Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

win32 trojan

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

win32 trojan

Unread postby formulaten » September 27th, 2005, 1:37 pm

Avast tells me I have win32 trojan. I've tried all i know to remove without success. Here's my hijackthis log, any assistance would be very much appreciated. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 18:29:04, on 27/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\javapanel.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\WINDOWS\System32\telecoms.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\AR\LOCALS~1\Temp\Rar$EX00.203\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [Microsoft Telecoms Center] telecoms.exe
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] telecoms.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Telecoms Center] telecoms.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/296e160e9b8 ... xIE601.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} - http://www.tbcode.com/ist/softwares/v4.0/0006_adult.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c11.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ECA (cpanel) - Unknown owner - C:\WINDOWS\javapanel.exe
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINDOWS\taskcntr.exe
formulaten
Active Member
 
Posts: 7
Joined: May 30th, 2005, 4:50 pm
Advertisement
Register to Remove

Unread postby dobhar » September 27th, 2005, 1:45 pm

Hi...

My name is dobhar and I will be looking over your log. Please give me some time to go look it over and I will post back as soon as possible. If you have any questions please post back as a reply to this Thread\Topic and I will be advised by email so I can return and help you. Please do not start another Thread\Topic.

Thank You,
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby dobhar » September 27th, 2005, 2:01 pm

*** IMPORTANT ***

You are running HijackThis from a zip file within a Temp folder. Two strikes!. HijackThis for one needs to run in a folder on it's own...not in the temp directory as one of the fixes we get you to run is to clean out the Temp folders so by you runnng the program from Temp it would get deleted along with any backup files that were created. Secondly your running HJT from the zip file and by doing than we cannot create backups.

Lets get HijackThis into it's own folder...
- Please Create a folder called HJT...
1. Open "My Computer"
2. Double-click "C:" or "Local Disk (C: )"
3. Right-click in an open area in that window
4. Select/left-click on "New" from the drop-down
5. Select/left-click on "Folder"
6. A folder will appear with the cursor blinking and the words "New Folder" will be highlighted
7. Name the folder HJT
8. Extract\unzip the HijackThis.zip file into this new folder

Alternately you can download a self extracting copy of HijackThis from here and save it to your desktop. Double-click on the file hijackthis_sfx.exe file and it will self extract into it's own folder in C:\Program Files\HijackThis.

Pls post a new HJT log from the new location.

Thanks,
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby formulaten » September 27th, 2005, 4:09 pm

Dobhar, new log as requested

Logfile of HijackThis v1.99.1
Scan saved at 21:07:52, on 27/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\javapanel.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\WINDOWS\System32\telecoms.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\taskcntr.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [Microsoft Telecoms Center] telecoms.exe
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] telecoms.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Telecoms Center] telecoms.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/296e160e9b8 ... xIE601.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} - http://www.tbcode.com/ist/softwares/v4.0/0006_adult.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c11.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E32760F8-852E-4BB9-B527-EA319AE50FE8}: NameServer = 62.6.40.162 194.72.0.98
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ECA (cpanel) - Unknown owner - C:\WINDOWS\javapanel.exe
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINDOWS\taskcntr.exe
formulaten
Active Member
 
Posts: 7
Joined: May 30th, 2005, 4:50 pm

Unread postby dobhar » September 27th, 2005, 11:00 pm

Hi formulaten...

So very sorry for the delay...I got tied up at work...

Anyways...let's get to it...
__________________________________________

Please print out or copy these instructions\tutorials to Notepad as the internet will be unavailble to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
__________________________________________

Step 1.
==========

We need to stop a couple Services...
- Click "Start" button then select "Run"
- Type "services.msc" (without quotes) then hit OK
- Scroll down and find the service called.

ECA
TASKESV


- One at a time, right-click on a Service and choose "Properties"
- On the "General" tab under "Service Status" click the "Stop" button to stop the service
- Beside "Startup Type" in the dropdown menu select "Disabled"
- Click Apply then OK. Do the same to the other Service
- When done exit the Services utility
(Note: If the service isn't listed go ahead with the rest of the instructions)

Step 2.
==========

Let's delete those 2 Services
- Start HijackThis...
- Click "Config" button
- Click "Misc Tools" button
- click "Delete an NT Service" button
- One at a time, copy and Paste the bold text below in the "Delete an NT Service" window

cpanel
TESV


- Click "OK"
- Do the same to the other Service
- When done...exit HijackThis

Step 3.
==========

Please download and install CCleaner from here
(Note: DO NOT run this program yet)

Step 4.
==========

Please download Ewido Security Suite, it is a free version of the program.
  1. Install ewido security suite
  2. When installing the program, under "Additonal Options" uncheck...
    • Install background guard
    • Install scan via context menu
  3. Launch ewido, there should now be an icon on your desktop, double-click it.
  4. The program will now open to the main screen.
  5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  6. You will need to update ewido to the latest definition files:
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  7. The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  8. Close Ewido Security Suite
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates

Step 5.
==========

- Reboot computer into "Safe Mode" Using the F8 method:
- As soon as the BIOS is loaded begin tapping the F8 key until the Boot Menu appears
- Use the arrow keys to select the Safe Mode menu item
(Note: For additional help in booting into Safe Mode, see the following site - here)

Step 6.
==========

We need to make sure all hidden files are showing...
  • Open "My Computer".
  • Click on "Tools" and from the drop down menu select "Folder Options".
  • Select the "View" tab.
  • Under the "Hidden files and folders" heading SELECT "Show hidden files and folders".
  • UNCHECK the "Hide file extensions for known types option".
  • UNCHECK the "Hide protected operating system files (recommended) option".
  • Click "Yes" to confirm.
  • Click "OK".
Step 7.
==========
- Close all Windows and Programs
- Start HijackThis...
- Select\check the following entries, Double-check to make sure that only these entries are checked.

O4 - HKLM\..\Run: [Microsoft Telecoms Center] telecoms.exe
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] telecoms.exe
O4 - HKCU\..\Run: [Microsoft Telecoms Center] telecoms.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/296e160e9b8 ... xIE601.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} - http://www.tbcode.com/ist/softwares/v4.0/0006_adult.cab
O23 - Service: ECA (cpanel) - Unknown owner - C:\WINDOWS\javapanel.exe
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINDOWS\taskcntr.exe


- Click the "Fix checked" button.

Step 8.
==========

Delete the following files(s) in BOLD only. (Note: Don't be concern if can't find but advise if not found)
File(s)...
C:\WINDOWS\SYSTEM32\telecoms.exe <<<= Delete This File
C:\WINDOWS\javapanel.exe <<<= Delete This File
C:\WINDOWS\taskcntr.exe <<<= Delete This File

Step 9.
==========

We now need to cleanup all the Temp, Temorary Internet Files, Recycle Bin, etc...
- Start the CCleaner program
- Get into "Options" => Select "Advanced" => Deselect\uncheck "Only delete files in Windows Temp folders older than 48 hours"
- We are only going to work with the "Cleaner" section. (Note: Do not use the "Issues" section)
- click on the "Run Cleaner button in the lower right-hand corner
- After complete close program
- Make sure Recycle Bin is empty

Step 10.
==========

- Start Ewido Security Suite
  • Click on scanner. (Note: Do not start any programs or open any windows while Ewido is scanning)
  • Click on Complete System Scan, the scan will now begin.
  • While the scan is in progress you will be promted to clean files, click OK.
  • When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
  • Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
  • Click Save Report.
  • Now save the report .txt file to your desktop.
  • Close Ewido Security Suite
Step 11.
==========

- Reboot computer into "Normal Mode"
- Post back a new fresh "HijackThis" log
- Post back Ewido log :)
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby formulaten » September 28th, 2005, 1:36 pm

Dobhar, many thanks for your help! No problems now. Here are the logs

Logfile of HijackThis v1.99.1
Scan saved at 18:31:57, on 28/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c11.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 18:27:01, 28/09/2005
+ Report-Checksum: 17C5EDED

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll\\.Owner -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll\\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
C:\WINDOWS\system32\eid.exe -> TrojanDownloader.Mediket.ay : Cleaned with backup
C:\WINDOWS\system32\remon.sys -> Trojan.Rootkit.Agent.ab : Cleaned with backup
C:\WINDOWS\taskcntr.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\WINDOWS\javapanel.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\System Volume Information\_restore{2E0D4B1D-4577-40DE-ABA6-DA92912F73C3}\RP56\A0012969.SYS -> Trojan.Rootkit.Agent.ab : Cleaned with backup
C:\System Volume Information\_restore{2E0D4B1D-4577-40DE-ABA6-DA92912F73C3}\RP56\A0013972.sys -> Trojan.Rootkit.Agent.ab : Cleaned with backup
C:\System Volume Information\_restore{2E0D4B1D-4577-40DE-ABA6-DA92912F73C3}\RP56\A0013985.sys -> Trojan.Rootkit.Agent.ab : Cleaned with backup
C:\System Volume Information\_restore{2E0D4B1D-4577-40DE-ABA6-DA92912F73C3}\RP56\A0014009.exe -> Backdoor.SdBot.xm : Cleaned with backup


::Report End
formulaten
Active Member
 
Posts: 7
Joined: May 30th, 2005, 4:50 pm

Unread postby dobhar » September 29th, 2005, 7:28 am

Hi formulaten...

Nice job...you are looking much, much better. :)

Sorry for the delay but I am checking with some of my colleague's on one minor item so if you could bear with me for a bit I will reply soon.

Thanks, :)
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby dobhar » September 30th, 2005, 8:23 am

Hi...

- Can you please download from RootKitRevealer to your Desktop.
- Extract\Unzip it to a folder on the desktop
- Double-click the RootkitRevealer.exe to run it, and click Scan. Make sure no programs or open windows are running
(Note: Please be patient...it is scanning your Hard Drive)
- This will generate a log file; please post the entire contents of the log file here for me to see.

Thanks,
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby formulaten » October 3rd, 2005, 3:17 pm

Dobhar

First run produced this;

C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf 03/10/2005 19:48 7.46 KB Hidden from Windows API.
D: 01/01/1601 01:00 0 bytes Error mounting volume

The second scan just this;

D: 01/01/1601 01:00 0 bytes Error mounting volume
formulaten
Active Member
 
Posts: 7
Joined: May 30th, 2005, 4:50 pm

Unread postby dobhar » October 3rd, 2005, 7:12 pm

Hi formulaten...

The log looks good...Let's run one last Ewido Scan and post a new HJT log just to make sure nothing left behind.
_______________________________________

Step 1.
==========

- Please make sure Ewido has the latest updates per previous instructions...

Step 2.
==========

- Reboot computer into "Safe Mode" per previous instructions...

Step 3.
==========

Make sure all hidden files are showing...

Step 4.
==========

Delete the following files(s) in BOLD only. (Note: Don't be concern if can't find but advise if not found)
File(s)...
C:\WINDOWS\SYSTEM32\remon.sys <<<= Delete This File

Step 5.
==========

We now need to cleanup all the Temp, Temorary Internet Files, Recycle Bin, etc...
- Start the CCleaner program
- Get into "Options" => Select "Advanced" => Deselect\uncheck "Only delete files in Windows Temp folders older than 48 hours"
- We are only going to work with the "Cleaner" section. (Note: Do not use the "Issues" section)
- click on the "Run Cleaner button in the lower right-hand corner
- After complete close program
- Make sure Recycle Bin is empty

Step 6.
==========

- Start Ewido Security Suite
  • Click on scanner. (Note: Do not start any programs or open any windows while Ewido is scanning)
  • Click on Complete System Scan, the scan will now begin.
  • While the scan is in progress you will be promted to clean files, click OK.
  • When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
  • Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
  • Click Save Report.
  • Now save the report .txt file to your desktop.
  • Close Ewido Security Suite
Step 7.
==========

- Reboot computer into "Normal Mode"
- Post back a new fresh "HijackThis" log
- Post back Ewido log :)
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby NonSuch » October 18th, 2005, 4:49 am

Whilst we appreciate that you may be busy, it has been 14 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 287 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware