TechSpot

Popups and dialers/trojans persist

By benjydog
Oct 20, 2006
  1. Hello

    I have been at this all day. It started with ishost.exe and I believe I have removed that problem using another post, however I cannot remove these popups and dialers/trojans that keep appearing. Also there are other garbage apps that keep getting installed every time I restart. One of these is 888toolbar and I can't remember the others.

    I have tried, in this order: smitfraudfix, VirtumundoBeGone.exe, Look2Me-Destroyer.exe, AVG Anti-Spyware, Ad-Aware, Spybot, Symantec AV, Trend Micro's HouseCall... and I'm installing F-Secure to try that as well, but nothing seems to be working.

    Maybe there are clues in my HJT log? I don't know how to read these.

    Thank you very much for your help, I am exhausted at this already.

    Ben
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Go and read the Trojan Pakes and other nasties preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


    Regards Howard :wave: :wave:


    This thread is for the use of benjydog only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. benjydog

    benjydog TS Rookie Topic Starter

    Problems still

    Hello

    Thank you for your very quick reply. I have done as the link you supplied said, but as I was creating this post, Symantec has picked up another dialer (dialer.generic) in my winspool.exe.

    Attached are the HJT log and AVG log, even though AVG said it didn't find anything.

    Also attached are 2 screen shots, 1 showing one of my typical virus discoveries, the other showing 3 issues that CCleaner could not remove. I tried fixing them over a dozen times (both in safe and normal Windows modes). I don't know if they are also causing a problem.

    Thanks very much for your help.
    Ben
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    winspool.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O2 - BHO: (no name) - {39BE6ACB-E7BA-64BB-BCA1-08FE62A3CB3E} - C:\WINDOWS\system32\fbeatzd.dll (file missing)

    O2 - BHO: (no name) - {6B7BE3D6-019A-C5F0-B642-0AE6784A44A9} - C:\WINDOWS\system32\qvinjkb.dll (file missing)

    O4 - HKCU\..\Run: [Ceeo] "C:\WINDOWS\CROSOF~1\winspool.exe" -vt yazb

    O20 - Winlogon Notify: ssqrrsr - ssqrrsr.dll (file missing)

    O20 - Winlogon Notify: winree32 - C:\WINDOWS\SYSTEM32\winree32.dll

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there).

    C:\WINDOWS\CROSOF~1

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

    This is the file path you need to enter into Killbox.

    C:\WINDOWS\SYSTEM32\winree32.dll

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

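As an added example (not from this thread or from HijackThis itself), a small Python parser for the HJT entries Howard lists above. The regexes and record layout are mine; the sample lines are the six entries from the post. It separates orphaned entries marked "(file missing)", which are harmless leftovers, from load points that still reference an existing file and therefore represent live persistence.

```python
import re

# Constructed sample: the six HijackThis lines howard_hopkinso asked to have fixed above.
HJT_LINES = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {39BE6ACB-E7BA-64BB-BCA1-08FE62A3CB3E} - C:\WINDOWS\system32\fbeatzd.dll (file missing)
O2 - BHO: (no name) - {6B7BE3D6-019A-C5F0-B642-0AE6784A44A9} - C:\WINDOWS\system32\qvinjkb.dll (file missing)
O4 - HKCU\..\Run: [Ceeo] "C:\WINDOWS\CROSOF~1\winspool.exe" -vt yazb
O20 - Winlogon Notify: ssqrrsr - ssqrrsr.dll (file missing)
O20 - Winlogon Notify: winree32 - C:\WINDOWS\SYSTEM32\winree32.dll
"""

MISSING = " (file missing)"   # suffix HJT appends when the referenced file no longer exists
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

def _split_path(target):
    missing = target.endswith(MISSING)
    return (target[:-len(MISSING)] if missing else target), missing

def parse_hjt(text):
    """Turn HJT lines into records with a normalised file path and a 'file missing' flag."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        rec = {"section": section, "path": None, "missing": False}
        if section == "O2" and (b := O2_RE.match(body)):          # browser helper object
            rec["clsid"] = b.group("clsid")
            rec["path"], rec["missing"] = _split_path(b.group("path"))
        elif section == "O4" and (b := O4_RE.match(body)):        # Run-key autostart
            cmd = b.group("cmd")
            rec["path"], _, rest = cmd[1:].partition('"') if cmd.startswith('"') else cmd.partition(" ")
            rec["key"], rec["value"], rec["args"] = b.group("key"), b.group("value"), rest.strip()
        elif section == "O20" and (b := O20_RE.match(body)):      # Winlogon Notify DLL
            rec["name"] = b.group("name")
            rec["path"], rec["missing"] = _split_path(b.group("path"))
        entries.append(rec)
    return entries

def triage(entries):
    """Orphaned entries (file gone) are leftovers; live ones still load a file at logon/IE start."""
    orphaned = [e for e in entries if e["missing"]]
    live = [e for e in entries if e["path"] and not e["missing"]]
    return orphaned, live
```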
     
  5. benjydog

    benjydog TS Rookie Topic Starter

    Problem still

    Thank you again for trying to help. Sorry about the late reply, I was called out of town for the night.

    I have done as you suggested, however the problems seem to be getting worse.

    Now, when my machine boots, it sits on the Windows XP screen for a few mins and then it takes a few min after that during the loading preferences screen for my desktop to come up. This is not normal.

    Also, it appears that the auto-protect only starts noticing problems once I open I.E.

    Also, from your instructions there were a few problems:
    1. winspool.exe wasn't running
    2. C:\WINDOWS\CROSOF~1 did not exist
    3. Killbox could not kill C:\WINDOWS\SYSTEM32\winree32.dll

    I have attached a fresh HJT log

    thanks again for helping!
    ben
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Don't worry that you couldn't find some stuff.

    The main nasty is still there in your HJT log, so let's try this.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please copy/paste the content of c:\avenger.txt into your reply when it reboots, and post a fresh HJT log.

    Regards Howard :)

     
  7. benjydog

    benjydog TS Rookie Topic Starter

    Closer I hope

    Hello, and thank you for your patience!

    I had to run the Avenger program twice. The first time I loaded it from safe mode and when normal Windows booted, it didn't seem to do anything, so I tried it again.

    I think this has to be a related problem, but now my machine takes over 5 minutes to boot when it used to be under 1 minute. Any way I can diagnose this too?

    Here are the results from avenger.txt:

    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\atnkdhfe

    *******************


    Fatal error: integrity of Services key failed verification check! Security may be fatally compromised. Exiting immediately.

    Could not open script file! Status: 0xc0000034 Abort!
    //////////////////////////////////////////


    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\bsbausla

    *******************

    Script file located at: \??\C:\Documents and Settings\qkhbklyv.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    File C:\WINDOWS\SYSTEM32\winree32.dll deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.



    On the bright side, no auto-protect windows have appeared yet. Windows has been running for 5 mins now. I had run the BitDefender online scan prior to receiving your instructions and have attached its log file as well.
     
  8. benjydog

    benjydog TS Rookie Topic Starter

    Maybe I spoke too soon

    I ran another online BitDefender scan and here are the results:

    BitDefender Online Scanner

    Scan report generated at: Sun, Oct 22, 2006 - 09:06:00

    Scan path: A:\;C:\;D:\;E:\;

    Statistics
    Time: 02:43:26
    Files: 684047
    Folders: 3422
    Boot Sectors: 2
    Archives: 2871
    Packed Files: 73441

    Results
    Identified Viruses: 2
    Infected Files: 12
    Suspect Files: 0
    Warnings: 0
    Disinfected: 0
    Deleted Files: 12

    Engines Info
    Virus Definitions: 478160
    Engine build: AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
    Scan plugins: 13
    Archive plugins: 38
    Unpack plugins: 6
    E-mail plugins: 6
    System plugins: 1

    Scan Settings
    First Action: Disinfect
    Second Action: Delete
    Heuristics: Yes
    Enable Warnings: Yes
    Scanned Extensions: *;
    Exclude Extensions:
    Scan Emails: Yes
    Scan Archives: Yes
    Scan Packed: Yes
    Scan Files: Yes
    Scan Boot: Yes

    Scanned File
    Status

    C:\avenger\backup.zip=>avenger/winree32.dll
    Infected with: Trojan.Klone.H

    C:\avenger\backup.zip=>avenger/winree32.dll
    Disinfection failed

    C:\avenger\backup.zip=>avenger/winree32.dll
    Deleted

    C:\avenger\backup.zip
    Updated

    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\168FX8MT\srvfch[1].exe
    Infected with: Trojan.Dialer.RO

    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\168FX8MT\srvfch[1].exe
    Disinfection failed

    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\168FX8MT\srvfch[1].exe
    Deleted

    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\168FX8MT\srvtsj[1].exe
    Infected with: Trojan.Dialer.RO

    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\168FX8MT\srvtsj[1].exe
    Disinfection failed

    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\168FX8MT\srvtsj[1].exe
    Deleted

    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\H8ADGTR7\srvdce[1].exe
    Infected with: Trojan.Dialer.RO

    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\H8ADGTR7\srvdce[1].exe
    Disinfection failed

    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\H8ADGTR7\srvdce[1].exe
    Deleted

    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\H8ADGTR7\srvjzk[1].exe
    Infected with: Trojan.Dialer.RO

    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\H8ADGTR7\srvjzk[1].exe
    Disinfection failed

    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\H8ADGTR7\srvjzk[1].exe
    Deleted

    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\O1C3INZ4\srvuza[1].exe
    Infected with: Trojan.Dialer.RO

    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\O1C3INZ4\srvuza[1].exe
    Disinfection failed

    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\O1C3INZ4\srvuza[1].exe
    Deleted

    C:\System Volume Information\_restore{E6CAC8CF-813F-4B0A-8EFA-5ADFACB6945A}\RP2\A0000041.dll
    Infected with: Trojan.Klone.H

    C:\System Volume Information\_restore{E6CAC8CF-813F-4B0A-8EFA-5ADFACB6945A}\RP2\A0000041.dll
    Disinfection failed

    C:\System Volume Information\_restore{E6CAC8CF-813F-4B0A-8EFA-5ADFACB6945A}\RP2\A0000041.dll
    Deleted

    C:\WINDOWS\Temp\win26.tmp.exe
    Infected with: Trojan.Dialer.RO

    C:\WINDOWS\Temp\win26.tmp.exe
    Disinfection failed

    C:\WINDOWS\Temp\win26.tmp.exe
    Deleted

    C:\WINDOWS\Temp\win28.tmp.exe
    Infected with: Trojan.Dialer.RO

    C:\WINDOWS\Temp\win28.tmp.exe
    Disinfection failed

    C:\WINDOWS\Temp\win28.tmp.exe
    Deleted

    C:\WINDOWS\Temp\win29.tmp.exe
    Infected with: Trojan.Dialer.RO

    C:\WINDOWS\Temp\win29.tmp.exe
    Disinfection failed

    C:\WINDOWS\Temp\win29.tmp.exe
    Deleted

    C:\WINDOWS\Temp\win2A.tmp.exe
    Infected with: Trojan.Dialer.RO

    C:\WINDOWS\Temp\win2A.tmp.exe
    Disinfection failed

    C:\WINDOWS\Temp\win2A.tmp.exe
    Deleted

    C:\WINDOWS\Temp\win2B.tmp.exe
    Infected with: Trojan.Dialer.RO

    C:\WINDOWS\Temp\win2B.tmp.exe
    Disinfection failed

    C:\WINDOWS\Temp\win2B.tmp.exe
    Deleted
    I also included an updated HJT log to see if anything has changed.

    I appreciate your help with this.
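Added example, not part of the thread or of BitDefender: a Python reader for the report layout pasted above, in the raw line-pair form the scanner emits (label then value, and later path then status on consecutive lines). The excerpt is constructed from entries in the post, with one infected file deliberately left without a "Deleted" line; the reader groups detections by threat name, lists infected files that were never deleted or disinfected, and checks the report's own counters against the per-file detail, which is the check a practitioner wants before trusting "Deleted Files: 12".

```python
from collections import defaultdict
# Constructed excerpt in the report's raw line-pair layout (label then value, later path then status).
REPORT = r"""
Infected Files
3
Deleted Files
2
Scanned File
Status
C:\avenger\backup.zip=>avenger/winree32.dll
Infected with: Trojan.Klone.H
C:\avenger\backup.zip=>avenger/winree32.dll
Disinfection failed
C:\avenger\backup.zip=>avenger/winree32.dll
Deleted
C:\WINDOWS\Temp\win26.tmp.exe
Infected with: Trojan.Dialer.RO
C:\WINDOWS\Temp\win26.tmp.exe
Deleted
C:\WINDOWS\Temp\win29.tmp.exe
Infected with: Trojan.Dialer.RO
"""
INFECTED = "Infected with: "
def nonblank(block):
    return [line.strip() for line in block.splitlines() if line.strip()]

def parse_report(text):
    """Return (summary counters, {path: [status, ...]}) from the line-pair layout."""
    head, _, tail = text.partition("Scanned File\nStatus")
    h, t = nonblank(head), nonblank(tail)
    summary = {h[i]: int(h[i + 1]) for i in range(len(h) - 1) if h[i + 1].isdigit()}
    per_file = defaultdict(list)
    for path, status in zip(t[0::2], t[1::2]):  # each entry is a path line plus a status line
        per_file[path].append(status)
    return summary, dict(per_file)

def reconcile(summary, per_file):
    """Group detections by threat, flag infected files never deleted or disinfected, check counters."""
    threats, remaining = defaultdict(list), []
    for path, statuses in per_file.items():
        names = [s[len(INFECTED):] for s in statuses if s.startswith(INFECTED)]
        for name in names:
            threats[name].append(path)
        if names and not {"Deleted", "Disinfected"} & set(statuses):
            remaining.append(path)
    infected, deleted = sum(map(len, threats.values())), sum("Deleted" in s for s in per_file.values())
    return {"threats": dict(threats), "remaining": remaining,
            "infected_ok": summary.get("Infected Files") == infected,
            "deleted_ok": summary.get("Deleted Files") == deleted}
```

Anything listed in "remaining" is a detection the scanner reported but did not remove, so it still needs attention even when the counters agree.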
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is now clean.

    Have HJT fix the following inactive entry.

    O20 - Winlogon Notify: winree32 - winree32.dll (file missing)

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  10. benjydog

    benjydog TS Rookie Topic Starter

    Thank you very much for your patience in this matter. I hope this is resolved. Right now, I haven't received any auto-protect notices for over an hour. I did notice I would get them after I started using I.E. to surf the web. I will restart and try I.E. to see what comes up.

    Thank you again. Much appreciated!
     
Topic Status:
Not open for further replies.
