Possible Trojan virus??

Status
Not open for further replies.

sjuhatten10

The other day I used the Spybot search and destroy program to scan my computer. The results showed something with the word Trojan in it. To make sure I was not infected I followed all of the preliminary steps and posted the following logs. Thanks in advance for the help. Also the Panda Antirootkit programme came up with no results.
 

Attachments

  • combofix.txt
  • hijackthis.log

It appears that your computer may have been infected with a backdoor, which can send personal information from your computer over the Internet to hackers.

Please read this thread and let me know how you wish to proceed.

Regards :)

This thread is for the use of sjuhatten10 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
I would rather not re-format or reinstall my laptop. I attached the requested logs in the previous post. I basically use my laptop for internet access, music, and school work. Thanks again.
 
OK, let's get started then.

Go to start > run, type in notepad.exe and press enter.

Copy and paste the following text (all except the word "quote") into the Notepad window:

C:\WINDOWS\Cursors\lsasrv.exe

Save the file as CFScript to your desktop.

Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
CFScript.gif


Once that's done, post the resulting ComboFix log.

Do you know anything about the file oregontrail.exe on your desktop?

Regards :)
 
Here is the ComboFix log you requested. I currently don't have an icon on my desktop that says oregontrail.exe. But I think I tried to download the game Oregon Trail once off of the internet.
 
Search your system for the filename lsasrv.exe and delete all instances found.
Note: Do NOT confuse the above filename with lsass.exe, which is legitimate.

Then please post a fresh HijackThis log.

Regards :)
 
I didn't find any files when I searched for lsasrv.exe. I just searched under all files and folders in the regular search engine under "my computer." Here is the updated hijackthis log.
 
I have not received a response in a few days after posting my latest HijackThis log. Does this mean that my computer is virus free?
 
Sorry, I somehow missed your post.

Fix this entry with HJT:

O4 - HKCU\..\Run: [OregonTrail.exe] C:\DOCUME~1\Billy\Desktop\OREGON~1.EXE /r

Your system appears to be clean; please post a fresh ComboFix log just to be sure.

Regards :)
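
As an added illustration (not part of the original thread, and not code from HijackThis or ComboFix), the sketch below triages HijackThis O4 autorun lines and file paths the way the two checks in this thread were done by eye: the Run entry launching from the Desktop, and lsasrv.exe sitting outside System32 under a name close to lsass.exe. The heuristics, the list of system names, the 0.8 similarity threshold and the second log line are assumptions chosen for the example.

```python
import re
from difflib import SequenceMatcher
from pathlib import PureWindowsPath

# HijackThis autorun entry: O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[([^\]]*)\] (.+)$")
# Heuristics below are assumptions for this example, not rules from the thread.
SYSTEM_NAMES = ("lsass.exe", "svchost.exe", "winlogon.exe", "csrss.exe")
SYSTEM_DIR = r"c:\windows\system32"
USER_DIR_PARTS = {"desktop", "temp", "locals~1"}


def flag_path(path):
    """Return the reasons an executable path deserves a closer look."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    reasons = []
    if USER_DIR_PARTS & {part.lower() for part in p.parts}:
        reasons.append("runs from a user-writable folder")
    if "~" in p.name:
        reasons.append("8.3 short name abbreviates the real file name")
    for legit in SYSTEM_NAMES:
        close = SequenceMatcher(None, name, legit).ratio() >= 0.8
        if close and parent != SYSTEM_DIR:
            reasons.append(f"name resembles {legit} but is outside System32")
    return reasons


def triage_o4(log_text):
    """Return (value name, executable, reasons) for each flagged O4 line."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        # Take the command up to its first ".exe", quoted or not.
        target = re.match(r'"?(.+?\.exe)', m.group(3), re.I)
        exe = target.group(1) if target else m.group(3).split()[0]
        reasons = flag_path(exe)
        if reasons:
            findings.append((m.group(2), exe, reasons))
    return findings


# Sample input: line 1 is the entry quoted in the thread, line 2 is constructed.
SAMPLE_LOG = r"""O4 - HKCU\..\Run: [OregonTrail.exe] C:\DOCUME~1\Billy\Desktop\OREGON~1.EXE /r
O4 - HKLM\..\Run: [ExampleTray] C:\WINDOWS\system32\exampletray.exe
"""

if __name__ == "__main__":
    print(triage_o4(SAMPLE_LOG))
    print(flag_path(r"C:\WINDOWS\Cursors\lsasrv.exe"))
```

A flagged entry is a prompt for review, not a verdict; legitimate installers also register Run entries from user folders.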
 
Please download The Avenger by Swandog46 to your Desktop.
  • Double click on Avenger.zip to open the file and extract avenger.exe to your Desktop.
  • Copy the text in the box below, all except the word QUOTE, into your clipboard by highlighting it and pressing CTRL+C.
Files to delete:
C:\WINDOWS\Cursors\lsasrv.exe
Note: The above script is intended only for this user. If you are not this user, do NOT follow these instructions as they could damage the workings of your system.
  • Now, run The Avenger program by double clicking its icon on your Desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing Ctrl+V.
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. (When the script being executed contains "Drivers to Unload", The Avenger will actually reboot your system two times.)
  • On reboot, it will briefly open a black command window on your desktop. This is normal.
  • After the reboot, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please attach the C:\avenger.txt file to your next post.

Regards :)
 
Your computer looks completely clean now.

Turn off system restore. See how here.
This will delete all old system restore points and any malware in them.

Now, turn system restore back on. This will have created a new, clean system restore point.

I also recommend reading this thread here, which explains how to keep your system from becoming infected again.

If you have any further virus/spyware problems, please post in this thread.

Regards :)
