Trackware/Trojan Problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by J.D., Feb 22, 2007.

  1. J.D.

    J.D. Private E-2

    Hello,

    I've been getting random popups of IE pages in Chinese for the past few days after some P2P streaming channel apparently loaded a bunch of malware onto my laptop; computer startup is slow and rundll32.exe is all over my Windows Task Manager Processes, and my Internet connections get blocked after the computer's been on for some time.

    I ran the entire Malware Removal Guide, but Symantec is still finding something called Trackware.Alexa every time I turn on the computer and Spybot S&D keeps finding something called Boran (or something to that effect); the original problems are diminished but not gone. Any help at all would be greatly appreciated.

    Thanks,
    J
     


  2. J.D.

    J.D. Private E-2

    The rest of the logs (including HJT)...
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please uninstall these thru add/remove programs:
    webwork
    Viewpoint Media Player

    Do you know what these are:
    f735bd71
    "1300"

    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:

    * Delete on Reboot
    * then Click on the All Files button.
    * Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\4661cfsb.dll
    C:\WINDOWS\system32\mshtmll.dll
    c:\windows\taskmor.exe
    C:\WINDOWS\system32\1010s.exe
    C:\WINDOWS\system32\7DC4E847.EXE
    C:\WINDOWS\system32\7DC4E847T.EXE
    C:\WINDOWS\system32\drivers\ast.sys
    C:\WINDOWS\system32\drivers\ffpbek.sys
    C:\WINDOWS\system32\t21.exe
    C:\WINDOWS\system32\tubar1250.exe
    C:\WINDOWS\system32\tubar1250.exe
    C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE
    C:\WINDOWS\system32\mssys32.exe
    C:\WINDOWS\system32\ffudf.exe
    C:\Program Files\ejst
    C:\Program Files\7B6D~1
    C:\Program Files\7A99~1
    C:\WINDOWS\bar.exe
    C:\WINDOWS\f2.exe
    C:\WINDOWS\intranet.exe
    C:\WINDOWS\taskmor.exe
    C:\WINDOWS\temp.exe
    C:\WINDOWS\~tmp1057.exe
    C:\WINDOWS\system32\
    C:\WINDOWS\system32\1010s.exe
    C:\WINDOWS\system32\1d7b219a.exe
    C:\WINDOWS\system32\1d7b21~1.exe
    C:\WINDOWS\system32\7dc4e847.exe
    C:\WINDOWS\system32\7dc4e8~1.exe
    C:\WINDOWS\system32\bawang.exe
    C:\WINDOWS\system32\cacheur.exe
    C:\WINDOWS\system32\dufs1.exe
    C:\WINDOWS\system32\dufs2.exe
    C:\WINDOWS\system32\ffudf.exe
    C:\WINDOWS\system32\mssys32.exe
    C:\WINDOWS\system32\t21.exe
    C:\WINDOWS\system32\tubar1250.exe
    C:\WINDOWS\system32\1d7b219a.dll
    C:\WINDOWS\system32\4661cfsb.dll
    C:\WINDOWS\system32\4d5entos.dll
    C:\WINDOWS\system32\7dc4e847.dll
    C:\WINDOWS\system32\jsefusf.dll
    C:\WINDOWS\system32\cryptimg.dll
    C:\WINDOWS\system32\mshtmll.dll
    C:\WINDOWS\system32\kwbuf.ini
    C:\WINDOWS\system32\toolset.ini
    C:\WINDOWS\system32\00006dd8.dat
    C:\WINDOWS\system32\1d7b219a.dat
    C:\WINDOWS\system32\431172~1.dat
    C:\WINDOWS\system32\431172~2.dat
    C:\WINDOWS\system32\431172~3.dat
    C:\WINDOWS\system32\431172~4.dat
    C:\WINDOWS\system32\4320df~1.dat
    C:\WINDOWS\system32\4324b2~1.dat
    C:\WINDOWS\system32\432dc0~1.dat
    C:\WINDOWS\system32\4333d5~1.dat
    C:\WINDOWS\system32\4340c6~1.dat
    C:\WINDOWS\system32\4345d0~1.dat
    C:\WINDOWS\system32\4345d4~1.dat
    C:\WINDOWS\system32\434cd1~1.dat
    C:\WINDOWS\system32\4357cd~1.dat
    C:\WINDOWS\system32\jsds3utj.dat
    C:\WINDOWS\system32\drivers\ast.sys
    C:\WINDOWS\system32\drivers\chbahbac.sys
    C:\WINDOWS\system32\drivers\hidproc.sys
    C:\WINDOWS\system32\drivers\msusbbux.sys


    * Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    * Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://securityresponse.symantec.com/avcenter/fix_homepage/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://client.jogo.cn/cdn/browser/sidesearch/sidesearch-en.html G
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://client.jogo.cn/cdn/browser/customsearch/customsearch-en.html
    O2 - BHO: (no name) - {5accd45b-f800-4661-8b0d-4e03f37a8dbf} - C:\WINDOWS\system32\4661cfsb.dll
    O2 - BHO: (no name) - {A4B313AC-16DC-52D1-A4D7-1D4F7B1A9C4E} - C:\WINDOWS\system32\mshtmll.dll
    O2 - BHO: 8896 - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4d5entos.dll G
    O3 - Toolbar: 8896 - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4d5entos.dll
    O4 - HKLM\..\Run: [C:\WINDOWS\system32\drivers\ttp.exe] C:\WINDOWS\system32\drivers\ttp.exe G
    O4 - HKLM\..\Run: [sdafdsafds] C:\WINDOWS\temp\162.exe
    O4 - HKLM\..\Run: [SvcManager] systemnt1.exe
    O4 - HKCU\..\Run: [mssys32] C:\WINDOWS\system32\mssys32.exe G
    O4 - HKCU\..\Run: [mshtmll] regsvr32 /s C:\WINDOWS\system32\mshtmll.dll
    O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\Program Files\CNNIC\Cdn\cdnuc.exe (file missing) G
    O9 - Extra 'Tools' menuitem: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\Program Files\CNNIC\Cdn\cdnuc.exe (file missing)
    O11 - Options group: [CDNCLIENT] Chinese Navigation
    O20 - Winlogon Notify: cryptimg - C:\WINDOWS\SYSTEM32\cryptimg.dll

    After clicking Fix, exit HJT.

    Reboot and attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
     
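    Killbox's "Delete on Reboot" and the PendingFileRenameOperations prompt Tim asks about are the same mechanism seen from two sides: a delete-at-boot is queued by writing a (source, empty destination) pair into the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and the prompt means that value already held entries. The decoder below is an added example, not code from this thread or from Killbox; the sample value is constructed (two delete entries using file names from Tim's list, plus a hypothetical ExampleApp rename), and the meaning of a leading "!" on the destination (replace an existing file) is stated as an assumption about the format rather than something the thread shows.

```python
"""Decode the PendingFileRenameOperations registry value (added example)."""
from dataclasses import dataclass
from typing import List, Optional

NT_PREFIX = "\\??\\"


@dataclass
class PendingOp:
    op: str                     # "delete" or "rename"
    source: str
    destination: Optional[str]
    replace_existing: bool      # set when the destination carried a leading "!"


def encode_multi_sz(strings: List[str]) -> bytes:
    """Build a REG_MULTI_SZ blob the way the registry stores it: each string
    is UTF-16LE and NUL-terminated, and the whole list ends in one more NUL.
    Only used here to construct offline sample data."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_multi_sz(blob: bytes) -> List[str]:
    """Split a REG_MULTI_SZ blob into its strings, keeping empty strings.
    The usual 'stop at the first double NUL' rule would truncate this value,
    because a delete entry is an empty destination, i.e. a NUL immediately
    after the source's terminating NUL; so rely on the blob length instead."""
    text = blob.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]              # list terminator
    parts = text.split("\0")
    if parts and parts[-1] == "":
        parts.pop()                   # artefact of the last string's own NUL
    return parts


def _strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def pending_operations(blob: bytes) -> List[PendingOp]:
    """Pair the strings up as (source, destination). An empty destination is a
    delete-at-boot (what MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT queues and
    what Killbox's 'Delete on Reboot' relies on). A destination starting with
    '!' is assumed to mean MOVEFILE_REPLACE_EXISTING."""
    strings = decode_multi_sz(blob)
    if len(strings) % 2:
        raise ValueError("odd number of strings: value is truncated or corrupt")
    ops = []
    for src, dst in zip(strings[::2], strings[1::2]):
        replace = dst.startswith("!")
        dst = dst[1:] if replace else dst
        if dst == "":
            ops.append(PendingOp("delete", _strip_nt_prefix(src), None, False))
        else:
            ops.append(PendingOp("rename", _strip_nt_prefix(src), _strip_nt_prefix(dst), replace))
    return ops


def pending_deletes(blob: bytes) -> List[str]:
    """Just the files that will disappear at the next boot."""
    return [o.source for o in pending_operations(blob) if o.op == "delete"]


# Constructed sample: two delete-at-boot entries using file names from the
# Killbox list above, plus one hypothetical in-place update of an application
# DLL (the kind of entry an installer leaves behind).
SAMPLE_VALUE = encode_multi_sz([
    r"\??\C:\WINDOWS\system32\4661cfsb.dll", "",
    r"\??\C:\WINDOWS\system32\mshtmll.dll", "",
    r"\??\C:\Program Files\ExampleApp\update.tmp",
    r"!\??\C:\Program Files\ExampleApp\example.dll",
])

if __name__ == "__main__":
    for op in pending_operations(SAMPLE_VALUE):
        print(op)
```

    On the affected machine the raw bytes of the value come from the Session Manager key named above; running the decoder before rebooting tells you whether the queue holds only what Killbox just added or something a previous installer, or the malware itself, left there, which is why Tim asks to be told about the prompt.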
  4. J.D.

    J.D. Private E-2

    Hi Tim, thanks for the help. I followed your steps and here're the results:

    1. I could find "webwork" on the add/remove programs list, but Viewpoint Media Player is gone.

    2. I have no idea what "f735bd71" and "1300" are, but they don't seem to be there anymore.

    3. I did run into the "PendingFileRenameOperations..." prompt after running Killbox.

    I'm not sure that the original problems are gone, though, as I'm still getting the IE popups from time to time. The new logs are attached below.

    Thanks again. :)
     


  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now download and run Prevx1.

    Attach the log and the other three also. (ShowNew, GetRun, HJT).
     
  6. J.D.

    J.D. Private E-2

    Prevx1 kept freezing up on me at 98% ("Scanning Registration Files"), but here's the log anyway -- I had to divide it up into several files because it was over the size limit. (Let me know if it's not supposed to be that large/long and I'll see if I did something wrong while running the scan? This was from the "Scan Files" button, not the "Scan Processes.")

    Thanks as always.
     


  7. J.D.

    J.D. Private E-2

    More logs...
     


  8. J.D.

    J.D. Private E-2

    ShowNew and HJT.

    Also, I forgot to say that I think something's working -- I haven't gotten any IE popups today (and possibly since my last post) and Symantec's been quiet. I'm getting some message at startup, though, saying "Error loading C:\WINDOWS\system32\ycqi_z.dll -- The specified module could not be found." Any idea what that refers to? (I think ycqi_z.dll is one of the things that Prevx1 found as problematic during the scan, also.)
     


  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please uninstall thru add/remove programs:
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 5
    DisplayName = "???"
    "DisplayName"="1300"
    Windows mrxy - if you don't know what it is.

    Reboot and install:
    Java Runtime 6

    Download and Install RogueRemover Free http://www.majorgeeks.com/RogueRemover_d5360.html

    Run RogueRemover and select Scan and the program will walk you through the remaining steps.

    Use windows explorer to delete these folders:
    C:\Program Files\Kaspersky Anti-Virus (If it exists).
    C:\Program Files\EJST
    C:\Program Files\7B6D~1
    C:\Program Files\7A99~1
    C:\Program Files\搜索栏
    C:\Program Files\Common Files\{C4D975E5-0574-1033-0306-031224020001}
    C:\Program Files\GENTAD (Unless you know what this is and use it.)
    C:\Program Files\Common Files\MEDIA (Unless you know what this is and use it.)
    C:\Program Files\Common Files\PUAB (Unless you know what this is and use it.)

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:

    * Delete on Reboot
    * then Click on the All Files button.
    * Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\WINDOWS\temp.exe
    C:\WINDOWS\system32\dufs1.exe
    C:\WINDOWS\system32\dufs2.exe
    C:\WINDOWS\system32\ffudf.exe
    C:\WINDOWS\system32\jsefusf.exe
    C:\WINDOWS\system32\jsefusf.dll
    C:\WINDOWS\system32\431172~1.dat
    C:\WINDOWS\system32\431172~2.dat
    C:\WINDOWS\system32\432fbf~1.dat
    C:\WINDOWS\system32\4335da~1.dat
    C:\WINDOWS\system32\433ed4~1.dat
    C:\WINDOWS\system32\434aba~1.dat
    C:\WINDOWS\system32\434ad3~1.dat
    C:\WINDOWS\system32\fntcache.dat
    C:\WINDOWS\system32\index.dat
    C:\WINDOWS\system32\jsds3utj.dat

    * Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    * Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R3 - URLSearchHook: ToolbarURLSearchHook Class - {CA3EB689-8F09-4026-AA10-B9534C691CE0} - C:\PROGRA~1\7A99~1\tbhelper.dll
    O2 - BHO: TBSB03263 - {EEC7E620-B32A-4E3B-B200-291660803474} - C:\PROGRA~1\7A99~1\eqiso.dll G
    O3 - Toolbar: (no name) - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - (no file)
    O3 - Toolbar: ??? - {33E640D8-EB95-4B22-B475-1852B7D35993} - C:\Program Files\搜索栏\eqiso.dll

    After clicking Fix, exit HJT.

    Now attach new logs for:

    * GetRunKey - please download the current version first!
    * ShowNew
    * HJT
     
  10. J.D.

    J.D. Private E-2

    A few minor things:

    I didn't find "1300" in Add/Remove and couldn't delete C:\Program Files\GENTAD\gentad.dll because it claimed to be running (even immediately after reboot).

    RogueRemover didn't find anything, and some of the items listed for HJT weren't there to be fixed, so I just checked the ones that were.

    New logs below...
     


  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please uninstall thru add/remove programs:
    Gentad

    Open notepad and copy and paste the following text in the quote box into the window:
    Save this as fix.bat
    Choose to save as all files.

    Doubleclick fix.bat and let the program run.
    A small black dos window will flash, this is normal.

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O9 - Extra button: 财富通 - {C1F0024B-8278-4999-B7E6-2718426D9FE6} - C:\Program Files\财富通\caif.dll (file missing) (HKCU)
    O23 - Service: 1D7B219A - Unknown owner - C:\WINDOWS\system32\1D7B219A.EXE (file missing)
    O23 - Service: 7DC4E847 - Unknown owner - C:\WINDOWS\system32\7DC4E847.EXE (file missing)
    O23 - Service: NT Data Provider (DATEING) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE (file missing)
    O23 - Service: jsefusf - Unknown owner - C:\WINDOWS\system32\jsefusf.exe (file missing)

    After clicking Fix, exit HJT.

    Now attach new logs for:

    * GetRunKey - please download the current version first!
    * ShowNew
    * HJT
     
    Last edited: Feb 27, 2007
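    The HijackThis lines Tim has J.D. fix across his three posts share a handful of tells: a BHO or service whose module has an eight-character random-looking name (4661cfsb.dll, 7DC4E847.EXE), an autorun that lives in a temp directory, a DLL pulled in through regsvr32 or rundll32 rather than an executable, a filename one character away from a real system module (mshtmll.dll next to mshtml.dll), a Winlogon Notify entry, a service whose binary is already gone, and IE search settings pointing at an outside host. The parser below turns those tells into flags over HJT-style lines. It is an added example, not code from this thread or from HijackThis; the heuristics and the KNOWN_SYSTEM_FILES list are the editor's assumptions, and the sample log is constructed: six lines are copied from Tim's posts, the rundll32 line is assumed (ycqi_z.dll is the module from the startup error J.D. reported, and "Error loading ... The specified module could not be found" is rundll32's message for a missing DLL), and the Symantec service line is a made-up benign entry for contrast.

```python
"""Triage heuristics for HijackThis-style log lines (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First absolute Windows path ending in a loadable module; non-greedy so a
# trailing " (file missing)" or ",EntryPoint" is not swallowed.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys|ocx)\b", re.IGNORECASE)
LOADER_RE = re.compile(r"^(rundll32|regsvr32)(?:\.exe)?\b", re.IGNORECASE)
# Assumed list of legitimate names that malware likes to imitate.
KNOWN_SYSTEM_FILES = ["mshtml.dll", "svchost.exe", "rundll32.exe",
                      "crypt32.dll", "lsass.exe", "services.exe"]


@dataclass
class Entry:
    section: str                  # R0, O2, O4, O20, O23, ...
    raw: str
    name: Optional[str] = None
    clsid: Optional[str] = None
    target: Optional[str] = None  # module the entry loads or runs
    flags: List[str] = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one-character lookalikes of system files."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_line(line: str) -> Optional[Entry]:
    m = re.match(r"^([RFO]\d+) - (.*)$", line.strip())
    if not m:
        return None
    sec, rest = m.groups()
    e = Entry(section=sec, raw=line.strip())
    cm = CLSID_RE.search(rest)
    e.clsid = cm.group(0) if cm else None

    # Section-specific parsing and flags first.
    if sec == "O4":                               # autostart entries
        b = re.search(r"\[([^\]]*)\]", rest)
        e.name = b.group(1) if b else None
        command = rest.split("]", 1)[1].strip() if b else rest
        lm = LOADER_RE.match(command)
        if lm:
            e.flags.append(f"DLL loaded via {lm.group(1).lower()}")
    elif sec.startswith("R"):                     # IE start/search pages
        key, _, value = rest.partition(" = ")
        e.name = key.strip()
        host = urlparse(value.strip()).hostname
        if host:
            e.flags.append(f"external URL: {host}")
    else:                                         # "Kind: name - ... - path"
        _, _, tail = rest.partition(": ")
        e.name = tail.split(" - ")[0].strip() or None
        if sec == "O20":
            e.flags.append("Winlogon Notify DLL (loaded into winlogon.exe at every logon)")

    # Generic checks on the referenced module.
    pm = PATH_RE.search(rest)
    e.target = pm.group(0) if pm else None
    if "(file missing)" in rest.lower():
        e.flags.append("file missing")
    if e.target:
        low = e.target.lower()
        if "\\temp\\" in low:
            e.flags.append("runs from a temp directory")
        fname = low.rsplit("\\", 1)[-1]
        stem = fname.rsplit(".", 1)[0]
        if re.fullmatch(r"[0-9a-z]{8}", stem) and sum(c.isdigit() for c in stem) >= 3:
            e.flags.append("random-looking 8-char name")
        for known in KNOWN_SYSTEM_FILES:
            if fname != known and levenshtein(fname, known) == 1:
                e.flags.append(f"lookalike of {known}")
    return e


def triage(log_text: str) -> List[Entry]:
    return [e for e in map(parse_line, log_text.splitlines()) if e]


def suspicious(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]


# Constructed sample: six lines copied from TimW's HJT lists in this thread, an
# assumed rundll32 line for the ycqi_z.dll startup error, and a made-up benign
# service for contrast.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://client.jogo.cn/cdn/browser/sidesearch/sidesearch-en.html
O2 - BHO: (no name) - {5accd45b-f800-4661-8b0d-4e03f37a8dbf} - C:\WINDOWS\system32\4661cfsb.dll
O4 - HKLM\..\Run: [sdafdsafds] C:\WINDOWS\temp\162.exe
O4 - HKCU\..\Run: [mshtmll] regsvr32 /s C:\WINDOWS\system32\mshtmll.dll
O4 - HKLM\..\Run: [ycqi] rundll32.exe C:\WINDOWS\system32\ycqi_z.dll,Run
O20 - Winlogon Notify: cryptimg - C:\WINDOWS\SYSTEM32\cryptimg.dll
O23 - Service: 7DC4E847 - Unknown owner - C:\WINDOWS\system32\7DC4E847.EXE (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

if __name__ == "__main__":
    for e in suspicious(triage(SAMPLE_LOG)):
        print(f"{e.section:4} {e.name!s:20} {e.target or '-'}\n     -> {'; '.join(e.flags)}")
```

    The flags are triage hints, not verdicts: a Winlogon Notify entry or an external search URL can be legitimate, and the heuristic for random names deliberately misses things like ycqi_z.dll, which is caught only because it is loaded through rundll32. The point of the exercise is the one Tim applies by hand in the thread: decide per load point (BHO, Run key, Winlogon Notify, service) what the entry actually executes and whether that file has any business being there.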
  12. J.D.

    J.D. Private E-2

    New logs...
     


  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs look clean. You may uninstall any programs we had you download.

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
    * go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
    * How to Protect yourself from malware!
     
  14. J.D.

    J.D. Private E-2

    Done. Thanks again for your help, you guys are amazing!
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You're welcome ...safe surfing.
     
