Trojan Horse - Zheltaya Hernya

Status
Not open for further replies.

cartera

Posts: 379   +121
I have picked up a trojan virus, the one is called Zheltaya Hernya. It was embedded within a program I downloaded off the net! Norton Antivirus hasn't picked it up. It at first disabled Task Manager by editing registry keys, which I have re-enabled using Registry Editor. It seems to be a well-known virus on the net since there are plenty of forum links to it; however, I don't seem to be able to remove this thing completely. It seems to be attacking the computer whenever the computer goes online, at which point Norton kicks in and blocks it. Any help on removing this virus would be greatly appreciated!
Thanks in advance
 
Download HijackThis
  • Make sure you have the LATEST version of HJT (currently v2.0.2); it can be downloaded from HERE
  • Run the HijackThis Installer and it will automatically place HJT in its own folder, usually C:\Program Files\Trend Micro\HijackThis. Please don't change the directory as it is necessary to create backups.
  • After installing, the program launches automatically, select Scan now and save a log
  • After the scan is complete attach the log into your reply.
Do not attempt to fix any item yet.
Do not add anything to the ignore list.
Don't use the AnalyzeThis button; its findings are dangerous if misinterpreted.
 
Fix entries using HiJackThis
  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a check next to the entries listed below

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: DVA Storm - {069E8B19-0EAC-45D6-A5B3-A10FF9B69F4C} - C:\Windows\lgmxvpatfbo.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\ljjHXqOe.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Heather\AppData\Local\Temp\ddcYronK.dll,c
O4 - HKCU\..\Run: [d8a85e24] rundll32.exe "C:\Users\Heather\AppData\Local\Temp\nlnxsatm.dll",b

  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis
  • Reboot if necessary

Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Reboot into safe mode.

Restart your computer and, as soon as it starts booting up again, continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\Windows\lgmxvpatfbo.dll
C:\Windows\PLFSet.dll
C:\Windows\system32\ljjHXqOe.dll
C:\Users\Heather\AppData\Local\Temp\ddcYronK.dll
C:\Users\Heather\AppData\Local\Temp\nlnxsatm.dll


After that, Reboot.

Download and Run DSS

Download Deckard's System Scanner (DSS) to your Desktop. You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Attach the main.txt and the extra.txt in your reply.
 
I cannot use ATF Cleaner since the operating system I am fixing is Windows Vista (I am fixing my girlfriend's laptop). Thanks very much for the help so far!
 
On the second reboot after running it in Safe Mode, it tried to run
C:\Users\Heather\AppData\Local\Temp\ddcYronK.dll
C:\Users\Heather\AppData\Local\Temp\nlnxsatm.dll
and came up with an error message. I am running DSS now, but I am presuming that the virus isn't fully removed yet because it tried to run those on start-up!
Thanks very much!
 
Just finished DSS; here are the logs. Also, just in case you have to deal with this virus again, I believe it attacked the HijackThis program, since to get it to work I had to uninstall it and reinstall it! It wasn't being allowed to access the Windows hosts file!
Thanks again
 
Also, can this virus be transferred by pen drive? Since I have been downloading the programs on my laptop and transferring them and the logs etc. across!
Thanks
 
P2P Warning!

  • IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

    LimeWire

    Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
    Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.

    I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

    References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
    http://www.techweb.com/wire/160500554
    http://www.internetworldstats.com/articles/art053.htm
    See Clean/Infected P2P Programs here

    I would recommend that you uninstall LimeWire, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

    If you wish to keep it, please do not use it until your computer is cleaned.

Please also let me know if you installed this,

NoAdware5.0



Download SDFix and save it to your Desktop.
  • Run the SDFix.exe by double clicking on it.
  • Allow it to install into the default location which is normally c:\SDFix
  • Now please reboot your computer into Safe Mode (see this if you don't know how: Starting your computer in Safe mode )
  • When you have booted into safe mode, open the C:\SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry entries found and then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Attach the Report.txt file to your next message.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\Windows\omlbpkaw.dll
    C:\Windows\npqtsrak.exe
    C:\Windows\pmsoarbf.dll
    C:\Users\Heather\AppData\Local\Temp\khfDusPI.dll
    C:\Users\Heather\AppData\Local\Temp\ddcYronK.dll
    C:\Program Files\NoAdware5.0
  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Also post a fresh HijackThis log.
 
I did install NoAdware 5.0; it was my first attempt at removing the virus. As for LimeWire, I will read the information you have given me, thanks very much! However, the rest of the steps I will have to do tomorrow, since I do not have the time now; I must go out. Thanks very much for the help, and I will talk to you tomorrow about the results of the next set of instructions!
Kind Regards
 
That's OK, I'll edit the post above to include the NoAdware5.0; it's not a great program and can cause more problems than it helps.
 
RunThis.bat will not run; it opens cmd and immediately closes! Shall I continue with the rest of the steps or not? Thanks
 
Sorry, my mistake, I forgot that SDFix wasn't compatible with Vista yet. Carry on with the rest of the steps.
 
Error loading C:\Users\Heather\AppData\Local\Temp\ddcYronk.dll
Error Loading C:\Users\Heather\AppData\Local\Temp\khfDusPI.dll

"The specified module could not be found" comes up every time the computer is restarted, and the error comes up under the title RunDLL.

Here is the log you wanted from OTMoveIt2, attached.

Will this virus cross via memory stick?
thanks
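The two RunDLL errors quoted above are what a Run value looks like once its DLL has been deleted by hand: rundll32.exe is still launched at logon, cannot find the module, and reports it. The script below is an added example and is not HijackThis, OTMoveIt2 or any other tool mentioned in this thread. It parses the O2 (BHO) and O4 (autostart) lines of the HijackThis log posted earlier, works out which DLL each rundll32 entry would load, and flags the things worth checking in this thread: a module that is no longer on disk (the cause of the RunDLL dialog), a DLL loaded from the user's Temp folder or straight out of C:\Windows, a random-looking file name, and a BHO CLSID with no file behind it. The log excerpt (with one benign Vista entry added for contrast), the list of files assumed still present, and the random-name heuristic are all constructed for the example.

```python
"""Triage O2 (BHO) and O4 (autostart) lines from a HijackThis log.

Example code added to this thread; it is not HijackThis, OTMoveIt2 or any
other tool mentioned above. It resolves the DLL that rundll32.exe would
load for each Run value and flags the conditions seen in the thread.
"""
import ntpath
import re
from typing import NamedTuple, Optional

# Constructed sample: the entries quoted in the thread plus one benign Vista entry.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: DVA Storm - {069E8B19-0EAC-45D6-A5B3-A10FF9B69F4C} - C:\Windows\lgmxvpatfbo.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\ljjHXqOe.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Heather\AppData\Local\Temp\ddcYronK.dll,c
O4 - HKCU\..\Run: [d8a85e24] rundll32.exe "C:\Users\Heather\AppData\Local\Temp\nlnxsatm.dll",b
"""

# Constructed directory state (assumption): the two Temp DLLs were deleted by
# hand, but their Run values are still in the registry, as in the thread.
PRESENT_FILES = {
    r"C:\Windows\lgmxvpatfbo.dll",
    r"C:\Windows\PLFSet.dll",
    r"C:\Windows\system32\ljjHXqOe.dll",
}

O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# rundll32[.exe] <dll>,<entrypoint>; the DLL path may be quoted.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(\S+)$', re.IGNORECASE)


class Entry(NamedTuple):
    kind: str              # "O2" or "O4"
    name: str              # BHO name or Run value name
    command: str           # command line or path exactly as logged
    module: Optional[str]  # DLL that would be loaded, if it could be determined
    flags: tuple           # triage flags, see classify_module()


def rundll32_target(command: str) -> Optional[tuple]:
    """Return (dll_path, entrypoint) for a rundll32 command line, else None."""
    m = RUNDLL_RE.match(command.strip())
    return (m.group(1).strip(), m.group(2)) if m else None


def looks_random(stem: str) -> bool:
    """Heuristic (assumption, not a verdict): 8+ letters with under 30% vowels."""
    s = stem.lower()
    if len(s) < 8 or not s.isalpha():
        return False
    return sum(c in "aeiou" for c in s) / len(s) < 0.3


def classify_module(module: str, present) -> tuple:
    """Flags for one DLL path, checked against the files known to be on disk."""
    low = module.lower()
    flags = []
    if low not in {p.lower() for p in present}:
        flags.append("missing-file")   # the RunDLL "module could not be found" dialog
    if "\\appdata\\local\\temp\\" in low:
        flags.append("temp-dir")
    if ntpath.dirname(low) == r"c:\windows":
        flags.append("windows-root")
    stem, _ext = ntpath.splitext(ntpath.basename(low))
    if looks_random(stem):
        flags.append("random-name")
    return tuple(flags)


def parse_hjt(text: str, present) -> list:
    """Parse O2/O4 lines; other line types (R0, O1, ...) are ignored here."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            name, _clsid, path = m.groups()
            if path == "(no file)":
                entries.append(Entry("O2", name, path, None, ("no-file",)))
            else:
                entries.append(Entry("O2", name, path, path, classify_module(path, present)))
        elif m := O4_RE.match(line):
            _hive, _key, name, cmd = m.groups()
            target = rundll32_target(cmd)
            if target is None:
                entries.append(Entry("O4", name, cmd, None, ()))
            else:
                entries.append(Entry("O4", name, cmd, target[0], classify_module(target[0], present)))
    return entries


def orphaned_rundll32(entries) -> list:
    """Run values whose DLL is gone; each one pops a RunDLL error at logon."""
    return [e.name for e in entries if e.kind == "O4" and "missing-file" in e.flags]


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG, PRESENT_FILES)
    for e in found:
        print(f"{e.kind} [{e.name}] {e.module or e.command} {', '.join(e.flags) or '-'}")
    print("orphaned Run values:", orphaned_rundll32(found))
```

Run against the sample, the two HKCU entries (cmds and d8a85e24) come back as orphaned, which matches the two RunDLL dialogs reported in the post above. The fix for an orphaned entry is the one the helper already gave, removing the Run value (Fix checked on the O4 line in HijackThis), not restoring the DLL. The name heuristic is only a reading aid for the log; plenty of legitimate system DLLs have unreadable names, so confirm each flagged file before deleting anything.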
 
You should be all right as long as that's all that you're transferring.

Going to try this now,

Download and Run ComboFix
  • Download this file to your desktop from either of the two below listed places :

    HERE or HERE
  • Then double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Attach that log in your next reply
WARNING: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 