I need help with a trojan and not the condom kind...

Discussion in 'Malware Help (A Specialist Will Reply)' started by steve07, Nov 7, 2006.

  1. steve07

    steve07 Private E-2

    Hi guys, I'm having a very big problem which I hope to God you can help me with. I went to get a serial code from a website and instead I got a trojan on my system. Now I went and did a scan with HijackThis and deleted some unwanted stuff, but I don't know what else to do. Plz, I need help. Oh, and the virus is on my laptop and I can't go online with it cuz it will not let me, so I don't know how else to get the HijackThis log to you guys. I also scanned with AVG and it came up with a trojan dialer.coh that can't be deleted. Plz help me, I'm going crazy.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com, please follow our standard cleaning procedures:

    Run ALL the steps in this Sticky thread: READ & RUN ME FIRST Before Asking for Support

    • Make sure you check version numbers and get all updates.
    Very Important: Make sure you tell us the results from running the tutorial... was anything found? Were you unable to complete any of the scans? Were you unable to download any of the tools? Did you do the on-line scans as suggested? etc.

    After doing ALL of the above, if you still have a problem, make sure you have booted to normal mode and run the steps in the thread below to properly use HijackThis and attach the log:

    Downloading, Installing, and Running HijackThis
    • Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    In your next post, please make sure you attach the following logs and that you have run these scans in the following order:
    • CounterSpy - ONLY IF you were not able to run Windows Defender
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. steve07

    steve07 Private E-2

    I did all the steps. Here are the first set of logs.
     


  4. steve07

    steve07 Private E-2

    Here are the last set of logs. Hope you can help me fix this problem.
     


  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Please look in Add/Remove Programs for the following and uninstall them if found:

    VSAdd-in

    Please make sure the Viewing of Hidden Files & Folders is enabled per the READ ME.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:


    ishost.exe

    ismini.exe


    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    O2 - BHO: (no name) - {0B8171E9-08E4-13FB-1B5C-033BA11CF7A0} - C:\WINDOWS\system32\igcoqrj.dll
    O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt0.dll (file missing)
    O2 - BHO: (no name) - {3BAFEC54-8776-49DE-9EA7-024DB0D46F1C} - C:\WINDOWS\system32\nkqtoqc.dll
    O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
    O2 - BHO: (no name) - {6EE9219A-12A4-1D8C-DCA7-075F195B717F} - C:\WINDOWS\system32\kbbsgrc.dll
    O2 - BHO: (no name) - {764FBC11-FAEF-4124-B72B-2C66B7651FC5} - C:\WINDOWS\system32\geebx.dll
    O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\uljpmvth.dll
    O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\system32\jkkkhfg.dll

    O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
    O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{365D11E7-05D8-4105-1215-051222200002}\MyToolBar.dll

    O4 - HKLM\..\Run: [ddztaem.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ddztaem.dll,kuidogg
    O4 - HKLM\..\Run: [uoijkan.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\uoijkan.dll,cpoinaf
    O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgig.dll,startup
    O4 - HKLM\..\Run: [wswszli.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\wswszli.dll,rhetwzb
    O4 - HKLM\..\RunOnce: [RemoveModule] command /c del C:\WINDOWS\system32\drvfal.dll

    O20 - Winlogon Notify: geebx - C:\WINDOWS\system32\geebx.dll
    O20 - Winlogon Notify: jkkkhfg - C:\WINDOWS\SYSTEM32\jkkkhfg.dll
    O20 - Winlogon Notify: wingsa32 - C:\WINDOWS\SYSTEM32\wingsa32.dll

    Again, make sure ALL browser windows are closed when you click FIX.

    Now, please boot into Safe Mode, and be sure you have the Viewing of Hidden Files & Folders enabled per the tutorial. Now, navigate to and DELETE the following if they still remain:

    C:\Program Files\VSAdd-in — Delete this whole folder if it exists!

    C:\Program Files\Common Files\{365D11E7-05D8-4105-1215-051222200002} — Delete this whole folder if it exists!

    Next, run CCleaner to clean up cookies and temp files.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, REBOOT and proceed with the rest of this fix...

    Reset Web Settings & Default Security Settings:

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    After you complete the above, REBOOT and proceed with the rest of this fix...

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the link below:

    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility, which will create a fresh restore point.

    After you complete the above, reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now. Also, please attach a fresh HJT log.
     
  6. steve07

    steve07 Private E-2

    Did everything you said, and the icon in my toolbar flashing "my system in danger" is gone now, but I still don't know if everything is gone. I'm still paranoid lol. Anyways, here is the HJT log after everything is gone. Hope everything looks good, and thanks again for your help.
     


  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay let's start by downloading two tools we will need:

    - Process Explorer 10.21

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of geebx.dll & jkkkhfg.dll once and then click the kill button. After you have killed all of the geebx.dll & jkkkhfg.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of geebx.dll & jkkkhfg.dll and kill it.

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {B254234C-3916-49AD-956E-10FAE03EE0C7} - C:\WINDOWS\system32\geebx.dll
    O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\system32\jkkkhfg.dll

    O20 - Winlogon Notify: geebx - C:\WINDOWS\system32\geebx.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: jkkkhfg - C:\WINDOWS\SYSTEM32\jkkkhfg.dll
    O20 - Winlogon Notify: wingsa32 - wingsa32.dll (file missing)


    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the filenames below into KILL BOX one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note: many of the files listed below may not exist, but we need to check for them anyway.

    C:\WINDOWS\system32\ishost.exe

    C:\WINDOWS\system32\ismini.exe

    C:\WINDOWS\SYSTEM32\xbeeg.ini
    C:\WINDOWS\SYSTEM32\xbeeg.ini2
    C:\WINDOWS\SYSTEM32\xbeeg.bak
    C:\WINDOWS\SYSTEM32\xbeeg.bak1
    C:\WINDOWS\SYSTEM32\xbeeg.bak2
    C:\WINDOWS\SYSTEM32\xbeeg.tmp
    C:\WINDOWS\system32\geebx.dll

    C:\WINDOWS\SYSTEM32\gfhkkkj.ini
    C:\WINDOWS\SYSTEM32\gfhkkkj.ini2
    C:\WINDOWS\SYSTEM32\gfhkkkj.bak
    C:\WINDOWS\SYSTEM32\gfhkkkj.bak1
    C:\WINDOWS\SYSTEM32\gfhkkkj.bak2
    C:\WINDOWS\SYSTEM32\gfhkkkj.tmp
    C:\WINDOWS\system32\jkkkhfg.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log.
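    As an added illustration for the two fix lists above (this is my own example, not code from the thread or from MajorGeeks), here is a small Python parser for the HijackThis log format the helper is working from. It turns O2/O3/O4/O20 lines into records and flags the patterns the fixes rely on: an entry pointing at a file that is already missing, a DLL registered at more than one load point (a BHO and a Winlogon Notify handler at once, as with geebx.dll and jkkkhfg.dll), a Run value that starts rundll32.exe with a DLL export, and a RunOnce value that deletes a DLL. The sample log is constructed from lines of the kind shown above; the flag names and the heuristics are my own assumptions, and a flag is a reason to inspect a file, not proof it is malicious (a single O20 entry such as igfxcui draws no flag on its own).

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample log in HijackThis format; the lines mirror the kinds of
# entries listed in the thread (BHOs, a toolbar, Run keys, Winlogon Notify).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0B8171E9-08E4-13FB-1B5C-033BA11CF7A0} - C:\WINDOWS\system32\igcoqrj.dll
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {764FBC11-FAEF-4124-B72B-2C66B7651FC5} - C:\WINDOWS\system32\geebx.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [ddztaem.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ddztaem.dll,kuidogg
O4 - HKLM\..\RunOnce: [RemoveModule] command /c del C:\WINDOWS\system32\drvfal.dll
O20 - Winlogon Notify: geebx - C:\WINDOWS\system32\geebx.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
"""


@dataclass
class Entry:
    section: str          # O2, O3, O4, O20, ...
    name: str             # BHO/toolbar name, Run value name, or Notify subkey
    path: str             # file the entry points at ("" if none could be found)
    clsid: str = ""       # COM class id for O2/O3 entries
    command: str = ""     # full command line for O4 entries
    flags: set = field(default_factory=set)   # heuristic flags (my own names)


LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"^(?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RUN_RE = re.compile(r"^(HK\w+\\\.\.\\Run(?:Once)?): \[(.*?)\] (.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (.*?) - (.*)$")
DLL_RE = re.compile(r"([A-Za-z]:\\[^,\s]+\.dll)", re.IGNORECASE)
MISSING = "(file missing)"


def _strip_missing(entry, path):
    """HijackThis appends '(file missing)' when the target no longer exists."""
    if path.endswith(MISSING):
        entry.path = path[: -len(MISSING)].strip()
        entry.flags.add("ORPHAN")
    return entry


def parse_line(line):
    """Parse one HJT line into an Entry, or None if it is not an O-line we handle."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section in ("O2", "O3"):
        c = CLSID_RE.match(body)
        if not c:
            return None
        name, clsid, path = c.groups()
        return _strip_missing(Entry(section, name, path, clsid=clsid), path)
    if section == "O4":
        r = RUN_RE.match(body)
        if not r:
            return None
        key, name, cmd = r.groups()
        dll = DLL_RE.search(cmd)
        e = Entry(section, name, dll.group(1) if dll else "", command=cmd)
        if dll and "rundll32" in cmd.lower():
            e.flags.add("RUNDLL32_LOADER")      # DLL started via rundll32 export
        if key.endswith("RunOnce") and re.search(r"\bdel\b", cmd, re.I):
            e.flags.add("RUNONCE_DELETE")       # one-shot deletion of a DLL
        return e
    if section == "O20":
        n = NOTIFY_RE.match(body)
        if not n:
            return None
        name, path = n.groups()
        return _strip_missing(Entry(section, name, path), path)
    return Entry(section, "", "")


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def correlate(entries):
    """Flag a DLL that is hooked from more than one load point (e.g. BHO + Notify)."""
    seen = Counter(e.path.lower() for e in entries if e.path)
    for e in entries:
        if e.path and seen[e.path.lower()] > 1:
            e.flags.add("MULTI_HOOK")
    return entries


def report(text):
    """Return {dll basename: sorted flags} for every flagged entry in the log."""
    out = {}
    for e in correlate(parse_log(text)):
        if e.flags and e.path:
            key = e.path.lower().rsplit("\\", 1)[-1]
            out.setdefault(key, set()).update(e.flags)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for dll, flags in report(SAMPLE_LOG).items():
        print(f"{dll:16} {', '.join(flags)}")
```

The MULTI_HOOK correlation is the useful part: a DLL that is both a BHO and a Winlogon Notify handler stays loaded inside winlogon.exe, which is why the helper has the user kill its threads in Process Explorer and then delete it on reboot rather than just unchecking it in HijackThis.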
     
  8. steve07

    steve07 Private E-2

    Wow, didn't know there was more, damn, and I thought I was in the clear lol. Oh well, hopefully it's all gone now. Here is the HJT log after all the things you told me to do in your last reply.
     


  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\gktrnkov.dll

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\system32\gktrnkov.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After completing this, reboot once more and attach a fresh HJT log.
     
  10. steve07

    steve07 Private E-2

    Latest HJT log
     


  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is now clean; you should now install a firewall. Personally, I recommend ZoneAlarm because it uses little resources and does a great job.

    Are you having any further problems?

    You should see this thread on How to Protect yourself from malware!
     
  12. steve07

    steve07 Private E-2

    Thx, everything is working much better, it's not as slow anymore. Thanks a lot for your help. :)
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome! :)
     
  14. steve07

    steve07 Private E-2

    Ok, I don't know if this is that serious, but every time I do a scan with Spybot Search and Destroy, Windows Active Desktop keeps coming up as a problem. I fix it every time and it says problem fixed, but then I do a scan again and it's there again. It has no problem fixing it, but I just thought it was weird that it keeps showing up. Is this a problem?
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run another scan, let it detect it and attach the results so I can see what's being detected.
     
  16. steve07

    steve07 Private E-2

    here it is
     


  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download smitRem.exe and save to your desktop.

    Double click on the smitRem.exe file to extract it to its own folder on the desktop (this should be the default selection). Now open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. The tool will create a log named smitfiles.txt in the root of the drive that you ran the batch file on, e.g. Local Disk C: or the partition where your operating system is installed.

    Attach the log from this utility.
     
  18. steve07

    steve07 Private E-2

    Here it is
     


  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Now run Spybot and see if it's still being detected. It's nothing major, we can manually remove it if it's still there.
     
  20. steve07

    steve07 Private E-2

    Just ran Spybot and it showed up again.
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click Start > Run > type in regedit

    Navigate to the following key:

    HKEY_USERS\S-1-5-21-1659004503-1177238915-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Policies

    Right click on "Policies" and select Export. Save this file to your desktop and then compress it to a ZIP file and upload it here so I can check something.
     
  22. steve07

    steve07 Private E-2

    I hope this is right.
     


  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Reboot into Safe Mode, be sure nothing is running when you do this merge.

    Once in Safe Mode, double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
     
