran HijackThis. The "software referral" line returned, along with the "blank" line. All the other lines that you requested I remove stayed "gone".

    Sorry, I don't have any progress to report. Any other thoughts?
     
  9. abri

    abri MajorGeek

    Hi Malleus!
    Yes! Please post the most recent HijackThis log and I will see if anyone knows why these things aren't running. ShowNew and GetRunKeys both run in less than a minute normally. I think the referral problem is not a nice one. It may require a more robust approach.
    abri
     
  10. Malleus

    Malleus Private E-2

    Abri,

    Here is the Hijack This log for your review. I'll be heading to work, so I won't be able to run any fixes until this evening.

    Thanks!
     

    Attached Files:

  11. abri

    abri MajorGeek

    Hi Malleus,

    Please do this: Using SDFix
    and then post the log to us.

    abri
     
  12. Malleus

    Malleus Private E-2

    abri,

    Ran the SDfix. Wow! So far, no pop-ups or repetitive trojan removal messages from McAfee. Here's the log. Do you think we got this bug? If so, any recommended clean up procedures?

    Thanks again for your help!
     

    Attached Files:

  13. abri

    abri MajorGeek

    Hi Malleus!
    Please post fresh hijackthis and newfiles (from Shownew) logs.
    Thanks.
    abri
     
  14. Malleus

    Malleus Private E-2

    abri,

    Here are the files. Still seems okay. No pop-ups, no McAfee messages. Crossing fingers on my end.

    Thanks again!
     

    Attached Files:

  15. abri

    abri MajorGeek

    Hi Malleus,

    1) Please look in the Taskmanager and see if this program is running. If so, please end it.
    Whether it's in the task manager or not, please then look in add/remove programs and see if it is there. If so, please uninstall it.

    C:\WINDOWS\ALCXMNTR.EXE

    If it is not in add/remove programs, we will try to delete it with Pocket Killbox below.


    2) Scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

    Again, make sure ALL browser windows are closed when you click FIX.


    3) Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:

    * Delete on Reboot
    * then click on the All Files button (or on the folders option)
    * Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\ALCXMNTR.EXE
    C:\WINDOWS\ucqtajat.txt
    C:\Program Files\uvfhhqrp.txt
    C:\xcuexpSH.txt
    C:\xcupolsys.txt
    C:\xcupolexp.txt
    C:\xcuproto.txt
    C:\xlmBHO.txt
    C:\xlmdefpre.txt
    C:\xlmdns0.txt
    C:\xlmdns1.txt
    C:\xlmdns3.txt
    C:\xlmpolexp.txt
    C:\xlmpolsys.txt
    C:\xlmshared.txt
    C:\xlmshell.txt
    C:\xlmssodl.txt
    C:\xlmsys1.txt
    C:\xlmsysc.txt
    C:\xmodul.txt
    C:\xrkey00.txt
    C:\xrkey01.txt
    C:\xrkey02.txt
    C:\xrkey05.txt
    C:\xrkey06.txt
    C:\xrkey07.txt
    C:\xrkey08.txt
    C:\xrkey10.txt
    C:\xrkey12.txt
    C:\xrnotif.txt
    C:\xrquery.txt
    C:\xrquery2.txt
    C:\xtmpsysccs.txt
    C:\xtmpsyscs1.txt
    C:\xtmpsyscs3.txt

    * Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    * Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    4) Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    5) After you have completed the above in the correct order, please give GetRunKeys another try and see if it still hangs. It doesn't take more than a minute to run, so don't wait long. In any case, please post new logs for Shownew (newfiles.txt) and HijackThis.
    • ShowNew Log
    • GetRunKey Log
    • HijackThis Log


    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    abri
     
  16. Malleus

    Malleus Private E-2

    Hello abri,

    1) Done. ALCXMNTR.EXE removed from process. Went to Add/Remove Programs. I did not see any similarly named program to remove. However, I had this Capicom "security fix" file that I hadn't seen previously. As a precaution, I removed it.

    2) Done. "Fixed" through HijackThis.

    3) Downloaded. Ran with no issues. Never received the "PendingFileRenameOperations" prompt.

    4) Done. ATF-Cleaner ran with no issues.

    5) Attached the ShowNew log below. GetRunKey continues to freeze up. HijackThis log is also attached. Should I consider getting GetRunKey again and saving it over the current version that I have?

    Thanks again!!
     

    Attached Files:

  17. Malleus

    Malleus Private E-2

    abri,

    I forgot to add that the computer seems fine. I know appearances can be deceiving. Still not getting any popups or message from McAfee. I did receive a security warning in the system tray (red shield with an "x" in it. When I right clicked on the icon, it gave me the option to open up the program or open up the Microsoft security center. Seemed like a legit item.

    Many thanks for your time and efforts!
     
  18. abri

    abri MajorGeek

    Hi Malleus!
    The xfiles directly under C: are multiplying and those we deleted are reappearing with the same name, but a different size. I don't recognize these files, so I would like to try to figure out what's causing them. I don't think your computer is clean yet.

    Before you do that, is the following something you put in your trusted zone?
    If not, please scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)
    Again, make sure ALL browser windows are closed when you click FIX.

    Also, please do this: If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    After this, please try to run GetRunKeys again. Try it in either normal or safe mode. See if either one works.
    abri
     
    Last edited: Oct 25, 2007
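The two HijackThis entries the helper asked to fix above (the O16 DPF line with a CLSID but no control name or download URL, and the O15 Trusted Zone wildcard for *.trymedia.com in HKLM) are the kind of thing a reviewer spots by eye. As an added example that is not part of this thread or of HijackThis itself, the script below encodes those same two checks: it parses O15 and O16 lines and reports why each one deserves a second look. The sample log lines are constructed for the example; only the O15 and O16 entries quoted above are taken from the thread, and the second O16 line (CLSID, control name and download URL) is invented to show the contrast with a fully recorded entry.

```python
import re

# Constructed sample in HijackThis log format. The O15 line and the first O16
# line are the entries the helper asked to fix in this thread; the rest are
# invented filler so the parser has something benign to skip past.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SomeUpdater] "C:\\Program Files\\Vendor\\updater.exe" /background
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O15 - Trusted Zone: http://intranet.example.invalid
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {11111111-2222-3333-4444-555555555555} (Example Control) - http://downloads.example.invalid/control.cab
"""

# O15 - Trusted Zone: <url> [(HKLM)]   -- scope suffix is optional
O15_RE = re.compile(r"^O15 - Trusted Zone: (\S+)(?: \((HKLM|HKCU)\))?\s*$")
# O16 - DPF: {CLSID} [(Name)] - [URL]  -- name and URL may both be missing
O16_RE = re.compile(r"^O16 - DPF: \{([0-9A-Fa-f-]{36})\}(?: \(([^)]*)\))? - ?(.*?)\s*$")


def host_of(url):
    """Strip a scheme so '*' checks run against the host part only."""
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.I)


def check_o15(url, scope):
    """Reasons an Internet Explorer Trusted Zone entry deserves review."""
    reasons = []
    if "*" in host_of(url):
        reasons.append("wildcard trusts every host under the domain")
    if scope == "HKLM":
        reasons.append("machine-wide (HKLM) entry applies to every user")
    return reasons


def check_o16(clsid, name, url):
    """Reasons a Downloaded Program File (ActiveX) entry deserves review."""
    reasons = []
    if not name:
        reasons.append("no control name recorded for CLSID " + clsid)
    if not url:
        reasons.append("no download URL recorded")
    elif not url.lower().startswith("https://"):
        reasons.append("control was fetched over plain http")
    return reasons


def review_hjt(log_text):
    """Return [(line, [reason, ...]), ...] for O15/O16 lines worth a look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = O15_RE.match(line)
        if m:
            reasons = check_o15(*m.groups())
        else:
            m = O16_RE.match(line)
            if not m:
                continue  # other HijackThis sections are out of scope here
            reasons = check_o16(*m.groups())
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in review_hjt(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    - " + r)
```

The wildcard and HKLM checks are separate on purpose: a wildcard Trusted Zone entry is the bigger problem (every host under the domain gets the relaxed security zone), while the HKLM scope only widens who is affected, and the helper's question "is this something you put in your trusted zone?" is still the right one to ask before fixing either.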
  19. Malleus

    Malleus Private E-2

    abri,

    I removed that trusted zone line item with HJT. I've attached the new log. When the computer was shutting down, I noticed several prompt boxes that asked me to "end files". Sorry, but I don't have specifics. This may be indicative of the need to perform more clean up.

    I rebooted in Safe Mode with Networking. Ran GetRunKey with success!!! I've attached this log below as well.

    We use Windows Live Messenger frequently. We use the Live Video conference feature so the grandparents can visit their grandkids. So, I'd prefer to leave this alone, if we can.

    Many thanks!
     

    Attached Files:

  20. Malleus

    Malleus Private E-2

    abri,

    I shut down the computer to see if those prompt boxes came up again. They did. One states that "dwwin.exe DLL Initialization Failed". The second was an "End Program - sw". Not sure if it's important, but I wanted to provide specifics to my last message.

    Thanks,
    Malleus
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just wait longer for it to complete. Don't stop it by closing the command prompt. Just allow it to run until it finishes.
     
  22. Malleus

    Malleus Private E-2

    chaslang,

    I started the GetRunKeys process, and it's been running for 1.5 hours now. How long should this go?

    Thanks!
    Malleus
     
  23. Malleus

    Malleus Private E-2

    4 hours and counting with the GetRunKey...
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, this is way beyond how long it should take. Even on a very slow PC it would never take more than a few minutes. Something is wrong somewhere. Can you copy and paste info from the command prompt window here so I can see where it is getting to? You can use edit functions in the command prompt window by right-clicking on the top bar of the window and selecting Edit, Mark. Then mark (i.e., highlight the lines in the window) the lines. Then Edit and Copy to copy into the Windows clipboard. You can then paste the info into your message.

    You say that GetRunKey will run in safe boot mode, but in normal boot mode it does not? Are you noticing any popup warnings from your protection software reporting anything like a script trying to run or anything else?
     
  25. Malleus

    Malleus Private E-2

    Hello chaslang,

    Almost 11 hours and this is how far GetRunKey progressed:

    NOTE: Ignore any error messages about not finding registry keys!
    Just wait for the program to finish running!!
    C:\xtmpsysccs.txt
    C:\xtmpsyscs1.txt
    C:\xtmpsyscs3.txt
    1 file(s) copied.

    GetRunKey accomplished the above in less than 10 seconds. The remainder of the time was spent with the cursor blinking at me.

    You are correct. GetRunKey worked in Safe Mode with Networking. I attached the log in a previous post. What's interesting is that everything seems to be running fine with the computer. No more pop-ups, no more McAfee warning messages. I only get prompt boxes when I shut down the computer, as I noted in a prior post. McAfee ran a normal scheduled scan today, and it encountered two items that appear to be cookies. No script warnings of any sorts.

    If needed, I can run everything from scratch again. My main concern is the message from abri that xfiles under the C:\ are multiplying and reappearing.

    Please advise, and many thanks for your time.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They are not problems. They are temporary files from GetRunKey. When it runs all the way thru to completion they would be cleaned up automatically. Since GetRunKey will not run in normal boot mode (and I still suspect that McAfee is the reason it is not) you can either boot into safe mode and run GetRunKey again and those files will go away if GetRunKey runs all the way thru to the point of a log popping up. OR you can just delete all of those files yourself. The files are all in your C drive root folder:
    Code:
    "C:\"
    xcuexpsh.txt  Oct 25 2007         200  "xcuexpSH.txt"
    xcupol~1.txt  Oct 25 2007         400  "xcupolsys.txt"
    xcupol~2.txt  Oct 25 2007         322  "xcupolexp.txt"
    xcuproto.txt  Oct 25 2007         588  "xcuproto.txt"
    xlmbho.txt    Oct 25 2007        2346  "xlmBHO.txt"
    xlmdef~1.txt  Oct 25 2007         760  "xlmdefpre.txt"
    xlmdns0.txt   Oct 25 2007       19916  "xlmdns0.txt"
    xlmdns1.txt   Oct 25 2007       19828  "xlmdns1.txt"
    xlmdns3.txt   Oct 23 2007       19828  "xlmdns3.txt"
    xlmpol~1.txt  Oct 25 2007         384  "xlmpolexp.txt"
    xlmpol~2.txt  Oct 25 2007        1854  "xlmpolsys.txt"
    xlmsha~1.txt  Oct 25 2007         554  "xlmshared.txt"
    xlmshell.txt  Oct 25 2007         488  "xlmshell.txt"
    xlmssodl.txt  Oct 25 2007         824  "xlmssodl.txt"
    xlmsys1.txt   Oct 25 2007    10771982  "xlmsys1.txt"
    xlmsysc.txt   Oct 23 2007    10760428  "xlmsysc.txt"
    xmodul.txt    Oct 25 2007        1564  "xmodul.txt"
    xrkey00.txt   Oct 25 2007        1762  "xrkey00.txt"
    xrkey01.txt   Oct 25 2007        1428  "xrkey01.txt"
    xrkey02.txt   Oct 25 2007         228  "xrkey02.txt"
    xrkey04.txt   Oct 25 2007         236  "xrkey04.txt"
    xrkey05.txt   Oct 25 2007        4548  "xrkey05.txt"
    xrkey06.txt   Oct 25 2007         230  "xrkey06.txt"
    xrkey07.txt   Oct 25 2007         234  "xrkey07.txt"
    xrkey08.txt   Oct 25 2007         238  "xrkey08.txt"
    xrkey10.txt   Oct 25 2007         224  "xrkey10.txt"
    xrkey11.txt   Oct 25 2007         232  "xrkey11.txt"
    xrkey12.txt   Oct 25 2007         577  "xrkey12.txt"
    xrnotif.txt   Oct 25 2007       13494  "xrnotif.txt"
    xrquery.txt   Oct 25 2007         937  "xrquery.txt"
    xrquery2.txt  Oct 25 2007         752  "xrquery2.txt"
    xtmpsy~1.txt  Oct 25 2007     3700609  "xtmpsysccs.txt"
    xtmpsy~2.txt  Oct 25 2007     3663953  "xtmpsyscs1.txt"
    xtmpsy~3.txt  Oct 25 2007     3407419  "xtmpsyscs3.txt"
    The prompt boxes you referred to with dwwin.exe are not malware issues. That is a Windows error reporting/debugging tool named Dr Watson. You may want to discuss issues with it in the Software Forum.
     
    Last edited: Oct 27, 2007
  27. Malleus

    Malleus Private E-2

    Thanks, chaslang.

    I manually deleted the files. Is there anything further at this time that you'd like to review? Everything seems normal on my end.
     
  28. abri

    abri MajorGeek

    Hi Malleus!

    There's some information specifically relating to the popup you're getting,
    "dwwin.exe DLL Initialization Failed" at this website:
    http://help.lockergnome.com/windows/dwwin-exe-DLL-Initialization-Failed-ftopict560970.html

    The English is a bit rough, but the information I found quite useful. It explains that dwwin.exe is the report, not the problem, and shows you how you can get more information on which program could be causing this report. It's possible that this problem is also related to your not being able to run GetRunKeys in normal mode.

    abri
     
  29. Malleus

    Malleus Private E-2

    abri,

    Thanks I will look into the dwwin issue separately. With regards to the original trojan issue, is there anything else you would like to review or should we close this thread down? My computer seems to be running normally. You and chaslang have been a tremendous help.

    Thanks!
    Malleus
     
  30. abri

    abri MajorGeek

    Hi Malleus,
    This is our standard set of final instructions. I'm not sure why your GetRunKeys wouldn't work, but mine doesn't work now either. Hopefully we'll figure out why. I don't have McAfee, so that can't be the problem.

    abri
     
