TechSpot

trojan 28.a

By Crpnobbs
Oct 16, 2006
  1. Hi there

    Ran through the process but still got the virus.
    3 days of banging head off wall. Please help.

    Thanks Crpnobbs
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You're not running any antivirus or firewall software. This is a huge security risk. Follow all the instructions below exactly.

    Download and install the free AVG or Avast antivirus programmes and either the free Zonealarm or Kerio firewall programmes. You can get them HERE, HERE, HERE and HERE.

    Install whichever firewall you chose, followed by whichever antivirus programme you chose. Reboot your system the required number of times. Run the antivirus updates. Close the antivirus programme.

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Turn off System Restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Run a full system scan with your antivirus programme and delete whatever it finds. This includes anything in the virus vault/quarantine. Close your antivirus programme.

    Delete all files in the AVG Antispyware quarantine.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each entry (if there).

    O9 - Extra button: (no name) - {E908B145-C847-4e85-B315-07E2E70DECF8} - (no file)

    O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab

    O16 - DPF: ConferenceRoom Java Client - http://pix.sexyads.net:8080/java/cr.cab

    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = s26378.tjgo.com (Only fix this if you don't recognise the domain or it doesn't belong to your ISP.)

    O20 - Winlogon Notify: winhsq32 - C:\WINDOWS\SYSTEM32\winhsq32.dll

    Click on the fix checked button.

    Close HJT.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot, and hopefully your files will now be deleted.

    This is the file path you need to enter into killbox.

    C:\WINDOWS\SYSTEM32\winhsq32.dll

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

    This thread is for the use of Crpnobbs only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. Crpnobbs

    Crpnobbs TS Rookie Topic Starter Posts: 20

    Thanks will try this in the a.m.
    Am a bit worried though because i have been using windows firewall and have avg and PC tools AntiVirus loaded. (think i may load Kerio )
    Will get back to you,

    thanks again.
     
  4. howard_hopkinso


    Uninstall PC Tools AntiVirus, it's crap.

    The Windows Firewall is also crap.

    The free Zonealarm or Kerio firewall programmes are much better.

    Regards Howard :)

     
  5. Crpnobbs


    Thanks, it's looking good, (touching wood).

    Do have a question: spamgrid, what is it and would it be safe to move?
    I may have loaded it a few years ago but I cannie mind.


    Anyway thanks again you've been a great help.

    Crp Nobbs

    (Night Watch)

    forgot to add log.

    Cheers
     
  6. howard_hopkinso


    Please stop installing new software until we have your problems sorted out. You're just making this harder for yourself and for me too.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Turn off System Restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to Add/Remove Programs in your Control Panel and uninstall anything to do with the following (if there).

    PC Tools AntiVirus

    BARBMU~1

    Hercules\Video\Hercules 3DTweaker 3.0 LE (Build 25)

    1-2-3 Spyware Free

    ashampoo\Ashampoo AntiSpyWare

    Jetico\Jetico Personal Firewall

    ipwins

    Close control panel.

    Once you've uninstalled all that crap, reboot your computer and install either the free Zonealarm or the free Kerio firewall programmes.

    Post a fresh HJT log.

    Regards Howard :)

     
  7. Crpnobbs


    Morning:
    The only new software installed was Jetico firewall, because I couldn't get Zone Alarm to download fully, but going off to try again.

    Cheers mate.
     
  8. Crpnobbs


    Trying to load Zone but get the message "unable to log into TrueVector service". How do I shut the service down?

    Thanks
     
  9. howard_hopkinso


    Strange, please post a fresh HJT log.

    Regards Howard :)
     
  10. Crpnobbs


    Sorry, meant to add with last post.

    Thanks
     
  11. howard_hopkinso


    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Turn off System Restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to Add/Remove Programs in your Control Panel and uninstall anything to do with the following (if there).

    Jetico

    Jetico Personal Firewall
    ashampoo
    Ashampoo AntiSpyWare

    1-2-3 Spyware Free
    PC Tools AntiVirus
    DAP

    Close control panel.

    Open your Task Manager by holding down the Ctrl and Alt keys and pressing the Delete key.

    Click on the Processes tab and end the process for each of the following (if there).

    DAP.EXE
    jpf.exe
    AntiSpyWareGuard.exe

    SpywareFreeMonitor.exe
    PCTAV.exe
    PowerReg Scheduler.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each entry (if there).

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchexe.com/passthrough/index.html?http://about:blank

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    F1 - win.ini: run=MSVXD.EXE,MSVXD.EXE,MSVXD.EXE,MSVXD.EXE,MSVXD.EXE,MSVXD.EXE÷¯DHCP÷]

    O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico\Jetico Personal Firewall\jpf.exe"

    O4 - HKLM\..\Run: [glrmxwe.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\glrmxwe.dll,qnvaobf

    O4 - HKLM\..\Run: [Ashampoo AntiSpyWare Guard] C:\Program Files\ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe

    O4 - HKLM\..\Run: [123Monitor] C:\Program Files\1-2-3 Spyware Free\SpywareFreeMonitor.exe

    O4 - HKCU\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN

    O4 - Startup: PowerReg Scheduler.exe

    O4 - Global Startup: PowerReg Scheduler.exe

    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

    O20 - Winlogon Notify: winhsq32 - winhsq32.dll (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or folders (if there).

    C:\PROGRA~1\DAP
    C:\Program Files\PC Tools AntiVirus
    C:\Program Files\1-2-3 Spyware Free

    C:\Program Files\ashampoo
    C:\Program Files\Jetico
    PowerReg Scheduler.exe Search your system for this file and delete all instances of it.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot, and hopefully your files will now be deleted.

    This is the filepath you need to enter into killbox.

    C:\WINDOWS\system32\glrmxwe.dll,qnvaobf

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

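
The two fix lists above (the first set with the Winlogon Notify DLL, the second with the rundll32 loader and the win.ini run= line) are the kind of HJT entries a responder triages by hand. The script below is an added example, not code from this thread, HijackThis or Killbox: it parses HJT entry lines and sorts them into entries HJT can simply fix, entries the owner must verify first (the O17 domain, exactly as the caveat above says), and files that can only be removed on reboot because winlogon.exe loads them before any user tool runs. The sample entries are the ones quoted in the thread, lightly trimmed; the allowlists and the verdict labels are assumptions made for the example and should be replaced by your own baseline. One detail worth noting in the rundll32 line: only the part before the comma is a file path, the part after it is the exported function rundll32 calls, so the parser separates the two.

```python
"""Triage of HijackThis (HJT) log entries.

Added example for this thread; not code from TechSpot, HijackThis or
Killbox. The sample entries are the ones quoted in the thread (lightly
trimmed); the allowlists and verdict labels are assumptions for the
example and should be replaced with your own baseline.
"""
import re

# Winlogon Notify packages that ship with Windows XP (assumed allowlist).
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Hosts an IE home page or an ActiveX download (O16 DPF) may legitimately
# point at (assumed allowlist; a real baseline is far longer).
TRUSTED_HOSTS = {"www.google.com", "www.microsoft.com", "download.microsoft.com"}

# Constructed sample log: the entries the thread tells the poster to fix.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchexe.com/passthrough/index.html?http://about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
F1 - win.ini: run=MSVXD.EXE,MSVXD.EXE,MSVXD.EXE
O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico\Jetico Personal Firewall\jpf.exe"
O4 - HKLM\..\Run: [glrmxwe.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\glrmxwe.dll,qnvaobf
O9 - Extra button: (no name) - {E908B145-C847-4e85-B315-07E2E70DECF8} - (no file)
O16 - DPF: ConferenceRoom Java Client - http://pix.sexyads.net:8080/java/cr.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = s26378.tjgo.com
O20 - Winlogon Notify: winhsq32 - C:\WINDOWS\SYSTEM32\winhsq32.dll
"""

ENTRY_RE = re.compile(r'^(?P<kind>[RFO]\d+) - (?P<body>.*)$')
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^,"]+?\.dll)"?,(?P<entry>\S+)', re.IGNORECASE)
URL_RE = re.compile(r'https?://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?', re.IGNORECASE)


def parse(log_text):
    """Yield (kind, body) for each HJT entry line; other lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def rundll32_target(body):
    """Split 'rundll32.exe <dll>,<entry>' into (dll_path, entry_point).

    Only the part before the comma is a file; the part after it is the
    exported function rundll32 calls, so it must not be handed to a file
    deletion tool as part of the path. Returns None for other commands.
    """
    m = RUNDLL_RE.search(body)
    if not m:
        return None
    return m.group("dll"), m.group("entry")


def triage(log_text):
    """Return a list of (kind, verdict, detail) for entries worth acting on.

    verdict is 'fix' (have HJT remove it), 'verify' (needs the owner's
    judgement) or 'fix-on-reboot' (the file is loaded by winlogon.exe and
    can only be deleted before it is loaded again).
    """
    findings = []
    for kind, body in parse(log_text):
        if kind in ("R0", "R1"):
            m = URL_RE.search(body)
            if m and m.group("host").lower() not in TRUSTED_HOSTS:
                findings.append((kind, "fix", f"IE setting points at {m.group('host')}"))
        elif kind == "F1" and "run=" in body.lower():
            value = body.split("=", 1)[1].strip()
            if value:  # run= in win.ini is normally empty on XP
                findings.append((kind, "fix", f"win.ini run= not empty: {value!r}"))
        elif kind == "O4":
            target = rundll32_target(body)
            if target:
                dll, entry = target
                findings.append((kind, "fix", f"rundll32 loader: file {dll} (entry point {entry})"))
        elif kind == "O9" and body.endswith("(no file)"):
            findings.append((kind, "fix", "orphaned Extra button, its file is missing"))
        elif kind == "O16":
            m = URL_RE.search(body)
            if m and (m.group("port") or m.group("host").lower() not in TRUSTED_HOSTS):
                findings.append((kind, "fix", f"ActiveX download from {m.group('host')}"))
        elif kind == "O17":
            domain = body.split("=", 1)[1].strip()
            findings.append((kind, "verify", f"TCP/IP domain {domain}: fix only if it is not your ISP's"))
        elif kind == "O20":
            name = body.split(":", 1)[1].split(" - ")[0].strip().lower()
            if name not in KNOWN_NOTIFY:
                findings.append((kind, "fix-on-reboot", f"unknown Winlogon Notify package {name}"))
    return findings


if __name__ == "__main__":
    for kind, verdict, detail in triage(SAMPLE_LOG):
        print(f"{kind:<5}{verdict:<15}{detail}")
```

The 'fix-on-reboot' verdict is why the thread reaches for Killbox rather than Explorer: a Winlogon Notify DLL is mapped into winlogon.exe at boot and stays locked for the whole session, so delete-on-reboot tools queue the removal through Windows' pending file rename mechanism (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, stored under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations), which the session manager processes before winlogon loads the DLL again. Fixing the O20 registry entry in HJT first, as the instructions do, matters for the same reason: with the entry gone the DLL is never reloaded even if the deletion is delayed.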
     
  12. Crpnobbs


    Followed the instructions and removed what files were there, but still no joy with Zone Alarm.

    Not wanting to presume, but I did notice that 4 of the files turned up in the log (119, taken after rebooting into normal mode) but were not present in safe mode (118). Would this have anything to do with it?

    I'm just guessing.

    thanks.
     
  13. howard_hopkinso


    In that case, follow the instructions in normal mode.

    Then, post a fresh HJT log.

    Regards Howard :)

     
  14. Crpnobbs


    Gone through the whole lot but still unable to load Zone Alarm.
    Any idea as to what the TrueVector service is?

    thanks
     
  15. tomrca

    tomrca TS Rookie Posts: 1,000

    Have you still got Jetico firewall running?
     
  16. Crpnobbs


    Just ran a search on all my drives: no sign of Jetico.
    Have redownloaded Zone Alarm again, still the same problem; may have to try another firewall.
     
  17. howard_hopkinso


    Your HJT log is clean as a whistle.

    I don't know what the problem is with Zonealarm, maybe try the free KERIO firewall and see how that goes.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  18. Crpnobbs


    Thanks for all the help Howard.
    Gave up on Zone Alarm and am now trying out Comodo.
    Will see what that's like.

    Thanks again.
     
Topic Status:
Not open for further replies.
