problems with viruses/trojans

[kerenza]

Hi, my sister has a problem with "downloaders" Mcafee registered downloader-acv and said it couldn't remove it, she has disabled system restore and done all the usual scans and last night it seemed ok. She booted up this morning and there were other things such as downloader-ZI and Generic Downloader.k as well as getting several pop ups and ie being launched without asking. I was pointed in the direction of this site and wondered if anyone could look at the log for me please? Many thanks *crosses fingers*
Kerenza

 

[Spike]

Hi there, Welcome to techspot

You've got a lot of infection in that log.

please could you follow the instructions on removing trojans

and then the instructions here (including the bid about not putting HJT in a temp directory. Place it in "C:\program files\hjt")

Post back with both your ewido log and your HJT log once you've done this and we'll take a look again

attached is a list of all the nasty entries I've found in your logfile...

deit: A little googling tells me that roboform isn't a nasty. I'm still suspicious (but then I always am!). to me, it looks like a usless piece of clutter at best, but then, I don't use it. I'll leave such things to others to decide on.

edit2: I've also accidentally copied the MSJAVA entries into the file. Ignore these.

 

[RealBlackStuff]

You run BOTH Norton/Symantec AND McAfee, that is too rich for any PC.
My suggestion: get rid of that Norton/Symantec bloatware completely!

C:\DOCUME~1\MARK&J~1\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
put HijackThis in e.g C:\Program Files\HJT and NOT in Temp or on the Desktop!.

First Read: Only use these HJT-instructions when asked!
/P/ Process needs to be stopped
/U/ UNinstall anything to do with this
/R/ unRegister the xxx.DLL in that line
The text underneath goes between the dotted lines of that post.
...................................................................................................
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\Searchx.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/APPS/IE/offline/uk.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bestoffersnetworks.com/uninstall
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R3 - Default URLSearchHook is missing
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\system32\pkshwdfa.dll (file missing)
/R/ O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O2 - BHO: TalMgr Class - {70230839-555C-4862-8D42-BB1E2352502C} - C:\WINDOWS\system32\italrjin.dll (file missing)
/R/ O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsl23C.dll
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
/P/U/ O4 - HKLM\..\Run: [ClickMe] C:\apps\ClickMe\ClickMe.exe
/P/ O4 - HKLM\..\Run: [psposvq] C:\WINDOWS\psposvq.exe
/P/ O4 - HKLM\..\Run: [stb] C:\WINDOWS\system32\stb.exe
/P/ O4 - HKLM\..\Run: [6ed3d6b434d7] C:\WINDOWS\system32\cmutil88.exe
/P/U/ O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
/P/ O4 - HKCU\..\Run: [pshower] C:\WINDOWS\system32\pshwr.exe
/P/ O4 - HKCU\..\Run: [ichckupd] C:\WINDOWS\system32\ichckupd.exe
/P/U/ O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
Fix ALL your O16 - DPF: entries
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\nxibcui.exe (file missing)
...................................................................................................

 

[kerenza]

Hi, this is the report from what Spike said to do. Neither of us are very technical and are struggling with the instructions on the next reply, we're not sure what text we are meant to put where :-/ I am really hoping it's all cleaned up but if not we'll have another go tomorrow. Thanks a lot for your replies

Kerenza

 

[Spike]

Could you please post a fresh HJT log also (after your machine has been rebooted), so that we can see what's now left on your system.

Most people find RBS's instructions quite clear, but if you are finding them difficult to follw I will write them out without the codes.

 

[kerenza]

Hi

This is the hjt log after rebooting

 

[Spike]

Reboot into Safe Mode

Disable system restore

Open Task Manager by presseing control+alt+delete, go to the processes tab, and end any of the following processes if listed...
clickme.exe
psposvq.exe
stb.exe
pshwr.exe
ichckupd.exe

Click on start -> run, and type the following line into the box, and then press enter...
regsvr32 /u C:\WINDOWS\system32\communicator.dll (Cheers RBS - I mistyped the command, now corrected)

Go to start -> Control Panel -> add/remove programs. If listed, uninstall anything to do with...
ClickMe

Run HiJack This, and put a tick in the little square box next to each of the following entries, and when you've ticked the last one, click the 'fix' button...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\Searchx.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/APPS/IE/offline/uk.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bestoffersnetworks.com/uninstall
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R3 - Default URLSearchHook is missing
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\system32\pkshwdfa.dll (file missing)
O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O2 - BHO: TalMgr Class - {70230839-555C-4862-8D42-BB1E2352502C} - C:\WINDOWS\system32\italrjin.dll (file missing)
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsl23C.dll (file missing)
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O4 - HKLM\..\Run: [ClickMe] C:\apps\ClickMe\ClickMe.exe
O4 - HKLM\..\Run: [psposvq] C:\WINDOWS\psposvq.exe
O4 - HKLM\..\Run: [stb] C:\WINDOWS\system32\stb.exe
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\system32\pshwr.exe
O4 - HKCU\..\Run: [ichckupd] C:\WINDOWS\system32\ichckupd.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm

ALL entries starting with 016

O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\nxibcui.exe (file missing)

delete each of the following files...
C:\WINDOWS\system32\communicator.dll
C:\WINDOWS\psposvq.exe
C:\WINDOWS\system32\stb.exe
C:\WINDOWS\system32\pshwr.exe
C:\WINDOWS\system32\ichckupd.exe
...and the following folders
C:\apps\ClickMe\
C:\Program Files\CMSystem\

delete all files in
C:\Documents and Settings\MARK & JOANNE\Local Settings\Temp\ - (repeat for all usernames on the computer)
c:\windows\prefetch
c:\windows\temp - (EXCEPT for those with todays date)

Finally, reboot your computer, run HJT once more, and post your new log.

 

[RealBlackStuff]

Spike, your explanation (although no doubt much appreciated by the person concerned) defeats the purpose.
People who can not follow my instructions, should not even HAVE a PC!

 

[kerenza]

Sorry RBS but i think that comment was utterly uncalled for. I appreciate any help offered and as i said neither i or my sister are very technical and although she had a go at your instructions certain things weren't showing up. Obviously it is easy for you because you know what you're doing but please don't insult those of us who have never had to do this before.

 

[Spike]

wow! did you ever get out of the wrong side of bed today RBS

Seriously though I felt that if karenza could follow your intructions for removing adware and trojans, then it must be that there was some confusion arising from things not working and wondering wether your instructions had been understood correctly.

I've just had a pm from karenza and this seems to be the case...

Open Task Manager by presseing control+alt+delete, go to the processes tab, and end any of the following processes if listed...
None of the processes listed appeared

regsrv32 /u C:\WINDOWS\system32\communicator.dll
This came up with an error message "WINDOWS CANNOT RENF REGSRV. MAKE SURE YOU TYPED NAME CORRECTLEY "

She also mentioned that some files couldn't be deleted (not sure which ones).

I'm sure that your instructions will be easier to assemble and follow now that it's been done once. I certainjly didn't intend to undermine the system we have here (it's a good system!). Just a one off based on intuition really.

 

[RealBlackStuff]

Spike's version: regsrv32 /u
RBS instruction: REGSVR32 /U

Small but significant.

 

[Spike]

oops. You've gotta love the chaos typo's can cause. cheers RBS

 

[kerenza]

Hi, she is still getting an error message saying "load library(c:\windows\system32\communicator.dll(failed)-the specified module could not be found" This is the latest log which she has just done, thanks again for the help
Kerenza

 

[Spike]

Was that log created before or after rebooting? If created after rebooting, then that log looks pretty clean now, except for the 016 entries.

You REALLY should run HJT and fix ALL entries starting with 016. It may be that you'll have to download one or two browser plugins again as and when required, but the benefit in terms of decreased risk far outweighs the inconvenience.

run HJT, and fix all entries starting with 016

 

[kerenza]

Well she has followed instructions so hopefully this might be the last 1

 

[Spike]

As far as I can see, that's a clean log. I hope it stays that way for you

 

[kerenza]

Phew thank god for that! Thanks so much for all your help, from both of us
Kerenza