problem with trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by dannylauda, Jul 7, 2005.

  1. dannylauda

    dannylauda Private E-2

    I'm running Win XP Professional and my antivirus software is Trend Micro.
    Every time I turn on my comp a Trend Micro window appears detecting two viruses: TROJ_ROOTKIT.H and WORM_RBOT.GEN (once it appeared as worm_rbot.bal). I tried to get rid of the first one but my antivirus doesn't run in safe mode. If I try to do the scanning, sometimes it detects them, most of the time it doesn't. When I'm on the internet sometimes a Trend Micro window appears with the detection of the viruses and my comp gets stuck... and my task manager doesn't work... please help.
    Thanks.
    Daniele
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please follow the standard cleanup procedures as given below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps below:



    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed.)

    - Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. dannylauda

    dannylauda Private E-2

    OK.. I did all I was supposed to do: downloaded all the programs, started in safe mode, ran them the way it was explained and it looked clean... only Ad-Aware had a few negligible files... then I went back to normal mode and I had the same window opening with the same virus detection... still my task manager doesn't run and on the internet sometimes when I open certain pages I have some window opening saying error, want to debug?... I'm sending you the log from HJT anyway... somebody help
    thanks
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You only ran one of the online scans listed in the READ ME, so let's start by running the below online scans:

    Bitdefender online scan
    RavAntivirus online scan <-- select Auto Clean then click Scan My PC
    TrojanScan online scan
    Panda Online Scan

    After you complete the above scans, reboot and post a fresh HJT log.
     
  5. dannylauda

    dannylauda Private E-2

    OK... I did two of the four online scans, the other two don't work, and both I did found something. I'm attaching the log...
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must remember to exit browsers (C:\Programmi\Internet Explorer\iexplore.exe) before using HijackThis.

    Is this next line your expected start page?

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fastweb.it/indexn.php?RedirectionMsg=Access+from+outside+FastWeb&FlagGAF=

    Do you know what C:\WINDOWS\TEMP\SVCC97.EXE is for? I would guess that it is bad.

    You must not use MSConfig.exe to inhibit loading of startups. If you do, we cannot see all items that may be hiding. Please run msconfig and select normal startup. Do not reboot if it asks you to do so. We will do that further down.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\lalaa.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O4 - HKLM\..\Run: [Vdat Update] lalaa.exe
    O4 - HKLM\..\RunServices: [Vdat Update] lalaa.exe
    O4 - HKCU\..\Run: [Vdat Update] lalaa.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\lalaa.exe

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  7. dannylauda

    dannylauda Private E-2

    OK I did everything... yes that's my home page and I don't know what that file is... seems to be better... the Trend Micro window didn't appear at startup. Attached is my log
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, it looks like that file I questioned was bad, because now it has a new name.

    C:\WINDOWS\TEMP\PZC28C.EXE

    It may rename itself at each reboot. Next time you boot, look for the process again. It may have a new name but you can recognize it since it is always running from the c:\windows\temp folder. Locate the process and have HijackThis kill it. Then run Windows Explorer and go to the c:\windows\temp folder and delete all files in this folder. Some may not delete. Keep track of which ones and report back. Do not reboot afterwards.
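    An added defender's-side example (not from this thread and not a HijackThis feature): a small Python triage script that reads HijackThis-style log text and flags the two indicators the helpers are chasing here, an executable running from C:\WINDOWS\TEMP with a random-looking six-character name, and O4 Run/RunServices entries that name an executable without a path. The log excerpt inside it is constructed around the lines quoted in the thread; the benign filler entries and the name heuristic are assumptions of the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape HijackThis writes. The TEMP process, the
# lalaa.exe autoruns and the R0 line come from this thread; the rest is filler.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\AK80D5.EXE
C:\WINDOWS\System32\lalaa.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fastweb.it/indexn.php?RedirectionMsg=Access+from+outside+FastWeb&FlagGAF=
O4 - HKLM\..\Run: [Vdat Update] lalaa.exe
O4 - HKLM\..\RunServices: [Vdat Update] lalaa.exe
O4 - HKCU\..\Run: [Vdat Update] lalaa.exe
O4 - HKLM\..\Run: [pccguide.exe] C:\Program Files\Trend Micro\Internet Security\pccguide.exe
O4 - HKLM\..\Run: [CCleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
"""

# Folders a legitimate autostart or service binary has no business living in.
TEMP_DIRS = ("\\windows\\temp\\", "\\local settings\\temp\\", "\\temp\\")
# The rotating names in this thread (SVCC97, PZC28C, AK80D5, MB14E9, AV7BD7,
# MG7D78, hae6e0) are six alphanumerics with at least two digits (heuristic).
RANDOM_NAME = re.compile(r"^(?=(?:[a-z]*\d){2})[a-z0-9]{6}\.exe$", re.IGNORECASE)
# O4 line, e.g. "O4 - HKLM\..\Run: [Vdat Update] lalaa.exe"
O4_LINE = re.compile(r"^O4 - (?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


@dataclass
class Finding:
    source: str    # "process" or the registry key of the O4 entry
    image: str     # executable exactly as written in the log
    reasons: list = field(default_factory=list)


def image_from_command(cmd: str) -> str:
    """Extract the executable from an autorun command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def assess(image: str, autorun: bool = False) -> list:
    """Return the reasons an image path looks suspicious (empty list if none)."""
    reasons = []
    low = image.lower()
    name = low.rsplit("\\", 1)[-1]
    if any(t in low for t in TEMP_DIRS):
        reasons.append("runs from a temp folder")
    if RANDOM_NAME.match(name):
        reasons.append("random-looking 6-character name")
    if autorun and "\\" not in image:
        # Bare filenames resolve via the search path (System32 first), as lalaa.exe does.
        reasons.append("autorun gives a bare filename, no path")
    return reasons


def triage(log_text: str) -> list:
    """Walk the 'Running processes:' block and every O4 line, collecting findings."""
    findings, in_procs = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False      # a blank line ends the process block
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:
            if reasons := assess(line):
                findings.append(Finding("process", line, reasons))
            continue
        if m := O4_LINE.match(line):
            image = image_from_command(m.group("cmd"))
            if reasons := assess(image, autorun=True):
                findings.append(Finding(m.group("key"), image, reasons))
    return findings
```

    Calling triage(SAMPLE_LOG) returns four findings: the TEMP process (two reasons) and the three lalaa.exe autorun entries; the Trend Micro and CCleaner entries pass clean.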
     
  9. dannylauda

    dannylauda Private E-2

    OK I tried to kill the process but HT tells me that it cannot kill it because it's protected by Windows... and tells me to check in services.svc because it could be a service running
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is not in your visible services list. Please do the below:

    Download RunKeys and unzip it to your desktop. Then double-click it to run it. It will generate a text file. Attach the text file to your next message.

    Now download SilentRunners and save it to your desktop. Double-click it to run it. You may have to disable script blocking if your antivirus interferes. It will create a text file on your desktop. Also attach this text file to your next message.
     
  11. dannylauda

    dannylauda Private E-2

    Here are the 2 files
     

    Attached Files:

  12. dannylauda

    dannylauda Private E-2

    I posted the requested files in the last message
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, that did not show me anything useful. Try the below:

    Download GetService.zip from here: Getservice.zip

    Extract the file to a folder where you can find it, then go to the folder and double-click on the getservices.bat file. A Notepad window will open up. Please post the contents of that Notepad file as an attachment too. Call it service.txt.

    Also post a new HJT log and DO NOT REBOOT or power down at this point. If you do, any bad process may rename itself, making any suggested fixes worthless.
     
  14. dannylauda

    dannylauda Private E-2

    Here are the GetService log and HT log...
     
  15. dannylauda

    dannylauda Private E-2

    Sorry, here they are
     

    Attached Files:

  16. dannylauda

    dannylauda Private E-2

    Now when I restart I see the Trend Micro window appearing again, but only with the worm_rbot.gen
     
  17. dannylauda

    dannylauda Private E-2

    I have maybe a stupid question but I'm curious... I was reading on the internet the technical details of this virus (worm_rbot.gen) and it says that it is a file for other people in order to get into the computer... now since sometimes it detects it and sometimes not, could it be that the person that wants to get into the comp hides the file sometimes?
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay the bad process is back. Now named: C:\WINDOWS\TEMP\AK80D5.EXE

    I hope you followed my instructions and did not reboot or power down. Otherwise the below may not work.


    Please download Pocket KillBox and extract it to its own folder somewhere.

    Run Killbox by double clicking on the killbox.exe file.

    Check the following boxes:

    Standard File Kill
    End Explorer Shell While Killing file


    Copy & paste (you must use copy & paste - typing will give an error) the full path of each of the below files into the Full Path of File to Delete box.

    C:\WINDOWS\TEMP\AK80D5.EXE

    With the full path to the file name in the Full Path of File to Delete textbox, the filename will appear under the box in blue to indicate it was found. Now click the red X and, for the confirmation message that will appear, click Yes. If the file is successfully deleted you will get a confirmation message. Just click OK!

    If the above delete fails (because of a similar message about a process running), continue with the next steps.

    - in Killbox select the option to Delete on Reboot
    - uncheck the option to End Explorer Shell While Killing file

    Copy & paste the full path C:\WINDOWS\TEMP\AK80D5.EXE into the box and then click the red X and, for the confirmation message that will appear, click Yes. A second message will ask to Reboot now? Click Yes.

    Okay so now your PC should reboot. If you get an error message about Pending Operations, just reboot your PC yourself.

    After the reboot get a new HJT log and post it, and tell me what happened while running the above steps. Again DO NOT reboot or power down just in case there is still an infection.
     
  19. dannylauda

    dannylauda Private E-2

    Since my posting was a while ago my comp got stuck and I had to reboot... anyway this is the log, tell me the file and I'll follow the other instructions
    thanks
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now it is named: C:\WINDOWS\TEMP\MB14E9.EXE
     
  21. dannylauda

    dannylauda Private E-2

    Did it
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It came back as: C:\WINDOWS\TEMP\AV7BD7.EXE

    Tell me what happened during the steps I just gave you. Did Killbox find and delete the file? Which method was needed?

    We may need to use a different method. Is the above file visible to you right now? Do not do anything with it. Just look for it. Are there other similar randomly named .EXE files in that folder?
     
  23. dannylauda

    dannylauda Private E-2

    I used Killbox as you told me and it found the file and deleted it normally. I went through all the steps fine.
    Now... that file is the only file there and has a little dog as an icon
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you mean Standard File Kill deleted the file okay? Or was Delete on Reboot needed?

    If Standard File Kill worked, here is what I want you to try. Shut down all applications, especially browsers, and also disconnect from the internet. Then use Windows Explorer to locate the file and delete it.

    Then immediately afterwards, I want you to pull the power plug of your PC. Yes, you read that correctly. I want to prevent a graceful shutdown because this file may be recreating itself and renaming itself at shutdown. After pulling the plug, leave the PC off for a couple of minutes and then power it back up in safe mode. Then look in C:\windows\temp and delete any files you find there.

    Then reboot in normal mode and get a new HJT log and post it here.
    Again DO NOT reboot or power down just in case there is still an infection.
     
  25. dannylauda

    dannylauda Private E-2

    Yes... Standard File Kill deleted the file... but when I tried with Windows Explorer it said that the file was used by another program and could not be deleted... then I tried to reboot in safe mode but the file is not there... I rebooted again and the file is there with another name...
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\Temp\AV7BD7.EXE <--- just replace with whatever the file is named right now

    Then exit HJT and pull the power cord of your PC. Yes, that is what I said. We need to force a non-graceful shutdown. This process may be renaming itself at shutdown. After pulling the power cord wait 2 minutes and then power your PC back up. Then get a new HJT log and post it here. DO NOT reboot or power down after posting this log.
     
  27. dannylauda

    dannylauda Private E-2

    HijackThis doesn't delete it... it says that the program might be closed already or protected by Windows... or it's a service that must be closed from the services window...
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you mean... kill the process? I did not say delete it.
     
  29. dannylauda

    dannylauda Private E-2

    That's what I meant
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download and install Unlocker 1.65
    Accept all the install default settings.

    Now open Windows Explorer and navigate to C:\WINDOWS\Temp\AV7BD7.EXE <--- just replace with whatever the file is named right now

    Then right click on the file name and select Unlocker.
    A window will pop up showing some information about the locked file and which Process Paths are using it. Make sure you write down the info so you can tell me later what you saw. Then click Unlock All. Now kill the process! Did that work?

    Tell me what info you saw in the window and if this worked to kill the process.
     
  31. dannylauda

    dannylauda Private E-2

    Nothing, it says that there is no handle that blocks the process
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What is the process name right now?

    Press CTRL-ALT-DEL to bring up Task Manager and select Processes.
    Now look at the process list. Does the bad process appear?
    Also do you see one instance of Explorer.exe?
     
  33. dannylauda

    dannylauda Private E-2

    The name now is MG7D78.EXE... yes I see it among the processes running in Task Manager and yes there is explorer too
     
  34. dannylauda

    dannylauda Private E-2

    Actually there is explorer and IEXPLORER
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, here is what I want you to do. Print this or save it locally in a Notepad file, because your browser windows MUST be closed and we will double check that using Task Manager to kill them.

    With Task Manager kill the following in the below order (I have added some notes to the right of each process):
    iexplore.exe - kill any of these to make sure all browsers are closed
    explorer.exe - do not be alarmed when your Desktop and icons etc. disappear. This is normal. We will bring them back later.
    MG7D78.EXE - try killing this now and see if it can be killed and that it does not respawn

    To bring back your Desktop, in Task Manager click File and select New Task (Run...) In the popup window enter explorer.exe into the Open: box and then click OK. Now come back here (run your browser) and tell me what happened.
     
  36. dannylauda

    dannylauda Private E-2

    OK I stopped all the explorer processes and finally it lets me delete the process of that file... so I did it...
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay so right now that process is stopped and a new one has not started? Right? If so, continue with below. Otherwise do not continue with below, just tell me.

    Delete the file now too, and any others in C:\windows\temp that look like it.

    Then immediately afterwards, I want you to pull the power plug of your PC. Yes, you read that correctly. I want to prevent a graceful shutdown because this file may be recreating itself and renaming itself at shutdown. After pulling the plug, leave the PC off for a couple of minutes and then power it back up in safe mode. Then look in C:\windows\temp and delete any files you find there.
    Then reboot in normal mode and get a new HJT log and post it here.
    Again DO NOT reboot or power down just in case there is still an infection.
     
  38. dannylauda

    dannylauda Private E-2

    OK the process didn't restart, I unplugged the comp, I waited a couple of min... I restarted in safe mode and the file wasn't there... then I rebooted in normal mode and the file is there again with a different name... seems hard to delete.
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do the following:

    Click Search and then select "All files and folders"
    Enter explorer.exe in the "All or part of the file name:" box
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders
    Then click the Search button.

    Now tell me all the places you find explorer.exe also tell me the size of the files for each case.
     
  40. dannylauda

    dannylauda Private E-2

    Sorry for the delay...
    OK these are the files that I found:
    explorer.exe C:\windows 983kb
    explorer.exe C:\windows\system32\dllcache 983kb
    explorer.exe-082f38a9.pf C:\windows\prefetch 80kb
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Open a command prompt window by clicking Start, Run, and enter cmd and click OK. Just leave this Window open. We will come back to it.

    Print this or save the following instructions locally, because your browser windows MUST be closed and we will double check that using Task Manager to kill them.

    With Task Manager kill the following in the below order (I have added some notes to the right of each process):
    iexplore.exe - kill any of these to make sure all browsers are closed
    explorer.exe - do not be alarmed when your Desktop and icons etc. disappear. This is normal. We will bring them back later.
    MG7D78.EXE <--- just replace with whatever the file is named right now

    Okay, now that explorer.exe has been stopped, go back to the command prompt window and enter the below commands, each followed by the Enter key.
    cd c:\windows
    copy C:\windows\system32\dllcache\explorer.exe
    del c:\windows\prefetch\explorer.exe-082f38a9.pf
    del C:\WINDOWS\Temp\MG7D78.EXE <--- just replace with whatever the file is named right now

    When you come back, let me know if each of those commands worked or if there were any errors.


    Now bring back your Desktop, in Task Manager click File and select New Task (Run...) In the popup window enter explorer.exe into the Open: box and then click OK. Now come back here (run your browser) and tell me what happened.
     
  42. dannylauda

    dannylauda Private E-2

    OK I did everything, the only thing that doesn't work is the del of the file in cmd... it says: could not find the file
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Which file? And did you check to see what the name of the process is now? Don't forget it keeps changing names, but it is always running from c:\windows\temp.

    Look in a new HJT log for the process and see what it is named now and repeat the steps in message # 41.
     
  44. dannylauda

    dannylauda Private E-2

    I went through all the steps fine except for the last one, meaning that it doesn't let me delete the file in the temp folder from cmd, probably because when I stopped the process the file disappeared (the name now is hae6e0.exe)
     
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So every time you stop the process, the file actually disappears?
    Look in the c:\windows\temp folder after killing the process and see if any other .EXE filenames show up. If so, delete them.
     
  46. dannylauda

    dannylauda Private E-2

    Yes, when I kill the process the file actually disappears... and when you reboot it creates itself again
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Something else is hiding on your PC and is recreating and changing the name of this process at reboot into normal boot mode. Let's run the steps below.

    I want you to run the below trial version of Ewido. Follow the steps given.

    • Download this trial version of Ewido Security Suite
    • Install ewido security suite
    • Launch ewido, there should be an icon on your desktop; double-click it.
    • The program will have a window come up. One of the buttons on the left is to Update. Click the Update button and then Start the Update. The update will start and a progress bar will show the updates being installed.
    • After it completes the update, do not start the scan yet.

    Now exit Ewido. Now print the below instructions or save them locally, because I want you to have no browsers opened and also no connection to the internet (unplug your cable) while doing the below.

    Normally I would boot to safe mode here, but since your problem seems to only show in normal boot mode, we will stay in normal boot mode to scan.

    Click on Scanner
    • Then click Settings
    • Under What to Scan? Select Scan every file
    • Then click OK
    • Click on Complete System Scan and the scan will start.
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files that are infected. Leave the default selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report

    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.
    Reboot your PC into normal mode and reconnect to the internet.

    Come back here and post the Ewido Scan Report. Also post a new HJT log.
     
  48. dannylauda

    dannylauda Private E-2

    OK here we are... I downloaded Ewido and I did everything else.
    Here are the logs..
     

    Attached Files:

  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download Autoruns and extract it to its own folder. Then locate the autoruns.exe file and double-click on it. It will immediately do a scan, which can take a minute or so. But I want to configure some options first to eliminate some known good items from Microsoft. Otherwise the log can be too long.

    So when it opens, first make sure the Everything tab is selected and then click on Options and make sure the below two items are checked:
    Verify Code Signatures
    Hide Signed Microsoft Entries

    Then hit your F5 key or click the Refresh button, which is right under the Entry menu selection. Give it a minute or so (watch the bottom of the window - it will say Ready when it is done scanning). Then click File and Save As and save the autoruns.txt file. Then upload it here as an attachment.
     
  50. dannylauda

    dannylauda Private E-2

    OK done
     

    Attached Files:
