Trojan, trojan & more trojans. My kingdom for a fix

Status
Not open for further replies.

krusty5

Posts: 18   +0
Dear TechSpot.
I'm new to the site & would appreciate your assistance.
AVG has found 8 off Trojans but I guess they are camped out in the reg & can't be removed without expertise.
The pc runs slower than me & I'm getting on.
I've also run Spysweeper which got rid of some adware, but it's these trojans that are corrupting the show.
When I run ATF cleaner or try & delete the browsing history, the pc shuts down.

Can you please help wrt cleaning the reg & speeding this damn thing up.

Attached is the HJT log.

Regards,

Krusty.
 

Attachments

  • hijackthis 1.txt
    11.8 KB · Views: 6
Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please attach the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Download and Run ComboFix
  • Download this file to your desktop from either of the two places listed below:

    HERE or HERE
  • Then double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Attach that log in your next reply
WARNING: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
Kritius,
Cheers for the prompt reply.
What I'm having to do is respond to you on another pc cos the other is really poorly.
I'll d/wload as suggested, save to my pen drive, then install on the other.

The other (bad one) is just sat as a paperweight at the mo & is not connected to the net.
Will do, but will have to wait till tomorrow now.

Ta again.

Krusty.
 
COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
    C:\WINDOWS\system32\pbukv2.dll
    
    Folder::
    C:\Program Files\SpywareBot
    
    Registry::
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}"=-
    [HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-a0e8-f479b685fa7d}]
    [HKEY_CLASSES_ROOT\pbukv2.PBUKV2]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}"=-
    [HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-a0e8-f479b685fa7d}]
    [HKEY_CLASSES_ROOT\pbukv2.PBUKV2]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpywareBot"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "My Web Search Bar Search Scope Monitor"=-
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    CFScript.gif

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

ATF Cleaner

  • Download and Run ATF Cleaner
    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Double-click ATF Cleaner.exe to open it.

    Under Main choose:

    • Windows Temp
      Current User Temp
      All Users Temp
      Temporary Internet Files
      Java Cache

      *The other boxes are optional*
      Then click the Empty Selected button.
    If you use Firefox:

    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
    If you use Opera:

    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program


Manually clear cache
  • Open an Explorer folder window (for example, double-click My Computer).
  • From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
  • Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.
  • IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
  • You should see a series of four or more folders with random eight-character names like ADOZMZS1. Delete each of these randomly named folders. You may get an error that some files are in use, this is normal if you are currently at a web site since those files are in the cache. Hold down the Shift key when deleting the files so they do not go to the Recycle Bin.
  • If desired, reset the folder options you changed in step 1.

Next, please follow these instructions. Your version of HijackThis is out of date.

First please go to Start -> Control Panel -> Add/remove programs and uninstall Hijackthis.

HijackThis Instructions
  • Make sure you have the LATEST version of HJT (currently v2.0.2) it can be downloaded from HERE
  • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
  • After installing, the program launches automatically, select Scan now and save a log
  • After the scan is complete please attach the log into your reply.

Update your Java Runtime Environment
  • First try going to Start -> Control Panel -> double click Java
  • Select the Update tab at the top
  • Click the Check for Updates button at the bottom
  • If it finds the newer version (Java 6 Update 5), follow the on-screen instructions
  • After it installs the newest version, go back to Control Panel -> Add/remove programs
  • Uninstall any older versions of Java

If for some reason you couldn't update through the above instructions:
  • Click the following link
    Java Runtime Environment 6 Update 5
  • The 4th option down is the one you want (click Download)
  • Check the box to agree to terms of service
  • Check the box for your operating system and click 'Download selected' at the bottom
  • After the install, go to Start -> Control Panel -> Add/remove programs (Programs and features), and uninstall any old versions
  • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_05 folder
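The CFScript in the post above has a small fixed grammar (a `File::`, `Folder::` or `Registry::` header, paths under the first two, and `[KEY]` / `"name"=-` lines under the third). Reading such a script back before it is dragged onto ComboFix is the cheapest check that it deletes only what the helper intended. The parser below is an added example, not part of this thread and not ComboFix's own code; the section grammar it assumes is only what is visible in the script above, and the sample input is that script copied verbatim.

```python
"""Parse a ComboFix CFScript into its File::, Folder:: and Registry:: sections.

Added example, not the thread's or ComboFix's code. Assumed grammar (taken from
the script in the post above): a `Section::` line opens a section; File:: and
Folder:: lines are paths; inside Registry:: a `[KEY]` line names a key and a
`"name"=-` line beneath it marks one value under that key for deletion. A key
listed with no value lines is read as a whole-key removal.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_DELETE_RE = re.compile(r'^"(.*)"=-$')


@dataclass
class CFScript:
    files: List[str] = field(default_factory=list)
    folders: List[str] = field(default_factory=list)
    # key -> value names marked "=-" under it (empty list = whole key listed)
    registry: Dict[str, List[str]] = field(default_factory=dict)
    unknown: List[str] = field(default_factory=list)  # lines the parser did not understand


def parse_cfscript(text: str) -> CFScript:
    script = CFScript()
    section: Optional[str] = None
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).lower()
            current_key = None
            continue
        if section == "file":
            script.files.append(line)
        elif section == "folder":
            script.folders.append(line)
        elif section == "registry":
            key = KEY_RE.match(line)
            value = VALUE_DELETE_RE.match(line)
            if key:
                current_key = key.group(1)
                script.registry.setdefault(current_key, [])  # repeated keys collapse
            elif value and current_key is not None:
                if value.group(1) not in script.registry[current_key]:
                    script.registry[current_key].append(value.group(1))
            else:
                script.unknown.append(line)
        else:
            script.unknown.append(line)  # content before any section header
    return script


def whole_key_removals(script: CFScript) -> List[str]:
    """Keys listed with no individual values: the script removes the entire key."""
    return [k for k, values in script.registry.items() if not values]


def review_lines(script: CFScript) -> List[str]:
    """One line per action, the checklist to read before running the script."""
    out = [f"delete file: {p}" for p in script.files]
    out += [f"delete folder: {p}" for p in script.folders]
    for key, values in script.registry.items():
        if values:
            out += [f"delete value {v!r} under {key}" for v in values]
        else:
            out.append(f"delete key: {key}")
    out += [f"UNPARSED: {line}" for line in script.unknown]
    return out


# Sample input: the CFScript from the post above, copied verbatim.
SAMPLE_SCRIPT = r"""
File::
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
C:\WINDOWS\system32\pbukv2.dll

Folder::
C:\Program Files\SpywareBot

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}"=-
[HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-a0e8-f479b685fa7d}]
[HKEY_CLASSES_ROOT\pbukv2.PBUKV2]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}"=-
[HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-a0e8-f479b685fa7d}]
[HKEY_CLASSES_ROOT\pbukv2.PBUKV2]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareBot"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"My Web Search Bar Search Scope Monitor"=-
"""

if __name__ == "__main__":
    for line in review_lines(parse_cfscript(SAMPLE_SCRIPT)):
        print(line)
```

Two things the summary makes visible that the raw script hides: the two CLSID and pbukv2 keys are listed twice (harmless, but a sign the script was assembled by hand), and three of the seven keys are removed wholesale while the other four lose only a single value. Anything that lands in `unknown` is a line ComboFix would interpret in a way this reader cannot predict, so it should be fixed before the script is used.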
 
Kritius,
I shall do this either later tonight or it will be sometime tomorrow.

Wrt ATF, as said in my first post, the pc powered down when I tried to delete all selected (apart from Re/Bin). Do you think this will work now?

I've now d/loaded Java 7 & will install it.
I'll also look for the latest HJT.
I do these via the other pc.

Really appreciate your help.

Krusty.
 
A lot of nasty stuff was gutted out of your system so I figured that it would be worth a shot.

I'll keep an eye out for the results.
 
Morning Kritius,
Firstly let me explain this set up.
The pc I'm on now is not the infected one. That one is here with me as a stand-alone. It belongs to my niece & I'm the uncle who's been asked to help with the fix. However, as you're aware, I too need your expertise.

I tend to use this pc to download all the stuff & then Txfer it via a usb drive to the bad machine.

I've just dragged the CFscript onto the Combofix icon & the following happened.
a, The start bar began, followed by a blue box, then nothing. The scan did not happen.
Task manager shows nothing. Not even not responding or running.

Should I try a manual scan? Any hope the text has been input?

I've also noticed that the pc has the latest Java installed.

Please advise,

Krusty.
 
Try it again and then reboot; if not, let me know and I'll think of another way to get them.
 
Hi Kritius,

Have tried a few times & cannot get Combofix to scan.
Tried uninstall then re-installed but won't scan. Just runs the start bar then goes to C:\ drive (blue box) for a few seconds then it closes.
Same with a manual start, i.e. double click.

However, on the bright side.
Managed to run ATF with success, as well as the manual clear cache; that too is now empty & should remain so, as pc is not connected to the net.

Have also attached latest copy of HJT for you, if you could be so kind to assess.

Regards,

Krusty.
 

Attachments

  • hijackthis.log
    8 KB · Views: 5
Let's try this then,

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
    C:\WINDOWS\system32\pbukv2.dll
    C:\Program Files\SpywareBot
    HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}\\{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}
    HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-a0e8-f479b685fa7d}
    HKEY_CLASSES_ROOT\pbukv2.PBUKV2
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}
    HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-a0e8-f479b685fa7d}
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SpywareBot
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\My Web Search Bar Search Scope Monitor
  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
 
Back again,

Please find attached OTMoveIt results.

I see that it couldn't find some, is that a problem?

Cheers,

Krusty.
 
Not sure,

Can you run ComboFix and HJT again and post the logs back here? We'll see how it looks then, how is the computer running?
 
Hello,

Combo still won't scan????
As was, goes to small 'blue screen of death' then bobs out???
What happened wrt the combo?


Herewith latest HJT. does it look clean?

Wrt the pc, after I've amended the selective start up & removed the crap that was clogging it, it seems a lot better. Just left it with AVG running in the background.

Shall I perform AVG and Spysweeper scans now?

cheers again,

Krusty.
 
Dear Kritius,

Don't we need to at some time disable restore, perform a clean, then activate restore?
Do we need to do anything in safe mode?

Otherwise won't the reg revert to corrupt when power is re-applied?

Krusty.
 
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • CF_Cleanup.png
  • When shown the disclaimer, Select "2"

Move HijackThis

Your copy of HijackThis needs to be in a folder of its own. When HJT fixes anything, it makes backups of the original files in the folder it is in. For this reason it cannot be run from the desktop. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

1. Please go to your 'My Documents' folder, right-click and select 'New > Folder' then name the folder 'HJT'.

2. Copy and paste HijackThis.exe to the new folder.

3. Right-click on hijackthis.exe and select Send to > Desktop;
this will make a new shortcut.

Fix entries using HiJackThis
  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a check next to the entries listed below
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} - (no file)
O4 - HKLM\..\Run: [UADC_2185716454] "C:\Program Files\AdvancedCleaner Free\UADCcw.exe" -c
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRxdm690YYGB
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis
  • Reboot HijackThis if necessary

Delete Files and Folders
  • Right-click on the start button and choose Explore
  • Show all hidden files and folders, see how HERE
  • Navigate to the following files and folders and delete them (if still present)
C:\Program Files\AdvancedCleaner <--------- This folder
  • Empty the recycle bin.
If that does not work then repeat the process in safe mode. See how to boot into Safe mode HERE.
***DO NOT USE MSCONFIG TO BOOT INTO SAFE MODE***

You should get a firewall as well, either, these firewalls are all free,

Rename HijackThis.exe to krusty.exe by doing the following;

  • Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> Where you saved HijackThis
  • Right-click on the HijackThis.exe
  • Choose from the pull-down menu; "Rename"
  • And now Rename HijackThis.exe to krusty.exe
  • When you've renamed HijackThis, Close it.

Download and Run DSS

Download Deckard's System Scanner (DSS) to your Desktop. You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized.
  • Attach the main.txt and the extra.txt in your reply.
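The four HJT entries Kritius lists for fixing above share one line shape, `O<n> - <description>`, and the helper's reasoning rests on a few fields inside it: the CLSID, the quoted executable path, the URL, and the `(no file)` marker that says the registry still points at a component which no longer exists on disk. The script below is an added example (not part of the thread and not HijackThis's own code) that pulls those fields out and sorts entries into the buckets a helper actually reviews. It assumes only the line layout visible in the post; the sample log is the four entries above plus a constructed header line.

```python
"""Parse HijackThis (HJT) log lines and sort them for review.

Added example, not the thread's or HijackThis's code. Assumes the line shape
seen in the post above: `O<n> - <description>`, with an optional CLSID, an
optional quoted path, an optional URL and the `(no file)` marker.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

HJT_LINE_RE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
QUOTED_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')
URL_RE = re.compile(r"https?://\S+")
# O4 autostart lines look like: HKLM\..\Run: [ValueName] "path" args
AUTOSTART_RE = re.compile(r"^(HK[A-Z]+\\\.\.\\[^:]+):\s+\[([^\]]+)\]")


@dataclass
class HJTEntry:
    code: str
    body: str
    clsid: Optional[str]
    path: Optional[str]
    url: Optional[str]
    run_key: Optional[str]    # O4 only: the Run key the entry lives in
    run_value: Optional[str]  # O4 only: the value name shown in brackets
    orphan: bool              # "(no file)": the referenced component is gone from disk


def parse_hjt_line(line: str) -> Optional[HJTEntry]:
    m = HJT_LINE_RE.match(line.strip())
    if not m:
        return None  # header lines, process lists and blank lines are skipped
    code, body = m.groups()
    clsid = CLSID_RE.search(body)
    path = QUOTED_PATH_RE.search(body)
    url = URL_RE.search(body)
    auto = AUTOSTART_RE.match(body) if code == "O4" else None
    return HJTEntry(
        code=code,
        body=body,
        clsid=clsid.group(0) if clsid else None,
        path=path.group(1) if path else None,
        url=url.group(0) if url else None,
        run_key=auto.group(1) if auto else None,
        run_value=auto.group(2) if auto else None,
        orphan="(no file)" in body,
    )


def parse_hjt_log(text: str) -> List[HJTEntry]:
    return [e for e in (parse_hjt_line(l) for l in text.splitlines()) if e is not None]


def triage(entries: List[HJTEntry]) -> Dict[str, List[str]]:
    """Buckets a helper reviews: orphaned registry references (fixing them loses
    nothing on disk), autostart executables to inspect, and URLs planted in the
    browser's menus or buttons."""
    buckets: Dict[str, List[str]] = {"orphaned": [], "autostart_files": [], "urls": []}
    for e in entries:
        if e.orphan:
            buckets["orphaned"].append(f"{e.code} {e.clsid or e.body}")
        if e.code == "O4" and e.path:
            buckets["autostart_files"].append(e.path)
        if e.url:
            buckets["urls"].append(e.url)
    return buckets


# Sample input: a constructed HJT header line followed by the four entries
# Kritius asked to have fixed in the post above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} - (no file)
O4 - HKLM\..\Run: [UADC_2185716454] "C:\Program Files\AdvancedCleaner Free\UADCcw.exe" -c
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRxdm690YYGB
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

if __name__ == "__main__":
    for bucket, items in triage(parse_hjt_log(SAMPLE_LOG)).items():
        print(bucket, items)
```

The split matches how the thread treats the entries: the two `(no file)` lines are leftovers from the CFScript removal and cost nothing to fix, the O4 line names a file under `C:\Program Files\AdvancedCleaner Free` that the next step deletes, and the O8 URL is the trace of the search bar already removed.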
 
Hi Kritius,
Thanks once again.

a, Combofix still won't run? Still bombs out at the blue box? Can't understand why?
b, It is my intention to install Zone Alarm once we have a fix.
c, Did the HJT move, ran & checked the 4off entries, then clicked the fix button.
d, No folders were evident, even tried in Safe Mode with all hidden folders visible.
Hopefully Advanced Cleaner has been removed.
e, Why did we rename HJT? Done so as requested.
f, Attached both txts from DSS.

Cheers again,

Krusty.
 
Kritius,

Have downloaded Combo again & have copied to My Docs. Put S/Cut to desktop & ran.
This time it has run.
I will post result along with a krusty HJT log tomorrow.

Regards,

Krusty.
 
Kritius,

Managed to get the logs done.

There are three.
a, Combo #1 - Scan
b, Combo #2 - Scan after CFScript dragged into. As earlier request.
c, krusty HJT latest.

Cheers,

Krusty.
 
kritius, I know you must be on overload, but take a look at this:

Multiple Vendor SupportSoft SmartIssue ActiveX Control Buffer Overflow Vulnerability:
Vulnerable Systems:
* tgctlsi.dll version 6.9.545.0 as included with Symantec Corp.'s Norton Internet Security 2006.
http://www.securiteam.com/windowsntfocus/5QP0L1PKKM.html

I noticed the following in the HijackThis logs:
(SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class)

There are several other Symantec entries that might be involved.
 
Cheers for that Bobbye, it hasn't filtered down into CastleCops or SpywareBlaster about these ones.

@Krusty, the reason that we renamed HijackThis is because some malware has gotten quite good at hiding from HJT, so we rename the .exe file to hide it from them.

I'll look over your logs and post what I find tomorrow.
 
Bobbye,
As Kritius isn't logged on as yet & hope he wouldn't mind me asking you (don't want to tread on toes), are you familiar with ntoskrnl.exe?
I'm currently running an AVG scan on the other pc & it has informed me of this file change.
Its path is C:\Windows\system32\ntoskrnl.exe ????

Just thought I'd ask whilst it's scanning.

Cheers,

Krusty.
 