Many trojans found

Discussion in 'Malware Help (A Specialist Will Reply)' started by mneenee, Feb 22, 2007.

  1. mneenee

    mneenee Corporal

    Hi all,

    Got this computer from a halfway house. It has all kinds of junk on here. I have done all of what I could do in the Read and Run steps. I couldn't run CounterSpy but was able to run AVG; also could not run Panda but did run BitDefender. I cannot access the internet through normal start-up, only through Safe Mode with Networking, which is what I am in now. Cannot get into msconfig; it just spits an error at me saying it could not find it. I ran HJT, GetRunKey and ShowNew in normal mode. Also not sure if or when the last Windows Update was done; can't run it either. All logs are attached. Please let me know if you need anything else. Any help would be greatly appreciated.

    Mneenee
     

    Attached Files:

  2. mneenee

    mneenee Corporal

    Here is the HJT.
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "All Files". Once you have saved it, double-click it and allow it to merge with the registry.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINNT\System32\iexplore.exe
    O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\System32\lssas.exe
    O4 - HKLM\..\Run: [Windows Explorer] C:\WINNT\System32\explorer.exe
    O4 - HKLM\..\RunServices: [Windows MS Update 32] sucker.exe
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Marda Loop\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O16 - DPF: {C3D96A02-EEA7-4264-98D7-D882A7338DE5} - http://imgfarm.com/images/nocache/community/ExciteNotifierInitialSetup1.0.0.12.exe

    After clicking Fix, exit HJT.

    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:

    * Delete on Reboot
    * then Click on the All Files button.
    * Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\winstall.exe
    C:\WINNT\system32\wins\DLLHOST.EXE
    C:\us22.exe
    C:\WINNT\system32\dwsnj.exe
    C:\WINNT\system32\awgvut.exe
    C:\WINNT\system32\iaqtcgz.exe
    C:\WINNT\system32\krber.exe
    C:\WINNT\system32\ndilsmo.exe
    C:\WINNT\system32\nujhvcwt.exe
    C:\WINNT\system32\setup_35130.exe
    C:\WINNT\system32\setup_44686.exe
    C:\WINNT\termsrv.exe
    C:\WINNT\system32\xlibgfl254.dll
    C:\WINNT\system32\algs.exe
    C:\WINNT\system32\lssas.exe
    C:\WINNT\System32\iexplore.exe

    * Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    * Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Run CCleaner

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
     
  4. mneenee

    mneenee Corporal

    Hello again Tim,

    Ok did the fixME.reg. Ran HJT and found and fixed five of these lines the others were not there. Ran killbox with no errors.

    Still cannot access internet through normal start up. Although AVG is not going nuts anymore upon reboot.

    Was wondering though what these errors were while running getrun and shownew it is as follows:

    16 bit MS-DOS Subsystem

    C:\winnt\system32\cmd.exe
    SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers. VDD.
    Virtual Device Driver format in the registry is invalid. Choose Close to terminate the application.

    Then options to close or ignore. I chose ignore and they run???

    Also I noticed that upon enabling show hidden files and folders two icons appeared on the desktop:
    u32File.cfg and readme.gid

    And finally I noticed 3 programs in the C: directory; they are: g.exe, arcldr.exe and arcsetup.exe.

    Have attached logs.

    Thanks so much

    Mneenee

    Ok just checked out system processes running and Issas.exe is still there just thought I'd let you know. This is in Safe mode with networking.
     

    Attached Files:

    Last edited: Feb 22, 2007
  5. mneenee

    mneenee Corporal

    Sorry but just noticed iexploler.exe running as well, and yes it is spelled that way not a typo lol.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    * Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    * On the page that opens, scroll down to SYSTEMSVC
    * then right click the entry, select Properties and press Stop Service.
    * When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    * Click OK until you get back to Windows.

    * Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    * At the lower right, click on the Config button
    * Then click the Misc tools button
    * Select Delete an NT Service
    * Copy/paste SYSTEMSVC into the box that opens, and press OK
    * If you receive any error messages just ignore them and continue.
    * Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "All Files". Once you have saved it, double-click it and allow it to merge with the registry.

    Now re-Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    O4 - HKLM\..\Run: [Services] C:\WINNT\System32\iexploler.exe
    O23 - Service: LWEVHP - Unknown owner - C:\DOCUME~1\MARDAL~1\LOCALS~1\Temp\LWEVHP.exe (file missing)
    O23 - Service: Windows System Service (SYSTEMSVC) - Unknown owner - C:\WINNT\system\system.exe
    O23 - Service: Terminal Server-Services - Unknown owner - C:\WINNT\termsrv.exe (file missing)
    O23 - Service: UPPEKVX - Unknown owner - C:\DOCUME~1\MARDAL~1\LOCALS~1\Temp\UPPEKVX.exe (file missing)

    After clicking fix, exit HJT.

    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:

    * Delete on Reboot
    * then Click on the All Files button.
    * Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\system\system.exe
    C:\g.exe
    C:\WINNT\system32\91.exe
    C:\WINNT\system32\lyll.exe
    C:\WINNT\system32\iexploler.exe
    C:\DOCUME~1\MARDAL~1\LOCALS~1\Temp\LWEVHP.exe
    C:\DOCUME~1\MARDAL~1\LOCALS~1\Temp\UPPEKVX.exe

    * Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    * Click the red-and-white Delete File button. Click on the Processes tab and make sure none of the .exe files are running (if found, click Kill). Click Yes at the Delete on Reboot prompt.

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.


    arcldr.exe and arcsetup.exe are leftovers from trying to install SP4.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
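
Added example, not part of the thread and not code from HijackThis or Killbox: the fix lists in TimW's posts #3 and #6 above select startup (O4) and service (O23) entries for a few recurring reasons: names that imitate Windows binaries (lssas.exe for lsass.exe, iexploler.exe for iexplore.exe, and later in the thread spooisv.exe for spoolsv.exe), real binary names launched from the wrong directory (explorer.exe and iexplore.exe from System32), executables under a Temp folder, entries whose file is already missing, and an entry with no path at all (sucker.exe). The Python script below parses lines in the HJT O4/O23 format and applies exactly those checks, so a reader can see why each quoted line was chosen. The sample lines are the ones quoted in the thread plus one constructed legitimate spoolsv.exe line as a control; the table of known system binaries and their expected directories is this example's own assumption and covers only a handful of Windows 2000/XP executables.

```python
"""Triage HijackThis O4/O23 entries for the masquerading patterns seen in this thread.

Constructed example, not part of the thread, HijackThis or Killbox.  KNOWN_BINARIES
is an assumption covering a few Windows 2000/XP system executables; extend it for
a real environment.
"""
import re

# Assumed legitimate directories (lower-case regex on the directory part of the path;
# WINNT is the Windows 2000/NT system root, WINDOWS the XP one).
SYSTEM32 = r"^[a-z]:\\(winnt|windows)\\system32$"
KNOWN_BINARIES = {
    "lsass.exe": SYSTEM32,
    "csrss.exe": SYSTEM32,
    "smss.exe": SYSTEM32,
    "services.exe": SYSTEM32,
    "svchost.exe": SYSTEM32,
    "winlogon.exe": SYSTEM32,
    "spoolsv.exe": SYSTEM32,
    "explorer.exe": r"^[a-z]:\\(winnt|windows)$",
    "iexplore.exe": r"^[a-z]:\\program files\\internet explorer$",
}

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)', re.IGNORECASE)
TEMP_RE = re.compile(r"\\temp(\\|$)")

# Lines quoted from the thread's HJT logs, plus one constructed legitimate control line (last).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINNT\System32\iexplore.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\System32\lssas.exe
O4 - HKLM\..\Run: [Windows Explorer] C:\WINNT\System32\explorer.exe
O4 - HKLM\..\RunServices: [Windows MS Update 32] sucker.exe
O4 - HKLM\..\Run: [Services] C:\WINNT\System32\iexploler.exe
O23 - Service: LWEVHP - Unknown owner - C:\DOCUME~1\MARDAL~1\LOCALS~1\Temp\LWEVHP.exe (file missing)
O23 - Service: Windows System Service (SYSTEMSVC) - Unknown owner - C:\WINNT\system\system.exe
O23 - Service: Terminal Server-Services - Unknown owner - C:\WINNT\termsrv.exe (file missing)
O23 - Service: Print Spooler (Spooler) - Microsoft Corporation - C:\WINNT\system32\spoolsv.exe
"""


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent characters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def parse_entry(line):
    """Return (name, exe_path, file_missing) for an O4 or O23 line, or None for anything else."""
    m = O4_RE.match(line) or O23_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    missing = cmd.endswith("(file missing)")
    cmd = cmd.replace("(file missing)", "").strip()
    exe = EXE_RE.match(cmd)  # keep the path up to the first .exe, drop any arguments
    return (m.group("name"), exe.group("path") if exe else cmd, missing)


def check_entry(path, missing):
    """Apply the location and lookalike heuristics to one executable path; return the reasons."""
    reasons = []
    directory, _, filename = path.lower().rpartition("\\")
    if missing:
        reasons.append("orphaned entry: file missing")
    if not directory:
        reasons.append("no directory: resolved through the search path")
    elif TEMP_RE.search(directory):
        reasons.append("executable under a Temp directory")
    if filename in KNOWN_BINARIES:
        if directory and not re.match(KNOWN_BINARIES[filename], directory):
            reasons.append(f"system binary {filename} outside its normal directory")
    else:
        near = [k for k in KNOWN_BINARIES if edit_distance(filename, k) <= 2]
        if near:
            reasons.append("lookalike of " + ", ".join(near))
    return reasons


def triage(lines):
    """Map each flagged executable path to its list of reasons; clean entries are omitted."""
    findings = {}
    for line in lines:
        entry = parse_entry(line.strip())
        if entry is None:
            continue
        _name, path, missing = entry
        reasons = check_entry(path, missing)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{path}\n    " + "\n    ".join(reasons))
```

Note what the heuristics do not catch: C:\WINNT\system\system.exe produces no finding, because its name is not close to any known binary and C:\WINNT\system is not a Temp folder. That entry was still selected in the thread from the full log context (an unknown service with an unusual home), which is why name and path checks are a first pass, not a replacement for reviewing the whole log.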
     
  7. mneenee

    mneenee Corporal

    OK, looked in Services but there is no SYSTEMSVC, just System Event Notification??? Also tried to copy and paste the info for fixME.reg into Notepad and it won't let me??????????? It was letting me before. I even tried copying it into WordPad just to see if it worked, but it didn't. I could type it in myself but am not sure what the last character is; is it: =- or what??? Not sure what to do now as I have to be in Safe Mode with Networking to get here. Thanks again.

    Mneenee
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Does this service exist: Windows System Service (SYSTEMSVC) ....

    Are you sure you are following the steps for the Reg. edit? and yes it is a = followed by a minus sign.

    If you are unable to run this or stop the service, we may have to use Process Explorer.
    Let me know.
     
  9. mneenee

    mneenee Corporal

    Nope I can't see it in the list?

    I tried every which way to copy and paste the fixME but no luck. I figured it was a minus sign so I typed it myself and checked it twice, lol. It is sitting on the desktop. So what now, lol.

    Mneenee
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Do the rest of the instructions and post the logs.
     
  11. mneenee

    mneenee Corporal

    Completed all the steps. When doing the first HJT step it said that it couldn't do it because the service was still running?? I looked for it 20 times but could not find anything like SYSTEMSVC?? Sorry.

    Did the reg fix and it seemed to work fine.

    Ran Killbox and it seemed to go off without a hitch as well.
    Restarted, ran logs, and still cannot access the internet in normal start-up.

    So am back in Safe with Networking and I can now copy and paste from this thread lol. Just had to check.

    Will attach logs let me know what you think. Thanks

    OK, while browsing for the new and un logs I noticed that g.exe was back, grrrr.

    Mneenee
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download and run Prevx1.

    Attach the logs.
     
  13. mneenee

    mneenee Corporal

    I got it installed but can't run it in Safe Mode with Networking, but I have to, as that is the only place I can get an internet connection and it requires one to activate it. Please advise, thanks.

    Mneenee
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you able to download Firefox, reboot into normal mode and install it? Have you tried any other browser?
     
  15. mneenee

    mneenee Corporal

    Downloaded Firefox; it didn't work. Works in safe mode though. Am just gonna try SlimBrowser to see if it will work; I have a feeling it won't though.

    Nope, didn't work. Starting to get annoyed now :p. Remember that song when you were a kid: I am slowly going crazy 123456 switch..... Well, that's about how I feel right now :D. Thanks once again.

    Mneenee
     
    Last edited: Feb 24, 2007
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Disable or better yet, uninstall Zone Alarm ....reboot and see if you can connect in normal mode.
     
  17. mneenee

    mneenee Corporal

    OK, before I do that though, just wanted to mention that I have been doing some playing around and noticed that whenever I went into Panda ActiveScan it would shut down IE when scrolling about a quarter of the way down the page. So I decided to pull up Task Manager and see what process loaded while doing that. The process was spooisv.exe. It wouldn't let me terminate it so I googled it and it came back with W32.Linkbot from Symantec. Also I ran another scan and it found SpyBouncer. exploler.exe is back (nothing but gobbledygook in Google). Alright, I'm off to normal mode.

    Mneenee
     
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Were your logs from normal mode? Spooisv.exe is not showing in your previous logs.

    Kill logon.exe process and remove logon.exe from Windows startup using RegRun (http://majorgeeks.com/download.php?det=531). Post the log from it.
     
  19. mneenee

    mneenee Corporal

    Uninstalling ZoneAlarm worked. I installed and ran Prevx1. It found 3 things and put them in Jail. I didn't see any options for logs? I noticed that there are 2 logs in the Prevx1 folder but 1 is blank and the other seems to be a program error log; is this what you want? Here are the 3 things it found:

    SYSTEM.EXE
    C:\WINNT\SYSTEM\SYSTEM.EXE

    IEXPLOLER.EXE
    C:\WINNT\SYSTEM2\IEXPLOLER.EXE (not smilies should be L O L no spaces)

    81.EXE
    C:\WINNT\SYSTEM32\81.EXE

    In reply to your last post: the spooisv.exe was happening in Safe Mode with Networking when trying to run the Panda ActiveScan webpage. I also noticed that when I tried to scroll on other pages, including this one, sometimes IE will shut down. Now when I go into Panda ActiveScan in normal mode it just won't let me select the Scan PC button; it recognizes it as a picture, not a link.

    Am just going to run RegRun; I will let you know how it goes.

    Hope this helps

    Mneenee

    Just a note: just tried to click on your link and it wouldn't let me. Will have to close and come back; this has been happening a lot as well.
     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Progress.

    Can you run counterspy now?
     
  21. mneenee

    mneenee Corporal

    Will have to download it and try; this will take a while, lol.
     
  22. mneenee

    mneenee Corporal

    CounterSpy downloaded but when trying to install it said: "The Windows Installer Service could not be accessed. This can occur if you are running in safe mode (I'm not) or if the Windows Installer is not correctly installed." RegRun installed nicely but I did not see the process logon.exe. However, there is another one and it looks like this:

    winlogon.exe Path: [\??\C:\WINNT\system32\]

    Is this legit? Just wondering, as the path doesn't seem right; it is the only one that starts with [\??\.

    Update:
    Just tried to go into Add and Remove Programs and it won't open, just hangs.
     
  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Run Installer Cleanup

    If that doesn't help ...attach the logs from normal mode.

    We will get there yet!
     
  24. mneenee

    mneenee Corporal

    Installer Cleanup won't install either. Which logs are you referring to? Did you mean the ones from Installer Cleanup, lol? Sorry, I have been doing this way too long zzz.

    Mneenee
     
  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  26. mneenee

    mneenee Corporal

    OK, will get you those, and yes I can run Firefox in normal mode; all browsers work.
     
  27. mneenee

    mneenee Corporal

    Here are the logs; now gonna run Trend.
     

    Attached Files:

  28. mneenee

    mneenee Corporal

    Trend found 3 items they were:

    ADWARE_FUNWEBTRENDS (Cleaned it)

    This one was my fault; it was a keyfinder program that I accidentally downloaded (I actually wanted "keyfinder" just in case).

    Rockxp (cleaned it)

    and this one it couldn't heal:

    TROJ_ZLOB_BLU 2 entries

    Again, I couldn't find a log for HouseCall. If there is one, let me know and I will attach it.

    Also I can't get to Program Files from My Computer; it is the same thing as Add/Remove Programs???? I have to use Explore.

    However, I am done for tonight; my husband feels like a widow, LOL. I will check back in the morning. Thanks much.

    Mneenee
     
  29. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sophos Anti-Rootkit will scan your computer for files that have been hidden using rootkit technology.

    Many of the newer malware infections use this technology to hide themselves and to make them more difficult to remove.

    Installation
    Download Sophos Anti-Rootkit 1.1 and save to a location you will be able to find such as your desktop

    Run sarsfx.exe by double clicking on it.

    Click Accept to agree to the EULA

    Click Install (if you wish to change the default installation location do so here but remember where you install to, the default is C:\SOPHTEMP)

    Once it finishes copying files, exit the installer

    Running the scan
    Navigate to the location that you installed the software to (Default: C:\SOPHTEMP)

    Run sargui.exe by double clicking on it.

    Ensure that all three of the options are checked

    Click Start Scan

    Once the scan is complete, close Sophos Anti-Rootkit by closing the scan window and clicking Exit in the main window

    DO NOT CLICK 'CLEAN UP CHECKED ITEMS' OR ATTEMPT TO HAVE SOPHOS ANTI-ROOTKIT FIX ANYTHING UNLESS SPECIFICALLY INSTRUCTED TO IN THE THREAD YOU ARE WORKING ON

    Finding the logs
    Click on Start --> Run

    Type in %TEMP%\sarscan.log and press enter

    The log file will open in the default editor (probably Notepad)

    Click File --> Save As and save the file to your desktop or other location for easy retrieval.
     
  30. mneenee

    mneenee Corporal

    OK, here's the update. It has been a fun morning :(. I got up this morning and started some scans, had a coffee, came back and the PC had restarted itself, only it would not boot. Just kept giving me the NTLDR error. So I did a repair install and am now back up and running. Sophos found nothing but things are getting much worse here. Dr. Watson has had some errors; it takes about five minutes to get any browser to start. Am starting to wonder if I should just do a clean install on here? I have never done one before but if you know of any good walkthroughs I'm sure I could pull it off. I am just going to donate this PC to Woman in Need Society anyway. Let me know what you think. Thanks

    Didn't bother posting the log from Sophos as it is blank.
    Mneenee
     
  31. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  32. mneenee

    mneenee Corporal

    What a disappointment!

    Well, the motherboard is now officially shot. I think there was a hardware problem as well. I accidentally kicked the tower and I heard a frying noise and that was that: done, fried, no more. So I opened it up and the wires for the DVD player must have come loose and touched something. What a waste of time. I should know better than to do anything but open up the casing and have a look inside first thing. Oh well, live and learn. Thanks so much for your help anyhow; I really appreciate it.

    Mneenee
     
  33. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Put the ghoul mask on and harvest the parts ....Sorry ...guess it falls under the looking a gift horse in the mouth....:(
     
