Jump to content

Removal trojan Horse DTHTML.EXE1 (Generic Malware.co)


Recommended Posts

I'm worried about a Trojan Horse that seems to have infected my computer. It seems not possible to remove it. I've tried all the usual ways to do so (Mc Afee, Spyware Doctor, Malwarebytes Anti Malware) but after a reboot McAfee always rapports this trojan horse again. It's name is DTHTML.EXE1, a file which seems to 'replace' itself over and over again. It's a generic malware.co trojan. I don't know if there are more infections like this, so I really appreciate it if you guy's would look over it.

In the meantime strange things happen to my computer which I can't explain: internet explorer cannot be set into secure mode, McAfee-realtime scanner is constantly turned off, computer runs very slowly and crashes a lot, securitylevels are lowered, customized preferences changed etc. I tried full scans with Mc Afee, Spyware-doctor and Malwarebytes Anti Malware but they don't find anything. I followed your instructions and added some recent attachments.

Can you help me please??

Rob

ark.zip

Attach.zip

DDS.txt

mbam_log_2010_08_19__13_15_38_.txt

Link to post
Share on other sites

Hello Rob! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step if there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware, while work on.
  • Keep me informed about any changes.

Step 1

Please, uninstall the following applications:

  1. Adobe Reader 9.3.2 - Nederlands
  2. Uniblue DriverScanner
  3. Uniblue PowerSuite
  4. Uniblue ProcessScanner
  5. Uniblue RegistryBooster
  6. Uniblue SpeedUpMyPC

You can read, how to do this here:

Step 2

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply
    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

Step 3

Going over your logs I noticed that you have LimeWire installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smorgasbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again.

I would recommend that you uninstall LimeWire, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

Step 4

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.

[*]During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

In your next reply, please include these log(s):

  1. JavaRa log
  2. ComboFix log

Link to post
Share on other sites

Thanks for your quick reply Borislav.

I followed step 1 completely.

In step 2 I removed Java, downloaded JavaRa, closed all internet-windows, opened JavaRa and selected 'remove older versions'. It then says the task is completed and it has made a logfile on C. When I select 'ok' to open the log, my notepad says it can't find the log! And indeed, there is no logfile to be found in C. Is that a problem?

I removed the rest of the java-parts as you instructed in step 2, so it's only the log that seems not able to work.

I removed LimeWire (step 3). I don't use that program anyway so I won't miss it.

Before I go on to step 4 I want to know if the log-problem in step 2 is crucial.

Greetings

Rob

Link to post
Share on other sites

Please wait about Defogger.ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however may need to disable your current installed Anti-Virus, how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Now click on Advanced Settings and select the following:

    • Remove found threats
    • Scan archives
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

[*]Now click on: EOLS3.gif

[*]The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.

[*]When completed the Online Scan will begin automatically.

[*]Do not touch either the Mouse or keyboard during the scan otherwise it may stall.

[*]When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!

[*]Now click on: EOLS4.gif

[*]Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.

[*]Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Link to post
Share on other sites

McAfee always rapports the following file:

C:\\ProgramFiles\SpywareDoctor\avdb\temp\DTHTML.EXE1\sym.sdupk

The tempmap is always clean, but apparently McAfee detects the DTHTM.EXE1 file when it opens. There must be another files 'that' installs that DTHTML.EXE1 file. DTHTML.EXE is a file that belongs to the Pivot software that controls my Philips Display. DTHTML.EXE1 is a file that the trojan creates over and over again.

Greetings Rob

Link to post
Share on other sites

I performed a full scan with McAfee in Safe mode. No problems were reported.

I also performed a full scan with Spyware Doctor. Two treads were found (Trojan-Downloader.Murlo and Trojan.Generic) and were quarantained.

But still I get the McAfee DTHTML-notification.

My actions:

1. I wrote down the EXACT McAfee notification. It says:

name: Generic Malware.co

filename: C:\\Programs\SpywareDoctor\avdb\temp\DTHTML.EXE1\sym.sdupk

proces: C:\\Windows\system32\SearchProtocolHost.exe

procesdescription: Microsoft Windows Search Protocol Host

2. When busy I got a new McAfee notification which talked about a possible unwanted program called NIRCMD.CFXXE0 which came out of the SAME filemap from Spyware Doctor. So I performed a new fullscan

of SpywareDoctor and opened a second window in which I could see the exact changes in the filemap Programs\SpywareDoctor\avdb\temp. Before the scan this map was empty. During the scan the map

was filled with approximatly 23 filemaps and I could also see that several maps were created and deleted during this proces (of course they were temperary maps). At the and of the scan those 23 maps were

still there. Also a map called DTHTML.EXE1 (with nothing in it), NIRCMD.., and several other maps with familiar softwarenames and extension EXE1. Most of these filemaps were empty. I deleted them by

hand because SpywareDoctor didn't.

3. My conclusion: MCAfee labels some of these SpywareDoctor temp-files as a thread, but maybe they are not because they were just created as some sort of temporary scanfile. If that is so, how can I make

McAfee NOT to notify them as a thread? or should I accept it as a 'fact of live'..

Link to post
Share on other sites

Excuse me for my late reaction.

First of all your help so far. Thanks for your advice. But I don't agree with you to uninstall Spyware Doctor. It has been my 'lifesaver' since years and it found spyware that malwarebytes didn't mentioned at all. I'll rather use both Spyware Doctor and Malwarebytes.

Maybe I'll do it when I really really have to, but for now I want it to stay active. In the meantime I've been able to find a few new ways to clean my computer and despite of my main 'dthtml-issue' the rest of the problems are gone.

I would like to reinstall my Uniblu-software and defog again. I wait for your final words..

Greetings

Rob

Link to post
Share on other sites

  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.