Trojan help needed.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by BigDozer66, Aug 3, 2005.

  1. BigDozer66

    BigDozer66 Private E-2

    I have done everything (except remove MS Java) in the "DO NOT POST UNTIL YOU HAVE READ THIS: How to: Spyware, Trojan and Virus Removal" and I still have a "Trojan.Win32Agent.AY" that a2 and Bitdefender found but will not remove. There is also a "cookies\abetternet[2]" and a "Trojan\downloader.Win32.intexp.d" that showed up on the a2 scan.

    Any and all help would be greatly appreciated. :)

    TIA,
    BigDozer66
     
  2. BigDozer66

    BigDozer66 Private E-2

    I have done everything in the "DO NOT POST" thread twice now and I still have the thnall1ac.exe that 2 or 3 of the scanners found but none would remove. :(

    Any advice? :confused:

    Thanks,
    BigDozer66
     
  3. BigDozer66

    BigDozer66 Private E-2

    Make that 3 complete times now and a couple extra Norton scans.

    I'll have to wait until tomorrow to see if it is gone. :(

    BigDozer66
     
  4. PhilliePhan

    PhilliePhan Guest

    Hi BD,

    This forum is missing a major contributor and so BJGarrick is pretty much on his own right now. Please be patient.

    Go ahead and send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99.1) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis ! Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99.1

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I will try to check back as time permits.

    Best luck :)
    PP
     
  5. BigDozer66

    BigDozer66 Private E-2

    PP,
    Thanks! :cool:

    I will attach the HJT log.

    BigDozer66
     

    Attached Files:

  6. BigDozer66

    BigDozer66 Private E-2

    These are the ones found and not able to be deleted/removed...

    B5BCA52A-DAE
    exvecm.exe
    inuquzxvig.exe
    thnall1a.exe
    thnall1ac.exe


    My hair is going fast as I am pulling it out! :p

    Thanks,
    BigDozer66
     
  7. PhilliePhan

    PhilliePhan Guest

    You'll need to attach the report or something with the full paths of those and we can feed them to Pocket KillBox to remove them.


    I only saw a couple things in your HJT Log:


    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

    - download Nail/Bolder/Aurora Remover 0.3.1 Beta and save it to its own folder like c:\ABIremover

    - Now extract the abiremover.exe file from the ZIP file into the folder you created but do not run the EXE yet. We will run it later.

    - Now boot into safe mode, run the abiremover.exe but make sure you are physically disconnected from the internet (unplug your cable to be sure). Just click install, wait (explorer window will disappear)

    - When abiremover finishes just reboot into normal and continue with the below steps.



    O4 - HKLM\..\Run: [splygz] c:\windows\system32\udsndo.exe r --> I do not know what this is, do you? If not, fix with HJT, then boot to safe mode and delete the file.

    First, though, you MUST extract HJT from the ZIP to its own safe folder C:\Program Files\HijackThis

    PP :)
     
  8. BigDozer66

    BigDozer66 Private E-2

    How do I post the full links?

    BigDozer66
     
  9. BigDozer66

    BigDozer66 Private E-2

    Here is the new log after doing what you requested.

    I didn't see the udsndo.exe thing listed this time?

    Thanks,
    BigDozer66
     

    Attached Files:

    Last edited: Aug 4, 2005
  10. PhilliePhan

    PhilliePhan Guest

    Either get them from the log of the tool that is finding them or track them down using Windows Explorer. Of course, if you do the latter, you can just manually delete them when you find them.


    I see a couple new baddies in your HJT log and one mutated - Try this:

    Please print out or save these instructions locally so that you can Disconnect from the Internet and operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and try to end it, if found.

    hkczrq.exe

    Now scan with HijackThis and Check the Boxes for the following, if they remain:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

    O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll

    O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
    O4 - HKLM\..\Run: [chcsmy] c:\windows\system32\hkczrq.exe r

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\dsr.dll
    C:\WINDOWS\dinst.exe
    c:\windows\system32\hkczrq.exe

    NEXT:
    Run CCleaner and Spybot S&D (from the READ ME FIRST Sticky Post ) and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits.

    Best luck :)
    PP
     
  11. BigDozer66

    BigDozer66 Private E-2

    I'll let you know how it is working! :cool:

    Thanks a million and hopefully this will get it clean.
    BigDozer66
     

    Attached Files:

    Last edited: Aug 5, 2005
  12. PhilliePhan

    PhilliePhan Guest

    Hi BigDozer66,

    It looks like this baddie has mutated again:

    O4 - HKLM\..\Run: [chcsmy] c:\windows\system32\hkczrq.exe r
    has now become
    O4 - HKLM\..\Run: [avlusho] c:\windows\system32\mefswkl.exe r

    Scan with HJT and see if you can find and fix that (or similar) entry and delete the associated file. The r on the O4 entry should help you pick it out.


    Let me know how you fare.

    PP :)
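    The pattern PhilliePhan is describing in posts 10 and 12 (an O4 Run entry whose image lives in system32 and is launched with a lone "r" argument, renaming itself between scans) can be checked mechanically. The script below is an added example for this thread; it is not code from MajorGeeks, from the thread, or from HijackThis. It parses the R0/R1, F2, O2 and O4 line formats that appear in the logs quoted above and flags the indicators the helper pointed at, then lists the full file paths a cleaner would delete in Safe Mode (the question asked in post 8). The sample log is constructed from lines quoted in posts 7, 10 and 12 plus two benign control entries, and the hijacker domain list is built only from the entries flagged in this thread. Note that the heuristics do not catch the Dinst entry the helper also flagged, which is why a human still reads the whole log.

```python
"""Triage a HijackThis-style log for the indicators discussed in this thread."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Hijacker domains, constructed from the R0/R1 entries flagged in this thread.
HIJACK_DOMAINS = {"websearch.drsnsrch.com", "hsremove.com"}

# Constructed sample log: lines quoted from posts 7, 10 and 12, plus two benign
# control entries (a MajorGeeks start page and a SoundMan Run entry).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [chcsmy] c:\windows\system32\hkczrq.exe r
O4 - HKLM\..\Run: [avlusho] c:\windows\system32\mefswkl.exe r
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""

R_LINE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.+)$")
F2_LINE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<cmd>.+)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<desc>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_LINE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Splits a Run command into the image path (up to the first .exe) and its arguments.
EXE_ARGS = re.compile(r"^(?P<exe>.+?\.exe)\s*(?P<args>.*)$", re.IGNORECASE)


@dataclass
class Finding:
    section: str          # HJT section: R0/R1, F2, O2, O4
    reason: str           # why the line was flagged
    line: str             # the raw log line
    path: Optional[str]   # file a cleaner would delete in Safe Mode, if any


def _domain(url: str) -> str:
    """Return the host part of a URL, with or without a scheme."""
    host = re.sub(r"^[a-z]+://", "", url.strip(), flags=re.IGNORECASE)
    return host.split("/")[0].lower()


def triage(log_text: str) -> List[Finding]:
    """Apply the thread's heuristics to each recognised log line."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := R_LINE.match(line)):
            if _domain(m["value"]) in HIJACK_DOMAINS:
                findings.append(Finding(line[:2], "IE search/start page points at a known hijacker domain", line, None))
        elif (m := F2_LINE.match(line)):
            # A clean Shell= value is exactly Explorer.exe; anything appended starts alongside it.
            for extra in (tok for tok in m["cmd"].split() if tok.lower() != "explorer.exe"):
                findings.append(Finding("F2", "Shell= launches an extra executable", line, extra))
        elif (m := O2_LINE.match(line)):
            # Legitimate BHOs live under Program Files; a DLL dropped straight into C:\WINDOWS is suspect.
            if ntpath.dirname(m["path"]).lower() == r"c:\windows":
                findings.append(Finding("O2", "BHO DLL sits directly in the Windows directory", line, m["path"]))
        elif (m := O4_LINE.match(line)):
            cmd = EXE_ARGS.match(m["cmd"])
            # The tell from post 12: a system32 image started with a lone "r" argument.
            if cmd and cmd["args"].strip().lower() == "r" and "\\system32\\" in cmd["exe"].lower():
                findings.append(Finding("O4", "system32 Run entry launched with a lone 'r' argument", line, cmd["exe"]))
    return findings


def files_to_delete(findings: List[Finding]) -> List[str]:
    """Full paths to remove in Safe Mode, deduplicated, in log order."""
    seen, out = set(), []
    for f in findings:
        if f.path and f.path.lower() not in seen:
            seen.add(f.path.lower())
            out.append(f.path)
    return out


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print("\nDelete in Safe Mode:")
    for p in files_to_delete(results):
        print("   ", p)
```

    Because the O4 check keys on the argument and the directory rather than on the file name, it flags both hkczrq.exe and its renamed successor mefswkl.exe from the same rule, which is exactly the property a mutating dropper is trying to defeat.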
     
  13. BigDozer66

    BigDozer66 Private E-2

    I am hopeful that this did it! :)

    Thanks for the help and here is the latest log.

    BigDozer66
     

    Attached Files:

  14. PhilliePhan

    PhilliePhan Guest

    You're welcome!

    Latest HJT Log looks OK. Well done!
    I imagine things are now working as they should?

    PP :)
     
  15. BigDozer66

    BigDozer66 Private E-2

    I will verify on Monday as I was only at work for 4 hours today and I didn't have any problems! :cool:

    I do appreciate the help and if by some freak accident it should happen again I will have more knowledge to deal with it. :)

    Now to check out some of the other sections here on MajorGeeks and tune up my PCs! :cool:

    BigDozer66
     
  16. PhilliePhan

    PhilliePhan Guest

    Cool! :)
     
