Irritant Trojans

Status
Not open for further replies.

orangewalrus

Hi,
I've been getting various virus warnings popping up for the past couple of days, including Dialer.Generic fairly regularly and some Trojans every now and then. Norton claims to remove them every time but they continue to reappear. I've turned system restore off and tried running a full virus scan in safe mode to no avail...
Help!
I've included the Hijack This Logfile, hope it will help.
 
Hello and welcome to Techspot.

Go HERE and follow the instructions exactly.

Post fresh HJT and Ewido logs as attachments into this thread, only after doing the above. Make sure you rename HijackThis.exe to HijackThis1991.exe

Regards Howard :wave: :wave:

This thread is for the use of orangewalrus only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Done all that, and great fun it was too!

Hey, thank you kindly Howard.

Did all you suggested, and it certainly seemed to find and (I hope) remove a few things. I've attached the HJT and Ewido logs...yet to decide if there are any persisting symptoms or not.
Cheers.
 
Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each entry (if present).

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup

O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [uhvjsul.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\uhvjsul.dll,mrpmvyf

O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart

O4 - Global Startup: Reg.lnk = ?

Click on the fix checked button.

Close HJT.

Delete all files in Ewido quarantine.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete File on Reboot" button. Press the Delete File button (it looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

This is the filepath you need to enter into killbox.

C:\WINDOWS\system32\uhvjsul.dll,mrpmvyf

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :)
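As an added illustration (not part of the thread, and not HijackThis or any tool Howard recommends), the following script applies the same kind of judgement Howard used when picking entries from the log above: it parses the O2/O4 lines quoted in his post and flags the ones a reviewer should look at first. The heuristics (rundll32 loading a DLL from system32 whose name or export looks like random letters, a Run value named after a .dll, a startup shortcut whose target HijackThis could not resolve, and any BHO whose CLSID has not been looked up) are my own assumptions about what makes an entry suspicious; the sample log lines are copied verbatim from the post.

```python
import re

# Constructed sample: the O2/O4 entries quoted in the post above, copied verbatim
# from the thread so the heuristics can be exercised offline.
SAMPLE_LOG = r"""
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [uhvjsul.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\uhvjsul.dll,mrpmvyf
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - Global Startup: Reg.lnk = ?
"""

# HijackThis line shapes (assumed from the lines in the thread, not an official grammar).
RUN_RE = re.compile(r"^O4 - (?P<hive>HK[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<target>.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUNDLL_RE = re.compile(r"rundll32\.exe\s+(?P<dll>\S+?\.dll),(?P<export>\w+)", re.IGNORECASE)


def longest_consonant_run(token):
    """Length of the longest run of consonants (y counted as a vowel)."""
    run = best = 0
    for ch in token.lower():
        if ch.isalpha() and ch not in "aeiouy":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(token):
    """Crude heuristic: letters only, with a run of four or more consonants."""
    return token.isalpha() and longest_consonant_run(token) >= 4


def triage(log_text):
    """Return (severity, reason, line) for every entry worth a second look."""
    findings = []
    for line in log_text.strip().splitlines():
        m = RUN_RE.match(line)
        if m:
            r = RUNDLL_RE.search(m.group("cmd"))
            if r:
                dll = r.group("dll")
                stem = re.sub(r"\.dll$", "", dll.split("\\")[-1], flags=re.IGNORECASE)
                in_system32 = "\\system32\\" in dll.lower()
                if in_system32 and (looks_random(stem) or looks_random(r.group("export"))):
                    findings.append(("high", "rundll32 loads a random-looking DLL/export from system32", line))
                else:
                    findings.append(("review", "rundll32 autostart; confirm the DLL is a known component", line))
            elif m.group("name").lower().endswith(".dll"):
                findings.append(("review", "Run value named after a DLL", line))
            continue
        m = STARTUP_RE.match(line)
        if m:
            if m.group("target").strip() == "?":
                findings.append(("review", "startup shortcut whose target HijackThis could not resolve", line))
            continue
        m = BHO_RE.match(line)
        if m:
            findings.append(("review", "Browser Helper Object; look up CLSID " + m.group("clsid") + " before trusting it", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run stand-alone it prints three findings: the rundll32 entry as high, and the Reg.lnk shortcut and the BHO as items to review; the iTunes, QuickTime, Yahoo and Messenger Plus entries are not flagged, which matches the fact that Howard's list mixed a genuinely hostile entry with ordinary start-up clutter. Treat the consonant-run test as a prompt for a closer look, not a verdict.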
 
Trojans Again.

Howdy,

I've been getting periodic reports of Trojans (Trojan.Busky was the one in particular), culminating in about 50 reports per minute at one point. I've done all the preliminary trojan/malware steps (most useful, thank you), but I didn't see it removed (unsurprisingly).
I've attached the Ewido and HJT logs...please help!
O.W.
 
I have merged your new thread into this one.

Your HJT log is clean.

Delete all files in Ewido quarantine.

I need you to give me details of the trojan, i.e. what is the file path to the trojan?

Regards Howard :)
 
'Tis a 'Trojan.Busky' and has been found in C:\WINDOWS\Temp\tmp492.tmp
At least that's the one in my Norton Quarantine, I think it's appeared in a couple of other files in WINDOWS\Temp\... as well.
Cheers,
O.W.
 
Ok, go HERE and follow all the instructions exactly.

Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.

This time, I'd appreciate you getting back to me, unlike the last time, see post #4 ;)

Regards Howard :)
 
oops...sorry

Sorry bout that...somehow managed to miss your first reply...possibly due to the wave of Virus warnings flooding my screen...
Will do the HJT and Killbox stuff now and get back to you...
Thanks again and sorry for messing you about.
O.W.
 
Don't bother with the old instructions now. Too much time has passed for them to be effective. However, having said that, you can run the Killbox instructions, just in case that nasty file is still on your system.

Follow the new instructions, then post fresh HJT and AVG antispyware logs.

Regards Howard :)
 
Confusion

Ok. Followed the instructions...the ewido log is empty, and the HJT log is attached.
When I briefly logged on out of safe mode, apart from the new virus warning I noticed that the list of infected files in the Temp folder were named tmp100, tmp101, tmp102, etc., with occasional tmp10B or 10C's as well. Whether this is following a pattern that has been there since the trouble started I don't know...whether this is of any use, I don't know...whether this makes any sense, I don't know.
There isn't much I do know tbh.
Yours in confusion,
O.W.
 
Your HJT log is clean.

Did you run the CCleaner programme?

Delete all files in the C:\windows\Temp folder. This is best done in safe mode.

Regards Howard :)
 
Yup, I ran CCleaner, and I just ran it again twice more to be sure.

The only file in Windows Temp was a txt file: WGAErrlog.txt, which I duly deleted. Somehow I doubt that will have made a difference though...
Any further suggestions?
O.W.
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Delete all files in C:\windows\temp.

Delete all files in C:\documents and settings\your username\local settings\temp. Do this for all users including the default user.

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Let me know the results please.

Regards Howard :)
 
So far...

So good, in that I am now at least able to reply to the thread on my normal machine, rather than the one next door which I had to use when this one was inoperable except in safe mode.
However, being a rampant pessimist I will continue to observe carefully for a while yet.
If this is sorted, then thank you once again. Even if it isn't, you're doing a very, very good job, having now solved my virus issues potentially twice. Whether or not they were particularly hard to solve, thank you nonetheless.
Yours sincerely,
O.W.
 
Ok mate, I'll keep my fingers crossed for you.

Regards Howard :)
 
Piss.

I spoke far, far too soon (not about the thanks, they still stand) but after about 2 minutes the damn virus warnings were back up, safe mode is now very much on and I am back next door.
Bugger.
O.W.
 
Download the Pocket Killbox programme from HERE.

Extract it to your desktop.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete File on Reboot" button. Press the Delete File button (it looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

Enter the full file paths to all the .tmp files you're getting an alert for.

Once your system has rebooted, see if you still have problems.

Regards Howard :)
 
erm...

I should probably mention that according to the Norton quarantine, there are 2,000 .tmp files I'm getting an alert for...
this may present a problem :)
O.W.
 
I see what you mean.

Ok, here`s what I want you to do.

Download the free AVG or Avast antivirus programmes and either the free Zonealarm or Kerio firewall programmes. You can get them HERE, HERE, HERE and HERE.

Disconnect from the net and uninstall that Symantec/Norton crapware. If you have any problems uninstalling it, see this thread HERE.

Once norton is completely uninstalled, install whichever firewall you chose, followed by whichever antivirus programme you chose. Reboot your system the required number of times. Reconnect to the net and run the antivirus updates.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Run a full system scan with whatever antivirus programme you chose and delete whatever it finds. This includes anything in its virus vault/quarantine.

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Run a complete scan again and see if anything is found.

Please let me know the results.

Regards Howard :)
 
Sophos?

Ok, I'll get the Norton off the system tomorrow, and post again. Is Sophos any good for the virus scanner? Cos I have a fully licensed version of that running atm as well, only it hasn't found anything as yet (if it is, I'll run it again tomorrow).
 
For the purposes of your problems, can we stick to either the free AVG or Avast antivirus programmes?

I'm not really that familiar with the Sophos antivirus programme, so can't comment on its effectiveness.

Regards Howard :)