trojan malware problems

[ntizzie]

i did what i was told to do by the instructions i have the win32diag txt on my destop but i dont know how to get the asquared log i made a deep skan and didnt quarantine anything but dont know where to get the asquared log from and i did the i see you scan and dont know where to get the log from that either it didnt save it anywhere

[ntizzie]

ok im saving the report from the asquared scan and i click on save and it just wont i dont know if its the virus making it or what but it wont attatch it i dont know what to do

[ntizzie]

ok im saving the report from the asquared scan and i click on save and it just wont i dont know if its the virus making it or what but it wont attatch it i dont know what to do

like im saving it everywhere my documents puplit and its not there it wont save it anywhere on my computer

[Lynx]

Hi ntizzie, and welcome to the forum

If you cannot save a-squared report after the Deep Scan was finished by pressing <<Save Report>> button and using "Save report As..." dialogue

and you cannot run ISeeYouXP and/or HiJackFree it means that the infection is preventing those Tools from running

Can you find the report by a2 in ...\My Documents\a-squared Free\Reports folder (if that is free edition)?

or what is happening precisely when you are using "Save As..." dialogue?

Please wait for the advices from malware fighter(s). They will review Win32Diag.txt and post further instructions

My regards

[ntizzie]

ok im doing the deep scan again and i will try to save it again, as of now when i clicked save the report the window would open and i would pick a folder where i want it to be saved and when i click save it is not there when i go to check the folder

[ntizzie]

ok i re did the scan and it let me save it

[ntizzie]

ok i re did the scan and it let me save it

and i cant run the hi jack free it opens but then it closes immediately

[Lynx]

As I wrote above about inability to run ISeeYouXP and/or HiJackFree - please wait for the response from malware fighter about that

My regards

[ShadowPuterDude]

Your Win32kDiag report is incomplete.

Go to start > run and copy and paste the following command in the field:

"C:\Documents and Settings\Natalia\Pulpit\win32kdiag.exe" -f -r

This should restore permissions on locked files.

It will save a report on the Desktop (Win32kDiag.txt).

Attach that report on your next reply.

[ntizzie]

ok i copied and pasted the command and then when i run it it says that its impossible because the file is infected

[ntizzie]

i am scared more and more programs wont work as the time goes by an hour ago my mozilla was working now i cant because it says its infected i dont know what to do should i just run asquared and delete the trojan or virus because it may be too late what if it infects all the programs and my compouter wont even turn on?

[ntizzie]

i am scared more and more programs wont work as the time goes by an hour ago my mozilla was working now i cant because it says its infected i dont know what to do should i just run asquared and delete the trojan or virus because it may be too late what if it infects all the programs and my compouter wont even turn on?

can somebody tell me what to do?? my stuff wont work the win32 wont open its infected like are you guys even able to help me? before my compouter is totally crushed.

[ShadowPuterDude]

Do not keep bumping your thread by continuously replying after you post. It just causes your thread to be newer than those in the Que and takes longer for me to get to.

What keeps telling you it the file is infected?

[ntizzie]

idk what it is when i want to open it there is a yellow cloud information in the right lower corner of the tab where the sound settings are and printers and update infos, it opens the cloud and says the file cant be opened because its infected.

[ShadowPuterDude]

This may not work, but we are going to try anyway.

-----------------------------------------------------------

Download ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop.

Link 1

Link 2

Link 3

* IMPORTANT !!! Save Combo-Fix to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  See HERE for help
  
• Double click on ComboFix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouseclick combofix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

-----------------------------------------------------------

Post fresh logs for:

• ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

[ntizzie]

it worked here is the log hopefully

[ShadowPuterDude]

Download -->> OTL <<-- to your desktop.

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  
• When the window appears, underneath Output at the top change it to Minimal Output.
  
• Check the boxes beside LOP Check and Purity Check.
  
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
    Note: These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
    
  • Attach both logs with your next reply.
    

[ntizzie]

ok here they are, thanks for helping me so far

[ShadowPuterDude]

Run OTL.exe

• Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
  

  :OTL
  PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
  
  :Files
  C:\WINDOWS\ywujohedum.db
  C:\WINDOWS\System32\pazubidobe.dat
  C:\Documents and Settings\Natalia\Dane aplikacji\ubojapipo.dat
  C:\Documents and Settings\Natalia\Ustawienia lokalne\Dane aplikacji\iqom.db
  C:\Documents and Settings\All Users\Dokumenty\uwunolin.dat
  C:\KSoP.exe
  C:\Documents and Settings\Natalia\Pulpit\R227558.exe
  C:\WINDOWS\wp4.dat
  C:\WINDOWS\wp3.dat
  C:\WINDOWS\System32\wwp.htm
  
  :Commands
  [emptytemp]
  [start explorer]
  [Reboot]

  
  

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot when it is done
  
• Attach the new OTL log ( don't check the boxes beside LOP Check or Purity this time )
  

[ntizzie]

i dont know what happened my screen went blue and all icons from the destop vanished i dont know how to find the OTL

[ntizzie]

i dont know what happened my screen went blue and all icons from the destop vanished i dont know how to find the OTL

it was all fine till like an hour ago i cant cun the OTL.exe it says its infected like the othe rprogram WTF is this happening again?? i thought it was ok now its even worse

[ntizzie]

it was all fine till like an hour ago i cant cun the OTL.exe it says its infected like the othe rprogram WTF is this happening again?? i thought it was ok now its even worse

there is a weird program that i have never installed on my computer that is called security tool and it tell me my stuff is infected i think its bullshit im freaking out i thought it was all good what happened?

[ShadowPuterDude]

Power off your computer.

Turn the system back on and run ComboFix again and attach the resulting log.

Security Tool is a Rogue application, nothing it tells you is true.

[ntizzie]

it doesnt work every time i turn it off and on the security tool opens and my icons vanish and when i try to run combofix it wont let me it says its infected and closes it immediately

[ntizzie]

im scared i read all about the security tool and it can steal my identity information sociacl security and credit card numbers and such i need to get rid of this how?!?!?!? it wont let me run combofix. there is that website that claims if i download some spyware doctor it will remove the security tool but im not sure what if it makes it worse?

[ntizzie]

Ok right after the windows loaded i pressed alt+ctrl+delete and ended tast for security tool and ran combo fix im attatching the log please tell me what to do before something else gets in my computer like last time.

[ShadowPuterDude]

Download -->> OTL <<-- to your desktop.

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  
• When the window appears, underneath Output at the top change it to Minimal Output.
  
• Check the boxes beside LOP Check and Purity Check.
  
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
    Note: These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
    
  • Attach both logs with your next reply.
    

[ntizzie]

i did it but there is only one text file that is created called OTL.text there is nothing like Extras.txt idk why and when i try to attatch the OTL.txt it says the file was too big

[ntizzie]

Ok the one OTL.text file was too big so i compressed it and there is no extras.txt no matter how many times i scan it

[ShadowPuterDude]

Run OTL.exe

• Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
  

  :OTL
  PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
  
  :Files
  C:\WINDOWS\System32\*.tmp
  C:\WINDOWS\*.tmp
  
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]

  
  

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot when it is done
  
• Attach the new OTL log ( don't check the boxes beside LOP Check or Purity this time )
  

[ntizzie]

thank you, im attatching the log

[ShadowPuterDude]

How are things running?

[ntizzie]

they are running good i dont have problems or anything. does it mean my computer is fixed now? no malware or trojans?

[ShadowPuterDude]

Your logs look fine.

Unless you are having problems from Malware it is time to do the final steps.

If you used ComboFix, uninstall ComboFix:

• Click START then RUN and enter the below into the run box and then click OK. (Use only the command of the same name as your copy of combofix.)
  
• AvoidTDSS /u or combofix /u
  Note: The space before /u, must be there.
  This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
  
• Delete the C:\AvoidTDSS or C:\ComboFix folder from combofix.
  Delete everything in C:\!KillBox

Delete the following from your Desktop (If they exist)

Avenger.exe

Avenger.txt

Avenger.zip

DisableAutoRuns.reg

FixMe.reg

FixReg.reg

ISeeYouXP.exe

ISeeYouXP.lnk

ISeeYouXP.txt

Anything else I had you use

Delete the following: (If they exist)

C:\Avenger.txt

C:\Avenger

C:\ComboFix.txt

C:\ComboFix

C:\SDFix

C:\Qoobox

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

Empty the Recycle Bin

Run ATF Cleaner

In the ISeeYouXP folder double-click HideIT.bat.

Turn off System restore to flush all your restore points then turn system restore back on.

To manually turn off System Restore, follow these steps:

1. Click Start, right-click My Computer, and then click Properties.

2. Click the System Restore tab.

3. Click to select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

4 Click Yes when you receive the prompt to the turn off System Restore.

To turn on System Restore, follow these steps:

1. Click Start, right-click My Computer, and then click Properties.

2. Click the System Restore tab.

3. Click to clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

Delete C:\ISeeYouXP

Run Windows Update and update your Windows Operating System.

Run the Secunia Online Software Inspector, this will inspect your system for software that is out-of-date and in need of updating. Update anything program/application detected as being out-dated.

That should take care of everything.

Safe Surfing!

[ntizzie]

i dont understand what do i type in the start -> run and then what do i type? "AvoidTDSS /u or combofix /u"?

[ShadowPuterDude]

Which command depends on whether or not I had you rename combofix during download.

[ntizzie]

so whats the u? the name is just combofix so i type AvoidTDSS /combofix /combofix? meaning u replaces the name of combofix i gave to it? i totally dont understand anything about your post

[ShadowPuterDude]

combofix /u

The u is the command line switch for uninstalling ComboFix.

[ShadowPuterDude]

Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread