I have 2 trojans please help

firefighter5654 · Nov 8, 2009

First I had the Opachki.a!lnk Trojan & was getting all kind of McAfee pop up warnings that it had detected & stopped the virus but all of my web pages were being hijacked & sending me all over the place when I would click on any link or do any search & had a rogue windows defender software on my system & started blocking my access to my anti virus software. I was then able to find this forum & followed the 8 steps & have my 3 logs but McAfee when running a full scan finds nothing but it's pop up comes up every few seconds to say it stoped the virus so after running the CCleanr, Malwarebytes, SuperAntiSpyware, & Hijackthis several times, which all found numerous virus locations on my pc . But now it looks like the Opachki.a!lnk trojan does not show up on any of the scans and now McAfee pop up is saying it is finding & stopping this Trojan now:
Detected: Artemis!3E3C44793893 (Trojan), Artemis!3E3C44793893 (Trojan)
Location: C:\WINDOWS\TEMP\vnmc.tmp
which is now showing up in a different C:\windows\temp\ location each time it pops up in McAfee. And all the spyware software now says computer is clean.

Can somebody please help?? I have included the last 2 log files from Malwarebytes & SuperAntiSpyware & only log i have for hijackthis

firefighter5654 · Nov 8, 2009

I have firefox 3.5.5 & ie 8 & a java is most recent version & older version removed

Branden · Nov 10, 2009

Opachki.a!lnk

This one is nasty. I found a lot of help about it on the following web page.

http://vil.nai.com/vil/content/v_240488.htm

I hope it helps it did me.

Cheers Branden

Bobbye · Nov 10, 2009

Welcome to TechSpot, firefighter. I'll try and help with the malware.

To begin, your host files have been hijacked. So everytime you try to access a site, you're being taken to a site in Germany: Hetzner Online AG, country: DE

Please reopen HijackThis to 'do system scan only'. Check all of the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 88.198.198.204 google.ae
O1 - Hosts: 88.198.198.204 google.as
O1 - Hosts: 88.198.198.204 google.at
O1 - Hosts: 88.198.198.204 google.az
O1 - Hosts: 88.198.198.204 google.ba
O1 - Hosts: 88.198.198.204 google.be
O1 - Hosts: 88.198.198.204 google.bg
O1 - Hosts: 88.198.198.204 google.bs
O1 - Hosts: 88.198.198.204 google.ca
O1 - Hosts: 88.198.198.204 google.cd
O1 - Hosts: 88.198.198.204 google.com.gh
O1 - Hosts: 88.198.198.204 google.com.hk
O1 - Hosts: 88.198.198.204 google.com.jm
O1 - Hosts: 88.198.198.204 google.com.mx
O1 - Hosts: 88.198.198.204 google.com.my
O1 - Hosts: 88.198.198.204 google.com.na
O1 - Hosts: 88.198.198.204 google.com.nf
O1 - Hosts: 88.198.198.204 google.com.ng
O1 - Hosts: 88.198.198.204 google.ch
O1 - Hosts: 88.198.198.204 google.com.np
O1 - Hosts: 88.198.198.204 google.com.pr
O1 - Hosts: 88.198.198.204 google.com.qa
O1 - Hosts: 88.198.198.204 google.com.sg
O1 - Hosts: 88.198.198.204 google.com.tj
O1 - Hosts: 88.198.198.204 google.com.tw
O1 - Hosts: 88.198.198.204 google.dj
O1 - Hosts: 88.198.198.204 google.de
O1 - Hosts: 88.198.198.204 google.dk
O1 - Hosts: 88.198.198.204 google.dm
O1 - Hosts: 88.198.198.204 google.ee
O1 - Hosts: 88.198.198.204 google.fi
O1 - Hosts: 88.198.198.204 google.fm
O1 - Hosts: 88.198.198.204 google.fr
O1 - Hosts: 88.198.198.204 google.ge
O1 - Hosts: 88.198.198.204 google.gg
O1 - Hosts: 88.198.198.204 google.gm
O1 - Hosts: 88.198.198.204 google.gr
O1 - Hosts: 88.198.198.204 google.ht
O1 - Hosts: 88.198.198.204 google.ie
O1 - Hosts: 88.198.198.204 google.im
O1 - Hosts: 88.198.198.204 google.in
O1 - Hosts: 88.198.198.204 google.it
O1 - Hosts: 88.198.198.204 google.ki
O1 - Hosts: 88.198.198.204 google.la
O1 - Hosts: 88.198.198.204 google.li
O1 - Hosts: 88.198.198.204 google.lv
O1 - Hosts: 88.198.198.204 google.ma
O1 - Hosts: 88.198.198.204 google.ms
O1 - Hosts: 88.198.198.204 google.mu
O1 - Hosts: 88.198.198.204 google.mw
O1 - Hosts: 88.198.198.204 google.nl
O1 - Hosts: 88.198.198.204 google.no
O1 - Hosts: 88.198.198.204 google.nr
O1 - Hosts: 88.198.198.204 google.nu
O1 - Hosts: 88.198.198.204 google.pl
O1 - Hosts: 88.198.198.204 google.pn
O1 - Hosts: 88.198.198.204 google.pt
O1 - Hosts: 88.198.198.204 google.ro
O1 - Hosts: 88.198.198.204 google.ru
O1 - Hosts: 88.198.198.204 google.rw
O1 - Hosts: 88.198.198.204 google.sc
O1 - Hosts: 88.198.198.204 google.se
O1 - Hosts: 88.198.198.204 google.sh
O1 - Hosts: 88.198.198.204 google.si
O1 - Hosts: 88.198.198.204 google.sm
O1 - Hosts: 88.198.198.204 google.sn
O1 - Hosts: 88.198.198.204 google.st
O1 - Hosts: 88.198.198.204 google.tl
O1 - Hosts: 88.198.198.204 google.tm
O1 - Hosts: 88.198.198.204 google.tt
O1 - Hosts: 88.198.198.204 google.us
O1 - Hosts: 88.198.198.204 google.vu
O1 - Hosts: 88.198.198.204 google.ws
O1 - Hosts: 88.198.198.204 google.co.ck
O1 - Hosts: 88.198.198.204 google.co.id
O1 - Hosts: 88.198.198.204 google.co.il
O1 - Hosts: 88.198.198.204 google.co.in
O1 - Hosts: 88.198.198.204 google.co.jp
O1 - Hosts: 88.198.198.204 google.co.kr
O1 - Hosts: 88.198.198.204 google.co.ls
O1 - Hosts: 88.198.198.204 google.co.ma
O1 - Hosts: 88.198.198.204 google.co.nz
O1 - Hosts: 88.198.198.204 google.co.tz
O1 - Hosts: 88.198.198.204 google.co.ug
O1 - Hosts: 88.198.198.204 google.co.uk
O1 - Hosts: 88.198.198.204 google.co.za
O1 - Hosts: 88.198.198.204 google.co.zm
O1 - Hosts: 88.198.198.204 google.com
O1 - Hosts: 88.198.198.204 google.com.af
O1 - Hosts: 88.198.198.204 google.com.ag
O1 - Hosts: 88.198.198.204 google.com.ar
O1 - Hosts: 88.198.198.204 google.com.au
O1 - Hosts: 88.198.198.204 google.com.bn
O1 - Hosts: 88.198.198.204 google.com.br

Close all Windows except HijackThis and click on "Fix Checked."

Empty the Recycle Bin

TFC (Temp File Cleaner)

Download TFC to your desktop

Open the file and close any other windows.
It will close all programs itself when run, make sure to let it run uninterrupted.
Click the Start button to begin the process. The program should not take long to finish its job
Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

Empty the Recycle Bin

When you have finished, please rescan with HijackThis and paste a new log in your next reply..

I'll continue after that.

firefighter5654 · Nov 16, 2009

No Luck Removing those items

I checked all of the items you said to check & clicked fix checked & tried to empty recycle bin but they were empty so nothing to empty & ran the TFC like you said & it did its thing & shut down windows but just stalls on windows shutting down screen & then I have to do a hard shut down after 10 minutes or more. Tried this 3 times with same results each time. I also went to to svc.host file directly to delete all items listed & tried to save & it says it can't be saved. I even tried to delete the complete svc.host file completely but each time it comes right back. I'm pulling my hair out at this point & don't know what else to do. i have included new hijackthis log but it looks the same to me.

Bobbye · Nov 16, 2009

I'm going to ask for some help firefighter. Hang on, okay?

kritius · Nov 17, 2009

1. Please download The Avenger by Swandog46 to your Desktop.

Right click on the Avenger.zip folder and select "Extract All..."
Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code:

Begin copying here:
Files to delete:
C:\WINDOWS\system32\drivers\etc\hosts

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

Right click on the window under Input script here:, and select Paste.
You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
Click on Execute
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avengers actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply

Bobbye · Nov 17, 2009

firefighter, you are in good hands. Please follow the instructions that kritius has set up for you.

Thanks for your help kritus.

firefighter5654 · Dec 19, 2009

Hi Bobbye & Kritius,

Sorry for long delay to respond but pc finally crash & had to resort to formating hard drive & lost all bookmarks so i could not find your forum. I have found it now & thank you for your time & effort. This is an excellent service you provide for free & i guess its like me being a vol firefighter. It's great that we all help each other out & i will be back if any of my friends or i have future problems. Thanks Ron

Bobbye · Dec 19, 2009

Thanks for taking the time to come back and update us Ron. Very few people bother to do that- but it's always appreciated.

Wishing you a Happy Holiday Season!

I have 2 trojans please help

firefighter5654

firefighter5654

Branden

Bobbye

Posts: 16,313 +36

firefighter5654

Bobbye

Posts: 16,313 +36

kritius

Posts: 2,077 +0

Bobbye

Posts: 16,313 +36

firefighter5654

Bobbye

Posts: 16,313 +36

Similar threads

Latest posts