I need help removing Virus Trigger

Status
Not open for further replies.

brooklynfeline

Virus Trigger has corrupted my computer. AVG will not complete, it just keeps scanning. I installed Malwarebytes and it will not open. I have run CCleaner. My computer will run Hijack This. I have attached the hijackthis log file. Thanks so much.
 
Uh, can't you get viruses in a .pdf? Wouldn't it be better to save the HJT log as a .log from the actual HijackThis program? Scan and save...
 
Hi brooklynfeline

Do the TechSpot 8 steps: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

Do them all, skip no step (do not install another virus scanner if you already have one).

Most importantly, update MalwareBytes and SuperAntiSpyware!

Before you scan with SuperAntiSpyWare do the below:

SuperAntispyware config

After installed double-click the icon on your desktop to run it.

It asks to update the program definitions, click Yes.

Click the Preferences button.

Then Scanning Control.

In Scanner Options make sure all boxes are checked except #3, Ignore System Restore.

In MalwareBytes, after updating but before running,
click Settings and confirm all are checked.

I repeat Update these 2 programs.

Run them and post their logs then a new HJT log.

Do this correctly and we will make a short job of this!

If you can install but not update or run any of these programs, try only once and let me know, and we will need something additional to make them work.

Mike
 
I have tried completing the 8 steps. AVG will not stop running when I try and run a full scan. It ran for 14 hours the other night. I have run CCleaner. I tried to stop AVG and I got an "Error 1053: The service did not respond to the start or control request in a timely fashion". Spybot will not open. Malwarebytes will not open. When I try and download SuperAntiSpyware it takes me to "Page cannot be displayed". I tried to update Java and it said it had the latest version. So here is my HJT log. Thanks again.
 
OK, that is why I asked you to get back to me if they did not run or update!

Reboot, F8 into Safe Mode with Networking.

Go here and try to get the attachment; the malware may prevent it!

On this board executables (.EXE) cannot be attached, so download Fixit.zip, right-click it, get Properties, and in the name box change from Fixit.zip to Fixit.exe.

Then execute it.
Read this and do it!

https://www.techspot.com/vb/post684649-3.html

Mike
 
Hi brooklynfeline

When any cleaner is run, it is possible that one run removes certain powerful malware and then exposes more that were not even seen on the first run.

The goal is to get these to come up clean or find something they cannot handle.

So run both MBAM and SAS again and post the logs.

Good job so far.

Mike
 
I just ran them again. I will keep running them. Thanks
 

Attachments:

  • SUPERAntiSpyware Scan Log.txt (884 bytes)
  • mbam-log.txt (921 bytes)
  • hijackthis4.txt (9.4 KB)
 
Wow, BrooklynCatGirl

The "good job so far" from my last post was an understatement; you are doing a fantastic job!

No more HJT until I ask.

May I guess at the type of feline? Tiger! :)

Mike
 
We were not through!

What is happening?

Due to what I saw in the logs do the below:

ComboFix

NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double-click combofix.exe and follow the prompts.

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.

Mike
 
brooklynfeline, please hold off on running any additional programs. I will check your latest logs shortly.
 
MBAM removed Trojan Zlob. SAS is showing Rootkit.TDSServ and a suspicious Trojan in the temp folder:
Please re-open HijackThis and scan. *Check* the boxes next to all the entries listed below.
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [BCROReminder] C:\Program Files\ByteCrusher\RegistryOptimax\BCRO.exe -rem
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
(Kodak uses BackWeb as their updater)
O20 - AppInit_DLLs: karna.dat
Regarding this entry: O11 - Options group: [INTERNATIONAL] International*
If you have an O11 entry, that means there is an added group in your Internet Options > Advanced choices. To see these, open Internet Explorer and go to:
Tools > Internet Options > Advanced tab
There are several groups of options listed there: Accessibility, Browsing, etc. Apparently you have an extra group named International.
IF you did not specifically set this up or are not aware of its contents, please check it for HijackThis to remove.
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
Start> Run> type in 'msconfig' without quotes> enter> Selective Startup> Startup tab> UNCHECK the following if present:
Acceleration
SysProtect
ALL HP entries
Dell Support
Dell Printer
RegistryOptomizer (may show as BCROReminder or BCRO.exe)
Kodak software updater
Control Panel> Add/Remove Programs> UNINSTALL the following if present:
BackWeb
Any entry from Acceleration/webscan/StopSignSsTsMon
Open Internet Options> security tab> Trusted Zone> Sites> remove the following:
http://scanner.sysprotect.com
http://locator.cdn.imageservr.com
Then go to the restricted Zone> Sites> type in *.sysprotect.com> Add

Reboot into Normal Mode. You will get a nag message that you can close after checking 'don't show this message again.' Stay in Selective Startup.

NOTE: There are no Services showing in this log. Either you left them off or none are running. Some MUST be running so be sure to include that section.

Regarding these entries in the Trusted Zone:
O15 - Trusted Zone: http://scanner.sysprotect.com
SysProtect is the new form of WinFixer/WinAntiVirus. SysProtect is another rogue tool which requires paid registration before any problems that it finds can be fixed. Often times Vundo infections will cause popups referring to SysProtect or Winfixer.

To remove SysProtect follow the instructions below to download this new tool from Atribune.
1. Download and run SysProtect Remover.exe from the link here in SysProtect Removal:
http://www.atribune.org/index.php?option=com_content&task=view&id=30&Itemid=2
2. Once it is running click the "Remove Now" button and follow the on screen instructions.
3. You will receive a message that asks if you want to remove SysProtect, click YES.
4. When it's finished, you will see a message saying:
"Done removing SysProtect from your computer, please reboot now"
Please reboot your computer to complete the SysProtect removal.
Regarding this entry in the Trusted Zone:
O15 - Trusted Zone: http://locator.cdn.imageservr.com
There is nothing on this site that would demand you place it in this zone. We will remove it from there.

When you have finished with the SysProtect Removal, run a new scan with HijackThis and attach the log.

There is more to be done, but this should have been handled earlier.
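The post above works through the HijackThis log entry by entry: the F2 UserInit value, the O4 autorun entries for StopSign and RegistryOptimax, the O15 Trusted Zone sites and the O20 AppInit_DLLs entry. The following script is an added example, not code from the thread or from the HijackThis project; it parses lines in the HJT log format and applies the same checks mechanically. The sample log is constructed from the entries quoted in the post, and ROGUE_TOKENS is an assumed watchlist built from the names the post flags.

```python
"""Triage a HijackThis (HJT) log offline.

Parses each line of the form "<code> - <body>" into its section code and
applies the checks a malware-removal helper makes by eye: a non-default
Winlogon UserInit (F2), autorun entries naming known rogue software (O4),
sites added to the Trusted Zone (O15) and any non-empty AppInit_DLLs (O20).
"""
import re
from dataclasses import dataclass

# Windows default for the Winlogon UserInit value; anything else is suspect.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Assumed watchlist for this example, built from the names the thread flagged.
ROGUE_TOKENS = ("sysprotect", "imageservr", "stopsign", "webscan", "bcro", "karna.dat")

# HJT entries look like "O4 - HKLM\..\Run: [name] path" or "F2 - REG:...".
ENTRY_RE = re.compile(r"^(?P<code>[FNOR]\d+)\s*-\s*(?P<body>.*)$")

# Constructed sample log reproducing the entry types quoted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [BCROReminder] C:\Program Files\ByteCrusher\RegistryOptimax\BCRO.exe -rem
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://scanner.sysprotect.com
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O20 - AppInit_DLLs: karna.dat
"""


@dataclass
class Finding:
    code: str
    reason: str
    entry: str


def parse_entries(log_text):
    """Return (code, body) for every line that looks like an HJT entry."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("code"), match.group("body")))
    return entries


def triage(log_text):
    """Return the entries a helper would tell the user to fix, each with a reason."""
    findings = []
    for code, body in parse_entries(log_text):
        low = body.lower()
        if code == "F2" and "userinit=" in low:
            # The stock value is fine; extra executables appended after a comma are not.
            value = low.split("userinit=", 1)[1].strip().rstrip(",")
            if value != DEFAULT_USERINIT:
                findings.append(Finding(code, "non-default Winlogon UserInit", body))
        elif code == "O4" and any(tok in low for tok in ROGUE_TOKENS):
            findings.append(Finding(code, "autorun entry names known rogue software", body))
        elif code == "O15":
            # Trusted Zone sites get relaxed IE security settings, so every one needs a reason.
            findings.append(Finding(code, "site granted Trusted Zone privileges", body))
        elif code == "O20" and low.startswith("appinit_dlls:"):
            # AppInit_DLLs is loaded into every process that links user32.dll.
            value = body.split(":", 1)[1].strip()
            if value:
                findings.append(Finding(code, "AppInit_DLLs injects into every GUI process", body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.reason:<45} {f.entry}")
```

Run it as-is to see the six entries the post asked the user to fix; the F2 line is not reported because it holds the stock Windows value, and the Kodak/BackWeb entry is left for the Add/Remove Programs step since its path is not on the watchlist.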
 
I have not checked the SDFix log. It would be in your best interest NOT to run random programs while we are trying to clean your system. This is a good time NOT to listen to friends. Please follow what I have set up for you.

You should also avoid doing a reformat or reinstall, as it will undo everything we have done. Also, do not use System Restore. Malware can get into the restore points and, if used, you can reinfect the system. We will remove those restore points at the end.
 
Hmm, they must not have given very good directions, as this is the instruction for SDFix.

You likely needed it.

If you booted to safe mode and let it do its thing, then the real log file is in the c:\SDFIX folder, named report.txt.

Mike
 
So I did all that was instructed. There were none of the acceleration, sysprotect, etc. in the startup tab when I was going to remove those. The BackWeb was not in the add/remove programs. I have had problems with that StopSign; it will not let me remove it because of a corrupted file. Here is my new HJT log. Do I need to remove the sysprotect line from the HJT that you were talking about?
 
Hi TigerGirl

I think I have had Cat Scratch Fever the last day or so and may be on R&R for a couple of days!

Ok, go back and carefully do post #13 and see if you can get a log.

I see where I requested it but don't see that it was ever run.

Meantime I will post new SDFix directions.

Mike

EDIT: Also uninstall your old HJT, then go back to the 8 Steps and get the newest.

EDIT2

Download SDFix to the Desktop. Among other things it contains Catchme to look for rootkits.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On the Desktop run SDFix. It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to the desktop.

At the Desktop:
My Computer, C: drive. Double-click to open.

Look for a folder called SDFix. Double-click to enter SDFix.

Double-click RunThis.bat. Type Y to begin.

SDFix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process, then say Finished.
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.

Mike
 
ComboFix will not run. I get an error message: "You cannot rename combofix.exe to combofix.exe(1)". I have tried to rename it and it still comes up with the same error message.

The SDFix would run. I uninstalled HJT and installed the current one like you said.
 
Ok, now we are getting somewhere.

Reboot.

Re-download and reinstall ComboFix; it will likely run now since SDFix ran.

Mike
 