A-squared Cannot Remove Trojan

[Ninja Asassyn 0]

Okay so a-squared ran into a file that it was not able to delete. The first scan picked it up and the second scan it did not appear again. I believe I may have clicked quarantine before I came onto this forum.

I followed the steps in the start here thread, so I attached the files asked, The first file shows the scan results which had the trojan in it, the second scan did not pick up anything.

I just started step 3 and am getting ready to run it with the log file attached.. How do i do that?

Thanks in advance for any help.

[Ninja Asassyn 0]

It wouldn't let me attach any other files through the editor, so here are the rest of the logs asked for.

[Kevin Zoll 309]

Your logs show no malware. You may of had a-squared quarantine the detections.

[Ninja Asassyn 0]

Okay, how do I delete the quarantined malware?

Also, My administration account is severly messed up.. I got a virus through yahoo messenger, and it spread through my system.. I was able to use CTRL ALT DELETE and went through help to get to my control panel and create the guest profile I am currently using. However, my main account is a black screen when i log onto it.. There is No Taskbar, No Start Menu, and no Icons whatsoever..

I downloaded several items from download.com as well as my AVG, I ran several programs before using yours. However, yours found 19 more viruses that the others didnt catch. i deleted 18 of them and i guess I quarantined this one.

However my system still is not correct.

[Kevin Zoll 309]

Log into your "Administration Account" press CTRL+ALT+DEL. When Task Manger opens, click on the "New Task..." button. Type "explorer.exe" in the box and click "OK".

You should now have a desktop. Scan with a-squared and attach the log.

You should never delete or quarantine anything a security application says is infected, without first investigating the detection. Sometimes security applications will identify Windows components as infected and delete/quarantine the file rendering your system inoperable.

[Ninja Asassyn 0]

heres the scan file you asked for.

Also I logged in and out of the account several times and had to go through the task manager and type explorer.exe to get my desktop running.

I have not deleted/quarantined anything as of yet, as I wanted to see what you think I should do.

Also I am attaching a Hi Jack free log as I believe it may be a service/process thats stopping windows from running properly.

[Kevin Zoll 309]

Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

Close Notepad.

Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

-----------------------------------------------------------

Reboot

-----------------------------------------------------------

Attach fresh logs for:

• a-squared Free/Anti-Malware
  
• ISeeYouXP
  
• HiJackFree

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

[Ninja Asassyn 0]

After running the FixReg.reg i still had to CTRL ALT DELETE to task manager and start the explorer.exe to get my windows going.

Also I still have not deleted the Trace file that a squared found.. should i go ahead and delete it?

regardless here are the files u asked for.

thanks for the help thus far, I appreciate it.

[Ninja Asassyn 0]

Didnt wanna edit and mess something up..

just to let you know I logged on and I did NOT have to use task manager this time...

assuming everything checks out ok my computer seems fine.

Thanks again for all the help it is truly appreciated

[Kevin Zoll 309]

The installed version of Java on this computer is out-dated. Install Java Runtime Environment (JRE) 6u17 available from Sun Microsystems.

-----------------------------------------------------------

Using Add or Remove Programs in the Control Panel; uninstall the following:

Java 6 Update 16

Java 6 Update 6

-----------------------------------------------------------

Download Avenger from HERE and unzip to your desktop.

• Run Avenger
  
• Read the prompt that appears, and press OK
  
• Copy & paste the following text in Input script Box:
  

  Folders to delete:
  c:\users\ninja asassyn\appdata\roaming\weatherdpa
  
  Registry values to delete:
  HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run | AdobeBridge

  
  Then click "Execute".
  

• You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
  Note: It is possible that Avenger will reboot your system TWICE.
  
• Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

-----------------------------------------------------------

Attach fresh logs for:

• Avenger (C:\avenger.txt)
  
• a-squared Free/Anti-Malware
  
• ISeeYouXP

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

[Ninja Asassyn 0]

Ok so first time I logged on today I had to use task manager to start windows again, however the rest of the times i logged on today it started in the correct fashion.

Anyways here's the files that you asked for.

[Kevin Zoll 309]

Your logs look fine.

Unless you are having problems from Malware it is time to do the final steps.

If you used ComboFix, uninstall ComboFix:

• Click START then RUN and enter the below into the run box and then click OK. (Use only the command of the same name as your copy of combofix.)
  
• AvoidTDSS /uninstall or combofix /uninstall or Combo-Fix /uninstall
  Note: The space before /uninstall, must be there. Which command you use depends on if I had you rename ComboFix during download.
  This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete everything in C:\!KillBox (If I didn't have you use KillBox, then this won't be present)

Delete the following from your Desktop (If they exist)

Avenger.exe

Avenger.txt

Avenger.zip

CFscript.txt

dds.scr

dds.pif

DisableAutoRuns.reg

fixes.bat

FixMe.reg

FixReg.reg

ISeeYouXP.exe

ISeeYouXP.lnk

ISeeYouXP.txt

Win32kDiag.exe

Win32kDiag.txt

Anything else I had you use

Delete the following files: (If they exist)

C:\Avenger.txt

C:\ComboFix.txt

Delete the following folders: (If they exist)

C:\Avenger

C:\AvoidTDSSS

C:\ComboFix

C:\SDFix

C:\Qoobox

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

Empty the Recycle Bin

Run CCleaner

Turn off System restore to flush all your restore points then turn system restore back on.

To manually turn off System Restore, follow these steps:

1. Click Start, right-click My Computer, and then click Properties.

2. Click the System Restore tab.

3. Click to select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

4. Click Yes when you receive the prompt to the turn off System Restore.

To turn on System Restore, follow these steps:

1. Click Start, right-click My Computer, and then click Properties.

2. Click the System Restore tab.

3. Click to clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

Delete C:\ISeeYouXP

Run Windows Update and update your Windows Operating System.

Run the Secunia Online Software Inspector, this will inspect your system for software that is out-of-date and in need of updating. Update anything program/application detected as being out-dated.

That should take care of everything.

Safe Surfing!

[Ninja Asassyn 0]

Okay I do not have a My Computer File on my computer lol. All i have is computer.

I am running Windows Vista Home Premium, 32 bit.

I have done most of the other steps but cannot figure out how to turn sytem restore off and back on.

thanks for the help.

[Kevin Zoll 309]

http://www.howtogeek.com/howto/windows-vista/disable-system-restore-in-windows-vista/

Then Turn System Restore back on after a Reboot.

[Ninja Asassyn 0]

okay so i logged off my guest account after deleting files as u said to and It screwed up my computer, After Running the CCleaner and logging off to go back to my administration account to check for more files, everything messed up. It wouldnt let me do task manager when i tried to log in, (because explorer did not load) and i had to restart my computer to be able to run task manager, so that i could type explorer.exe to get it running, then when it loaded my desktop background image wasn't set and it wont let me add a new one.

[Kevin Zoll 309]

Download RootRepeal.zip and unzip it to your Desktop.

• Double click RootRepeal.exe to start the program
  
• Click on the Report tab at the bottom of the program window
  
• Click the Scan button
  
• In the Select Scan dialog, check:
  • 
    
  • Drivers
    
  • Files
    
  • Processes
    
  • SSDT
    
  • Stealth Objects
    
  • Hidden Services
    

  [*]Click the OK button

  [*]In the next dialog, select all drives showing

  [*]Click OK to start the scan

  Note: The scan can take some time.
  DO NOT
  run any other programs while the scan is running

  [*]When the scan is complete, the Save Report button will become available

  [*]Click this and save the report to your Desktop as RootRepeal.txt

  [*]Go to File, then Exit to close the program

Attach the report to your reply.

[Ninja Asassyn 0]

here is the file u asked for...

[Kevin Zoll 309]

There are no visible RootKits. If explorer refuses to start, though the registry patch should have fixed that, a reinstall of the Operating System may be in order.