Need Help With Trojan

I have followed all of the steps, could someone please look over my logs.
I could not find where to copy the files with Counter Spy But i wrote it down.

Counter Spy
1) Trojan.syddldg.4EBA5B48
C:\windows\system32\yayvspm.dll
2) Hocus
C:\Documents and Settings\Administrator\Local Settings\A

 

Welcome to MajorGeeks.com, please follow our standard cleaning procedures:

http://www.majorgeeks.com/images/grenade.gif Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

• Make sure you check version numbers and get all updates.

http://www.majorgeeks.com/images/grenade.gif Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

http://www.majorgeeks.com/images/grenade.gifAfter doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

http://www.majorgeeks.com/images/grenade.gif Downloading, Installing, and Running HijackThis

• Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around..

http://www.majorgeeks.com/images/grenade.gifWhen you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:

• CounterSpy
• AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
• Bitdefender - from step 6
• Panda Scan - from step 6
• runkeys.txt - the log from GetRunKey.bat
• newfiles.txt - the log from ShowNew.bat
• HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

 

I did follow all of the steps but something is still redirecting me when i try to search. Here are the other Logs. Thanks

 

New to this so work with me. I was not sure that you got my last post so please review when you can.

 

Please see the below thread on how to install and run Ewido Anti-Malware.

• Running Ewido Anti-Malware...

 

I ran Ewido Here is the report. I also ran Counter Spy again and it is still finding -Trojan.syddldg.4eba5b48trojan. Seem like it has something to do with the yayvspm.dll. Whats next confused

Thanks in Advance!

 

Ok, here it is!

 

chaslang, just to let you know i also have a bug that create random words when i create a new folder.

 

Please download HOSTER and then follow the below steps.

• Unzip HOSTER to a convenient folder such as C:\Hoster

• Run Hoster.exe, click Restore Microsoft's Hosts File and then click OK.

• Click the X to exit the program.

Once you complete this, attach a fresh HJT log.

 

No, I didn't, I briefly galnced thru the logs as I didn't have the time to do a full fix.

 

I ran Hoster, here is the new HJT Log.

Thanks!

 

Download Pocket KillBox

• Save it to your desktop or a place easy to find.
• Do not run it yet

Please look in Add/Remove Programs for the following and uninstall them if found:

Spybot - Search & Destroy 1.3

Java 2 Runtime Environment, SE v1.4.2_06

Now scan with HijackThis and check the boxes for the following entries:
( Make sure ALL browser windows are closed when you click FIX )

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search /search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {59CD7310-98A4-48BF-BE77-C12032C98D31} - C:\WINDOWS\system32\yayvspm.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - (no file)
O2 - BHO: (no name) - {7FE6296B-2824-435E-88C1-15B5A394D5F8} - C:\WINDOWS\system32\pmnnn.dll

O4 - HKLM\..\Run: [{4AA3331E-04E1-1033-1215-031101040001}] "C:\Program Files\Common Files\{4AA3331E-04E1-1033-1215-031101040001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [{4AA3331E-04E2-1033-1215-031101040001}] "C:\Program Files\Common Files\{4AA3331E-04E2-1033-1215-031101040001}\Update.exe" mc-110-12-0000272

O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} -

O20 - Winlogon Notify: pmnnn - C:\WINDOWS\system32\pmnnn.dll
O20 - Winlogon Notify: yayvspm - C:\WINDOWS\SYSTEM32\yayvspm.dll

O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)

Again, make sure ALL browser windows are closed when you click FIX.

• Now Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
• On the page that opens, scroll down to COM+ Messages
• Then right click the entry, select Properties and press Stop Service.
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
• Click OK until you get back to Windows.

• Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
• At the lower right, click on the Config button
• Then click the Misc tools button
• Select Delete an NT Service
• Copy/pasteCOM+ Messages into the box that opens, and press OK
• If you receive any error messages just ignore them and continue.
• Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

C:\Program Files\Common Files\{3AA3331E-04E2-1033-1215-031101040001} ← Delete this whole folder if it exist!

Next, run CCleaner to clean up cookies and temp files.

Locate PocketKillbox
(Procede with this step even if they do not show in blue)

Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

• If you get an error message about Pending Operations, just reboot your computer manually.

After you complete the above, REBOOT and proceed with the rest of this fix...

Next Reset Web Settings & Default Security Settings

To Reset Web Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK

To Default Security Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

Note for IE 7 users:
Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.



Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:

• Disable and Re-enable System Restore
  
  
• Turn OFF System Restore to flush any bad Restore Points.
  
  
• Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.

After you complete the above reboot once more and then scan with HijackThis and attach the new log.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

 

Still getting redirected while surfing and when i create a "new folder" the folder is still being created with random words.

Again Thanks!

 

First, let's uninstall ewido anti-spyware 4.0 and CounterSpy.

Let's start by downloading two tools we will need

- Process Explorer 10.21

- Pocket KillBox

Extract them to there own folder somewhere that you will be able to locate them later.

Reboot in Safe Mode (do not open any other processes)

- Run Process Explorer

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of [byayvspm.dll & pmnnn.dll[/b] once and then click the kill button. After you have killed all of the yayvspm.dll & pmnnn.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

Next double click on explorer.exe and again click once on each instance of yayvspm.dll & pmnnn.dll and kill it.

Now just exit Process Explorer.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {59CD7310-98A4-48BF-BE77-C12032C98D31} - C:\WINDOWS\system32\yayvspm.dll
O2 - BHO: (no name) - {BF928F45-3465-407C-9BC0-9554E84CC0AE} - C:\WINDOWS\system32\pmnnn.dll

O15 - Trusted Zone: http://www.iwon.com

O16 - DPF: {21C6245C-9408-11D7-BF3B-00E09876DF26} (WebTrain.ctlWebTrain) - http://www.webtrain.com/cabinet/wt0223.cab

O20 - Winlogon Notify: pmnnn - C:\WINDOWS\system32\pmnnn.dll
O20 - Winlogon Notify: yayvspm - C:\WINDOWS\SYSTEM32\yayvspm.dll

Now run Pocket Killbox:
Choose Tools > Delete Temp Files and click OK.

Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.

C:\WINDOWS\SYSTEM32\mpsvyay.ini
C:\WINDOWS\SYSTEM32\mpsvyay.ini2
C:\WINDOWS\SYSTEM32\mpsvyay.bak
C:\WINDOWS\SYSTEM32\mpsvyay.bak1
C:\WINDOWS\SYSTEM32\mpsvyay.bak2
C:\WINDOWS\SYSTEM32\mpsvyay.tmp
C:\WINDOWS\system32\mpsvyay.dll

C:\WINDOWS\SYSTEM32\mpsvyay.ini
C:\WINDOWS\SYSTEM32\mpsvyay.ini2
C:\WINDOWS\SYSTEM32\mpsvyay.bak
C:\WINDOWS\SYSTEM32\mpsvyay.bak1
C:\WINDOWS\SYSTEM32\mpsvyay.bak2
C:\WINDOWS\SYSTEM32\mpsvyay.tmp
C:\WINDOWS\system32\yayvspm.dll

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

After reboot post a new HJT log.

 

I got redirected while i was trying to post :cry . Here is the log

 

I posted the log, are we out of options or is there still hope?

 

I went back and ran Process Explorer, I did make a mistake the first time......sorry! It look like it ran fine this time. Here are the logs, tell me what you think.

Thanks!

 

When i post a HJT log i am in normal mode. I click the "do a system scan and save a logfile" after that i click on the problems, then click fix and then i close HJT.

When following you new directions: when i get to the SymWMI Service it is already stopped and disiabled. When i go to HJT and get to where i need to put in SymWSC to delete it i get " The service you entered is system-critical! It can't be deleted......?????

I want to get this right!

 

There wasn't anything to delete in HJT. The two files that you mentioned that might have been in Regedit was not there. When i ran Killbox i saw all of the .dll's that you put in your post and i did delete them but i also saw nnnmp.bak1 and nnnmp.bak2 and was not sure if i should delete them so i didn't. I didn't recieve a PendingFileRenameOperations prompt.

Thanks!

 

Hey chaslang I think that my computer is fixed, I just wanted to tell you guys THANKS! very much for your time.