# Trojan, trojan & more trojans. My kingdom for a fix

By krusty5
Apr 6, 2008
Dear TechSpot.
I'm new to the site & would appreciate your assistance.
AVG has found 8 off Trojans but I guess they are camped out in the reg & can't be removed without expertise.
The pc runs slower than me & I'm getting on.
I've also run Spysweeper which got rid of some adaware, but it's these trojans that are corrupting the show.
When I run ATF cleaner or try & delete the browsing history, the pc shuts down?

Attached is the HJT log.

Regards,

Krusty.

kritius

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to:
• Update Malwarebytes' Anti-Malware
• Launch Malwarebytes' Anti-Malware
• Then click Finish.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

HERE or HERE
• Then double click combofix.exe & follow the prompts.
WARNING: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

krusty5

Kritius,
What I'm having to do is respond to you on another pc cos the other is really poorly.
I'll d/wload as suggested, save to my pen drive, then run the install on the other.

The other (bad one) is just sat as a paperweight at the mo & is not connected to the net.
Will do, but will have to wait till tomorrow now.

Ta again.

Krusty.

kritius

I'll be waiting.

krusty5

Kritius,
Sorry for the delay.

Thanks again,

Krusty.

kritius

It's going to take me a while to get through this so hang tight.

kritius

COMBOFIX-Script

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code:
File::
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
C:\WINDOWS\system32\pbukv2.dll

Folder::
C:\Program Files\SpywareBot

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}"=-
[HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-a0e8-f479b685fa7d}]
[HKEY_CLASSES_ROOT\pbukv2.PBUKV2]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}"=-
[HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-a0e8-f479b685fa7d}]
[HKEY_CLASSES_ROOT\pbukv2.PBUKV2]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareBot"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"My Web Search Bar Search Scope Monitor"=-


• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

ATF Cleaner

Under Main choose:

• Windows Temp
• Current User Temp
• All Users Temp
• Temporary Internet Files
• Java Cache

*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
If you use Opera:

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.

Click Exit on the Main menu to close the program.

Manually clear cache
• Open an Explorer folder window (for example, double-click My Computer).
• From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
• Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.
• IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
• You should see a series of four or more folders with random eight-character names like ADOZMZS1. Delete each of these randomly named folders. You may get an error that some files are in use, this is normal if you are currently at a web site since those files are in the cache. Hold down the Shift key when deleting the files so they do not go to the Recycle Bin.
• If desired, reset the folder options you changed in step 1.

First please go to Start -> Control Panel -> Add/remove programs and uninstall Hijackthis.

HijackThis Instructions
• Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
• After installing, the program launches automatically; select Scan now and save a log.

• First try going to Start -> Control Panel -> double click Java
• Select the Update Tab at the top
• Click the Check for Updates button at the bottom
• If it finds the newer version (Java 6 Update 5), follow the on screen instructions
• After it installs the newest version Go back to Control Panel -> Add/remove programs
• Uninstall any older versions of Java

If for some reason you couldn't update through the above instructions:
Java Runtime Environment 6 Update 5
• The 4th option down is the one you want (click Download)
• After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
• Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_05 folder
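The CFScript above is a plain text file with File::, Folder:: and Registry:: sections. As an added example that is not part of this thread and not ComboFix's own code, here is a small Python parser that turns such a script into a de-duplicated removal plan one can review before dragging it onto ComboFix. It assumes the .reg-file conventions for `[-key]` (delete key) and `"name"=-` (delete value), and that `~` directly under a hive is ComboFix's shorthand for the Explorer key; a bare `[key]` with no value lines beneath it carries no removal action under those conventions, so it is listed for review rather than as a deletion. The sample script inside is constructed from a few lines of the one posted above, with one key repeated on purpose.

```python
"""Parse a ComboFix CFScript (File:: / Folder:: / Registry:: sections) into a
de-duplicated removal plan that can be reviewed before the script is used.
Added example; this is not ComboFix's own code."""
import re

# Constructed sample, copied from a few lines of the CFScript posted in this
# thread, with one key listed twice to exercise de-duplication.
SAMPLE_CFSCRIPT = r"""
File::
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
C:\WINDOWS\system32\pbukv2.dll

Folder::
C:\Program Files\SpywareBot

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}"=-
[HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-a0e8-f479b685fa7d}]
[HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-a0e8-f479b685fa7d}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareBot"=-
"""

SECTION_RE = re.compile(r"^(File|Folder|Registry)::$")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")      # .reg convention: [-key] deletes the key
VALUE_RE = re.compile(r'^"(.*)"=-$')        # .reg convention: "name"=- deletes the value
SHORT_NAME_RE = re.compile(r"~\d+(\\|$)")   # 8.3 components such as PROGRA~1

# Assumption: "~" directly under a hive is ComboFix shorthand for the Explorer key.
EXPLORER = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"


def expand_tilde(key: str) -> str:
    """Expand the '~' shorthand so the key reads as a full registry path."""
    return key.replace("\\~\\", "\\" + EXPLORER + "\\")


def parse_cfscript(text: str) -> dict:
    """Return {"files", "folders", "delete_keys", "delete_values", "review_keys"}.
    A bare [key] with no "name"=- lines beneath it is reported under review_keys."""
    plan = {"files": [], "folders": [], "delete_keys": [],
            "delete_values": [], "review_keys": []}
    seen = set()

    def add(bucket, item):
        # Paths and registry names are case-insensitive on Windows.
        fingerprint = (bucket, str(item).lower())
        if fingerprint not in seen:
            seen.add(fingerprint)
            plan[bucket].append(item)

    section = None
    pending_key = None          # last [key] seen in Registry::
    pending_has_value = False

    def flush_pending():
        nonlocal pending_key
        if pending_key is not None and not pending_has_value:
            add("review_keys", pending_key)
        pending_key = None

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            flush_pending()
            section = m.group(1)
            continue
        if section == "File":
            add("files", line)
        elif section == "Folder":
            add("folders", line)
        elif section == "Registry":
            m = KEY_RE.match(line)
            if m:
                flush_pending()
                key = expand_tilde(m.group(2))
                if m.group(1) == "-":
                    add("delete_keys", key)
                else:
                    pending_key, pending_has_value = key, False
                continue
            m = VALUE_RE.match(line)
            if m and pending_key is not None:
                pending_has_value = True
                add("delete_values", (pending_key, m.group(1)))
                continue
            raise ValueError(f"unrecognised Registry:: line: {line!r}")
        else:
            raise ValueError(f"line outside any section: {line!r}")
    flush_pending()
    return plan


def short_name_paths(plan: dict) -> list:
    """Entries written with 8.3 short names; these must be resolved on the
    target machine before they can be compared with a real path."""
    return [p for p in plan["files"] + plan["folders"] if SHORT_NAME_RE.search(p)]


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_CFSCRIPT)
    for bucket, items in plan.items():
        print(bucket, items)
    print("short names to resolve:", short_name_paths(plan))
```

Running the module prints the plan for the constructed sample: two files (one with 8.3 short names that only resolve on the infected machine), one folder, two value deletions, and two keys that are only referenced, which is where a reviewer would check whether a `[-key]` form was intended.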

krusty5

Kritius,
I shall do this either later tonight or it will be sometime tomorrow.

Wrt ATF, as said in my first post, the pc powered down when I tried to delete all selected (apart from Re/Bin). Do you think this will work now?

I've now d/loaded Java 7 and will install.
I'll also look for the latest HJT.
I do these via other pc.

Krusty.

kritius

A lot of nasty stuff was gutted out of your system so I figured that it would be worth a shot.

I'll keep an eye out for the results.

krusty5

Morning Kritius,
Firstly let me explain this set up.
The pc I'm on now is not the infected one. That one is here with me as a stand-alone. It belongs to my niece & I'm the uncle who's been asked to help with the fix. However, as you're aware, I too need your expertise.

I tend to use this pc to download all the stuff & the Txfer via a usb drive to the bad machine.

I've just dragged the CFscript onto the Combofix icon & the following happened.
a, The start bar began followed by a blue box, then nothing. The scan did not happen.
Task manager shows nothing. Not even not responding or running.

Should I try a manual scan? Any hope the text has been inputted?

I've also noticed that the pc has the latest Java installed.

Krusty.

kritius

Try it again and then reboot, if not let me know and I'll think of another way to get them.

krusty5

Hi Kritius,

Have tried a few times & cannot get Combofix to scan.
Tried Uninstall then re-installed but won't scan. Just runs the start bar then goes to C:\ drive (blue box) for a few seconds then it closes.
Same with a manual start, i.e. double click.

However, on the bright side.
Managed to run ATF with success, as well as the Man clear Cache, that too is now empty & should remain so, as pc is not connected to the net.

Have also attached latest copy of HJT for you, if you could be so kind to assess.

Regards,

Krusty.

kritius

Let's try this then,

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
C:\WINDOWS\system32\pbukv2.dll
C:\Program Files\SpywareBot
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}\\{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}
HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-a0e8-f479b685fa7d}
HKEY_CLASSES_ROOT\pbukv2.PBUKV2
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}
HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-a0e8-f479b685fa7d}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SpywareBot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\My Web Search Bar Search Scope Monitor

• Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

krusty5

Back again,

I see that it couldn't find some, is that a problem?

Cheers,

Krusty.

kritius

Not sure,

Can you run ComboFix and HJT again and post the logs back here? We'll see how it looks then, how is the computer running?

krusty5

Hello,

Combo won't scan still????
As was, goes to small 'blue screen of death' then bobs out???
What happened wrt the combo?

Herewith latest HJT. does it look clean?

Wrt the pc, after I've amended the selective start up & removed the crap that was clogging it, it seems a lot better. Just left it with AVG running in the background.

Shall I perform AVG and Spysweeper scans now?

Cheers again,

Krusty.

krusty5

Dear Kritius,

Don't we need to at some time disable restore, perform a clean, then activate restore?
Do we need to do anything in safe mode?

Otherwise won't the reg revert to corrupt when power is re-applied?

Krusty.

kritius

• Click START then RUN
• Now type Combofix /u in the runbox and click OK
• When shown the disclaimer, Select "2"

: Move HijackThis :

Your copy of HijackThis needs to be in a folder of its own. When HJT fixes anything, it makes backups of the original files in the folder it is in. For this reason it cannot be run from the desktop. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

1. Please go to your 'My Documents' folder, right-click and select 'New > Folder' then name the folder 'HJT'.

2. Copy and paste HijackThis.exe to the new folder.

3. Right-click on hijackthis.exe and select Send To > Desktop.
This will make a new shortcut.

Fix entries using HiJackThis
• Launch HiJackThis
• Click the Do a system scan only button
• Put a check next to the entries listed below
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

• IMPORTANT: Do NOT click fix until you exit all browser sessions, including the one you are reading in right now.
• Click the Fix checked button and close HiJackThis
• Reboot HijackThis if necessary

Delete Files and Folders
• Right Click on the start button and chose explore
• Show all hidden files and folders, see how HERE
• Navigate to the following files and folders and delete them (if still present)
• Empty the recycle bin.
If that does not work then repeat the process in safe mode. See how to boot into Safe mode HERE.
***DO NOT USE MSCONFIG TO BOOT INTO SAFE MODE***

You should get a firewall as well; these firewalls are all free:

Rename HijackThis.exe to krusty.exe by doing the following;

• Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> Where you saved HijackThis
• Right-click on the HijackThis.exe
• Choose from the pull-down menu; "Rename"
• And now Rename HijackThis.exe to krusty.exe
• When you've renamed HijackThis, Close it.

• Close all applications and windows.
• Double-click on dss.exe to run it, and follow the prompts.
• When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).

krusty5

Hi Kritius,
Thanks once again.

a, Combofix still won't run? Still bombs out at the blue box? Can't understand why?
b, It is my intention to install Zone Alarm once we have a fix.
c, Did the HJT move, ran & checked the 4off entries, then clicked the fix button.
d, No folders were evident, even tried in Safe Mode with all hidden folders visible.
Hopefully Advanced Cleaner has been removed.
e, Why did we rename HJT? Done so as requested.
f, Attached both txts from DSS.

Cheers again,

Krusty.

krusty5

Kritius,

Have downloaded Combo again & have copied to My Docs. Put S/Cut to desktop & ran.
This time it has run.
I will post result along with a krusty HJT log tomorrow.

Regards,

Krusty.

krusty5

Kritius,

Managed to get the logs done.

There are three.
a, Combo #1 - Scan
b, Combo #2 - Scan after CFScript dragged into. As earlier request.
c, krustyHJT latest.

Cheers,

Krusty.

Bobbye

kritius, I know you must be on overload, but take a look at this:

Multiple Vendor SupportSoft SmartIssue ActiveX Control Buffer Overflow Vulnerability:
Vulnerable Systems:
* tgctlsi.dll version 6.9.545.0 as included with Symantec Corp.'s Norton Internet Security 2006.
http://www.securiteam.com/windowsntfocus/5QP0L1PKKM.html

I noticed the following in the Hijack logs:
(SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class

There are several other Symantec entries that might be involved.
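Both the HijackThis fix step earlier in the thread (O2/O9 entries marked "(no file)") and Bobbye's O16 DPF observation come down to reading HJT log lines by type. As an added example, not HijackThis's or the thread's own code, this Python snippet parses O2, O9 and O16 lines, flags orphaned entries, matches CLSIDs against a known-bad list taken from the CFScript in this thread, and lists the hosts ActiveX controls were downloaded from so the reviewer can check them against vendor advisories. The sample log is constructed: the O2/O9 lines are the ones quoted above, while the O16 lines use HJT's O16 layout with a placeholder CLSID and host where the thread gives none.

```python
"""Triage a HijackThis log excerpt: parse O2 (BHO), O9 (IE extra button) and
O16 (DPF, downloaded ActiveX) lines, flag orphaned entries, match CLSIDs against
a known-bad list and list where ActiveX controls were downloaded from.
Added example; this is not HijackThis's own code."""
import re
from urllib.parse import urlparse

# Constructed sample. The O2/O9 lines are the ones quoted in this thread; the
# O16 lines follow HJT's O16 layout, with a placeholder CLSID and host where
# the thread gives none.
SAMPLE_HJT_LOG = """\
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} - (no file)
O2 - BHO: Example helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://placeholder-host.invalid/scriptrunner.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
"""

# CLSID of the BHO the CFScript in this thread removes (pbukv2.dll).
KNOWN_BAD_CLSIDS = {"{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}"}

CLSID = r"\{[0-9A-Fa-f-]{36}\}"
LINE_RES = {
    "O2": re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<file>.*)$"),
    "O9": re.compile(rf"^O9 - Extra button: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<file>.*)$"),
    "O16": re.compile(rf"^O16 - DPF: (?P<clsid>{CLSID}) \((?P<name>.*?)\) - (?P<url>\S+)$"),
}


def parse_hjt_line(line: str):
    """Return a dict for a recognised O2/O9/O16 line, else None."""
    for kind, rx in LINE_RES.items():
        m = rx.match(line.strip())
        if m:
            entry = {"kind": kind, **m.groupdict()}
            entry["clsid"] = entry["clsid"].upper()   # CLSIDs are case-insensitive
            return entry
    return None


def triage(log_text: str, known_bad=KNOWN_BAD_CLSIDS) -> dict:
    """Group recognised lines into orphaned entries, known-bad CLSIDs and ActiveX sources."""
    bad = {c.upper() for c in known_bad}
    report = {"orphaned": [], "known_bad": [], "activex_sources": []}
    for raw in log_text.splitlines():
        entry = parse_hjt_line(raw)
        if entry is None:
            continue
        line = raw.strip()
        # "(no file)" means the registry entry points at a DLL that is gone: a leftover.
        if entry.get("file") == "(no file)":
            report["orphaned"].append(line)
        if entry["clsid"] in bad:
            report["known_bad"].append(line)
        if entry["kind"] == "O16":
            report["activex_sources"].append(
                (entry["clsid"], entry["name"], urlparse(entry["url"]).hostname))
    return report


if __name__ == "__main__":
    for section, items in triage(SAMPLE_HJT_LOG).items():
        print(section)
        for item in items:
            print("   ", item)
```

Lines of other types (O4 Run entries and so on) are skipped rather than guessed at; extending LINE_RES with one more pattern per type is the natural way to widen the triage.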

kritius

Cheers for that Bobbye, it hasn't filtered down into Castlecops or SpywareBlaster about these ones.

@Krusty, the reason that we renamed HijackThis is because some Malware has gotten quite good at hiding from HJT so we rename the .exe file to hide it from them.

I'll look over your logs and post what I find tomorrow.

krusty5

Bobbye,
As Kritius isn't logged on as yet & hope he wouldn't mind me asking you (don't want to tread on toes), are you familiar with ntoskrnl.exe ?
I'm currently running an AVG scan on the other pc & it has informed me of this file change.
Its path is C:\Windows\system32\ntoskrnl.exe ????

Just thought I'd ask whilst its scanning.

Cheers,

Krusty.

