
Author Topic: trojan horse in captivity  (Read 12649 times)


nocolonleft

    Topic Starter


    Rookie

    trojan horse in captivity
    « on: January 23, 2008, 08:54:52 PM »
    Hi, and let me first apologize ahead of time for any and all seemingly stoopid questions i might have. I'm running a Lenovo 3000, 80GB with windows XP and i've recently managed to download a trojan horse virus. I have AVG7.5free anti-virus running and the virus has been locked up in the "virus vault", however the details say that it is a system file, it is not healable, the source is a back-up copy and the status is infected. My question is will this pose any other problems for my operating system?...i guess another question would be,..is it really "unhealable"? Thanks in advance for any and all help,... i'm pretty new at this

    Broni


      Mastermind
    • Kraków my love :)
    • Thanked: 614
      • Computer Help Forum
    • Computer: Specs
    • Experience: Experienced
    • OS: Windows 8
    Re: trojan horse in captivity
    « Reply #1 on: January 23, 2008, 08:57:05 PM »
    1. Run free ESET Online Scanner at: http://www.eset.com/onlinescan/
    Note: This Scanner is for Internet Explorer Only
       1.  You will notice that the "Start" button is grayed out. Place a check mark at "Yes, I accept the Terms of use". The "Start" button will become visible. Click on it.
       2. If it wants to install an ActiveX component allow it
       3. You will be asked to install an ActiveX, click the "Install" button (Note: If you have a Firewall installed, you may have to approve the installation)
       4. Once ActiveX control is installed click on the "Start" button to initialize the scanner
       5. After initialization is complete uncheck\untick "Remove found threats"
       6. Check\tick "Scan unwanted applications"
       7. Click the "Scan" button
       8. Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt
    Post ESET's log.

    2. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    Print these instructions out.

        * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
        * An icon will be created on your desktop. Double-click that icon to launch the program.
        * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
        * Close SUPERAntiSpyware.

    Restart computer in Safe Mode.
    To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen

        * Open SUPERAntiSpyware.
        * Under "Configuration and Preferences", click the Preferences button.
        * Click the Scanning Control tab.
        * Under Scanner Options make sure the following are checked (leave all others unchecked):
              o Close browsers before scanning.
              o Scan for tracking cookies.
              o Terminate memory threats before quarantining.
        * Click the "Close" button to leave the control center screen.
        * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
        * On the left, make sure you check C:\Fixed Drive.
        * On the right, under "Complete Scan", choose Perform Complete Scan.
        * Click "Next" to start the scan. Please be patient while it scans your computer.
        * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
        * Make sure everything has a checkmark next to it and click "Next".
        * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
        * If asked if you want to reboot, click "Yes".
        * To retrieve the removal information after reboot, launch SUPERAntispyware again.
              o Click Preferences, then click the Statistics/Logs tab.
              o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
              o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
              o Please copy and paste the Scan Log results in your next reply with a new HijackThis log.
        * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    3. Download HijackThis:
    http://www.snapfiles.com/get/hijackthis.html
    Post HijackThis log.

    nocolonleft


      Re: trojan horse in captivity
      « Reply #2 on: January 24, 2008, 06:00:17 PM »
      o.k. thanks,.. next question,... your reply says to download ESET online scanner but the note below says that it is for internet Explorer only,.. i don't use internet explorer, i use Firefox,.. should i still download this scanner?

      Broni


      Re: trojan horse in captivity
      « Reply #3 on: January 24, 2008, 07:59:39 PM »
      Well, I don't use IE, either, but ESET is a pretty good scanner, so if you don't mind using IE just for this scan purpose, that would be great. If not, you can use Firefox, and TrendMicro HouseCall: http://housecall.trendmicro.com/

      nocolonleft


        Re: trojan horse in captivity
        « Reply #4 on: January 27, 2008, 09:27:15 PM »
         Thanks Broni, and, like i said before about the stoopid questions,.. how do i post a log?

        Broni


        Re: trojan horse in captivity
        « Reply #5 on: January 27, 2008, 09:33:12 PM »
        Just paste it into your reply.
        In case of longer logs, you may need to split them into a couple of replies.

        nocolonleft


          Re: trojan horse in captivity
          « Reply #6 on: January 27, 2008, 09:41:26 PM »
          sorry.. i don't know how to do that

          Broni


          Re: trojan horse in captivity
          « Reply #7 on: January 27, 2008, 09:46:34 PM »
          Try a different way, then. Attach .log file to your reply.
          Look below:


          [file cleanup - saving space - attachment deleted by admin]

          nocolonleft


            Re: trojan horse in captivity
            « Reply #8 on: January 27, 2008, 09:53:07 PM »
            like this?

            [file cleanup - saving space - attachment deleted by admin]

            Broni


            Re: trojan horse in captivity
            « Reply #9 on: January 27, 2008, 09:57:10 PM »
            Perfect!

            nocolonleft


              Re: trojan horse in captivity
              « Reply #10 on: January 28, 2008, 04:27:01 PM »
               thanks Broni,... here's the log from superantispyware,.. i'm still working on downloading hijack this

              [file cleanup - saving space - attachment deleted by admin]

              Broni


              Re: trojan horse in captivity
              « Reply #11 on: January 28, 2008, 04:46:09 PM »
              Did you run ESET, by any chance?
              If you don't want to use IE, you may run Trend's HouseCall, using Firefox: http://housecall.trendmicro.com/

              nocolonleft


                Re: trojan horse in captivity
                « Reply #12 on: January 28, 2008, 04:52:34 PM »
                 Hi Broni,.. yes, i ran ESET,.. posted the log a couple of replies ago,.. did you want me to post them together?

                Broni


                Re: trojan horse in captivity
                « Reply #13 on: January 28, 2008, 04:59:08 PM »
                You mean, your post #8? I thought it was your try to attach something, because it contains some audio drivers tests.

                nocolonleft


                  Re: trojan horse in captivity
                  « Reply #14 on: January 28, 2008, 05:03:40 PM »
                   yes, post #8, i think that was the log from ESET. Is that not right?

                  Broni


                  Re: trojan horse in captivity
                  « Reply #15 on: January 28, 2008, 05:11:57 PM »
                  It doesn't look like it. See for yourself :)

                  nocolonleft


                    Re: trojan horse in captivity
                    « Reply #16 on: February 20, 2008, 06:19:52 PM »
                     Hi Broni,... sorry i've been away for a few weeks,... i've been in the hospital, but i'm home now and i would like to continue trying to get rid of the trojans. I think i posted the log for superantispyware, but i haven't been able to download "hijackthis",... any other suggestions?  Thanks

                    Broni


                    Re: trojan horse in captivity
                    « Reply #17 on: February 20, 2008, 07:06:44 PM »
                    I'm sorry for your hospital visit. I hope everything is fine...
                    Quote
                    i haven't been able to download "hijackthis"
                    What happens?

                    nocolonleft


                      Re: trojan horse in captivity
                      « Reply #18 on: February 20, 2008, 09:08:13 PM »
                      hi Broni,.. i think i got it this time

                      [file cleanup - saving space - attachment deleted by admin]

                      nocolonleft


                        Re: trojan horse in captivity
                        « Reply #19 on: February 20, 2008, 09:14:50 PM »
                        i'll just go ahead and post the other two logs here too,... hope this is right

                        [file cleanup - saving space - attachment deleted by admin]

                        Broni


                        Re: trojan horse in captivity
                        « Reply #20 on: February 20, 2008, 09:19:42 PM »
                        OK. You have a few "guys" there.
                        Couple of things...
                        What's the story with Symantec/Norton? I can see quite a few services running...
                        If you had it installed, run Norton Removal Tool: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

                        Next, go Start>Control Panel, and uninstall MyWebSearch

                        Next...
                        Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)  to your desktop.

                            * Double-click mbam-setup.exe and follow the prompts to install the program.
                            * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
                            * If an update is found, it will download and install the latest version.
                            * Once the program has loaded, select Perform full scan, then click Scan.
                            * When the scan is complete, click OK, then Show Results to view the results.
                            * Be sure that everything is checked, and click Remove Selected.
                            * When completed, a log will open in Notepad.
                            * Post the log back here.

                        Be sure to restart the computer.

                        The log can also be found here:
                        C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
                        Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

                        Post new HJT log, as well.

                        nocolonleft


                          Re: trojan horse in captivity
                          « Reply #21 on: February 21, 2008, 11:48:05 AM »
                          thanks Broni,... here are the logs from malwarebytes and the new one from HJT. i tried to uninstall mywebsearch, but a box kept popping up saying there was an error loading the file c:\progra~1\mywebs~1\bar\4.bin\mwsbar.dll  ,.... module could not be found,.. however after i ran the anti-malware scan i tried again to remove the mywebsearch program,.. and it was no longer there. hopefully that means that it's now gone.  i also have another thing going on here that i have questions about. all your help is greatly appreciated

                           

                          [file cleanup - saving space - attachment deleted by admin]

                          Broni


                          Re: trojan horse in captivity
                          « Reply #22 on: February 21, 2008, 06:35:53 PM »
                          Some stuff is gone, but I can't proceed without your answer to this:
                          Quote
                          What's the story with Symantec/Norton? I can see quite a few services running...
                          If you had it installed, run Norton Removal Tool: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

                          nocolonleft


                            Re: trojan horse in captivity
                            « Reply #23 on: February 21, 2008, 09:11:13 PM »
                            Hi Broni,. i bought the computer last year and bought and installed Norton anti-virus with it,.. now it doesn't seem to want to work together, so i installed and ran the removal tool like you said,... what next?

                            Broni


                            Re: trojan horse in captivity
                            « Reply #24 on: February 21, 2008, 09:18:40 PM »
                            Is the latest HJT log from AFTER running Norton uninstall tool?

                            nocolonleft


                              Re: trojan horse in captivity
                              « Reply #25 on: February 21, 2008, 09:23:10 PM »
                              not sure if it was or not,.. but this one is

                              [file cleanup - saving space - attachment deleted by admin]

                              Broni


                              Re: trojan horse in captivity
                              « Reply #26 on: February 21, 2008, 09:24:13 PM »
                              OK. Let me check it out.

                              Broni


                              Re: trojan horse in captivity
                              « Reply #27 on: February 21, 2008, 09:45:53 PM »
                              Judging from the HJT log, you either didn't run Norton Removal Tool, or you gave me an old HJT log.

                              nocolonleft


                                Re: trojan horse in captivity
                                « Reply #28 on: February 21, 2008, 10:06:48 PM »
                                i thought i had it right,.. but i guess not,. anyway, i've just re-run the removal tool and did another scan,. let's see if this is right

                                [file cleanup - saving space - attachment deleted by admin]

                                Broni


                                Re: trojan horse in captivity
                                « Reply #29 on: February 21, 2008, 10:09:14 PM »
                                It looks right this time, but I'll analyze it tomorrow....bed time :)

                                nocolonleft


                                  Re: trojan horse in captivity
                                  « Reply #30 on: February 21, 2008, 10:14:39 PM »
                                  ... for me too,.. thanks Broni

                                  Broni


                                  Re: trojan horse in captivity
                                  « Reply #31 on: February 22, 2008, 05:09:49 PM »
                                  Disable TeaTimer, as it'll interfere with the cleaning process:
                                  Right click Spybot's TeaTimer System Tray Icon.
                                  Click Exit Spybot-S&D Resident.
                                  TeaTimer closes.


                                  1. Print this post out, since you won't have access to it, at some point.

                                  2. Close all windows, except for HijackThis.

                                  3. Put a checkmark next to the following HijackThis entries (some entries will be checkmarked to disable unnecessary startups; in those cases (marked with *), no actual program will be removed):

                                  - O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
                                  - *O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
                                  - *O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
                                  - *O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
                                  - *O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
                                  - O4 - HKLM\..\Run: [EarthLink Installer] " /C
                                  - *O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
                                  - *O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
                                  - O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\4.bin\MWSBAR.DLL,S
                                  - *O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
                                  - *O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
                                  - *O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                                  - O4 - HKCU\..\RunOnce: [SpybotDeletingB6312] command /c del "C:\Documents and Settings\Richard\Local Settings\Temp\laf1.exe_old"
                                  - O4 - HKCU\..\RunOnce: [SpybotDeletingD8742] cmd /c del "C:\Documents and Settings\Richard\Local Settings\Temp\laf1.exe_old"
                                  - O4 - HKCU\..\RunOnce: [SpybotDeletingB3511] command /c del "C:\Program Files\Online Add-on\ictun.exe"
                                  - O4 - HKCU\..\RunOnce: [SpybotDeletingD1541] cmd /c del "C:\Program Files\Online Add-on\ictun.exe"
                                  - O4 - HKCU\..\RunOnce: [SpybotDeletingB8255] command /c del "C:\Program Files\Online Add-on\ictmdl.dll_old"
                                  - *O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
                                  - *O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
                                  - O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRfox000
                                  - O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

                                  4. Click on "Fix checked" button.

                                  5. Restart your computer in Safe Mode (keep tapping F8 key, when your computer starts)

                                  6. Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to "Show hidden files, and folders".

                                  7. Delete following files/folders (if present):

                                  - MyWebSearch folder from C:\Program Files
                                   
                                  8. Turn off System Restore:

                                  - Windows XP:
                                     1. Click Start.
                                     2. Right-click the My Computer icon, and then click Properties.
                                     3. Click the System Restore tab.
                                     4. Check "Turn off System Restore".
                                     5. Click Apply.   
                                     6.  When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
                                     7. Click OK.
                                  - Windows Vista:
                                     1. Click Start.
                                     2. Right-click the Computer icon, and then click Properties.
                                     3. Click on System Protection under the Tasks column on the left side
                                     4. Click on Continue on the "User Account Control" window that pops up
                                     5. Under the System Protection tab, find Available Disks
                                     6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
                                     7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
                                     8. Click OK

                                  9. Restart in Normal Mode.

                                  10. Turn System Restore on.

                                  11. Post new HijackThis log.
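
Added example, not part of the original thread and not code from HijackThis: a small Python parser for the entry format used in the fix list above, run over eight lines copied from that list. The flag names and the rules behind them are assumptions made for this sketch, not HijackThis verdicts.

```python
import re

# Section codes that occur in the fix list, with their usual HijackThis meaning.
SECTIONS = {
    "O2": "Browser Helper Object",
    "O4": "autostart entry (Run key or Startup folder)",
    "O8": "Internet Explorer context-menu item",
    "O20": "Winlogon Notify DLL",
}

# Eight lines copied from the reply above. A leading * marks a startup that is
# only being disabled; no program is removed for those.
SAMPLE = r"""
- O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
- *O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
- O4 - HKLM\..\Run: [EarthLink Installer] " /C
- O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\4.bin\MWSBAR.DLL,S
- O4 - HKCU\..\RunOnce: [SpybotDeletingD1541] cmd /c del "C:\Program Files\Online Add-on\ictun.exe"
- *O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
- O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRfox000
- O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
"""

ENTRY = re.compile(r"^-?\s*(?P<star>\*?)(?P<code>O\d+) - (?P<body>.*)$")
# O4 registry form:  HKLM\..\Run: [value name] command line
REG_RUN = re.compile(r"^(?P<loc>HK(?:LM|CU)\\\.\.\\\w+): \[(?P<name>[^\]]*)\]\s?(?P<cmd>.*)$")
# O4 startup-folder form:  Global Startup: shortcut.lnk = target
STARTUP = re.compile(r"^(?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")


def parse_entry(line):
    """Turn one log line into a dict, or return None if it is not an entry."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, body = m["code"], m["body"]
    entry = {
        "code": code,
        "section": SECTIONS.get(code, "other"),
        "disable_only": bool(m["star"]),
        "location": None,
        "name": None,
        "command": None,
        "flags": [],
    }
    if code == "O4":
        detail = REG_RUN.match(body) or STARTUP.match(body)
        if detail:
            entry.update(location=detail["loc"], name=detail["name"],
                         command=detail["cmd"])

    # Heuristic flags (assumptions of this example).
    flags = entry["flags"]
    cmd = entry["command"] or ""
    if body.endswith(("(no file)", "(file missing)")):
        flags.append("orphaned")            # entry points at a file that is gone
    if entry["location"] and entry["location"].endswith("RunOnce"):
        flags.append("runonce")             # runs once at next logon, then is deleted
    if cmd.lower().startswith("rundll32"):
        flags.append("rundll32")            # a DLL export is being autostarted
    if code == "O4" and (not cmd or cmd.count('"') % 2):
        flags.append("malformed-command")   # empty or unbalanced quoting
    return entry


def triage(text):
    """Parse every recognisable line; anything else is skipped."""
    return [e for e in map(parse_entry, text.splitlines()) if e]


def needs_review(entries):
    """Return (code, name, flags) for entries that raised at least one flag."""
    return [(e["code"], e["name"], e["flags"]) for e in entries if e["flags"]]


if __name__ == "__main__":
    for code, name, flags in needs_review(triage(SAMPLE)):
        print(f"{code:<4}{name or '-':<22}{', '.join(flags)}")
```
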

                                  nocolonleft


                                    Re: trojan horse in captivity
                                    « Reply #32 on: February 22, 2008, 10:00:41 PM »
                                    hey Broni,.. well,.. when i opened up hijackthis to "fix" the selected files,.. i couldn't find all the files you wanted me to fix. there were 6 files i couldn't find ,... 5 were " -04 - HKCU\..\runonce: [spybotdeletingB6312, D8742, B3511, D1541, and B8255,] ,.. and one was -08 - extra context menu item & search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRfox000,.. i checked and fixed all the others,.. but i'm guessing these "missing " files need to be fixed too,. so here's a new HJT log

                                    [file cleanup - saving space - attachment deleted by admin]

                                    Broni


                                    Re: trojan horse in captivity
                                    « Reply #33 on: February 23, 2008, 08:59:42 AM »
                                    It looks much better...
                                    Open HJT one more time, and checkmark:
                                    - O8 - Extra context menu item: &Search - ?p=ZRfox000
                                    Click "Fix checked".
                                    Restart computer, and post new HJT log.

                                    nocolonleft


                                      Re: trojan horse in captivity
                                      « Reply #34 on: February 23, 2008, 01:30:27 PM »
                                      hi Broni,... here's the newest hjt log

                                      [file cleanup - saving space - attachment deleted by admin]

                                      Broni


                                      Re: trojan horse in captivity
                                      « Reply #35 on: February 23, 2008, 01:35:29 PM »
                                      The log is clean.

                                      Download, and install CCleaner: http://www.ccleaner.com/download/builds. Get "Slim" version.
                                      Read CCleaner instruction here: http://www.jahewi.nl/ccleaner/ccleaner.html, and run CCleaner

                                      How is your computer doing?

                                      nocolonleft


                                        Re: trojan horse in captivity
                                        « Reply #36 on: February 26, 2008, 01:42:16 PM »
                                        Hi Broni,.. the computer seems to be doing much better ,.. thanks very much to you. I do still have a question or two. Since i've deleted my Norton Anti-virus, what protection do i have now? Is the AVG a good anti-virus/malware protection?... and is my Windows firewall sufficient?
                                          Thanks again for all your help,.. it's GREATLY appreciated

                                        Broni


                                        Re: trojan horse in captivity
                                        « Reply #37 on: February 26, 2008, 02:31:39 PM »
                                        Good...
                                        AVG is a very good AV program. As for malware real time protection, you may want to download, and install free ThreatFire: http://www.threatfire.com/, which will give you real-time protection against malware.
                                        It won't interfere with your antivirus, nor firewall.

                                        Windows firewall has pretty poor ratings, so I recommend you download free Comodo firewall: http://www.personalfirewall.comodo.com/, turn off Windows Firewall, and install Comodo.