Infected with 3 trojans. Need manual instructions for cleaning them.

Status
Not open for further replies.

daylight

Hello everyone,

Recently I came across some website and downloaded a self-extracting WinRAR archive (*.exe). I usually don't use any antivirus software because I feel confident with my experience of using the internet and PCs for many years. I only use the Kaspersky website for online file scanning if I suspect that a file might be infected. But this time I made a mistake. I thought that a self-extracting archive can't do any harm, just extract files, but that's wrong. There were 4 files in the archive: 3 *.exe files and 1 readme.bat file. The archive contained a comment: setup=readme.bat. The bat file executes these 3 exe files, which were infected with trojans. The Kaspersky online file scanner identifies them as:

1) not-a-virus:AdWare.Win32.Virtumonde.jp
2) Trojan-Downloader.Win32.LoadAdv.gen
3) Trojan.Win32.Dialer.qn

I installed NOD32, but it doesn't seem to eliminate these trojans. I've noticed strange behaviour in the IE and FF browsers after the infection. NOD32 (IMON) detected Win32/Spy.VBStat.J and offered to terminate it. I did so, but I still experience unexpected opening of some URLs in IE although I only use FF.

I need instructions for cleaning these trojans completely.

HijackThis log attached (ran in safe mode).

Thank you for your help.

P.S. As I was writing, I noticed that the Browse button stopped working in FF, so I tried uploading the log with IE. It worked, but IE opened some other website and NOD32 (IMON) reported a threat: the Win32/Adware.WinFixer application.
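The mechanism described in this post (a WinRAR self-extracting archive whose comment carries a Setup= line, so that readme.bat runs as soon as extraction finishes) can be looked for before a suspect .exe is ever launched. The Python below is an added example and is not part of the thread or of WinRAR: it parses the PE section table of an executable, locates the overlay appended after the last section, looks there for the RAR archive marker, and scans the overlay for SFX script directives. build_fake_sfx builds a constructed minimal PE for the demonstration, not the poster's download; the directive scan only sees a comment that WinRAR stored uncompressed, so an empty result does not prove the archive is harmless.

```python
"""Inspect a suspected WinRAR self-extracting (SFX) executable offline.

A WinRAR SFX is an ordinary PE module with the RAR archive appended after the
last section (the "overlay"). The SFX script that can auto-run a file after
extraction (Setup=, Presetup=, Silent=, ...) lives in the archive comment.
"""
import struct

RAR_MARKER = b"Rar!\x1a\x07"          # common prefix of the RAR 1.5-4.x and RAR5 signatures
SFX_DIRECTIVES = (b"Setup=", b"Presetup=", b"Silent=", b"Path=", b"Overwrite=", b"TempMode")


def overlay_offset(pe: bytes) -> int:
    """Return the file offset where data appended after the last PE section starts."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]      # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]         # COFF SizeOfOptionalHeader
    section_table = e_lfanew + 24 + opt_size
    end = section_table + 40 * num_sections
    for i in range(num_sections):
        # Section header: SizeOfRawData at +16, PointerToRawData at +20.
        size_raw, ptr_raw = struct.unpack_from("<II", pe, section_table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return min(end, len(pe))


def inspect_sfx(pe: bytes) -> dict:
    """Report whether the overlay carries a RAR archive and which SFX directives are visible."""
    start = overlay_offset(pe)
    overlay = pe[start:]
    rar_at = overlay.find(RAR_MARKER)
    found = []
    for d in SFX_DIRECTIVES:
        # The comment may be stored as ANSI or UTF-16LE text; look for both encodings.
        if d in overlay or d.decode("ascii").encode("utf-16-le") in overlay:
            found.append(d.decode("ascii").rstrip("="))
    return {
        "overlay_offset": start,
        "overlay_size": len(overlay),
        "rar_archive_at": None if rar_at < 0 else start + rar_at,
        "directives": found,
        # Only an uncompressed comment can be seen this way; a compressed one needs a RAR parser.
        "auto_runs_file": "Setup" in found or "Presetup" in found,
    }


def build_fake_sfx(overlay: bytes) -> bytes:
    """Build a minimal one-section PE and append `overlay` (constructed test data, not a real SFX)."""
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)        # 1 section, no optional header
    raw_ptr = 0x40 + 4 + 20 + 40                                         # data right after the section table
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x10, 0x1000, 0x10, raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos_header + b"PE\0\0" + coff + section + b"\x90" * 0x10 + overlay


if __name__ == "__main__":
    # Constructed sample: RAR marker followed by an uncompressed comment like the one in the post.
    sample = build_fake_sfx(RAR_MARKER + b"\x00" * 17 + b"Setup=readme.bat\r\nSilent=1\r\n")
    print(inspect_sfx(sample))
```

Run it against a real download with `inspect_sfx(open(path, "rb").read())`: a RAR marker in the overlay tells you the file is an archive wrapped in an extractor, and any Setup or Presetup directive means something is meant to execute after extraction, which is exactly the case the poster ran into.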
 
Hi daylight and welcome to techspot. =)

Somehow, I do not see your log file. In any case, please do the following.

Important: Please read this thread HERE before you decide whether to clean or reformat your system.

Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. Do follow all the instructions exactly. They will provide logs for analysis of your system so I will know how to instruct you to proceed.

Thereafter, please post fresh HijackThis, AVG Antispyware and ComboFix logs as attachments in this thread. Do not copy and paste your logs; otherwise they will be ignored and/or removed.

Also, please let me know the results of the AVG Antirootkit scan.


Regards,
Your friendly momok =)

This thread is for the use of daylight only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
OK, now I scanned with AVG Anti-Spyware and deleted the files (shown in the attached log) on boot. Now on Windows startup I got this error message from RUNDLL:

Error loading C:\WINDOWS\system32\j3201737.dll
The specified module could not be found.

Any advice?

Thank you for your cooperation.

P.S. I think I'm going to delete some autostart values in the registry path HKLM\RUN, namely "rundll32 C:\WINDOWS\system32\j3201737.dll sook" and "rundll32.exe "C:\WINDOWS\system32\oaxualtn.dll",realset".
OK, I fixed that and ran ComboFix afterwards (log attached).
 
Hi,

I do not see any log files. Have you attached them properly?
Please see HERE for how to attach a log file.


Regards,
Your friendly momok =)

 
Hi,

I noticed that your AVG log displays 'Ignored' for all the files detected.
I suggest you run AVG again and quarantine the files. Pictorial instructions HERE. Do this after the following instructions.

You may wish to copy and paste these instructions into Notepad for easier reference later.

Please download and run CCleaner via step 9 of the instructions HERE.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type services.msc. Press the enter key.
Search for the following services. Double-click each one and click Stop if it is running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

j3201737
ApachInc
Microsoft ASPI Manager


After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

O2 - BHO: (no name) - {08C134D3-087C-4139-A98C-3A078358DFDE} - C:\WINDOWS\system32\ddcyywt.dll
O2 - BHO: (no name) - {33A8C168-3A00-4DE4-BE94-89FA0BFC2230} - C:\WINDOWS\system32\vturp.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\xakqvtos.dll

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [j3201737] rundll32 C:\WINDOWS\system32\j3201737.dll sook
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\oaxualtn.dll",realset

O20 - Winlogon Notify: ddcyywt - C:\WINDOWS\SYSTEM32\ddcyywt.dll
O20 - Winlogon Notify: vturp - C:\WINDOWS\system32\vturp.dll
O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\system32\aspimgr.exe

Close HJT.

Run your AVG scan again now. Quarantine all items before saving the log.

Navigate in Windows Explorer and delete the following files:

C:\WINDOWS\system32\j3201737.dll
C:\WINDOWS\system32\oaxualtn.dll
C:\WINDOWS\system32\xakqvtos.dll
C:\WINDOWS\system32\prutv.bak1
C:\WINDOWS\system32\jvjtbbju.exe
C:\WINDOWS\system32\psSDOr2K.exe
C:\WINDOWS\system32\LiveProtectSetup.exe
C:\WINDOWS\system32\vturp.dll
C:\WINDOWS\system32\aspimgr.exe
C:\WINDOWS\SYSTEM32\winrvc32.dll
C:\WINDOWS\SYSTEM32\ddcyywt.dll

Reboot into normal mode and rehide your protected OS files.


Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread.


Regards,
Your friendly momok =)

 
Hi,

Have HijackThis fix the following entries (fix the O17 entries only if they do not belong to your ISP):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O17 - HKLM\System\CCS\Services\Tcpip\..\{0BEC3DBF-B56B-44DF-A6BB-8B289D366222}: NameServer = 212.59.0.2 212.59.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BEC3DBF-B56B-44DF-A6BB-8B289D366222}: NameServer = 212.59.0.2 212.59.0.1

Apart from that, your logs look clean now.

Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

Turn off system restore (XP/ME only). Learn how to do that HERE.
This will remove all the remaining nasties from your old restore points.

After that turn system restore back on.
This will create a new, clean restore point for your system.

Oftentimes, an infection occurs again not because the programs are incompetent, but because of user habits.
May I recommend that you read this article.
It can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
Your friendly momok =)

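The two cleanup posts above hand the poster a list of HijackThis entries to fix (O2 BHOs with no name, an O3 toolbar with no file, O4 Run keys that start a system32 DLL through rundll32, O20 Winlogon Notify packages, an O23 service with an unknown owner) and then the R0/R1 browser settings and the O17 NameServer entries, with the caveat that O17 is fixed only when the servers are not the ISP's. The Python below is an added example and is not part of the thread or of HijackThis: it encodes those triage rules so a log can be checked before anything is fixed, and lists the files the findings point at, which is the "delete these files from safe mode" step. SAMPLE_LOG is constructed from the entries posted in this thread plus two benign lines for contrast; KNOWN_NOTIFY is a partial allowlist assumed for the example; expected_nameservers is whatever your ISP told you.

```python
"""Triage a HijackThis log the way the cleanup posts above do.

Each rule maps one HJT section to the reason an entry is suspect and to the
action taken in the thread ("fix" = remove with HJT, "review" = confirm first).
"""
import re
from dataclasses import dataclass

# Winlogon Notify packages shipped with Windows XP (partial allowlist, an assumption
# for this example; extend it for your own build before trusting a "fix" verdict).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

HJT_LINE = re.compile(r"^(R[0-3]|F[0-3]|O\d+) - (.*)$")
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\s\",]+\.(?:dll|exe)", re.I)


@dataclass
class Finding:
    kind: str     # HJT section, e.g. "O2"
    action: str   # "fix" or "review"
    reason: str
    line: str


def triage(log_text: str, expected_nameservers=None) -> list:
    """Return the entries a cleanup would act on; expected_nameservers is the ISP's DNS list."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        hit = None
        if kind == "O2" and "(no name)" in body:
            hit = ("fix", "BHO with no name loading a DLL into every IE process")
        elif kind == "O3" and "(no file)" in body:
            hit = ("fix", "toolbar registration whose file is gone (orphan)")
        elif kind == "O4" and re.search(r'rundll32(?:\.exe)?\s+"?[^"\s]*\\system32\\', body, re.I):
            hit = ("review", "Run key starts a system32 DLL through rundll32; confirm the DLL is yours")
        elif kind == "O20":
            pkg = re.match(r"Winlogon Notify: (\S+)", body)
            if pkg and pkg.group(1).lower() not in KNOWN_NOTIFY:
                hit = ("fix", f"Winlogon Notify package '{pkg.group(1)}' is not a known Windows package")
        elif kind == "O23" and "Unknown owner" in body:
            hit = ("review", "service without vendor information")
        elif kind == "R0" and body.endswith("="):
            hit = ("fix", "browser setting left empty by a hijacker")
        elif kind == "R1" and "ProxyOverride" in body:
            hit = ("fix", "proxy bypass list set; remove unless you configured a proxy yourself")
        elif kind == "O17":
            ns = re.search(r"NameServer = (.+)$", body)
            if ns:
                servers = set(ns.group(1).split())
                if expected_nameservers is None:
                    hit = ("review", "per-interface DNS servers; confirm they belong to your ISP")
                elif not servers <= set(expected_nameservers):
                    hit = ("fix", "DNS servers do not match the ISP's; lookups can be redirected")
        if hit:
            findings.append(Finding(kind, hit[0], hit[1], line))
    return findings


def files_to_check(findings) -> list:
    """Paths named by the findings: the files to delete from safe mode once the entries are fixed."""
    paths = {p.lower() for f in findings for p in WIN_PATH.findall(f.line)}
    return sorted(paths)


# Constructed sample: the entries posted in this thread plus two benign lines for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {08C134D3-087C-4139-A98C-3A078358DFDE} - C:\WINDOWS\system32\ddcyywt.dll
O2 - BHO: (no name) - {33A8C168-3A00-4DE4-BE94-89FA0BFC2230} - C:\WINDOWS\system32\vturp.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [j3201737] rundll32 C:\WINDOWS\system32\j3201737.dll sook
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\oaxualtn.dll",realset
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BEC3DBF-B56B-44DF-A6BB-8B289D366222}: NameServer = 212.59.0.2 212.59.0.1
O20 - Winlogon Notify: ddcyywt - C:\WINDOWS\SYSTEM32\ddcyywt.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\system32\aspimgr.exe
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.action.upper():6} {f.kind:4} {f.reason}\n       {f.line}")
    print("files to check:", *files_to_check(results), sep="\n  ")
```

The O17 rule mirrors the caveat in the post: with no expected list it only asks for review, and it escalates to "fix" only when the configured servers are not a subset of the ISP's. The "review" verdicts on O4 and O23 are deliberate: a rundll32 Run key or a service with no vendor string is how these infections start, but the same shape is used by legitimate drivers, so the file on disk still has to be checked before it is deleted.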
 