Trojan Party - Help!

Discussion in 'Malware Help (A Specialist Will Reply)' started by guppy7bl, Nov 11, 2007.

  1. guppy7bl

    guppy7bl Private E-2

    About a week ago, my computer started running super slow and when I would pull up any website, another window would open with some other unwanted websites. Programs are sending error messages and it's been a mess.

    Before this all happened, I had Symantec antivirus on my computer (the version a student at a university would be allowed to download compared to the purchased version from the store). It started picking up a trojan file and told me it had deleted the file. This happened two or three times over the next day or two.

    I've gone through the steps by running Spybot, Bitdefender and Counterspy and the other files. Each of the scans identified some version of a trojan file running on my computer.

    Spybot found Virtumonde and removed it. The first time it showed 10 items (3 files, some registry keys, etc.) The second time I ran it showed 6 items (2 files, the others were registry keys). The last two times I ran it, it said the computer was clean. Still when I would boot up it took much more time and I noticed the small rectangle that resembles the player bar on the Itunes player that would appear right where the start up icons show up on the bottom right hand of the screen. After about a minute or so, the bar would disappear and the regular icons would show up. Bit defender picked up a trojan related to the Installer Cache for the Itunes player and I wonder if that was the Itunes "player" bar I was seeing each time I booted up the computer.

    The application error popup screens are going crazy. The ones that consistently came up for drwin.exe saying that the "instruction at "0x7c883f9c" referenced memory at "0x7c883f9c". The memory could not be "written". Other errors popped up, wanting to shut down almost any program I opened, such as wuauclt.exe, wmi.exe, windows live toolbar, notepad, cmd, etc.

    I've also had trouble with Safe Mode not booting up. While connected to the internet to run the online scanners, the application error popup problems typically intensify.

    I hope you guys can help. I did some work on my own removing some of the trojans but they kept coming back. Please help so I can get back to a clean machine again.

    The one problem I had with the process was the getrunkey.txt file. I fixed the 16 bit error, but when I search for the file, I couldn't find it. I'll attach the three other files it created during the process in case they help.

    I'd appreciate any help with this problem. It's like I'm cutting off the branches by not pulling out the roots on this one. I need help.

    Thanks
     

    Attached Files:

  2. guppy7bl

    guppy7bl Private E-2

    Adding other file attachments. The three files it created while trying to run the getrunkey.bat process were too big to attach. Let me know if there's anything else I can do to get the program to work.

    When I click the getrunkey.bat file, it first tells me the key is already being used in another process like 10 times and just spits out this:

    Note: ignore any error messages about not finding registry keys! Just wait for the program to finish running.
    C:\xtmpsysccs.txt
    C:\xtmpsyscs1.txt
    C:\xtmpsyscs2.txt
    1 file(s) copied.

    But I can't find the runkeys.txt file anywhere.

    Thanks.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You did not install HijackThis and the GetRunKey and ShowNew tools as requested in the READ & RUN ME and this may have caused your problem with GetRunKey. You should not have installed any of these in the "fun" folder created on your Desktop. The READ ME specifically asks that you not install any of these on your Desktop. You should delete these now. I will have you run a new tool (further down) that will automatically install these properly and it will get new logs to post after we do some cleaning.

    First you need to re-run CounterSpy and fix everything it found. You ignored everything last time. You can ignore WeatherBug if you really feel you need it but fix everything else. Save and attach a new log from CounterSpy.

    Now let's remove some left over services from Symantec:
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Symantec Lic NetConnect service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above to Stop and Disable the below two Services (if you do not find them or get any errors, just continue):
      • LiveUpdate
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste CLTNetCnService into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below two Services (if you do not find them or get any errors, just continue)
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Now Uninstall the below old versions of software:
    Java 2 Runtime Environment Standard Edition v1.3.1_02
    Java 2 Runtime Environment, SE v1.4.1_02
    Java 2 Runtime Environment, SE v1.4.2_03

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {37CA39DF-36A0-4FC9-85AB-6D1C30D64025} - C:\WINDOWS\system32\ddaya.dll
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    Now run this procedure: Using MGtools and attach the requested C:\MGlogs.zip file. This will contain all new logs from GetRunKey, ShowNew, HijackThis and a couple other tools which will automatically be run by the MGtools.exe program.


    Make sure you tell me how things are working now!
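    The six HijackThis lines in this post (the nameless O2 BHO and the five O15 ProtocolDefaults entries) are what the rest of the cleanup hinges on. As an added example, written for this page and not part of chaslang's instructions or of the MajorGeeks tools, here is a small Python triage script that parses O2 and O15 lines from a HijackThis log and states why each one is flagged. The sample input is the six lines from this post plus one constructed benign BHO entry; the "short DLL name directly in system32" heuristic is my own assumption, not a HijackThis rule.

```python
"""Triage O2 (BHO) and O15 (ProtocolDefaults) lines from a HijackThis log."""
import re
from dataclasses import dataclass, field

# "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)
# "O15 - ProtocolDefaults: '<proto>' protocol is in <X> Zone, should be <Y> Zone"
O15_RE = re.compile(
    r"^O15 - ProtocolDefaults: '(?P<proto>[^']+)' protocol is in "
    r"(?P<current>.+?) Zone, should be (?P<expected>.+?) Zone$"
)
# Heuristic (assumption of this example, not an HJT rule): a five-to-eight-letter
# DLL dropped straight into system32 is the naming pattern Vundo-style BHOs use.
SUSPICIOUS_DLL_RE = re.compile(r"C:\\WINDOWS\\system32\\[a-z]{5,8}\.dll", re.IGNORECASE)


@dataclass
class Finding:
    kind: str                  # "O2" or "O15"
    line: str                  # the original log line
    reasons: list = field(default_factory=list)


def assess_bho(name: str, path: str) -> list:
    """Return the reasons a BHO line deserves attention (empty list = benign)."""
    reasons = []
    if name.strip().lower() == "(no name)":
        reasons.append("BHO registered without a display name")
    if SUSPICIOUS_DLL_RE.fullmatch(path.strip()):
        reasons.append("short random-looking DLL directly in system32")
    return reasons


def triage(lines) -> list:
    """Walk log lines and collect findings for suspicious O2 and mismatched O15 entries."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            reasons = assess_bho(m["name"], m["path"])
            if reasons:
                findings.append(Finding("O2", line, reasons))
            continue
        m = O15_RE.match(line)
        if m and m["current"] != m["expected"]:
            # HJT only emits O15 lines when the zone differs from the default,
            # so any match is a mapping that has been changed.
            findings.append(Finding("O15", line, [
                f"'{m['proto']}' handled in {m['current']} Zone instead of {m['expected']} Zone"
            ]))
    return findings


def summarize(findings) -> dict:
    """Count findings per HJT section, e.g. {'O2': 1, 'O15': 5}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


SAMPLE_LINES = [
    # The six lines chaslang asked to be fixed in this post.
    "O2 - BHO: (no name) - {37CA39DF-36A0-4FC9-85AB-6D1C30D64025} - C:\\WINDOWS\\system32\\ddaya.dll",
    "O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone",
    "O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone",
    "O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone",
    "O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone",
    "O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone",
    # Constructed benign entry (not from the thread): a named BHO under Program Files.
    "O2 - BHO: Example PDF Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\pdfhelper.dll",
]

if __name__ == "__main__":
    results = triage(SAMPLE_LINES)
    for f in results:
        print(f"[{f.kind}] {f.line}")
        for r in f.reasons:
            print(f"      -> {r}")
    print(summarize(results))
```

    The O15 lines matter because the ProtocolDefaults mapping decides which Internet Explorer security zone a URL scheme is evaluated in; moving http, https, ftp and file into the My Computer Zone removes the restrictions the Internet Zone would otherwise apply, which is why infections change them and why HijackThis reports the mismatch.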
     
  4. guppy7bl

    guppy7bl Private E-2

    Thanks for your quick response. I appreciate your help.

    I've deleted the files from the desktop folder. Thanks for the heads up on that. Guess I'm still learning to follow all of the instructions. :)

    First you need to re-run CounterSpy and fix everything it found.

    I attached the wrong scan log. I ran the CS scan twice the other day and removed all infected items after the second scan. I accidentally sent you the log from the first scan.

    I ran Counter spy tonight and everything came back clean. I'll attach the log file.

    Now let's remove some left over services from Symantec:
    • .....


    • Symantec service was already stopped but I disabled and deleted it with Hijack this. Live Update was stopped and I disabled it. You mentioned the "below two services" but I only saw Symantec and Live Update that needed to be disabled and modified. Since you didn't say to delete the Live Update I didn't.
    • Now repeat the above to Stop and Disable the below two Services (

      Not sure what you meant about the below two services. You mentioned it twice but the only programs you mentioned were LU and Symantec and you only said to delete Symantec. Perhaps this was a typo.

      I successfully uninstalled all versions of Java.

      So the first time I ran Hijack This the BHO wasn't there. I had seen it before, but was surprised not to see it again. However, I ran Hijack this again after a few of the other steps and it did show up. I selected it and clicked fix checked.

      I fixed the other entries with the first Hijackthis scan.

      O2 - BHO: (no name) - {37CA39DF-36A0-4FC9-85AB-6D1C30D64025} - C:\WINDOWS\system32\ddaya.dll
      O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
      O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
      O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
      O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
      O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
      After clicking Fix, exit HJT.

      Copy the bold text below to notepad. Save it as fixme.reg

      This step worked perfectly.

      I downloaded Avenger and deleted the files and folders you outlined. I'll attach the log file.

      I downloaded and installed the most recent version of Java.

      I downloaded ATF cleaner and used it to clean files for IE and Firefox as instructed.

      I had a little bit of trouble with the MGTools program. The major error I'm getting now (not with just MGTools, but with some other programs) is that drwin.exe application error. That error comes up and then errors for every program I open up. As long as I don't click OK I can still run the programs, but with the MGTools I had like 10 of the errors open up, all aiming to shut down the programs that are part of the MGTools package.

      Does the program take a long time to run? It's finished the Run Keys portion and has been at Scanning please Wait for the last 45 minutes or so.

      I'm going to attach the log files I have to this reply and when the others come up I'll have to attach them to another reply.

      Thanks again. I'll attach the most recent HijackThis log file I have in the next reply and then I'll reply with the zipped files once I get them.

      The major problems I still have with the computer are the numerous application error popups for almost every type of program I use and the mini Itunes player bar that is still showing up before the icons do by the clock when I boot up.

      Sure appreciate your help.
     

    Attached Files:

  5. guppy7bl

    guppy7bl Private E-2

    Here's the latest Hijack this file. I think another one comes out of the MGTools process but I'm still waiting for that to finish.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It should not take that long to run. Kill the process if still running. Then uninstall the CounterSpy trial now. Then try to go to the C:\MGtools folder and run the GetLogs.bat file by double clicking on it. This should hopefully run all the way thru and create the C:\MGlogs.zip file containing all logs needed. Make sure that Kaspersky is not interfering with the scripts running.
     
  7. guppy7bl

    guppy7bl Private E-2


    So once I started to close some of the application errors (which typically shut down all running programs) but this time the cmd prompt didn't close and the rest of the files were produced. :cool

    Should I still uninstall Counter Spy?

    I'll attach the zip file.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If it is the free trial from the READ ME, yes uninstall it now. And then delete the below folders if they still exist:
    C:\Documents and Settings\BrandonH\Application Data\Sunbelt
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software


    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Are you currently having any malware issues?
     
  9. guppy7bl

    guppy7bl Private E-2

    I uninstalled Counter Spy and made sure the folders you listed were gone. They all were.

    Merged the FixME.reg file with the registry. Was this supposed to start up the Panda Scan on the next reboot? I rebooted and Panda didn't do anything. Please advise.

    I'm still getting the Itunes player bar showing up where the icons should be by the clock when I reboot. After about 15 seconds it goes away and the network, power, and other icons show up. The image is about an inch wide and 1/8 inch tall, just fitting on the bottom bar there by the clock. It's the forward, play, back and volume adjustment part of the Itunes player.

    Another alert comes up from Kaspersky every time I boot denoting a Keylogger program.

    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

    It references the above file, which should just be my DVD player, but it says that it's going to redirect my keyboard and so I terminate the process every time.

    I'm not sure if the malware is causing the application errors, but I'm still experiencing them also.

    Thanks.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! The registry patch was used to remove them since you don't need Panda to be run on next reboot.

    I'm not sure why you are mentioning this. iTunes is not malware. If you don't want it then uninstall it.

    It is not malware and it is not a problem. Kaspersky is incorrect. It is for your Power DVD software.

    Highly unlikely, but I will have you run one more scan below. If it turns up negative, you will have to continue to work these errors in the Software Forum.

    Run this Using Sophos Anti-Rootkit and attach the requested log.
     
  11. guppy7bl

    guppy7bl Private E-2


    Thanks for explaining the Panda thing.

    I know Itunes isn't malware. I did some searching and discovered the bar I was seeing in the system tray upon startup was related to Quicktime. It's defaulted to start up with each boot (pretty stupid if you ask me) but you can change the setting on it to not do that. Made the change and now it doesn't show up.

    The reason I thought it might be infected was because the Bitdefender online scan said they found a trojan in the Itunes installer folder. It specified the qttask.exe file, which is the start up file for that lame feature in Quicktime. Anyways, that's fixed.

    Thanks for the update on DVD player. I was surprised to see it say it was a keylogger, but the AV programs don't get it right every time.

    Haven't had any trouble with the drwin.exe errors with the last few times I booted up and used the computer. It looks like that problem is gone now that you've helped me clean up some things.

    I ran the Sophos Anti-Rootkit scan and attached the log. It came up with a couple of hidden files. Let me know what I need to do with those.

    My computer is running much better. I really appreciate your help. Thanks for helping me clean things up.

    All the best.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These are not problems.

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
