Author Topic: Need help removing trojan  (Read 4091 times)


amywwd
Need help removing trojan
« on: March 02, 2008, 05:59:30 AM »
Hi,
I have a trojan that I cannot delete or move to chest, splash screen says ACCESS IS DENIED, cannot process "c\windows\system32\dmstyl.dll"
The Malware name is Win32:Pakes-AKM though the other day it said it was Win32:Agent-OUX in the same file. 
I did the boot-time scan, disabled system restore as other posts suggested and tried to unlock with a download that another post suggested but nothing has worked.

Here is Hijackthis info that I have tried to fix but none of them will go away:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {85168A35-7651-4691-BC91-EF17845FA98C} - C:\WINDOWS\system32\dmstyl.dll

Any help would be appreciated.
Thanks,
Amy

oldman (Avast Evangelist)
Re: Need help removing trojan
« Reply #1 on: March 02, 2008, 06:35:11 AM »
Hi Amy, I think we can get this guy for you.

Please download ComboFix from Here or Here to your Desktop.

**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    -----------------------------------------------------------
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you. 
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**


amywwd
Re: Need help removing trojan
« Reply #2 on: March 03, 2008, 05:06:58 PM »
Hi,
I tried to follow the instructions to disable real-time antispyware protection, but I couldn't find the option, so I thought maybe I didn't have that. Anyway, here is my log; thanks so much:

ComboFix 08-03-03.12 -  2008-03-03 10:36:05.1 - NTFSx86
Running from: C:\Documents and Settings\\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\DriveCleaner
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\DriveCleaner\DriveCleaner Manual.lnk
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\DriveCleaner\DriveCleaner on the Web.lnk
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\DriveCleaner\DriveCleaner.lnk
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\DriveCleaner\Feedback on Support Quality.lnk
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\DriveCleaner\Report Software Defect.lnk
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\DriveCleaner\Request for Instructions.lnk
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\DriveCleaner\Share Your Suggestions.lnk
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\DriveCleaner\Uninstall DriveCleaner.lnk
C:\Documents and Settings\Application Data\DriveCleaner
C:\Documents and Settings\Application Data\DriveCleaner\activator_info.txt
C:\Documents and Settings\Application Data\DriveCleaner\Logs\Activate.log
C:\Documents and Settings\Application Data\DriveCleaner\Logs\update.log
C:\Documents and Settings\Application Data\searchtoolbarcorp
C:\Documents and Settings\Application Data\searchtoolbarcorp\Toolbar Vision\PageHistory.txt
C:\Documents and Settings\Application Data\searchtoolbarcorp\Toolbar Vision\WebHistory.txt
C:\Documents and Settings\Desktop\DriveCleaner.lnk
C:\Documents and Settings\err.log
C:\Program Files\Common Files\drivecleaner free
C:\Program Files\mediapipe
C:\Program Files\mediapipe\Agent.dll
C:\Program Files\mediapipe\altpayments_terms.txt
C:\Program Files\mediapipe\api.exe
C:\Program Files\mediapipe\insdl.dll
C:\Program Files\mediapipe\install.log
C:\Program Files\mediapipe\MediaPipe.ini
C:\Program Files\mediapipe\p2pinst.exe
C:\Program Files\mediapipe\p2pl.exe
C:\Program Files\mediapipe\register.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\AlConfig.xml
C:\Program Files\p2pnetworks\alp2plib.log
C:\Program Files\p2pnetworks\install.log
C:\Program Files\p2pnetworks\mpp2pl.exe
C:\Program Files\p2pnetworks\p2pnetworks.exe
C:\Program Files\p2pnetworks\sp2p.cache
C:\Program Files\p2pnetworks\uninst.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\mcrh.tmp

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


(((((((((((((((((((((((((   Files Created from 2008-02-03 to 2008-03-03  )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 21:12   ---------   d-----w   C:\Program Files\NCH Software
2008-02-02 20:41   ---------   d-----w   C:\Program Files\NCH Swift Sound
2008-02-02 20:41   ---------   d-----w   C:\Documents and Settings Wayne\Application Data\NCH Swift Sound
2005-12-16 04:21   26,958   ----a-w   C:\Program Files\Movieland Terms.html
2007-09-28 00:38   2,111,112   --sh--w   C:\WINDOWS\system\vbxfa.bak1
2007-11-23 19:31   457,500   --sh--w   C:\WINDOWS\system\vbxfa.bak2
2007-01-11 23:46   848   --sha-w   C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85168A35-7651-4691-BC91-EF17845FA98C}]
2004-08-04 06:00   100864   --a------   C:\WINDOWS\system32\dmstyl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 12:03 135168]
"combofix"="C:\WINDOWS\system32\CF12131.exe" [2004-08-04 06:00 388608]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"SFCDisable"=dword:00000004

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 Spssys;Toshiba SPS Service;C:\WINDOWS\system32\drivers\spssys.sys [2004-05-07 20:56]
R0 uqvvudjb;uqvvudjb;C:\WINDOWS\system32\drivers\gjyxibyp.dat []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 10:43:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-03-03 10:47:56 - machine was rebooted
ComboFix-quarantined-files.txt  2008-03-03 15:47:50
.
2008-02-24 06:24:22   --- E O F --- 


oldman (Avast Evangelist)
Re: Need help removing trojan
« Reply #3 on: March 03, 2008, 09:32:27 PM »
Hi, a HijackThis log was also asked for, but no matter, we can start without it. You can also attach your logs by using the additional options button on the reply page. You may have to scroll down to see the browse button.

You have a driver we have to disable and remove.

Please copy and paste this section into a notepad as you will be in safe mode.

Step #1

Start in Safe Mode Using the F8 method:


Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.

Use the arrow keys to select the Safe Mode menu item.

Press the Enter key.

Step #2

Now we will need to disable the driver for this thing. Please do the following:

Click Start, click Control Panel, click Performance and Maintenance, and then click System.

(Please note, that depending on how you have your computer set up, the path to the system icon may be

start, control panel, system.)

On the Hardware tab, click Device Manager.

Click the View menu and if there is no checkmark in front of Show hidden devices then click on it to activate it.

Scroll down the list of devices and double-click Non-Plug and Play Drivers.

Locate uqvvudjb and right click it and then click the Properties option.

Click the Driver tab.

In the Startup section select Disable from the drop-down list.

Click General tab.

In the Device Usage drop-down list select Do not use this device (disable).

Click the Ok button and you should be prompted to reboot. You can reboot normally.


Back in normal windows.

Please download The Avenger by Swandog46 to your Desktop.


1. Click on Avenger.zip to open the file and extract avenger2.exe to your desktop.
Quote
Drivers to delete:
uqvvudjb

Files to delete:
C:\WINDOWS\system32\drivers\gjyxibyp.dat
C:\WINDOWS\system32\dmstyl.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Copy/Paste all the text  in the above quote box into the main window
  • MAKE SURE THE TEXT MATCHES EXACTLY
  • Click Execute

    The Avenger will automatically do the following:
    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions.  This log file will be located at  C:\avenger.txt


      We will also need to look at this with a different scanner.

      Please download Deckard's System Scanner (DSS) and save it to your Desktop.
      • Close all other windows before proceeding.
      • Double-click on dss.exe and follow the prompts.
      • When it has finished, dss will open two Notepads main.txt and extra.txt  -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
      Please post in your next reply, the avenger results and the DSS logs.

      Please don't hesitate if you have any problems or questions.

      Thanks.
« Last Edit: March 03, 2008, 09:34:45 PM by oldman »
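As an added example for this thread (not ComboFix, HijackThis, The Avenger, or anything oldman posted), the script below applies the checks that oldman made by eye on the log in Reply #2: a driver line whose file-timestamp bracket is empty, a service whose name and display name are the same string, a driver image that is not a .sys file, and a non-zero SFCDisable value under winlogon, which Reply #5 later resets to 0. The sample lines are a constructed, abridged excerpt modelled on that log, and the heuristics are this example's own assumptions, not ComboFix rules; a flag means "look closer", not "malware".

```python
"""Triage a ComboFix driver/service listing and its winlogon section.

Added example for this thread; not ComboFix, HijackThis or The Avenger code.
The heuristics are this example's own and only mirror what the helper spotted
by eye in the posted log. SFCDisable is 0 by default on Windows XP; a non-zero
value means Windows File Protection has been tampered with.
"""
import re
from dataclasses import dataclass

# Constructed, abridged excerpt modelled on the log posted in Reply #2.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85168A35-7651-4691-BC91-EF17845FA98C}]
2004-08-04 06:00   100864   --a------   C:\WINDOWS\system32\dmstyl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"SFCDisable"=dword:00000004

R0 Spssys;Toshiba SPS Service;C:\WINDOWS\system32\drivers\spssys.sys [2004-05-07 20:56]
R0 uqvvudjb;uqvvudjb;C:\WINDOWS\system32\drivers\gjyxibyp.dat []
"""

# ComboFix prints drivers/services as: "<start> <name>;<display>;<path> [<timestamp>]"
DRIVER_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<stamp>[^\]]*)\]\s*$"
)
SFC_RE = re.compile(r'"SFCDisable"=dword:([0-9a-fA-F]{8})')


@dataclass
class Driver:
    start: str
    name: str
    display: str
    path: str
    stamp: str


def parse_drivers(log: str) -> list:
    """Return every driver/service line of the log as a Driver record."""
    found = []
    for line in log.splitlines():
        m = DRIVER_RE.match(line.strip())
        if m:
            found.append(Driver(**m.groupdict()))
    return found


def driver_flags(d: Driver) -> list:
    """Heuristic reasons a driver entry deserves a closer look (may be empty)."""
    flags = []
    if not d.stamp:
        flags.append("no file timestamp: ComboFix could not read the image file")
    if d.name == d.display:
        flags.append("service name and display name are the same string")
    if not d.path.lower().endswith(".sys"):
        flags.append("driver image is not a .sys file")
    return flags


def suspicious_drivers(log: str) -> list:
    """(name, path, flags) for each driver with at least one flag."""
    out = []
    for d in parse_drivers(log):
        flags = driver_flags(d)
        if flags:
            out.append((d.name, d.path, flags))
    return out


def sfc_disable_value(log: str):
    """Parsed SFCDisable DWORD from the winlogon block, or None if absent."""
    m = SFC_RE.search(log)
    return int(m.group(1), 16) if m else None


def report(log: str) -> list:
    """Human-readable findings; an empty list means nothing stood out."""
    lines = []
    for name, path, flags in suspicious_drivers(log):
        lines.append(f"driver {name} ({path}): " + "; ".join(flags))
    sfc = sfc_disable_value(log)
    if sfc:
        lines.append(f"SFCDisable is {sfc:#010x}, expected 0 (Windows File Protection tampered with)")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_LOG):
        print(finding)
```

Run on the sample it reports the uqvvudjb entry with all three flags and the non-zero SFCDisable value, while the Toshiba driver passes; on a full ComboFix.txt you would paste the "Drivers/Services" and "Reg Loading Points" sections in place of SAMPLE_LOG and review anything flagged against the known-good software on the machine before deciding what to remove.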

amywwd
Re: Need help removing trojan
« Reply #4 on: March 04, 2008, 03:15:11 AM »
Hi,
Followed your steps.  I really appreciate your help!
Thanks,
Amy

oldman (Avast Evangelist)
Re: Need help removing trojan
« Reply #5 on: March 04, 2008, 06:39:53 AM »
Open HJT, run a system scan only, check mark these lines if present


O2 - BHO: (no name) - {85168A35-7651-4691-BC91-EF17845FA98C} - C:\WINDOWS\system32\dmstyl.dll (file missing)


Close all other browsers/windows, click fix, close HJT.


We'll use combofix again, but first please rename it to bugout.exe by right clicking the combofix icon on your desktop and typing the new name. Do not double click it to run it; we will run it a little differently this time.

Please follow all previous instructions regarding security programs.


Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown at the bottom of this post.


Quote
File::
C:\WINDOWS\system\vbxfa.bak1
C:\WINDOWS\system\vbxfa.bak2

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"SFCDisable"=dword:00000000


This will start ComboFix again. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.
« Last Edit: March 04, 2008, 08:27:05 PM by oldman »

ravendawson
Re: Need help removing trojan
« Reply #6 on: November 19, 2010, 04:45:14 AM »
Had this same problem before; there is this media pipe thing that keeps showing up on my computer. It shows a lady mentioning how we have to pay money for an expired free trial version of a software or service called MOVIELAND. It says we need to pay them money to make it go away. They have my IP and say I'm legally obligated to subscribe and this can go on my credit report. I don't remember ever going to that website or downloading anything with such a name, so I did some research about it.

I also tried various ways to fix it, like scanning with an antivirus, Lavasoft Ad-Aware, Spybot, etc., and unfortunately we failed. After a quick search on the web, I found some threads and articles related to this issue and came to this useful post talking about the mediapipe virus. So, to cut the story short, our computer has been infected by that bad virus. I've learned that it is part of the family of badware with an unacceptable and deceptive installation process, meaning it does not completely disclose all of its components to the user. Nor does it remove all of its features upon use of the uninstall process. The article suggested two ways to remove it: either manually remove all of its components or use a certain security software. I chose the second one, because I do not want to risk damaging my computer if I make a wrong move deleting the components through regedit.
I also tried various ways to fix it like scanning with an antivirus, the LavaSoft adaware , spybot, etc .. and unfortunately we failed. After a quick search in the web, I just found some threads and articles related to such issue and came to this useful post talking about mediapipe virus. So to cut the story short, our computer has been infected by that bad virus. I've learned that it is part of the family of badware with an unacceptable and deceptive installation process--meaning, it does not completely disclose all of its components to the user. Nor does it remove all of its features upon use of the uninstall process. The article suggested two ways to remove it, either manually remove all of its components or using a certain security software. I rather chose the second one, because I do not want to risk damaging my computer if I've done a wrong move deleting the components through regedit.