Trojan, Adware help needed, blocks firefox

Status
Not open for further replies.

Cybershree

Guys, I'm a newcomer and need your HELP. Attached is the HijackThis log file. I have tried CCleaner and malware too. I have Symantec AntiVirus Corporate Edition 9.0. It detects Hacktool.Rootkit in c:\windows\system32\drivers\sys32.drv ... though it says it has deleted the infected file, after a while the same message displays again. After some time Firefox stops working; it does not connect to the internet. E-mail clients do not work.

I have tried CCleaner and malware as suggested. Malware does not detect anything. CCleaner cleans some adware from the registry, but it reappears in the registry. Please help me remove the viruses from my PC! Thanks in advance for the help.
 

Attachment: hijackthis.log (12.4 KB)
I cannot run Windows XP in safe mode either. If I start it in safe mode, it reboots the computer again and again until I boot it in normal mode. Can anybody have a look, please?
 
Hello Cybershree


Please download Combofix:
http://subs.geekstogo.com/ComboFix.exe
And save to the desktop.

Open notepad and copy/paste the text in the quotebox below into it:
Name the file as CFScript
and Save it on the desktop

Killall::
Snapshot::
File::
C:\WINDOWS\system\1sass.exe

http://www.fromsej.saknet.dk/billeder/cfscript.gif

Once saved, referring to the picture above, drag CFScript.txt onto ComboFix.exe.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
Hi touch!

Thank you so much for the help. I did it as per the instructions. Attached is the combofix.txt file. Does it mean that the virus is removed? Thanks in advance.
 

Attachment: ComboFix.txt (18.2 KB)
Hi touch!

Thanks a lot. Here is the report. It says both of these files are not infected. Does it mean there is no virus now? :)

Filename: explorer(2).exe
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Thu 4 Jun 2009 08:55:57 (CET)

Filename: userinit.exe
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Fri 5 Jun 2009 10:27:20 (CET)

Thanks,

Shreekar
 
No, you still have infections; we'll remove them now.

Open notepad and copy/paste the text in the quotebox below into it:
Name the file as CFScript
and Save it on the desktop

Killall::
Snapshot::
File::
c:\windows\system32\drivers\sysdrv32.sys
c:\windows\system\1sass.exe
FileLook::
c:\windows\system32\48.scr
c:\windows\system32\33.scr
Driver::
sysdrv32
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"lsass"=-

http://www.fromsej.saknet.dk/billeder/cfscript.gif

Once saved, referring to the picture above, drag CFScript.txt onto ComboFix.exe.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
Hi Touch,

Thanks a lot. c:\windows\system32\drivers\sysdrv32.sys was detected by SAV as Hacktool.Rootkit. I ran Combofix.exe. Attached is the report. I hope it is clear now :(

Thanking you once again.
 

Attachment: ComboFix.txt (19 KB)
Unfortunately, no.

Open notepad and copy/paste the text in the codebox below into it:
Name the file as CFScript
and Save it on the desktop

Code:
Killall::
Snapshot::
File::
c:\windows\system32\drivers\sysdrv32.sys
c:\windows\system32\55.scr
c:\windows\system\netmon.exe
c:\windows\system32\48.scr
c:\windows\system32\33.scr
c:\windows\system32\82.scr
c:\windows\system32\42.scr
c:\windows\system32\12.scr
c:\windows\system32\51.scr
c:\windows\system32\01.scr
c:\windows\system32\87.scr
c:\windows\system32\75.scr
c:\windows\system32\14.scr
c:\windows\system32\67.scr
c:\windows\system32\35.scr
c:\windows\system32\88.scr
c:\windows\system32\27.scr
c:\windows\system32\36.scr
c:\windows\system32\40.scr
c:\windows\system32\38.scr
Rootkit::
c:\windows\system32\drivers\sysdrv32.sys
c:\windows\system\netmon.exe
Driver::
sysdrv32
Play Port I/O Driver
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\System32\\48.scr"=-
"c:\\WINDOWS\\System32\\82.scr"=-
"c:\\WINDOWS\\system\\netmon.exe"=-
"c:\\WINDOWS\\System32\\55.scr"=-

http://www.fromsej.saknet.dk/billeder/cfscript.gif

Once saved, referring to the picture above, drag CFScript.txt onto ComboFix.exe.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
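The CFScripts in this thread are built by hand from the ComboFix log: each flagged path becomes a `File::` line, and every autorun or firewall-exception entry that points at it becomes a `"value"=-` line under `Registry::`. The script below, added here as an example and not part of the thread, of ComboFix or of any poster's instructions, automates that mapping over a regedit (.reg) export of the two keys these scripts touch: the Windows Firewall `AuthorizedApplications\List` key and the HKLM `Run` key. The sample export, the three path heuristics (numbered `*.scr` files in system32, any executable in the legacy `%windir%\system` folder, and an `lsass` look-alike spelled with a digit one) and all function names are assumptions for illustration; the numbered-screensaver pattern is the same check behind the later advice to delete any further numbered .scr files.

```python
"""Derive ComboFix CFScript lines from a regedit export of the Windows Firewall
AuthorizedApplications list and the HKLM Run key.  Added example; the sample
data, the heuristics and the function names are assumptions, not ComboFix's."""
import re
from collections import OrderedDict

# Constructed sample export (not taken from the thread's logs): legitimate
# entries alongside the kinds of entries the thread's CFScripts removed.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\WINDOWS\\System32\\48.scr"="C:\\WINDOWS\\System32\\48.scr:*:Enabled:48"
"C:\\WINDOWS\\system\\netmon.exe"="C:\\WINDOWS\\system\\netmon.exe:*:Enabled:netmon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre6\\bin\\jusched.exe\""
"lsass"="C:\\WINDOWS\\system\\1sass.exe"
'''

VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')          # "name"=data
EXE_PATH = re.compile(r'^"?(.+?\.(?:exe|scr|dll|sys))', re.I)    # binary before any arguments

# Heuristics for the indicators seen in this thread (assumptions, not AV signatures).
SUSPICIOUS = [
    re.compile(r'\\windows\\system32\\\d{1,3}\.scr$', re.I),             # numbered screensavers
    re.compile(r'\\windows\\system\\[^\\]+\.(exe|scr|dll|sys)$', re.I),  # legacy %windir%\system
    re.compile(r'\\1sass\.exe$', re.I),                                   # "lsass" with a digit one
]


def reg_unescape(s):
    # Undo regedit escaping (\\ -> \ and \" -> ") in a single pass.
    return re.sub(r'\\(["\\])', r'\1', s)


def reg_escape(s):
    return s.replace('\\', '\\\\').replace('"', '\\"')


def parse_reg(text):
    """Map each [key] to its string values as (name, data) with escaping removed."""
    keys, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, [])
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None and m.group(2).startswith('"') and m.group(2).endswith('"'):
            keys[current].append((reg_unescape(m.group(1)), reg_unescape(m.group(2)[1:-1])))
    return keys


def executable_path(key, name, data):
    """Firewall list entries are keyed by the path; Run values carry it in the data."""
    if key.lower().endswith('authorizedapplications\\list'):
        return name
    m = EXE_PATH.match(data)
    return m.group(1) if m else data


def is_suspicious(path):
    return any(rx.search(path) for rx in SUSPICIOUS)


def find_suspicious(keys):
    """Return [(key, value_name, path)] for every entry that trips a heuristic."""
    return [(key, name, executable_path(key, name, data))
            for key, values in keys.items()
            for name, data in values
            if is_suspicious(executable_path(key, name, data))]


def build_cfscript(findings):
    """Render File:: and Registry:: sections in the syntax the thread's scripts use."""
    files, by_key = [], OrderedDict()
    for key, name, path in findings:
        if path.lower() not in (f.lower() for f in files):
            files.append(path)
        by_key.setdefault(key, []).append(name)
    lines = ['Killall::', 'File::'] + files + ['Registry::']
    for key, names in by_key.items():
        lines.append('[%s]' % key)
        lines.extend('"%s"=-' % reg_escape(n) for n in names)  # regedit syntax: doubled backslashes
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    print(build_cfscript(find_suspicious(parse_reg(SAMPLE_REG))))
```

On a real machine the input comes from `reg export "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List" fw.reg` (and the same for the Run key); `reg export` writes UTF-16, so open the file with `encoding='utf-16'` before passing it to `parse_reg`. The heuristics only flag names and locations, so review the generated lines against the actual log before dropping them on ComboFix.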
 
hi touch!

Attached is the ComboFix.txt. I added one line in the script for '85.scr', which was showing up in the system32 folder. I had scanned it through Jotti and found it virus-infected. Now there are no more *.scr files in the folder. I hope there are no more problems now.

Thanks once again.
 
The computer is still infected with the trojan virus. SUPERAntiSpyware, however, detected some of the infected files. Attached are the log files.
 
OK. Run one more scan with SUPERAntiSpyware, and let me know if it still finds the virus.
 
hi touch!

I am still getting Backdoor.IRC.Bot virus notifications from SAV. I can see several *.scr files in the c:\windows\system32 folder. I have attached the SAV.csv file and the HijackThis log file. I am not getting the problem with TCP/IP as before, but it seems a lot of files have now been generated by the virus.

Could you please have a look? Thanks.
 
There is a folder on the C drive: c:\Qoobox. It has all the combofix.txt files that were generated in the past while I used ComboFix, and also some *.exe files like C:\Qoobox\Quarantine\C\Program Files\WINDOWS\PEV.exe.vir

Looking for help. Thanks
 
Using Jotti, I didn't find any virus detection on the *.scr files. One of the files in the Qoobox folder was detected as a virus by CP-Secure.
 
Having more than one antivirus program active in memory uses additional resources and can result in program conflicts, will typically cause your computer to crash, and will provide less protection, not more.
Remove/uninstall from "Add/Remove Programs" in Control Panel:
Trend Micro or Norton

Reboot.


Delete these files:
c:\windows\system32\51.scr
c:\windows\system32\46.scr
c:\windows\system32\61.scr
c:\windows\system32\47.scr

If you have more numbered .scr files, delete them as well.

Post a fresh HijackThis log, and please give an update on how the computer is behaving.
 
Trend Micro antivirus was already removed, but in Add/Remove it shows an installation of Trend Micro Internet Security. Removing it gives a 'Fatal error during installation' message. The folder Program Files/Trend Micro/... is thus retained. However, I am not having any visible problem on my PC so far. The PC is running faster than before.

I have already deleted those .scr files. Attached is the HijackThis log file.
 
OK :)

Start > Run, type services.msc (or copy/paste) in the 'Run' box. Click OK. When the Services window opens, scroll down to:
Trend Micro Personal Firewall
Right-click on it and choose 'Properties'. You will see a little drop-down bar with an arrow. Click on that and change it to "Deactivate".

Same procedure with:
Trend NT Realtime Service
Trend Micro Proxy Service

Reboot, and you're done.

Now that your computer problems are solved, it is time for the clean-up procedure.
You should create a new restore point to prevent possible reinfection from an old one.
The easiest and safest way to do this is:
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
When shown the disclaimer, Select "2"
The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present.
The C:\Deckard folder, if present.
The C:\_OtMoveIt folder, if present.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.


To learn more about how to protect yourself while on the internet, please read Tony Klein's guide:
How did I get infected in the first place?
 