Jump to content

trojan/malware problems


magpielou
 Share

Recommended Posts

Hi,

I got virus'd via an email a week or so back and though I've tried a couple of times to find and delete the cause (I think a Trojan - I certainly found one in a previous search) I'm having the same trouble with my email system. I followed the instructions elsewhere, downloaded and ran the stuff, and I hope I've attached the logs etc correctly!

Cheers for your help,

Louise

PS I'm not hugely computer-literate, so any replies/advice in words of one syllable with babysteps-instructions would be appreciated...

Link to comment
Share on other sites

Download ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

Link 1

Link 2

Link 3

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouseclick combofix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

-----------------------------------------------------------

Attach fresh logs for:

  • ComboFix (C:\combofix.txt)
  • a-squared Free/Anti-Malware
  • ISeeYouXP

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

Link to comment
Share on other sites

Hiya,

Thanks for the idiot-proof instructions! Logs are attached.

Running the ComboFix it said it found rootkit issues and rebooted itself. Then I reran the CF and got the log as attached. When I turned the Avast back on, it popped up with an alert that it had found spyware (C:\winnt_\winnR1.exe) but I hit 'no action' in case quarantining it hid it... It hadn't alerted me like this before, so I guess it either found something new or found something it had missed previously?

Everything seems to be is running fine other than hotmail - after the last set of scans, it closed itself several times and reran the virus meaning I spammed a few (long-suffering) friends. I haven't tried it yet tonight, I'll do so after logging this message and add a PS. Other than the hotmail issues (only from my home computer, nowhere else), all was and is (ok, seems to be) well.

Thanks for your help,

Louise

Link to comment
Share on other sites

PS

I've just tried my hotmail and it seems to be behaving - though I hesitate to say it's ok since it's hard to tell in just a quick login. It also tells me my default browser is no longer Internet Explorer, which I find disconcerting! Tho not necessarily a bad thing if it makes my mail a little safer...

Cheers,

L

Link to comment
Share on other sites

The installed version of Java on this computer is out-dated. Install Java Runtime Environment (JRE) 6u16 available from Sun Microsystems.

-----------------------------------------------------------

Using Add or Remove Programs in the Control Panel; uninstall the following:

Java 6 Update 2

Java 6 Update 5

-----------------------------------------------------------

We need to use ComboFix to remove some stuff.

  • Make sure that the copy of combofix.exe that you downloaded earlier is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
  • Open Notepad and copy/paste the text in the below code box into it
    (make sure you scroll all the way down in the code box to get all lines selected ):
    KILLALL::
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "winntR1"=-
    
    File::
    c:\winnt_\winntR1.exe
    
    Folder::
    C:\winnt_


  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    th_CFScript.gif
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below

CAUTION: do NOT mouseclick combofix's window while it is running. That may cause it to stall.

Note: The above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

The ComboFix folder should NOT be renamed since ComboFix and even we would have suspicions about it. Also when you uninstall CF, the folder would not be removed since it does not look for that folder name.

-----------------------------------------------------------

Attach fresh logs for:

  • ComboFix (C:\combofix.txt)
  • a-squared Free/Anti-Malware
  • ISeeYouXP

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

Link to comment
Share on other sites

Hiya,

Right, I've done all the latest scans, logs attached. Things seem to be running ok - though the Avast warning of spyware which I was getting on startup has vanished despite me not having done anything about the things it discovered. The latest scan turned up a Trojan though.

One thing: when running ComboFix, it updated before running, then on rebooting I got the following message - not sure it's important but thought I'd mention it:

MarketingTools.exe - Application error

Process ID 0xfc0(4032), Thread ID 0xfbc(4028)

OK to terminate, CANCEL to debug - I OK'd and CF carried on as usual.

Once again, thanks for your help,

Louise

Link to comment
Share on other sites

Your logs look fine.

Unless you are having problems from Malware it is time to do the final steps.

If you used ComboFix, uninstall ComboFix:

  • Click START then RUN and enter the below into the run box and then click OK. (Use only the command of the same name as your copy of combofix.)
  • AvoidTDSS /u or combofix /u
    Note: The space before /u, must be there.
    This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
  • Delete the C:\AvoidTDSS or C:\ComboFix folder from combofix.
    Delete everything in C:\!KillBox

Delete the following from your Desktop (If they exist)

Avenger.exe

Avenger.txt

Avenger.zip

DisableAutoRuns.reg

FixMe.reg

FixReg.reg

ISeeYouXP.exe

ISeeYouXP.lnk

ISeeYouXP.txt

Anything else I had you use

Delete the following: (If they exist)

C:\Avenger.txt

C:\Avenger

C:\ComboFix.txt

C:\ComboFix

C:\SDFix

C:\Qoobox

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

Empty the Recycle Bin

Run ATF Cleaner

In the ISeeYouXP folder double-click HideIT.bat.

Turn off System restore to flush all your restore points then turn system restore back on.

To manually turn off System Restore, follow these steps:

1. Click Start, right-click My Computer, and then click Properties.

2. Click the System Restore tab.

3. Click to select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

4 Click Yes when you receive the prompt to the turn off System Restore.

To turn on System Restore, follow these steps:

1. Click Start, right-click My Computer, and then click Properties.

2. Click the System Restore tab.

3. Click to clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

Delete C:\ISeeYouXP

Run Windows Update and update your Windows Operating System.

Run the Secunia Online Software Inspector, this will inspect your system for software that is out-of-date and in need of updating. Update anything program/application detected as being out-dated.

That should take care of everything.

Safe Surfing!

Link to comment
Share on other sites

Hiya,

I uninstalled ComboFix ok, but can't find C:\!KillBox to delete whatever was in it.

Of the list of things, I didn't have many, but deleted what I could find. Ran ATF Cleaner ok.

I only seem to have ISeeYou as a single program, not a folder, so not sure what to do about the HideIT.bat part - nor about the system restore part, as I can't find a 'system restore' tab...

Sorry - perhaps I'm just a particularly rubbish computer user!

Oh, and although I had no notification of it in my hotmail, I apparently spammed one of my pals with the same virus yet again last night. It's always turned up in my sent mail before, so this is a bit weird (not to mention annoying).

Cheers for your patience...

Louise

Link to comment
Share on other sites

Please download DDS by sUBs from one of the following links and save it to your desktop.

[*]Disable any script blocking protection

[*]Double click DDS icon to run the tool (may take up to 3 minutes to run)

[*]When done, DDS.txt will open.

[*]After a few moments, attach.txt will open in a second window.

[*]Save both reports to your desktop.

---------------------------------------------------

  • Attach the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post.

Link to comment
Share on other sites

Now we need to use ComboFix to remove some stuff.

  • Make sure that the copy of combofix.exe that you downloaded earlier is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
  • Open Notepad and copy/paste the text in the below code box into it

(make sure you scroll all the way down in the code box to get all lines selected ):

KILLALL::

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

File::
C:\Users\LouiseF\AppData\Local\temp\B644.tmp\evP.exe

Folder::
C:\Users\LouiseF\AppData\Local\temp\B644.tmp

  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    th_CFScript.gif
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below

Note: DO NOT mouseclick combofix's window while it is running. That may cause it to stall.

The ComboFix folder should not be renamed since ComboFix and even we would have suspicions about it. Also when you uninstall CF, the folder would not be removed since it does not look for that folder name.

-----------------------------------------------------------

Attach fresh logs for:

  • ComboFix (C:\combofix.txt)
  • DDS

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

Link to comment
Share on other sites

Hello,

Things seem to be running ok, other than losing a few internet settings (which I'm assuming was supposed to happen, and frankly is no bother at all). Logs attached - I hope I'm able to leave you alone again soon! I added the Attach.txt as though you didn't ask it seemed to come as part of the package with DDS...

Cheers,

Louise

Link to comment
Share on other sites

Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"SetupExecute"=-

Close Notepad.

Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

-----------------------------------------------------------

Attach fresh logs for:

  • ISeeYouXP
  • HiJackFree

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

Link to comment
Share on other sites

Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

Close Notepad.

Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

-----------------------------------------------------------

Other then the above, your logs look fine.

Unless you are having problems from Malware it is time to do the final steps.

If you used ComboFix, uninstall ComboFix:

  • Click START then RUN and enter the below into the run box and then click OK. (Use only the command of the same name as your copy of combofix.)
  • AvoidTDSS /u or combofix /u or Combo-Fix /u
    Note: The space before /u, must be there. Which command you use depends on if I had you rename ComboFix during download.
    This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
  • Delete the C:\AvoidTDSS or C:\ComboFix folder from combofix.
    Delete everything in C:\!KillBox

Delete the following from your Desktop (If they exist)

Avenger.exe

Avenger.txt

Avenger.zip

DisableAutoRuns.reg

FixMe.reg

FixReg.reg

ISeeYouXP.exe

ISeeYouXP.lnk

ISeeYouXP.txt

Anything else I had you use

Delete the following: (If they exist)

C:\Avenger.txt

C:\Avenger

C:\ComboFix.txt

C:\ComboFix

C:\SDFix

C:\Qoobox

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

Empty the Recycle Bin

Run ATF Cleaner

In the ISeeYouXP folder double-click HideIT.bat.

Turn off System restore to flush all your restore points then turn system restore back on.

To manually turn off System Restore, follow these steps:

1. Click Start, right-click My Computer, and then click Properties.

2. Click the System Restore tab.

3. Click to select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

4 Click Yes when you receive the prompt to the turn off System Restore.

To turn on System Restore, follow these steps:

1. Click Start, right-click My Computer, and then click Properties.

2. Click the System Restore tab.

3. Click to clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

Delete C:\ISeeYouXP

Run Windows Update and update your Windows Operating System.

Run the Secunia Online Software Inspector, this will inspect your system for software that is out-of-date and in need of updating. Update anything program/application detected as being out-dated.

That should take care of everything.

Safe Surfing!

Link to comment
Share on other sites

Hiya,

OK, this is where I had problems before and I have the same again. I uninstalled ComboFix fine and deleted the other stuff OK, but I don't have/can't find the C:\AvoidTDSS or C:\ComboFix folder you mention, or the C:\!KillBox file/folder/whatever. I have only ISeeYouXP as a program to run, not as a folder with "HideIT.bat" to find. And I can't find an option to turn off system restore, only to create a system restore point. In the meantime, I'm going to update Windows and see what happens.

Sorry if this makes me sound like an idiot, but I'm doing my best, I'm just a person who uses a computer, not a person withknowledge about them...

Louise

Link to comment
Share on other sites

...I can't find an option to turn off system restore, only to create a system restore point...
...about the system restore stuff? No idea what I'm doing with that, either

magpielou,

"Creating the System Restore" you are talking about, as I understand, is the dialogue that is displayed when you go Start > All Programs > Accessories > System Tools > System Restore

Is that what you mean? If so - that is different.

SysProperties.jpg If you follow the instruction regarding the System Restore as in #1

You should get the following "System Properties" dialogue:

SysRestore.jpg where you will find the System Restore Tab (#2) and the requited Check Box (#3)

My regards

Link to comment
Share on other sites

Hi again,

OK, here's what happens:

>1. Click Start, right-click My Computer, and then click Properties.

Start - rightclick on 'Computer' - click 'Properties' = all fine.

>2. Click the System Restore tab.

I don't have one. I have 'Device Manager', 'Remote settings', 'System protection' and 'Advanced system settings' in a list on the left and the panel on the right is the basic info about 'you are using Windows Vista' etcetc. That image in the last reply is nothing like the image I see - maybe this is a Vista thing??

In 'System properties' there is a 'System protection' tab which offers the option to create restore points, but I'm guessing that's not the right place?

Sorry to be a pain...

Louise

Link to comment
Share on other sites

... In 'System properties' there is a 'System protection' tab which offers the option to create restore points, but I'm guessing that's not the right place?
Louise,

Yes, creating restore points is not the right one as it was said before

“System Protection Tab” on Vista should look like:

SystemProtectionTab.jpg

under “Automatic restore points”

- uncheck box(es) next to disk(s) letters;

- confirm the message “Are you sure you want to turn System Restore off?” by clicking on <<Turn System Restore Off>> button

In order to turn System Restore On – check box(es) back

Link to comment
Share on other sites

Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...