BDS/JEEM trojan + more

[VvWolverinevV]

Hi,

I recently upgraded my girlfriend's laptop and, in the process, found that she hadn't updated Windows XP Home since SP1 When I tried to update to SP3, I encountered an error along the lines of "[The system volume label is invalid]". A subsequent AntiVir scan uncovered several viruses. I followed the "preliminary removal steps" and the logs are attached. Would someone please have a look and let me know if I'm clean?

Thanks!

 

[VvWolverinevV]

Bumpity bump

 

[touch]

Sorry for late reply.

Please download Combofix:
http://subs.geekstogo.com/ComboFix.exe

And save to the desktop.

Close all other browser windows.

Please connect all your external hard drive/flash drive before running Combofix, if you have any


Double-click on the combofix icon found on your desktop.

Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post

 

[VvWolverinevV]

Thanks for the reply, Touch. If you don't mind me asking, why do you recommend Combofix?

 

[touch]

Because i think you have more infections.

 

[VvWolverinevV]

Done and done

 

[kimsland]

Because i think you have more infections.

Yes there were about 100 or so more !

Sorry I just had to post

 

[touch]

No problem kimsland :grinthumb


VvWolverinevV ->> Close any open browsers.

Open notepad and copy/paste the text in the quotebox below into it:
Name the file as CFScript
and Save it on the desktop

Killall::
Snapshot::
File::
c:\windows\system32\drivers\_003343_.tmp.dll
c:\windows\system32\drivers\_003335_.tmp.dll
c:\windows\Java\Packages\Data\1bl3b9bf.dat
c:\windows\Java\Packages\Data\9rbfzfz7.dat
c:\windows\Java\Packages\Data\a9j75jvn.dat
c:\windows\Java\Packages\Data\zz1r3pv3.dat
c:\windows\Java\Packages\Data\c1b9f7tn.dat
DirLook::
C:\fe6599f27bd16e07ce8a0c7494e30c

http://www.fromsej.saknet.dk/billeder/cfscript.gif

Once saved, refering to the picture above, drag CFScript.txt into ComboFix.exe.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

 

[VvWolverinevV]

100 more?! Here's my new ComboFix log.

 

[touch]

No, it looks clean now

Please attach new hijackthis log, and tell how things are running ?

 

[VvWolverinevV]

There are no symptoms as far as I can tell. In fact, the inability to install SP3 was a folder permissions bug apparently unrelated to the infections, but obviously I'm glad I did the scan. How does my HJT log look?

 

[touch]

That´s good news

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" –atboottime


And you´re done.


Now your computer is clean, it is time for the cleanup procedure -

You should Create a New Restore Point to prevent possible reinfection from an old one.
The easiest and safest way to do this is:
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.

Please download OTCleanIt
Save it to desktop.
This will remove all the tools we used to clean your computer.
Double-click OTCleanIt.exe. Click CleanUp. Say Yes to the "Begin cleanup Process?"
When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
Please note. It will NOT remove Mbam, Ccleaner and SuperAntispyware.

To learn more about how to protect yourself while on the internet, please read Tony Klein´s guide:
How did I get infected in the first place

If you have any comments or questions, feel free to post back.

Otherwise - Keep safe :wave:

 

[VvWolverinevV]

Great! Thanks for all your help, touch!

 

[touch]

I was glad to help