PLEASE HELP! *SERIOUS* Adware/Trojan problem! I am helpless :(

Discussion in 'Malware Help (A Specialist Will Reply)' started by maria21xox, Apr 17, 2005.

  1. maria21xox

    maria21xox Guest

    Okay, let me paint the scenario that I have been going through since 10 AM this morning. I went to a website, did not download anything, and then all of a sudden I had about 10 icons on my desktop about poker, bargains and what not. I immediately knew it was spyware, so I downloaded Norton AntiVirus and ran a full system check, where it found Trojan.Alwaysup. It said that it deleted it; however, every time I try to play something on Windows Media Player the AlwaysUpdatedNews ad pops up. :rolleyes:

    I then downloaded Ad-Aware, which supposedly deleted over 801 infected files. But somehow I still manage to receive pop-ups. I then replaced my hosts file to block TONS of ad servers from popping up on my computer. Basically I want to restore my system, but unfortunately it gives me the message "Cannot normally execute the initial setting of partition information."

    All I want is to rid my computer of this mess so I can perform a full system restore on my C drive. Please help. I have gone through countless tutorials on how to manually "remove" programs like cashback.exe, DLMax, Pynix, SAHAgent, and farmmext.exe - which were all installed on my computer today. They say that they are deleted, yet I *STILL* receive pop-ups. And still certain files will not open (like my WMP) - and there is one file under a "DrTemp" folder that I cannot delete because it says it is in use. It is called "bho_prob.exe".

    I also got a warning from my Norton program that gave me a security alert about an "Internet Protection Worm" and how someone was trying to access my computer. Not to mention weird .txt files popping up that have logs inside of them... it's really freaking me out. My computer is royally screwed, and I am sooooooo drained! I am so fed up and just helpless. PLEASE shed some light and tell me I can remove all of this and be able to restore my PC!

    Completely frustrated,
    Maria
     
  2. SGC_Geek

    SGC_Geek Private First Class

    The folks here will help you get through this. However, you will be required to go through their tutorial:

    One thing you will need to do is disable your System Restore. The tutorial will cover this.

    Please post your results after going through the tutorial. The tutorial gives everyone here a baseline. Plus, they know what has and has not been done for certain.
     
  3. maria21xox

    maria21xox Guest

    Okay I followed that WHOLE tutorial. I am ready to toss this computer OUT OF MY WINDOW! :(

    Let me tell you what happened:

    I first ran Trend Micro's online scan, where it found 3 infected files:
    2 named TROJ SMALL.AGT (Non-Cleanable)
    and 1 TROJ WINTOOL.EXE (Non-Cleanable)

    So, I just deleted them.

    Then I ran Symantec Security and did a Security Scan; it said everything was safe. I then ran the virus detection scan and it gave me this log file:

    C:\WINDOWS\Temp\DrTemp\bho_prob.exe is infected with Adware.BetterInternet
    C:\WINDOWS\system32\elitedme32.exe is infected with Adware.EliteBar
    C:\WINDOWS\system32\elitefeg32.exe is infected with Adware.EliteBar
    C:\WINDOWS\system32\elitevdp32.exe is infected with Adware.EliteBar
    C:\WINDOWS\system32\elitexut32.exe is infected with Adware.EliteBar
    C:\WINDOWS\system32\elitexxe32.exe is infected with Adware.EliteBar
    C:\WINDOWS\system32\eliteztc32.exe is infected with Adware.EliteBar
    C:\WINDOWS\system32\lsp.dll is infected with Adware.SAHAgent
    C:\WINDOWS\system32\SahAgent.exe is infected with Adware.SAHAgent
    C:\WINDOWS\system32\SahHtml.exe is infected with Adware.SAHAgent
    C:\WINDOWS\system32\nytkvwam\makw.exe is infected with Adware.ZioCom.B
    C:\RECYCLER\S-1-5-21-602162358-308236825-1801674531-500\Dc1.dll is infected with Adware.BetterInternet
    C:\RECYCLER\S-1-5-21-602162358-308236825-1801674531-500\Dc335.exe is infected with Adware.SAHAgent
    C:\RECYCLER\S-1-5-21-602162358-308236825-1801674531-500\Dc336.exe is infected with Adware.SAHAgent
    C:\RECYCLER\S-1-5-21-602162358-308236825-1801674531-500\Dc337.exe is infected with Adware.SAHAgent
    C:\RECYCLER\S-1-5-21-602162358-308236825-1801674531-500\Dc342.dll is infected with Adware.SAHAgent
    C:\RECYCLER\S-1-5-21-602162358-308236825-1801674531-500\Dc346.dll is infected with Adware.SAHAgent
    C:\RECYCLER\S-1-5-21-602162358-308236825-1801674531-500\Dc351.exe is infected with Adware.SAHAgent
    C:\RECYCLER\S-1-5-21-602162358-308236825-1801674531-500\Dc334\EliteToolBar version 60.dll is infected with Adware.EliteBar
    C:\RECYCLER\S-1-5-21-602162358-308236825-1801674531-500\Dc327\bin\bargains.exe is infected with Adware.BargainBuddy
    C:\RECYCLER\S-1-5-21-602162358-308236825-1801674531-500\Dc310\bho_prob.exe is infected with Adware.BetterInternet


    I then ran the McAfee AVERT Stinger - and it found none.

    Then I ran Ad-Aware and it found 7 objects but somehow removed 12 of 14 (2 of which could not be removed - they gave me the file names of certain registry keys under Classes/CLSID, but both file names did not exist??? I have no idea how they got the names).

    Then I ran Spybot - it found 43 problems but only fixed 41; it said it would remove the other two if they were in use when I restarted the next time. It never did.

    Then I ran CWShredder and found nothing. Then I ran Kill2me, and again found nothing. I then tried about:Buster, and found nothing. And then I used HSR and found 12, which were all removed.

    That was all done in safe mode with System Restore turned off; I have Windows XP. So, I then restarted my computer and went back into Normal Mode. And guess what?!?! All my lovely little adware programs were back. Cashback, NaviSearch, The Bullseye Network.... no matter how many programs I run to delete them. No matter if I manually delete them from the registry, from safe mode...they just...KEEP...COMING... BACK!!! And on top of everything, I am still getting pop-ups GALORE. I am ready to just break my computer. I have been working on it since 10 AM and I am burned OUT! :(

    I appreciate your help but is there any hope left for me? I am just a wreck right now! Please help.

    Maria
     
  4. maria21xox

    maria21xox Guest

    I have also noticed the HijackThis program that people use. I can make an HJT file if needed. Just please help. I need to get my computer cured by morning!
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Empty your Recycle Bin. This should have been done by CCleaner, which should have been run during the READ ME FIRST steps.

    Did Symantec delete any of those files? You need to delete all of them from safe mode if it did not delete them.

    Follow the steps below to post a HijackThis log.
    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  6. maria21xox

    maria21xox Guest

    I got an access denied, for the bho_prob.exe so I cannot delete it, even in safe mode.

    All the files that began with "elite" in the system32 folder are already gone

    the SAHagent files are gone too

    and I cleared out my Recycle Bin. Also, I don't know if this will help analyze my situation, but I am also getting redirected to a terp17.com every time I click on a webpage...

    Here is my attachment for HJT.
     
    Last edited by a moderator: Dec 5, 2007
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your OS and IE version are way out of date and represent a major security risk to you. When we finish fixing your current problems you MUST get your system updated to help reduce the risk of continued problems like this.

    Are the below StartPage settings valid:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neopets.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neopets.com/

    Is this Clock G2 application valid? Are you sure?
    C:\Program Files\Clock G2\Clock G2.exe

    You may not have found all of the elitexxxx.exe files yet as shown in your HJT log.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please Print this out or save these instructions to a Notepad file and save it to your Desktop or someplace you can locate it to follow along with after rebooting to safe mode.
    RESTART your Computer in SAFE MODE.

    Click START>>>RUN>>>type in services.msc and hit Enter
    In the next window, look on the right hand side for the below service name

    aurmbnno

    Double click on it and then STOP the service. In the drop down menu, change the startup type to Disabled. Now use Windows Explorer to find and delete this file: C:\WINDOWS\System32\bnno\aurm.exe

    Now repeat the above for the below two services and filenames:
    Service >>> ifnnoffhstsuh
    Filename >>> C:\WINDOWS\System32\hstsuh\ifnnoff.exe

    Service >>> makwnytkvwam
    Filename >>> C:\WINDOWS\System32\nytkvwam\makw.exe


    Stay in safe mode and run HijackThis, then click on the "Open the Misc Tools Section" button on the open page. Then select "Delete an NT service" on the left-hand side. A "Delete a Windows NT Service" window will pop up. Try entering the following into the box and then click OK:

    aurmbnno

    Then repeat the Delete an NT Service steps with the below two services:

    ifnnoffhstsuh
    makwnytkvwam

    Now exit HijackThis and then re-run it again as follows. Run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\KEXDDLL.EXE
    C:\WINDOWS\BWKMENC.EXE
    C:\WINDOWS\System32\bnno\aurm.exe
    C:\WINDOWS\System32\nytkvwam\makw.exe

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 216.39.69.102 view.atdmt.com

    The next line is from Sony Vaio but is considered spyware. It is up to you whether to fix this one or not:
    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs

    O4 - HKLM\..\Run: [KEXDDLL] C:\WINDOWS\KEXDDLL.EXE
    O4 - HKLM\..\Run: [BWKMENC] C:\WINDOWS\BWKMENC.EXE
    O4 - HKLM\..\Run: [ifnnoff] C:\WINDOWS\System32\hstsuh\ifnnoff.exe
    O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
    O4 - HKLM\..\Run: [makw] C:\WINDOWS\System32\nytkvwam\makw.exe
    O4 - HKLM\..\Run: [qglgysix] C:\WINDOWS\System32\ujcfc\qglgysix.exe
    O4 - HKLM\..\Run: [aurm] C:\WINDOWS\System32\bnno\aurm.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitexxe32.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O23 - Service: aurmbnno - Unknown owner - C:\WINDOWS\System32\bnno\aurm.exe
    O23 - Service: ifnnoffhstsuh - Unknown owner - C:\WINDOWS\System32\hstsuh\ifnnoff.exe
    O23 - Service: makwnytkvwam - Unknown owner - C:\WINDOWS\System32\nytkvwam\makw.exe

    After clicking Fix, exit HJT.
    Run Windows Explorer to delete:
    C:\WINDOWS\KEXDDLL.EXE
    C:\WINDOWS\BWKMENC.EXE
    C:\WINDOWS\System32\hstsuh\ifnnoff.exe <--- double checking
    C:\WINDOWS\cfgmgr51.dll
    C:\WINDOWS\System32\nytkvwam\makw.exe <--- double checking
    C:\WINDOWS\System32\ujcfc\qglgysix.exe
    C:\WINDOWS\System32\bnno\aurm.exe <--- double checking
    C:\windows\system32\elitexxe32.exe <--- also look for and delete other files beginning with elite and ending with exe. There could be as many as ten more.

    Now run CCleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  8. maria21xox

    maria21xox Guest

    Well, I did everything you stated. And I am still receiving pop-ups BIG TIME! :(

    sigh... what do I do??? Here is the HJT after rebooting in Normal Mode and following every step.
     
    Last edited by a moderator: Dec 5, 2007
  9. maria21xox

    maria21xox Guest

    Also, every time I want to play something on Windows Media I have something called "AlwaysUpdatedNews" pop up. I know it's a trojan but I thought I fixed this already... why does this always keep coming back? :(
     
  10. maria21xox

    maria21xox Guest

    Is anyone out there? I am online right now. I'd love to get some feedback :( My computer is a royal mess!
     
  11. SGC_Geek

    SGC_Geek Private First Class

    Have some patience. Chaslang will get to it.
     
  12. SGC_Geek

    SGC_Geek Private First Class

    The HJT log you posted was after performing all the steps Chaslang suggested? Some entries that should be gone are still there.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to provide some feedback on all the steps. Were you able to do everything I requested? Did you locate the services and actually stop and disable them? Your current log shows an increase in malware which typically occurs when a fix is not followed completely or properly.

    What happened while running the previous procedure?

    Below is the current set of problem processes and registry entries you now have.
    C:\WINDOWS\System32\yswmm\vtisx.exe
    C:\WINDOWS\System32\dbufy\dogawio.exe
    C:\WINDOWS\System32\dbufy\dogawio.exe
    C:\WINDOWS\System32\dbufy\dogawio.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\yswmm\vtisx.exe
    C:\WINDOWS\System32\yswmm\vtisx.exe

    R3 - Default URLSearchHook is missing
    O1 - Hosts: 216.39.69.102 view.atdmt.com
    O4 - HKLM\..\Run: [ewcndtbg] C:\WINDOWS\System32\jirul\ewcndtbg.exe
    O4 - HKLM\..\Run: [ichgv] C:\WINDOWS\System32\edsaehpw\ichgv.exe
    O4 - HKLM\..\Run: [rnmkf] C:\WINDOWS\System32\gvfgrhxm\rnmkf.exe
    O4 - HKLM\..\Run: [lkvccgp] C:\WINDOWS\System32\lfmio\lkvccgp.exe
    O4 - HKLM\..\Run: [gtefv] C:\WINDOWS\System32\wfamrknv\gtefv.exe
    O4 - HKLM\..\Run: [vtisx] C:\WINDOWS\System32\yswmm\vtisx.exe
    O4 - HKLM\..\Run: [spjsandc] C:\WINDOWS\System32\ikpfpgfs\spjsandc.exe
    O4 - HKLM\..\Run: [pxtjptb] C:\WINDOWS\System32\egxftp\pxtjptb.exe
    O4 - HKLM\..\Run: [dogawio] C:\WINDOWS\System32\dbufy\dogawio.exe
    O23 - Service: dogawiodbufy - Unknown owner - C:\WINDOWS\System32\dbufy\dogawio.exe
    O23 - Service: lkvccgplfmio - Unknown owner - C:\WINDOWS\System32\lfmio\lkvccgp.exe
    O23 - Service: rnmkfgvfgrhxm - Unknown owner - C:\WINDOWS\System32\gvfgrhxm\rnmkf.exe
    O23 - Service: vtisxyswmm - Unknown owner - C:\WINDOWS\System32\yswmm\vtisx.exe

    Can you locate these O23 lines Services and stop and then disable them?
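As an added defender-side illustration (not code from this thread, from HijackThis, or from chaslang), the two fix lists above share one pattern: each rogue O23 service has an unknown owner, its binary sits in a short random-named subfolder directly under System32, its service name is the exe name followed by the folder name (aurm + bnno = aurmbnno, dogawio + dbufy = dogawiodbufy), and the same binary is usually also registered as an O4 Run entry. The script below parses constructed O4/O23 lines modelled on those quoted in the thread and flags entries matching that pattern; the regexes and the "short all-letters subfolder" heuristic are my assumptions, not HijackThis logic.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the HijackThis O4/O23 lines quoted in this thread
# (not a real log; the Themes line is a benign control entry).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [aurm] C:\WINDOWS\System32\bnno\aurm.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O23 - Service: aurmbnno - Unknown owner - C:\WINDOWS\System32\bnno\aurm.exe
O23 - Service: dogawiodbufy - Unknown owner - C:\WINDOWS\System32\dbufy\dogawio.exe
O23 - Service: Themes - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
"""

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>\S+) - (?P<owner>.+?) - (?P<path>.+)$")
# Assumed heuristic: an exe in a short all-letters subfolder directly under
# System32, e.g. System32\bnno\aurm.exe, as every rogue service in the thread is.
SYS32_SUBDIR_RE = re.compile(
    r"^c:\\windows\\system32\\(?P<dir>[a-z]+)\\(?P<exe>[a-z]+)\.exe$", re.I)

def find_suspicious(log_text):
    """Return {lower-cased binary path: [reasons]} for entries matching the pattern."""
    findings = defaultdict(list)
    run_paths = {}  # lower-cased command -> Run entry name, for O4/O23 cross-reference
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            cmd = m.group("cmd")
            run_paths[cmd.lower()] = m.group("name")
            if SYS32_SUBDIR_RE.match(cmd):
                findings[cmd.lower()].append("Run entry launches from random System32 subfolder")
            continue
        m = O23_RE.match(line.strip())
        if not m:
            continue
        path, svc = m.group("path"), m.group("svc")
        sub = SYS32_SUBDIR_RE.match(path)
        if m.group("owner") == "Unknown owner" and sub:
            findings[path.lower()].append("service with unknown owner in System32 subfolder")
            # Service name formed as <exe><folder>, e.g. aurm + bnno -> aurmbnno
            if svc.lower() == (sub.group("exe") + sub.group("dir")).lower():
                findings[path.lower()].append("service name is exe name + folder name")
        if path.lower() in run_paths:
            findings[path.lower()].append(
                "same binary also registered as Run entry [%s]" % run_paths[path.lower()])
    return dict(findings)

if __name__ == "__main__":
    for path, reasons in sorted(find_suspicious(SAMPLE_LOG).items()):
        print(path, "->", "; ".join(reasons))
```

Run against a real HJT log, the output is a short list of binaries to stop, disable and delete in the order chaslang gives, rather than a prompt to act on its own.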
     
