TechSpot

I have 2 trojans please help

By firefighter5654
Nov 8, 2009
  1. First I had the Opachki.a!lnk Trojan & was getting all kinds of McAfee pop-up warnings that it had detected & stopped the virus, but all of my web pages were being hijacked & sending me all over the place when I would click on any link or do any search, & I had a rogue Windows Defender software on my system that started blocking my access to my anti-virus software. I was then able to find this forum & followed the 8 steps & have my 3 logs, but McAfee, when running a full scan, finds nothing, yet its pop-up comes up every few seconds to say it stopped the virus, so I ran CCleaner, Malwarebytes, SuperAntiSpyware, & HijackThis several times, which all found numerous virus locations on my PC. But now it looks like the Opachki.a!lnk trojan does not show up on any of the scans, and now the McAfee pop-up is saying it is finding & stopping this Trojan:
    Detected: Artemis!3E3C44793893 (Trojan), Artemis!3E3C44793893 (Trojan)
    Location: C:\WINDOWS\TEMP\vnmc.tmp
    which is now showing up in a different C:\windows\temp\ location each time it pops up in McAfee. And all the spyware software now says the computer is clean.

    Can somebody please help?? I have included the last 2 log files from Malwarebytes & SuperAntiSpyware & the only log I have for HijackThis.
     
  2. firefighter5654

    firefighter5654 TS Rookie Topic Starter

    I have Firefox 3.5.5 & IE 8, & Java is the most recent version & the older version removed.
     
  3. Branden

    Branden TS Rookie

  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot, firefighter. I'll try and help with the malware.

    To begin, your hosts file has been hijacked. So every time you try to access a site, you're being taken to a site in Germany: Hetzner Online AG, country: DE

    Please reopen HijackThis to 'do system scan only'. Check all of the following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
    O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
    O1 - Hosts: 74.125.45.100 secure-plus-payments.com
    O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
    O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
    O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
    O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
    O1 - Hosts: 88.198.198.204 google.ae
    O1 - Hosts: 88.198.198.204 google.as
    O1 - Hosts: 88.198.198.204 google.at
    O1 - Hosts: 88.198.198.204 google.az
    O1 - Hosts: 88.198.198.204 google.ba
    O1 - Hosts: 88.198.198.204 google.be
    O1 - Hosts: 88.198.198.204 google.bg
    O1 - Hosts: 88.198.198.204 google.bs
    O1 - Hosts: 88.198.198.204 google.ca
    O1 - Hosts: 88.198.198.204 google.cd
    O1 - Hosts: 88.198.198.204 google.com.gh
    O1 - Hosts: 88.198.198.204 google.com.hk
    O1 - Hosts: 88.198.198.204 google.com.jm
    O1 - Hosts: 88.198.198.204 google.com.mx
    O1 - Hosts: 88.198.198.204 google.com.my
    O1 - Hosts: 88.198.198.204 google.com.na
    O1 - Hosts: 88.198.198.204 google.com.nf
    O1 - Hosts: 88.198.198.204 google.com.ng
    O1 - Hosts: 88.198.198.204 google.ch
    O1 - Hosts: 88.198.198.204 google.com.np
    O1 - Hosts: 88.198.198.204 google.com.pr
    O1 - Hosts: 88.198.198.204 google.com.qa
    O1 - Hosts: 88.198.198.204 google.com.sg
    O1 - Hosts: 88.198.198.204 google.com.tj
    O1 - Hosts: 88.198.198.204 google.com.tw
    O1 - Hosts: 88.198.198.204 google.dj
    O1 - Hosts: 88.198.198.204 google.de
    O1 - Hosts: 88.198.198.204 google.dk
    O1 - Hosts: 88.198.198.204 google.dm
    O1 - Hosts: 88.198.198.204 google.ee
    O1 - Hosts: 88.198.198.204 google.fi
    O1 - Hosts: 88.198.198.204 google.fm
    O1 - Hosts: 88.198.198.204 google.fr
    O1 - Hosts: 88.198.198.204 google.ge
    O1 - Hosts: 88.198.198.204 google.gg
    O1 - Hosts: 88.198.198.204 google.gm
    O1 - Hosts: 88.198.198.204 google.gr
    O1 - Hosts: 88.198.198.204 google.ht
    O1 - Hosts: 88.198.198.204 google.ie
    O1 - Hosts: 88.198.198.204 google.im
    O1 - Hosts: 88.198.198.204 google.in
    O1 - Hosts: 88.198.198.204 google.it
    O1 - Hosts: 88.198.198.204 google.ki
    O1 - Hosts: 88.198.198.204 google.la
    O1 - Hosts: 88.198.198.204 google.li
    O1 - Hosts: 88.198.198.204 google.lv
    O1 - Hosts: 88.198.198.204 google.ma
    O1 - Hosts: 88.198.198.204 google.ms
    O1 - Hosts: 88.198.198.204 google.mu
    O1 - Hosts: 88.198.198.204 google.mw
    O1 - Hosts: 88.198.198.204 google.nl
    O1 - Hosts: 88.198.198.204 google.no
    O1 - Hosts: 88.198.198.204 google.nr
    O1 - Hosts: 88.198.198.204 google.nu
    O1 - Hosts: 88.198.198.204 google.pl
    O1 - Hosts: 88.198.198.204 google.pn
    O1 - Hosts: 88.198.198.204 google.pt
    O1 - Hosts: 88.198.198.204 google.ro
    O1 - Hosts: 88.198.198.204 google.ru
    O1 - Hosts: 88.198.198.204 google.rw
    O1 - Hosts: 88.198.198.204 google.sc
    O1 - Hosts: 88.198.198.204 google.se
    O1 - Hosts: 88.198.198.204 google.sh
    O1 - Hosts: 88.198.198.204 google.si
    O1 - Hosts: 88.198.198.204 google.sm
    O1 - Hosts: 88.198.198.204 google.sn
    O1 - Hosts: 88.198.198.204 google.st
    O1 - Hosts: 88.198.198.204 google.tl
    O1 - Hosts: 88.198.198.204 google.tm
    O1 - Hosts: 88.198.198.204 google.tt
    O1 - Hosts: 88.198.198.204 google.us
    O1 - Hosts: 88.198.198.204 google.vu
    O1 - Hosts: 88.198.198.204 google.ws
    O1 - Hosts: 88.198.198.204 google.co.ck
    O1 - Hosts: 88.198.198.204 google.co.id
    O1 - Hosts: 88.198.198.204 google.co.il
    O1 - Hosts: 88.198.198.204 google.co.in
    O1 - Hosts: 88.198.198.204 google.co.jp
    O1 - Hosts: 88.198.198.204 google.co.kr
    O1 - Hosts: 88.198.198.204 google.co.ls
    O1 - Hosts: 88.198.198.204 google.co.ma
    O1 - Hosts: 88.198.198.204 google.co.nz
    O1 - Hosts: 88.198.198.204 google.co.tz
    O1 - Hosts: 88.198.198.204 google.co.ug
    O1 - Hosts: 88.198.198.204 google.co.uk
    O1 - Hosts: 88.198.198.204 google.co.za
    O1 - Hosts: 88.198.198.204 google.co.zm
    O1 - Hosts: 88.198.198.204 google.com
    O1 - Hosts: 88.198.198.204 google.com.af
    O1 - Hosts: 88.198.198.204 google.com.ag
    O1 - Hosts: 88.198.198.204 google.com.ar
    O1 - Hosts: 88.198.198.204 google.com.au
    O1 - Hosts: 88.198.198.204 google.com.bn
    O1 - Hosts: 88.198.198.204 google.com.br


    Close all Windows except HijackThis and click on "Fix Checked."

    Empty the Recycle Bin

    TFC (Temp File Cleaner)

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job.
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

    TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

    TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

    Empty the Recycle Bin

    When you have finished, please rescan with HijackThis and paste a new log in your next reply.

    I'll continue after that.
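    The O1 entries Bobbye lists above are the classic hosts-file hijack: dozens of Google country domains mapped to one remote address (88.198.198.204) and several security and payment sites mapped to another (74.125.45.100), so name resolution never reaches DNS. The script below is an added example, not part of the thread or of any tool mentioned in it. It parses either HijackThis "O1 - Hosts:" lines or a raw hosts file, flags every entry that points a hostname at a routable (non-loopback, non-private, non-0.0.0.0) address, groups them by destination IP, and can emit a cleaned copy that keeps comments and local entries. The sample input is constructed from a handful of the lines in this thread plus a default localhost entry.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a few HijackThis "O1 - Hosts:" lines taken from the
# thread above, mixed with ordinary hosts-file lines and a comment.
SAMPLE_LINES = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 88.198.198.204 google.com
O1 - Hosts: 88.198.198.204 google.co.uk
O1 - Hosts: 88.198.198.204 google.de
::1             localhost
0.0.0.0         ads.example.invalid   # deliberate sinkhole entry, kept
"""

# HijackThis prefixes each hosts entry with "O1 - Hosts:"; strip it so the
# same parser handles a real hosts file and a pasted HijackThis log.
O1_PREFIX = re.compile(r"^O1 - Hosts:\s*")


def parse_hosts_lines(text):
    """Yield (ip_address, hostname) pairs; comments and malformed lines are skipped."""
    for raw in text.splitlines():
        line = O1_PREFIX.sub("", raw.strip())
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not "IP hostname [hostname...]" -> ignore
        for host in parts[1:]:
            yield ip, host.lower()


def is_suspicious(ip):
    """A hosts entry that sends a name to a routable remote address is the hijack pattern.

    Loopback, 0.0.0.0, RFC 1918 and link-local targets are normal for blocking
    or for LAN shortcuts and are left alone.
    """
    return not (ip.is_loopback or ip.is_unspecified or ip.is_private or ip.is_link_local)


def find_hijacked(text):
    """Return {ip_string: [hostnames]} for entries that redirect names to remote hosts."""
    hijacked = defaultdict(list)
    for ip, host in parse_hosts_lines(text):
        if is_suspicious(ip):
            hijacked[str(ip)].append(host)
    return dict(hijacked)


def clean_hosts(text):
    """Return hosts-file text with redirecting entries removed.

    Comment lines are kept verbatim; surviving entries are rewritten as
    "IP<TAB>hostname" so a HijackThis-formatted input yields a valid hosts file.
    """
    kept = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(raw)
            continue
        for ip, host in parse_hosts_lines(raw):
            if not is_suspicious(ip):
                kept.append(f"{ip}\t{host}")
    return "\n".join(kept) + "\n"


def report(text):
    """Human-readable summary: one block per destination IP, most names first."""
    lines = []
    for ip, hosts in sorted(find_hijacked(text).items(), key=lambda kv: -len(kv[1])):
        lines.append(f"{ip}: {len(hosts)} hostname(s) redirected")
        lines.extend(f"    {h}" for h in hosts)
    return "\n".join(lines) if lines else "no redirecting hosts entries found"


if __name__ == "__main__":
    print(report(SAMPLE_LINES))
    print("--- cleaned hosts file ---")
    print(clean_hosts(SAMPLE_LINES), end="")
```

    On a live Windows box you would feed it the contents of C:\WINDOWS\system32\drivers\etc\hosts (the path kritius targets further down) rather than the constructed sample. Writing the cleaned copy back only works if the file is writable; a hosts file that refuses to save, as the original poster reports below, should be checked for the read-only attribute and for a process holding it open before assuming the malware is gone.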
     
  5. firefighter5654

    firefighter5654 TS Rookie Topic Starter

    No Luck Removing those items

    I checked all of the items you said to check & clicked Fix Checked & tried to empty the recycle bin, but it was empty so there was nothing to empty, & I ran the TFC like you said & it did its thing & shut down Windows, but it just stalls on the "Windows shutting down" screen & then I have to do a hard shutdown after 10 minutes or more. Tried this 3 times with the same results each time. I also went to the svc.host file directly to delete all the items listed & tried to save & it says it can't be saved. I even tried to delete the complete svc.host file, but each time it comes right back. I'm pulling my hair out at this point & don't know what else to do. I have included a new HijackThis log, but it looks the same to me.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'm going to ask for some help, firefighter. Hang on, okay?
     
  7. kritius

    kritius TS Guru Posts: 2,084

    1. Please download The Avenger by Swandog46 to your Desktop.
    • Right click on the Avenger.zip folder and select "Extract All..."
    • Follow the prompts and extract the avenger folder to your desktop
    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

    Code:
    Begin copying here:
    Files to delete:
    C:\WINDOWS\system32\drivers\etc\hosts

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
    • Right click on the window under Input script here:, and select Paste.
    • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
    • Click on Execute
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of The Avenger's actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    firefighter, you are in good hands. Please follow the instructions that kritius has set up for you.

    Thanks for your help, kritius.
     
  9. firefighter5654

    firefighter5654 TS Rookie Topic Starter

    Hi Bobbye & Kritius,

    Sorry for the long delay in responding, but the PC finally crashed & I had to resort to formatting the hard drive & lost all my bookmarks, so I could not find your forum. I have found it now & thank you for your time & effort. This is an excellent service you provide for free & I guess it's like me being a volunteer firefighter. It's great that we all help each other out & I will be back if any of my friends or I have future problems. Thanks, Ron
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thanks for taking the time to come back and update us, Ron. Very few people bother to do that, but it's always appreciated.

    Wishing you a Happy Holiday Season!
     
Topic Status:
Not open for further replies.
