Trojan.Duntek

[Chivas]

Hi! I just registered on here.

Ok, so my problem is this trojan that won't get removed from my PC. I have already used Norton, AVG, Spybot, AdAware and SuperANTISpyware to get rid of it and yet I have failed. Of course, during the process those programs removed other viruses, and so far it seems that this "Trojan.Duntek" is the only remaining one.

It is encripted or stored in a dll file, it's called extdat.dll or something alike, Norton detects it... but it can't delete it, not even in safe mode... I have tried deleting it manually, it doesn't work either, it says that the file is on use. So, it seems that the file gets active when Windows starts, making it a real pain. Also, I can't use the TaskManager it seems that the trojan blocked it, so I can't point which program uses it in order to disable the file.

So, I searched on the web for removal instructions, but they are always the same: run an anti-virus, anti-spyware, do the same under safe mode and it should be done. Well, it doesn't work.

I have even looked on symantec page for virus removal instructions and it says to delete all infected files first, but that's the problem, not even in safe mode can't delete those files. Erasing the registry values seems to be useless as well (I guess that the dll file just rewrites them again)...

And well... that's all... I don't know what to do anymore... Symantec says it's a low risk trojan, but I guess it really isn't because if I open Internet Explorer it opens other windows as well...

So, well, what should I do... or what should I use... I really need help for this.

Thanks!!

 

[howard_hopkinso]

Hello and welcome to Techspot.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of Chivas only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Chivas]

Good! I'll do that tonight (I'm posting from another PC, I don't have the infected one here)...

I just have a question on Step 3... which requires an online scan... isn't there any risk with that? ... you know, since the trojan opens IE explorer windows...

 

[howard_hopkinso]

No, I don`t think there is much of a risk. If you have any problems with the online scanner, skip it and move on to the next step in the instructions.

Regards Howard

This thread is for the use of Chivas only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Chivas]

I'm posting this from the infected PC. I followed all 13 steps, except step 3... the virus wouldn't allow the internet browser to work properly.

Anyway, I just couldn't get a proper AVG AntiSpyware Log... I'm sure I changed the setting to Quarantine, but at the end of the scan it put that it deleted all the 50 files of spyware found... the files had names like paypal, ebay, etc... maybe they were tracking cookies or something alike...

Still, here are the HijackThis and ComboFix's logs... along with reports of two of the tools used in Step 9...


As for symptoms... well, I guess that my PC takes a little more to log on Windows... but I guess that's partly because I have been installing several programs.

Also, I installed something called Anti-Trojan Shield.. or something... then I uninstalled it, I wonder if I have to take any more steps to completely uninstall it.

 

[howard_hopkinso]

You have posted the Combofix quarantine log, instead of the Combofix log itself.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to add remove programmes in your control panel and uninstall anything to do with(if there).

Symantec

Close control panel.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Symantec Network Drivers Service (SNDSrvc)<Disable the service name and/or the name in brackets.
Automatic LiveUpdate Scheduler

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

SNDSrvc.exe
supervisor.exe
SNDMon.exe
ALUSchedulerSvc.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"

O4 - HKLM\..\Run: [ Windows] C:\WINDOWS\WinSecurity\services.exe

O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe

Fix all O18 - Protocol: entries.

O20 - AppInit_DLLs:

O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\Program Files\Common Files\Symantec Shared<Delete the entire folder.
C:\Program Files\Symantec<Delete the entire folder.
C:\WINDOWS\supervisor.exe
C:\WINDOWS\WinSecurity<Delete the entire folder.

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log as well as a Combofix log. Alos, post a fresh AVG Antispyware log, if it finds anything. I also want to know the results of the AVG Antirootkit scan.

Regards Howard

This thread is for the use of Chivas only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Chivas]

You have posted the Combofix quarantine log, instead of the Combofix log itself.

Oops, sorry for that.

Anyway, I followed the instructions and here are the logs. AVG Anti-rootkit didn't find anywhing, by the way. Also, on the logs, I just changed the real username to "[user]"... for privacy reasons...

AVG Anti-Spyware just found 2 tracking cookies.

And well, here's the rest...

I ran HijackThis under safe mode and then under normal mode.

Finally, I ran Windows Update after reconnecting... hope it doesn't affects...

Thanks in advance.

 

[howard_hopkinso]

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O2 - BHO: (no name) - {84432882-0610-4c66-856d-8e0c7db0490b} - (no file)

O4 - HKCU\..\Run: [LDM] \Program\

O20 - Winlogon Notify: extdak - C:\WINDOWS\

O20 - Winlogon Notify: __c003809E - C:\WINDOWS\system32\__c003809E.dat

Click on the fix checked button.

Close HJT and reboot your system.

Unless you`re still having problems, you should be good to go.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard

This thread is for the use of Chivas only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Chivas]

I deleted those 4 entries... being disconnected from the Internet... yet, when I restarted the computer and ran another HJT scan, those entries reappeared...

seems that the virus may be hidden somewhere else...

 

[howard_hopkinso]

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.

Regards Howard

This thread is for the use of Chivas only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Chivas]

It worked, but still that line:

O20 - Winlogon Notify: __c003809E - C:\WINDOWS\system32\__c003809E.dat

appears... I run HJT on Normal Mode and Fix It... then I run HJT again, and it doesn't appear... however, once I restart and run HJT it will appear again...

Also, WinPatrol detects a startup program... it doesn't say anything, it just says: "/Program/"...

I attached images of those windows... as well as the logs of HJT and Avenger...

 

[howard_hopkinso]

Have HJT fix this inactive entry.

O20 - Winlogon Notify: __c003809E - C:\WINDOWS\system32\__c003809E.dat (file missing)

Other than that, your HJT log is now clean.

The programme in your pics is disabled in msconfig, so there shouldn`t be a problem with it.

Turn off system restore.(XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard

This thread is for the use of Chivas only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Chivas]

Well,I restarted and it appears again... but this time without "(no file) found" text

Win Patrol still detects that program that popups... and the TeaTimer identifies it as LDM...

I checked the registry on My Computer/HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon/Notify and there are elements called:

!SASWinLogon
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
WgaLogon
wlballon




the thing seems to be almost deleted, however, is still very stubborn...

I hope that I'm not bothering you with this...

 

[howard_hopkinso]

!SASWinLogon is part of the Superantispyware programme. I don`t know what the __c003809E entry is as I can`t find any info for it. For all I know, it could also be part of the same programme.

Uninstall Superantispyware and reboot your computer, then run HJT and see if the __c003809E entry is still there. If it is, please do the following.

Download the Autoruns programme from HERE. When the programme runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.

Attach the Autoruns log here.

Regards Howard

This thread is for the use of Chivas only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Chivas]

The funny thing is (actually, it's not so funny) is that I have SuperAntiSpyware uninstalled already. Anyway, I deleted that entry manually...

 

[howard_hopkinso]

Does that mean the __c003809E entry is no longer in your HJT log?

Regards Howard

This thread is for the use of Chivas only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Chivas]

Lemme check, gotta restart the machine... I just downloaded the Microsoft Program just to follow that instruction...

Upon restart, I ran HJT, and both entries appeared as well... is there a tool to definitely remove SuperAntiSpyware... never thought that the program could be annoyance...

 

[howard_hopkinso]

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.

Also, please attach the Autoruns log as per the instructions in my post #14

Regards Howard

This thread is for the use of Chivas only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Chivas]

done! interestingly enough, the avenger reported that it didn't find the files...but for some reason HijackThis keeps detecting them...

 

[howard_hopkinso]

We need to temporarily disable Spybot search & Destroy`s tea time, as it may interfere with any fix we are trying to run.

Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.

Right-click the running icon of Winpatrol in the system tray and choose exit. It will automatically restart at next boot.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Right-click the running icon of Winpatrol in the system tray and choose exit. It will automatically restart at next boot.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

ALUNotify.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')

O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\

O20 - Winlogon Notify: __c003809E - C:\WINDOWS\

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\Program Files\Symantec<Delete the entire folder.

Reboot into normal mode and rehide your protected OS files.

Please re-run Autoruns and make sure you hide the Microsoft entries as per the instructions in post#14.

Post a fresh HJT log as well as another Autoruns log.

Regards Howard

This thread is for the use of Chivas only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Chivas]

done...

the entries SAS and c0038etc... did not appear this time

 

[howard_hopkinso]

Your HJT log is now clean.

You can now re-enable Spybot`s Teatimer.

Turn off system restore.(XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard

This thread is for the use of Chivas only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Chivas]

Well, for those 2 entries on HJT, well they are gone! Thanks for helping with that!!

Anyway, the last problem is that WinPatrol and TeaTimer still detect that program on the startup... WinPatrol just detects it as "/Program/" while TeaTimer detects it as "LDM"...

sorry for making this too long...

 

[howard_hopkinso]

The LDM is your Logitech Desktop messenger programme. If you don`t use it, you can uninstall it from add remove programmes.

Regards Howard

This thread is for the use of Chivas only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Chivas]

The LDM is your Logitech Desktop messenger programme. If you don`t use it, you can uninstall it from add remove programmes.

Regards Howard

This thread is for the use of Chivas only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

I see. Well then, thanks for everything. I was really in need for help, viruses nowadays are quite hard to remove these days...

Anyway, thanks again.