Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Make sure you can keep your computer on before you continue on with the below. I need you to keep it on until I reply with a fix and when you actually do the fix because the filenames may change if you restart or shutdown your computer. So if you can't keep the computer on today, don't run the below steps until you can keep it on. I also need to know if you can access the Task Manager (Ctrl+Alt+Del) and/or Regedit (Start->Run->Regedit). Please check to see if you can access both of these and let me know whether or not you can in your next post.
Viewing Hidden Files
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.
Downloads
WinPFind - Unzip it to the desktop, but do not run it yet
Track qoo - Unzip it to the desktop, but do not run it yet
Hoster - Run Hoster and choose the 'Restore Original Hosts' button and press OK.
KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)
Launch KillBox.exe & select the following options:
Select all the filenames below & then right-click & select Copy
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\system32\apguu.dat
C:\WINDOWS\system32\MediaGateway.exe
C:\WINDOWS\system32\MTE2ODM6ODoxNg.exe
C:\WINDOWS\system32\nbxaarx.exe
C:\WINDOWS\system32\njraa.dll
C:\WINDOWS\system32\pagttr.exe
C:\WINDOWS\system32\rixcctx.dll
C:\Documents and Settings\Caroline\Application Data\Sskcwrd.dll
C:\Program Files\Cas\Client\Uninstall.exe
C:\Program Files\Common Files\system32.dll
C:\Program Files\DNS\cwebpage.dll
C:\WINDOWS\io2uns.exe
C:\WINDOWS\system32\bho.dll
C:\WINDOWS\system32\efqmm.dll
C:\WINDOWS\system32\ide21201.vxd
C:\WINDOWS\unstall.exe
* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.
Add/Remove
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if listed):
DNS OR Shorty
Internet Optimizer
Casino Client OR Cas OR Casino (something)
Deleting a Service
Click Start->Run - type SERVICES.MSC & then click on the OK button
- Locate the service - ygvamukkpdsk
- Double-click on it to open the Properties dialog.
- Under the General tab, note down the name of "Service name". We shall need it later.
- Stop the service by using the Stop button.
- Change the Startup type to Disabled & then click on the OK button
- Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
- In the popup box that appears, type in "Service name" & then click on the OK button
HijackThis!
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)
O1 - Hosts: 216.39.69.102 view.atdmt.com
O23 - Service: ygvamukkpdsk - Unknown owner - C:\WINDOWS\system32\ukkpdsk\ygvam.exe (file missing)
Please remember to close all other windows, including browsers, then click Fix checked.
File and Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
C:\Program Files\Cas
C:\Program Files\DNS
C:\Program Files\Internet Optimizer
C:\WINDOWS\system32\ukkpdsk
Restart your computer in Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list).
Tools
Double click WinPFind.exe
* Click 'Start Scan'
* It will scan the entire system, so please be patient!
* Once the scan is complete:
1. Go to the WinPFind folder
2. Locate WinPFind.txt
3. Copy those results in the next post!
Reboot your system in Normal Mode.
Double click on Track qoo.vbs
**Note - If you have an anti-virus program that has script blocking features, you will get a pop up window asking you what to do. Allow this entire script to run. It's harmless.
Wait a few seconds and Notepad will pop up. Save this file to your desktop as Trackqoo.txt. Copy & Paste the results and place them in the next post along with the results of WinPFind! Remember to keep your computer on now until you do the fix that I will give you.
Online Scans
Please open IE and go to Kaspersky WebScanner
Next click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
- The program will launch and then begin downloading the latest definition files:
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
- Scan Archives
- Scan Mail Bases
- Click OK
- Now under select a target to scan:
- This program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
- Save the file to your desktop.
- Copy and paste that information in your next post.
Take note of the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan
In your next post please include:
- Kaspersky Log
- A new Hijackthis! Log
- WinPFind.txt
- Trackqoo Log
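
Added example, not part of the original post: a small Python triage script for a saved HijackThis log that picks out the two kinds of entries the post asks to fix, an O1 hosts line pointing a name at a non-local address and an O23 service whose executable is marked "(file missing)". The two flagged lines in the sample are the ones quoted in the post; the other two are constructed, and the function and variable names are hypothetical.

```python
import re

# Line formats taken from the two HijackThis entries quoted in the post.
O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)

# Addresses that keep a name on the local machine (assumption: treated as benign here).
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

# Sample log: lines 2 and 4 are from the post, lines 1 and 3 are constructed.
SAMPLE_LOG = r"""O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 216.39.69.102 view.atdmt.com
O23 - Service: Example Updater - Example Corp. - C:\Program Files\Example\updater.exe
O23 - Service: ygvamukkpdsk - Unknown owner - C:\WINDOWS\system32\ukkpdsk\ygvam.exe (file missing)
"""

def review_log(text):
    """Return a list of findings for O1 and O23 lines that deserve a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O1_RE.match(line)
        if m:
            # A hosts entry that maps a name to a remote address overrides DNS for it.
            if m["ip"] not in LOCAL_SINKS:
                findings.append(("hosts-redirect", m["host"], m["ip"]))
            continue
        m = O23_RE.match(line)
        if m and m["missing"]:
            # The service is still registered but its executable is gone.
            findings.append(("orphaned-service", m["name"], m["path"], m["owner"]))
    return findings

if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(*finding, sep=" | ")
```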