Trojan, Downloader, etc.

Status
Not open for further replies.
Hi there. I was hoping someone could help me with this. I did the 8 steps and from AVG to Superantispyware, I have come up with four different issues that are supposedly removed:

TROJAN HORSE AGENT.3.R

JS/DOWNLOADER.AGENT

ROGUE.XP ANTISPYWARE2009-TRACE

TROJAN.DROPPER/FAKEALERT

I am attaching the logs and would be grateful for any help.
 
Hi Jet

Boot to Safe Mode with Networking (Safe Mode with Networking has Internet access; regular Safe Mode does not). This is to allow posting of logs back while in Safe Mode.

Run both MalwareBytes and SAS again multiple times until they come up clean or cannot clean something.

Reboot to normal and post new HJT log.

You have other issues I am not addressing at this time.

Mainly, you have 2 major online active antivirus programs, Norton and AVG. This is a no-no and can actually lower your protection level, as they compete with each other. And a couple of useless start-ups.

Mike
 
Hey Mike,
Thanks for replying to this post so quickly. I did what you said to do. I ran both cleaners until it found nothing. I am attaching the latest Hijack This file.

You said that Norton was running on my PC. I removed that long ago using the removal tool. At least I thought it was removed. Thanks again for taking the time to help me on this.

Jeff

PS, I added another HJT file. This file was taken after I rebooted windows out of safe mode. I misread your post. Thanks.
 

Attachments

  • hijackthis1010222.txt (11.5 KB)
I will be glad to review the logs you have attached from the TechSpot malware cleaning. It is not so simple to say run programs until they're clean. Give me a few minutes, okay?
 
OK Jet

Simple? Are we supposed to do it the hard way? I did parse his logs.
Good job Jet.

I see that was the leftovers of Norton/Symantec.

OK, run HJT "Scan only" and select the following for removal.

O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Then go to Add/Remove Programs and uninstall Viewpoint.

Run a full virus scan after updating, post the results, and tell me how the computer is running.

After this reboot and post new HJT Log.

Mike
 
Let's get some updating done:
Update Java:
Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses, so I strongly recommend you update. Click here to download the latest version of Java (Java Runtime Environment (JRE) 6.0 Update 10): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.

Update Adobe:
Your Adobe Reader is out of date. Vulnerabilities can be exploited. Click here to download the latest version v9: https://www.techspot.com/downloads/2083-adobe-reader-dc.html
OR
Install the Foxit Reader: this does the same thing as Adobe, but doesn't have the bloat: http://www.foxitsoftware.com/pdf/rd_intro.php
Click on the 'Get it Free' button.

Have SAS remove Trojan.Dropper/FakeAlert, XP AntiSpyware2009-Trace, and the Tracking Cookies. The screen shots here can be enlarged with a click to see the settings to use:
http://superantispyware.en.softonic.com/images

Reset Cookies:
Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.
You are showing two antivirus programs installed: both are loading. If you previously used Norton, you will need to use their Removal tool to complete the uninstallation: Download and Save to your desktop. Don't run yet: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

Note please that I am reviewing your original HijackThis log. You have some Real Time processes running that should have been stopped before the cleaning. We will see if this is an obstacle.

NOTE: Your System Restore points are infected. DO NOT use System Restore. Those files are protected and the cleaning programs will not remove them. When the system is clean, we will remove the old restore points and set a new one.

Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
And there is also a McAfee security process loading: Remove:
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
Start> Run> type in 'msconfig' without quotes> Enter> Selective startup> Startup tab> UNCHECK:
All Symantec or Norton processes
Any McAfee process
Any Viewpoint entries
Apply> OK.

Control Panel> Add/remove Programs> Uninstall the following if present:
Symantec /Norton
Viewpoint
Any McAfee program

Start> Run> services.msc: On each of the following Services: Right click> Properties> Change Startup type to Disabled:
Symantec Core LC
Viewpoint Manager Service
Now run the Norton Removal Tool by double-clicking the Setup you saved to the desktop.

Reboot into Normal Mode. You will get a nag message that you can just close after checking 'don't show this message again'. Stay in Selective Startup.

Run new HijackThis scan and attach log.

A NOTE: If speed is an issue for you, you have many processes loading at Startup that do not need to. We can work on that if you want, when through with the cleaning.
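Both helpers in this thread work the same way: they read the HijackThis log line by line, pick out the O9 / O16 / O23 entries tied to the leftover Symantec, McAfee and Viewpoint software, and then tell Jet which items to fix in HJT and which services to disable in services.msc. The script below is an added example, not HijackThis code and not anything posted by Mike or Bobbye. It parses those three entry kinds from a constructed sample log (the entries quoted in the thread plus one made-up `example.invalid` DPF line and one bare path, as the second list above contains), flags duplicates, orphaned "(file missing)" entries and O16 DPF downloads from hosts outside a constructed allow-list, and collects the service names to disable for a given set of vendors. The allow-list `TRUSTED_DPF_HOSTS` and the function names are assumptions of this example.

```python
"""Parse the O9 / O16 / O23 lines of a HijackThis (HJT) log and triage them.
Added example for this thread, not part of HijackThis itself."""
import re
from urllib.parse import urlparse

# Constructed sample: entries quoted in the thread, plus one made-up DPF line
# (example.invalid host) and one bare path of the kind the second list contains.
SAMPLE_LOG = r"""
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Constructed Example) - http://updates.example.invalid/unknown.cab
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
"""

# Every HJT entry starts with its section tag, e.g. "O16 - ".
ENTRY = re.compile(r"^(?P<kind>O\d+) - (?P<body>.+)$")
# O16: ActiveX download (DPF) with CLSID, optional friendly name and the .cab URL.
DPF = re.compile(r"^DPF: (?P<clsid>\{[0-9A-F-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$", re.I)
# O23: Windows service with display name, vendor string and binary path.
SERVICE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
# O9: Internet Explorer extra toolbar button.
BUTTON = re.compile(r"^Extra button: (?P<name>.+?) - (?P<clsid>\{[0-9A-F-]+\}) - (?P<path>.+)$", re.I)

# Constructed allow-list: hosts a reviewer accepts DPF downloads from without a second look.
TRUSTED_DPF_HOSTS = ("symantec.com", "mcafee.com", "microsoft.com")


def parse_hjt(text):
    """Return one dict per non-blank line; lines without an 'Oxx - ' tag are kept as 'unparsed'."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if not m:
            entries.append({"kind": "unparsed", "raw": line})
            continue
        kind, body = m.group("kind"), m.group("body")
        entry = {"kind": kind, "raw": line, "file_missing": line.endswith("(file missing)")}
        if kind == "O16" and (d := DPF.match(body)):
            entry.update(clsid=d["clsid"].upper(), name=d["name"] or "", url=d["url"],
                         host=urlparse(d["url"]).hostname or "")
        elif kind == "O23" and (s := SERVICE.match(body)):
            entry.update(name=s["name"], vendor=s["vendor"], path=s["path"])
        elif kind == "O9" and (b := BUTTON.match(body)):
            entry.update(name=b["name"], clsid=b["clsid"].upper(), path=b["path"])
        entries.append(entry)
    return entries


def host_trusted(host, trusted=TRUSTED_DPF_HOSTS):
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def triage(entries):
    """Return (index, reason) pairs for entries a reviewer should look at."""
    findings, seen = [], set()
    for i, e in enumerate(entries):
        if e["raw"] in seen:  # HJT lists a service once; a repeat is a copy/paste slip or a double entry
            findings.append((i, "duplicate entry"))
            continue
        seen.add(e["raw"])
        if e["kind"] == "unparsed":
            findings.append((i, "line is not in HJT 'Oxx - ' format (bare path?)"))
            continue
        if e["file_missing"]:
            findings.append((i, "target file missing (orphaned entry)"))
        if e["kind"] == "O16" and "host" in e and not host_trusted(e["host"]):
            findings.append((i, f"DPF download from unlisted host {e['host']}"))
    return findings


def services_to_disable(entries, vendors):
    """Sorted, de-duplicated O23 service names whose vendor string mentions any of `vendors`."""
    names = {e["name"] for e in entries
             if e["kind"] == "O23" and "vendor" in e
             and any(v.lower() in e["vendor"].lower() for v in vendors)}
    return sorted(names)


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for idx, reason in triage(parsed):
        print(f"[{idx}] {reason}: {parsed[idx]['raw']}")
    print("services.msc -> Disabled:", services_to_disable(parsed, ("Symantec", "Viewpoint")))
```

Note that `symantec.atgnow.com` is reported as an unlisted host even though Mike identifies it as a Symantec leftover: the allow-list only covers the vendor's own domain, so a support-portal host on a third-party domain is exactly the kind of entry that deserves a second look rather than an automatic pass. The duplicate Viewpoint service line is reported once, at its second occurrence, and the bare `ViewMgr.exe` path is surfaced so the reviewer knows it needs an O4 (startup) entry, not an O23 one, to fix it in HJT.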
 
Bobbye,

Thanks for taking the time to help me with this problem. Both you and Mike are awesome! I have done what the both of you have said to do. I am attaching the latest HJT file. At your convenience, please review this and let me know if there is anything further for me to do. Thanks again.
 
Hi Jet

You did a great job, followed instructions and posted the logs.

Looks good to me.

Only a few wheel spinners in startup (QuickTime updater, etc.).
But your Malware is gone.

I would do the below.

Run CCleaner: cleanup temps twice or until no more found, and Registry twice or until no more found.

----------------------------------------------------------------------------------------------------------------------------------
D/L, install and run ATF-Cleaner; clear all except passwords in all browsers you have. Run repeatedly until no more found.

http://www.majorgeeks.com/ATF_Cleaner_d4949.html

----------------------------------------------------------------------------------------------------------------------------------
The Malware is saved in your System Restore so we need to clean that

Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and the OK to Run.

As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

It clears what is known as Shadow Copies, which are used by specialized backup programs. Note: if you minimize now, go to My Computer and note the free space, and check this again after the run, you will be able to see the likely large difference.

This is if you have the Volume Shadow Copy running which is the default.

Next:
Start-Programs-Accessories-System Tools-System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

Once the new Restore point is made run the Disk Cleanup again and it will then only leave the clean "After cleanup at TechSpot" point!
----------------------------------------------------------------------------------------------------------------------------------

A Defrag is in order.

Wait for Bobbye's comments also.

Mike
 
The log looks good. Keep in mind what I said:
A NOTE: If speed is an issue for you, you have many processes loading at Startup that do not need to. We can work on that if you want, when through with the cleaning.

Now let's remove the cleaning tools:
* Download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe)
* Click the CleanUp! button.
* It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).

Clear your existing System Restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
Next, go to Start > Run and type in cleanmgr> Select the More options tab> Choose the option to clean up System Restore and OK it.
This will remove all restore points except the new one you just created.

You did a nice job. It was a pleasure working with you. Let us know if we can be of further help.
 
It is done!

I just want to thank mflynn and Bobbye for being kind enough to help me out of a jam. The both of you are great!!! TechSpot is really a breath of fresh air. I am no computer genius by any stretch of the imagination but I think I'm going to hang around and read these boards on a regular basis. With people like you two here, I'm sure to pick up some valuable information.

One last question though....how can I get my clock back to regular time? After all this happened, it went to a 24hr military format.

Thanks again,
Jeff
 
Reset clock to regular time from military time:
Step1> Open Control Panel
Step2> Open "Regional and Language Options"
Step3> Click "Customize"
Step4> Click on the "Time" tab
Step5> Change "Time Format" section to h:mm:ss tt
Step6> Be sure ":" for the time separator and AM and PM are selected on the next couple of lines. They may be set here already.
Step7> Click "Apply" and "Ok" on each open window.

NOTE: The Control Panel needs to be set in Category View.
 