need help removing malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by wes2323, Jul 12, 2006.

  1. wes2323

    wes2323 Private E-2

    Hi there, I've had some recent trouble with my Internet Explorer. It stops working after about 5 minutes of surfing the web. I believe it is a spyware problem. I went through the listed steps and had found some problems. Spybot and Ad-Aware said my computer was fine. I then used Panda scan and it found a list of things. I'm hoping someone could tell me how to get rid of them. I will enclose my scan results along with a HijackThis log, if needed.


    Edit by chaslang: Inline Panda & HJT logs attached
     

    Attached Files:

    Last edited by a moderator: Jul 13, 2006
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    The READ & RUN ME must be followed completely and exactly. It tells you in multiple places not to post any logs inline with messages. They must be attachments. You did not follow instructions in multiple other spots.
    1. You did not run CounterSpy and attach the log as required, since you cannot run Windows Defender.
    2. You did not run BitDefender and attach the log as requested in step 6, and this should be done before Panda.
    3. You did not follow the directions in step 7 for installing HijackThis properly, and as a result you are running it exactly where we specify not to run it: directly from the ZIP file.
    4. As mentioned above, you posted logs inline rather than attaching them.
    Please finish all the required steps in the READ ME and attach ALL the required logs.
     
  3. wes2323

    wes2323 Private E-2

    OK, I applied the steps I missed.


    CounterSpy:


    Spyware Scan Details
    Start Date: 7/13/2006 8:26:45 PM
    End Date: 7/13/2006 8:42:49 PM
    Total Time: 16 mins 4 secs

    Detected spyware

    BHO.WStart Browser Plug-in more information...
    Status: Deleted

    Infected files detected
    c:\windows\system32\wstart.dll


    ABetterInternet Adware more information...
    Details: ABetterInternet shows advertisements based on the web pages you view and the web sites you visit.
    Status: Deleted

    Infected files detected
    c:\windows\susp.exe


    Bridge/WinFavorites Spyware more information...
    Details: Bridge monitors your Internet surfing activities. It can log keystrokes and sending them to a webserver online. Also is known to popup advertising.
    Status: Deleted

    Infected files detected
    c:\windows\system32\jao.dll


    Unclassified.Trojan.43 Trojan more information...
    Status: Deleted

    Infected files detected
    c:\windows\system32\txfdb32.dll


    Transponder.Pynix Spyware more information...
    Status: Deleted

    Infected files detected
    c:\windows\pynix.dll


    Xplugin Trojan Downloader more information...
    Details: Xplugin is an adware type program, which offers the application in which it is included at the only cost of viewing a series of adult advertisements.
    Status: Deleted

    Infected files detected
    c:\windows\system32\tcpservice2.exe


    BitDefender:


    BitDefender Online Scanner

    Scan report generated at: Thu, Jul 13, 2006 - 20:02:24
    Scan path: A:\;C:\;D:\;

    Statistics
    Time: 00:16:37
    Files: 160549
    Folders: 2567
    Boot Sectors: 2
    Archives: 722
    Packed Files: 10656

    Results
    Identified Viruses: 9
    Infected Files: 14
    Suspect Files: 0
    Warnings: 0
    Disinfected: 0
    Deleted Files: 14

    Engines Info
    Virus Definitions: 407702
    Engine build: AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
    Scan plugins: 13
    Archive plugins: 39
    Unpack plugins: 5
    E-mail plugins: 6
    System plugins: 1

    Scan Settings
    First Action: Disinfect
    Second Action: Delete
    Heuristics: Yes
    Enable Warnings: Yes
    Scanned Extensions: *;
    Exclude Extensions:
    Scan Emails: Yes
    Scan Archives: Yes
    Scan Packed: Yes
    Scan Files: Yes
    Scan Boot: Yes


    Scanned File - Status
    C:\System Volume Information\_restore{AAAEE216-D13A-46D5-A464-AC50721C2BB3}\RP171\A0052018.exe - Infected with: Trojan.FakeAlert.CL; Disinfection failed; Deleted
    C:\System Volume Information\_restore{AAAEE216-D13A-46D5-A464-AC50721C2BB3}\RP197\A0067758.exe - Infected with: Trojan.Downloader.Galapoper.A; Disinfection failed; Deleted
    C:\System Volume Information\_restore{AAAEE216-D13A-46D5-A464-AC50721C2BB3}\RP197\A0067759.exe - Infected with: Trojan.Downloader.Galapoper.A; Disinfection failed; Deleted
    C:\System Volume Information\_restore{AAAEE216-D13A-46D5-A464-AC50721C2BB3}\RP197\A0067761.exe - Infected with: GenPack:Trojan.Downloader.Galapoper.A; Disinfection failed; Deleted
    C:\System Volume Information\_restore{AAAEE216-D13A-46D5-A464-AC50721C2BB3}\RP197\A0067763.exe - Infected with: Trojan.Tibs.G; Disinfection failed; Deleted
    C:\WINDOWS\system32\adobepnl.dll - Infected with: Trojan.FakeAlert.CK; Disinfection failed; Deleted
    C:\WINDOWS\system32\cmxjdynf.exe - Infected with: Trojan.Downloader.VB.OY; Disinfection failed; Deleted
    C:\WINDOWS\system32\hsovrfdl.cnx - Infected with: Trojan.Clicker.Small.JS; Disinfection failed; Deleted
    C:\WINDOWS\system32\jlsxnlfi.gzy - Infected with: Trojan.Clicker.Small.AM; Disinfection failed; Deleted
    C:\WINDOWS\system32\parad.raw.exe - Infected with: Trojan.Proxy.Lager.AQ; Disinfection failed; Deleted
    C:\WINDOWS\system32\qfymjetd.lny - Infected with: Trojan.Clicker.Small.AM; Disinfection failed; Deleted
    C:\WINDOWS\system32\qjrkvy.exe - Infected with: Trojan.FakeAlert.CL; Disinfection failed; Deleted
    C:\WINDOWS\system32\ravuntha.exe - Infected with: Trojan.Downloader.VB.OY; Disinfection failed; Deleted
    C:\WINDOWS\system32\winflash.dll - Infected with: Trojan.FakeAlert.CL; Disinfection failed; Deleted


    I will attach my HijackThis log to this post,

    thanks for your help.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please remember that ALL LOGS must be attachments!

    And I repeat for the third time, you MUST install HijackThis exactly as instructed in step 7 of the READ ME. You are now running it from one of the other places we specify not to run it from:
    - do not run it from the zip file (that was how you ran it previously)
    - do not run it from your Desktop
    - do not run it from any subfolder of C:\Documents and Settings (which is what you are now doing)

    To avoid further delays in getting help to fix your problems, please follow the directions that we have taken the time to create for many reasons.

    However note that running the other tools appears to have fixed most of your problems. Your HJT log is clean. Just run Windows Explorer and delete the below files if they are found (make sure you have hidden and system file viewing enabled as per the READ ME):
    c:\windows\system32\runsrv32.exe
    c:\windows\system32\tcpservice2.exe
    c:\windows\system32\txfdb32.dll
    c:\windows\bg.gif
    c:\windows\BTGrab.dll
    c:\windows\dlmax.dll
    c:\windows\susp.exe
    C:\WINDOWS\system32\idaplhwt.exe
    C:\WINDOWS\system32\nzqqloac.exe
    C:\WINDOWS\system32\osvffueu.exe
    C:\WINDOWS\system32\phqghume.exe
    C:\WINDOWS\system32\qjrkvy.exe
    C:\WINDOWS\system32\tuvafgdc.exe
    C:\WINDOWS\system32\users32.exe
    C:\WINDOWS\system32\xplnzwyi.exe
    C:\WINDOWS\system32\zhopaizdupla.exe

    Use safe mode to delete them if you have a problem deleting them in normal boot mode.


    How are things working?
     
    Last edited: Jul 14, 2006
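    A scripted version of the file check above, added here as an example and not part of the original thread: it takes the same list of paths, reports which ones are present together with their attributes (hidden and system files are included, the equivalent of enabling hidden/system file viewing in Explorer), records a SHA-256 hash of each before anything is touched, and deletes only when run with -Delete. It assumes PowerShell 4 or newer for Get-FileHash; the report file name is an assumption.

```powershell
# Added example, not from the thread: check the paths listed in the post,
# report attributes and a hash, and delete only when -Delete is given.
param([switch]$Delete)

# Paths copied from the post above; adjust if your Windows folder differs.
$suspectPaths = @(
    'c:\windows\system32\runsrv32.exe',
    'c:\windows\system32\tcpservice2.exe',
    'c:\windows\system32\txfdb32.dll',
    'c:\windows\bg.gif',
    'c:\windows\BTGrab.dll',
    'c:\windows\dlmax.dll',
    'c:\windows\susp.exe',
    'C:\WINDOWS\system32\idaplhwt.exe',
    'C:\WINDOWS\system32\nzqqloac.exe',
    'C:\WINDOWS\system32\osvffueu.exe',
    'C:\WINDOWS\system32\phqghume.exe',
    'C:\WINDOWS\system32\qjrkvy.exe',
    'C:\WINDOWS\system32\tuvafgdc.exe',
    'C:\WINDOWS\system32\users32.exe',
    'C:\WINDOWS\system32\xplnzwyi.exe',
    'C:\WINDOWS\system32\zhopaizdupla.exe'
)

$report = foreach ($path in $suspectPaths) {
    # -Force makes hidden and system files visible to Get-Item, which is what
    # enabling hidden/system file viewing does for Explorer.
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        [pscustomobject]@{ Path = $path; Present = $false; Attributes = ''; SHA256 = ''; Action = 'not found' }
        continue
    }
    # Hash first so the file stays on record even after it is deleted.
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $action = 'found (report only)'
    if ($Delete) {
        try {
            Remove-Item -LiteralPath $path -Force -ErrorAction Stop
            $action = 'deleted'
        } catch {
            # A locked file is the usual cause; the post's advice applies: retry from safe mode.
            $action = "delete failed: $($_.Exception.Message) (retry from safe mode)"
        }
    }
    [pscustomobject]@{ Path = $path; Present = $true; Attributes = $item.Attributes.ToString(); SHA256 = $hash; Action = $action }
}

$report | Format-Table -AutoSize
# Assumed report location; attach this file to the thread if asked for it.
$report | Export-Csv -LiteralPath "$env:TEMP\suspect-files-report.csv" -NoTypeInformation
```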
  5. wes2323

    wes2323 Private E-2

    thanks for getting back to me.

    I still seem to have my Internet Explorer problem. I went into Control Panel and saw a program on there, "program updates". I've never seen it before. Maybe it came with one of the programs I downloaded to get rid of my spyware.

    Beyond that, some of those files showed up and were deleted.

    Are there any other resources I can use to detect spyware?

    thanks.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Let's dig in. There are four logs requested below. You will need to use 2 messages to attach the four logs because only 3 can be attached in a single message. Please make sure you attach them.

    Run this: Running Ewido Anti-Malware, and attach the Ewido log afterwards.



    Please download ProcessExplorer
    • Unzip it to its own folder somewhere you can locate it.
    • Now run procexp.exe by double clicking on it.
    • Let's configure some options first:
      • Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked.
      • Now click on iexplore.exe.
      • Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
    • Now click on File and then Save As. And save the process list.
    • Post it back here as an attachment.
    Now run the below procedure and attach the runkeys.txt log.
    Now run the below procedure and attach the newfiles.txt log.
     
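    The Process Explorer steps above as a script, added here as an example and not part of the original thread or of Process Explorer itself: it lists every running iexplore.exe with its image path and the DLLs loaded into it (what the "Image Path" column and the DLL lower pane show), flags modules loaded from outside the Windows and Program Files trees for a closer look, and saves the result as a text file you can attach. Run it from an elevated PowerShell so module lists are readable; the output file name is an assumption.

```powershell
# Added example, not from the thread: dump iexplore.exe image paths and loaded
# DLLs to a text file, the scripted form of the Process Explorer procedure.
$outFile = Join-Path $env:USERPROFILE 'iexplore-modules.txt'   # assumed location

$procs = Get-Process -Name iexplore -ErrorAction SilentlyContinue
if (-not $procs) {
    'no iexplore.exe process is running; open Internet Explorer first, then rerun' |
        Set-Content -LiteralPath $outFile
    return
}

$lines = foreach ($p in $procs) {
    "PID $($p.Id)  Image Path: $($p.Path)"
    # Every loaded module with its on-disk path, like the DLL lower pane.
    foreach ($m in $p.Modules) {
        "    $($m.ModuleName)  $($m.FileName)"
    }
    # Modules living outside the Windows or Program Files trees are the ones
    # worth a second look; they are flagged, not judged, here. -notmatch is
    # case-insensitive, so C:\Windows and C:\WINDOWS both pass.
    $unusual = $p.Modules | Where-Object {
        $_.FileName -notmatch '^[A-Za-z]:\\(WINDOWS|Program Files)'
    }
    foreach ($m in $unusual) {
        "    ** loaded from an unusual location: $($m.FileName)"
    }
    ''
}

$lines | Set-Content -LiteralPath $outFile
"saved process/module list to $outFile"
```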
