Please HELP! Trojans, hijackers, rogue anti-spyware...

Discussion in 'Malware Help (A Specialist Will Reply)' started by brunobru, Apr 1, 2009.

  1. brunobru

    brunobru Private E-2

    Hello Majorgeeks!...I really need some help with my sister’s computer. The pc couldn’t perform Windows Update, nor NAV 2009 updates; startup was extremely slow, and internet and basic computer functions were grindingly slow. She said popups were an issue. I did all the read me run me first and all kinds of problems were found with the scans. IE8 was hijacked, webpages hooked, Google homepage and desktop manager were hijacked, loads of Trojans, worms, Hosts file was hijacked and redirected, etc.
    So I’ve spent hours and hours (and hours) doing a lot of cleaning up, but I can’t get to the Norton AV quarantine to delete lots of infections that were quarantined from several months ago, which leads me to believe it’s been affected too. I don’t know if the Windows firewall is active…it says it is in the security center but I don’t trust it. There were a few Trojans I couldn’t get rid of (at least I read at bleepingcomputer they were Trojans) and there were probably more. Windows still cannot update, nor the AV.

    BTW, she has only one antivirus program (NAV) but you’ll see Panda because of online scans. And she is using only Windows firewall which we are going to change to Zone Alarm when the pc is clean.
    Panda ActiveScan found adware/24-7-search, Spyware/PeoplePC, and Trojans Bck/Radmin.AN and Trj/Banker.LNO that they supposedly fixed. Spybot Search & Destroy found 94 (WildTangent, Tinybar, MyWay.MyWebSearch, Virtumonde). HJT showed a rogue anti-spyware program, Ask Toolbar and more Trojans. I was able to fix a lot of the problems, but not all.

    I would really appreciate some help with this, so thank you so much in advance!
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We are running about two to three days behind. MA asked that we look at your situation. You did a good job of cleaning the system, but there are a few items to deal with still.

    Run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Now download and install:
    Java Runtime 6

    Now use windows explorer to find and delete:
    c:\windows\Tasks\lwgrstrp.job
    c:\windows\system32\xxyayYrP.dll
    C:\WINDOWS\8272TYWD.INI

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There are currently still about 47 threads older than her first post time which is why she was not getting answered and still really should not have been. Obviously the 2nd msg (the one you soft deleted Tim) would have bumped her and caused additional delay but that is what happens when you don't read the notices about not bumping.
     
  4. brunobru

    brunobru Private E-2

    Hi Tim and many, many Thanks for your response. :):):)

    Sorry about the confusion...I thought something was wrong, chaslang...not trying to get out of turn:-o. I don't know why my 2nd response would bump me but then again, I'm not experienced with forums...only a few times here. I apologize if it caused a problem.

    Tim, I will do your instructions later today when I have access to the computer. Thanks again.
     
  5. brunobru

    brunobru Private E-2

    Okay, so I couldn't find this file c:\windows\system32\xxyayYrP.dll

    These two files show up as running processes and when I research them, all I find is that they are trojans, but they won't go away. Are these bad files?
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\dllhost.exe

    I wanted to mention that every time the computer is started up, these language temp files show up in CCleaner. After cleaning they're gone with a reclean/scan, but they reappear every time after rebooting the computer, and I've never seen this happen on anyone's computer except hers:

    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Arabic.bin 20.43KB
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Czech.bin 23.68KB
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Danish.bin 22.17KB
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Dutch.bin 25.07KB
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\English.bin 21.34KB
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Finnish.bin 22.26KB
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\French.bin 26.54KB
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\German.bin 25.08KB
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Greek.bin 24.42KB
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Hebrew.bin 19.03KB
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Hungarian.bin 25.39KB
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Italian.bin 26.69KB
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Japanese.bin 23.69KB
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Korean.bin 19.63KB
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Log.IntelligentUpdater.txt 34.26KB
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Norwegian.bin 21.39KB
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Polish.bin 23.58KB
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Portuguese(Brazil).bin 24.41KB
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Portuguese.bin 25.57KB
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Russian.bin 25.45KB
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\SimChin.bin 15.99KB
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Spanish.bin 27.04KB
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\SWEDISH.bin 23.46KB
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Thai.bin 21.40KB
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\TradChin.bin 16.52KB
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Turkish.bin 21.67KB

    Thanks SO SO much for your time and help.
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Both of those files are legitimate files. Your logs are clean. :)

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder left by ComboFix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip file.
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work through the link below:

     
  7. brunobru

    brunobru Private E-2

    Thanks so much for your time and your kind help...it is very much appreciated!:):cool:)

    :wave Bye

    Oh, I almost forgot...Windows and NAV still won't update since the malware...any suggestions on how to get them back to working?
     
    Last edited: Apr 9, 2009
  8. brunobru

    brunobru Private E-2

    The malware disabled the windows update and antivirus but I was able to get them running again:), so you can disregard the question about it in my last post.

    Thanks again for the help.
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know.....safe surfing. :)
     
