Have Trojans...need major help...

By Khemic81
Apr 24, 2007
Topic Status:
Not open for further replies.
  1. I first noticed my explorer.exe was spiking to 100% every 5 or so seconds, and I have been getting Internet Explorer starting up all by itself.

    I have an infected file called netdde.exe with Downloader.Generic3.QFH in my documents folder in a folder called \?asks\ which doesn't show up when I go to the folder or run search. I found this with AVG Anti Virus, which also found a change to my boot sector of disk C which it only listed as a change but not a threat. Don't know if that is a problem.

    I've run Spybot a few times, which keeps detecting Smitfraud-C.Toolbar888 (1 tracking cookie and 1 HKEY_USERS). Also found the following...

    Altnet (1 HKEY_LOCAL_MACHINE)
    win32.small.ddx (2 tracking cookies)
    Zedo (tracking cookies)
    Doubleclick (tracking cookies)
    Advertising.com (tracking cookies)

    After running Spybot I wasn't able to delete Altnet, and like I said Smitfraud keeps popping up.

    Ran Ad-Aware which didn't show up anything major.

    Here is my Hijackthis log...
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    Your system is infected with the Vundo trojan.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of Khemic81 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
  3. Khemic81

    Khemic81 TS Rookie Topic Starter

    Wow that took a long time.

    Nothing showed up on the rootkit search.

    Combofix would start up but never finish. It'd just stop doing anything for some reason.

    Here is my HJT log and AVG Anti-Spyware log which was pretty frightening how much it picked up.

    EDIT: Oh and my explorer.exe is no longer spiking.
  4. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Surprisingly, your log looks clean already.

    However, I noticed in your AVG log:
    HKLM\SOFTWARE\Altnet -> Adware.Altnet : Error during cleaning.
    HKLM\SOFTWARE\Altnet\Dashboard -> Adware.Altnet : Error during cleaning.
    HKLM\SOFTWARE\Altnet\Dashboard\Settings -> Adware.Altnet : Error during cleaning.

    May I suggest you run the AVG scan in safe mode and see if it can be cleaned.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Run your AVG scan, quarantine, then save a logfile.

    Reboot into normal mode and rehide your protected OS files.

    Thereafter, please post the fresh AVG Antispyware log from normal mode as an attachment into this thread.


    Regards,
    Your friendly Momok =)
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Go to Add/Remove Programmes in your Control Panel and uninstall anything to do with (if there):

    Altnet.

    Close control panel.

    Locate and delete the following bold files and/or directories (if there).

    C:\program files\Altnet

    Click start/run and type regedit into the run box and press the enter key.

    Navigate to the following registry key and right click on the Altnet folder, choose delete. Close regedit.

    HKEY_LOCAL_MACHINE\SOFTWARE\Altnet <-- delete the entire folder.

    It appears you're not running any antivirus software at all. This is a huge security risk. You should download, install and run an antivirus programme as per step 2 of these instructions.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Run a full system scan with your antivirus programme and delete whatever it finds, including anything in the virus vault.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh AVG Antispyware log as well as a Combofix log.

    Regards Howard :)

    This thread is for the use of Khemic81 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
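As an added example that is not part of Howard's instructions, the PowerShell script below is a read-only audit of the Altnet remnants named in the post above (the Program Files directory, the Add/Remove Programs entry and the HKLM\SOFTWARE\Altnet key). It only reports what is still present and who owns the registry key, which is the first thing to check when a manual or scanner-driven delete of the key keeps failing; the paths and key names come from the post, nothing else is assumed.

```powershell
# Added example, not from the thread: read-only audit of the Altnet
# remnants named in the post above. Nothing here deletes anything.
$AltnetDir     = 'C:\Program Files\Altnet'      # directory named in the post
$AltnetKey     = 'HKLM:\SOFTWARE\Altnet'        # registry key named in the post
$UninstallRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

Write-Host '== Directory =='
if (Test-Path -LiteralPath $AltnetDir) {
    # -Force also lists hidden and system files, like the "Show all files" step
    Get-ChildItem -LiteralPath $AltnetDir -Recurse -Force -File |
        Select-Object FullName, Length, LastWriteTime
} else {
    Write-Host "$AltnetDir not present"
}

Write-Host '== Add/Remove Programs entries mentioning Altnet =='
Get-ChildItem $UninstallRoot | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    if ($p.DisplayName -like '*Altnet*') {
        [pscustomobject]@{ Name = $p.DisplayName; Uninstall = $p.UninstallString }
    }
}

Write-Host '== Registry key =='
if (Test-Path -LiteralPath $AltnetKey) {
    # Subkeys the scanners flagged (Altnet, Dashboard, Dashboard\Settings)
    Get-ChildItem -LiteralPath $AltnetKey -Recurse | Select-Object Name
    # A delete that fails from both regedit and the scanners is usually a
    # permissions problem: show the owner and the explicit (non-inherited) ACEs
    $acl = Get-Acl -LiteralPath $AltnetKey
    Write-Host "Owner: $($acl.Owner)"
    $acl.Access | Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, RegistryRights, AccessControlType
} else {
    Write-Host "$AltnetKey not present"
}
```

Run it from an elevated PowerShell prompt; if the key's owner or explicit ACEs deny the current account, that is why the scanners report "Error during cleaning".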
  6. Khemic81

    Khemic81 TS Rookie Topic Starter

    Okay, got combofix to work, attached log.

    Can't seem to get rid of Altnet though. Every program I run detects it, but I always get an error when I try to delete it, whether it be going to regedit and trying to delete it manually or through a program. No folders on my computer listing Altnet, just registry keys. One of the logs lists it as a point or points manager or something.

    I've got AVG anti-virus ready to run but I've got it turned off at the moment. That's guard.exe, right? Was giving me problems accessing the internet.

    Also attached my anti-spyware full system scan and registry scan and hjt logs...
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    guard.exe belongs to AVG Antispyware and not the free AVG antivirus programme. Please run a full system scan with your AVG antivirus programme as requested in my post above.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon, which will open a new window titled "Open Script File".
    Navigate to the file you have just downloaded, click on it and press Open.
    Now click on the Green Light to begin execution of the script.
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply, as well as fresh HJT, Combofix and AVG Antispyware logs.

    Regards Howard :)

    This thread is for the use of Khemic81 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
  8. Khemic81

    Khemic81 TS Rookie Topic Starter

    Seems to have done the trick. :)
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Everything looks good now.

    Don't forget to re-enable your Antivirus programme asap.

    Turn off system restore (XP/ME only). See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of Khemic81 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
  10. Khemic81

    Khemic81 TS Rookie Topic Starter

    Thank you so much, the last few days have been pretty stressful and I haven't gotten much sleep. :) System restore point is set and the previous are deleted and I have anti-virus back on.

    Once again thanks. Now time to hit the hay. :zzz: