Hijack This! Trojan Horse please help!

Status
Not open for further replies.

robert_harper

Help!
My Antivir Personal Edition 6 says TR/Agent.cs Trojan horse and says it links to c:\windows\system32\bits\splay.dll. I used HijackThis! and read all about it and tried to go to safe mode (safe mode wouldn't load properly so I had to go through domain main controllers - a version of safe mode?), then opened HijackThis, checked everything I think I should have, but it won't delete splay.dll as it's a locked system file? Anyway, here's the log.

Please help thanks!
Robert Harper
 
Boot in Safe Mode.
Switch System restore OFF.
Press Ctrl/Alt/Del simultaneously, select Task Manager/Processes, select the process (if there), click "End Process" for:

ee.exe

Next, try to uninstall anything to do with:
C:\Program Files\Evidence Eliminator\ee.exe
C:\WINDOWS\system32\bits\splay.dll

Next, run a HJT scan and place a tick-mark in the little square before (if still there):
...................................................................................................
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\bits\splay.dll
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O15 - Trusted IP range: 213.159.117.202 ===>>>(Russian Mafia in St. Petersburg!)
O15 - Trusted IP range: 213.159.117.202 (HKLM) ===>>>(Russian Mafia in St. Petersburg!)
O20 - Winlogon Notify: splay - C:\WINDOWS\system32\bits\splay.dll
...................................................................................................
Now click on the Fix Checked button in HJT.
When done, from between the dotted lines, delete the highlighted bold files.
When a directory-name is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Boot normal. When all OK, switch System Restore back on.
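The instructions above amount to reading the HijackThis log, picking out every entry that loads the named DLL (O2 BHO and O20 Winlogon Notify here) plus the O15 trusted-zone lines, and ticking exactly those. The parser below is an added example, not HijackThis code or anything posted in this thread; the SAMPLE_LOG is a constructed log that mixes ordinary entries with the lines quoted above, and the section names and CLSID format are as HijackThis prints them.

```python
import re
from dataclasses import dataclass

# Constructed sample HijackThis log (not the poster's attachment): a few
# ordinary entries plus the lines this thread identifies as the infection.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1 (constructed sample)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\bits\splay.dll
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O20 - Winlogon Notify: splay - C:\WINDOWS\system32\bits\splay.dll
"""

# Every log entry is "<section> - <body>", e.g. "O20 - Winlogon Notify: ...".
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Registry CLSIDs as HJT prints them in O2 (BHO) entries.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass(frozen=True)
class HjtEntry:
    section: str   # "R0", "O2", "O20", ...
    body: str      # everything after "Oxx - "
    raw: str       # the line exactly as it appears, i.e. what you tick in HJT


def parse_hjt(text):
    """Parse the entry lines of a HijackThis log; headers and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2), raw))
    return entries


def entries_referencing(entries, filename):
    """Entries whose body mentions the file (case-insensitive, any section)."""
    needle = filename.lower()
    return [e for e in entries if needle in e.body.lower()]


def trusted_zone_entries(entries):
    # O15 entries put hosts or IP ranges into Internet Explorer's Trusted zone;
    # a bare IP range nobody added on purpose is a hijack indicator by itself.
    return [e for e in entries if e.section == "O15"]


def bho_clsids(entries):
    # CLSIDs from O2 entries. These are the subkeys to check under
    # HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    return {m.group(0).upper()
            for e in entries if e.section == "O2"
            for m in CLSID_RE.finditer(e.body)}


def lines_to_fix(text, filename):
    """Raw lines to tick, in log order: everything that loads the named file
    plus every O15 trusted-zone entry."""
    entries = parse_hjt(text)
    wanted = set(entries_referencing(entries, filename)) | set(trusted_zone_entries(entries))
    return [e.raw for e in entries if e in wanted]


if __name__ == "__main__":
    for line in lines_to_fix(SAMPLE_LOG, "splay.dll"):
        print("tick:", line)
    print("BHO CLSIDs:", sorted(bho_clsids(parse_hjt(SAMPLE_LOG))))
```

Matching on the file name rather than the full path is deliberate: the same DLL can appear under different path spellings (8.3 names, mixed case) across sections, and the point is to catch every load point for it, not one particular string.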
 
Thanks for replying so fast! However, I tried putting a check against them as you said and I uninstalled the Macromedia thingy as well. However, whenever I try to delete this splay.dll or the folder bits it says it's a locked system file??
Is it because I'm not going into safe mode properly?? (i.e. I'm restarting, pressing F8, then selecting domain controllers? It says it is starting in safe mode.) But if I select safe mode it starts but freezes!

Cheers
Attached is another log
 
One last problem ... ??

Hey.. not sure why but that file won't delete... Could it be because I'm using Windows XP and Dr. Delete works for 9x/ME???

If so, what works for Windows XP??

Cheers
 
Another thing

One other thing that might help us figure it out is that each time I select the file for Dr. Delete to delete, my Antivir immediately points out it's a virus.

Robert
 
Dr. Delete:
Works on NT/2k/XP/2003 by calling the MoveFileEx() API function.
Works on 9x/ME by appending/creating the WinInit.ini file.

Switch off your virus program when you do this.
If you follow the instructions correctly, it will reboot and then delete it.
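Since the thread's next posts say the file survived a reboot, the useful check is whether the delayed delete was actually queued. On NT-family Windows, MoveFileEx() with MOVEFILE_DELAY_UNTIL_REBOOT does not touch the file immediately; it appends a source/destination pair to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager (an empty destination means "delete"), and Session Manager carries the operations out early in the next boot, before Winlogon can load the DLL again. The script below is an added example, not Dr. Delete's code: it encodes and decodes that value format, reads the live value when run on Windows, and exposes the same MoveFileExW call via ctypes. SAMPLE_VALUE is a constructed value, and the foo.dll entry in it is made up.

```python
import sys

# Registry location that MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) writes to.
PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"                 # NT-namespace prefix on every stored path
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4    # flag value from winbase.h


def _strip_nt(path):
    # Destinations may carry a leading "!" (replace existing file); strip it and the \??\ prefix.
    if path.startswith("!"):
        path = path[1:]
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def encode_pending_ops(ops):
    """ops: list of (source, destination); destination None means delete.
    Returns the list of strings that makes up the REG_MULTI_SZ value."""
    out = []
    for src, dst in ops:
        out.append(NT_PREFIX + src)
        out.append("" if dst is None else NT_PREFIX + dst)
    return out


def decode_pending_ops(multi_sz):
    """Inverse of encode_pending_ops: pairs of (source, destination-or-None)."""
    if len(multi_sz) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    ops = []
    for i in range(0, len(multi_sz), 2):
        src, dst = multi_sz[i], multi_sz[i + 1]
        ops.append((_strip_nt(src), None if dst == "" else _strip_nt(dst)))
    return ops


def pending_deletes(multi_sz):
    """Paths that will be deleted at the next boot."""
    return [src for src, dst in decode_pending_ops(multi_sz) if dst is None]


def is_delete_pending(multi_sz, path):
    """True if a delete of `path` (case-insensitive, as NTFS is) is queued."""
    return any(p.lower() == path.lower() for p in pending_deletes(multi_sz))


def schedule_delete_on_reboot(path):
    """The NT-family technique the post describes: MoveFileExW(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT).
    Needs administrator rights. Returns False when not on Windows or the API call fails."""
    if sys.platform != "win32":
        return False
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.MoveFileExW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32]
    k32.MoveFileExW.restype = ctypes.c_int
    return bool(k32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT))


def read_pending_ops():
    """Decode the live registry value (Windows only): [] if nothing is queued, None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
        try:
            value, _kind = winreg.QueryValueEx(key, PENDING_VALUE)
        except FileNotFoundError:
            return []
    return decode_pending_ops(value)


# Constructed sample value: one rename queued by some installer (foo.dll is
# made up) and one delete of the DLL discussed in this thread.
SAMPLE_VALUE = [
    "\\??\\C:\\WINDOWS\\system32\\foo.dll.tmp", "!\\??\\C:\\WINDOWS\\system32\\foo.dll",
    "\\??\\C:\\WINDOWS\\system32\\bits\\splay.dll", "",
]

if __name__ == "__main__":
    live = read_pending_ops()
    for src in pending_deletes(SAMPLE_VALUE if live is None else live):
        print("delete pending at next boot:", src)
```

If the value is empty after running the tool, the delete was never queued (for example because the call failed for lack of rights, or an on-access scanner quarantined or blocked the operation first), and rebooting again will not help; if it is present and the file still survives, something is recreating it after boot, which points back at the load points in the HJT log rather than at the delete step.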
 
OK. I've uninstalled my antivirus now and rebooted into safe mode, then opened Dr. Delete and tried again. I restarted and the virus is still there!!

I could send another HijackThis log, I guess. Would that help?

Thanks for all your help, by the way; it's nice of you to take the time for my constant questions lol

Cheers
Rob
 
No luck!

Afraid no luck so far! Sorry to keep on, but please keep trying... this is so annoying, I will be soo soooo much more careful in the future!
Cheers
Rob

Please find log attached
 
Go to this link and follow the advice from 'Oldtimer'.
http://www.bleepingcomputer.com/for...ease_Help_Anaylize-tx18521-0.html#entry113819

Where they talk about wnet.dll, substitute your splay.dll.

These are your HJT lines to worry about (forget about the other lines):
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\bits\splay.dll
O20 - Winlogon Notify: splay - C:\WINDOWS\system32\bits\splay.dll


Make sure you do the fixvundo.reg as well; that is the main bummer!
 
Thank you THANK YOU!!

YES! This has worked! Thanks sooo much. I don't know how you knew to do all that, but it worked!! I really appreciate all your help! Very good of you.

Here's a log to show you.
Robert Harper

If you need any pet stuff or need advice, I run a pet shop, so just email me. Or anyone else!
 