Crazy crazy spyware - HJT logs attached.

By Luna M · 7 replies
Mar 29, 2007
Working on a client's computer, trying to remove a buttload of spyware. I'm trying to do this without wiping/reloading if at all possible.

So far, I've run Spybot with the latest updates and cleaned everything it found, both in normal and safe mode.

AdAware finds one running module and then promptly crashes, even in safe mode. Whatever this module is, it constantly tries to connect to the internet...even in safe mode (?! but I didn't choose safe mode with networking, so how is that possible?).

Normal windows runs relatively normally, sans the consistent "work offline/try again" messages.

Safe mode fails to load explorer.exe, even if I try to manually start the process. As a result, when in safe mode I have to start all programs by using the task manager.

I've taken HiJackThis logs of both safe mode and normal windows. They're attached to this post. Some help deciphering them would be appreciated. Thanks!

howard_hopkino

That system is badly infected; it also appears there's no antivirus or firewall software being run.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard

jobeard

From your safe mode log, I have some recommendations, but suggest you await confirmation from Howard.
======
delete
R3 - Default URLSearchHook is missing

pm3niet.dll, etavvbgw.dll, ejfmralg.dll are unknown on the internet, therefore delete:
O2 - BHO: (no name) - {373E45F2-4727-4B7C-8E77-9CD7B90DF856} - C:\WINDOWS\pm3niet.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\etavvbgw.dll
O2 - BHO: (no name) - {F9E97B67-8E92-469D-906A-1DD8D64A1FC7} - C:\WINDOWS\system32\ejfmralg.dll

O20 - Winlogon Notify: dangxxwe - C:\WINDOWS\SYSTEM32\dangxxwe.dll
O20 - Winlogon Notify: pm3niet - C:\WINDOWS\pm3niet.dll

howard_hopkino

You're quite right jobeard, those entries are bad. However, simply fixing them with HJT won't get rid of the infection that's causing them (probably the Vundo trojan, typically characterised by randomly named .dll files in O2 BHO and O20 Winlogon Notify entries in a HJT log). That's why it's important to follow the instructions. If that doesn't get rid of those entries, I'll manually remove them, using various tools, including but not exclusively Killbox/The Avenger/VundoFix's manual removal method.

jobeard

> That's why it's important to follow the instructions.

Precisely why I suggested awaiting your inputs! :angel:

You do an amazing and thorough job here Howard -- you might consider a tutorial on the HOW-TO of your analysis and removal techniques to empower others to knock some of these down too.

howard_hopkino

There are potential problems with writing a tutorial on how to get rid of specific infections; here are just two. One is the fact that malware is constantly changing and new variants are surfacing all the time. This would require the individual to correctly recognise and identify a particular infection.

Another problem is people might follow some specific tutorial and then find their symptoms disappear. They then think their system is clean, when it isn't. Then, they don't seek any further help and go away thinking their system is clean, oblivious to the rest of the infections on their systems.

You might find this link of interest. I use it myself from time to time. I would caution anyone, not to follow instructions for specific infections, unless directed to do so.

Luna M

Sorry it took so long to get back to you.

I've done all you requested, but still can't seem to get rid of everything. Specifically, Smitfraud is being a nuisance. Even the SmitfraudFix doesn't seem to kill it...

AVG anti-rootkit found no rootkits, amazingly enough.

Safe mode works properly again, though.

HJT logs attached.

howard_hopkino

You haven't posted AVG Antispyware or Combofix logs as requested. Please do so in your next reply.

Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\etavvbgw.dll

O2 - BHO: (no name) - {9A530234-2F36-4F7C-BEB8-7CD009F7FA6A} - C:\WINDOWS\pm3niet.dll (file missing)

O2 - BHO: (no name) - {F9E97B67-8E92-469D-906A-1DD8D64A1FC7} - C:\WINDOWS\system32\ejfmralg.dll (file missing)

O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\uarteycg.dll",setvm

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)

O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)

O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.drivecleaner.com/installdrivecleanerstart.cab

O20 - Winlogon Notify: dangxxwe - dangxxwe.dll (file missing)

O20 - Winlogon Notify: pm3niet - C:\WINDOWS\pm3niet.dll (file missing)

Click on the fix checked button.

Close HJT.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot, and hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

These are the file paths you need to enter into killbox.

C:\WINDOWS\system32\uarteycg.dll
C:\WINDOWS\pm3niet.dll

Once your system has rebooted, rehide your protected OS files.

Post a fresh HJT log as well as Combofix and AVG Antispyware logs.
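Howard's description of the Vundo pattern earlier in the thread (nameless O2 BHO entries and O20 Winlogon Notify entries pointing at randomly named DLLs) and the fix list and killbox paths above can be turned into a small triage script. The following is an added example, not code from this thread or from HijackThis: it parses HJT-style log lines, flags the indicator types discussed here, and lists the DLLs still on disk that the flagged entries load, which is the same list Howard built by hand for killbox. The sample log is constructed from lines quoted in the thread plus one legitimate Windows XP Winlogon Notify entry for contrast; the `KNOWN_NOTIFY_KEYS` allowlist is an assumption for illustration and is not exhaustive.

```python
import re
from dataclasses import dataclass

# Constructed sample: HJT lines quoted in this thread, plus one legitimate
# Windows XP Winlogon Notify entry (crypt32chain) that should NOT be flagged.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {373E45F2-4727-4B7C-8E77-9CD7B90DF856} - C:\WINDOWS\pm3niet.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\etavvbgw.dll
O2 - BHO: (no name) - {F9E97B67-8E92-469D-906A-1DD8D64A1FC7} - C:\WINDOWS\system32\ejfmralg.dll (file missing)
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\uarteycg.dll",setvm
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O20 - Winlogon Notify: dangxxwe - C:\WINDOWS\SYSTEM32\dangxxwe.dll
O20 - Winlogon Notify: pm3niet - C:\WINDOWS\pm3niet.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# Assumed allowlist of Winlogon Notify subkeys that ship with Windows XP.
# Illustrative only; extend it for the machine you are actually looking at.
KNOWN_NOTIFY_KEYS = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<rest>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
RUN_RE = re.compile(r"^HK[A-Z]+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A drive-letter path ending in .dll, stopping at a quote or comma (rundll32 args).
DLL_PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.dll', re.IGNORECASE)


@dataclass
class Finding:
    kind: str       # HJT entry type, e.g. "O2", "O20"
    line: str       # the original log line
    reasons: list   # why it was flagged


def triage(log_text):
    """Return the HJT lines that match the indicators discussed in the thread."""
    findings = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        reasons = []
        if kind == "O2":
            b = BHO_RE.match(rest)
            if b and b.group("name") == "(no name)":
                reasons.append("BHO registered without a name")
        elif kind == "O20":
            n = NOTIFY_RE.match(rest)
            if n and n.group("key").lower() not in KNOWN_NOTIFY_KEYS:
                reasons.append("Winlogon Notify key not in the allowlist")
        elif kind == "O4":
            r = RUN_RE.match(rest)
            if r and r.group("cmd").lower().startswith("rundll32"):
                reasons.append("Run entry loads a DLL through rundll32")
        elif kind == "R3" and rest == "Default URLSearchHook is missing":
            reasons.append("default URLSearchHook has been removed")
        # Orphaned entries (binary already gone) are still worth cleaning up.
        if rest.endswith("(file missing)"):
            reasons.append("referenced file is missing (orphaned entry)")
        if reasons:
            findings.append(Finding(kind, line, reasons))
    return findings


def suspect_dlls(findings):
    """DLLs still on disk that flagged O2/O4/O20 entries load (killbox candidates)."""
    seen = {}
    for f in findings:
        if f.kind not in ("O2", "O4", "O20") or f.line.endswith("(file missing)"):
            continue
        for path in DLL_PATH_RE.findall(f.line):
            seen.setdefault(path.lower(), path)   # case-insensitive dedupe
    return sorted(seen.values(), key=str.lower)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f.line)
        for why in f.reasons:
            print("    ->", why)
    print("\nDLLs to remove on reboot:")
    for p in suspect_dlls(found):
        print("   ", p)
```

On the sample, the script flags every line except the legitimate crypt32chain entry and produces the four DLL paths; two of them (pm3niet.dll and uarteycg.dll) are exactly the ones Howard sends to killbox, the other two had already been deleted by the time of the later log. The allowlist approach is deliberately conservative: an unknown Winlogon Notify key is a lead to verify, not proof of infection.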

