TechSpot

problems with viruses/trojans

By kerenza
Oct 14, 2005
  1. Hi, my sister has a problem with "downloaders". McAfee registered Downloader-ACV and said it couldn't remove it; she has disabled System Restore and done all the usual scans, and last night it seemed OK. She booted up this morning and there were other things such as Downloader-ZI and Generic Downloader.k, as well as several pop-ups and IE being launched without asking. I was pointed in the direction of this site and wondered if anyone could look at the log for me please? Many thanks *crosses fingers*
    Kerenza
     
  2. Spike

    Spike TS Evangelist Posts: 2,168

    Hi there, welcome to TechSpot :)

    You've got a lot of infection in that log.

    Please could you follow the instructions on removing trojans

    and then the instructions here (including the bit about not putting HJT in a temp directory. Place it in "C:\program files\hjt").

    Post back with both your ewido log and your HJT log once you've done this and we'll take a look again :)

    Attached is a list of all the nasty entries I've found in your logfile...

    edit: A little googling tells me that RoboForm isn't a nasty. I'm still suspicious (but then I always am!). To me, it looks like a useless piece of clutter at best, but then, I don't use it. I'll leave such things to others to decide on.

    edit2: I've also accidentally copied the MSJAVA entries into the file. Ignore these.
     
  3. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    You run BOTH Norton/Symantec AND McAfee, that is too rich for any PC.
    My suggestion: get rid of that Norton/Symantec bloatware completely!

    C:\DOCUME~1\MARK&J~1\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
    Put HijackThis in e.g. C:\Program Files\HJT and NOT in Temp or on the Desktop!

    First Read: Only use these HJT-instructions when asked!
    /P/ Process needs to be stopped
    /U/ UNinstall anything to do with this
    /R/ unRegister the xxx.DLL in that line
    The text underneath goes between the dotted lines of that post.
    ...................................................................................................
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\Searchx.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/APPS/IE/offline/uk.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bestoffersnetworks.com/uninstall
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
    R3 - Default URLSearchHook is missing
    O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\system32\pkshwdfa.dll (file missing)
    /R/ O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
    O2 - BHO: TalMgr Class - {70230839-555C-4862-8D42-BB1E2352502C} - C:\WINDOWS\system32\italrjin.dll (file missing)
    /R/ O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsl23C.dll
    O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
    /P/U/ O4 - HKLM\..\Run: [ClickMe] C:\apps\ClickMe\ClickMe.exe
    /P/ O4 - HKLM\..\Run: [psposvq] C:\WINDOWS\psposvq.exe
    /P/ O4 - HKLM\..\Run: [stb] C:\WINDOWS\system32\stb.exe
    /P/ O4 - HKLM\..\Run: [6ed3d6b434d7] C:\WINDOWS\system32\cmutil88.exe
    /P/U/ O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
    /P/ O4 - HKCU\..\Run: [pshower] C:\WINDOWS\system32\pshwr.exe
    /P/ O4 - HKCU\..\Run: [ichckupd] C:\WINDOWS\system32\ichckupd.exe
    /P/U/ O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
    O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
    Fix ALL your O16 - DPF: entries
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\nxibcui.exe (file missing)
    ...................................................................................................
     
  4. kerenza

    kerenza TS Rookie Topic Starter

    Hi, this is the report from what Spike said to do. Neither of us are very technical and are struggling with the instructions on the next reply, we're not sure what text we are meant to put where :-/ I am really hoping it's all cleaned up but if not we'll have another go tomorrow. Thanks a lot for your replies :)

    Kerenza
     
  5. Spike

    Spike TS Evangelist Posts: 2,168

    Could you please post a fresh HJT log also (after your machine has been rebooted), so that we can see what's now left on your system.

    Most people find RBS's instructions quite clear, but if you are finding them difficult to follow I will write them out without the codes.
     
  6. kerenza

    kerenza TS Rookie Topic Starter

    Hi

    This is the hjt log after rebooting
     
  7. Spike

    Spike TS Evangelist Posts: 2,168

    Reboot into Safe Mode

    Disable system restore

    Open Task Manager by pressing Control+Alt+Delete, go to the Processes tab, and end any of the following processes if listed...
    clickme.exe
    psposvq.exe
    stb.exe
    pshwr.exe
    ichckupd.exe

    Click on start -> run, and type the following line into the box, and then press enter...
    regsvr32 /u C:\WINDOWS\system32\communicator.dll (Cheers RBS :) - I mistyped the command, now corrected)

    Go to start -> Control Panel -> add/remove programs. If listed, uninstall anything to do with...
    ClickMe

    Run HiJack This, and put a tick in the little square box next to each of the following entries, and when you've ticked the last one, click the 'fix' button...
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\Searchx.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/APPS/IE/offline/uk.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bestoffersnetworks.com/uninstall
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
    R3 - Default URLSearchHook is missing
    O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\system32\pkshwdfa.dll (file missing)
    O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
    O2 - BHO: TalMgr Class - {70230839-555C-4862-8D42-BB1E2352502C} - C:\WINDOWS\system32\italrjin.dll (file missing)
    O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsl23C.dll (file missing)
    O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
    O4 - HKLM\..\Run: [ClickMe] C:\apps\ClickMe\ClickMe.exe
    O4 - HKLM\..\Run: [psposvq] C:\WINDOWS\psposvq.exe
    O4 - HKLM\..\Run: [stb] C:\WINDOWS\system32\stb.exe
    O4 - HKCU\..\Run: [pshower] C:\WINDOWS\system32\pshwr.exe
    O4 - HKCU\..\Run: [ichckupd] C:\WINDOWS\system32\ichckupd.exe
    O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm

    ALL entries starting with O16

    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\nxibcui.exe (file missing)

    delete each of the following files...
    C:\WINDOWS\system32\communicator.dll
    C:\WINDOWS\psposvq.exe
    C:\WINDOWS\system32\stb.exe
    C:\WINDOWS\system32\pshwr.exe
    C:\WINDOWS\system32\ichckupd.exe
    ...and the following folders
    C:\apps\ClickMe\
    C:\Program Files\CMSystem\

    delete all files in
    C:\Documents and Settings\MARK & JOANNE\Local Settings\Temp\ - (repeat for all usernames on the computer)
    c:\windows\prefetch
    c:\windows\temp - (EXCEPT for those with today's date)

    Finally, reboot your computer, run HJT once more, and post your new log.
     
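    The entry types Spike and RBS single out above (R0/R1 IE settings, O2/O3 browser add-ons, O4 autoruns, O23 services, and anything marked "(file missing)") follow a regular format, so a first-pass triage of a HijackThis log can be scripted. The example below is added here and is not code from the thread or from HijackThis; its sample log is constructed from the entry types quoted in the thread, and its rules and tiny `KNOWN_AUTORUNS` allowlist are illustrative heuristics, not a complete detection set.

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample in HijackThis log format, modelled on this thread's entries (not the poster's real log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\Searchx.htm
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\system32\pkshwdfa.dll (file missing)
O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O4 - HKLM\..\Run: [psposvq] C:\WINDOWS\psposvq.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\nxibcui.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+?)(?P<missing> \(file missing\))?$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\n]*?\.(?:exe|dll)", re.IGNORECASE)
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
KNOWN_AUTORUNS = {"ctfmon.exe"}  # tiny allowlist for the demo; real triage needs a fuller one

def parse(log: str) -> List[Dict]:
    """Split an HJT log into entries: section code, body text, exe/dll path, file-missing flag."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            p = PATH_RE.search(m["body"])
            entries.append({"section": m["section"], "body": m["body"], "path": p.group(0) if p else None, "missing": bool(m["missing"])})
    return entries

def triage(e: Dict) -> List[str]:
    """Heuristic rules mirroring what the helpers in this thread looked for; returns reasons to flag."""
    in_sysdir = ntpath.dirname(e["path"] or "").lower() in SYSTEM_DIRS
    reasons = []
    if e["missing"]:
        reasons.append("registered component is no longer on disk")
    if e["section"] in ("R0", "R1") and "file://" in e["body"].lower():
        reasons.append("IE start/search page points at a local file")
    if e["section"] in ("O2", "O3") and in_sysdir:
        reasons.append("browser add-on loaded from the Windows directory")
    if e["section"] == "O4" and in_sysdir and ntpath.basename(e["path"] or "").lower() not in KNOWN_AUTORUNS:
        reasons.append("autorun binary sitting directly in Windows/system32")
    if e["section"] == "O23" and "Unknown owner" in e["body"]:
        reasons.append("service with unknown owner")
    return reasons

def flagged(log: str) -> Dict[str, List[str]]:
    # body text of each suspicious entry -> the reasons it was flagged
    return {e["body"]: triage(e) for e in parse(log) if triage(e)}

def quarantine_candidates(log: str) -> List[str]:
    # files behind flagged entries that still exist on disk: quarantine these after fixing the entries
    return [e["path"] for e in parse(log) if triage(e) and e["path"] and not e["missing"]]
```

    On the constructed sample this flags five of the six entries and leaves the genuine ctfmon.exe autorun alone; the two flagged files still on disk (communicator.dll and psposvq.exe) are the ones a cleanup would quarantine, matching the shape of the delete list in the post above.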
  8. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Spike, your explanation (although no doubt much appreciated by the person concerned) defeats the purpose.
    People who can not follow my instructions, should not even HAVE a PC!
     
  9. kerenza

    kerenza TS Rookie Topic Starter

    Sorry RBS, but I think that comment was utterly uncalled for. I appreciate any help offered and, as I said, neither I nor my sister are very technical, and although she had a go at your instructions certain things weren't showing up. Obviously it is easy for you because you know what you're doing, but please don't insult those of us who have never had to do this before.
     
  10. Spike

    Spike TS Evangelist Posts: 2,168

    wow! did you ever get out of the wrong side of bed today RBS :)

    Seriously though, I felt that if kerenza could follow your instructions for removing adware and trojans, then it must be that there was some confusion arising from things not working and wondering whether your instructions had been understood correctly.

    I've just had a PM from kerenza and this seems to be the case...

    She also mentioned that some files couldn't be deleted (not sure which ones).

    I'm sure that your instructions will be easier to assemble and follow now that it's been done once. I certainly didn't intend to undermine the system we have here (it's a good system!). Just a one-off based on intuition really.
     
  11. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Spike's version: regsrv32 /u
    RBS instruction: REGSVR32 /U

    Small but significant.
     
  12. Spike

    Spike TS Evangelist Posts: 2,168

    Oops. You've gotta love the chaos typos can cause. Cheers RBS :)
     
  13. kerenza

    kerenza TS Rookie Topic Starter

    Hi, she is still getting an error message saying "load library(c:\windows\system32\communicator.dll(failed)-the specified module could not be found". This is the latest log which she has just done. Thanks again for the help.
    Kerenza
     
  14. Spike

    Spike TS Evangelist Posts: 2,168

    Was that log created before or after rebooting? If created after rebooting, then that log looks pretty clean now, except for the O16 entries.

    You REALLY should run HJT and fix ALL entries starting with O16. It may be that you'll have to download one or two browser plugins again as and when required, but the benefit in terms of decreased risk far outweighs the inconvenience.

    Run HJT, and fix all entries starting with O16.
     
  15. kerenza

    kerenza TS Rookie Topic Starter

    Well, she has followed instructions, so hopefully this might be the last one :)
     
  16. Spike

    Spike TS Evangelist Posts: 2,168

    As far as I can see, that's a clean log. I hope it stays that way for you :)
     
  17. kerenza

    kerenza TS Rookie Topic Starter

    Phew thank god for that! Thanks so much for all your help, from both of us :)
    Kerenza
     