Please Help With Removal Of Many Trojans

[DavidR]

If you use IE as your browser of choice, e.g. that is what you use then I would say get IE7. Me I avoid IE like the plague (I use Firefox as my primary browser), but because it is fully integrated into OS I keep it (IE6) up to date.

[polonus]

Hi Eddy,

Have to agree with you here, there is a whole action online to deliver us from the obsolete archaic IE6 browser, I guess that not even DavidR is going around now in shoes dating back from 2001 or these must have been several times in at the repair man's. Everyone whose OS enables it should upgrade to IE7, because it is better and more secure, the same as SP3 is better than SP2, no matter what the arguments against it may sound. Only lousy thing with good old MS is that when you have migrated from IE6 to IE7 you have no way to go back. But "ergo conclusio" IE has had its days and should stay in the previous century together with all the other software that belongs there. Or you should use an alternate browser of a more recent type, date and development,

polonus

[DavidR]

Funny that one of the latest security updates for IE, effected software listed IE7 and IE8, guess what was listed under software not affected, yes IE6.

Life is never as simple as that, just because there is another version doesn't mean you should jump all over it. IE6 might be your 2001 pair of shoes but IE6 SP1, IE6 SP2, IE6 SP3 were effectively new shoes with continued support for security updates for IE6 SP3 there is more mileage left in those shoes in the form of security updates to patch them.

I have many pairs of comfortable shoes

[polonus]

Hi DavidR,

Tend to believe you here, and if that is the truth, and I have no way of doubting this one bit, it is not very flattering for the developers of IE7. I hope that IE8 will not come out with some hidden new skeletons in the cupboard. Because IE and explorer.exe are interwoven with the operational system for now (no matter what EU regulators may think of this, this will be until Windows7 gets launched), it is of the utmost importance for every user of the Windows OS to update and patch their IE browser fully, no matter what their browser by default is, even if they only use it to update their OS,

pol

[micky77]

DebbieR you say " I know the Trojans are still there because they make very loud clicking noises and sometimes they shut off my coumputer." I think this is very unlikely.More probable that your hard drive is dying a fast death. I would make it a priority to remove any important data asap

http://www.google.co.uk/search?q=computer+makes+loud+CLICKING+noise&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

[DebbieR]

Yes my hrad drive has been dying for 3 years now. I have kept it running by daily using Ccleaner, Spybot S & D, Disk Clean Up, and Disk Defrag, and running Disk Check once a week. The loud clicking noises have only been happening since the trojans appeared on my computer. I don't think we have removed the dialer trojan or the on that shuts down the computer. (I had a few mini strokes several years ago and today is one of those days when it is very hard to think.) I don't know were the trojans are located I just have the names. I'll check back tomorrow to see if you have any suggestions.

[micky77]

Sorry to hear your feeling under the weather.I would start from the begining,scan with one program at a time and report the findings.All programs produce logs.You could copy/paste them if any malware is found.There is no need to run programs that have found nothing, and your HJT log produced nothing.

Kaspersky online  http://www.kaspersky.co.uk/virusscanner

Run a full scan of MalwareBytes Antimalware

Drweb Cureit latest download http://www.freedrweb.com/

Nod 32 Online http://www.eset.co.uk/ThreatCenter/OnlineScanner

Avira anti roorkit ( second from the bottom, of downloads )  http://www.avira.com/en/support/support_downloads.html

If any files are infected post there names and loctions. Best of luck 

[DebbieR]

Thank you micky77. I turned on System Restore. I will run all the scans again. I have everything I want to keep the the external hard drive. I am thinking of buying a new/used (new to me) computer in the next few months and I don't want to take and trojans with me. So, I have to make sure there aren't any on the external hard drive.

[DebbieR]

Yesterday, Kaspersky released a new anti-virus scanner and removal tool. I found it while looking for something else on majorgeeks.com.
http://majorgeeks.com/Kaspersky_Virus_Removal_Tool_d4515.html
The scan took 5 hours. Whe it found the trpjan it made a noise. When it tried it disinfect the trojan, the trojan squealed like a pig(the sound effects are cute). It was unable able to disinfeat or move the traojan or move it so it deleted it. The log is too large to paste here. Is there a way to attach the log? I think my problem is solved but I thought you may want to see the log. Anyway, thank you one and all for your help.

[CharleyO]

***

You can post the log here by using the "copy & paste" method over 2 or more posts

OR

you can attach it to one post as I have done by clicking on "Additional Options" below the posting box.
Click the image below to enlarge.


***

[DebbieR]

My computer is telling me this file is 93 mb. I attached a screen shot.

[DebbieR]

There isn't any way to post that log. Here is a log from Arovax Antispyware:

Scan log. Started at 03.21.2009 11:55:47
------------------------------------------

Start Processes scan
Completed Processes scan
Total items scanned: 39
Items found: 0
------------------------------------------

Start Registry scan
Name: Adware.Emusic
Software\Microsoft\Internet Explorer\Toolbar

Name: Spyware.Realspy
SOFTWARE\Classes\ActiveSkin4.Skin

Name: Spyware.Realspy
SOFTWARE\Classes\ActiveSkin4.Skin.1

Name: Spyware.Realspy
SOFTWARE\Classes\ActiveSkin4.SkinLabel

Name: Spyware.Realspy
SOFTWARE\Classes\ActiveSkin4.SkinLabel.1

Name: Spyware.WALogger
SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}

Name: Spyware.SnoopStick
SYSTEM\ControlSet001\Services\WS2IFSL

Name: Spyware.EmailSpy
SYSTEM\CurrentControlSet\Services\VxD

Name: Spyware.SnoopStick
SYSTEM\CurrentControlSet\Services\WS2IFSL

Name: UNKNOWN - ehTray [ c:\windows\ehome\ehtray.exe ]
SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: UNKNOWN - dldtmon.exe [ "c:\program files\dell v305\dldtmon.exe ]
SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: UNKNOWN - dldtamon [ "c:\program files\dell v305\dldtamon.exe ]
SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: UNKNOWN - a-squared [ "c:\program files\a-squared anti-dialer\a2adguard.exe ]
SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: UNKNOWN - a-squared Anti-Dialer [ "c:\program files\a-squared anti-dialer\a2adguard.exe ]
SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: UNKNOWN - DllName [ %systemroot%\system32\dimsntfy.dll ]
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy

Completed Registry scan
Total items scanned: 25139
Items found: 15
------------------------------------------

Start Hosts file scan
Completed Hosts file scan
Total items scanned: 1
Items found: 0
------------------------------------------

Start Cookies scan
Completed Cookies scan
Total items scanned: 441
Items found: 0
------------------------------------------

Start File system scan
Name: Email-Worm.Win32.Kipis.u
C:\WINDOWS\REGEDIT.COM

Completed File system scan
Total items scanned: 5014
Items found: 1
------------------------------------------

Scanning Finished. 03.21.2009 11:57:15


I have installed an anti-dialer which I hope will help, my phone bill had an extra $100.00 added to it, I'll call the phone company Monday to find out why. I think I will go down the list on majorgeeks.com until I feel I have finally removed all the trojans. These things seems to be a master of disguise.

[DavidR]

Well everything related to ActiveSkin4 to put it bluntly is rubbish as that is the skinning software used by avast for the skins in the simple user interface, etc.

I'm none to familiar with Arovax Antispyware I tend to stick with the known and what I consider to be the main contenders, SAS and MBAM. So I can't say how accurate the results are other than the ones relating to ActiveSkin4 a\s I mentioned.

However, the c:\windows\regedit.com is suspect as the normal file in that location would be regedit.exe so it could quite easily be malware.

Check the suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here in the topic, the URL in the Address bar of the VT results page.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a reference to this topic (give URL) and undetected malware in the subject.

[micky77]

Well everything related to ActiveSkin4 to put it bluntly is rubbish as that is the skinning software used by avast for the skins in the simple user interface, etc.

Is it ?

http://www.symantec.com/security_response/writeup.jsp?docid=2004-112917-4626-99&tabid=2

Have you installed a commercial keylogger?

[DavidR]

I believe so yes.

It is on my system and since the security response mentions this in relationship to File Names: Winrsm.exe,getyahoo.dll and that would be the key to a correct detection and neither of those were found by arovax antispyware in DebbieR's scan.

Neither of those files mentioned are on my system either but the legitimate use of the activeskin4 software by avast are in my registry and both SAS and MBAM haven't batted an eyelid.