TechSpot

Another Trojan Downloader problem

By generalataris
Apr 7, 2008
  1. OK folks, I'm at my wit's end.

    I have the notorious virus that causes all kinds of warnings against Spyware and tries to get me to buy all kinds of software. I also have had my background changed on the desktop.

    I have been reading this board as much as I can and run as many of the scans as I could get my hands on.

    I've run the Malwarebyte's, I've run the ComboFix, I've run SmitFraud Fix, and several others.

    I have yet to get rid of the problem. In fact, just out of curiosity, after using Malwarebyte's and removing all the infected files, I ran it again, and instantaneously there were dozens of more infections.

    What can I do folks? A little background here... I'm not exactly computer savvy, so try and be a simple as you can!

    thank you SO MUCH for whomever can help me.
     
  2. generalataris

    generalataris TS Rookie Topic Starter

    Bringing this to the top

    I know that this has probably been overplayed on this board lately, but could anybody help me?
     
  3. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    we need the logs please attach the following into this thread using the attach icon above your reply.

    1)C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2)C:\Combofix.txt
    3)A Hijackthis log ran after the others
     
  4. generalataris

    generalataris TS Rookie Topic Starter

    OK, here we go

    Blind Dragon, thanks for your help, first off.

    OK, I first ran MBAM, then tried Combo and Combo would NOT run, despite multiple tries. I then ran HJT.

    Here are the logs for BMAM and HJT.

    THANKS FOR HELPING ME OUT
     
  5. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    K, please run MBAM again, as when there are this many infections it will sometimes pick up more on a second run.

    Here is the substitute for Combofix:

    Please download Deckard's System Scanner (DSS) and save it to your Desktop.
    DISCONNECT FROM THE INTERNET...REMOVE THE PLUG FROM THE BACK OF THE COMPUTER

    Close all other windows before proceeding.

    This means TURN OFF ALL other security programmes.
    Norton Anti-virus, AVG Anti-spyware or any other security programmes you`re running.

    Double-click on dss.exe and follow the prompts.
    When it has finished, dss will open two Notepads main.txt and extra.txt -- please attach the main.txt and extra.txt in your next reply.

    Re-enable your security programmes and reconnect to the net.
     
  6. generalataris

    generalataris TS Rookie Topic Starter

    Alright

    here is the second MBAM log and then the DSS log
     
  7. generalataris

    generalataris TS Rookie Topic Starter

    Anybody?

    Bump.........
     
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Please don't bump your thread unless you go 24 hours without response, I get an email every time you post, as you may have noticed these forums are extremely busy, I literally get over 100 emails a day, and I am volunteering my time, so please be patient with me.

    Your heavily infected and it will take me a little bit of time to go through the logs. Especially since combofix wont work, it is going to take a little long.

    Thank you for understanding. I am not ignoring you.
     
  9. generalataris

    generalataris TS Rookie Topic Starter

    I apologize

    Wasn't aware of that.

    Wasn't trying to be impatient. This is my work computer, so I got a little ancy.

    Again, I'm sorry, and I appreciate your help.
     
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    While you are here, what can you tell me about greenville county schools?
     
  11. generalataris

    generalataris TS Rookie Topic Starter

    Greenville

    Greenville is a lovely place to live, although there are some things with this district that do bother me.

    The district office and administration tends not to be very big on discipline, which causes some problems. It's also a huge district...one of the 50 biggest in the country I believe.

    All in all though, I like working here.

    Why? Are you from the area? Looking to relocate?
     
  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Haha, no. I saw in your log that you had a proxy override pointing there, and that you connect through them. Just wanted to be 100% sure that you knew of it.

    Go ahead and follow these, then attach the requested logs

    OK. First of all only use internet explorer if you absolutely have to: Here are 2 more secure browsers to choose from
    1)Firefox -> http://www.mozilla.com/en-US/firefox/
    2)Opera -> http://www.opera.com/


    Next, these people who write malware love to exploit old versions of Java

    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update Tab at the top of the Java console
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
    • After it installs the newest version Go back to Control Panel -> Add/remove programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions.
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected'at the bottom
    • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder



    You might want to copy and paste these instructions into a notepad file, and save it to your desktop. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run Hijackthis and Select Do A System Scan Only
    Put a check mark next to the following entries:
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
    O2 - BHO: (no name) - {b1f03258-1dd1-11b2-844a-d95ac99666f6} - C:\WINDOWS\fqzqhcba.dll
    O4 - HKLM\..\Run: [wnqnofst] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\wnqnofst.dll"
    O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\mdmoore\LOCALS~1\Temp\ie.exe
    O4 - HKCU\..\Run: [oxayylla] C:\WINDOWS\system32\ujwzcfkn.exe
    O4 - HKLM\..\Policies\Explorer\Run: [B3p53h54g3] C:\Documents and Settings\All Users\Application Data\abcjivyx\ezaxydkh.exe
    O4 - HKCU\..\Policies\Explorer\Run: [B3p53h54g3] C:\Documents and Settings\All Users\Application Data\abcjivyx\ezaxydkh.exe


    Select Fix Checked

    Close Hijackthis

    Show hidden files through windows explorer
    • Access Windows Explorer by clicking Start, point to All Programs, Accesories, and then click Windows Explorer. Or hold the windows key and press E
    • On the Tools menu in Windows Explorer, click Folder Options.
    • Click the View tab.
    • Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

    Use Windows Explorer to navigate to and delete the following files:

    Files:
    C:\WINDOWS\system32\wmsdkns.exe <-This file only
    C:\WINDOWS\fqzqhcba.dll<-This file only
    C:\Documents and Settings\All Users\Application Data\wnqnofst.dll<-This file only
    C:\Documents and Settings\mdmoore\LOCALS~1\Temp\ie.exe<-This file only
    C:\WINDOWS\system32\ujwzcfkn.exe<-This file only

    Folders:
    C:\Documents and Settings\All Users\Application Data\abcjivyx<-This folder only

    Restart your computer into normal mode

    Run a new scan with Hijackthis and attach the log




    Download and Install SDFix
    • Download SDFix and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

    Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...