TechSpot

BDS/JEEM trojan + more

By VvWolverinevV
Apr 24, 2009
  1. Hi,

    I recently upgraded my girlfriend's laptop and, in the process, found that she hadn't updated Windows XP Home since SP1 :( When I tried to update to SP3, I encountered an error along the lines of "[The system volume label is invalid]". A subsequent AntiVir scan uncovered several viruses. I followed the "preliminary removal steps" and the logs are attached. Would someone please have a look and let me know if I'm clean? :)

    Thanks!
     


  2. VvWolverinevV

    VvWolverinevV TS Booster Topic Starter Posts: 111

    Bumpity bump
     
  3. touch

    touch TS Rookie Posts: 978

    Sorry for late reply.

    Please download Combofix:
    http://subs.geekstogo.com/ComboFix.exe

    And save to the desktop.

    Close all other browser windows.

    Please connect all your external hard drives/flash drives before running Combofix, if you have any.


    Double-click on the combofix icon found on your desktop.

    Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

    Combofix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please attach it to your next post.
     
  4. VvWolverinevV

    VvWolverinevV TS Booster Topic Starter Posts: 111

    Thanks for the reply, Touch. If you don't mind me asking, why do you recommend Combofix?
     
  5. touch

    touch TS Rookie Posts: 978

    Because I think you have more infections.
     
  6. VvWolverinevV

    VvWolverinevV TS Booster Topic Starter Posts: 111

    Done and done :)
     


  7. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Yes there were about 100 or so more ! :D

    Sorry I just had to post ;)
     
  8. touch

    touch TS Rookie Posts: 978

    No problem kimsland :grinthumb


    VvWolverinevV ->> Close any open browsers.

    Open notepad and copy/paste the text in the quotebox below into it:
    Name the file CFScript
    and save it on the desktop.

    http://www.fromsej.saknet.dk/billeder/cfscript.gif

    Once saved, referring to the picture above, drag CFScript.txt onto ComboFix.exe.

    Combofix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please attach it to your next post.

    Note:
    Do not mouse-click Combofix's window whilst it's running, as that may cause it to stall.
     
  9. VvWolverinevV

    VvWolverinevV TS Booster Topic Starter Posts: 111

    100 more?! :( Here's my new ComboFix log.
     
  10. touch

    touch TS Rookie Posts: 978

    No, it looks clean now ;)

    Please attach a new HijackThis log, and tell me how things are running.
     
  11. VvWolverinevV

    VvWolverinevV TS Booster Topic Starter Posts: 111

    There are no symptoms as far as I can tell. In fact, the inability to install SP3 was a folder permissions bug apparently unrelated to the infections, but obviously I'm glad I did the scan. How does my HJT log look?
     
  12. touch

    touch TS Rookie Posts: 978

    That's good news :)

    Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime



    And you're done.


    Now that your computer is clean, it is time for the cleanup procedure:

    You should Create a New Restore Point to prevent possible reinfection from an old one.
    The easiest and safest way to do this is:
    Go to Start > All Programs > Accessories > System Tools > System Restore
    Select Create a restore point, and Ok it.
    Next, go to Start > Run and type in cleanmgr
    Select the More options tab
    Choose the option to clean up system restore and OK it.

    This will remove all restore points except the new one you just created.

    Please download OTCleanIt
    Save it to desktop.
    This will remove all the tools we used to clean your computer.
    Double-click OTCleanIt.exe. Click CleanUp. Say Yes to the "Begin cleanup Process?"
    When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
    Please note. It will NOT remove Mbam, Ccleaner and SuperAntispyware.

    To learn more about how to protect yourself while on the internet, please read Tony Klein's guide:
    How did I get infected in the first place

    If you have any comments or questions, feel free to post back.

    Otherwise - Keep safe :wave:
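The O2 and O4 lines touch lists above are the two HijackThis sections most often worth triaging by hand: O2 entries are Browser Helper Objects registered by CLSID, and O4 entries are Run-key autostarts. The script below is an added example written for this thread; it is not HijackThis code and not a tool anyone in the thread used. It parses those two line formats and applies three defensive checks that mirror what a helper looks for: an entry whose file is gone (the "(no file)" BHO above, which is safe to remove), an autostart launched from a user-writable temp or profile folder, and a Run command that does not point at an executable. The three real log lines are the ones quoted in the post; the other three sample lines, their paths and the all-zero CLSID are constructed for the example.

```python
"""Triage HijackThis O2 (BHO) and O4 (Run-key) log lines.

Added example for the thread above; not the thread's own tool and not
HijackThis code. Verdicts are "remove" (orphaned entry), "review"
(needs a human look) or "benign" (standard install location).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log: the three lines quoted in the thread plus three
# constructed lines (hypothetical paths and CLSID) so every verdict appears.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\updater.exe
""".strip()

# O2 - BHO: <name> - {CLSID} - <dll path or "(no file)">
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# O4 - HKLM\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]{2})\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Folders an ordinary user can write to: a favourite place for droppers to
# persist from. Heuristic markers, lower-cased, for the example only.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\",
                 "\\appdata\\", "\\documents and settings\\")
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")


@dataclass
class Entry:
    kind: str       # "O2" or "O4"
    name: str       # BHO display name or Run value name
    location: str   # CLSID for O2, hive\key for O4
    target: str     # DLL path, or the executable extracted from the Run command
    raw: str


def _exe_from_command(cmd: str) -> str:
    """Pull the launched binary out of a Run command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: the path ends at the first ".exe" token; otherwise first token.
    m = re.match(r"(?i)(.*?\.exe)(?=\s|$)", cmd)
    return m.group(1) if m else cmd.split()[0]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HJT line; returns None for sections this example ignores."""
    m = O2_RE.match(line)
    if m:
        return Entry("O2", m["name"], m["clsid"], m["path"].strip(), line)
    m = O4_RE.match(line)
    if m:
        return Entry("O4", m["name"], f"{m['hive']}\\{m['key']}",
                     _exe_from_command(m["cmd"]), line)
    return None


def triage(entry: Entry) -> Tuple[str, str]:
    """Return (verdict, reason) for a parsed entry."""
    target = entry.target.lower()
    if target in ("(no file)", ""):
        return "remove", "orphaned entry: still registered but its file is gone"
    if entry.kind == "O2" and entry.name.strip().lower() == "(no name)":
        return "review", "BHO registered without a name"
    if entry.kind == "O4" and not target.endswith(".exe"):
        return "review", "Run entry does not launch an .exe"
    if any(marker in target for marker in USER_WRITABLE):
        return "review", "launched from a user-writable profile/temp folder"
    if target.startswith(TRUSTED_ROOTS):
        return "benign", "installed under Program Files or Windows"
    return "review", "unrecognised location"


def triage_log(text: str) -> List[Tuple[Entry, str, str]]:
    """Triage every O2/O4 line in a log; other sections are skipped."""
    results = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict, reason = triage(entry)
        results.append((entry, verdict, reason))
    return results


if __name__ == "__main__":
    for entry, verdict, reason in triage_log(SAMPLE_LOG):
        print(f"{verdict:7} {entry.kind} [{entry.name}] {entry.target}  ({reason})")
```

Note that the two real O4 entries come out as "benign": they live under Program Files and the script has no evidence against them. touch still had them fixed, which is the usual helper's judgement that RealPlayer and QuickTime update schedulers are unneeded startup items, not a malware finding; a script like this only tells you where to look, and the decision to remove a clean-looking autostart stays with the person reading the log.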
     
  13. VvWolverinevV

    VvWolverinevV TS Booster Topic Starter Posts: 111

    Great! Thanks for all your help, touch!
     
  14. touch

    touch TS Rookie Posts: 978

    I was glad to help :)
     