Help me find/remove my trojan please!


melian

Clamwin and Ad-Aware tell me my system is clean now, but it isn't... I keep getting random popups, and then the malware comes back one by one. I don't know how to find the trojan that is causing all of this. It has found trojan.downloader.small before, plus I have used VundoFix and SmitFraudFix. Here is my HijackThis log. Can someone please help?
 
Hello melian, and welcome.
First you need to go here. Be sure to follow all the instructions to the 'T', then repost your fresh HJT log in the format required. You can also scan with Ewido from here.
 
I'm sorry that I didn't see that post first. I am reading it now and on step 1. I have a question though. I have already scanned with Trend Micro HouseCall using Firefox. The other 3 all say I have to use Internet Explorer. The only way I can keep my computer from getting bogged down in a few minutes is by keeping Internet Explorer "offline" so that it can't go download more stuff and pop up windows. Do I have to use more online scanners than HouseCall? Please let me know if there is a better solution than enabling IE again.
 
Rather than use the online scanners, use the free trials some offer, and if you don't want to keep them, delete them. Ewido, for instance, gives a free trial of the version with real-time protection, but you can keep it without this service and update manually. It is pretty good with trojans and dialers. But if it's the only way, this method will still remove that problem too. The HJT readers have an excellent track record.
 
There was another reply here before and I followed those instructions. I don't know why it has disappeared. But I have scanned with Spybot and Ewido and they found a bunch of things... I deleted them, but every time I run them they find new ones. The only thing that Spybot can't get rid of is Command Service. It is some registry entries that can't be deleted. Maybe this is what keeps reinstalling all of the other ones. How do I remove Command Service?
 
Is there a reason I can't attach another file? I was going to send my Ewido log also. I keep having to delete the same files over and over.
 
Hello and welcome to Techspot.

It was my reply you`d seen. I deleted it because I`d dropped a clanger.

You should be able to post the Ewido log as an attachment, but if you`re having trouble, you can copy and paste it. Your HJT log is now clean, BTW.

My sincere apologies.

Regards Howard
 
The problem is that I can get it "clean" for a minute, but the underlying problem is still there because they just keep coming back immediately. Here is the HJT log I just ran, and there are some bad things in it... Plus Ewido has popped up about 5 malwares since I started writing this. I have run everything in those threads you pointed me to earlier, and everything just keeps coming back. Maybe the problem is that Command Service thing in the registry that won't delete... How do I take care of that?
 
Go to Add/Remove Programmes in your Control Panel and uninstall anything to do with (if there):

Toolbar888.

Close Control Panel.

Delete the following folder: C:\Program Files\Toolbar888

Download and run these four tools. Follow the instructions for using each tool.

Tool1 Tool2 Tool3 Tool4.

Post fresh HJT and Ewido logs after you`re done.

Regards Howard :)

This thread is for the use of melian only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I did the uninstall and ran those 4 tools. I have run them before, trying to get rid of this stuff, and like I said, they keep coming back. Here are my new logs... I can get you clean ones, but the viruses will be back a minute later... Is there a "master virus" I need to find and delete somehow?
 
Download the Pocket Killbox programme from HERE. Extract it but don`t run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)

O20 - Winlogon Notify: h618 - C:\WINDOWS\g771921.dll (file missing)

O20 - Winlogon Notify: winaoc32 - C:\WINDOWS\SYSTEM32\winaoc32.dll <- this is the nasty entry.

Click on the fix checked button.

Close HJT.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete File on Reboot" button. Press the Delete File button (it looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

This is the filepath you need to enter into killbox.

C:\WINDOWS\SYSTEM32\winaoc32.dll

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :)

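The two HJT item types Howard has melian fix above (O2 Browser Helper Objects and O20 Winlogon Notify DLLs) and the Killbox "delete on reboot" step can all be checked and reproduced from the registry directly. The script below is an added example, not code from the thread or from HijackThis/Killbox: it lists every BHO and Winlogon Notify DLL, reports whether the file is actually on disk (HJT's "(file missing)") and whether it carries a valid Authenticode signature, and shows how delete-on-reboot works under the hood, by appending a (source, empty destination) pair to the PendingFileRenameOperations value that Session Manager processes at boot. Function names and the table layout are this example's own; the only path taken from the thread is C:\WINDOWS\SYSTEM32\winaoc32.dll. It assumes an elevated PowerShell session.

```powershell
# Added example: audit HJT O2/O20 autostart locations and queue a delete-on-reboot.
# Run from an elevated PowerShell prompt. Nothing is deleted unless you call
# Add-DeleteOnReboot yourself.

function Get-WinlogonNotifyEntries {
    # O20 in HJT terms: every subkey here names a DLL that winlogon loads at logon.
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $base)) { return }
    Get-ChildItem $base | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DLLName
        # A bare file name is loaded from System32 by winlogon, so resolve it the same way.
        $resolved = if ($dll -and -not [System.IO.Path]::IsPathRooted($dll)) {
            Join-Path $env:SystemRoot "System32\$dll"
        } else { $dll }
        New-Finding -Kind 'O20 Winlogon Notify' -Name $_.PSChildName -Path $resolved
    }
}

function Get-BhoEntries {
    # O2 in HJT terms: each subkey is a CLSID; the DLL lives under HKCR\CLSID\{...}\InprocServer32.
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $base)) { return }
    Get-ChildItem $base | ForEach-Object {
        $clsid  = $_.PSChildName
        $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $name   = if (Test-Path $clsKey) { (Get-ItemProperty $clsKey).'(default)' } else { '(no CLSID key)' }
        $server = "$clsKey\InprocServer32"
        $path   = if (Test-Path $server) { (Get-ItemProperty $server).'(default)' } else { $null }
        if ($path) { $path = [Environment]::ExpandEnvironmentVariables($path) }
        New-Finding -Kind 'O2 BHO' -Name "$name $clsid" -Path $path
    }
}

function New-Finding {
    param([string]$Kind, [string]$Name, [string]$Path)
    $exists = [bool]($Path -and (Test-Path -LiteralPath $Path))
    # Unsigned or missing DLLs in these keys are the ones worth a closer look.
    $signed = if ($exists) {
        (Get-AuthenticodeSignature -FilePath $Path).Status -eq 'Valid'
    } else { $false }
    [pscustomobject]@{ Kind = $Kind; Name = $Name; Path = $Path; Exists = $exists; Signed = $signed }
}

function Add-DeleteOnReboot {
    # Same mechanism Killbox (and MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT) uses:
    # PendingFileRenameOperations is a REG_MULTI_SZ of (source, destination) pairs;
    # an empty destination tells Session Manager to delete the source before any
    # user-mode code has the file locked.
    param([Parameter(Mandatory)][string]$Path)
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $prop = Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    $ops  = @()
    if ($prop) { $ops += $prop.PendingFileRenameOperations }
    $ops += "\??\$Path"   # NT object-manager path form, as MoveFileEx writes it
    $ops += ''            # empty destination = delete
    Set-ItemProperty -Path $key -Name PendingFileRenameOperations -Value ([string[]]$ops) -Type MultiString
    Write-Host "Queued for deletion at next reboot: $Path"
}

# --- usage ---
$findings = @(Get-BhoEntries) + @(Get-WinlogonNotifyEntries)
$findings | Format-Table -AutoSize

# Dead entries are HJT's "(file missing)" lines; live unsigned DLLs deserve attention.
$findings | Where-Object { $_.Exists -and -not $_.Signed } | ForEach-Object {
    Write-Warning "Unsigned autostart DLL: $($_.Kind) '$($_.Name)' -> $($_.Path)"
}

# Remove the Notify key first (as HJT's fix does), then queue the DLL itself, e.g.:
# Remove-Item 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winaoc32'
# Add-DeleteOnReboot -Path 'C:\WINDOWS\SYSTEM32\winaoc32.dll'
```

Removing the registry entry before queuing the file matters for the same reason Howard orders the steps HJT-then-Killbox: a Winlogon Notify DLL is mapped into winlogon.exe at every logon, so it cannot be deleted while the system is up, and if the key survives the reboot winlogon will just try to load it again (which is the inactive "(file missing)" entry that turns up in the next log).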
 
Thanks for getting back to me so quickly! I have done what you asked and here is the new HJT log.
 
Have HJT fix this inactive entry.

O20 - Winlogon Notify: winaoc32 - winaoc32.dll (file missing)

Other than that, your HJT log is clean.

How`s your system running?

Regards Howard :)

 
It is still a little slow to start up, but I haven't seen any windows try to pop up in the last few minutes... A couple of things:

1. I have 6 svchost.exe processes running. Is that normal?
2. Ewido keeps finding new TrackingCookies even though I've scanned twice since that clean HJT. Does this mean something is still going on behind the scenes?
3. Spybot has just found Smitfraud-C, Smitfraud-C.toolbar888, Command Service (which I was never able to remove) and HotSearchBar. It is still searching, so maybe there are more too...
 
1. I have 6 svchost.exe processes running. Is that normal?

Yes.

2. Ewido keeps finding new TrackingCookies even though I've scanned twice since that clean HJT. Does this mean something is still going on behind the scenes?

I wouldn`t worry unduly about tracking cookies, they are normally fairly harmless. However, you can block any cookies you don`t want in Firefox. See HERE for instructions.

3. Spybot has just found Smitfraud-C, Smitfraud-C.toolbar888, Command Service (which I was never able to remove) and HotSearchBar. It is still searching, so maybe there are more too...

Once Spybot has finished scanning, delete whatever it finds, then go into the recovery section of Spybot and purge all items in there.

Then, go HERE and follow the instructions for speeding up your system.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
Thank you very much for your help. I am still worried about the Command Service found by Spybot. I am scanning with everything I have, and right now my system does look clean, but I am worried that if I take IE off of "offline" then I'll get flooded with malware again. I would leave IE alone except that I use Picasa to send pictures by email, and it seems to use the IE internet settings. Otherwise, I only use Firefox to surf.

I will take a look at the other links you sent me and if I decide to take IE back online and get reinfected then will post back here.
 
No matter what browser you use, it will not stop malware being installed on your PC. It is downloaded by the PC owner, so more care is needed when downloading. There are firewalls available that will inform you that certain sites are spy sites etc., but even that won't stop some people. There is a EULA reader that will give you some idea of the overall content of the EULA before ticking and clicking Accept.
Howard is far more advanced than I am in computing, so his view on malware etc. can be taken as gospel, and in general he will most likely agree with what I am saying. May I also add this: don't accept that a borrowed CD from a friend is free of malware either!

Be suspicious!
 
I know that it is my fault this happened this time. I downloaded and installed something I shouldn't have. But what I meant is that I wonder if everything is NOT really off of my computer and there is a hidden virus that will use IE to pop up ads and download more bad stuff. I think I will have to wait until Monday to find out, though, because I don't have time to deal with it this weekend. I've spent the last 3 days of this week trying to clean this computer and now I need a break! Is there a specific firewall that you recommend? I had not heard of these EULA readers. Is that something that you think would really help? If software has malware in it, will they actually tell you that in the EULA?
 
Hi melian. Firewalls that usually have this facility come as a package with an AV programme. There are two pretty good ones: 1. PC-cillin, 2. ZoneAlarm. There are more, but stay away from Norton/Symantec and McAfee; that's my view!
You can go here for a EULA reader. Have a good look through the site; there is some very good information there.
Take care...
 