Trojan Virus
- Thread starter remlapm
- Start date
- Status
howard_hopkinso
Posts: 21,238 +17
Hello and welcome to Techspot.
Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.
If after reading the above you decide you want to clean your system, do the following.
Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.
Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.
Regards Howard :wave: :wave:
This thread is for the use of remlapm only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.
If after reading the above you decide you want to clean your system, do the following.
Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.
Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.
Regards Howard :wave: :wave:
This thread is for the use of remlapm only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
I completed the on line scan and it found quite a bit and said to run the scan again so I did. While it was doing the second scan IE errored out so I restarted my computer and ran the on line scan again. It said that my drive was clean. When I went to run HJT a wierd thing happend. As soon as my mouse went over the executable the screen goes blank and then the desktop comes back. I tried running it from the start/run line and HJT started, but before it can write a log file it ends. I can run HJT from safe mode. Will this give you the information in the log that you need?
I renamed hijackthis to anylise and ran it from the shortcut I created on the desktop. It took a couple of times to get it to run long enough to create a log file but it finally did. This thing seems to be getting smarter and smarter as it goes.
I renamed hijackthis to anylise and ran it from the shortcut I created on the desktop. It took a couple of times to get it to run long enough to create a log file but it finally did. This thing seems to be getting smarter and smarter as it goes.
howard_hopkinso
Posts: 21,238 +17
You have not posted an AVG Antispyware log as requested. Please do so in your next reply.
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.
Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.
In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.
Go to add remove programmes in your control panel and uninstall anything to do with(if there).
SpywareBot
POPUPR~1
??stem
Close control panel.
Click start/run and type services.msc into the run box and press the enter key.
When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.
COM+ Messages
Close the services window.
Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.
Click on the processes tab and end process for(if there).
svchosts.exe<Not to be confused with svchost.exe which is a legit file.
SpywareBot.exe
Update.exe
Close task manager.
Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).
R3 - URLSearchHook: (no name) - {0033B619-08D0-5824-DC7C-7F129746E193} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\kdrzfmucjf\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\kdrzfmucjf\winlogon.exe
Fix all O1 - Hosts: entries.
O3 - Toolbar: Popup Killer - {2D58DD23-2759-4C7B-9351-D68AF7D0D868} - C:\PROGRA~1\POPUPR~1\popup.dll
O4 - HKLM\..\Run: [{F8D7ECA6-063C-1033-0821-060320200001}] "C:\Program Files\Common Files\{F8D7ECA6-063C-1033-0821-060320200001}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [spywarebot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [Ovrt] C:\Program Files\??stem\explorer.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)
Click on the fix checked button.
Close HJT.
Locate and delete the following bold files and/or directories(if there).
C:\WINDOWS\system32\svchosts.exe<Not to be confused with svchost.exe.
C:\Program Files\??stem<Delete the entire folder.
C:\Program Files\SpywareBot<Delete the entire folder.
C:\Program Files\Common Files\{F8D7ECA6-063C-1033-0821-060320200001}\Update.exe
C:\PROGRA~1\POPUPR~1<Delete the entire folder.
Reboot into normal mode and rehide your protected OS files.
Post fresh HJT and AVG Antispyware logs.
Regards Howard
This thread is for the use of remlapm only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.
Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.
In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.
Go to add remove programmes in your control panel and uninstall anything to do with(if there).
SpywareBot
POPUPR~1
??stem
Close control panel.
Click start/run and type services.msc into the run box and press the enter key.
When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.
COM+ Messages
Close the services window.
Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.
Click on the processes tab and end process for(if there).
svchosts.exe<Not to be confused with svchost.exe which is a legit file.
SpywareBot.exe
Update.exe
Close task manager.
Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).
R3 - URLSearchHook: (no name) - {0033B619-08D0-5824-DC7C-7F129746E193} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\kdrzfmucjf\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\kdrzfmucjf\winlogon.exe
Fix all O1 - Hosts: entries.
O3 - Toolbar: Popup Killer - {2D58DD23-2759-4C7B-9351-D68AF7D0D868} - C:\PROGRA~1\POPUPR~1\popup.dll
O4 - HKLM\..\Run: [{F8D7ECA6-063C-1033-0821-060320200001}] "C:\Program Files\Common Files\{F8D7ECA6-063C-1033-0821-060320200001}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [spywarebot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [Ovrt] C:\Program Files\??stem\explorer.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)
Click on the fix checked button.
Close HJT.
Locate and delete the following bold files and/or directories(if there).
C:\WINDOWS\system32\svchosts.exe<Not to be confused with svchost.exe.
C:\Program Files\??stem<Delete the entire folder.
C:\Program Files\SpywareBot<Delete the entire folder.
C:\Program Files\Common Files\{F8D7ECA6-063C-1033-0821-060320200001}\Update.exe
C:\PROGRA~1\POPUPR~1<Delete the entire folder.
Reboot into normal mode and rehide your protected OS files.
Post fresh HJT and AVG Antispyware logs.
Regards Howard
This thread is for the use of remlapm only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
Thank-you for you help. I have attached the latest HJT log file and I think the latest AVG Log file, but I am not sure about the AVG Log file. This is a history log file. I don't know if that is the one you want or not.
By following your last message it seems to have fixed my problems. I really appreciate your help. Please let me know if I need to do anything else.
I was just wondering why you had me remove Spybot? Is it a bad spyware removal program?
By following your last message it seems to have fixed my problems. I really appreciate your help. Please let me know if I need to do anything else.
I was just wondering why you had me remove Spybot? Is it a bad spyware removal program?
howard_hopkinso
Posts: 21,238 +17
Your HJT log is now clean. Unfortunately, the History .txt log is not what I meant by an AVG Antispyware log.
Instructions for downloading, installing and running AVG Antispyware, can be found in this thread HERE. I would like to see an AVG Antispyware log, just in case there`s something else we need to get rid of.
I had you delete Spywarebot as it is at best a dubious programme and at worst it`s nasty. It must not be confused with Spybot Search & Destroy, which is an excellent and trustworthy programme. You will find a link to the programme in the above link.
Once I have your AVG Antispyware log, I`ll advise you further.
Regards Howard
This thread is for the use of remlapm only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
Instructions for downloading, installing and running AVG Antispyware, can be found in this thread HERE. I would like to see an AVG Antispyware log, just in case there`s something else we need to get rid of.
I had you delete Spywarebot as it is at best a dubious programme and at worst it`s nasty. It must not be confused with Spybot Search & Destroy, which is an excellent and trustworthy programme. You will find a link to the programme in the above link.
Once I have your AVG Antispyware log, I`ll advise you further.
Regards Howard
This thread is for the use of remlapm only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
howard_hopkinso
Posts: 21,238 +17
AVG free is an antivirus programme. AVG Antispyware is a antispyware programme. All you have to do is read the instructions for AVG Antispyware and Spybot Search & Destroy.
This is taken from the link I gave you.
I hope that makes it clear.
While the AVG Antispyware programme is a trial version, once the trial has ended, the programme will carry on working, minus one or two features, that`s all.
Regards Howard
This thread is for the use of remlapm only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
This is taken from the link I gave you.
I hope that makes it clear.
While the AVG Antispyware programme is a trial version, once the trial has ended, the programme will carry on working, minus one or two features, that`s all.
Regards Howard
This thread is for the use of remlapm only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
howard_hopkinso
Posts: 21,238 +17
Your HJT log is clean.
Delete all files in AVG Antispyware quarantine and you should be good to go.
Regards Howard
This thread is for the use of remlapm only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
Delete all files in AVG Antispyware quarantine and you should be good to go.
Regards Howard
This thread is for the use of remlapm only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
- Status
Similar threads
Latest posts
-
Worry your friends with this $9,420 flamethrower robot dog
- Tinderbox replied
-
Researchers have unlocked the "Holy Grail" of memory technology- DanteSmith replied
