TechSpot

Crazy crazy spyware - HJT logs attached.

By Luna M
Mar 29, 2007
  1. Working on a client's computer, trying to remove a buttload of spyware. I'm trying to do this without wiping/reloading if at all possible.

    So far, I've run Spybot with the latest updates and cleaned everything it found, both in normal and safe mode.

    AdAware finds one running module and then promptly crashes, even in safe mode. Whatever this module is, it constantly tries to connect to the internet...even in safe mode (?! but I didn't choose safe mode with networking, so how is that possible?).

    Normal windows runs relatively normally, sans the consistent "work offline/try again" messages.

    Safe mode fails to load explorer.exe, even if I try to manually start the process. As a result, when in safe mode I have to start all programs by using the task manager.

    I've taken HiJackThis logs of both safe mode and normal windows. They're attached to this post. Some help deciphering them would be appreciated. Thanks!
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That system is badly infected, it also appears there's no antivirus or firewall software being run.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :)

    This thread is for the use of Luna M only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. jobeard

    jobeard TS Ambassador Posts: 9,330   +622

    from your safemode log, I have some recommendations, but suggest you
    await confirmation from Howard :)
    ======
    delete
    R3 - Default URLSearchHook is missing

    pm3niet.dll,etavvbgw.dll,ejfmralg.dll are unknown on the internet, therefore
    delete
    O2 - BHO: (no name) - {373E45F2-4727-4B7C-8E77-9CD7B90DF856} - C:\WINDOWS\pm3niet.dll
    O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\etavvbgw.dll
    O2 - BHO: (no name) - {F9E97B67-8E92-469D-906A-1DD8D64A1FC7} - C:\WINDOWS\system32\ejfmralg.dll

    O20 - Winlogon Notify: dangxxwe - C:\WINDOWS\SYSTEM32\dangxxwe.dll
    O20 - Winlogon Notify: pm3niet - C:\WINDOWS\pm3niet.dll
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You're quite right jobeard, those entries are bad. However, simply fixing them with HJT won't get rid of the infection that's causing them (probably the Vundo trojan, typically characterised by randomly named .dll files in O2 BHO and O20 Winlogon Notify: entries in a HJT log). That's why it's important to follow the instructions. If that doesn't get rid of those entries, I'll manually remove them, using various tools, including but not exclusively Killbox/The Avenger/Vundo fix's manual removal method.

    Regards Howard :)

     
  5. jobeard

    jobeard TS Ambassador Posts: 9,330   +622

    >That's why it's important to follow the instructions.
    Precisely why I suggested awaiting your inputs! :) :angel:

    You do an amazing and thorough job here Howard -- You might consider
    a tutorial on the HOW-TO of your analysis and removal techniques to empower
    others to knock some of these down too :)
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    There are potential problems with writing a tutorial on how to get rid of specific infections, here are just two. One is the fact that malware is constantly changing and new variants are surfacing all the time. This would require the individual to correctly recognise and identify a particular infection.

    Another problem is people might follow some specific tutorial and then find their symptoms disappear. They then think their system is clean, when it isn't. Then, they don't seek any further help and go away thinking their system is clean, oblivious to the rest of the infections on their systems.

    You might find this link of interest. I use it myself from time to time. I would caution anyone, not to follow instructions for specific infections, unless directed to do so.

    Regards Howard :)

     
  7. Luna M

    Luna M TS Rookie Topic Starter Posts: 19

    Sorry it took so long to get back to you.

    I've done all you requested, but still can't seem to get rid of everything. Specifically, Smitfraud is being a nuisance. Even the SmitfraudFix doesn't seem to kill it...

    AVG anti-rootkit found no rootkits, amazingly enough.

    Safe mode works properly again, though.

    HJT logs attached.
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You haven't posted AVG Antispyware or Combofix logs as requested. Please do so in your next reply.

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

    O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\etavvbgw.dll

    O2 - BHO: (no name) - {9A530234-2F36-4F7C-BEB8-7CD009F7FA6A} - C:\WINDOWS\pm3niet.dll (file missing)

    O2 - BHO: (no name) - {F9E97B67-8E92-469D-906A-1DD8D64A1FC7} - C:\WINDOWS\system32\ejfmralg.dll (file missing)

    O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\uarteycg.dll",setvm

    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)

    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)

    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

    O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.drivecleaner.com/installdrivecleanerstart.cab

    O20 - Winlogon Notify: dangxxwe - dangxxwe.dll (file missing)

    O20 - Winlogon Notify: pm3niet - C:\WINDOWS\pm3niet.dll (file missing)

    Click on the fix checked button.

    Close HJT.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

    These are the filepaths you need to enter into killbox.

    C:\WINDOWS\system32\uarteycg.dll
    C:\WINDOWS\pm3niet.dll

    Once your system has rebooted, rehide your protected OS files.

    Post a fresh HJT log as well as Combofix and AVG Antispyware logs.

    Regards Howard :)

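The pattern Howard describes (unnamed O2 BHOs, unrecognised O20 Winlogon Notify DLLs, a Run key that loads a DLL through rundll32, and dangling "(file missing)" references) can be pulled out of a HijackThis log mechanically. The triage script below is an added example, not a tool from this thread; it runs over the entries quoted above plus two constructed benign lines, and its Winlogon Notify allowlist is an assumed, partial list of stock XP-era entries.

```python
import re
from dataclasses import dataclass

# Constructed sample: HJT entries quoted in this thread plus two made-up benign
# lines (the "Example Helper" BHO and the stock crypt32chain notify entry).
SAMPLE_LOG = r"""O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\etavvbgw.dll
O2 - BHO: (no name) - {9A530234-2F36-4F7C-BEB8-7CD009F7FA6A} - C:\WINDOWS\pm3niet.dll (file missing)
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\uarteycg.dll",setvm
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.drivecleaner.com/installdrivecleanerstart.cab
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: dangxxwe - dangxxwe.dll (file missing)
O20 - Winlogon Notify: pm3niet - C:\WINDOWS\pm3niet.dll (file missing)"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# Assumed, partial allowlist of stock Windows XP Winlogon Notify subkeys.
WINLOGON_ALLOWLIST = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                      "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}
RUNDLL_SYSTEM32 = re.compile(r'rundll32\.exe\s+"?[^"]*system32\\', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HJT section, e.g. "O2"
    reason: str    # why the entry deserves a look
    line: str      # the original log line


def triage(log_text: str) -> list:
    """Return the HJT entries matching the Vundo-style patterns discussed above."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue                      # skip R-lines, F-lines, headers
        section, body = m.groups()
        tag = " (dangling reference)" if body.endswith("(file missing)") else ""
        if section == "O2" and body.startswith("BHO: (no name)"):
            findings.append(Finding(section, "unnamed BHO" + tag, line))
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            name = body.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
            if name not in WINLOGON_ALLOWLIST:
                findings.append(Finding(section, "unrecognised Winlogon Notify DLL" + tag, line))
        elif section == "O4" and RUNDLL_SYSTEM32.search(body):
            findings.append(Finding(section, "Run key loads a system32 DLL via rundll32", line))
        elif section == "O16":
            findings.append(Finding(section, "ActiveX download (DPF) to review", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

The output is a review list, not a fix list: as Howard notes, fixing the entries in HJT does not remove the component that re-creates them.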
     
Topic Status:
Not open for further replies.
