TechSpot

removal of trojans

By jjob2
Mar 13, 2006
  1. Can someone please help? I have been having various problems with spyware and trojans, I think!
    I have done a freedom GUi scan for trojans and here is the log file. The author says don't edit or delete files unless you know what you are doing, and I don't. Can anyone please tell me which files in the log should be deleted or which ones should not? Thanks in advance, John.


    C:\Windows\SYSTEM\MKCOMPAT.EXE at 10:30:21 PM on 3/13/06 detected!
    C:\WINDOWS\SYSTEM\MKCOMPAT.EXE at 7:15:54 AM on 3/14/06 detected!
    C:\WINDOWS\SYSTEM\CFGWIZ32.EXE at 7:18:37 AM on 3/14/06 detected!
    C:\WINDOWS\command.PIF at 7:29:53 AM on 3/14/06 detected!
    C:\WINDOWS\SYSTEM\JDBGMGR.EXE at 7:30:40 AM on 3/14/06 detected!
    C:\WINDOWS\RUNDLL.EXE at 7:31:54 AM on 3/14/06 detected!
    C:\WINDOWS\TASKMON.EXE at 7:33:53 AM on 3/14/06 detected!
    C:\WINDOWS\SYSTEM\CFGWIZ32.EXE at 7:43:10 AM on 3/14/06 detected!
    C:\WINDOWS\SAMPLES\WSH\CHART.VBS at 7:43:18 AM on 3/14/06 detected!
    C:\WINDOWS\SYSTEM\SUCATREG.EXE at 8:27:15 AM on 3/14/06 detected!
    C:\WINDOWS\TOUR98.EXE at 8:32:26 AM on 3/14/06 detected!
    C:\WINDOWS\unvise32qt.exe at 8:33:41 AM on 3/14/06 detected!
    C:\WINDOWS\WINHELP.EXE at 8:37:51 AM on 3/14/06 detected!
    C:\WINDOWS\SYSBCKUP\WINHELP.EXE at 8:37:52 AM on 3/14/06 detected!
    C:\WINDOWS\WININIT.EXE at 8:38:06 AM on 3/14/06 detected!
    C:\WINDOWS\WINMINE.EXE at 8:39:08 AM on 3/14/06 detected!
    C:\WINDOWS\SYSTEM\WSASRV.EXE at 8:42:10 AM on 3/14/06 detected!
    C:\WINDOWS\SYSTEM\SPOOL32.EXE at 9:03:17 AM on 3/14/06 detected!
    C:\WINDOWS\MSNMGSR1.EXE at 9:09:16 AM on 3/14/06 detected!
    C:\WINDOWS\tool1.exe at 9:10:37 AM on 3/14/06 detected!
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

  3. Peddant

    Peddant TS Rookie Posts: 1,644

    Post removed.
     
  4. jjob2

    jjob2 TS Rookie Topic Starter

    Thanks for the reply

    Thanks for the reply Howard, but I have followed all instructions and am still having problems. I found the HJT help a little confusing so I will post my HJT log file for you to see. I am also getting a notification each time I boot up Windows which says "Cannot find file ibm0001.exe" or words to that effect. Adaware, spybot, cw shredder, coolws., about buster etc all found nothing.
    I have a PII 450mhz, 128 Ram, OS win98, and IE 6.0

    thanks again John
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to each (if there).

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dsl.optusnet.com.au/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    F1 - win.ini: run=lxcgppls.exe

    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL

    O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\SYSTEM\LXCGtime.dll,_RunDLLEntry@16

    O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
    Only fix this entry if it doesn't belong to your computer manufacturer, or your ISP provider.

    O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab

    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.115.75,85.255.112.139
    Only fix this entry if it doesn't belong to your ISP.

    Click on the fix checked button.

    Close HJT.

    Reboot into normal mode.

    Regards Howard :)
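
The O17 instruction above ("only fix this entry if it doesn't belong to your ISP") is a comparison of the logged DNS servers against a list you trust, and the F1/O4 lines are the ones that start a program at boot. This is an added example, not part of the original post and not HijackThis code; the function names and the resolver address `192.0.2.53` are placeholders chosen for the example.

```python
import re

# Entries copied from the HJT list in the post above, used here as sample input.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
F1 - win.ini: run=lxcgppls.exe
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\SYSTEM\LXCGtime.dll,_RunDLLEntry@16
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.115.75,85.255.112.139
"""

# HijackThis section codes that appear in the post, with what each one covers.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "F1": "win.ini/system.ini autostart", "O2": "Browser Helper Object",
    "O4": "Run key / Startup autostart", "O14": "IERESET.INF defaults",
    "O16": "ActiveX download (DPF)", "O17": "DNS / domain setting",
}
AUTOSTART = {"F1", "O4"}

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_entries(log):
    """Return (code, detail) for every line in HijackThis entry format."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]

def review(log, isp_resolvers):
    """Return (code, section, note) for entries that need a manual decision."""
    findings = []
    for code, detail in parse_entries(log):
        section = SECTIONS.get(code, "unknown section")
        if code == "O17" and "NameServer" in detail:
            # Flag only the DNS servers that are not on the trusted ISP list.
            unknown = [ip for ip in IPV4.findall(detail) if ip not in isp_resolvers]
            if unknown:
                findings.append((code, section, "not an ISP resolver: " + ", ".join(unknown)))
        elif code in AUTOSTART:
            findings.append((code, section, "runs at startup: " + detail))
    return findings

if __name__ == "__main__":
    # 192.0.2.53 is a placeholder (documentation range); use your ISP's real resolvers.
    for finding in review(SAMPLE_LOG, isp_resolvers={"192.0.2.53"}):
        print(" | ".join(finding))
```
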
     
  6. jjob2

    jjob2 TS Rookie Topic Starter

    panda scan log

    OK, I have done all that and things seem much better; however, I have now done the Panda online active scan and the results don't look promising! Any suggestions?

    thanks again John
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html


    Go to Add/Remove Programmes in your control panel and uninstall anything to do with the following (if there).

    C:\Program Files\Doctor Alex\Undo

    Close control panel.

    Delete the following bold file (if there).

    C:\Program Files\Doctor Alex\Undo

    Open HJT and click on the config button, then the Misc Tools button.

    Click on the delete file on reboot button.

    Browse to the following files and enter these locations 1 at a time into the open box and click open.

    C:\WINDOWS\webload196.exe.tcf

    C:\WINDOWS\tool2.exe

    C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hir7zlkz.default\cookies.txt[]

    C:\WINDOWS\SYSTEM\lxcgsr9x.exe

    C:\WINDOWS\SYSTEM\azebar.xml

    You will be asked after each entry, if you want to reboot your computer. Click yes. You will be required to reboot your computer 5 times.

    Regards Howard :)
     
  8. jjob2

    jjob2 TS Rookie Topic Starter

    thank you

    You is da man Howard thank you for your patience and help, it worked a treat.

    regards john
     
Topic Status:
Not open for further replies.

