Popups trojan ?

Discussion in 'Malware Help (A Specialist Will Reply)' started by Lewis_V, Feb 4, 2007.

  1. Lewis_V

    Lewis_V Private E-2

    I started having Adware yesterday and started looking around the web for solutions. Tried to download some free stuff that might have harmed more than helped...

    I googled Hijackthis after seeing the ware on ++ forums and found Major Geeks.
    Like a good boy I followed the: Read and run me first. Things are getting better as Spybot, Bitdefender and Panda scanned and removed malware (except for Panda, which only pointed out some). The CPU stopped being weird and is purring smoothly.

    It looked like a Vundo as Vundofix (I went that way) found and removed a couple of .dll, .exe and others... the only thing is when I reboot and run it again it always finds a xntharkn.dll in system32. This file is removed and detected over and over... I disabled recovery but this doesn't seem to do.

    Thanks in advance



    Here are my logs

  2. Lewis_V

    Lewis_V Private E-2

    Popups trojan ? Continued (logs)

    Here is the rest

  3. Lewis_V

    Lewis_V Private E-2

    I have been trying things since yesterday, thought I'd refresh these logs.

    Things are working well; there are the O20 HJT lines, I was wondering if they were good or not.

    I got one or two pop ups but I don't know if they are site related or attributable to Winfix.

    Cheers

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is your copy of Spyware Doctor a paid version or a free trial? Does it actually protect against and remove malware??? If not, uninstall it to stop wasting the resources on running it for no reason. You have AOL Antispyware running already.

    Also is your copy of Trojan Remover also a free trial version? If so, uninstall it now unless you are going to buy it.

    Okay now also uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders left behind by the uninstall:
    C:\Documents and Settings\Owner\Local Settings\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Also uninstall the below old version of Sun Java:
    J2SE Runtime Environment 5.0 Update 2

    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O2 - BHO: (no name) - {3F3C38A9-B0B0-44E1-B50B-A69526F64B98} - C:\WINDOWS\system32\ddcya.dll (file missing)
    O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\xntharkn.dll (file missing)
    O2 - BHO: (no name) - {B528C6CC-AA98-4753-8980-A6B97A220A63} - C:\WINDOWS\system32\ddcyaxy.dll (file missing)
    O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinSystems] C:\WINDOWS\system32\winsystems16.exe
    O4 - HKLM\..\RunServices: [WinSystems] C:\WINDOWS\system32\winsystems16.exe

    After clicking Fix, exit HJT.

    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\winsystems16.exe
    C:\WINDOWS\system32\exec1.exe
    C:\WINDOWS\system32\irlbjpak.exe
    C:\WINDOWS\system32\ddcya.dll
    C:\WINDOWS\system32\ddcyaxy.dll
    C:\WINDOWS\system32\xharwfhy.dll
    C:\WINDOWS\system32\aycdd.ini
    C:\WINDOWS\system32\wodriyye.ini
    C:\WINDOWS\system32\yhfwrahx.ini
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete if found:
    C:\Program Files\VSAdd-in

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
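    Added example (not from the thread, and not HijackThis or Killbox code): a small Python triage script that applies the same reasoning chaslang uses above to the HJT lines quoted in this post, flagging an unexpected start page, nameless BHO/toolbar entries whose file is gone, and autorun entries launching unlisted executables from system32. The expected start page and the system32 allowlist are assumptions for the sample.

```python
import re

# Constructed sample: HijackThis entries copied from the lines quoted in the thread
# above (not a complete log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\xntharkn.dll (file missing)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [WinSystems] C:\WINDOWS\system32\winsystems16.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
# Assumptions for this sample: the homepage the user actually wants, and the
# system32 autorun targets that are expected on the box.
EXPECTED_START_PAGES = {"about:blank"}
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe"}


def flag_entry(kind, body):
    """Return a review reason for one HJT entry, or None if nothing matched."""
    if kind in ("R0", "R1") and "Start Page" in body:
        url = body.split("=", 1)[1].strip()
        if url not in EXPECTED_START_PAGES:
            return "browser start page set to unexpected URL: " + url
    if kind in ("O2", "O3") and "(no name)" in body and (
            "(file missing)" in body or "(no file)" in body):
        return "nameless BHO/toolbar whose file is gone (orphaned registration)"
    if kind == "O4":
        # Target executable follows the bracketed entry name, optionally quoted.
        m = re.search(r"\]\s+\"?([^\"]+?\.exe)", body, re.IGNORECASE)
        if m:
            path = m.group(1)
            name = path.rsplit("\\", 1)[-1].lower()
            if "\\system32\\" in path.lower() and name not in KNOWN_SYSTEM32_AUTORUNS:
                return "autorun launches an unlisted executable from system32: " + name
    return None


def triage(log_text):
    """Parse HJT lines into (kind, body, reason) tuples; reason is None when clean."""
    results = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            results.append((m["kind"], m["body"], flag_entry(m["kind"], m["body"])))
    return results


if __name__ == "__main__":
    for kind, body, reason in triage(SAMPLE_LOG):
        print(kind, "->", reason or "no rule matched", "|", body)
```

    Run it against a real saved HJT log instead of SAMPLE_LOG to get the same kind of shortlist chaslang built by hand; the rules are a starting point, not a verdict.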
     
  5. Lewis_V

    Lewis_V Private E-2

    Removed Spyware Doctor, Trojan Remover, old sun java and Counterspy.

    Installed Pocket Killbox

    Ran HJT but some lines I had already deleted. Deleted the following: the 2 R0, as the other lines were already gone. Fixed with browser closed.

    Ran Pocket Killbox and pasted the files as requested. When I clicked the arrow to show pasted files only 2 came up: C:\WINDOWS\system32\exec1.exe and I guess I forgot what the other one was. confused

    Did NOT receive : PendingFileRenameOperations prompt

    PC rebooted and couldn't find C:\Program Files\VSAdd-in

    As I said in my last post I did try things that seemed to delete some unwanted files (i.e. Sysprotect remover).

    I had also installed Sunbelt's Kerio Firewall (should I disable Windows'?). So I didn't delete all the folders ("C:\Documents and Settings\Owner\Local Settings\Application Data\Sunbelt Software" was deleted and "C:\Program Files\Sunbelt Software" partially deleted) you told me because I would have removed it.

    The system is working well and I am not having any popups while running Firefox or MSN Explorer. :)

    I have much less active icons in my taskbar (not that I mind).

    Here are the logs, hope they are clean

    Thanks for the help greatly appreciated

    Ciao

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Installing Kerio Firewall should have already disabled the Windows Firewall during the install.

    I have no idea what you were trying to say here but you still need to delete the below folder as I requested:

    C:\Program Files\Sunbelt Software

    Also here are two more to delete:
    C:\Documents and Settings\Owner\Application Data\PC Tools
    C:\WA6P


    Your logs are clean! If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
    Last edited: Feb 6, 2007
  7. Lewis_V

    Lewis_V Private E-2

    What I meant in a (I must admit) very complicated fashion, is that I still have: C:\Program Files\Sunbelt Software\Personal Firewall

    although I deleted C:\Program Files\Sunbelt Software\Counterspy

    Boring statement anyways zzz

    Thanks again for your time and knowledge

    See ya
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Now I understand. Surf safely!
     
