Trojan win32 infection

Hello floodgate59

See if you can run combofix ->

Please download combofix here -> https://www.techspot.com/downloads/5587-combofix.html

Before saving it to the Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning. Do not worry; this is normal and they will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post.

NB. If you can't run it from normal mode, do it from safe mode.
 
Combofix log post

Here is the combofix log.

It asked me to disable antivirus and anti-spyware... so I uninstalled AVG. It still recognized the program and ran anyway.

What is the next step? Thank you for the help.
 
Open Notepad and copy/paste the text in the quotebox below into it.
Name the file CFScript
and save it on the desktop.

Killall::
Snapshot::
File::
c:\users\Matthew Harreld\AppData\Roaming\Ahead\socks1.exe
c:\users\Matthew Harreld\AppData\Roaming\Crayon Physics Deluxe\lego.exe
c:\users\Matthew Harreld\AppData\Roaming\Apple Computer\nomad.exe
c:\users\Matthew Harreld\AppData\Roaming\Adobe\rengo.dll
c:\users\Matthew Harreld\AppData\Roaming\CyberLink\msgdi.dll
c:\users\Matthew Harreld\AppData\Roaming\acccore\shalom.exe
c:\users\Matthew Harreld\AppData\Roaming\Hewlett-Packard\kern.dll
Filelook::
c:\programdata\Microsoft\Windows Defender\Definition Updates\{C3C12C72-6769-4043-B252-9355AB7839DE}\mpengine.dll

http://www.fromsej.saknet.dk/billeder/cfscript.gif

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.
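The CFScript layout above, as an added example that is not from the thread or from ComboFix: a Python parser that splits a script into its directive blocks (Killall::, Snapshot::, File::, Filelook::), rejects a path that precedes any directive, and lists the File:: entries that sit under a per-user AppData\Roaming folder, where every file in the script above was dropped. The sample script is constructed; its username and GUID are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout the thread uses: a directive line ends in "::"
# and the lines after it are the paths it applies to. Username and GUID are placeholders.
SAMPLE_CFSCRIPT = r"""Killall::
Snapshot::
File::
c:\users\Example User\AppData\Roaming\Ahead\socks1.exe
c:\users\Example User\AppData\Roaming\Adobe\rengo.dll
Filelook::
c:\programdata\Microsoft\Windows Defender\Definition Updates\{PLACEHOLDER-GUID}\mpengine.dll
"""

DIRECTIVE = re.compile(r"^([A-Za-z]+)::\s*$")
# Captures <vendor> and <file> from "...\AppData\Roaming\<vendor>\<file>".
ROAMING_DROP = re.compile(r"\\AppData\\Roaming\\([^\\]+)\\([^\\]+)$", re.IGNORECASE)


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {directive: [path, ...]}, keeping directive order.
    Directives without paths (Killall::, Snapshot::) map to an empty list;
    a path before any directive means the script is malformed."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = DIRECTIVE.match(line)
        if match:
            current = match.group(1)
            blocks.setdefault(current, [])
        elif current is None:
            raise ValueError(f"path before any directive: {line!r}")
        else:
            blocks[current].append(line)
    return blocks


def roaming_drops(blocks: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """(vendor folder, filename) for every File:: path under AppData\\Roaming,
    the location of each file the thread's script removes."""
    found: List[Tuple[str, str]] = []
    for path in blocks.get("File", []):
        match = ROAMING_DROP.search(path)
        if match:
            found.append((match.group(1), match.group(2)))
    return found
```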
 
I am in a similar dilemma. I ran combofix and it did not find all of the registry items deemed 'Suspicious' by anti-spyware websites.
I have hunted down these items in RegEdit and managed to delete some, although I am left with the following keys, which will not let me remove them:

HKEY_CLASSES_ROOT\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
HKEY_LOCAL_MACHINE\software\classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
HKEY_CLASSES_ROOT\WinInetApp.WinInet
HKEY_CLASSES_ROOT\WinInetApp.WinInet.1
HKEY_CLASSES_ROOT\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844}
HKEY_CLASSES_ROOT\Typelib\{B360243E-09E8-402F-8721-00B6798089AD}
HKEY_CLASSES_ROOT\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}
HKEY_LOCAL_MACHINE\software\classes\WinInetApp.WinInet
HKEY_LOCAL_MACHINE\software\classes\WinInetApp.WinInet.1
HKEY_LOCAL_MACHINE\software\classes\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844}
HKEY_LOCAL_MACHINE\software\classes\Typelib\{B360243E-09E8-402F-8721-00B6798089AD}
HKEY_LOCAL_MACHINE\software\classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}

Is there a way I can make combofix remove these keys?
Thank you in advance.
 
Hi elliotbrady,

The instructions by touch were intended for floodgate59.

I suggest creating a new thread with your problem, so that it doesn't get confusing and the instructions can be directed at you :)
 
Thank you.

I can't thank you enough for all the help you've given me over the last several days. My PC is running 100% better now. Thank you again. I do have two final questions. On my last run of Malwarebytes, 12 files were found with malware still infecting them. Should I select "remove selected" and get them off my computer once and for all? Also... what precautions can I take to make sure I don't get this type of virus again? Thanks again for all your help!
 
It should be safe to delete the 12 files that were found with Malwarebytes.

Now that your computer problems are solved, it is time for the clean-up procedure.
You should create a new Restore Point to prevent possible reinfection from an old one.
The easiest and safest way to do this is:
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.

Please download http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe
Save it to desktop.
This will remove all the tools we used to clean your computer.
Double-click OTCleanIt.exe. Click CleanUp. Say Yes to the "Begin cleanup Process?"
When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
Please note. It will NOT remove Mbam, Ccleaner and SuperAntispyware.

To learn more about how to protect yourself while on the internet, please read Tony Klein's guide:
http://www.spywareinfoforum.com/index.php?showtopic=60955


Keep safe
 