Trojan horse found on computer(Scotty's thread)


Post by Hiwatt » October 27th, 2008, 6:15 am

Hi there. I am to start a new topic as I was being helped by Scotty and he's not got access to the internet at the moment. Since my last post Spybot S&D found a few red entries and registry changes and my SpywareBlaster protection has been disabled. Here is a fresh HijackThis log and a link to the original thread. Thank you. viewtopic.php?f=12&t=34696

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:50, on 27/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Default\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 4241 bytes
Hiwatt
Regular Member
Posts: 122
Joined: December 16th, 2007, 12:20 pm
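The HijackThis log above is what the helpers in this thread read by eye. As an added example (not HijackThis code, and not part of Hiwatt's or Katana's posts), the Python below parses the R/O entry lines of a 2.x log and applies a handful of triage rules that follow the reasoning Katana gives later in the thread: start and search pages that point away from the stock Microsoft/Yahoo defaults are the "hijackers" she describes, O16 entries with no source URL are harmless leftovers, and an autostart living in a temp or profile folder deserves a look. The sample log is constructed: most lines copy the shape of the real log, the last three (the search.hijack.example page, the updater.exe autostart and the helpersvc service) are invented bad entries so the rules have something to fire on. The host allowlist, the directory list and the rules themselves are this example's assumptions.

```python
"""Parse a HijackThis 2.x log and apply a few triage rules.

Added example for this thread, not HijackThis code. SAMPLE_LOG is
constructed: most lines copy the shape of the log posted above, the
last three are invented bad entries so the rules have something to
fire on. The allowlist, directory list and rules are assumptions.
"""
import re
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>[^\\]+)(?:\\[^\\]+)?\\\.\.\\(?P<key>\w+): "
                   r"\[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\}) \((?P<name>[^)]*)\) -\s*(?P<url>.*)$")
# Vendor names containing a hyphen are not handled by this simple pattern.
O23_RE = re.compile(r"^Service: (?P<display>.*?)(?: \((?P<short>[^()]*)\))? - "
                    r"(?P<company>[^-]*?) - (?P<path>[A-Za-z]:\\.*)$")
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.exe)', re.IGNORECASE)

# Hosts a stock Windows XP / IE6 install points its start and search pages at
# (assumption; widen it for other locales or OEM builds).
KNOWN_SEARCH_HOSTS = {"go.microsoft.com", "www.microsoft.com", "uk.rd.yahoo.com"}
# Autostart locations legitimate software almost never uses (assumption).
BAD_AUTOSTART_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\recycler\\")


def parse(log_text):
    """Yield (code, body) for every entry line; header and process list are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def exe_from_command(cmd):
    """Executable path of an O4 command line, whether quoted or not."""
    m = EXE_RE.match(cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def triage(log_text):
    """Return [(code, severity, reason), ...] in log order."""
    findings = []
    for code, body in parse(log_text):
        if code in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            host = urlparse(value.strip()).hostname   # None for empty values and bare IPs
            if host and host not in KNOWN_SEARCH_HOSTS:
                findings.append((code, "high", f"{key.split(',')[-1]} points at {host}, "
                                 "not a stock default (search/start page hijacker)"))
        elif code == "O4":
            m = O4_RE.match(body)
            if m:
                exe = exe_from_command(m.group("cmd")).lower()
                if any(d in exe for d in BAD_AUTOSTART_DIRS):
                    findings.append((code, "high", f"autostart [{m.group('name')}] runs from "
                                     f"a temp/profile directory: {exe}"))
        elif code == "O16":
            m = O16_RE.match(body)
            if m and not m.group("url"):
                findings.append((code, "info", f"orphaned ActiveX download entry {m.group('name')} "
                                 f"{m.group('clsid')}: no source URL, safe to fix"))
        elif code == "O23":
            m = O23_RE.match(body)
            if m and m.group("company").strip().lower() == "unknown owner":
                findings.append((code, "medium", f"service {m.group('short') or m.group('display')} "
                                 f"has no vendor string: {m.group('path')}"))
    return findings


# Constructed sample: real-shaped lines first, three invented bad entries last.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.hijack.example/?q=
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Default\Local Settings\Temp\updater.exe
O23 - Service: Helper Service (helpersvc) - Unknown owner - C:\WINDOWS\system32\helpersvc.exe
"""

if __name__ == "__main__":
    for code, severity, reason in triage(SAMPLE_LOG):
        print(f"{code:<4}{severity:<7}{reason}")
```

Run it directly to print the findings, or pass the text of a saved log to triage(). The rules are deliberately conservative: they name only the few things a first reader of this log would want pointed out, so an empty result means nothing matched them, not that the machine is clean.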

Re: Trojan horse found on computer(Scotty's thread)

Post by Katana » November 1st, 2008, 8:14 am

Hi Hiwatt,
Sorry for the delay you have had.


Spybot Report
Please retrieve the last scan that you did with Spybot
  1. Open Spybot S&D
  2. Click Mode (on the top bar)
  3. Put a check next to Advanced. Click Yes at the prompt.
  4. Click Tools (left hand column near the bottom)
  5. Click View Report (left hand column near the top)
  6. Put a tick next to
    • Include results of last check in report
    (make sure that the rest are unchecked)
  7. Click View Report (top of page)
  8. Click Export (top of page)
  9. Save the report to your desktop

Please post this report in your reply
Katana
MRU Teacher Emeritus
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Trojan horse found on computer(Scotty's thread)

Post by Hiwatt » November 2nd, 2008, 8:15 am

Hi. Thank you for replying. I'll not be at my own computer till tomorrow. I'll do this first thing tomorrow morning. Thanks.

Re: Trojan horse found on computer(Scotty's thread)

Post by Hiwatt » November 3rd, 2008, 7:00 am

Hi there
I've actually scanned with Spybot since and it came back clean. Is there another way I can show you the malware that Spybot found without going into Spybot's recovery? I included screenshots of the stuff that Spybot found in the original post, if that helps? Thank you.

Re: Trojan horse found on computer(Scotty's thread)

Post by Katana » November 3rd, 2008, 7:10 am

If it is scanning clean, you don't need to worry :)
Are there any other problems ?

Re: Trojan horse found on computer(Scotty's thread)

Post by Hiwatt » November 3rd, 2008, 8:55 am

Hi, there aren't any visible problems just now. Comodo BOClean found a trojan and after this I scanned with Spybot S&D and it found loads of stuff (included screenshot) but it seems to have "fixed it". I was just worried because there were hijackers and stuff in there and I was wondering if I had to cancel all bank details etc.? If you're happy and think I'm clean, then I'm happy 8) Thanks.

Re: Trojan horse found on computer(Scotty's thread)

Post by Katana » November 3rd, 2008, 9:22 am

Looking at your thread with Scotty, the items Spybot found are just adware dross and nothing serious.
They may even have just been cookies.

There doesn't appear to have been any serious infection present, so I doubt you have anything to worry about.

"Hijackers" just means that it diverts your search results to the site that pays them :)

Re: Trojan horse found on computer(Scotty's thread)

Post by Hiwatt » November 3rd, 2008, 11:21 am

Thank you. That's good then. I still have a ComboFix folder and a folder called cmdcons on my C drive, is it OK to delete them? Looking at the screencaps I provided from Spybot's recovery, did Spybot really fix all those things and is all OK now? Thank you.

Re: Trojan horse found on computer(Scotty's thread)

Post by Katana » November 3rd, 2008, 1:27 pm

You should not delete cmdcons; it is part of the Recovery Console that ComboFix installed.

If you have deleted Combofix.exe then please download a fresh copy from here
Combofix.exe

Now do the following ..

  • This will clear your System Volume Information restore points and remove all the infected files that were quarantined
  • Click START then RUN
  • Now type Combofix /u in the Run box and click OK. Note the space between the X and the /U; it needs to be there.



Regarding the items that Spybot found, I have no idea how they were removed as the images you posted are not shown in the archive section.
If they are no longer being detected then I can only assume that they have been removed.

Re: Trojan horse found on computer(Scotty's thread)

Post by Hiwatt » November 5th, 2008, 6:23 am

Hi there
When I type Combofix /u it says Windows cannot find ComboFix, make sure I typed the name correctly? I did. Also Comodo BOClean is saying that a trojan has been found when I downloaded ComboFix and is asking if I want to delete the file. I chose no. What should I do next? Thank you.

Re: Trojan horse found on computer(Scotty's thread)

Post by Katana » November 5th, 2008, 6:42 am

Disable Comodo for the moment.

Download ComboFix.exe to your Desktop

Click Start >> Run, then copy/paste the following into the Run box

"%userprofile%\desktop\combofix.exe" /u

Now you can re-enable Comodo

Re: Trojan horse found on computer(Scotty's thread)

Post by Hiwatt » November 5th, 2008, 8:23 am

Hi there.
I did that and it said ComboFix was uninstalled but the folder is still there. It only contains 1 file named "nircmd", an MS-DOS application. I've taken another couple of screenshots from Spybot's recovery section just to show you the red entries it found in case it helps. Thank you.

Re: Trojan horse found on computer(Scotty's thread)

Post by Katana » November 5th, 2008, 5:45 pm

You can delete the Combofix folder.

Looking at those files, you can remove all those from Spybot history.
They all look to be adware dross and not serious infections.

Re: Trojan horse found on computer(Scotty's thread)

Post by Hiwatt » November 6th, 2008, 6:20 am

Hi, OK thanks, that's great. Is that me done then?

Re: Trojan horse found on computer(Scotty's thread)

Post by Katana » November 6th, 2008, 6:47 am

Congratulations your logs look clean :)

Let's see if I can help you keep it that way


The following is some info to help you stay safe and clean.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partne ... bscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you; see HERE for details

AntiSpyware
    AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have free (for home users) and paid versions;
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book: it maps the human-friendly name of a website to its actual numeric address (i.e. the IP address). This feature can be used to block malicious websites
  • MalwareBytes Anti-malware <<< A New and effective program
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • superantispyware <<< A good "realtime" or "on demand" scanner

Prevention
    These programs don't detect malware, they help stop it getting on your machine in the first place.
    Each does a different job, so you can have more than one
  • Winpatrol
    • An excellent startup manager and then some !!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must have addition
  • SpywareBlaster 4.0
    • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections

Internet Browsers
    Microsoft has worked hard to make IE 7 a more secure browser; unfortunately, whilst it is still the leading browser of choice it will always be under attack from the bad guys.
    Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    If you are still using IE6 then either update, or get one of the following.
    • FireFox
      • With many addons available that make customization easy this is a very popular choice
      • NoScript and AdBlockPlus addons are essential
    • Opera
      • Another popular alternative
    • Netscape
      • Another popular alternative
      • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies
    Temporary Internet Files are mainly the files that are downloaded when you open a web page.
    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
    It is a good idea to empty the Temporary Internet Files folder on a regular basis.

    Tracking Cookies are files that websites use to monitor which sites you visit and how often.
    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION: If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords.

    Both of these can be cleaned manually, but a quicker option is to use a program
  • ATF Cleaner
    • Free and very simple to use
  • CCleaner
    • Free and very flexible, you can choose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
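Katana's phone-book description of the hosts file is the whole mechanism behind MVPS HOSTS and Spybot's host protection, and it cuts both ways: an entry that maps a name to 0.0.0.0 or 127.0.0.1 blocks it, while an entry that maps a name to any other address silently redirects it, which is exactly the change host protection exists to catch. The Python below, added here as an illustration and not code from MVPS, Spybot or Microsoft, parses a hosts file, separates blocks from redirects, and answers the question the resolver answers (exact name, first matching entry wins, no wildcards). The hosts text is constructed; the blocked names, the bank-like name and its redirect address are invented.

```python
"""Parse and audit a Windows hosts file.

Added example for this thread; not MVPS, Spybot or Microsoft code.
SAMPLE_HOSTS is constructed: the blocked names and the redirected
bank-like name are invented.
"""
import ipaddress

HOSTS_PATH_XP = r"C:\WINDOWS\system32\drivers\etc\hosts"  # default location on Windows XP

# An entry pointing a name at one of these addresses blocks the name;
# anything else sends the name somewhere, i.e. a redirect.
SINKHOLES = {ipaddress.ip_address(a) for a in ("0.0.0.0", "127.0.0.1", "::1")}


def parse_hosts(text):
    """Return [(ip, name), ...] in file order; comments, blanks and malformed lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # first field must be an address
        # One line may list several names for the same address.
        entries.extend((ip, name.lower()) for name in parts[1:])
    return entries


def lookup(name, entries):
    """Mimic the resolver: exact, case-insensitive match, first entry wins, no wildcards."""
    name = name.lower().rstrip(".")
    for ip, candidate in entries:
        if candidate == name:
            return str(ip)
    return None          # not in hosts: DNS would be asked


def blocked(entries):
    """Names the file sinkholes (the MVPS-style block list), sorted."""
    return sorted({name for ip, name in entries if ip in SINKHOLES})


def redirects(entries):
    """Names sent to a real address: the pattern a hosts-file hijack leaves behind."""
    return [(name, str(ip)) for ip, name in entries if ip not in SINKHOLES]


SAMPLE_HOSTS = """# constructed sample, laid out like an MVPS-style hosts file
127.0.0.1 localhost
0.0.0.0 ads.tracker.example          # ad server, blocked
0.0.0.0 counter.stats.example        # page counter, blocked
0.0.0.0 www.searchhijack.example search.searchhijack.example
10.20.30.40 www.mybank.example       # NOT a block: this line hijacks the name
"""

if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    print("blocked:", blocked(entries))
    print("redirects:", redirects(entries))
    print("www.mybank.example ->", lookup("www.mybank.example", entries))
```

To audit a real machine, read the file at HOSTS_PATH_XP and look at what redirects() returns: on a box that only uses the file for blocking, that list should be empty. Windows caches hosts entries in the DNS client, so after editing the file run ipconfig /flushdns before testing a lookup.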
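The Internet zone settings in the list above live in the registry, so you can check that they stuck without clicking back through the dialog. The Python below, added as an example and not Microsoft's or Katana's code, parses a .reg export of the Internet zone key (on XP: reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg), compares the six settings from the list with the values the post recommends, and emits a .reg fragment that applies them. The value-name mapping (1001, 1004, 1201, 1607, 1800, 1804) and the meaning of 0/1/3 as Enable/Prompt/Disable are taken from Microsoft's documented zone registry layout; treat them as an assumption to verify against that reference before importing anything. The export text is constructed.

```python
"""Audit Internet Explorer's Internet-zone settings from a .reg export.

Added example for this thread; not Microsoft code. Value names and the
0/1/3 encoding are from Microsoft's zone registry reference and are an
assumption to verify. SAMPLE_REG is constructed.
"""
import re

ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

ENABLE, PROMPT, DISABLE = 0, 1, 3
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
STRICTNESS = {ENABLE: 0, PROMPT: 1, DISABLE: 2}   # higher is safer

# The six settings the post changes, keyed by registry value name (assumption).
SETTINGS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1201": "Initialise and script ActiveX controls not marked as safe",
    "1800": "Installation of desktop items",
    "1804": "Launching programs and files in an IFRAME",
    "1607": "Navigate sub-frames across different domains",
}
RECOMMENDED = {"1001": PROMPT, "1004": DISABLE, "1201": DISABLE,
               "1800": PROMPT, "1804": PROMPT, "1607": PROMPT}

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')


def parse_reg(text):
    """Return {key: {value name: int}} for the dword values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = keys.setdefault(m.group("key"), {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:      # string values (e.g. DisplayName) are ignored
            current[m.group("name")] = int(m.group("hex"), 16)
    return keys


def audit_zone(values, recommended=RECOMMENDED):
    """List (value name, description, current, recommended) for each setting weaker than recommended."""
    weak = []
    for name, want in recommended.items():
        have = values.get(name)
        if have is None:
            weak.append((name, SETTINGS[name], "not set", LABEL[want]))
        elif have not in STRICTNESS:
            weak.append((name, SETTINGS[name], f"unknown value {have:#x}", LABEL[want]))
        elif STRICTNESS[have] < STRICTNESS[want]:
            weak.append((name, SETTINGS[name], LABEL[have], LABEL[want]))
    return weak


def audit_export(text, key=ZONE3_KEY):
    """Audit the Internet zone key inside a whole .reg export."""
    return audit_zone(parse_reg(text).get(key, {}))


def recommended_reg(key=ZONE3_KEY, recommended=RECOMMENDED):
    """Return a .reg file body that applies the recommended values (apply with reg import)."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{key}]"]
    lines += [f'"{name}"=dword:{value:08x}' for name, value in recommended.items()]
    return "\n".join(lines) + "\n"


# Constructed export: three of the six settings are still at their weaker value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000001
"1607"=dword:00000001
"1800"=dword:00000001
"1804"=dword:00000000
"""

if __name__ == "__main__":
    for name, desc, have, want in audit_export(SAMPLE_REG):
        print(f"{name} {desc}: is {have}, should be {want}")
```

reg export writes Unicode (UTF-16) text, so read a real export with encoding="utf-16" before passing it to parse_reg. If the Security_HKLM_only policy is in force, Internet Explorer takes zone settings from the same path under HKEY_LOCAL_MACHINE instead, so export that key rather than the HKCU one.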