TechSpot

Recovering from some nasty trojans, may I ask some assistance?

By Hopeful Death
May 15, 2007
  1. Well I made some pretty stupid moves today. Got myself a few baddies. I was confident enough to take care of the "obvious" stuff (A system folder in Program Files with one suspicious exe called AVP.exe? Haha.... yeah right)

    Unfortunately most of them were backdoors that give information out. I tried to disconnect the internet as quickly as possible, but who knows what the hell got out. It's kind of scary.

    Annnnyway. I followed the directions in that topic, and here are my latest HijackThis and ComboFix logs. Any help would be greatly appreciated, thank you.

    Oh... and don't let the recently created rundll32, msconfig, and taskmanager worry you. I put those there myself after the malware trashed 'em. Cheeky little bastard isn't it.

    Sorry for the double post... I just kind of did it without thinking
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    You have posted your HJT log from safe mode. I need to see a HJT log from normal mode please.

    Also, you haven't posted an AVG Antispyware log, nor have you given the results of the AVG Antirootkit scan.

    Please go back to this thread and follow all the instructions exactly, then post the requested logfiles.

    Regards Howard :wave: :wave:

    This thread is for the use of Hopeful Death only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. Hopeful Death

    Hopeful Death TS Rookie Topic Starter

    Okie. I was a little scared to go back to what was crawling with trojans before. But they appear to be inactive so apparently I did enough alone to stop the damage. But I need to wipe out the traces too.

    Latest logs.

    The root thing came up completely clean.

    As for AVG.... well... I cut a few corners. I did a full scan and after 3 hours it was only 1/10 of the way done. I'm kind of on a schedule here, so I just let it scan /Windows and /Program Files. I didn't make a report for some reason, I dunno. But I can tell you that it found 2 things. One was Weatherbug, minor adware. The other was winrkq32 or something like that, which was a trojan.

    Edit: On second thought, it's going a LOT faster on normal mode. If it finishes anytime soon I'll update the post with that log too
     
  4. howard_hopkinso

    Your logs look clean. However, it appears you're not running any antivirus software; this is a huge security risk and needs to be addressed asap.

    Download and install one of the free antivirus programmes in the instructions HERE. Then, do a full system scan and delete whatever is found.

    I still need to see an AVG Antispyware log, otherwise I can't say with any certainty whether your system is clean.

    Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each entry (if there).

    O2 - BHO: (no name) - {1B7E284A-63CC-4459-B7FA-F4BF2E84628F} - (no file)

    O17 - HKLM\System\CCS\Services\Tcpip\..\{0AA69EE6-26C6-4655-8B01-4837728B504C}: NameServer = 208.67.222.222,208.67.220.220

    O17 - HKLM\System\CCS\Services\Tcpip\..\{3070F698-787C-479B-B18F-478AFA881E91}: NameServer = 208.67.222.222,208.67.220.220

    O17 - HKLM\System\CCS\Services\Tcpip\..\{B7310C77-A707-4BF5-8AA8-F4C60F06C280}: NameServer = 208.67.222.222,208.67.220.220

    O17 - HKLM\System\CS1\Services\Tcpip\..\{0AA69EE6-26C6-4655-8B01-4837728B504C}: NameServer = 208.67.222.222,208.67.220.220

    O17 - HKLM\System\CS2\Services\Tcpip\..\{0AA69EE6-26C6-4655-8B01-4837728B504C}: NameServer = 208.67.222.222,208.67.220.220

    Only fix the above O17 entries if they don't belong to your ISP.

    O20 - Winlogon Notify: winrkq32 - winrkq32.dll (file missing)

    Click on the fix checked button.

    Close HJT and reboot your system.

    Other than the above, your HJT log is clean.

    Please post an AVG Antispyware log.

    Regards Howard :)

     
  5. Hopeful Death

    What do you mean if it's from my ISP? The addresses 208.67.222.222,208.67.220.220 are the DNS addresses that I'm using if that means anything.

    Anyway, yeah, it's going as we speak. Picked up another Trojan too (Downloader.LoadAdv).

    That makes the 5th freaking one. Sheesh. Whoda thought I could get them all within the span of 3 minutes after being clean for 6 years!

    Also, the biggest offender I had was a program called smanager.7.exe. I managed to get rid of it, but I couldn't find much official info on it.

    More shenanigans, I couldn't install any programs under normal mode because they would automatically close in 5 seconds.

    Heh, you know, sure they're bad, but they do provide for some amusement...

    Sorry, just killing time waiting for this scan to finish =D
     
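The question raised in the last two posts, whether the O17 NameServer entries belong to the user or were planted, is easiest to settle by comparing the resolvers in the log against the ones you know you configured. The following triage script is an added example, not from the thread or from HijackThis; it parses the O2, O17 and O20 entry types quoted above, flags O17 entries whose resolvers are outside an expected set (the two addresses in the thread are OpenDNS's public resolvers, which the poster says they chose deliberately), and flags O20 Winlogon Notify entries whose DLL is missing. The log lines are constructed for the example, including one O17 line with a different resolver.

```python
import re

# Constructed sample modelled on the HJT lines quoted in the thread (not a real log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1B7E284A-63CC-4459-B7FA-F4BF2E84628F} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AA69EE6-26C6-4655-8B01-4837728B504C}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{3070F698-787C-479B-B18F-478AFA881E91}: NameServer = 10.0.0.1
O20 - Winlogon Notify: winrkq32 - winrkq32.dll (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# Resolvers the machine owner knows they configured (OpenDNS here, as in the thread).
# This set is per-machine: a resolver outside it is only "review", not proof of tampering.
EXPECTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d.,\s]+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)(?P<missing> \(file missing\))?$")


def triage(log_text, expected_resolvers=EXPECTED_RESOLVERS):
    """Return (entry_type, verdict, detail) for each recognised HJT line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            # A BHO whose file no longer exists is a dead registration: safe to fix.
            verdict = "fix" if m["file"] == "(no file)" else "review"
            findings.append(("O2", verdict, f"BHO {m['clsid']} -> {m['file']}"))
        elif m := O17_RE.match(line):
            servers = {s.strip() for s in m["servers"].split(",") if s.strip()}
            unexpected = sorted(servers - expected_resolvers)
            if unexpected:
                findings.append(("O17", "review", f"unexpected NameServer {unexpected}"))
            else:
                findings.append(("O17", "ok", "resolvers match the expected set"))
        elif m := O20_RE.match(line):
            # Winlogon Notify DLLs load into winlogon; a missing file is a leftover to fix.
            verdict = "fix" if m["missing"] else "review"
            findings.append(("O20", verdict, f"{m['name']} -> {m['dll']}"))
    return findings


def to_fix(findings):
    """Only the entries that can be ticked in HJT without further checking."""
    return [f for f in findings if f[1] == "fix"]


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(*entry, sep=" | ")
```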
  6. howard_hopkinso

    Ok mate no problem.

    I'm going offline now for a few hours, as I've been at it all day and I'm getting very tired. I'll be back to check your AVG Antispyware log in a few hours.

    Regards Howard :)
