D_Trojanator

Volunteer Security Advisor
Content Count: 53
Everything posted by D_Trojanator

  1. Hi there TukTuk, sorry for the delay in the reply; I've been a bit busy recently. There is one more thing I need you to do, but it's quite small. The AVG log you posted is very promising, and I would happily declare this computer to be clean after completing the following. You should have no problems at all going online now; I'd be confident to say this computer is clean. The one thing I want you to do is as follows. Firstly, make sure your system can view all hidden files as per previous instructions. Open HJT, and check the following entry:
     O4 - HKLM\..\Run: [{E0BC8662-0710-1031-0225-050412060031}] "C:\Programme\Gemeinsame Dateien\{E0BC8662-0710-1031-0225-050412060031}\Update.exe" te-110-12-0000273
     Hit "Fix Checked", then reboot the PC into safe mode. Find and delete this folder if you can find it:
     C:\Programme\Gemeinsame Dateien\{E0BC8662-0710-1031-0225-050412060031}
     Now reboot back into normal mode. Let me know how the system is running; I think you are good to go now!
  2. Ok, good. Run ADS Spy again, and find and check the following entry:
     C:\WINDOWS\system32\svchost.exe : exe.exe (35840 bytes)
     Then press the "Remove Selected" button, then reboot. Then let me know how the system is running. I see clean logs now!
  3. Hi there, good work! It is a good idea to print off these instructions: this will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available. You may also like to save these instructions in Word/Notepad to the desktop where they can be easily found, for the same reasons as above. A printout of the instructions would be a good reference to make sure you don't get lost. Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out! If you have any queries about the process or just general questions, just ask.
     Please find and delete this file:
     C:\WINDOWS\system32\lnwin.exe
     Run HijackThis, click on Open the Misc Tools Section, click on Open ADS Spy, uncheck "Quick Scan", uncheck "Ignore safe system info data streams", and finally click the Scan button. ADS Spy will scan the system and report all the ADS present in the system. Click Save log. I will need that later on.
     I want you to clean your cache and cookies from your Internet Explorer. There are a few infected files which need to be removed from your system.
     ° Close all instances of Internet Explorer.
     ° Go to your Control Panel and open "Internet Options".
     ° Click on the "General" tab.
     ° Click the "Delete Cookies" button, then the "Delete Files" button.
     ° When prompted, place a tick in the "Delete all offline content" box and click OK.
     Also, please clean other temporary files and empty the Recycle Bin:
     ° Go to Start and click on the "Run" button.
     ° Type the following in the box --> cleanmgr and click OK.
     ° Let it scan your system for files to remove.
     ° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
     ° Press OK to remove them.
     We need to purge your infected System Restore points. On the Desktop, right-click My Computer, then click Properties. Click the System Restore tab near the top of the window. Check Turn off System Restore, click Apply, and then click OK. More information on how to disable your System Restore can be found here. We want to create a new, clean restore point. Please first reboot your computer. On the Desktop, right-click My Computer, then click Properties. Click the System Restore tab near the top of the window. Uncheck "Turn off System Restore", click Apply, and then click OK. Click Start > All Programs > Accessories > System Tools, and select System Restore. In the System Restore wizard, select the box next to the text labelled "Create a restore point" and click the Next button. Type a description for your new restore point, something like "After trojan/spyware cleanup". Click Create, and after it has created the restore point, click "Close". Further instructions on creating a restore point can be found here.
     Please post the ADS Spy log in your next reply.
     David
  4. Glad to hear it was sorted out; after a reformat of the hard drive I have no doubt that you've cleaned the PC of the malware you had. A reformat is often the best option with an infected PC. Follow this list and your potential for being infected again will be reduced dramatically.
     Use Anti-Virus Software -
     * It is very important that your computer has anti-virus software running on your machine.
     * This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & stand-alone anti-virus programs:
     * Click here for more information on -> Computer Safety Online - Anti-Virus
     * I would recommend Grisoft's AVG or Avast.
     * These are the more secure and better ones.
     Update your Anti-Virus Software -
     It is imperative that you update your anti-virus software at least once a week (even more if you wish). If you do not update your anti-virus software then it will not be able to catch any of the new variants that may come out.
     Use a Firewall -
     * I cannot stress how important it is that you use a firewall on your computer.
     * Without a firewall your computer is susceptible to being hacked and taken over.
     * Simply using a firewall in its default configuration can lower your risk greatly.
     * For an article on firewalls and a listing of some available ones see the link below:
     * Click here for more information on -> Computer Safety Online - Software Firewalls
     * I would recommend ZoneAlarm as a firewall as it's easy to use.
     Visit Microsoft's Windows Update Site Frequently -
     * It is important that you visit http://www.windowsupdate.com regularly.
     * This will ensure your computer always has the latest available security updates installed.
     * If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
     Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly.
     Install Spybot - Search and Destroy -
     Install and download Spybot - Search and Destroy with its TeaTimer option.
     * This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
     * You should also scan your computer with the program on a regular basis, just as you would with anti-virus software.
     * A tutorial on installing & using this product can be found here:
     * Click here for more info --> Instructions for - Spybot S&D and Ad-Aware
     Install Lavasoft's Ad-Aware -
     Install and download Ad-Aware.
     * You should also scan your computer with the program on a regular basis, just as you would with anti-virus software, in conjunction with Spybot.
     * A tutorial on installing & using this product can be found here:
     * Click here for more info --> Instructions for - Spybot S&D and Ad-Aware
     Install Javacool's SpywareBlaster -
     * SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings that will protect you from running and downloading known malicious programs.
     * An article on anti-malware products with links for this program and others can be found here:
     * Click here for more info --> Computer Safety Online - Anti-Malware
     Update all these programs regularly -
     Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
     If you have any additional questions just ask...
     David
  5. No, that's fine, just as expected. Please perform this online scan: Kaspersky Webscan. Read the Requirements and Privacy statement, then select "Accept". A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab. Select "Install" to download the ActiveX controls that allow ActiveScan to run. When the download is complete it will say Ready; click "Next". Select a target to scan: click on "My Computer". When the scan is complete, choose to save the results as "Save as Text". Post the Kaspersky scan results in your next reply, along with a new HijackThis log. David
  6. Ok, good work! Please download, install, and update AVG Anti-Spyware. Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine. Click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared. Ewido will list any infections found on the left-hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right-hand side. Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop). Close AVG Anti-Spyware and reboot!! Please post the log in your next reply. David
  7. You're welcome Jacksaar! Thanks for the feedback; I have updated a few of my canned speeches. I now use this for the System Restore points: "We need to purge your infected System Restore points. On the Desktop, right-click My Computer, then click Properties. Click the System Restore tab near the top of the window. Check Turn off System Restore, click Apply, and then click OK. More information on how to disable your System Restore can be found here. We want to create a new, clean restore point. Please first reboot your computer. On the Desktop, right-click My Computer, then click Properties. Click the System Restore tab near the top of the window. Uncheck "Turn off System Restore", click Apply, and then click OK. Click Start > All Programs > Accessories > System Tools, and select System Restore. In the System Restore wizard, select the box next to the text labelled "Create a restore point" and click the Next button. Type a description for your new restore point, something like "After trojan/spyware cleanup". Click Create, and after it has created the restore point, click "Close". Further instructions on creating a restore point can be found here." I now use this canned speech for emptying Norton Quarantine: I want you to remove a few infected quarantined files from your Norton AntiVirus. The instructions depend on the version of Norton that you are running. Please visit the following link, and follow the instructions by clicking on the appropriate version: http://service1.symantec.com/SUPPORT/nav.n...000041213443506 You can go ahead now and remove anything that you've downloaded in the clean-up process. It's been a real pleasure helping you; you've repaid me by fixing my speeches! The latest log is looking clean! Follow this list and your potential for being infected again will be reduced dramatically.
     Use Anti-Virus Software -
     * It is very important that your computer has anti-virus software running on your machine.
     * This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & stand-alone anti-virus programs:
     * Click here for more information on -> Computer Safety Online - Anti-Virus
     * I would recommend Grisoft's AVG or Avast.
     * These are the more secure and better ones.
     Update your Anti-Virus Software -
     It is imperative that you update your anti-virus software at least once a week (even more if you wish). If you do not update your anti-virus software then it will not be able to catch any of the new variants that may come out.
     Use a Firewall -
     * I cannot stress how important it is that you use a firewall on your computer.
     * Without a firewall your computer is susceptible to being hacked and taken over.
     * Simply using a firewall in its default configuration can lower your risk greatly.
     * For an article on firewalls and a listing of some available ones see the link below:
     * Click here for more information on -> Computer Safety Online - Software Firewalls
     * I would recommend ZoneAlarm as a firewall as it's easy to use.
     Visit Microsoft's Windows Update Site Frequently -
     * It is important that you visit http://www.windowsupdate.com regularly.
     * This will ensure your computer always has the latest available security updates installed.
     * If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
     Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly.
     Install Spybot - Search and Destroy -
     Install and download Spybot - Search and Destroy with its TeaTimer option.
     * This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
     * You should also scan your computer with the program on a regular basis, just as you would with anti-virus software.
     * A tutorial on installing & using this product can be found here:
     * Click here for more info --> Instructions for - Spybot S&D and Ad-Aware
     Install Lavasoft's Ad-Aware -
     Install and download Ad-Aware.
     * You should also scan your computer with the program on a regular basis, just as you would with anti-virus software, in conjunction with Spybot.
     * A tutorial on installing & using this product can be found here:
     * Click here for more info --> Instructions for - Spybot S&D and Ad-Aware
     Install Javacool's SpywareBlaster -
     * SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings that will protect you from running and downloading known malicious programs.
     * An article on anti-malware products with links for this program and others can be found here:
     * Click here for more info --> Computer Safety Online - Anti-Malware
     Update all these programs regularly -
     Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
     If you have any additional questions just ask...
     David
  8. Sorry tuk-tuk, that was an error on my part. Please replace step 1 with the following: Open Notepad and copy and paste the following text in the quote box into the window: Save this as fix3.bat. Choose to save as all files. This is how the batch must look afterwards: Double-click fix3.bat and let the program run. A small black DOS window will flash; this is normal.
  9. Glad I could help Aaron! The latest log is looking clean! Follow this list and your potential for being infected again will be reduced dramatically.
     Use Anti-Virus Software -
     * It is very important that your computer has anti-virus software running on your machine.
     * This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & stand-alone anti-virus programs:
     * Click here for more information on -> Computer Safety Online - Anti-Virus
     * I would recommend Grisoft's AVG or Avast.
     * These are the more secure and better ones.
     Update your Anti-Virus Software -
     It is imperative that you update your anti-virus software at least once a week (even more if you wish). If you do not update your anti-virus software then it will not be able to catch any of the new variants that may come out.
     Use a Firewall -
     * I cannot stress how important it is that you use a firewall on your computer.
     * Without a firewall your computer is susceptible to being hacked and taken over.
     * Simply using a firewall in its default configuration can lower your risk greatly.
     * For an article on firewalls and a listing of some available ones see the link below:
     * Click here for more information on -> Computer Safety Online - Software Firewalls
     * I would recommend ZoneAlarm as a firewall as it's easy to use.
     Visit Microsoft's Windows Update Site Frequently -
     * It is important that you visit http://www.windowsupdate.com regularly.
     * This will ensure your computer always has the latest available security updates installed.
     * If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
     Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly.
     Install Spybot - Search and Destroy -
     Install and download Spybot - Search and Destroy with its TeaTimer option.
     * This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
     * You should also scan your computer with the program on a regular basis, just as you would with anti-virus software.
     * A tutorial on installing & using this product can be found here:
     * Click here for more info --> Instructions for - Spybot S&D and Ad-Aware
     Install Lavasoft's Ad-Aware -
     Install and download Ad-Aware.
     * You should also scan your computer with the program on a regular basis, just as you would with anti-virus software, in conjunction with Spybot.
     * A tutorial on installing & using this product can be found here:
     * Click here for more info --> Instructions for - Spybot S&D and Ad-Aware
     Install Javacool's SpywareBlaster -
     * SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings that will protect you from running and downloading known malicious programs.
     * An article on anti-malware products with links for this program and others can be found here:
     * Click here for more info --> Computer Safety Online - Anti-Malware
     Update all these programs regularly -
     Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
     If you have any additional questions just ask...
     David
  10. Good work! We've just got a couple of things left to do.
     1) Open Norton AntiVirus by double-clicking the 'Shield' icon located in the bottom right-hand corner of your computer screen. Double-click the 'View' folder. It is located on the left side of the Norton AntiVirus window. This will expand the folder and display the contents. Click on the 'Quarantine' icon. The right side of the Norton AntiVirus window will now list the contents of your quarantine folder. Select the item you wish to remove and click on the RED 'X' icon to delete it. This will open the 'Take Action' window. Click the 'Start Delete' button to remove the infected file from your computer. Repeat for any other quarantined files you want to remove. When you are done removing files, click the 'Exit' button in the bottom left-hand corner of the Norton AntiVirus window.
     2) Please open Notepad and copy and paste the next bold text into it (don't forget to copy and paste REGEDIT4). Save this as "fix.reg". Choose to save as *all files and place it on your desktop. It should look like this: Double-click on it and when it asks you if you want to merge the contents into the registry, click yes/OK.
     3) We need to purge your infected System Restore points. On the Desktop, right-click My Computer, then click Properties. Click the System Restore tab near the top of the window. Check Turn off System Restore, click Apply, and then click OK. We want to create a new, clean restore point. Please first reboot your computer. You will be asked to turn System Restore on again; click "yes". On the Desktop, right-click My Computer, then click Properties. Click the System Restore tab near the top of the window. Check Turn off System Restore, click Apply, and then click OK. Click Start > All Programs > Accessories > System Tools, and select System Restore. In the System Restore wizard, select the box next to the text labelled "Create a restore point" and click the Next button. Type a description for your new restore point, something like "After trojan/spyware cleanup". Click Create, and after it has created the restore point, click "Close".
     Reboot a final time; how is the computer running now?
  11. You are welcome Lauren! The steps in my last post are all recommended ways of increasing your protection and security on the PC. If you follow these steps then your computer should be well on the way to being protected against a whole host of threats that could infect your computer. Also, I see that you are running Yahoo Antivirus. Now, this may be your antivirus of choice, but it is not as reputable as most of the others on the market. There are various free antivirus programs such as AVG and Avast which I can promise you will do a much better job of protecting your computer. It might be an idea to install one of the above and run a full scan; if you do, note that you must uninstall Yahoo Antivirus, as I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. In general terms, the two programs may conflict and cause false alarms, that is, when the anti-virus software tells you that your PC has a virus when it actually doesn't. In the meantime, you might also like to read here: http://www.bleepingcomputer.com/forums/topic2520.html; it's excellent info that's not too time consuming to read. Some of it is replicated in my own all-clean speech, but there are specific instructions for securing Internet Explorer. It is up to you whether or not you wish to switch to Firefox; most will say that Firefox is more secure. However, I've been using Internet Explorer for years without a single problem. Also have a read here: http://users.telenet.be/bluepatchy/miekiem...prevention.html I hope this helps... David
  12. Good work online! It is a good idea to print off these instructions: this will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available. You may also like to save these instructions in Word/Notepad to the desktop where they can be easily found, for the same reasons as above. A printout of the instructions would be a good reference to make sure you don't get lost. Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out! If you have any queries about the process or just general questions, just ask.
     Please download SmitfraudFix (by S!Ri). Open the file and it will extract the contents (a folder named SmitfraudFix) to your Desktop.
     Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:
     R3 - URLSearchHook: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
     O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - I:\Program Files\Video ActiveX Object\isaddon.dll (file missing)
     O21 - SSODL: hirtellous - {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - I:\WINDOWS\system32\nbbrhbd.dll
     Click on Fix Checked when finished and exit HijackThis. Make sure your Internet Explorer is closed when you click Fix Checked!
     Now reboot into Safe Mode. This can be done by tapping the F8 key as soon as you start your computer. You will be brought to a menu where you can choose to boot into Safe Mode. Make sure you choose the option without networking support.
     Once in Safe Mode, open the SmitfraudFix folder again. Double-click smitfraudfix.cmd. Select option #2 - Clean by typing 2 and press "Enter" to delete infected files. You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter". The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into normal Windows. A text file will appear on screen, with results from the cleaning process; please copy/paste the content of that report into your next reply. The report can also be found at the root of the system drive, usually at C:\rapport.txt
     Warning: running option #2 on a non-infected computer will remove your Desktop background.
     Also post a new HijackThis log. David
  13. Great work! Things are looking a lot better! I want to run a scanner over the whole PC, looking for any leftover infected files. Also I want to export the contents of your msconfig entries to look for anything suspicious. Please perform this online scan: Kaspersky Webscan. Read the Requirements and Privacy statement, then select "Accept". A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab. Select "Install" to download the ActiveX controls that allow ActiveScan to run. When the download is complete it will say Ready; click "Next". Select a target to scan: click on "My Computer". When the scan is complete, choose to save the results as "Save as Text". Post the Kaspersky scan results in your next reply. Please download Combofix to your desktop. Double-click combo.exe to launch the application. Follow the prompts that will be displayed on the screen. Don't click on the window while the fix is running, because that will cause your system to hang. When finished, it should produce a log, combofix.txt. Post this log in your next reply together with a new HijackThis log. Also post the Kaspersky log. You may need several replies, as the logs can be quite long...
  14. Okay, good work! Basically you've uncovered a lot more things that need to be done, and I have to break the news that you have quite a nasty rootkit infection. However, don't be put off by the word; most are fixable, it is just going to take a bit more work on both our parts. I can see from the reg log that your Windows Firewall allows a few malware files to access the internet; although those files should now be deleted, I think it's best to remove these leftover entries with a simple regedit. I've got a few things I want you to do, then we'll run the rootkit remover tool. Oh, and the system errors that you received about the "mistake" are possibly something to do with the rootkit you have installed; rootkits can often cause a system to become unstable.
     1) Firstly, click Start > Run and copy and paste the following, then hit Enter:
     attrib -a -h -r -s "C:\WINDOWS\system32\sdmvdlxe.exe"
     Do the same for the following, after doing the first command:
     del /q "C:\WINDOWS\system32\sdmvdlxe.exe"
     2) Please open Notepad and copy and paste the next bold text into it (don't forget to copy and paste REGEDIT4). Save this as "fix.reg". Choose to save as *all files and place it on your desktop. It should look like this: Double-click on it and when it asks you if you want to merge the contents into the registry, click yes/OK.
     3) Download the Rustock.b removal tool from the link below and save it to your desktop:
     http://www.uploads.ejvindh.net/rustbfix.exe
     Double-click on rustbfix.exe to run the tool. If a Rustock.b infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (C:\avenger.txt & C:\rustbfix\pelog.txt).
     4) Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:
     O4 - HKLM\..\Run: [{E0BC8662-0710-1031-0225-050412060031}] "C:\Programme\Gemeinsame Dateien\{E0BC8662-0710-1031-0225-050412060031}\Update.exe" te-110-12-0000273
     Click on Fix Checked when finished and exit HijackThis. Make sure your Internet Explorer is closed when you click Fix Checked!
     5) Exit and reopen HijackThis, run a scan and save its log. Post C:\avenger.txt & C:\rustbfix\pelog.txt along with a new HijackThis log.
     David
  15. Glad I could help! The latest log is looking clean! Follow this list and your potential for being infected again will be reduced dramatically.
     Use Anti-Virus Software -
     * It is very important that your computer has anti-virus software running on your machine.
     * This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & stand-alone anti-virus programs:
     * Click here for more information on -> Computer Safety Online - Anti-Virus
     * I would recommend Grisoft's AVG or Avast.
     * These are the more secure and better ones.
     Update your Anti-Virus Software -
     It is imperative that you update your anti-virus software at least once a week (even more if you wish). If you do not update your anti-virus software then it will not be able to catch any of the new variants that may come out.
     Use a Firewall -
     * I cannot stress how important it is that you use a firewall on your computer.
     * Without a firewall your computer is susceptible to being hacked and taken over.
     * Simply using a firewall in its default configuration can lower your risk greatly.
     * For an article on firewalls and a listing of some available ones see the link below:
     * Click here for more information on -> Computer Safety Online - Software Firewalls
     * I would recommend ZoneAlarm as a firewall as it's easy to use.
     Visit Microsoft's Windows Update Site Frequently -
     * It is important that you visit http://www.windowsupdate.com regularly.
     * This will ensure your computer always has the latest available security updates installed.
     * If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
     Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly.
     Install Spybot - Search and Destroy -
     Install and download Spybot - Search and Destroy with its TeaTimer option.
     * This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
     * You should also scan your computer with the program on a regular basis, just as you would with anti-virus software.
     * A tutorial on installing & using this product can be found here:
     * Click here for more info --> Instructions for - Spybot S&D and Ad-Aware
     Install Lavasoft's Ad-Aware -
     Install and download Ad-Aware.
     * You should also scan your computer with the program on a regular basis, just as you would with anti-virus software, in conjunction with Spybot.
     * A tutorial on installing & using this product can be found here:
     * Click here for more info --> Instructions for - Spybot S&D and Ad-Aware
     Install Javacool's SpywareBlaster -
     * SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings that will protect you from running and downloading known malicious programs.
     * An article on anti-malware products with links for this program and others can be found here:
     * Click here for more info --> Computer Safety Online - Anti-Malware
     Update all these programs regularly -
     Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
     If you have any additional questions just ask...
     David
  16. Hello tuk-tuk, my name is David, welcome to Lavasoft!

My first remark is to say that yes, unfortunately you are infected. To be more specific, from the HijackThis log you posted I can see you are infected with Sdbot trojans/worms, which are capable of backdoor activity. To be brief, due to the status of some of the files you have on your computer, I strongly recommend that you do the following immediately.

Disconnect the infected computer from the internet until the computer can be cleaned. From a clean computer, change your online passwords -- for email, for banks, eBay, forums etc. Do not change passwords or do any transactions while using the infected computer, because the attacker may get the new passwords and transaction information.

I've researched the entries, and found this information, in case you find it useful:

Troj/Spamsrv-E contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process. Troj/Spamsrv-E spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

So, that's the first thing, I recommend you change your passwords. Here are two useful links, in case you wish to read more on the infection you have:
http://www.sophos.com/security/analyses/trojspamsrve.html
http://www.bleepingcomputer.com/startups/aDir-16272.html

Ok, now onto the removal. Please follow these instructions exactly as posted, it's important. Also, it is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please set your system to show all files. Click Start, open My Computer, select the Tools menu and click Folder Options. Select the View tab. Under the Hidden files and folders heading, select Show hidden files and folders. Uncheck: Hide file extensions for known file types. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm.

Open HijackThis, click 'Config' (bottom right). Choose the tab 'Misc Tools' on top. Choose 'Delete a file on reboot'. In the field, copy and paste the filepath a few lines below. Click Open. HijackThis will tell you that this file will be deleted on next reboot and ask if you want to reboot now. When asked if you want to reboot now, say No:
C:\WINDOWS\system32\adirss.exe

Please do the same for this file, say No when asked to reboot:
C:\WINDOWS\system32\clcbt.exe

Then finally do the same for this file:
C:\WINDOWS\system32\svchosts.exe
When asked to reboot, please choose Yes. Your system will reboot now.

Please click on Start > Run > and type:
sc delete COM+ Messages
Hit Enter and let the DOS window open and close. This is normal.

Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:
O4 - HKLM\..\Run: [{E0BC8662-0710-1031-0225-050412060031}] "C:\Programme\Gemeinsame Dateien\{E0BC8662-0710-1031-0225-050412060031}\Update.exe" te-110-12-0000273
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [clcbt.exe] C:\WINDOWS\system32\clcbt.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000273 (file missing)
Click on Fix Checked when finished and exit HijackThis. Make sure your Internet Explorer is closed when you click Fix Checked!

Now reboot into Safe Mode. This can be done by tapping the F8 key as soon as you start your computer. You will be brought to a menu where you can choose to boot into safe mode. Make sure you choose the option without networking support.

Please find and delete this folder if it's present:
C:\Programme\Gemeinsame Dateien\{E0BC8662-0710-1031-0225-050412060031} <-- folder

Open the extracted SDFix folder and double click RunThis.bat to start the script. Type Y to begin the cleanup process. It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot. Press any key and it will restart the PC. When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons. Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to the Clipboard, ready for posting back on the forum). Finally, paste the contents of Report.txt back on the forum in your next reply.

Download Bobbi Flekman's RegSearch from http://www.bleepingcomputer.com/files/regsearch.php
Create a folder for RegSearch on the C: drive called C:\RegSearch. You can do this by going to My Computer, then double click on C:, then right click and select New, then Folder, and name it RegSearch. Extract all the files from the zip archive into that folder. Open the RegSearch folder and double-click the icon for RegSearch.exe to launch the program. Copy / paste the following line into the top Search Box:
clcbt
then on the second line down paste the following:
adirss
Now hit OK. After completion Notepad will be opened with all the found instances of the string. The resulting file is saved in the same location as RegSearch.exe.

Download and save Blacklight to your desktop. Double-click blbeta.exe, then accept the agreement. Click on Scan, then click Next. You'll see a list of all items found. Do not choose to rename yet! I want to see the log first; legitimate items can also be present. There is a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers). Post the contents of the log in your next reply.

In your next reply I need 4 logs:
1) New HijackThis log
2) SDFix log
3) The Blacklight log
4) The RegSearch log
You may need to split them up; sometimes there is a restriction on the quantity of writing you can post at a time.

After that, if everything goes to plan, I want to give the AVG program you have installed a run in safe mode. If you have any questions, please don't hesitate to ask at any time.
  17. Great stuff Lauren! The file you uploaded is indeed bad. Please navigate to the following file and delete it:
C:\44180766.exe

We need to purge your infected system restore points. On the Desktop, right-click My Computer, then click Properties. Click the System Restore tab near the top of the window. Check Turn off System Restore, click Apply, and then click OK.

We want to create a new, clean restore point. Please first reboot your computer. You will be asked to turn system restore on again, click "Yes". On the Desktop, right-click My Computer, then click Properties. Click the System Restore tab near the top of the window. Check Turn off System Restore, click Apply, and then click OK. Click Start > All Programs > Accessories > System Tools, and select System Restore. In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button. Type a description for your new restore point - something like "After trojan/spyware cleanup". Click Create, and after it has created the restore point, click "Close".

You're using an outdated version of Java (the latest one is Java Runtime Environment (JRE) 6). Please update and remove the older versions. Do the following: Go to Start | Control Panel | Add/Remove Programs. Search in the list for all previously installed versions of Java (J2SE Runtime Environment....). It should have this icon next to it: Select it and click Remove. Then download and install the newest version from here (scroll down to find it): Java Runtime Environment (JRE) 6

Reboot a final time and let me know how the PC is running...
  18. Good work!

It is a good idea to print off these instructions: this will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available. You may also like to save these instructions in Word/Notepad to the desktop where they can be easily found, for the same reasons as above. A print out of the instructions would be a good reference to make sure you don't get lost. Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out! If you have any queries about the process or just general questions, just ask.

Please download SmitfraudFix (by S!Ri). Open the file and it will extract the contents (a folder named SmitfraudFix) to your Desktop.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:
O21 - SSODL: hirtellous - {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - C:\WINDOWS\system32\nbbrhbd.dll (file missing)
Click on Fix Checked when finished and exit HijackThis. Make sure your Internet Explorer is closed when you click Fix Checked!

Now reboot into Safe Mode. This can be done by tapping the F8 key as soon as you start your computer. You will be brought to a menu where you can choose to boot into safe mode. Make sure you choose the option without networking support.

Once in Safe Mode, open the SmitfraudFix folder again. Double-click smitfraudfix.cmd. Select option #2 - Clean by typing 2 and press "Enter" to delete infected files. You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter". The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply. The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.

Also post a new HijackThis log.

David
  19. Good work Lauren! Things are looking much better. However, I still need the RegSearch log from you; it doesn't appear as though you posted it.

Go to this page. Where it says browse to the file that you want to submit, copy and paste the filepath at the bottom into the field. Then click the Send File button below:
C:\44180766.exe

Please perform this online scan: Kaspersky Webscan
Read the Requirements and Privacy statement, then select "Accept". A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab. Select "Install" to download the ActiveX controls that allow ActiveScan to run. When the download is complete it will say Ready, click "Next". Select a target to scan: click on "My Computer". When the scan is complete, choose to save the results as "Save as Text".

Post the Kaspersky scan results in your next reply, along with a new HijackThis log. Don't forget the RegSearch log too..

David
  20. Hello Glasscock84, my name is David, welcome to Lavasoft!

My first remark is to say that yes, unfortunately you are infected. To be more specific, from the HijackThis log you posted I can see you have been infected with Sdbot trojans/worms, which are capable of backdoor activity. To be brief, due to the status of some of the files you have on your computer, I strongly recommend that you do the following immediately.

Disconnect the infected computer from the internet until the computer can be cleaned. From a clean computer, change your online passwords -- for email, for banks, eBay, forums etc. Do not change passwords or do any transactions while using the infected computer, because the attacker may get the new passwords and transaction information.

I've researched the entries, and found this information, in case you find it useful:

W32/Sdbot-LM is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process. W32/Sdbot-LM spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

So, that's the first thing, I recommend you change your passwords. Here are two useful links, in case you wish to read more on the infection you have:
http://www.sophos.com/virusinfo/analyses/w32sdbotlm.html
http://www3.ca.com/securityadvisor/virusin...s.aspx?ID=46981

Ok, now onto the removal. Please follow these instructions exactly as posted, it's important. Also, it is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Open HijackThis, click 'Config' (bottom right). Choose the tab 'Misc Tools' on top. Choose 'Delete a file on reboot'. In the field, copy and paste the filepath a few lines below. Click Open. HijackThis will tell you that this file will be deleted on next reboot and ask if you want to reboot now. When asked if you want to reboot now, say No:
C:\WINDOWS\system32\svchosts.exe
Please do the same for this file:
C:\WINDOWS\system32\emhxjc.dll
When asked if you want to reboot now, say Yes.

After the reboot, click on Start, then Control Panel, and then double-click on Add/Remove Programs. From within Add/Remove Programs uninstall the following, if they exist, by double-clicking on the following entries:
MyWaySA
Ipwindows <-- also anything that is related to MyWay.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
R3 - URLSearchHook: (no name) - {FBDEFD83-146F-49BC-1931-39C62F483398} - C:\WINDOWS\system32\emhxjc.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {FBDEFD83-146F-49BC-1931-39C62F483398} - C:\WINDOWS\system32\emhxjc.dll
O4 - HKLM\..\Run: [{544E5FC5-063C-1033-0627-051114200001}] "C:\Program Files\Common Files\{544E5FC5-063C-1033-0627-051114200001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [ipWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKLM\..\Run: [{544E5FC5-063D-1033-0627-051114200001}] "C:\Program Files\Common Files\{544E5FC5-063D-1033-0627-051114200001}\Update.exe" te-110-12-0000213
O4 - HKCU\..\Run: [sen] "C:\PROGRA~1\ECURIT~1\spoolsv.exe" -vt yazb
O4 - HKCU\..\Run: [Huuozco] C:\WINDOWS\system32\?ystem\??ool32.exe
O20 - Winlogon Notify: gebyy - C:\WINDOWS\system32\gebyy.dll (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000213 (file missing)
Click on Fix Checked when finished and exit HijackThis. Make sure your Internet Explorer is closed when you click Fix Checked!

Please click on Start > Run > and type:
sc delete COM+ Messages
Hit Enter and let the DOS window open and close. This is normal.

Download Bobbi Flekman's RegSearch from http://www.bleepingcomputer.com/files/regsearch.php
Create a folder for RegSearch on the C: drive called C:\RegSearch. You can do this by going to My Computer, then double click on C:, then right click and select New, then Folder, and name it RegSearch. Extract all the files from the zip archive into that folder. Open the RegSearch folder and double-click the icon for RegSearch.exe to launch the program. Copy / paste the following line into the top Search Box:
svchosts
Now hit OK. After completion Notepad will be opened with all the found instances of the string. The resulting file is saved in the same location as RegSearch.exe.

Please download Combofix to your desktop. Double-click combo.exe to launch the application. Follow the prompts that will be displayed on the screen. Don't click on the window while the fix is running, because that will cause your system to hang. When finished, it should produce a log, combofix.txt. Post this log in your next reply together with a new HijackThis log.

In the next reply, we should have a few folders/files to delete. I want to see the Combofix log first though..

David
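Posts 16 and 20 above hand the user a list of O4, O20 and O23 HijackThis entries to tick and "Fix Checked", plus a separate "sc delete" for the orphaned service. The script below is an added example, written for this page; it is not HijackThis's own code and not something the forum helper posted. It parses those three entry types out of a saved HJT log, attaches the properties that make such entries stand out during triage (a "(file missing)" marker, a GUID-named Run value, a lookalike of a Windows binary such as svchosts.exe, a system-binary name running from outside system32, unprintable characters in a path, or a binary not on the reviewer's allowlist), and prints the command-line equivalent of the fix. The sample log is constructed from the entries quoted in the two posts, with one benign ctfmon.exe line added as a control; the heuristics, the short SYSTEM_BINARIES set and the ALLOWLIST are this example's assumptions rather than an HJT feature. The Run keys, the Winlogon\Notify key and "sc delete" are the standard locations those HJT sections map to.

```python
# Added example (not HijackThis code, not from the forum posts): triage the
# O4/O20/O23 entries a helper would tick in HJT and print the equivalent fix.
import re
from dataclasses import dataclass, field

# Constructed sample: entries quoted in posts 16 and 20, plus one benign
# ctfmon.exe line (assumption) as a control that must NOT be flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [{E0BC8662-0710-1031-0225-050412060031}] "C:\Programme\Gemeinsame Dateien\{E0BC8662-0710-1031-0225-050412060031}\Update.exe" te-110-12-0000273
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [clcbt.exe] C:\WINDOWS\system32\clcbt.exe
O4 - HKCU\..\Run: [sen] "C:\PROGRA~1\ECURIT~1\spoolsv.exe" -vt yazb
O4 - HKCU\..\Run: [Huuozco] C:\WINDOWS\system32\?ystem\??ool32.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: gebyy - C:\WINDOWS\system32\gebyy.dll (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000273 (file missing)
"""
# Assumed sets: names malware imitates, and autostarts the reviewer has verified.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "spoolsv.exe"}
ALLOWLIST = {"ctfmon.exe"}
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
MISSING = " (file missing)"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"   # under HKLM or HKCU
NOTIFY_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

@dataclass
class Entry:
    kind: str      # "O4", "O20" or "O23"
    hive: str      # "HKLM"/"HKCU" for O4, "" otherwise
    name: str      # Run value name, Notify subkey or service name
    cmd: str       # command line as HJT printed it, "(file missing)" stripped
    missing: bool
    flags: list = field(default_factory=list)

def parse_hjt(text):
    """Return the O4/O20/O23 entries of an HJT log; other sections are ignored."""
    entries = []
    for line in text.splitlines():
        for kind, rx in (("O4", O4_RE), ("O20", O20_RE), ("O23", O23_RE)):
            m = rx.match(line.strip())
            if m:
                cmd = m.group("cmd")
                missing = cmd.endswith(MISSING)
                cmd = cmd[:-len(MISSING)] if missing else cmd
                entries.append(Entry(kind, m.groupdict().get("hive", ""),
                                     m.group("name"), cmd, missing))
                break
    return entries

def first_path(cmd):
    cmd = cmd.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]
    else:  # also stops at the stray quote HJT printed after svchosts.exe
        path = re.split(r'[\s"]', cmd, maxsplit=1)[0]
    return path.replace("/", "\\").lower()

def edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(entries):
    """Attach human-readable flags; return only the entries that earned one."""
    for e in entries:
        path = first_path(e.cmd)
        folder, base = path.rsplit("\\", 1) if "\\" in path else ("", path)
        sysbin, in_system32 = base in SYSTEM_BINARIES, folder.endswith("\\system32")
        checks = [
            (e.missing, "orphaned autostart: binary already gone"),
            (e.kind == "O4" and GUID_RE.match(e.name), "GUID-named Run value"),
            ("?" in path, "unprintable characters in path"),
            (sysbin and not in_system32, "system binary name outside system32"),
            (not sysbin and any(edit_distance(base, s) == 1 for s in SYSTEM_BINARIES),
             "lookalike of a Windows binary: " + base),
            (base not in ALLOWLIST and not (sysbin and in_system32),
             "not on allowlist: " + base),
        ]
        e.flags.extend(msg for hit, msg in checks if hit)
    return [e for e in entries if e.flags]

def remediation(e):
    """Command-line equivalent of HJT 'Fix Checked' for that entry type."""
    if e.kind == "O4":
        return 'reg delete "%s\\%s" /v "%s" /f' % (e.hive, RUN_KEY, e.name)
    if e.kind == "O20":
        return 'reg delete "HKLM\\%s\\%s" /f' % (NOTIFY_KEY, e.name)
    return 'sc delete "%s"' % e.name   # O23; quoted because the name has a space

if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print("%s [%s]: %s\n    %s" % (e.kind, e.name, "; ".join(e.flags), remediation(e)))
```

Run as-is it flags every sample entry except the ctfmon.exe control. The service entry collects three flags (orphaned, lookalike of svchost.exe, not on the allowlist) and its fix is printed as sc delete "COM+ Messages", with the quotes that a name containing a space needs; the HKCU "sen" entry is caught because a file named spoolsv.exe is running from a Program Files folder rather than system32. Fixing the registry value does not remove the file itself, which is why the posts above also delete the binaries on reboot.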
  21. Since this issue appears resolved, this Topic is now closed. If you need this topic reopened, please request this by sending me a PM with the address of the thread using the link here. This applies only to the original topic starter. Everyone else please begin a New Topic.
  22. Hello there and welcome to Lavasoft's security forum. My name is David, I will be helping you with your problem today.

Please start by running a full scan with Ad-aware and posting the log. When you finish the scan click "show logfile", then right click on it and choose "copy to clipboard".

Then, click here to download HijackThis. Save HJTsetup.exe to your Desktop. Double click on the HJTsetup.exe icon to start the program. By default it will install to C:\Program Files\HijackThis. Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue. Put a check by Create a desktop icon, then click Next again. Continue to follow the rest of the prompts from there. At the final dialogue box click Finish and it will launch HijackThis. Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log. Save the log, and post it to me in your next reply.

So post back with the HijackThis log, and the Ad-aware log. You are infected with a smitfraud trojan, which should be easy to remove.
  23. Hello there and welcome to Lavasoft's security forum. My name is David, I will be helping you with your problem today.

Please start by running a full scan with Ad-aware and posting the log. When you finish the scan click "show logfile", then right click on it and choose "copy to clipboard".

Then, click here to download HijackThis. Save HJTsetup.exe to your Desktop. Double click on the HJTsetup.exe icon to start the program. By default it will install to C:\Program Files\HijackThis. Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue. Put a check by Create a desktop icon, then click Next again. Continue to follow the rest of the prompts from there. At the final dialogue box click Finish and it will launch HijackThis. Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log. Save the log, and post it to me in your next reply.

So post back with the HijackThis log, and the Ad-aware log. You have a smitfraud infection, which should be simple to remove.
  24. Hi Aaron!

You may be right, but I don't feel that an "end program" error message is something I would classify as normal activity. A guy who lives down my road has Norton installed on his PC, and I remembered he had a similar problem with ccapp.exe crashing when he was shutting down. He couldn't remember exactly, but it was something to do with Norton scanning the floppy disk drive on shutdown. I searched for a while and found a possible solution. Now, I'm not 100% sure if this feature is installed on 2007 or not, this guy was using the 06 version, but I think it's worth a try anyway. I don't really just want to dismiss it.

Start Norton AntiVirus. Click Options. If you see a menu, click Norton AntiVirus. In the Norton AntiVirus Options dialog box, in the left pane, double-click Auto-Protect. Click Advanced. In the right pane, uncheck Scan floppy disk in A: for boot viruses when shutting down. Click OK and restart the computer.

Let me know if that helps. I have a feeling that ccapp.exe will sometimes crash whilst trying to find out if there is actually a floppy disk in the drive. I assume that you probably don't use floppy disks anymore, so it could be a possible cause of the problem.

If that doesn't work, as you recently installed the program, I would reinstall the security suite altogether. It may have been a slight problem in the installation itself that caused the problem, so reinstalling might fix it. One of the best ways to fix software problems is by a reinstallation. If, even after the reinstallation, the problem still persists, then as Ai_Tak suggested, you might just have to live with it.

I sent Norton an email over the issue, and I got this reply: "This message does not indicate a problem. The main Norton AntiVirus (NAV) host file, ccApp.exe, is in the process of closing all running services. The ccApp.exe file can take some time to close, especially if the computer was shut down before it finished its last startup process. Be patient. If Windows does not close the application in a few seconds, then click End Now to close the program and allow the restart/shut down process to continue."

If it really is something that bugs you, you could switch to an alternative antivirus program. Some free programs are highly rated; I've listed a few below, just in case you find it helpful:
http://free.grisoft.com/freeweb.php/doc/2/
http://www.avast.com/eng/avast_4_home.html

Let me know how you get on!