Trojan Horse Downloader & Fake Alert

By giget2000
Nov 13, 2008
Topic Status:
Not open for further replies.
  1. I have the free trial of AVG and on 11/4 it showed that I had two infections
    1. Trojanhorsedownloader.generic8.BCQ
    2. Virus found Fake Alert

    I moved them to the vault and didn't really think anything would happen, but I was wrong. In the past few days my computer:

    will just shut off randomly,

    when typing on gmail chat there is a lag and some letters just don't type,

    today my wireless internet connection vanished (I am using a local connection)

    What can I do to fix this problem?
  2. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Hi giget2000

    Go here:

    The TechSpot 8 steps: http://www.techspot.com/vb/topic58138.html

    After loading but before clicking Scan do the below config changes

    SuperAntispyware config

    UPDATE!

    Then

    Click the Preferences button.

    Then Scanning Control.

    In Scanner Options make sure the following are checked:
    1. Close browsers before scanning
    2. Scan for tracking cookies
    3. Terminate memory threats before quarantining.
    4. Leave the others as they are.

    In MalwareBytes after update but before running
    Click settings and confirm all are Checked.

    I repeat Update these 2 programs.

    Run them and post their logs, then a new HJT log. HJT always last.

    After attaching logs from above run both programs again to confirm they find nothing else and attach new logs for this run!

    If the programs will not update or run then you must do the below

    You need to rename SuperAntiSpyware to say SAS.exe and mbam.exe to mwbam.exe.

    So My Computer to \Program Files\SuperAntiSpyware, find and rename as above and run from there by double-clicking. Then do the same for MalwareBytes.

    Do this correctly and we will make a short job of this!

    Mike
  3. giget2000

    giget2000 Newcomer, in training Topic Starter Posts: 21

    this is what happened

    These are the results of my Malwarebytes program:
  4. giget2000

    giget2000 Newcomer, in training Topic Starter Posts: 21

    hijack results

    deleted message
  5. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OK repeat the run with mbam until it cleans all or finds something it can not clean.

    Attach the logs on each run (not posted in thread).

    Then do the same with SAS!

    Mike
  6. giget2000

    giget2000 Newcomer, in training Topic Starter Posts: 21

    deleted message
  7. mflynn

    mflynn Newcomer, in training Posts: 2,793

    The last was a partial HJT.

    Do not post in thread! ATTACH ATTACH ATTACH!:D

    Now attach the full HJT log and continue with my last post.

    Mike
  8. giget2000

    giget2000 Newcomer, in training Topic Starter Posts: 21

    sorry

    i was having trouble attaching but i figured it out


    what do i do next?

  9. giget2000

    giget2000 Newcomer, in training Topic Starter Posts: 21

    more log results

    here are the malware log results
  10. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OK good now!

    Run mbam again until it comes up clean. Attach log each run.

    Then do same for SAS.

    Mike
  11. giget2000

    giget2000 Newcomer, in training Topic Starter Posts: 21

    getting better

    the latest malware run says 0 problems,

    the SAS is still running and it says that there are 3 adware, tracing cookies thus far.

    I check my bank account regularly on this computer, is it a good idea to have all my accounts changed because of this or am I overreacting?
  12. mflynn

    mflynn Newcomer, in training Posts: 2,793

    To be honest! Yes!

    But after this cleaning, if you will run these programs (updating them first) once every 2 weeks or at the first sign of trouble or slowdown,

    It should be OK!

    After you finish the above we may do another different step.

    Mike
  13. giget2000

    giget2000 Newcomer, in training Topic Starter Posts: 21

    Results of SAS

    SAS said I had 7 adware tracing cookies the second time I ran it
  14. giget2000

    giget2000 Newcomer, in training Topic Starter Posts: 21

    SAS

    I ran SAS yet again and this time I got 9 adware tracing cookies. Are these dangerous? I can't seem to get rid of them
  15. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Hi giget

    No not so dangerous.

    But attach the log, then move on to HJT please. Attach the log for HJT after running it.

    Mike
  16. Villon

    Villon Newcomer, in training

    Download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

    * DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

    Reboot the computer.

    Create a new folder on the desktop and name it HiJackThis
    Then download HiJackThis v.2.0.2 to this new folder.
    Run a Full System Scan with HiJackThis and save the log.
    Post back here with both the MBA-M log and the HiJackThis log.
  17. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Mbam has already been run 3 times and SAS twice, HJT more than once????

    Mike
  18. giget2000

    giget2000 Newcomer, in training Topic Starter Posts: 21

    Tests

    this is the latest hijack run
  19. giget2000

    giget2000 Newcomer, in training Topic Starter Posts: 21

    I only ran mbam twice because it came up with 0 problems.

    SAS was done three times: the first time had a lot of tracing cookies, the second time had 7 and the third time said I had 9 tracing cookies.
  20. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Hi giget

    HJT Scan only. Select for removal all the below.

    Note most of these are pointing to legit Windows files as missing, which is a concern; I will have to address this before we finish.

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    OK, what about Norton/Symantec? You had it, and uninstalled? Now use AVG!
    I will address this after your answer.

    Then Reboot open no Apps post another HJT I need to see if these clear.

    Mike
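    The O23 lines in the post above are HijackThis service entries. As an added example (not code from the thread or from HijackThis), the Python below parses O2/O23 lines and buckets the "(file missing)" service entries for verification before anything is fixed. The sample log is constructed, and the triage heuristic assumes the scanner ran as a 32-bit process on 64-bit Windows (inferred from the "Program Files (x86)" path), where WOW64 file-system redirection makes System32 binaries appear absent to it.

```python
import re

# Constructed sample in HijackThis log format; the first four lines mirror entry
# types seen in the thread, the AVG line is an invented "file present" control.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) \((?P<svc>[^)]+)\) - (?P<owner>.*?) - (?P<path>.*)$")
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)  # directory WOW64 redirects

def parse_line(line):
    """Return a dict for an O2 (BHO) or O23 (service) line, else None."""
    m = O23_RE.match(line)
    if m:
        path, missing = m["path"], m["path"].endswith("(file missing)")
        if missing:
            path = path[: -len("(file missing)")].rstrip()
        return {"kind": "O23", "name": m["svc"], "path": path, "file_missing": missing}
    m = O2_RE.match(line)
    if m:
        return {"kind": "O2", "name": m["clsid"], "path": m["path"],
                "file_missing": m["path"] == "(no file)"}
    return None

def parse_log(text):
    return [e for e in map(parse_line, text.strip().splitlines()) if e]

def triage(entries):
    """Bucket entries so core-service 'file missing' reports get verified, not fixed blindly.
    Heuristic (assumption): a 'Program Files (x86)' path means a 64-bit OS; a 32-bit scanner
    there has System32 redirected to SysWOW64, so System32 binaries look absent to it."""
    is_x64 = any("program files (x86)" in e["path"].lower() for e in entries)
    report = {"orphan_bho": [], "verify_before_removal": [], "reported_missing": [], "present": []}
    for e in entries:
        if e["kind"] == "O2":
            bucket = "orphan_bho" if e["file_missing"] else "present"
        elif not e["file_missing"]:
            bucket = "present"
        elif is_x64 and SYSTEM32.match(e["path"]):
            bucket = "verify_before_removal"
        else:
            bucket = "reported_missing"
        report[bucket].append(e["name"])
    return report

if __name__ == "__main__":
    for bucket, names in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{bucket:22s} {', '.join(names) or '-'}")
```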
  21. giget2000

    giget2000 Newcomer, in training Topic Starter Posts: 21

    sorry I am not that computer literate. I had Norton antivirus on my computer when I bought it (came with a 30 day trial), then I uninstalled it because I wasn't going to renew the license. I use AVG but it doesn't "fix" anything, it just seems to tell me I have problems.

    Do you want me to click the items you listed above and delete them through hijack?
  22. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Yes clear them all, then reboot and without running anything else run HJT clear them post a new HJT log.

    So as usual Norton did not completely uninstall but we will handle that before we close the thread.

    Please don't drop out on me until we are through and I tell you we are finished.

    You are doing fantastical.

    Mike
  23. mike171271

    mike171271 Newcomer, in training Posts: 34

    Superantispywarekiller (Free ed), Spybot, malwarebytes (free), combofix and avg free.
    Run in this order. I do it 6 times a day on customers' machines and it never fails. hijackthis never hurts. Combofix is a monster, that program has saved me so many times..
  24. giget2000

    giget2000 Newcomer, in training Topic Starter Posts: 21

    latest hijack

    i fixed the ones you posted and here is the latest hijack run.
  25. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Are you sure you did it right?

    All are still there! These are not related to Malware itself but may be from damage caused by them. As soon as I am sure we are clean we will fix these issues.

    Run HJT Scan only select by checking boxes of these items and then below Fix Checked and ok to remove the items.

    Reboot before continuing below and run nothing but HJT and post another log.

    It looks like we have most of the Malware but do the below.

    ComboFix

    NOTE: If you have had ComboFix more than a few days old delete and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click combofix's window while it's running. That may cause it to stall.

    Mike