Need help with removing trojan

By zrules
Nov 27, 2007
Topic Status:
Not open for further replies.
  1. I got numerous viruses and trojans on my computer discovered by ZoneAlarm Internet Security and I used HJT to save a log file. Can someone please review my HJT log file to remove these malicious viruses and trojans?

    Trojan.Win32.Obfuscated.If
    Trojan.Win32.Obfuscated.kp
    not-a-virus:Montor.Win32.Ardamax.271
  2. evilfantasy

    evilfantasy Banned Posts: 428

    HijackThis must be run in its own folder. Only if HijackThis runs in its own folder will it create backups!

    Delete the copy you have if you can find it and follow the instructions to install it properly.

    Download HijackThis.
    Double-click on the installer you just downloaded.
    Click on the "Install" button to install.
    It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis
    Please do not change the default install location.

    Next go to C:\Program Files\Trend Micro\HijackThis.exe
    Right click on HijackThis.exe and select Rename
    Type in crusty.exe and press enter.

    ** Don't run HijackThis until after completing the next step.


    Please read carefully in order to clean and save the log properly

    Download SUPERAntispyware Free Edition

    Install it and double-click the icon on your desktop to run it.
    * It will ask if you want to Update the program definitions, click Yes.
    * Under Configuration and Preferences, click the Preferences button.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked:
    + Close browsers before scanning
    + Scan for tracking cookies
    + Terminate memory threats before quarantining.
    + Please leave the others unchecked.
    + Click the Close button to leave the control center screen.
    * On the main screen, under Scan for Harmful Software click Scan your computer.
    * On the left check C:\Fixed Drive.
    * On the right, under Complete Scan, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete a summary box will appear. Click OK.
    * Make sure everything in the white box has a check next to it, then click Next.
    * It will quarantine what it found and if it asks if you want to reboot, click Yes.
    * To retrieve the removal information please do the following:
    + After reboot, double-click the SUPERAntiSpyware icon on your desktop.
    + Click Preferences. Click the Statistics/Logs tab.
    + Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    + It will open in your default text editor (such as Notepad/Wordpad).
    + Save the notepad file to your desktop by clicking (in notepad) "File" "Save As"
    * Save the log somewhere you can easily find it. (normally the desktop)
    * Click close and close again to exit the program.
    * Please add the log as an attachment in your post.

    Now run HijackThis and save the log to post as an attachment.

    Next post please add as attachments
    SUPERAntiSpyware log
    New HijackThis log
  3. zrules

    zrules Newcomer, in training Topic Starter Posts: 50

    Thank you

    I have done the scan and here are the logs
    (hopefully clean)
  4. evilfantasy

    evilfantasy Banned Posts: 428

    Open HijackThis and select "Do a system scan only"

    Place a check mark next to:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL (file missing)
    O2 - BHO: (no name) - {17B88DF7-95AB-44DA-8ECD-5FF0B6CAEC67} - C:\WINDOWS\system32\nnnlmll.dll (file missing)
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
    O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL (file missing)
    O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)
    O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O9 - Extra button: ZDNet - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - C:\WINDOWS\system32\IEPlugin.dll (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O20 - Winlogon Notify: nnnlmll - nnnlmll.dll (file missing)


    Close all windows except HijackThis and click "Fix checked"

    ======

    Please download Combofix by sUBs from either here or here

    Save Combofix.exe to your Desktop.

    1. Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
    2. When finished, it will produce a log for you.
    3. Attach that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause your computer to stall.


    ======

    Next post attach:
    Combofix log
    New HijackThis log
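    The HijackThis entries quoted in the post above follow a fixed line format: a section code (R3, O2, O20, ...), a description, usually a CLSID, and the target path followed by HijackThis's own "(file missing)" / "(no file)" annotation when the referenced file no longer exists. As an added example that is not part of this thread or of HijackThis itself, the following Python script parses a few of the lines quoted above (embedded as constructed sample input) and flags the orphaned and unnamed registrations, which are the kind of dead references the helper selected for "Fix checked"; live entries such as the O4 QuickTime item still need human review.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of the HijackThis lines quoted in the thread above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL (file missing)
O2 - BHO: (no name) - {17B88DF7-95AB-44DA-8ECD-5FF0B6CAEC67} - C:\WINDOWS\system32\nnnlmll.dll (file missing)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: nnnlmll - nnnlmll.dll (file missing)
"""

# "<section> - <body>", e.g. "O2 - BHO: ..." or "O20 - Winlogon Notify: ..."
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Registry-style CLSID: {8-4-4-4-12 hex digits}
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

@dataclass
class Entry:
    section: str            # HijackThis section code, e.g. O2 (BHO), O20 (Winlogon Notify)
    body: str
    clsid: Optional[str]
    orphaned: bool          # HJT annotated the target as "(file missing)" or "(no file)"
    unnamed: bool           # no display name is registered for the component

def parse_hjt(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue        # headers, blank lines and other non-entry text are skipped
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append(Entry(
            section=m.group("section"),
            body=body,
            clsid=clsid.group(0).upper() if clsid else None,
            orphaned=body.endswith("(file missing)") or body.endswith("(no file)"),
            unnamed="(no name)" in body,
        ))
    return entries

def triage(entries: List[Entry]) -> List[Entry]:
    """Entries worth a closer look: orphaned registrations are dead references that a
    cleanup should remove; unnamed ones hide which component is being loaded."""
    return [e for e in entries if e.orphaned or e.unnamed]

if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{e.section:<4} {'orphaned' if e.orphaned else 'unnamed':<9} {e.body}")
```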
  5. zrules

    zrules Newcomer, in training Topic Starter Posts: 50

    I followed your instructions, here are the logs
    Just to add on, I could not find all of the items in the HJT checklist, but I did find most of them.
  6. evilfantasy

    evilfantasy Banned Posts: 428

    Open HijackThis and select "Do a system scan only"

    Place a check mark next to:

    O2 - BHO: (no name) - {17B88DF7-95AB-44DA-8ECD-5FF0B6CAEC67} - (no file)
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


    Close all windows and click "Fix checked"

    =====

    Please download Vundofix.exe to your desktop.

    * Double-click VundoFix.exe to run it.
    * Put a check next to Run VundoFix as a task.
    * You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    * When VundoFix re-opens, click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will shutdown your computer, click OK.
    * Turn your computer back on.
    * Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

    Please let Vundo finish, sometimes it can take multiple passes


    Next post attach:
    vundofix.txt
  7. zrules

    zrules Newcomer, in training Topic Starter Posts: 50

    That's ok!

    That's ok. My computer is much faster now; no virus has appeared lately. Also, I ran VundoFix and no infections were detected. Anyway, thank you for your assistance!


    Best Regards
    :slurp:
  8. evilfantasy

    evilfantasy Banned Posts: 428

    You should post another HijackThis log, as we were not done with cleanup. That's why we were checking for Vundo; there were entries I could not identify.
  9. zrules

    zrules Newcomer, in training Topic Starter Posts: 50

    Here is the HJT log

    Here is the HJT log I scanned recently
  10. evilfantasy

    evilfantasy Banned Posts: 428

    Your Java is out of date
    Older versions have vulnerabilities that malware can use to infect your system. It is possible that you may be running Java code in your applications that absolutely requires a specific version of the JRE to run. Please follow these steps to remove older versions of Java components and update.

    Updating Java:
    * Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    * Check for any item with Java Runtime Environment (JRE or J2SE) in the name.
    ** The latest version is Java 6 Update 3. Remove all other entries.
    * Click the Remove or Change/Remove button.
    * Repeat as many times as necessary to remove each of the Java versions.
    * Reboot your computer once all Java components are removed.

    * Download the latest version of Java Runtime Environment (JRE) 6
    * Click the Free Java Download button.
    * Click the Download Now button.
    * When the Software Installation dialog box opens, click on the Install Now button.
    * Follow the prompts to complete installation.


    Go to Start > Run and copy and paste next command in the field:

    ComboFix /u


    Make sure there's a space between Combofix and /
    Then hit Enter.

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


    Let us know if anything else comes up.
  11. zrules

    zrules Newcomer, in training Topic Starter Posts: 50

    ok, thank you very much. My computer is faster than ever now.