Trojan Horse/Adware

Discussion in 'Malware Help (A Specialist Will Reply)' started by lemonthins, Apr 18, 2008.

  1. lemonthins

    lemonthins Private E-2

    Hi, this afternoon my PC became infected with various malware:
    The desktop background was changed to a blue screen telling me that my PC was infected with spyware. It provides a link which takes you to a website selling anti-spyware.

    Various pop-ups appear with similar messages, for example, saying that I have trojandownloader.XS and abebot, and a yellow pop-up speech bubble from the system tray, making similar claims. These are in XP style but are obviously fake!

    Avast found NDNUNI~2.exe whilst I was removing new.net domains 7.48 using add/remove programs.
    I also found AKL and Inet delivery in my programs folder. In the programs folder there is also a newdotnet folder - when I opened this Avast said it contained a trojan.

    The computer is generally running slower - especially when opening explorer using windows key+E

    I have been searching for answers for hours now, and have tried different things - including running smitfraudfix. This has removed the background, but the pop-ups keep coming.
    I searched for AKL and Inet in the registry as suggested by another site - couldn't find them, so just deleted the folders.

    I would be very grateful for any suggestions. I have attached my HJT log. I hope I have done this correctly - apologies in advance if not.
     


  2. lemonthins

    lemonthins Private E-2

    I am attaching all log files as specified in the XP cleaning procedure.
     


  3. lemonthins

    lemonthins Private E-2

    After running these tools the pop-ups have stopped and the blue screen has been removed. But is my system now totally clean?

    Thank you.
     


  4. abri

    abri MajorGeek

    Hi lemonthins,
    Welcome to Major Geeks!


    Your computer is obviously better than it was, but at a glance I did see that there are still some files that need removing. Please use your computer as little as possible until someone can post a set of instructions to you. That will reduce the risk of getting the malware going again. The evaluation of your logs and putting together the instructions takes quite a bit of time, so thanks for being patient.

    abri
     
  5. lemonthins

    lemonthins Private E-2

    Hi,
    Thanks for the advice - I look forward to further instructions.
     
  6. abri

    abri MajorGeek

    Hi lemonthins,

    What is in the following folder? (You can look in the folder, but do not open any files if you don't know what they are.)

    C:\Documents and Settings\All Users\Application Data\ybmdonof



    And now, please do the following:

    1) Please disable your guest account if this hasn't already been done.

    2) Go to add/remove programs and uninstall the below:

    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 8
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) SE Runtime Environment 6 Update 1


    3) Reboot after uninstalling the above.

    4) Install the current version of Sun Java from: Sun Java Runtime Environment

    5) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    6) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [48a63af2] rundll32.exe "C:\WINDOWS\system32\tdqiclsi.dll",b

    After you click fix, just close HijackThis.



    7) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    8) Now run CCleaner at the default setting with the Windows tab as the top one.

    9) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now?

    abri
     
  7. lemonthins

    lemonthins Private E-2

    Hi,

    There is nothing in that folder.

    I completed all the instructions and am attaching the logs.
    One other issue: at startup, a dialogue box pops up saying "c:\windows\system32\tdqiclsi.dll Specified module could not be found." However, after running your instructions it didn't happen. Don't know if that was a one-off or not though.

    Thanks for your help.
     


  8. abri

    abri MajorGeek

    Hi lemonthins,

    The popup was a complaint from the malware. :D

    Please delete the folder I had you look at:

    C:\Documents and Settings\All Users\Application Data\ybmdonof

    Run CCleaner and then reboot your computer and use it a bit before completing the instructions below.

    Everything else looks okay. Please do the final cleanup instructions in the box:
    abri
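    The two things abri is working from in the two posts above are the HijackThis O4 autorun lines (a Run value with a random-looking name that loads a DLL through rundll32) and, after the DLL has been deleted, the leftover Run value that produces the "Specified module could not be found" popup at logon. The script below is an added example, not code from the thread or from MajorGeeks: it parses lines in the O4 format quoted above and flags entries with a hex-looking value name, rundll32 calls with a one- or two-character export, and entries whose target file no longer exists (the dangling case behind the popup). The log text and the post-cleanup disk picture are constructed for the example; `simulated_exists` stands in for a real `os.path.exists`.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample in HijackThis "O4" (autorun) format. The three HKLM entries
# quoted in the thread are reproduced; the other two are made up here as
# examples of ordinary, legitimate entries.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [48a63af2] rundll32.exe "C:\WINDOWS\system32\tdqiclsi.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"""

# Constructed picture of the disk *after* the malicious DLL has been deleted:
# everything referenced above is still present except tdqiclsi.dll.
PRESENT_AFTER_CLEANUP = {
    p.lower()
    for p in [
        r"C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe",
        r"C:\Program Files\QuickTime\QTTask.exe",
        r"C:\WINDOWS\system32\ctfmon.exe",
        r"C:\WINDOWS\system32\NvCpl.dll",
    ]
}


def simulated_exists(path: str) -> bool:
    """Stand-in for os.path.exists against the constructed post-cleanup disk."""
    return path.lower() in PRESENT_AFTER_CLEANUP


# "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# rundll32 <dll>,<export>; the path may be quoted and the tool name upper-case
RUNDLL_RE = re.compile(
    r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S*)', re.I
)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,}$", re.I)


@dataclass
class AutorunEntry:
    hive: str
    key: str
    name: str
    command: str


def parse_hjt_o4(log_text: str) -> List[AutorunEntry]:
    """Parse the O4 lines out of a HijackThis log; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(AutorunEntry(m["hive"], m["key"], m["name"], m["cmd"]))
    return entries


def target_path(command: str) -> str:
    """The file an autorun command really loads: the DLL for rundll32, else the exe."""
    m = RUNDLL_RE.match(command)
    if m:
        return m["dll"]
    m = re.match(r'^"([^"]+)"', command)
    if m:
        return m[1]
    parts = command.split()
    return parts[0] if parts else ""


def assess(entry: AutorunEntry,
           file_exists: Optional[Callable[[str], bool]] = None) -> List[str]:
    """Return the reasons (if any) this entry deserves a closer look."""
    findings = []
    if HEX_NAME_RE.match(entry.name):
        findings.append("random-looking value name")
    m = RUNDLL_RE.match(entry.command)
    if m and len(m["export"]) <= 2:
        findings.append(f"rundll32 calling a DLL by a terse export name ({m['export']!r})")
    path = target_path(entry.command)
    if file_exists is not None and path and not file_exists(path):
        findings.append("target file missing (dangling autorun; source of a "
                        "'module could not be found' popup at logon)")
    return findings


def audit_autoruns(log_text: str,
                   file_exists: Optional[Callable[[str], bool]] = None) -> Dict[str, List[str]]:
    """Map value name -> findings for every entry that raised at least one."""
    report = {}
    for entry in parse_hjt_o4(log_text):
        findings = assess(entry, file_exists)
        if findings:
            report[entry.name] = findings
    return report


if __name__ == "__main__":
    for when, exists in (("before cleanup", None), ("after cleanup", simulated_exists)):
        print(f"--- {when} ---")
        for name, reasons in audit_autoruns(SAMPLE_HJT_LOG, exists).items():
            print(f"[{name}]")
            for reason in reasons:
                print(f"    - {reason}")
```

Run against a real HijackThis log, pass `os.path.exists` as `file_exists` and the third finding tells you which Run values are now pointing at nothing and can simply be removed; the first two findings are heuristics and a legitimate vendor entry such as the NvCpl one above should come through clean.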
     
  9. lemonthins

    lemonthins Private E-2

    Hi Abri,

    Thanks for your help - my PC now seems to be running normally again. There was just one problem: A while ago the taskbar would not respond to the mouse, immediately after startup. This happened intermittently, then seemed to stop, but when I turned the computer on today, it did it again! I have to log off and back in again before it will work. Any ideas what might be causing this?

    Many thanks.
     
  10. abri

    abri MajorGeek

    Hi lemonthins,

    Do you mean that after waiting until all the icons are in place and completely loaded, that the mouse then fails to get them to work? Please try the following so I have a little more information.

    After you boot up, can you point your mouse at the icons and get the info balloon? Like pointing at the clock and getting the date information? Or pointing at one of the programs icons and getting the information about what it is?

    If you are not getting a response from the mouse, can you go to the same program via Start / All Programs and then get the program to work?

    When the taskbar is unresponsive to the mouse, if you use Ctrl / Alt / Del, does the task manager show whether everything has completed loading?

    How long after you've booted up do you wait before deciding it's not responding and then reboot?

    abri
     
  11. lemonthins

    lemonthins Private E-2

    Hi,

    It's difficult as it only happens occasionally! But when it does happen, I can't get the info balloons and clicking left/right mouse buttons has no effect. Also, the 3D rollover effect doesn't happen (i.e., when you roll the mouse over the start button, for example, it normally becomes lighter).

    The programs can be opened from the start menu which can be entered by pressing the windows key on the keyboard.
    I ought to mention I cannot access anything on the taskbar - the start menu, minimised programs etc.

    I wait until everything has completed loading. Sometimes, I just carry on using the machine, not having time to reboot - the problem remains.

    Ending the process "explorer" and relaunching it cures the problem, but is inconvenient as I lose certain programs which run in the background (for example, my desktop calendar).

    Thanks for your reply
     
  12. abri

    abri MajorGeek

    Hi lemonthins,
    I have to find out more on this. Thanks for your patience.
    abri
     
  13. lemonthins

    lemonthins Private E-2

    Thanks,

    I look forward to hearing from you.
     
  14. abri

    abri MajorGeek

    Hi lemonthins,

    At the moment we have more questions than answers and I may ask you to start a thread in the hardware or software forums where you can get more feedback, but I would like to get more information first and have you try a couple of additional scans.

    First some questions.

    How does the computer run when it's in safe mode? Do you have the same problem?

    What kind of mouse are you using? wired/wireless, programmable?

    Chaslang noticed you have a lot of services running. What happens if you go to Start / Run and type in services.msc and click on OK. Find the services listed in the box below and disable them. Do you still have the same problem? (You can re-enable them afterwards.)
    Finally, I would like for you to run two scans, one an online scan which requires Internet Explorer and the other to look for rootkit traces.

    Please begin with Using PandaActiveScan. There are instructions for running the scan. It requires Internet Explorer and ActiveX needs to be enabled. Also in the instructions, you'll find information on how to save a log. I would like to see this.

    Then when you finish with that one, please go to Alternate Scans and scroll about halfway down the page to the list of rootkit scans. Please download and run GMER.

    When you're finished please attach both the ActiveScan log from Panda and the GMER log along with the answers to the above questions.


    Thanks very much.
    abri
     
  15. lemonthins

    lemonthins Private E-2

    Hi Abri,
    Thanks for your suggestions. It's been a busy few days, but I'll try and get back to you as soon as possible with the results!
     
  16. lemonthins

    lemonthins Private E-2

    Hi Abri,

    I've not had the problem since I wrote to you about it last. However, it will probably crop up from time to time. I'll follow your instructions and write to the hardware or software forums if it does.

    Thank you very much for your help! My computer now seems in perfect health.

    Thanks,
    lemonthins.
     
  17. abri

    abri MajorGeek

    Hi lemonthins,

    Hopefully the problem will stay away.
    Best of luck to you!

    abri
     
