Trojan, Adware help needed, blocks firefox

By Cybershree
May 22, 2009
Topic Status:
Not open for further replies.
  1. Guys, I'm a newcomer and need your HELP. Attached is the HijackThis log file. I have tried CCleaner and malware too. I have Symantec Antivirus Corporate Edition 9.0. It detects hackroot.toolkit in c:\windows\system32\drivers\sys32.drv ... though it says it has deleted the infected file, after a while the same message displays again. After some time Firefox stops working: it does not connect to the internet. E-mail clients do not work either.

    I have tried CCleaner and malware as suggested. Malware does not detect anything. CCleaner cleans some adware from the registry, but it reappears in the registry. Please help me remove the viruses from my PC! Thanks in advance for the help.

    Attached Files:

  2. Cybershree

    Cybershree Newcomer, in training Topic Starter Posts: 16

    I cannot run Windows XP in safe mode either. If I start it in safe mode, it reboots the computer again and again until I boot it in normal mode. Can anybody have a look please?
  3. touch

    touch Newcomer, in training Posts: 978

    Hello Cybershree


    Please download Combofix:
    http://subs.geekstogo.com/ComboFix.exe
    And save to the desktop.

    Open notepad and copy/paste the text in the quotebox below into it:
    Name the file as CFScript
    and Save it on the desktop

    http://www.fromsej.saknet.dk/billeder/cfscript.gif

    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.

    Combofix will create a logfile and display it after your computer has rebooted. It is usually located in c:\combofix.txt; please attach it to your next post.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
  4. Cybershree

    hi touch!

    Thank you so much for the help. I did it as per the instructions. Attached is the combofix.txt file. Does it mean that the virus is removed? Thanks in advance.

    Attached Files:

  5. touch

  6. Cybershree

    Hi touch!

    Thanks a lot. Here is the report. It says both of these files are not infected. Does it mean there is no virus now? :)

    Filename: explorer(2).exe
    Status: Scan finished. 0 out of 20 scanners reported malware.
    Scan taken on: Thu 4 Jun 2009 08:55:57 (CET)

    Filename: userinit.exe
    Status: Scan finished. 0 out of 20 scanners reported malware.
    Scan taken on: Fri 5 Jun 2009 10:27:20 (CET)

    Thanks,

    Shreekar
  7. Cybershree

    Attached are the detailed reports, thanks.
  8. touch

    No, you still have infections; we'll remove them now.

    Open notepad and copy/paste the text in the quotebox below into it:
    Name the file as CFScript
    and Save it on the desktop

    http://www.fromsej.saknet.dk/billeder/cfscript.gif

    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.

    Combofix will create a logfile and display it after your computer has rebooted. It is usually located in c:\combofix.txt; please attach it to your next post.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
  9. Cybershree

    Hi Touch,

    Thanks a lot. c:\windows\system32\drivers\sysdrv32.sys was detected by SAV as Hacktool.rootkit. I had run Combofix.exe. Attached is the report. I hope it is clear now :(

    Thanking you once again.

    Attached Files:

  10. touch

    Unfortunately no.

    Open notepad and copy/paste the text in the codebox below into it:
    Name the file as CFScript
    and Save it on the desktop

    Code:
    Killall::
    Snapshot::
    File::
    c:\windows\system32\drivers\sysdrv32.sys
    c:\windows\system32\55.scr
    c:\windows\system\netmon.exe
    c:\windows\system32\48.scr
    c:\windows\system32\33.scr
    c:\windows\system32\82.scr
    c:\windows\system32\42.scr
    c:\windows\system32\12.scr
    c:\windows\system32\51.scr
    c:\windows\system32\01.scr
    c:\windows\system32\87.scr
    c:\windows\system32\75.scr
    c:\windows\system32\14.scr
    c:\windows\system32\67.scr
    c:\windows\system32\35.scr
    c:\windows\system32\88.scr
    c:\windows\system32\27.scr
    c:\windows\system32\36.scr
    c:\windows\system32\40.scr
    c:\windows\system32\38.scr
    Rootkit::
    c:\windows\system32\drivers\sysdrv32.sys
    c:\windows\system\netmon.exe
    Driver::
    sysdrv32
    Play Port I/O Driver
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\System32\\48.scr"=-
    "c:\\WINDOWS\\System32\\82.scr"=-
    "c:\\WINDOWS\\system\\netmon.exe"=-
    "c:\\WINDOWS\\System32\\55.scr"=-

    http://www.fromsej.saknet.dk/billeder/cfscript.gif

    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.

    Combofix will create a logfile and display it after your computer has rebooted. It is usually located in c:\combofix.txt; please attach it to your next post.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
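    The Registry:: section of the script above deletes the Windows Firewall exceptions the bot registered for its numbered *.scr files and for netmon.exe. As an added example, not part of touch's instructions or of ComboFix itself, the Python below reads a .reg-style export of that AuthorizedApplications key, flags entries with the same traits (a .scr granted network access, a purely numeric file name, a file under windows\system instead of system32) and prints them in the Registry:: form used in the thread. The sample export, the firefox.exe and sessmgr.exe entries, and the heuristics are constructed assumptions, not values from the thread's attached logs.

```python
import re

# Constructed sample input (not from the thread's logs): a .reg-style export of the
# XP firewall's AuthorizedApplications list. Each value name is a program path and the
# data is "path:*:Enabled:display name". 48.scr and netmon.exe are the thread's names;
# the firefox.exe and sessmgr.exe entries stand in for legitimate exceptions.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"c:\\WINDOWS\\System32\\48.scr"="c:\\WINDOWS\\System32\\48.scr:*:Enabled:48"
"c:\\WINDOWS\\system\\netmon.exe"="c:\\WINDOWS\\system\\netmon.exe:*:Enabled:netmon"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''

KEY_SUFFIX = r"\firewallpolicy\standardprofile\authorizedapplications\list"
VALUE_RE = re.compile(r'^"(.+?)"="(.*)"$')  # "name"="data" lines of a .reg export

def parse_authorized_apps(reg_text):
    """Return {program path (backslash escapes undone): data} for the List key only."""
    apps, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):                       # key header: is it the one we want?
            in_key = line.lower().rstrip("]").endswith(KEY_SUFFIX)
            continue
        m = VALUE_RE.match(line)
        if in_key and m:
            apps[m.group(1).replace("\\\\", "\\")] = m.group(2)
    return apps

def suspicious_reasons(path):
    # Heuristics taken from what the thread's bot did; an empty list means "looks normal".
    parent, _, name = path.lower().rpartition("\\")
    stem, _, ext = name.rpartition(".")
    reasons = []
    if ext == "scr":
        reasons.append("screensaver (.scr) granted firewall access")
    if stem.isdigit():
        reasons.append("purely numeric file name")
    if parent.endswith("\\windows\\system"):            # netmon.exe lived here, not in system32
        reasons.append("lives in windows\\system rather than system32")
    return reasons

def find_suspicious(reg_text):
    """Map each flagged program path to the reasons it was flagged."""
    return {p: r for p in parse_authorized_apps(reg_text) if (r := suspicious_reasons(p))}

def cfscript_registry_section(findings):
    # Same shape as the thread's script: key header, then "path"=- lines deleting each value.
    lines = ["Registry::",
             "[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\AuthorizedApplications\\List]"]
    lines += ['"%s"=-' % p.replace("\\", "\\\\") for p in sorted(findings)]
    return "\n".join(lines)

if __name__ == "__main__":
    found = find_suspicious(SAMPLE_REG)
    for path, reasons in found.items():
        print(path, "->", "; ".join(reasons))
    print(cfscript_registry_section(found))
```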
  11. Cybershree

    hi touch!

    Attached is the ComboFix.txt. I added one line in the script for '85.scr', which was showing up in the system32 folder. I had scanned it through Jotti and found it virus-infected. Now there are no more *.scr files in the folder. I hope there is no more problem now.

    Thanks once again.
     
  12. touch

  13. Cybershree

    The computer is still infected with the trojan virus. SUPERAntiSpyware, however, detected some of the infected files. Attached are the log files.
  14. touch

    Ok. Run one more scan with SUPERAntiSpyware, and let me know if it still finds the virus.
  15. Cybershree

    No, not this time. :) It says no more threats! So it is okay now? Thanks.
  16. Cybershree

    hi touch!

    I am still getting Backdoor.IRC.Bot virus notifications from SAV. I can see several *.scr files in the c:\windows\system32 folder. I have attached the SAV.csv file and the HijackThis log file. I am not getting the TCP/IP problem as before, but it seems a lot of files have now been generated by the virus.

    Could you please have a look? Thanks.
  17. Cybershree

    Also, I had scanned using CCleaner, malware and SUPERAntiSpyware... no virus was detected.
  18. Cybershree

    There is a folder on the C drive: c:\Qoobox. It has all the combofix.txt files that were generated in the past while I used ComboFix, and also some *.exe files like C:\Qoobox\Quarantine\C\Program Files\WINDOWS\PEV.exe.vir.

    Looking for help. Thanks
  19. Cybershree

    Using Jotti, I didn't find any virus detection on the *.scr files. One of the files in the Qoobox folder was detected as a virus by CP-Secure.
  20. touch

    The files/folders in c:\Qoobox don't do any harm.

    Sure, a look at what?
  21. Cybershree

    Hi, sorry, I forgot to attach the log file. Also attached are the combofix.txt and the SAV log (SAV.txt).

    Thanks,
  22. touch

    Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and will typically cause your computer to crash, and will provide less protection, not more.
    Remove/uninstall from "Add/Remove Programs" in Control Panel:
    Trend Micro or Norton

    Reboot.


    Delete these files:
    c:\windows\system32\51.scr
    c:\windows\system32\46.scr
    c:\windows\system32\61.scr
    c:\windows\system32\47.scr

    If you have more numbered .scr files, delete them as well.

    Post a fresh HijackThis log, and please give an update on how the computer is behaving.
  23. Cybershree

    Trend Micro antivirus was already removed, but Add/Remove shows an installation of Trend Micro Internet Security. Removing it gives a 'Fatal error during installation' message. The folder program files/trend micro/.. is thus retained. However, I am not seeing any problem in my PC so far. The PC is running faster than before.

    I have already deleted those .scr files. Attached is the HijackThis log file.
  24. touch

    Ok :)

    Start > Run, type services.msc (or copy/paste) in the 'Run' box. Click OK. When the Services window opens, scroll down to:
    Trend Micro Personal Firewall
    Right-click on it and choose 'Properties'. You will see a little drop-down bar with an arrow. Click on that and change it to "Deactivate".

    Same procedure with:
    Trend NT Realtime Service
    Trend Micro Proxy Service

    Reboot, and you´re done.

    Now that your computer problems are solved, it is time for the clean-up procedure.
    You should Create a New Restore Point to prevent possible reinfection from an old one.
    The easiest and safest way to do this is:
    Go to Start > All Programs > Accessories > System Tools > System Restore
    Select Create a restore point, and Ok it.
    Next, go to Start > Run and type in cleanmgr
    Select the More options tab
    Choose the option to clean up system restore and OK it.

    This will remove all restore points except the new one you just created.

    Click START then RUN
    Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    When shown the disclaimer, Select "2"
    The above procedure will:
    Delete the following:
    ComboFix and its associated files and folders.
    VundoFix backups, if present.
    The C:\Deckard folder, if present.
    The C:\_OtMoveIt folder, if present.
    Reset the clock settings.
    Hide file extensions, if required.
    Hide System/Hidden files, if required.


    To learn more about how to protect yourself while on the internet, please read Tony Klein's guide:
    How did I get infected in the first place?
  25. Cybershree

    Thanks a lot! I did it. Thanks again.