TechSpot

Help me find/remove my trojan please!

By melian
Sep 1, 2006
  1. Clamwin and Ad-Aware tell me my system is clean now, but it isn't.... I keep getting random popups and then the malware comes back one by one. I don't know how to find the trojan that is causing all of this. It has found trojan.downloader.small before plus I have used vundofix and smitfraudfix. Here is my hijackthis log. Can someone please help?
     
  2. tomrca

    tomrca TS Rookie Posts: 1,000

    hello melian and welcome.
    first you need to go to here. be sure to follow all the instructions to the 'T'. then repost your fresh hjt in the format required. you can also scan with ewido from here
     
  3. melian

    melian TS Rookie Topic Starter

    I'm sorry that I didn't see that post first. I am reading it now and on step 1. I have a question though. I have already scanned with trend micro housecall using firefox. The other 3 all say I have to use Internet Explorer. The only way I can keep my computer from getting bogged down in a few minutes is by keeping internet explorer "offline" so that it can't go download more stuff and pop up windows. Do I have to use more online scanners than the housecall? Please let me know if there is a better solution than enabling IE again.
     
  4. tomrca

    tomrca TS Rookie Posts: 1,000

    rather than use the online scanners use the free trials some offer, and if you don't want to keep them, delete them. ewido for instance, gives a free trial of the version with real time protection, but you can keep it without this service and update manually. it is pretty good with Trojans and dialers. but if it's the only way, this method will still remove that problem too. the hjt readers have an excellent track record.
     
  5. melian

    melian TS Rookie Topic Starter

    There was another reply here before and I followed those instructions. I don't know why it has disappeared. But I have scanned with spybot and ewido and they found a bunch of things... I deleted them but every time I run them it finds new ones. The only thing that Spybot can't get rid of is Command Service. It is some registry entries that can't be deleted. Maybe this is what keeps reinstalling all of the other ones. How do I remove Command Service?
     
  6. melian

    melian TS Rookie Topic Starter

    Is there a reason I can't attach another file? I was going to send my ewido log also. I keep having to delete the same files over and over.
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    It was my reply you'd seen. I deleted it because I'd dropped a clanger.

    You should be able to post the ewido log as an attachment, but if you're having trouble, you can copy and paste it. Your HJT log is now clean BTW.

    My sincere apologies.

    Regards Howard :wave: :wave:
     
  8. melian

    melian TS Rookie Topic Starter

    The problem is that I can get it "clean" for a minute but the underlying problem is still there because they just keep coming back immediately. Here is the HJ log I just ran and there are some bad things in it... Plus ewido has popped up about 5 malwares since I started writing this. I have run everything in those threads you pointed me to earlier and everything just keeps coming back. Maybe the problem is that Command Service thing in the registry that won't delete... How do I take care of that?
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Go to add remove programmes in your control panel and uninstall anything to do with (if there).

    Toolbar888.

    Close control panel.

    Delete the bold folder C:\program files\toolbar888

    Download and run these four tools. Follow the instructions for using each tool.

    Tool1 Tool2 Tool3 Tool4.

    Post fresh HJT and Ewido logs after you're done.

    Regards Howard :)

    This thread is for the use of melian only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  10. melian

    melian TS Rookie Topic Starter

    I did the uninstall and ran those 4 tools. I have run them before trying to get rid of this stuff and like I said, they keep coming back. Here are my new logs.... I can get you clean ones but the viruses will be back a minute later.... is there a "master virus" I need to find and delete somehow?
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)

    O20 - Winlogon Notify: h618 - C:\WINDOWS\g771921.dll (file missing)

    O20 - Winlogon Notify: winaoc32 - C:\WINDOWS\SYSTEM32\winaoc32.dll <this is the nasty entry.

    Click on the fix checked button.

    Close HJT.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

    This is the filepath you need to enter into killbox.

    C:\WINDOWS\SYSTEM32\winaoc32.dll

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

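The triage applied to the HijackThis lines in the post above, written out as an added Python example (not part of the thread and not any poster's code). It sorts auto-loaded DLL entries into ones whose file is already gone and ones whose file still exists; the function names, the `known_good` allowlist and the `ExampleApp` O4 line are assumptions made for illustration.

```python
import re

# Constructed sample: the three entries quoted in the post above, plus one
# invented O4 line (ExampleApp is a placeholder) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O20 - Winlogon Notify: h618 - C:\WINDOWS\g771921.dll (file missing)
O20 - Winlogon Notify: winaoc32 - C:\WINDOWS\SYSTEM32\winaoc32.dll
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\example.exe
"""

LINE = re.compile(r"^(O\d+) - ([^:]+): (.+)$")
MISSING = "(file missing)"
# Sections whose DLL is loaded automatically: O2 = Browser Helper Object
# (into IE), O20 = Winlogon Notify (into winlogon.exe at every logon).
AUTOLOAD = {"O2": "BHO", "O20": "Winlogon Notify"}


def triage(log, known_good=frozenset()):
    """Return one finding per auto-loaded DLL entry in a HijackThis log."""
    findings = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m or AUTOLOAD.get(m.group(1)) != m.group(2).strip():
            continue  # not an O2/O20 entry
        rest = m.group(3).strip()
        missing = rest.endswith(MISSING)
        if missing:
            rest = rest[: -len(MISSING)].strip()
        name = rest.split(" - ", 1)[0]
        path = rest.rsplit(" - ", 1)[-1]
        if missing:
            status = "orphaned"    # registry entry only, nothing on disk
        elif path.lower() in known_good:
            status = "known-good"  # analyst-supplied allowlist (assumption)
        else:
            status = "review"      # file exists and loads automatically
        findings.append({"section": m.group(1), "name": name,
                         "path": path, "status": status})
    return findings


def files_needing_review(findings):
    """Paths that still exist on disk and need a verdict before removal."""
    return [f["path"] for f in findings if f["status"] == "review"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4}{f['status']:<10}{f['name']:<12}{f['path']}")
```

An "orphaned" entry only needs its registry value fixed in HijackThis, while a "review" entry points at a DLL that a running process may hold open, which is why the post schedules that file for deletion on reboot.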
     
  12. melian

    melian TS Rookie Topic Starter

    Thanks for getting back to me so quickly! I have done what you asked and here is the new HJT log.
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Have HJT fix this inactive entry.

    O20 - Winlogon Notify: winaoc32 - winaoc32.dll (file missing)

    Other than that, your HJT log is clean.

    How's your system running?

    Regards Howard :)

     
  14. melian

    melian TS Rookie Topic Starter

    It is still a little slow to start up, but I haven't seen any windows try to pop up in the last few minutes... A couple things:

    1. I have 6 svchost.exe processes running--- is that normal?
    2. ewido keeps finding new TrackingCookies even though I've scanned twice since that clean HJT. Does this mean something is still going on behind the scenes?
    3. Spybot has just found smitfraud-C, smitfraud-C.toolbar888, command service (which I was never able to remove) and HotsearchBar-- it is still searching so maybe there are more too...
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes.

    I wouldn't worry unduly about tracking cookies, they are normally fairly harmless. However, you can block any cookies you don't want in Firefox. See HERE for instructions.

    Once Spybot has finished scanning, delete whatever it finds, then go into the recovery section of Spybot and purge all items in there.

    Then, go HERE and follow the instructions for speeding up your system.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  16. melian

    melian TS Rookie Topic Starter

    Thank you very much for your help. I am still worried about the command service found by spybot. I am scanning with everything I have and right now my system does look clean but I am worried that if I take IE off of "offline" then I'll get flooded with malware again. I would leave IE alone except that I use Picasa to send pictures by email and it seems to use the IE internet settings. Otherwise, I only use Firefox to surf.

    I will take a look at the other links you sent me and if I decide to take IE back online and get reinfected then will post back here.
     
  17. tomrca

    tomrca TS Rookie Posts: 1,000

    no matter what explorer you use it will not stop malware being installed into your pc. it is downloaded by the pc owner, so more care is needed when downloading. there are firewalls available that will inform you that certain sites are spy sites etc, but even that won't stop some people. there is a EULA reader that will give you some idea of the overall content of the EULA, before ticking and clicking accept.
    Howard is far more advanced than I am in computing, so his view on malware etc can be taken as gospel, and in general with what I am saying will most likely agree. may I also add this, don't accept that a borrowed CD from a friend is free of malware either!

    be suspicious :wave:
     
  18. melian

    melian TS Rookie Topic Starter

    I know that it is my fault this happened this time. I downloaded and installed something I shouldn't have. But what I meant is that I wonder if everything is NOT really off of my computer and there is a hidden virus that will use IE to pop up ads and download more bad stuff. I think I will have to wait until Monday to find out though because I don't have time to deal with it this weekend. I've spent the last 3 days of this week trying to clean this computer and now I need a break! Is there a specific firewall that you recommend? I had not heard of these EULA readers? Is that something that you think would really help? If software has malware in it will they actually tell you that in the EULA?
     
  19. tomrca

    tomrca TS Rookie Posts: 1,000

    hi melian. firewalls that usually have this facility come as a package with an AV programme. there are two pretty good ones, 1. pc-cillin 2. zone alarm. there are more but stay away from norton/symantec and McAfee, but that's my view!
    you can go here for a eula reader. have a good look through the site, there is some very good information there.
    take care... :wave:
     
Topic Status:
Not open for further replies.
