TechSpot

Hoping you could help with Trojan/spyware problem.

By doksa
May 26, 2007
  1. Hopefully you'll be able to help with this because this is way over my head.

    My computer started running really slow, Explorer kept sending me to Spy Doctor for a scan and other pop-ups, and avast! kept alerting me to Win32 viruses.

    I ran the preliminary steps (1-14) a few times to be sure I had it right before posting (this may or may not have been a good idea).

    AVG Anti-rootkit spotted C:\WINNT\system32:xpdt.sys

    The first time around AVG Anti-spyware spotted Downloader.Agent.bls, Trojan Dialer.qn, Trojan Polycrypt.b, and Virtumonde. The second time, just Polycrypt.b, then clean.

    Now AVG comes up clean. Hopefully you can look at the HijackThis log and let me know if everything is okay now or not.

    Thank you.
     
  2. house21

    house21 TS Rookie

    I have a similar problem with a virus called Trojan Crypt E
    SpyDoctor is just not able to clean it.
     
  3. doksa

    doksa TS Rookie Topic Starter

    To clarify: My browser just kept sending me to the SpyDoctor Web site and recommending a scan through official-looking pop-ups even though I don't have SpyDoctor on my machine.

    I think SpyDoctor is somehow tied in with the culprit.

    house21, if you haven't already, you may want to try the preliminary steps (1-15) posted in this forum.

    Though scans come up clean, I'm still worried because Windows Task Manager shows PSDiagnostic.exe and I don't know (or know how to find out) what program it's associated with.

    At least after following the steps it doesn't show lsass5.exe anymore.

    Anyway, I'm afraid of screwing up my computer by removing necessary stuff so I'm hoping someone could let me know if that evil stuff is off my machine.
     
  4. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Here's some information on PSDiagnostic.exe. It is perfectly safe, though optional to have running. http://www.whatsrunning.net/whatsrunning/QueryProcessID.aspx?Process=6725

    I need you to run the antirootkit scan again and fix anything related to xpdt. Let me know the results. Then do the following.

    You may wish to copy and paste these instructions into Notepad for easier reference later.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Go to start > run and type services.msc. Press the enter key.
    Search for the following services. Double-click each one and select Stop if it is running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

    Microsoft Update < note: no 's' behind update.

    Open your Task Manager by holding Ctrl and Alt and pressing Del. Alternatively, use Ctrl + Shift + Esc. Go to the Processes tab, and end the following processes, if found:

    wuamgrd2.exe

    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\r6kbji2k.slt\prefs.js)
    O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINNT\system32\jydqnqun.dll
    O4 - HKCU\..\Run: [Microsoft Update] wuamgrd2.exe
    O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] wuamgrd2.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update] wuamgrd2.exe (User 'Default user')

    Close HJT.


    Navigate in Windows Explorer and delete the following files and folders in bold.

    C:\delrb.bat
    C:\delrb1.reg
    C:\WINNT\system32\jydqnqun.dll

    Reboot into normal mode and rehide your protected OS files.

    Thereafter, please post fresh HJT and ComboFix logs from normal mode as attachments into this thread.


    Regards,
    Your friendly Momok =)

    This thread is for the use of doksa only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
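As an added illustration (not part of the thread, and not HijackThis itself), here is a small Python triage script that applies the same judgement momok used above to HijackThis O2/O4 lines: a BHO with no name and a random-looking DLL in system32, and Run entries whose value name imitates "Microsoft Update" but point at a bare executable, including the SYSTEM and Default User hives. The sample log is constructed from the entries quoted in the thread plus two made-up benign entries for contrast.

```python
import re

# Constructed sample log: the O2/O4 entries quoted in the thread plus two benign
# entries invented for contrast (their CLSID and paths are placeholders).
SAMPLE_LOG = r"""
O2 - BHO: Example Toolbar Helper - {00000000-1111-2222-3333-444444444444} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINNT\system32\jydqnqun.dll
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\tray.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd2.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] wuamgrd2.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update] wuamgrd2.exe (User 'Default user')
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+?)(?: \(User '(?P<user>[^']*)'\))?$")

# Value names that imitate Windows components; real Windows Update does not use a Run key.
MIMIC_NAMES = {"microsoft update", "windows update", "microsoft updates"}
# Run keys of the SYSTEM and Default User hives: legitimate software rarely writes here.
SUSPICIOUS_HIVES = ("HKUS\\S-1-5-18\\", "HKUS\\.DEFAULT\\")
# Eight random lowercase letters is the naming pattern of the DLL in the thread.
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")


def triage(log_text):
    """Return a list of {'section', 'line', 'reason'} for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            reasons = []
            if m.group("name") == "(no name)":
                reasons.append("BHO registered without a name")
            dll = m.group("path").rsplit("\\", 1)[-1].lower()
            if RANDOM_DLL_RE.match(dll) and "system32" in m.group("path").lower():
                reasons.append("random-looking DLL name in system32")
            if reasons:
                findings.append({"section": "O2", "line": line, "reason": "; ".join(reasons)})
            continue
        m = O4_RE.match(line)
        if m:
            reasons = []
            if m.group("name").strip().lower() in MIMIC_NAMES:
                reasons.append("value name imitates a Windows component")
            if "\\" not in m.group("cmd"):
                reasons.append("bare executable name, no full path")
            if m.group("key").startswith(SUSPICIOUS_HIVES):
                reasons.append("Run key under SYSTEM/Default User hive")
            if reasons:
                findings.append({"section": "O4", "line": line, "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```

These heuristics only rank entries for a human to review; a flagged line is a reason to look up the file, not proof of infection on its own.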
     
  5. doksa

    doksa TS Rookie Topic Starter

    Thank you Momok. Here are the fresh HJT and ComboFix.

    Momok,

    Thank you very much, I really appreciate your help.

    Rootkit scan found nothing and came up clear.

    A couple things:

    1) I could not find "Microsoft Update" under services.msc.

    2) I did find and delete C:\delrb.bat and C:\delrb1.reg, though I could not find C:\WINN\system32\jydqnqun.dll.

    I'm not sure if these are good or bad signs.

    Anyway, thanks again and the HJT and ComboFix results are attached.
     
  6. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Have HijackThis fix this entry:
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

    Unhide all your files and folders like previously, and navigate to the following file.

    C:\WINNT\system32\AC94EB1E72.sys < delete this.

    Rehide your OS files and folders.

    Next, delete all files in AVG Antispyware Quarantine folder and the "C:\VundoFix Backups" folder.

    Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

    After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

    Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend that you read this article.
    This can help to prevent future infections.

    Should you have any further problems, please post in this thread.


    Regards,
    Your friendly Momok =)
     
Topic Status:
Not open for further replies.
