TechSpot

I need help removing Virus Trigger

By brooklynfeline
Nov 20, 2008
  1. Virus Trigger has corrupted my computer. AVG will not complete, it just keeps scanning. I installed Malwarebytes and it will not open. I have run CCleaner. My computer will run Hijack This. I have attached the hijackthis log file. Thanks so much.
     
  2. Zerothma

    Zerothma TS Rookie Posts: 23

    Uh, can't you give viruses in .pdf? Wouldn't it be better to save the HJT log in a .log from the actual hijackthis program? Scan and save...
     
  3. brooklynfeline

    brooklynfeline TS Rookie Topic Starter Posts: 26

    I actually brought the copies to work to scan on another computer. I can upload it when I get home. Thanks.
     
  4. Zerothma

    Zerothma TS Rookie Posts: 23

    Well it's probably fine, but it's better to be safe than sorry.
     
  5. brooklynfeline

    brooklynfeline TS Rookie Topic Starter Posts: 26

    Yes, that is true. Thanks
     
  6. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi brooklynfeline

    Do the TechSpot 8 steps: http://www.techspot.com/vb/topic58138.html

    Do all, skip no step (do not install another virus scanner if you already have one).

    Most importantly update MalwareBytes and SuperAntiSpyware!

    Before you scan with SuperAntiSpyWare do the below:

    SuperAntispyware config

    After installed double-click the icon on your desktop to run it.

    It asks to update the program definitions, click Yes.

    Click the Preferences button.

    Then Scanning Control.

    In Scanner Options make sure all boxes are checked except #3, Ignore System Restore:

    In MalwareBytes after update but before running
    Click settings and confirm all are Checked.

    I repeat Update these 2 programs.

    Run them and post their logs then a new HJT log.

    Do this correctly and we will make a short job of this!

    If you can install but not update or run any of these programs, try only once and let me know and we will need something additional to make them work.

    Mike
     
  7. brooklynfeline

    brooklynfeline TS Rookie Topic Starter Posts: 26

    I have tried completing the 8 steps. AVG will not stop running when I try and run a full scan. It ran for 14 hours the other night. I have run CCleaner. I tried to stop AVG and I got an "Error 1053 The service did not respond to the start or control request in a timely fashion". Spybot will not open. Malwarebytes will not open. When I try and download SuperAntiSpyware it takes me to "Page can not be displayed". I tried to update Java and it said it had the latest version. So here is my hjt log. Thanks again.
     
  8. mflynn

    mflynn TS Rookie Posts: 2,655

    OK that is why I asked you to get back if they did not run or update!

    Reboot F8 into Safe Mode Networking

    Go here and try to get the attachment the malware may prevent it!

    On this board executables (.EXE) can not be attached, so download the Fixit.zip, right-click it, get Properties, and in the name box change from Fixit.zip to Fixit.exe.

    Then execute it
    Read this and do it!

    http://www.techspot.com/vb/post684649-3.html

    Mike
     
  9. brooklynfeline

    brooklynfeline TS Rookie Topic Starter Posts: 26

    That file worked. I updated both programs and scanned.
     
  10. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi brooklynfeline

    When any cleaner is run, it is possible that after one run that removes certain powerful Malware, it exposes more that were not even seen on the first run.

    The goal is to get these to come up clean or find something it can not handle.

    So run both MBAM and SAS again and post the logs.

    Good job so far.

    Mike
     
  11. brooklynfeline

    brooklynfeline TS Rookie Topic Starter Posts: 26

    I just ran them again. I will keep running them. Thanks
     


  12. mflynn

    mflynn TS Rookie Posts: 2,655

    Wow BrooklynCatGirl

    The "Good job so far" from my last post was an understatement; you are doing a fantastic job!

    No more HJT until I ask.

    May I guess at the type of feline? Tiger!:)

    Mike
     
  13. mflynn

    mflynn TS Rookie Posts: 2,655

    We were not through!

    What is happening?

    Due to what I saw in the logs do the below:

    ComboFix

    NOTE: If you have had ComboFix more than a few days old delete and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click combofix's window while it's running. That may cause it to stall.

    Mike
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    brooklynfeline, please hold off on running any additional programs. I will check your latest logs shortly.
     
  15. brooklynfeline

    brooklynfeline TS Rookie Topic Starter Posts: 26

    I am at work, so I will run mbam and sas again shortly and post the new logs. Thanks
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Hold on running again until I have reviewed the last logs.
     
  17. brooklynfeline

    brooklynfeline TS Rookie Topic Starter Posts: 26

    A friend told me to try SDFix. Here is the log file.
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Mbam removed Trojan Zlob. SAS showing Rootkit.TDSServ and suspicious Trojan in temp folder:
    Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.
    Regarding this entry: O11 - Options group: [INTERNATIONAL] International*
    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
    Start> Run> type in 'msconfig' without quotes> enter> Selective Startup> Startup tab> UNCHECK the following if present:
    Control Panel> Add/Remove Programs> UNINSTALL the following if present:
    Open Internet Options> security tab> Trusted Zone> Sites> remove the following:
    http://scanner.sysprotect.com
    http://locator.cdn.imageservr.com
    Then go to the restricted Zone> Sites> type in *.sysprotect.com> Add

    Reboot into Normal Mode. You will get a nag message that you can close after checking 'don't show this message again.' Stay in Selective Startup.

    NOTE: There are no Services showing in this log. Either you left them off or none are running. Some MUST be running so be sure to include that section.

    Regarding these entries in the Trusted Zone:
    O15 - Trusted Zone: http://scanner.sysprotect.com
    SysProtect is the new form of WinFixer/WinAntiVirus. SysProtect is another rogue tool which requires paid registration before any problems that it finds can be fixed. Often times Vundo infections will cause popups referring to SysProtect or Winfixer.

    To remove SysProtect follow the instructions below to download this new tool from Atribune.
    Regarding this entry in the Trusted Zone:
    O15 - Trusted Zone: http://locator.cdn.imageservr.com
    There is nothing on this site that would demand you place it in this zone. We will remove it from there.

    When you have finished with the SysProtect Removal, run a new scan with HijackThis and attach the log.

    There is more to be done, but this should have been handled earlier.
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I have not checked the SDFix log. It would be in your best interest NOT to run random programs while we are trying to clean your system. This is a good time NOT to listen to friends. Please follow what I have set up for you.

    You should also avoid doing a reformat or reinstall as it will undo everything we have done. Also, do not use System Restore. Malware can get in the restore points and if used, you can reinfect the system. We will remove those restore points at the end.
     
  20. mflynn

    mflynn TS Rookie Posts: 2,655

    Hmm, they must not have given very good direction, as this is the instruction for SDFix.

    You likely needed it.

    If you booted to safe mode and let it do its thing then the real log file is in the c:\SDFIX folder, named report.txt.

    Mike
     
  21. brooklynfeline

    brooklynfeline TS Rookie Topic Starter Posts: 26

    So I did all that was instructed. There were none of the acceleration, sysprotect, etc. in the startup tab when I was going to remove those. The backweb was not in the add/remove programs. I have had problems with that stopsign, it will not let me remove it because of a corrupted file. Here is my new hjt log. Do I need to remove the sysprotect line from the hjt that you were talking about?
     
  22. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi TigerGirl

    I think I have had Cat Scratch fever the last day or so and may be on R&R for a couple days!

    Ok go back and carefully do post #13 and see if you can get a log.

    I see where I requested it but don't see that it was ever run.

    Meantime I will post new SDFix directions.

    Mike

    EDIT Also uninstall your old HJT then go back to the 8 Steps and get the newest.

    EDIT2

    Download SD Fix to Desktop among other things Catchme to look for RootKits.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process, then say Finished.
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.

    Mike
     
  23. brooklynfeline

    brooklynfeline TS Rookie Topic Starter Posts: 26

    combofix will not run. I get an error message: You can not rename combofix.exe to combofix.exe(1). I have tried to rename it and it still comes up with the same error message.

    The SDFix would run. I uninstalled hjt and installed the current one like you said.
     
  24. mflynn

    mflynn TS Rookie Posts: 2,655

    Ok now we are getting somewhere.

    Reboot.

    Re-download and reinstall combofix; it will likely run now since SDFix.

    Mike
     
  25. brooklynfeline

    brooklynfeline TS Rookie Topic Starter Posts: 26

    It still does the same thing.
     