Iexplore process respawns after removing spyware. HiJackThis log included.

Status
Not open for further replies.
Hi,

I got some malware called BraveSentry. I've removed as much as I can find but I still have a few problems.
1) I can't run task manager, it is disabled in the task bar and when I run it directly I get "Task Manager has been disabled by your administrator" (I'm the administrator - and I didn't do it :)
2) I can't change my desktop. The spyware changed it to an HTML page and locked it somehow. I have deleted the HTML page, so now I have a blank desktop, but I can't change it.
3) The process IExplore.exe is running with no internet explorer window. If I use taskkill to kill it, it comes back straight away. The process is continually doing some SMTP to some site...

Here is the HiJackThis log:
The BHO and artm_new.dll look suspicious, but I'm not sure what to do....

Thanks,
C
 
Hello and welcome to Techspot.

Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

ALCMTR.EXE

Close task manager.


Click start/run and type regsvr32 /u C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll into the run box and press the enter key. Note the space between the 2 and the forward slash and again between the u and c.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to(if there).

O1 - Hosts: 172.20.70.16 titanlaptop02

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm

O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm

O17 - HKLM\System\CCS\Services\Tcpip\..\{D6664E1A-B551-4E59-B88D-3FDE5D66BAF2}: NameServer = 172.17.2.233 <- Only fix this if it doesn't belong to your ISP.

O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll

ALCMTR.EXE

Reboot into normal mode and turn system restore back on.

Post a fresh HJT log as an attachment, see HERE for instructions.


Regards Howard :wave: :wave:
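The entries Howard picked out above follow a few recognisable patterns (a BHO with no name and no file, an autorun that is just a bare executable name, a DNS server that should be checked against the ISP or internal network, and a Winlogon Notify DLL living under a user-profile path). The script below is an added example, not part of the thread and not a HijackThis feature: it parses lines in the HJT log format and applies those patterns as triage rules. The sample log is constructed from the lines quoted in this thread plus one benign autorun entry; the rule thresholds and the `trusted_dns` parameter are my assumptions, and every hit still needs a human to confirm it.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample (assumption): the HJT lines listed above, plus one benign
# autorun entry (ctfmon.exe) added here so the rules have something to leave alone.
SAMPLE_LOG = r"""
O1 - Hosts: 172.20.70.16 titanlaptop02
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6664E1A-B551-4E59-B88D-3FDE5D66BAF2}: NameServer = 172.17.2.233
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
"""


@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "O20"
    entry: str     # the full log line
    reason: str    # why the rule flagged it


# Every HJT line is "<section> - <body>".
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# DLLs that Winlogon loads are expected under the Windows directory (assumption).
SYSTEM_DIRS = ("c:\\windows\\", "c:\\winnt\\")


def triage(log_text: str, trusted_dns: Iterable[str] = ()) -> List[Finding]:
    """Apply simple review rules to an HJT log and return the entries worth a closer look."""
    trusted = {ip.strip() for ip in trusted_dns}
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O1":
            # Any hosts-file override is worth confirming; malware uses it to redirect sites.
            findings.append(Finding(section, line, "hosts-file override; confirm the mapping is intentional"))
        elif section == "O2":
            if "(no file)" in body or "(no name)" in body:
                findings.append(Finding(section, line, "BHO with no name or missing file; orphaned or hiding"))
        elif section == "O4":
            # body looks like: HKLM\..\Run: [Alcmtr] ALCMTR.EXE
            cmd = body.split("]", 1)[1].strip() if "]" in body else body
            if "\\" not in cmd:
                findings.append(Finding(section, line, "autorun with bare executable name; locate the file on disk first"))
        elif section == "O17":
            m2 = re.search(r"NameServer = ([\d.,]+)", body)
            if m2:
                servers = [s for s in m2.group(1).split(",") if s]
                unknown = [s for s in servers if s not in trusted]
                if unknown:
                    findings.append(Finding(section, line, f"DNS server(s) {unknown} not in trusted list; verify with ISP/admin"))
        elif section == "O20":
            # body looks like: Winlogon Notify: artm_newreg - C:\...\artm_new.dll
            dll = body.split(" - ", 1)[1].strip() if " - " in body else body
            if not dll.lower().startswith(SYSTEM_DIRS):
                findings.append(Finding(section, line, "Winlogon Notify DLL outside the Windows directory; loads at every logon"))
    return findings


if __name__ == "__main__":
    # 172.17.2.233 is the poster's internal DNS server, so it is trusted here.
    for f in triage(SAMPLE_LOG, trusted_dns=("172.17.2.233",)):
        print(f"[{f.section}] {f.reason}\n    {f.entry}")
```

With the internal DNS server marked as trusted, the O17 line drops out and the four entries that remain are exactly the ones Howard told the poster to fix. The rules deliberately do not touch O8 context-menu entries, which is why the AOpenClient line passes through untouched.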
 
Apologies for the log in the message.
I have done the steps you stated, here is what happened:
1) ALCMTR.exe did not exist and was not running.
2) This location: C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll did not exist and that dll is nowhere on my disk.
3) I checked the boxes mentioned except the NameServer 172.17.2.233 - that is the ip of my internal DNS server.

I reran HJT and got the attached log.
I still have the problem that Iexplore.exe keeps respawning and I can't access my desktop to change the background or access task manager using my normal logon. (If I log on as administrator it is fine.) I notice that the artm_new.dll entry is still in the HJT log even though I clicked fix. I shut down all I could before clicking fix, Iexplore.exe was running though, because I can't kill it.

Thanks,
C
 
The nasty entry is still there in your HJT log and is probably the source of your problems.

Go HERE and follow the instructions for running the Ewido programme.

Then post a fresh HJT log, along with the Ewido scan log.

Regards Howard :)
 
Hi again,

I've fixed the problem. I was wrong above when I said the file C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll did not exist. It did, I just couldn't see it even though I set the Show all files. I decided to do a search on the machine for all files modified in the last 24 hours and even though windows explorer and the command prompt could not see this directory, the search found it. From there I used HJT to delete the dll on reboot. I also deleted the directory.

To get Task Manager and the desktop back to normal I had a look at the SpySheriff thread and removed some of the Policies registry entries that were blocking my access.

Now all is good, many many many thanks for your help.
C
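The two symptoms the poster describes (the "Task Manager has been disabled by your administrator" message and a wallpaper that cannot be changed) are produced by per-user Windows policy values, which is why they disappeared when the Policies entries were removed and why the Administrator account was unaffected. The script below is an added example, not something from the thread: it reads the standard `DisableTaskMgr` and `NoChangingWallPaper` values from HKCU (on Windows, via `winreg`) and reports any that are set, so the state can be checked before and after cleanup. The `CONSTRUCTED_SNAPSHOT` dictionary is made up to mirror the poster's situation; it lets the check run on any platform.

```python
import sys
from typing import Dict, List, Tuple

# Per-user policy values that produce the symptoms described in the thread.
# (registry key under HKCU, value name, what a non-zero value does)
POLICY_CHECKS = [
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableTaskMgr",
     "Task Manager disabled ('has been disabled by your administrator')"),
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop",
     "NoChangingWallPaper",
     "desktop wallpaper locked; Display Properties will not change it"),
]

# Constructed snapshot (assumption): what a registry read would return on the
# infected profile from this thread, with both restrictions switched on.
CONSTRUCTED_SNAPSHOT: Dict[Tuple[str, str], int] = {
    (POLICY_CHECKS[0][0], "DisableTaskMgr"): 1,
    (POLICY_CHECKS[1][0], "NoChangingWallPaper"): 1,
}


def evaluate(values: Dict[Tuple[str, str], int]) -> List[str]:
    """Pure check: given {(key, value name): DWORD}, describe every restrictive policy that is set."""
    hits: List[str] = []
    for key, name, meaning in POLICY_CHECKS:
        data = values.get((key, name), 0)
        if data != 0:
            hits.append(f"HKCU\\{key}\\{name} = {data}: {meaning}")
    return hits


def read_current_user_policies() -> Dict[Tuple[str, str], int]:
    """Windows only: read the checked values for the logged-on user. Returns {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library on Windows
    found: Dict[Tuple[str, str], int] = {}
    for key, name, _ in POLICY_CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key) as handle:
                data, _kind = winreg.QueryValueEx(handle, name)
                found[(key, name)] = int(data)
        except OSError:
            # Key or value absent: the policy is not applied, which is the normal state.
            pass
    return found


if __name__ == "__main__":
    live = read_current_user_policies()
    source = "live registry" if live or sys.platform == "win32" else "constructed snapshot"
    for line in evaluate(live if sys.platform == "win32" else CONSTRUCTED_SNAPSHOT):
        print(f"({source}) {line}")
```

Run it under the affected user account, not as Administrator, since the values live in HKCU and the clean Administrator profile will report nothing. The script only reports; once confirmed, deleting the flagged values (with regedit, as the poster did) restores Task Manager and the wallpaper setting without a reboot of the machine being required.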
 