persistent trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by traditionaliq, Apr 25, 2005.

  1. traditionaliq

    traditionaliq Private E-2

    Hello. I need to bother someone in regards to eliminating what appears to be a trojan. I have followed your tutorial first to try and remove this. Symantec continues to find threats and quarantines them. When I log onto IE bookmarks are added to my favorites. (I believe my homepage would change if it wasn't disabled in the registry) Also, some of the desktop icons do not work when double-clicked, which causes an error with DrWatson. I have run all the spyware I can find with no relief. Any help would be greatly appreciated! I think I read that I'm not supposed to post running processes until told to. I have downloaded HijackThis. I am running XP. Thank you!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you ran ALL of the READ ME FIRST, follow the steps below.

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. traditionaliq

    traditionaliq Private E-2

    chaslang, thanks......
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What you have is an HSA hijacker.


    Make sure you have both about:Buster and HSremove downloaded from the READ ME FIRST. And make sure you have UPDATED the database for about:buster. I believe it is up to number 26.

    You need to print or save these instructions locally because after reading this sentence you will need to physically unplug your connection from your cable, ADSL, or dial-up modem to your PC and then you MUST exit all browsers and DO NOT run any again until requested.

    Okay, unplug your internet connection and exit browsers now!!!!

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.

    C:\WINDOWS\system32\d3ty.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (DO NOT OPEN ANOTHER BROWSER UNTIL AFTER POWER DOWN AND POWER UP, see below):
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gyhhp.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gyhhp.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gyhhp.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gyhhp.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gyhhp.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {B8533801-522C-4A69-BB3F-F576785D699F} - C:\WINDOWS\system32\ippw.dll
    O4 - HKLM\..\Run: [d3ty.exe] C:\WINDOWS\system32\d3ty.exe

    Then exit HJT after clicking FIX

    Run Windows Explorer and look for and try to delete (sort the listing in Windows Explorer by Modification dates and look for possibly other similarly named files from the same date - let me know if you find others):
    C:\WINDOWS\system32\gyhhp.dll
    C:\WINDOWS\system32\ippw.dll
    C:\WINDOWS\system32\d3ty.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. If you cannot find or delete them, note which ones and continue (tell me the results when you come back here).

    - Run about:Buster and save the log to ab1.log (make sure you let it do the second scan).

    - NOW PULL THE POWER PLUG TO YOUR PC! Yes, you read that correctly. This is very important! I do not want you to power down the normal way.

    - After that wait a minute or two and then power up into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

    - After booting in safe mode try to delete any files that you could not delete in the above deletion step (if necessary).

    - Empty your Recycle Bin and delete all files in the c:\windows\prefetch folder. In fact as an additional measure do the following, run Ccleaner that you installed while running the READ ME FIRST.

    - Run HSremove and then run about:Buster again and save the log to ab2.log (let it do second scan)!

    - Immediately after about:buster completes, reboot in normal mode. (You do not need to pull the power plug here. Just reboot.)

    - Plug your cable to the internet back in now.

    - Open and close a couple of IE sessions and then with IE closed get a new HJT log.

    - Now come back here and post both about:Buster logs and the new HJT log. And tell me what happened during the procedure.

    Let me know anything else that you notice.
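    As an added example (not from the thread, and not HijackThis's own logic), this Python triage applies the reasoning chaslang used on the log above: it flags R0/R1 IE settings that point at a res:// resource inside a local DLL, the R3 missing URLSearchHook, a "(no name)" O2 BHO loaded from system32, and an O4 Run value whose name is just its own system32 executable, then collects the file paths to review. The input is the log quoted above plus one constructed benign O4 line for contrast; the heuristics are assumptions for illustration, not a vendor rule set.

```python
import re
# HJT entries quoted in the post above, plus one constructed benign O4 line for contrast.
HJT_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gyhhp.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gyhhp.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gyhhp.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gyhhp.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gyhhp.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {B8533801-522C-4A69-BB3F-F576785D699F} - C:\WINDOWS\system32\ippw.dll
O4 - HKLM\..\Run: [d3ty.exe] C:\WINDOWS\system32\d3ty.exe
O4 - HKLM\..\Run: [Example Vendor Monitor] C:\PROGRA~1\EXAMPLE\Monitor.exe
"""

ENTRY = re.compile(r"^(R[0-3]|O\d+) - (.*)$")                     # "R1 - body", "O4 - body"
RES_DLL = re.compile(r"res://([A-Za-z]:\\[^/#\s]+\.dll)", re.I)    # res:// page served from a local DLL
SYS32_FILE = re.compile(r"([A-Za-z]:\\WINDOWS\\system32\\[^\\\s]+\.(?:dll|exe))", re.I)
RUN_ENTRY = re.compile(r"Run: \[(?P<name>[^\]]+)\] (?P<path>.+)$")

def triage(log_text):
    """Return (flagged_entries, files_to_review); heuristics follow the thread, not HJT."""
    flagged, files = [], set()
    entries = [ENTRY.match(l.strip()) for l in log_text.strip().splitlines()]
    for m in filter(None, entries):
        sect, body = m.groups()
        reason, path = None, None
        if sect in ("R0", "R1"):
            hit = RES_DLL.search(body)
            if hit:  # start/search page hijacked to a DLL resource (the sp.html pattern above)
                reason, path = "IE setting points at res:// DLL", hit.group(1)
        elif sect == "R3" and "is missing" in body:
            reason = "URLSearchHook removed"        # collateral of the hijack; restored in the fix
        elif sect == "O2" and "(no name)" in body:
            hit = SYS32_FILE.search(body)
            if hit:  # unnamed browser helper object loaded straight from system32
                reason, path = "nameless BHO loaded from system32", hit.group(1)
        elif sect == "O4":
            run = RUN_ENTRY.search(body)
            if run:
                path = run.group("path").strip()
                exe = path.rsplit("\\", 1)[-1]
                # heuristic: legit software names its Run value; droppers reuse the bare exe name
                if SYS32_FILE.fullmatch(path) and run.group("name").lower() == exe.lower():
                    reason = "Run value named after its own system32 executable"
        if reason:
            flagged.append((sect, reason, body))
            if path:
                files.add(path)
    return flagged, sorted(files, key=str.lower)
```

The returned file list is exactly the three files the post asks to delete; the about:blank and vendor-style Run entries are left unflagged.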
     
  5. traditionaliq

    traditionaliq Private E-2

    You're the best! Appears to be fixed. You said to let you know of any questionable files. When I went into c:\windows\system32 to delete the three files there were a bunch of others that were in the location of the d3ty and of similar name:
    (c:\windows\system32\d3sec32, c:\windows\system32\d3et32, c:\windows\system32\d3fd, c:\windows\system32\d3hy32, c:\windows\system32\d3ii, c:\windows\system32\d3il32, c:\windows\system32\d3jd, c:\windows\system32\d3jj32, c:\windows\system32\d3ka32, c:\windows\system32\d3kl, c:\windows\system32\d3lz32, c:\windows\system32\d3or, c:\windows\system32\d3rh32, c:\windows\system32\d3sv32, c:\windows\system32\d3tv, c:\windows\system32\d3tw32, c:\windows\system32\d3uj32, c:\windows\system32\d3we, c:\windows\system32\d3xv32)
    I left them alone and still have no problems. Also, I did not find the c:\windows\system32\ippw.dll in normal or safe modes.

    Other than that all went great according to your directions. Please find the logs attached and thanks again!
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds to me like you did not follow step 3 of the READ ME FIRST properly. I would bet that you are hiding extensions for known file types. You are supposed to uncheck that. Do that and then tell me what those file names above really are (they could be .exe, .dat, .ini, .txt). They are all likely to be part of the infection. I bet their file dates are fairly new too. Also, now maybe you will find ippw.dll.
     
