trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by chrisss, Dec 30, 2005.

  1. chrisss

    chrisss Private E-2

    hi, i have avg, spybot, adaware, micro antispy, and zone alarm. i run the scans then when i reboot they come back. :( i also notice that my Microsoft firewall keeps getting turned off. can someone help?? thank you!
    chris
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    That message is a little vague. What comes back? The way it is written, it sounds like you are complaining about the scanners coming back.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis

     
  3. chrisss

    chrisss Private E-2

    i did everything i was told to do except the two online scans (that i will do right after this post)
    but i wanted to ask a question. when i went to uninstall "best offers" from my control panel i was redirected to another site that said i had to download an uninstall tool. i wanted to make sure that was ok before i did it.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That tool sometimes works and sometimes it does not. Give it a try.
     
  5. chrisss

    chrisss Private E-2

    i did everything....i think! here is my log

    Edit by chaslang: Inline log removed.

    -------------------------------------------------

    i forgot to turn off system restore. this is the log after i turned it off

    Edit by chaslang: Inline log removed.

    ------------------------------------------------------------

    i have two computers. this is the first one.
    thank you
    ~chris
     
    Last edited by a moderator: Jan 1, 2006
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the directions I gave you in message number 2. You did not run ALL of the READ ME first. Also HJT is not installed as per the instructions and logs must not be posted inline. Read the directions again and please follow them. Also you were not supposed to turn off system restore until we removed all of the malware problems.
     
  7. chrisss

    chrisss Private E-2

    I couldn't do all scans in safe mode because they weren't available to me. but i did the scans that were and then did the others in regular mode then i did the online scans and saved them the way you said (i think...it was kind of confusing to me...:( sorry if i did it wrong)
    thank you
    ~chris
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What about the log from Panda ActiveScan? You did not run it. You must run it and attach the log.

    It also looks like you did not do step 0 of the READ & RUN ME. I still see a load of programs mentioned in that step running. BitDefender even found WeatherBug.

    First run the BestOffers uninstaller found here online and allow it to do its work: http://www.bestoffersnetworks.com/uninstall/

    Also look in Add/Remove programs for the below and uninstall:
    BestOffers <--- just in case the above did not work
    BullsEye Network
    NaviSearch
    SurfSideKick 3
    WeatherBug

    These were all in step 0 of the READ & RUN ME. Did you do this step??

    Is your MS Antispyware the current version number? Check what version it is and what definitions version you have.

    Also to get things started and clean up your HJT log a little, run HJT and select all the O18 lines with Logitech Desktop Messenger on them and then fix them. Lines like the below:

    O18 - Protocol: bw+0 - {F63E78E1-B77C-4151-A73E-000A14A0FB6A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    After doing all of the above, attach the Panda ActiveScan log and a new HJT log. Also answer my question about MS Antispyware.
     
    Last edited: Jan 2, 2006
  9. chrisss

    chrisss Private E-2

    ms is version 1.0.701 ex. 7/31/06

    panda won't let me run the scan. i don't know why. i tried several times.

    i fixed checked in hijack this

    in add/remove programs the programs you want uninstalled are not listed there.

    the best offer uninstaller didn't work. it ran for a while then got hung up and froze.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But what definitions version for MS Antispyware do you have? It should be detecting some of the stuff you have and also cleaning it. Did you run a full scan with MS Antispyware from safe mode and have it clean all that it finds?

    Let's get an installed programs list from HijackThis.
    Run HijackThis, click Open the Misc Tools section
    Click "Open Uninstall Manager"
    Click "Save List" (generates uninstall_list.txt)
    Click Save, to save it to a file where you can find it.
    Upload this file as an attachment too.
     
  11. chrisss

    chrisss Private E-2

    ms has all the updates installed. i ran it again in safe mode and booted up again and ran it again and some came back.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please answer my question and give the version number and the definitions file version numbers. You may not have the correct ones. As I can see from the Uninstall list you did not follow our directions in the READ & RUN ME. You neglected to verify that you are using the same versions that we specify in our links and did not get all updates.

    For one example: Spybot - Search & Destroy 1.3
    This is very old and out of date.

    This Viewpoint Media Player was recommended to be uninstalled in step 0 of the READ & RUN ME.

    Get the proper version of Spybot installed and get all updates. Then do a new scan.
    Do the same for any other programs that you may not have checked for new versions. Autoupdates of programs do not always check for version number changes. They may only look for detections/reference file changes.

    Then after doing the above, attach a new HJT log.
     
  13. chrisss

    chrisss Private E-2

    i installed newest version of spybot.... ran scan...no new threats found.

    i uninstalled viewpoint

    ccleaner is version v1.26.218
    adaware is version 1.06r1
    spybot is version 1.4
    ms is version 1.0.701
    cwshredder is version v2.19

    all have been updated
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You mean you now updated Spybot to version 1.4. It was not 1.4 previously.

    But you still neglect to give complete info. Version number of the program is only one piece. Reference/detection file version number and dates are the second part. I would not have been asking for this constantly if previously the info was given when requested and if your logs did not show information that indicated out of date scanners were run. We see it all the time! We have many people insisting they are up to date only to find out they are not. Case in point: your Spybot version.

    I still see Viewpoint Manager in your log. You said you uninstalled Viewpoint. What about Viewpoint Manager?

    I see the below are now gone:
    BullsEye Network
    NaviSearch
    SurfSideKick 3

    What finally removed them? Was it repeating the scans with a current update?
     
    Last edited: Jan 2, 2006
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download Nail FIX to a folder that you can locate. Then extract the files from the ZIP file into the folder you downloaded to. This should create a subfolder called NailFix with two files in it.

    Now exit all browser windows and use Windows Explorer to locate the folder and double click on nailfix.cmd. DO NOT BE ALARMED when your desktop blanks out and your Win Explorer window will close.

    Now continue with the below.

    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\cgumfjh.exe <--- this one may rename itself at each reboot. Try to find the new one.
    C:\DOCUME~1\user\LOCALS~1\Temp\aurareco.exe
    C:\DOCUME~1\user\LOCALS~1\Temp\dinst.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: IE5BarLauncherBHO Class - {1ADBCCE8-CF84-441E-9B38-AFC7A19C06A4} - C:\Program Files\TBONAS\BarLcher.dll
    O2 - BHO: (no name) - {4A25D449-2BAA-4426-A992-D18CA70CF5A9} - (no file)
    O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll
    O3 - Toolbar: Best Offers - {3D782BB3-F2A5-11D3-BF4C-000000000000} - C:\Program Files\TBONAS\BarLcher.dll
    O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll
    O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [homap] C:\WINDOWS\System32\homap.exe
    O4 - HKLM\..\Run: [rerzoo] C:\WINDOWS\system32\cgumfjh.exe r <--- this one may rename itself at each reboot. Try to find the new one.
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O15 - Trusted Zone: http://www.neededware.com

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete
    (tell me what you find and do not find):
    C:\Program Files\TBONAS <--- the whole folder
    C:\Program Files\Viewpoint <--- the whole folder
    C:\Program Files\AWS
    C:\WINDOWS\Nail.exe
    C:\WINDOWS\dinst.exe
    C:\WINDOWS\System32\homap.exe
    C:\WINDOWS\system32\cgumfjh.exe <--- this one may rename itself at each reboot. Try to find the new one.
    C:\Documents and Settings\user\Local Settings\Temp\aurareco.exe <-- it would be best to delete all files in this temp folder that it allows you to delete.
    C:\Documents and Settings\user\Local Settings\Temp\dinst.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
  16. chrisss

    chrisss Private E-2

    i couldn't find
    viewpoint
    win\nail
    win\dinst
    sys32\hoap.exe
    sys32\cgumfjh.exe

    and aurareco.exe wouldn't let me delete and i didn't know what run process it was in task manager. (read only file was not checked)


    viewpoint manager isn't in add/remove programs
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try to delete it now because it is no longer running at startup.


    That process that I said the following for:
    Did rename itself. It may do this each time you reboot. So it may have already changed to something else. If it did you will not find what I give you below so look for the new process name and O4 line in HJT and substitute into my instructions.

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\tojzhzk.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [vxdeuqb] C:\WINDOWS\system32\tojzhzk.exe r

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (tell me what you find and do not find):
    C:\WINDOWS\system32\tojzhzk.exe

    also look for any other files that begin with tojzhzk and end with any other extension. Like tojzhzk.dat, tojzhzk.dll, tojzhzk.ini .... etc. and delete all of them. Please tell me what you find.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder. Then empty your Recycle Bin.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working. Do not power down or reboot at this point if one of these infected files has respawned!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
  18. chrisss

    chrisss Private E-2

    i am using another computer so i wont have to shut down the one with the problems and have the process rename itself.


    i couldn't find the below process
    __________________________


    you said:
    That process that I said the following for:

    Quote:

    O4 - HKLM\..\Run: [rerzoo] C:\WINDOWS\system32\cgumfjh.exe r <--- this one may rename itself at each reboot. Try to find the new one.

    Did rename itself. It may do this each time you reboot. So it may have already changed to something else. If it did you will not find what I give you below so look for the new process name and O4 line in HJT and substitute into my instructions.

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\tojzhzk.exe
    _____________________________________________________
    you said :
    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder. Then empty your Recycle Bin.

    i did this
    ________________
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have now become reinfected with nail.exe and the process we have been trying to remove renamed itself. Didn't you notice this? I said to look for a possible different name. It should be easy to find it now that you have seen it multiple times. It will be the only thing in your log changing or that is new.

    C:\WINDOWS\system32\pydffk.exe
    O4 - HKLM\..\Run: [twwxogh] C:\WINDOWS\system32\pydffk.exe r

    You did not answer my questions where I said:
    Without feedback it is difficult for us to help you.

    Earlier you said you could not find nail.exe. Can you see C:\WINDOWS\Nail.exe now?
     
    Last edited: Jan 3, 2006
  20. chrisss

    chrisss Private E-2

    i found nail and pydffk.exe and deleted them then i booted in safe mode.

    after i booted in safe mode i didn't see nail or pydffk.exe

    i deleted files in prefetch then emptied the Recycle Bin.

    i booted in normal mode and here is my log. i have not shut down computer.
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have the infection.
    O4 - HKLM\..\Run: [ykfqdnq] C:\WINDOWS\system32\opkushh.exe r

    You need to answer my questions. I previously asked
    Now since the process has renamed, you will look for anything beginning with opkushh

    Also add another thing to look for: check for other new files with approximately the same date as opkushh.exe. Do you see any other new files?
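The O4 line above is the fourth name this entry has carried in the thread (cgumfjh, tojzhzk, pydffk, opkushh) while its shape never changed: an .exe directly in system32 with a short random lowercase name and a lone "r" argument. The Python below is an added example, not code from the thread, from HijackThis or from any of the tools named in it. It parses HJT-style log lines, flags the entry kinds that message 15 had fixed (about:blank search settings, an extra program on the Shell= line, the Trusted Zone entry, the random-named Run entry) and pairs the Run entry across two logs so the new name can be read off rather than hunted for. The two logs are constructed for the example from lines quoted in the thread; the name heuristic is tuned to this infection and on a real machine would need an allowlist of legitimate short-named system32 executables.

```python
import re

# Constructed sample input (added example data, not a log posted in the thread):
# two HijackThis-style logs from before and after a reboot, built from the entry
# types quoted in the thread. Raw strings keep the backslashes literal.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [rerzoo] C:\WINDOWS\system32\cgumfjh.exe r
O15 - Trusted Zone: http://www.neededware.com
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [twwxogh] C:\WINDOWS\system32\pydffk.exe r
"""

# "R1 - <body>", "O4 - <body>", "F2 - <body>" ...
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# "[name] C:\path\prog.exe optional args"
RUN_RE = re.compile(
    r"^\[(?P<name>[^\]]*)\]\s+(?P<path>.+?\.exe)(?:\s+(?P<args>\S.*))?$", re.IGNORECASE)
# An .exe sitting directly in system32 with a short all-letter name.
SYSTEM32_EXE_RE = re.compile(r"^[a-z]:\\windows\\system32\\([a-z]{5,8})\.exe$", re.IGNORECASE)


def parse_hjt(text):
    """Return (kind, body) for every entry line in an HJT log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def parse_run(body):
    """Split an O4 body into (entry name, exe path, args); None if it does not parse."""
    m = RUN_RE.match(body.split(": ", 1)[-1])
    if not m:
        return None
    return m.group("name"), m.group("path"), m.group("args") or ""


def is_renaming_run_entry(body):
    """The shape every name of this infection kept: random lowercase system32
    filename plus a lone 'r' argument. Heuristic tuned to this thread; a real
    system needs an allowlist (ctfmon.exe has a 6-letter lowercase name too)."""
    run = parse_run(body)
    if run is None:
        return False
    _name, path, args = run
    m = SYSTEM32_EXE_RE.match(path)
    return m is not None and m.group(1).islower() and args.lower() == "r"


def triage(text):
    """Map each suspicious entry line to the reasons it was flagged."""
    findings = {}
    for kind, body in parse_hjt(text):
        reasons = []
        if kind in ("R0", "R1") and body.rstrip().endswith("= about:blank"):
            reasons.append("IE search/start setting hijacked to about:blank")
        if kind == "F2" and body.startswith("REG:system.ini: Shell="):
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":  # anything after Explorer.exe runs at logon
                reasons.append("extra program appended to the Shell= value")
        if kind == "O4" and is_renaming_run_entry(body):
            reasons.append("random-named system32 .exe with ' r' argument")
        if kind == "O15":
            reasons.append("site added to IE Trusted Zone")
        if reasons:
            findings[f"{kind} - {body}"] = reasons
    return findings


def find_renamed_entry(before, after):
    """Pair the renaming Run entry across two logs: the flagged filename that
    vanished with the flagged filename that appeared in its place."""
    def names(text):
        return {parse_run(body)[1].rsplit("\\", 1)[-1].lower()
                for kind, body in parse_hjt(text)
                if kind == "O4" and is_renaming_run_entry(body)}
    gone = sorted(names(before) - names(after))
    new = sorted(names(after) - names(before))
    return list(zip(gone, new))


if __name__ == "__main__":
    for line, reasons in triage(LOG_BEFORE).items():
        print(line, "->", "; ".join(reasons))
    print("renamed:", find_renamed_entry(LOG_BEFORE, LOG_AFTER))
```

Run the file as-is to see the four flagged lines from the first log and the pairing (cgumfjh.exe, pydffk.exe) across the two; on real logs, feed `triage` and `find_renamed_entry` the saved hijackthis.log text from successive reboots.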
     
  22. chrisss

    chrisss Private E-2

    you said
    also look for any other files that begin with tojzhzk and end with any other extension. Like tojzhzk.dat, tojzhzk.dll, tojzhzk.ini .... etc. and delete all of them. Please tell me what you find
    this is not there
    you said
    You still have the infection.
    O4 - HKLM\..\Run: [ykfqdnq] C:\WINDOWS\system32\opkushh.exe r

    i can see how it keeps changing its name. i kill the process then check it then scan. when i rescan its there under another name. i tried three times.
     
  23. chrisss

    chrisss Private E-2

    i find opkushh in
    windows\pchealth\helpcenter
    should i delete the file with "collected data" ?
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What is the full path to the file?

    Is it:

    c:\Windows\PChealth\HelpCtr\Binaries\opkushh.exe

    What name appears right now in an O4 HJT line? Does it appear anywhere else on your PC?
     
  25. chrisss

    chrisss Private E-2

    you asked
    What name appears right now in an O4 HJT line? Does it appear anywhere else on your PC?

    azjpaiu.exe r (every time it changes its name it still keeps the r at the end)
    it appears in the hijack this log and in task manager

    you asked
    What is the full path to the file?

    Is it:
    c:\Windows\PChealth\HelpCtr\Binaries\opkushh.exe
    it was ( i deleted it)
    c:\Windows\PChealth\HelpCtr\collecteddata\opkushh.exe
     
  26. chrisss

    chrisss Private E-2

    i forgot to add that opkushh doesn't appear on the computer
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I did not ask for that. I asked what it is now and whether it appears anywhere else.

    So since you said the file is now named azjpaiu.exe, does it appear anywhere else? In fact do the below:

    Click Search and then select "All files and folders"
    Enter azjpaiu (leave off the extension, just enter it as given to the left) in the "All or part of the file name:" box
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    • Search system folders
    • Search hidden files and folders
    • Search subfolders
    Then click the Search button. When it finishes tell me all the places (full path information) where a match is found.

    Also download WinPFind
    • Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program.
    • Now click Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.
    • When it is done, it will show the results of the scan. Right Click in the window and choose Select All. Then Right Click again and select Copy which will copy the contents of the log to your clipboard. Then open a notepad window and paste in the log by pressing CTRL-V. Save it to a file and upload the text file here as an attachment.
     
  28. chrisss

    chrisss Private E-2

    azjpaiu
    not found
    the new name is rtogqxv and was found in

    winpfind. txt
    hijackthis.log8txt
    hijackthis log
    rtogqxv.exe in folder c:\windows\system32
    rtogqxv.exe-16a9ef67.pf c:\windows\prefetch
    winpfind.txt c:\winpfind\winpfins
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would expect by now that you understand the logic of what we are looking for.

    Why didn't you do the search I requested on the new name?

    Click Search and then select "All files and folders"
    Enter rtogqxv (leave off the extension, just enter it as given to the left) in the "All or part of the file name:" box
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    • Search system folders
    • Search hidden files and folders
    • Search subfolders
    Then click the Search button. When it finishes tell me all the places (full path information) where a match is found.

    If the name has changed again then use the new name in the search and you must not power down or reboot after posting. It will keep renaming otherwise.
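The search asked for here, together with the "any other extension" check in message 17 and the "other new files with approximately the same date" check in message 21, comes down to two questions over the file system: which files start with the current stem (rtogqxv.exe, rtogqxv.dat, the Prefetch trace rtogqxv.exe-xxxxxxxx.pf), and which files were written at about the same time as the one found. The Python below is an added example, not the thread's procedure or a replacement for the Windows Search dialog. It builds a throwaway directory tree whose file names and timestamps are constructed to resemble the paths reported in the thread (they are not the user's files), then walks it with those two questions; build_sample_tree, find_by_stem and files_near_mtime are names chosen for this example.

```python
import os
import tempfile
import time


def build_sample_tree():
    """Create a constructed, throwaway tree (added example data, not files from
    the thread) patterned on the locations the thread's search turned up."""
    root = tempfile.mkdtemp(prefix="winsearch_demo_")
    base = time.time() - 3600  # 'now' for the sample is one hour ago
    files = {
        "system32/rtogqxv.exe": base,                    # the renaming Run-key executable
        "system32/lyn.exe": base + 30,                   # companion written seconds later
        "Nail.exe": base - 60,                           # companion written just before
        "prefetch/rtogqxv.exe-16a9ef67.pf": base + 5,    # XP Prefetch trace of the exe
        "system32/kernel32.dll": base - 400 * 86400,     # old legitimate file, out of window
    }
    for rel, mtime in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"sample")
        os.utime(path, (mtime, mtime))  # set the modification time we want to search by
    return root


def _walk(root):
    """Yield (absolute path, root-relative path with '/' separators) for every file."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield full, os.path.relpath(full, root).replace(os.sep, "/")


def find_by_stem(root, stem):
    """Every file whose name begins with `stem`, whatever follows it: the
    'All or part of the file name' search with the extension left off."""
    stem = stem.lower()
    return sorted(rel for _full, rel in _walk(root)
                  if os.path.basename(rel).lower().startswith(stem))


def files_near_mtime(root, ref_rel, window_seconds):
    """Files other than the reference whose modification time lies within
    `window_seconds` of it: the 'same date as opkushh.exe' check."""
    ref_mtime = os.path.getmtime(os.path.join(root, *ref_rel.split("/")))
    hits = []
    for full, rel in _walk(root):
        if rel == ref_rel:
            continue
        if abs(os.path.getmtime(full) - ref_mtime) <= window_seconds:
            hits.append(rel)
    return sorted(hits)


if __name__ == "__main__":
    root = build_sample_tree()
    print("name matches:", find_by_stem(root, "rtogqxv"))
    print("written around the same time:", files_near_mtime(root, "system32/rtogqxv.exe", 120))
```

Pointing `find_by_stem` and `files_near_mtime` at a real C:\WINDOWS instead of the sample tree is the same call with a different root; the time window should be narrow (a couple of minutes) so that a busy system32 folder does not drown the result.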
     
  30. chrisss

    chrisss Private E-2

    the new name is rtogqxv and i did do a search like you described. this is what it found and the extensions

    rtogqxv was found in:

    winpfind. txt
    hijackthis.log8txt
    hijackthis log
    rtogqxv.exe in folder c:\windows\system32
    rtogqxv.exe-16a9ef67.pf c:\windows\prefetch
    winpfind.txt c:\winpfind\winpfins
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Sorry about that! I expected it to be found in other places too.

    The Winpfind log shows another strange file that may be related and could be part of the reason for this spreading.

    Do you see each of the below (don't do anything with these, just tell me if you see them):
    C:\WINDOWS\qohquuytcl.exe
    C:\WINDOWS\Nail.exe
    C:\WINDOWS\system32\rtogqxv.exe
    C:\WINDOWS\system32\lyn.exe
    C:\WINDOWS\system32\hswob.exe

    Also if the below folder exists, delete it:
    C:\Program Files\TBONAS

    Now please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\rtogqxv.exe

    Then exit HJT. Do not try to delete this file. We are going to do this in a couple messages a little differently.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Now run WinPfind again and attach the new log.

    Tell me what you find while looking for the above files! Again, make sure you do not power down or reboot.
     
    Last edited: Jan 5, 2006
  32. chrisss

    chrisss Private E-2

    you said
    Do you see each of the below (don't do anything with these, just tell me if you see them):
    C:\WINDOWS\qohquuytcl.exe
    C:\WINDOWS\Nail.exe
    C:\WINDOWS\system32\rtogqxv.exe
    C:\WINDOWS\system32\lyn.exe
    C:\WINDOWS\system32\hswob.exe

    Also if the below folder exists, delete it:
    C:\Program Files\TBONAS
    _________________________
    i saw none of these files

    i am running winpfind right now. i will attach report when it is done
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure you have enabled viewing of hidden & system files per the READ ME? These all show in WinPfind and one showed in HJT.

    Did the bad file rename again? Your last message said the file was there:
    Did you add the registry patch?
     
  34. chrisss

    chrisss Private E-2

    you asked
    Did you add the registry patch?
    yes i added the patch
    _______________
    you asked
    Are you sure you have enabled viewing of hidden & system files per the READ ME? These all show in WinPfind and one showed in HJT.
    yes i did

    _____________
    you asked

    Did the bad file rename again? Your last message said the file was there:

    Quote:
    rtogqxv.exe in folder c:\windows\system32

    that file isn't there, i think it renames itself as soon as i kill the process
    _________________________________________
     

    Attached Files:

  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then something is not configured right. WinPfind shows: C:\WINDOWS\qohquuytcl.exe
    But you say it is not there.

    This is there too: C:\WINDOWS\Nail.exe

    And according to WinPfind they are not even hidden. Can you see any files at all in the C:\windows and system32 folders?

    What is the bad file named right now?
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download and install the below tool:

    ExplorerXP

    It is much better at locating ALL files than Windows Explorer.

    Use it to look for the files and see if you find any of them.
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like the new baddie may be named: C:\WINDOWS\system32\zmyygyv.exe

    Do you see it? DO NOT TRY TO KILL THE PROCESS. Look for it and the others using ExplorerXP and tell me what you find.

    Then Download, install and run BlackLight by F-Secure. Post the log once finished.
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just to get prepared for the next steps I want you to download install and get updates for Ewido Security Suite BUT DO NOT RUN A SCAN WITH IT YET. We need to do that in safe mode later.

    Also make sure you still have nailfix ready to use in safe mode. I had you download nailfix in message # 15.

    What we will probably be doing (don't do it yet - I'm just informing you where we are headed. I want answers to other questions first).
    - adding a registry patch
    - booting in safe mode with no internet connection (unplug cable to be sure)
    - no applications open except what are indicated. Especially browsers need to be closed
    - we will run Ewido to scan and fix
    - run nailfix to fix
    - run HJT to fix the random.exe r line
    - empty recycle and prefetch
    - run Ccleaner
     
  39. chrisss

    chrisss Private E-2

    i'm trying not to hook my computer back to the internet. i downloaded the explorer and Ewido to a cd and want to install that way. is there a way to get the Ewido updates and put them on a cd or do i have to hook back up to the internet?
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try this: Updates for the ewido security suite

    Please respond to messages 35, 36, & 37.
     
  41. chrisss

    chrisss Private E-2

    i already hooked up to the internet and downloaded the definitions
    _______________________________________
    you said
    Then something is not configured right. WinPfind shows: C:\WINDOWS\qohquuytcl.exe
    But you say it is not there.

    This is there too: C:\WINDOWS\Nail.exe

    And according to WinPfind they are not even hidden. Can you see any files at all in the C:\windows and system32 folders?

    it goes from mui to npp(there is no nail)
    it goes from preinstall to quicktime
    ______________________________
    Then Download, install and run BlackLight by F-Secure. Post the log once finished.
    i ran the scan and it said no hidden files. i didn't see how to save a log
    _________________________________________
     

    Attached Files:

  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    How come I do not see the baddie now?

    Did something in the last steps actually remove it?
     
  43. chrisss

    chrisss Private E-2

    i didn't see it either. i didn't want to say anything and look dumb if it was still there. all i can think of was when i rebooted the Ewido popped up and said i had an infection (4 times) and removed it. i updated everything again while i was downloading the updates for the Ewido. the computer is now shut down. ( i have to keep switching between these two computers because i only have one cable hook up)
    should i do the steps in safe mode?
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like Ewido removed those hidden files I kept asking about. I bet if we do WinPfind now, that they will no longer show.
    Didn't Ewido tell you what the infection was and in which filenames?

    What steps in safe mode are you referring to? Do you mean msg # 38?

    Maybe an Ewido scan would be useful but it seems your problem is fixed.
     
  45. chrisss

    chrisss Private E-2

    i haven't booted up. when i do will it be back? should i do the steps in #38?

    _____________________________
    you said
    Didn't Ewido tell you what the infection was and in which filenames?

    i didn't recognize what it found. i didn't think it was the infection that we were trying to get rid of (i thought that would be too easy)
    _____________________________
    after everything is clean should i keep Ewido or avg?
     
  46. chrisss

    chrisss Private E-2

    and when should i disable system restore?
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you rebooted yet? If not, please do so and verify you are still clean.

    Ewido and AVG are two different types of applications. You need an antivirus like AVG.
    If you have MS Antispyware still installed you can uninstall Ewido to save the system resources.
     
    Last edited: Jan 6, 2006
  48. chrisss

    chrisss Private E-2

    i booted in safe mode and ran Ewido. it found
    trojan.poler.a
    betterinternet
    hijacker
    shopper
    but they were all in the restore folder. should i disable system restore before i boot up in normal mode?
     
  49. chrisss

    chrisss Private E-2

    Ewido asked if it should create a backup. it was checked as yes by default so i left it that way. should i have?
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should attach the log from Ewido!

    I would also like to see one more log from WinPfind to make sure all the hidden malware files are gone.

    Then disable system restore and then enable system restore to dump the old restore points.
     
