TechSpot - PC Technology News and Analysis

krusty5 · #1 04-06-2008

Dear TechSpot.
I'm new to the site & would appreciate your assistance.
AVG has found 8off Trojans but I guess they are camped out in the reg & can't be removed without expertise.
The pc runs slower than me & I'm getting on.
I've also ran Spysweeper which got rid of some adaware, but it's these trojans that are corrupting the show.
When I run ATF cleaner or try & delete the browsing history, the pc shutsdown?

Can you please help wrt cleaning the reg & speed this dam thing up.

Attached is the HJT log.

Regards,

Krusty.

kritius · #2 04-06-2008

Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
Then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. please attach the log into your next reply.
If you accidently close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Download and Run ComboFix

Download this file to your desktop from either of the two below listed places :

HERE or HERE
Then double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Attach that log in your next reply

WARNING: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

krusty5 · #3 04-06-2008

Kritius,
Cheeres for the prompt reply.
What I'm having to do is respond to you on another pc cos the other is really poorly.
I'll d/wload as suggested, save to my pen drive then run theninstall on the other.

The other (bad one) is just sat as a paperweight at the mo & is not connected to the net.
Will do, but will have to wait till tomorrow now.

Ta again.

Krusty.

kritius · #4 04-06-2008

Ill be waiting.

krusty5 · #5 04-08-2008

Kritius,
Sorry for the delay.
Please find attached both logs.

Thanks again,

Krusty.

kritius · #6 04-08-2008

Its going to take me a while to get through this so hang tight.

kritius · #7 04-08-2008

COMBOFIX-Script

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code:

File::
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
C:\WINDOWS\system32\pbukv2.dll

Folder::
C:\Program Files\SpywareBot

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}"=-
[HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-a0e8-f479b685fa7d}]
[HKEY_CLASSES_ROOT\pbukv2.PBUKV2]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}"=-
[HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-a0e8-f479b685fa7d}]
[HKEY_CLASSES_ROOT\pbukv2.PBUKV2]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareBot"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"My Web Search Bar Search Scope Monitor"=-

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

ATF Cleaner

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.Double-click ATF Cleaner.exe to open it.

Under Main choose:
- Windows Temp
  Current User Temp
  All Users Temp
  Temporary Internet Files
  Java Cache
  *The other boxes are optional*
  Then click the Empty Selected button.
if you use Firefox:
- Click Firefox at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
if you use Opera:
- Click Opera at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program

Manually clear cache

Open an Explorer folder window (for example, double-click My Computer).
From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.
IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
You should see a series of four or more folders with random eight-character names like ADOZMZS1. Delete each of these randomly named folders. You may get an error that some files are in use, this is normal if you are currently at a web site since those files are in the cache. Hold down the Shift key when deleting the files so they do not go to the Recycle Bin.
If desired, reset the folder options you changed in step 1.

Next please follow these instructions. Your version of Hijackthis is out of date

First please go to Start -> Control Panel -> Add/remove programs and uninstall Hijackthis.

Highjackthis Instructions

Make sure you have the LATEST version of HJT (currently v2.0.2) it can be downloaded from HERE
Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
After installing, the program launches automatically, select Scan now and save a log
After the scan is complete please attach the log into your reply.

Update your Java Runtime Environment

First try going to Start -> Control Panel -> double click Java
Select the Update TAb at the top
Click the Check for Updates button at the bottom
If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
After it installs the newest version Go back to Control Panel -> Add/remove programs
Uninstall any older versions of Java

If for some reason you couldn't update through the above instructions.

Click the following link
Java Runtime Environment 6 Update 5
The 4th option down is the one you want (click Download)
Check the box to agree to terms of service
Check the box for your operating system and click 'Download selected'at the bottom
After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder

krusty5 · #8 04-08-2008

Kritius,
I shall do this either later tonight or it will be sometime tomorrow.

Wrt ATF, as said in my first post, the pc powered down when I tried to delete all selected (apart from Re/Bin). Do you think this will work now?

I've now d/loaded Java 7 will install.
I'll also look for the latest HJT.
I do these via other pc.

Really appreciate your help.

Krusty.

kritius · #9 04-08-2008

A lot of nasty stuff was gutted out of your system so I figured that it would be worth a shot.

Ill keep an eye out for the results.

krusty5 · #10 04-09-2008

Morning Kritius,
Firstly let me explain this set up.
The pc I'm on now is not the infected one. That one is here with me as a stand alone. It belongs to my neice & I'm the uncle who's been ask to help with the fix. However, as you're aware, I too need your expertise.

I tend to use this pc to download all the stuff & the Txfer via a usb drive to the bad machine.

I've just dragged the CFscript onto the Comofix icon & the following happened.
a, The start bar began followed by a blue box, then nothing. The scan did not happen.
Task manager shows nothing.Not even not responding or running.

Should I try a manual scan? Ant hope the text has been inputted?

I've also noticed that the pc has the latest Java installed.

Please advise,

Krusty.

kritius · #11 04-09-2008

Try it again and then reboot, if not let me know and ill think of another way to get them.

krusty5 · #12 04-09-2008

Hi Kritius,

Have tried a few times & cannot get Combofix to scan.
Tried Unistall then re-installed but wont scan. Just runs the start bar then goes to C\ drive (blue box) for a few seconds then it closes.
Same with a manual start Ie double click.

However, on the bright side.
Managed to run ATF with success, aswell as the Man clear Cache, that too is now empty & should remains so, as pc is not connected to the net.

Have also attached latest copy of HJT for you, if you could be so kind to assess.

Regards,

Krusty.

kritius · #13 04-09-2008

Lets try this then,

Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).

Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:

C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
C:\WINDOWS\system32\pbukv2.dll
C:\Program Files\SpywareBot
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}\\{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}
HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-a0e8-f479b685fa7d}
HKEY_CLASSES_ROOT\pbukv2.PBUKV2
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}
HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-a0e8-f479b685fa7d}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SpywareBot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\My Web Search Bar Search Scope Monitor

Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

krusty5 · #14 04-09-2008

Back again,

Please find attached OTMoveIt results.

I see that it couldn't find some, is that a problem?

Cheers,

Krusty.

kritius · #15 04-09-2008

Not sure,

Can you run ComboFix and HJT again and post the logs back here? We'll see how it looks then, how is the computer running?

krusty5 · #16 04-09-2008

Helloa,

Combo won't scan still????
As was, goes to small 'blue screen of death' then bobs out???
What happened wrt the combo?

Herewith latest HJT. does it look clean?

Wrt the pc, after I've ammended the selective start up & removed the crape that was clogging it, it seems a lot better. Just left it with AVG running in the background.

Shall I perform AVG and Spysweeper scans now?

cheers again,

Krusty.

krusty5 · #17 04-09-2008

Dear Kritius,

Don't we need to at some time dissable restore, perform a clean, then activate restore?
Do we need to do anything in safe mode?

Otherwise won't the reg revert to corrupt when power is re-applied?

Krusty.

kritius · #18 04-09-2008

Click START then RUN
Now type Combofix /u in the runbox and click OK
When shown the disclaimer, Select "2"

: Move hijackthis :

Your copy of HijackThis needs to be in a folder of it's own. When HJT fixes anything, it makes backups of the original files in the folder it is in. For this reason it cannot be run from the desktop. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

1. Please go to you're 'My Documents' folder, right-click and select 'New > Folder' then name the folder 'HJT'.

2. Copy and paste HijackThis.exe to the new folder.

3.right click on hijackthis.exe and select send to > desktop
this will make a new shortcut

Fix entries using HiJackThis

Launch HiJackThis
Click the Do a system scan only button
Put a check next to the entries listed below

O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} - (no file)
O4 - HKLM\..\Run: [UADC_2185716454] "C:\Program Files\AdvancedCleaner Free\UADCcw.exe" -c
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZRxdm690YYGB
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
Click the Fix checked button and close HiJackThis
Reboot HijackThis if necessary

Delete Files and Folders

Right Click on the start button and chose explore
Show all hidden files and folders, see how HERE
Navigate to the following files and folders and delete them(if still present)

C:\Program Files\AdvancedCleaner<---------This Folder

Empty the recycle bin.

If that does not work then repeat the process in safe mode. See how to boot into Safe mode HERE.
***DO NOT USE MSCONFIG TO BOOT INTO SAFE MODE***

You should get a firewall as well, either, these firewalls are all free,

Rename HijackThis.exe to krusty.exe by doing the following;

Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> Where you saved HijackThis
Right-click on the HijackThis.exe
Choose from the pull-down menu; "Rename"
And now Rename HijackThis.exe to krusty.exe
When you've renamed HijackThis, Close it.

: Download and Run DSS

Download Deckard's System Scanner (DSS) to your Desktop. You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<- this one will be minimized.
Attach the main.txt and the extra.txt in your reply.

krusty5 · #19 04-09-2008

Hi Kritius,
Thanks once again.

a, Combofix still won't run? Still bombs out at the blue box? Can't understand why?
b, It is my intention to install Zone Alarm once we have a fix.
c, Did the HJT move, ran & checked the 4off entries, then clicked the fix button.
d, No folders were evident, even tried in Safe Mode with all hidden folders visable.
Hopefully Advanced Cleaner has been removed.
e, Why did we rename HJT? Done so as requested.
f, Attached both txts from DSS.

Cheers again,

Krusty.

krusty5 · #20 04-09-2008

Kritius,

Have downloaded Combo again & have copied to My Docs. Put S/Cut to desktop & ran.
This time it has run.
I will post result along with a krusty HJT log tomorrow.

Regards,

Krusty.

Similar Topics
Topic	Category	Replies	Last Post
trojan horse lop.AS Trojan, Unable To Work Out.	Virus & Malware removal	9	01-18-2007 12:00 AM
plz help: Trojan.dropper,Dialer.trojan	Virus & Malware removal	3	09-17-2006 11:10 AM
Dialer.Trojan, Trojan.Dropper etc...	Virus & Malware removal	1	09-11-2006 11:11 AM
Trojan.dropper and Dialer.trojan, plz help =(	Virus & Malware removal	8	09-07-2006 04:01 PM
Greetings from Rowan in East Timor Kingdom of the Viruses	Introduce yourself	1	03-21-2006 09:28 AM

TechSpot - PC Technology News and Analysis

Trojan, trojan & more trojans. My kingdom for a fix