TechSpot

TR/Downloader.Gen Trojan - svchost.exe in the C:\Windows\Temp

Discussion in 'Virus and Malware Removal' started by Arthurik_jan, Dec 23, 2009.

Thread Status:
Not open for further replies.
  1. Arthurik_jan TechSpot Member

    :wave: Welcome to Techspot EnigmaCharisma! By the way, in order for Bobbye to be able to scan your HJT log effectively, you have to:
    1. download and install the HiJackThis into C:\HJT
    2. close every program you have running
    3. scan with HJT
    4. copy-paste the generated log, without touching anything in it, into your post (edit your previous one)

    Bobbye I did as told. I'll go point by point:

    1. R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O4 - HKUS\S-1-5-18\..\Run: [cbssreg] C:\Windows\TEMP\xvkq.tmp\svchost.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [cbssreg] C:\Windows\TEMP\xvkq.tmp\svchost.exe (User 'Default user')


    were removed, as told. The O9 entry was left untouched as it is a legitimate entry by MS Office 2003. Upon googling refiebar.dll I get a description stating that refiebar.dll is a module which allows you to use the Microsoft Office Research Library and its collection of information services from Microsoft Internet Explorer.

    2. Read the whole article "How do spammers harvest email addresses?" and it was very educational. I am a very cautious user. I do not get more than 5-10 spams a day and I always read the subject before totally deleting them. I do not even open these messages at all. So I'm not going to track this spammer.

    3. rdolib.dll was not located in system32 after I'd done exactly what you told me in safe mode, so I just checked the box and clicked on Fix in HJT.

    4. I deleted the contents of the C:\Windows\Temp folder through safe mode as told.

    5. How is this ComboFix supposed to work? I downloaded it as Combo-Fix(.exe) just as told, but is it supposed to look like Combo-Fix(.exe).exe or just Combo-Fix(.exe)? Here's what happens:

    a) I double click Combo-Fix(.exe).exe located on my desktop.
    b) A ComboFix process bar appears
    c) A warning screen appears, I confirm that I am aware of the risk I'm taking with this program (screenshot: http://img85.imageshack.us/img85/4039/003d.png)
    d) A folder appears in C:\ called 32788R22FWJFW with a whole bunch of files, as if a program was installed there.

    - Am I doing something wrong here? (btw, Avira was off, the firewall was off, the internet connection was off and the network adapters were disabled during the above-mentioned ComboFix procedure, and I get the same thing in safe mode as well)

    Once again Bobbye I appreciate the effort. Thank you.

    Arthur
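The two O4 lines quoted in the post above are the persistence mechanism of this infection: a Run key in the SYSTEM (S-1-5-18) and Default-user hives launching a file named svchost.exe out of C:\Windows\TEMP, which is not where the real svchost.exe lives. The following Python is an added example (not code from this thread, from TechSpot or from HijackThis) that parses HJT-style O4 lines and flags exactly that pattern. The O4 parsing regex, the triage rules, and the benign Avira and ctfmon sample lines are my own assumptions; only the R0 line and the two cbssreg lines come from the log posted above.

```python
"""Triage HijackThis "O4" (autostart) log lines for the pattern seen in this
thread: a file named svchost.exe launched from C:\\Windows\\TEMP by a Run key.
Added example; not part of the original thread or of HijackThis itself."""
import re
import ntpath

# Assumed O4 line shape:  O4 - <hive>\..\<Run key>: [<value name>] <command> (User '<user>')
# The trailing "(User '...')" part is optional (HJT prints it only for HKUS entries).
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)

# Directories where the genuine svchost.exe lives on 32/64-bit Windows.
SYSTEM_DIRS = ("windows\\system32", "windows\\syswow64")
# Path fragments that no legitimate autostart entry should run from.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

# Constructed sample log: first and last two lines are from the thread above,
# the avgnt and ctfmon lines are benign entries I made up for contrast.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
O4 - HKLM\\..\\Run: [avgnt] "C:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe" /min
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\Windows\\system32\\ctfmon.exe
O4 - HKUS\\S-1-5-18\\..\\Run: [cbssreg] C:\\Windows\\TEMP\\xvkq.tmp\\svchost.exe (User 'SYSTEM')
O4 - HKUS\\.DEFAULT\\..\\Run: [cbssreg] C:\\Windows\\TEMP\\xvkq.tmp\\svchost.exe (User 'Default user')
"""


def executable_of(cmd):
    """Pull the program path out of a Run-key command string.
    A quoted path ends at the closing quote; an unquoted one is cut after the
    first '.exe' so unquoted paths with spaces still come out whole."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    idx = cmd.lower().find(".exe")
    return cmd[: idx + 4] if idx >= 0 else cmd.split()[0]


def parse_o4(line):
    """Return a dict (hive, key, name, cmd, user, exe) for an O4 line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["exe"] = executable_of(entry["cmd"])
    return entry


def findings_for(entry):
    """Apply the triage rules to one parsed O4 entry and return the reasons it is suspicious."""
    low = entry["exe"].lower()
    parent = ntpath.dirname(low)
    base = ntpath.basename(low)
    reasons = []
    # Rule 1: the name svchost.exe anywhere but System32/SysWOW64 is a masquerade.
    if base == "svchost.exe" and not any(parent.endswith(d) for d in SYSTEM_DIRS):
        reasons.append("svchost.exe outside System32/SysWOW64")
    # Rule 2: nothing legitimate autostarts from a temp directory.
    if any(marker in low for marker in TEMP_MARKERS):
        reasons.append("autostart runs from a temp directory")
    # Rule 3 (context only): a suspicious entry under the SYSTEM or Default-user
    # hive runs before any interactive logon and survives cleaning a user profile.
    if reasons and entry["hive"].upper() in ("HKUS\\S-1-5-18", "HKUS\\.DEFAULT"):
        reasons.append("persists in the SYSTEM/Default-user profile, survives user cleanup")
    return reasons


def triage(log_text):
    """Scan a whole HJT log; return [(line, [reasons])] for every suspicious O4 line."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry:
            reasons = findings_for(entry)
            if reasons:
                hits.append((line.strip(), reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Running it on the sample log reports only the two cbssreg lines, each with all three reasons, while the Avira and ctfmon entries pass. The rules are deliberately narrow (a lookalike of a system binary outside its home directory, and anything launched from Temp); a real triage would also check the file's digital signature and hash, which a log line alone cannot tell you.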
  2. Bobbye Helper on the Fringe

    EnigmaCharisma: Please start a separate thread for your problem. While you may have "the same problem" (getting redirected when using the Google search), the cause may be different. You are also running the wrong version of HijackThis. Use the links in the removal thread. Suggest you re-title to Subject: Trojan in the SVChost file

    end1snear: Please start your own thread following the steps in the link below.

    While some of the same programs may be used, they are used on the instruction and under the guidance of the helper. Hitman is NOT in our preliminary removal instructions and we ask that you follow the steps in the Preliminary Virus and Malware Removal first.

    Leave all three logs for review.
    ---------------------------------------------------------------

    This thread is for the use of member Arthurik_jan only. If you have a malware problem, please follow the steps in the Preliminary Virus and Malware Removal thread first.

    Start a new thread to post your problem and attach your logs.