Possible trojan, spyware etc on Vista


tranquillo

Hi.

I've read and followed the 3-page-long instructions on removing spyware somewhere here in the forum... the tip was to download and run about 10 000 applications plus running an online scan twice. Some applications found and removed dirt and some didn't. Now I have a stack of applications asking me stupid questions like whether Windows Update, or MSN, should be allowed to connect to the internet...
And I still get annoying popups every time I open IE or Explorer... Google gets hijacked at random and sometimes I have to click a Google result 4-5 times (click, notice the link is hijacked, click back and click the link again) before getting where I want...

Here's my latest HijackThis log... pleeeaaassee, tell me what to do...
 
First please go to Start -> Control Panel -> Add/remove programs and uninstall Hijackthis.

Next please follow these instructions. Your version of HijackThis is out of date.

HijackThis Instructions
  • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
  • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
  • Go to its folder and rename the .exe file to crusty or something similar.
  • After installing, the program launches automatically; select Scan now and save a log.
  • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.

Please do the following, then we will know better where the infection is.
 
Just an fyi....

I've already swapped privates with Julio noting the typo in the Spyware post. The latest HijackThis installed via the link in his post is v2.0.2, not v2.0.0.2.
 
LookinAround said:
Just an fyi....

I've already swapped privates with Julio noting the typo in the Spyware post. The latest HijackThis installed via the link in his post is v2.0.2, not v2.0.0.2.

Cheers for that, I kept meaning to say to someone about it.

@ tranquillo

Please download HostsXpert, extract it to your desktop and run it. When it opens, click on the Restore Original Hosts button and then exit HostsXpert.

Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

If you stopped your antivirus or firewall you can restart them again.

Run HJT after these are completed and post a new log; I need to check and see what's different.
 
I hope tranquillo doesn't mind me stealing some bandwidth from the thread, but if I could ask kritius a couple of questions:
  • I'm just curious... I can go through a HJT log or most any tool's log and know how to verify/validate entries to identify the suspicious/malware/etc. entries. But I'm wondering where you picked up (and is there a database?) all the various tools and removal instructions that go with those various entries once identified?
  • I've seen ComboFix often recommended by a number of different people for malware removal. I've never needed it but of course went to look at it out of geek curiosity. I see it warning about having a Recovery Console installed, but I'm not sure I recall that ever being mentioned in posted instructions. Just wondered, is it pretty rare that ComboFix should do something that requires the Recovery Console?
 
After running the vast amount of anti-spyware, scans and whatever... I suspect that this may be a problem that comes back when I restart the computer... so I restarted and made a new log... just in case...
 
Disable this: O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
Then run ComboFix and post a fresh log.
I would suggest that you get a more reliable AV programme and also install a firewall. It also seems that you may be running more than one AV programme; only one is advisable.
Did you run SmitFraud? If not, please do it. Run it in safe mode after disabling the O23 entry, then run ComboFix.
 
lol... right...

Quick Google result:
"SmitFraud attacks show fake antispyware programs popups on your screen"
"Trojan.Smitfraud is a group of programs that are used to download rogue security products"

this is something I should run?
 
tranquillo said:
lol... right...

Quick Google result:
"SmitFraud attacks show fake antispyware programs popups on your screen"
"Trojan.Smitfraud is a group of programs that are used to download rogue security products"

this is something I should run?
Yes. After running it you may lose your desktop background; don't worry, just reset it when all is finished. You may also need to run VirtumundoBeGone too.
 
Did all those things (except disabling VundoFix Service... don't know how or where... VundoFix is one of the programs I downloaded from the instructions) and now it seems like the popups are gone, but Google links are still hijacked and mostly point to some (probably fake) anti-spyware/anti-virus software sites... my guess is that the popups will come back soon too, as they always do after cleaning up with various programs and scanners...
 
Don't give up yet!
To stop this service: Start > Run > type "services.msc" (without the quotations) > OK > look for the service VundoFixSvc by Atribune > right click and stop/disable.
Please post the logs from HJT, ComboFix and SmitFraud.

Can you give a little more information on the pop-ups, e.g. what they are advertising etc. and if there is any name at the top of the ad, such as "outer info" for example. Are there any unknown icons in the system tray?
 
Did all the above except stopping VundoFix, and ComboFix did not return a log... just a small progress bar saying it was running and then it went away... I'll give it another try... first SmitFraud, save the log, then ComboFix, try and find a log somewhere, then HJT...
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode and show all hidden files and folders,

Go to start>run and type services.msc
VundoFix Service (VundoFixSvc) - Disable the service name and/or the name in brackets.

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end the process for (if there):

VundoFixSVC.exe

Close task manager.

Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to it (if there):

O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there):

C:\WINDOWS\SYSTEM32\VundoFixSVC.exe

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log.
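Kritius's steps above (check the service, stop and disable it, end the process, delete the file), collected into one PowerShell script as an added example that is not from the thread or from any tool mentioned in it. It assumes the O23 line is the exact one quoted in the post and that the script is run from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread or any tool in it): the service-removal
# steps above as one script. Run from an elevated PowerShell prompt.
# The O23 line is the one quoted in the thread; only that service is touched.
$O23Line = 'O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe'

# Pull the display name, short service name and binary path out of the O23 entry.
$pattern = '^O23 - Service: (?<display>.+?) \((?<name>[^)]+)\) - .+? - (?<path>[A-Za-z]:\\.+)$'
if (-not ($O23Line -match $pattern)) {
    throw "Not an O23 service entry: $O23Line"
}
$svcName = $Matches['name']
$binPath = $Matches['path']

# Step 1 (services.msc): confirm the service exists and that the registered
# binary is the one the log shows before changing anything.
$svc = Get-CimInstance Win32_Service -Filter "Name='$svcName'"
if ($null -eq $svc) {
    Write-Host "Service $svcName is not installed; nothing to disable."
} else {
    Write-Host "Found $($svc.Name): state=$($svc.State) start=$($svc.StartMode) path=$($svc.PathName)"
    if ($svc.PathName -notlike "*$(Split-Path -Path $binPath -Leaf)*") {
        Write-Warning "Registered binary differs from the HJT log entry; verify before deleting."
    }
    Stop-Service -Name $svcName -Force -ErrorAction SilentlyContinue
    Set-Service -Name $svcName -StartupType Disabled
}

# Step 2 (task manager): end the process if it is still running.
$procName = [System.IO.Path]::GetFileNameWithoutExtension($binPath)
Get-Process -Name $procName -ErrorAction SilentlyContinue | Stop-Process -Force

# Step 3 (locate and delete): remove the binary only at the path the log gives.
if (Test-Path -LiteralPath $binPath) {
    Remove-Item -LiteralPath $binPath -Force
    Write-Host "Deleted $binPath"
} else {
    Write-Host "$binPath is not present."
}

# Show the resulting state so it can be compared against the next HJT log.
Get-Service -Name $svcName -ErrorAction SilentlyContinue | Format-List Name, Status, StartType
```

The script stops and disables the service rather than deleting its registration; having HJT fix the O23 entry afterwards, as the post says, removes it entirely.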
 
You seem to have acquired 2 new entries in your HJT log. Are you cleaning your PC between projects?

Perhaps it may be best if you start again should kritius's instructions fail.

If so, go HERE and follow these instructions. I must add that all instructions must be followed to the letter.
 
If you mean from previous HJT logs, I've actually removed two entries from the hosts file that I'm sure are OK since I put them there myself, but I didn't bother to remove them from the latest log...

When it comes to the process of the latest scan/clean, I did everything exactly as instructed with the exception that I restarted the computer before running ComboFix and HJT...

I'll look into the instructions above in a minute...
 
Quick question tranquillo,

What antivirus program do you use? I noticed in your logs that it mentions AVG 8, where did you download this from? How long have you had it for?
 
My guess is that it was one of the 1000 downloads in the basic instructions I followed a couple of days ago.
Before all this, I had Windows Defender and the Symantec... now I'm not sure any more after all the downloads...


Here's the HJT log...
 