Trojan Downloader

I hope you can help and Im not being a total idiot, although Ive tried everything now, and am asking for help as a last resort. Please be patient with me as I try to explain a problem I dont really have a clue about.

Having written down the viruses that AVG keeps informing me about (aswell as Bullguard V5.0 which I downloaded on trial due to desperation of trying to get this repaired) I have comeup with 3 viruses.

JS.Trojan.Downloader.1stBar.A

Trojanhorse startpage 19.AO

Trojanhorse downloader agent 11.Q

I have been through the read me first section of this site and downloaded and run all the nifty programmes there (such as ccleaner and aboutbuster) but still no cigar.

Main obvious symptoms here is my homepage is being changed to about.blank and putting 3 porn links on my favourites. No matter how many time I delete them and reset my homepage, it just comes back.

So Im out of ideas and head hurts, been at this for two days now. I really hope someone here has the patience to help me out.

Here is my HJT log:

 

Try deleting all the files inside the windows\prefetch folder, then run aboutbuster twice.

Were you able to run the online virus scans? Here are a couple I like the best:

http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://housecall.trendmicro.com/housecall/start_corp.asp

 

Have done AboutBuster twice as suggested (log attached)

However when I did the on line virus scan http://www.pandasoftware.com/active...n_principal.htm
my internet will not connect so I can access report and fix detected problems.

I can not access the other online scanner http://housecall.trendmicro.com/hou.../start_corp.asp
as the internet shuts down as soon as I access the site.

Any further suggestions welcome

 

Bump...

Maybe someone more experienced with hjt logs can join in...

 

Clint,

Please print out these instructions so that you can operate with All Browser Windows CLOSED.

Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and, if you see it, try to END it:

winlw.exe

Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://register.iol.ie/cgi-bin/dslcd?affiliate=IB143001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\WINDOWS\system32\njuee.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\system32\njuee.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://E:\WINDOWS\system32\njuee.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\WINDOWS\system32\njuee.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\system32\njuee.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://E:\WINDOWS\system32\njuee.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://E:\WINDOWS\system32\njuee.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://news.bbc.co.uk/sport2/hi/football/default.stm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {B8F30120-3B81-D4B0-8765-8223F1BE22BE} - E:\WINDOWS\system32\msbu.dll

O4 - HKLM\..\Run: [tnpwgrjv] E:\WINDOWS\dbcqsf.exe
O4 - HKLM\..\Run: [rpbmjcm] E:\WINDOWS\System32\culvob.exe
O4 - HKLM\..\Run: [d3ip32.exe] E:\WINDOWS\d3ip32.exe
O4 - HKLM\..\Run: [winlw.exe] E:\WINDOWS\system32\winlw.exe

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} -%windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=f997f658de92b402e166a43c399bf b885f10f9726ad6487e486538897a2c82089f448b227659b4c718274f07ad93eca89b7aac938850a 65a59e4ed:8bf42082588399698be90b54b48c5ce9
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/crack.CAB

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

E:\WINDOWS\system32\winlw.exe

E:\WINDOWS\system32\njuee.dll

E:\WINDOWS\system32\msbu.dll

E:\WINDOWS\System32\culvob.exe

E:\WINDOWS\dbcqsf.exe

E:\WINDOWS\d3ip32.exe

NEXT:
Run CCleaner and Spybot S&D and have Spybot fix what it finds.
Note: Dont forget to update Spybot S&D by selecting "Search For Updates"


Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

Reboot to Normal Windows

FINAL STEP

Reset Web Settings & Default Security Settings:


To Reset Web Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


To Default Security Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


After doing ALL of the above,
Scan with HijackThis and attach the new log.
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

Good Luck!

 

thank youo for the advice

Things have gone from bad to worse, as when I got home from work I found I couldnt even access the net anymore, seems like every website I attempt to go to, I get redirrected elsewhere. Have had to drive over to my brothers to save this reply on disk to apply it.

Wil let you know how it goes tomorrow, or tonight if things go better than I expect.

 

Thanks again

internets back and all seems well *looks about tentatively*

am touchin all kinds of wood, but it seems like the problem is solved.

Heres my HJT log


Im reluctant to say the problem is solved though till you've seen the log, but fingers crossed all is well now.

 

You HJT log is clean!

Are you having any further problems?

You should also see this article on How to Protect yourself from malware!

 

everything seems fine, thanks aghain for both of your help, it was really really appreciated .

 

Your Welcome!