TechSpot

HJT log for review - had .tibs and luder.a worm

By reyna
Jan 10, 2007
  1. Hello,

    My mother started noticing all of these .t extension files on her computer. I did a little looking and ended up here. I followed the "preliminary removal" instructions and here is my log. Please let me know if I need to do anything else. Any help would be greatly appreciated!
     

  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your system is infected with at least one trojan.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Post a fresh HJT log and an AVG Antispyware log as per the instructions in this thread HERE.

    Regards Howard :wave: :wave:

    This thread is for the use of reyna only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. reyna

    reyna TS Rookie Topic Starter Posts: 21

    Okay. Those are the instructions I originally followed. The only thing was that I could not get the smitfraud fix tool to work, as when I tried to open it it told me that I did not have permission to access.

    Are you asking me to do all of those things over again and post new HJT and AVG antispyware log? I just want to make sure I do it right.
     
  4. tomrca

    tomrca TS Rookie Posts: 1,000

    hi Reyna.
    Howard hasn't mentioned this yet, but he most certainly will. You are running Norton (Symantec) and ZoneAlarm together. These two programmes are not compatible. You will be far better off running ZoneAlarm firewall (free), with (free) rather than Norton. Norton is a big name and big bother!!
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You should try and run the smitfraudfix again, but don`t worry too much if it still won`t work.

    I didn`t mean for you to follow all the instructions again, I just wanted you to follow the instructions for AVG Antispyware, then post fresh log files.

    Regards Howard :)

     
  6. reyna

    reyna TS Rookie Topic Starter Posts: 21

    Thanks, both of you. I will get my mother to send me a fresh log for HJT and AVG Antispyware asap. [Do the scans still need to be run in safe mode?] The next time I go to her home I will follow your instructions for getting rid of Norton.

    I cannot tell you how many times I said, "Mom do you have your antivirus updated?" and she said yes. I swear I don't think she's updated it since the computer was purchased in 2002.

    Okay, got them. Thanks guys.
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Delete all files in AVG Antispyware quarantine.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    alsys.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

    O4 - HKLM\..\Run: [Agent] C:\WINDOWS\System32\alsys.exe

    O4 - HKCU\..\Run: [Agent] C:\WINDOWS\System32\alsys.exe

    O4 - Global Startup: Digital Line Detect.lnk = ?

    Fix all O18 - Protocol: entries.

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\WINDOWS\System32\alsys.exe

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

     
  8. reyna

    reyna TS Rookie Topic Starter Posts: 21

    Here is the new:
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    You are running more than one antivirus programme. This is not recommended, will slow your system and can cause conflicts. I suggest you completely uninstall Symantec/Norton crapware. If you have any problems with the uninstall, see this thread HERE.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  10. reyna

    reyna TS Rookie Topic Starter Posts: 21

    Thank you so much. As soon as I get back to her house I will uninstall Norton.
     
  11. reyna

    reyna TS Rookie Topic Starter Posts: 21

    Can't access certain sites

    Hi guys,

    I have a laptop and my husband has a desktop computer and they are networked. Neither of us can access certain sites in either IE or Firefox. When trying to load these sites, you get each browser's version of the "404 error" page after a couple of seconds. Examples of sites I cannot access are macys.com, wvu.edu, and ftc.gov. I followed the preliminary instructions and attached are my HijackThis log and AVG Antispyware log.
     
  12. Rik

    Rik Banned Posts: 3,814

  13. reyna

    reyna TS Rookie Topic Starter Posts: 21

    I would like to clean the system.
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Threads merged.

    Your system is infected with a rootkit.

    Download and run the Blacklight programme. Follow all the instructions carefully.

    Post a fresh HJT log after doing the above.

    Regards Howard :)

     
  15. reyna

    reyna TS Rookie Topic Starter Posts: 21

    Hi Howard, sorry I have different threads running because they were for different computers. I tried blacklight and it did not find anything but here is the log.
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)

    O17 - HKLM\System\CCS\Services\Tcpip\..\{168DF924-B89F-471E-BD2D-60E44F65EE7B}: NameServer = 85.255.113.91,85.255.112.180

    O17 - HKLM\System\CCS\Services\Tcpip\..\{2729BBD8-F2E6-4CD7-903B-FFA5AF4766B4}: NameServer = 85.255.113.91,85.255.112.180

    O17 - HKLM\System\CS1\Services\Tcpip\..\{168DF924-B89F-471E-BD2D-60E44F65EE7B}: NameServer = 85.255.113.91,85.255.112.180

    Click on the fix checked button.

    Close HJT and reboot your system.

    Post a fresh HJT log.

    Regards Howard :)

     
  17. reyna

    reyna TS Rookie Topic Starter Posts: 21

    Done. New log for my comp:
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is now clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  19. reyna

    reyna TS Rookie Topic Starter Posts: 21

    And finally.. my husband's computer

    Thanks, these are my husband's logs from his comp. I suspect it is his comp that hangs everything up on access to the sites.
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Delete all files in AVG Antispyware quarantine.

    Download and run the Blacklight programme. Follow all the instructions carefully.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    dmkmf.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    F2 - REG:system.ini: UserInit=userinit.exe

    O1 - Hosts: localhost 127.0.0.1

    O4 - HKLM\..\Run: [dmkmf.exe] C:\WINDOWS\system32\dmkmf.exe

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O17 - HKLM\System\CCS\Services\Tcpip\..\{20FF2619-B70D-46D1-BC0E-A800208D431B}: NameServer = 85.255.116.130,85.255.112.191

    O17 - HKLM\System\CCS\Services\Tcpip\..\{21DB5A62-3B35-41C2-9592-5E4E5CDF8E15}: NameServer = 85.255.116.130,85.255.112.191

    O17 - HKLM\System\CCS\Services\Tcpip\..\{E1EEB06E-BD36-406D-9712-80DC711256DE}: NameServer = 85.255.116.130,85.255.112.191

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.130 85.255.112.191

    O17 - HKLM\System\CS1\Services\Tcpip\..\{20FF2619-B70D-46D1-BC0E-A800208D431B}: NameServer = 85.255.116.130,85.255.112.191

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.130 85.255.112.191

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\WINDOWS\system32\dmkmf.exe

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

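A defender-side triage check for the O17 NameServer entries Howard had fixed in posts 16 and 20. This is an added Python example, not code from the thread, from HijackThis or from TechSpot: it parses O17 lines in the format HJT prints and reports any resolver that is neither a private (home router) address nor on an allowlist of expected ISP resolvers. The sample log reuses entries quoted above plus one constructed benign entry with a placeholder GUID.

```python
import ipaddress
import re

# Constructed sample log: the O4/O17 lines quoted in the thread above, plus one
# constructed benign O17 entry (placeholder GUID) pointing at a home router.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [dmkmf.exe] C:\\WINDOWS\\system32\\dmkmf.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{20FF2619-B70D-46D1-BC0E-A800208D431B}: NameServer = 85.255.116.130,85.255.112.191
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: NameServer = 85.255.116.130 85.255.112.191
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\[^:]+): NameServer = (?P<servers>.+)$")


def parse_o17(line):
    """Return (registry_key, [ip, ...]) for an O17 NameServer line, else None.
    HJT prints the list comma-separated under per-interface keys and
    space-separated under Tcpip\\Parameters (both forms appear above),
    so split on either."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
    return m.group("key"), servers


def is_expected_resolver(ip, trusted):
    """True if the resolver is a private/link-local address (typical home
    router) or is on the caller's allowlist of ISP/public resolvers.
    Anything unparseable is treated as unexpected."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_private or addr.is_link_local or addr in trusted


def find_nameserver_hijacks(log_text, trusted=()):
    """Return [(registry_key, [unexpected_ip, ...]), ...] for every O17 line
    that sends DNS resolution somewhere other than an expected resolver."""
    trusted_set = {ipaddress.ip_address(t) for t in trusted}
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o17(line)
        if parsed is None:  # other HJT sections are ignored here
            continue
        key, servers = parsed
        bad = [s for s in servers if not is_expected_resolver(s, trusted_set)]
        if bad:
            findings.append((key, bad))
    return findings
```

Because the same rogue pair is set on every interface key and on both control sets (CCS and CS1), a hit on one key should prompt a check of all of them, as Howard's fix list does.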
     
  21. reyna

    reyna TS Rookie Topic Starter Posts: 21

    Done - fresh log.

    PS: I see down at the very bottom there is "O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe -service (file missing)". Is that something that needs fixed?
     
  22. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Well done, your HJT log is now clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  23. reyna

    reyna TS Rookie Topic Starter Posts: 21

    Let the deity of your choice bless you, and is there a place here where I can donate or something? Thank you SO much for reviewing these!
     
  24. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Techspot is paid for from advertising, therefore, it`s not necessary to make a donation. Thanks for the offer though.

    Regards Howard :)

     
Topic Status:
Not open for further replies.
