Popups and dialers/trojans persist

Status
Not open for further replies.

benjydog

Hello

I have been at this all day. It started with ishost.exe and I believe I have removed that problem using another post, however I cannot remove these popups and dialers/trojans that keep appearing. Also there are other garbage apps that keep getting installed every time I restart. One of these is 888toolbar and I can't remember the others.

I have tried, in this order: smitfraudfix, VirtumundoBeGone.exe, Look2Me-Destroyer.exe, AVG Anti-Spyware, Ad-Aware, Spybot, Symantec AV, Trend Micro's HouseCall... and I'm installing F-Secure to try that as well, but nothing seems to be working.

Maybe there are clues in my HJT log? I don't know how to read these.

Thank you very much for your help, i am exhausted at this already.

Ben
 
Hello and welcome to Techspot.

Go and read the Trojan Pakes and other nasties preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


Regards Howard :wave: :wave:


This thread is for the use of benjydog only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Problems still

Hello

Thank you for your very quick reply. I have done as the link you supplied said, but as I was creating this post, Symantec has picked up another dialer (dialer.generic) in my winspool.exe.

Attached are the HJT log and AVG log, even though AVG said it didn't find anything.

Also attached are 2 screen shots: 1 showing one of my typical virus discoveries, the other showing 3 issues that CCleaner could not remove. I tried fixing them over a dozen times (both in safe and normal Windows modes). I don't know if they are also causing a problem.

Thanks very much for your help.
Ben
 
Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

winspool.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there):

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {39BE6ACB-E7BA-64BB-BCA1-08FE62A3CB3E} - C:\WINDOWS\system32\fbeatzd.dll (file missing)

O2 - BHO: (no name) - {6B7BE3D6-019A-C5F0-B642-0AE6784A44A9} - C:\WINDOWS\system32\qvinjkb.dll (file missing)

O4 - HKCU\..\Run: [Ceeo] "C:\WINDOWS\CROSOF~1\winspool.exe" -vt yazb

O20 - Winlogon Notify: ssqrrsr - ssqrrsr.dll (file missing)

O20 - Winlogon Notify: winree32 - C:\WINDOWS\SYSTEM32\winree32.dll

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there):

C:\WINDOWS\CROSOF~1

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

This is the file path you need to enter into Killbox:

C:\WINDOWS\SYSTEM32\winree32.dll

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :)

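The post above walks through the persistence points that the HJT entries map to: two BHO CLSIDs, an HKCU Run value, two Winlogon Notify subkeys, and a DLL that has to be deleted on reboot. As an added example, not code from this thread or from HijackThis itself, the Python below parses HJT-style R0/O2/O4/O20 entries into the registry keys, values and files that removing each one touches, using the six entries quoted above as constructed input. The registry paths in the code (the Browser Helper Objects key, HKCR\CLSID, the CurrentVersion\Run key, the Winlogon\Notify key) are the standard Windows locations those HJT prefixes report on; the line-format regexes are my reading of how HJT prints them and are assumptions.

```python
"""Map HijackThis-style R0/O2/O4/O20 entries to the registry keys, values and
files that a removal step touches. Added example; not HijackThis code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Standard Windows locations behind each HJT prefix.
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKCR\CLSID"
RUN_PARENT = {"HKCU": r"HKCU\Software\Microsoft\Windows\CurrentVersion",
              "HKLM": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"}
NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed input: the six entries quoted in the post above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {39BE6ACB-E7BA-64BB-BCA1-08FE62A3CB3E} - C:\WINDOWS\system32\fbeatzd.dll (file missing)
O2 - BHO: (no name) - {6B7BE3D6-019A-C5F0-B642-0AE6784A44A9} - C:\WINDOWS\system32\qvinjkb.dll (file missing)
O4 - HKCU\..\Run: [Ceeo] "C:\WINDOWS\CROSOF~1\winspool.exe" -vt yazb
O20 - Winlogon Notify: ssqrrsr - ssqrrsr.dll (file missing)
O20 - Winlogon Notify: winree32 - C:\WINDOWS\SYSTEM32\winree32.dll
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()


@dataclass
class Entry:
    kind: str
    raw: str
    reg_keys: List[str] = field(default_factory=list)   # keys to delete outright
    reg_value: Optional[Tuple[str, str]] = None         # (key, value name) to clear
    file: Optional[str] = None                          # file the entry loads
    file_missing: bool = False                          # HJT found no file on disk


# Line formats as HJT prints them (assumed from the quoted entries).
_R0 = re.compile(r"^R0 - (?P<key>HK\w+\\[^,]+),(?P<value>\w+) = ?(?P<data>.*)$")
_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
                 r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
_O4 = re.compile(r"^O4 - (?P<hive>HKCU|HKLM)\\\.\.\\(?P<key>Run\w*): "
                 r"\[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - "
                  r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
_EXE = re.compile(r'^"(?P<quoted>[^"]+)"|^(?P<bare>\S+)')  # first token of a command line


def parse_entry(line: str) -> Optional[Entry]:
    """Return the Entry for one HJT line, or None for prefixes this parser does not know."""
    line = line.strip()
    m = _R0.match(line)
    if m:
        return Entry("R0", line, reg_value=(m["key"], m["value"]))
    m = _O2.match(line)
    if m:
        clsid = m["clsid"]
        return Entry("O2", line, reg_keys=[f"{BHO_KEY}\\{clsid}", f"{CLSID_KEY}\\{clsid}"],
                     file=m["path"], file_missing=bool(m["missing"]))
    m = _O4.match(line)
    if m:
        exe = _EXE.match(m["cmd"])
        path = (exe["quoted"] or exe["bare"]) if exe else None
        return Entry("O4", line, reg_value=(f"{RUN_PARENT[m['hive']]}\\{m['key']}", m["value"]),
                     file=path)
    m = _O20.match(line)
    if m:
        return Entry("O20", line, reg_keys=[f"{NOTIFY_KEY}\\{m['name']}"],
                     file=m["path"], file_missing=bool(m["missing"]))
    return None


def remediation_plan(lines):
    """Collect what removing the parsed entries touches. Files HJT already marked
    '(file missing)' are left out: the registry reference goes, nothing is on disk."""
    entries = [e for e in map(parse_entry, lines) if e]
    plan = {"entries": entries, "delete_keys": [], "reg_values": [], "delete_files": []}
    for e in entries:
        plan["delete_keys"].extend(e.reg_keys)
        if e.reg_value:
            plan["reg_values"].append(e.reg_value)
        if e.file and not e.file_missing and e.file not in plan["delete_files"]:
            plan["delete_files"].append(e.file)
    return plan


if __name__ == "__main__":
    p = remediation_plan(SAMPLE_LINES)
    for k in p["delete_keys"]:
        print("delete key  :", k)
    for key, val in p["reg_values"]:
        print("clear value :", key, "->", val)
    for f in p["delete_files"]:
        print("delete file :", f)
```

Run as-is, the plan lists four keys to delete (two BHO registrations plus their CLSID keys, two Notify subkeys), two registry values to clear, and only the two files the log says are actually present: winspool.exe and winree32.dll, which is exactly the pair the post sends to Task Manager and Killbox.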
 
Problem still

Thank you again for trying to help. Sorry about the late reply; I was called out of town for the night.

I have done as you suggested, however the problems seem to be getting worse.

Now, when my machine boots, it sits on the Windows XP screen for a few minutes and then it takes a few minutes after that, during the loading preferences screen, for my desktop to come up. This is not normal.

Also, it appears that the auto-protect only starts noticing problems once I open I.E.

Also, from your instructions there were a few problems:
1. winspool.exe wasn't running
2. C:\WINDOWS\CROSOF~1 did not exist
3. Killbox could not kill C:\WINDOWS\SYSTEM32\winree32.dll

I have attached a fresh HJT log.

thanks again for helping!
ben
 
Don't worry that you couldn't find some stuff.

The main nasty is still there in your HJT log, so let's try this.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply when it reboots, and post a fresh HJT log.

Regards Howard :)

 
Closer I hope

Hello, and thank you for your patience!

I had to run the Avenger program twice. The first time I loaded it from safe mode and when normal Windows booted, it didn't seem to do anything, so I tried it again.

I think this has to be a related problem, but now my machine takes over 5 minutes to boot when it used to be under 1 minute. Any way I can diagnose this too?

Here are the results from avenger.txt:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\atnkdhfe

*******************


Fatal error: integrity of Services key failed verification check! Security may be fatally compromised. Exiting immediately.

Could not open script file! Status: 0xc0000034 Abort!
//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\bsbausla

*******************

Script file located at: \??\C:\Documents and Settings\qkhbklyv.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\SYSTEM32\winree32.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



On the bright side, no auto-protect windows have appeared yet. Windows has been running for 5 minutes now. I had run the BitDefender online scan prior to receiving your instructions and have attached its log file as well.
 
Maybe I spoke too soon

I ran another online BitDefender scan and here are the results:

BitDefender Online Scanner

Scan report generated at: Sun, Oct 22, 2006 - 09:06:00

Scan path: A:\;C:\;D:\;E:\;

Statistics
Time: 02:43:26
Files: 684047
Folders: 3422
Boot Sectors: 2
Archives: 2871
Packed Files: 73441

Results
Identified Viruses: 2
Infected Files: 12
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 12

Engines Info
Virus Definitions: 478160
Engine build: AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
Scan plugins: 13
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status

C:\avenger\backup.zip=>avenger/winree32.dll
  Infected with: Trojan.Klone.H / Disinfection failed / Deleted

C:\avenger\backup.zip
  Updated

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\168FX8MT\srvfch[1].exe
  Infected with: Trojan.Dialer.RO / Disinfection failed / Deleted

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\168FX8MT\srvtsj[1].exe
  Infected with: Trojan.Dialer.RO / Disinfection failed / Deleted

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\H8ADGTR7\srvdce[1].exe
  Infected with: Trojan.Dialer.RO / Disinfection failed / Deleted

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\H8ADGTR7\srvjzk[1].exe
  Infected with: Trojan.Dialer.RO / Disinfection failed / Deleted

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\O1C3INZ4\srvuza[1].exe
  Infected with: Trojan.Dialer.RO / Disinfection failed / Deleted

C:\System Volume Information\_restore{E6CAC8CF-813F-4B0A-8EFA-5ADFACB6945A}\RP2\A0000041.dll
  Infected with: Trojan.Klone.H / Disinfection failed / Deleted

C:\WINDOWS\Temp\win26.tmp.exe
  Infected with: Trojan.Dialer.RO / Disinfection failed / Deleted

C:\WINDOWS\Temp\win28.tmp.exe
  Infected with: Trojan.Dialer.RO / Disinfection failed / Deleted

C:\WINDOWS\Temp\win29.tmp.exe
  Infected with: Trojan.Dialer.RO / Disinfection failed / Deleted

C:\WINDOWS\Temp\win2A.tmp.exe
  Infected with: Trojan.Dialer.RO / Disinfection failed / Deleted

C:\WINDOWS\Temp\win2B.tmp.exe
  Infected with: Trojan.Dialer.RO / Disinfection failed / Deleted

I also included an updated HJT log to see if anything has changed.

I appreciate your help with this.
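The scan report above lists every hit three times (detection, failed disinfection, deletion), which buries the one thing that matters for triage: where the infected files lived. As an added example, not code from this thread or from BitDefender, the Python below folds a report in that "Scanned File / Status" shape into one record per path and buckets each detection by location, so a report whose hits are all in restore points, the browser cache, the Windows temp directory and a removal tool's own backup archive (as here) reads differently from one with a hit under System32. The sample report is a constructed excerpt of the entries above, and the location rules are this example's own assumptions about what counts as a cached or archived copy rather than a live file.

```python
"""Fold a BitDefender-style 'Scanned File / Status' report into one record per
path and bucket detections by where the file lived. Added example, not
BitDefender code."""
import re
from collections import Counter

# Constructed excerpt of the report quoted above: same line pairs, fewer files.
SAMPLE_REPORT = r"""
C:\avenger\backup.zip=>avenger/winree32.dll
Infected with: Trojan.Klone.H

C:\avenger\backup.zip=>avenger/winree32.dll
Disinfection failed

C:\avenger\backup.zip=>avenger/winree32.dll
Deleted

C:\avenger\backup.zip
Updated

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\168FX8MT\srvfch[1].exe
Infected with: Trojan.Dialer.RO

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\168FX8MT\srvfch[1].exe
Disinfection failed

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\168FX8MT\srvfch[1].exe
Deleted

C:\System Volume Information\_restore{E6CAC8CF-813F-4B0A-8EFA-5ADFACB6945A}\RP2\A0000041.dll
Infected with: Trojan.Klone.H

C:\System Volume Information\_restore{E6CAC8CF-813F-4B0A-8EFA-5ADFACB6945A}\RP2\A0000041.dll
Disinfection failed

C:\System Volume Information\_restore{E6CAC8CF-813F-4B0A-8EFA-5ADFACB6945A}\RP2\A0000041.dll
Deleted

C:\WINDOWS\Temp\win26.tmp.exe
Infected with: Trojan.Dialer.RO

C:\WINDOWS\Temp\win26.tmp.exe
Disinfection failed

C:\WINDOWS\Temp\win26.tmp.exe
Deleted
"""

# Paths where a hit is a cached or archived copy rather than something loaded at
# runtime. These rules are assumptions of this example, not the scanner's own.
LOCATION_RULES = [
    ("restore point", re.compile(r"\\System Volume Information\\_restore", re.I)),
    ("browser cache", re.compile(r"\\Temporary Internet Files\\", re.I)),
    ("windows temp", re.compile(r"\\WINDOWS\\Temp\\", re.I)),
    ("tool backup archive", re.compile(r"\\avenger\\backup\.zip", re.I)),
]


def classify_location(path: str) -> str:
    """Label a path by the first matching rule; anything else is treated as live."""
    for label, rx in LOCATION_RULES:
        if rx.search(path):
            return label
    return "live location"


def parse_report(text: str) -> dict:
    """One list of status lines per scanned path, in report order.
    Blocks are 'path\\nstatus' pairs separated by blank lines; the column
    header ('Scanned File' / 'Status') is skipped if present."""
    records = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) != 2 or lines[0] == "Scanned File":
            continue
        path, status = lines
        records.setdefault(path, []).append(status)
    return records


def triage(text: str) -> dict:
    """Count detections per family and per location, and list any hit whose
    final recorded action was not 'Deleted'."""
    families, locations, not_removed = Counter(), Counter(), []
    for path, statuses in parse_report(text).items():
        family = next((s.split(": ", 1)[1] for s in statuses
                       if s.startswith("Infected with: ")), None)
        if family is None:   # e.g. the archive container reported only as 'Updated'
            continue
        families[family] += 1
        locations[classify_location(path)] += 1
        if statuses[-1] != "Deleted":
            not_removed.append(path)
    return {"detections": sum(families.values()), "families": families,
            "locations": locations, "not_removed": not_removed}


if __name__ == "__main__":
    r = triage(SAMPLE_REPORT)
    print(f"{r['detections']} detections, {r['locations']['live location']} in live locations")
    for bucket, n in r["locations"].most_common():
        print(f"  {bucket}: {n}")
```

On the constructed excerpt this reports four detections, none in a live location and none left undeleted; a hit in the Windows or System32 directory itself would land in the "live location" bucket and is the case worth chasing with a fresh HJT log rather than another cache sweep.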
 
Your HJT log is now clean.

Have HJT fix the following inactive entry.

O20 - Winlogon Notify: winree32 - winree32.dll (file missing)

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
Thank you very much for your patience in this matter. I hope this is resolved. Right now, I haven't received any auto-protect notices for over an hour. I did notice I would get them after I started using I.E. to surf the web. I will restart and try I.E. to see what comes up.

Thank you again. Much appreciated!
 