Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan Horse Generic?


  • Please log in to reply
3 replies to this topic

#1 Morgaine

Morgaine

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:50 AM

Posted 19 July 2009 - 01:46 AM

Hi,

I hope this is the right place for this post. I've been having progressively more problems with windows vista on my laptop. A couple of days ago I started being misdirected on links from search engines. Then I started getting warnings from AVG stating that I've been infected with this "Trojan horse Generic 14.DYJ" found in "Windows\System32\ESQULnvrnxynnmtpdenpeswtcoeriipjdmgxt.dll"

And now I cannot run anti-mal/spyware programs ("program has stopped working, windows checking for solution"), nor can I download any others, and I actually cannot access some websites offering these programs (connection fails for these websites). Ditto for trying to get logs. DDS doesn't work (command prompt opens and displays: 'FINDSTR.EXE' is not recognized as an internal or external command, operable program or batch file.). HijackThis worked but only after I renamed the program to skanneri.exe (something I read recommended somewhere). I don't want to add to the overwhelming quantity of posted logs unless necessary, so I'm just hoping that someone has any recommendations for me at all.

I have Spybot, AVG8.5, windows firewall, ccleaner, not sure what is relevant. I'm really tired and ignorant at this point. I attempted uninstalling spybot when I had first discovered that I couldn't run it, but I received a bunch of error messages during the uninstall (I'm sorry, I didn't really explicitly record any of the error messages initially). I can still find Spybot and TeaTimer folders in program files.

Any help would be greatly appreciated whenever anyone has some time.

BC AdBot (Login to Remove)

 


#2 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:12:50 AM

Posted 19 July 2009 - 04:54 PM

Please disable Spybot/s Teatimer for now
Can you get into safe mode w/networking?
Try Dr. Web Cureit


Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Then run Root Repeal


Please download
HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images ,if needed >> L@@K.
Unzip that,(7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 Morgaine

Morgaine
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:50 AM

Posted 20 July 2009 - 08:31 PM

Hi,

I could get into safe mode, and I tried running Dr. Web Cureit scan twice. The scan never finished both times; it would get very close to the end in a couple of hours and then stall at D:\Windows\System32\config\SOFTWARE both times, even though I left it running for over 12 hours both times. When I would try exiting the program at that point, it wouldn't respond. It did however find an infected file in the location that I mentioned previously.

I also ran Root Repeal which kept having an error message pop up: "Could not read the boot sector. Try adjusting the Disk Access Level in the options dialog." I also received the error message: "Could not read system registry! please contact the author!"

Root Repeal did however scan and create a log that I saved:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/20 21:16
Program Version: Version 1.3.2.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x8DCF4000 Size: 778240 File Visible: No Signed: -
Status: -

Name: dwshd.sys
Image Path: C:\Windows\System32\drivers\dwshd.sys
Address: 0x8807C000 Size: 183424 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xAB18B000 Size: 49152 File Visible: No Signed: -
Status: -

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1488 Status: Locked to the Windows API!

SSDT
-------------------
#: 334 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\myfolder\SASKUTIL.sys" at address 0x8dc12df0

Stealth Objects
-------------------
Object: Hidden Module [Name: ESQULeyxbeadycqfphfiprasnsxdanuqbcidb.dll]
Process: svchost.exe (PID: 1052) Address: 0x10000000 Address: 57344

Object: Hidden Module [Name: msgsres.dll]
Process: msnmsgr.exe (PID: 2652) Address: 0x6da40000 Address: 11403264

Object: Hidden Module [Name: msgslang.14.0.8064.0206.dll]
Process: msnmsgr.exe (PID: 2652) Address: 0x6f020000 Address: 315392

Object: Hidden Module [Name: msgrvsta.thm]
Process: msnmsgr.exe (PID: 2652) Address: 0x6fa50000 Address: 20480

==EOF==

#4 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:12:50 AM

Posted 21 July 2009 - 04:29 PM

Did you try Malwarebytes?
http://www.malwarebytes.org/mbam.php


Some types of malware will disable Malwarebytes Anti-Malware and other security tools. If MBAM will not install, try renaming it first.
  • Right-click on the mbam-setup.exe file file and rename it to mysetup.exe.
  • Double-click on mysetup.exe to start the installation.
  • If that did not work, then try renaming and changing the file extension. <- click this link if you do not see the file extension
  • Right-click on the mbam-setup.exe file, rename it to mysetup and change the .exe extension to .scr, .com, .pif, or .bat.
  • Then double-click on mysetup.scr (or whatever extension you renamed it) to begin installation.
If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to myscan.exe.
  • Double-click on myscan.exe to launch the program.
  • If that did not work, then try renaming and change the .exe extension in the same way as noted above.
  • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.

Be sure to update MBAM through the program's interface (preferable method) or manually download the definition updates and just double-click on mbam-rules.exe to install. Then perform a Quick Scan in normal mode and check all items found for removal. Don't forgot to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the report in your next reply.

Note: MBAM uses Inno Setup instead of the Windows Installer Service to install the program. If installation fails in normal mode, try installing in safe mode. Doing this is usually not advised as MBAM is designed to be at full power when running in normal mode and loses some effectiveness for detection & removal when used in safe mode. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Therefore, after completing a scan it is recommended to uninstall MBAM, then reinstall it in normal mode and perform another Quick Scan.
-------------------------------------------


If that's a no-go then I would have to suggest submitting a log in the HJT forum

Since you cannot run DDS, please try this:


Please download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding Rist attempting to contact the Internet, please allow the connection.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on RSIT.exe to start the program.
  • If using Windows Vista, be sure to Run As Administrator.
  • Click Continue after reading the disclaimer screen.
  • Leave the drop down box set to default: "List/folders created or modified in the last 1 month (30 days).
  • When the scan is complete, a text file named log.txt will automatically open in Notepad.
  • Save the log file to your desktop and copy/paste the contents into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.
If RSIT did not work, then reply back here.
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users