TechSpot

Trojandownload.xs headache..need help

By recperez
Apr 3, 2008
Topic Status:
Not open for further replies.
  1. First thanks..and I do understand

    Win XP..with McAfee, AVG 7.5 and Spybot S&D resident

    The toolbar that was placed on it..I did get rid of with Spybot..
    He has placed a default screensaver..and the annoying popups with the triangle..

    Please help me get rid of it..had a worm a couple of months ago..and it cost way too much to clean it up..I could have bought a new computer...anyway, thanks

    recperez
  2. kritius

    kritius TS Guru Posts: 2,087

    The first thing that I need you to do is to download and install HijackThis:

    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.2); it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in its own folder, usually C:\Program Files\Trend Micro\HijackThis. Please don't change the directory as it is necessary to create backups.
    • After installing, the program launches automatically; select Scan now and save a log
    • After the scan is complete attach the log in your reply.
    Do not attempt to fix any item yet.
    Do not add anything to the ignore list.
    Don't use the AnalyseThis button; its findings are dangerous if misinterpreted.

    Hijackthis will give me an idea as to what nasty things there are lurking about in your system and will help the both of us get rid of them.

    If you have any problems or questions then please post back.
  3. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Hi recperez,

    Thank you for starting your own thread. I am now subscribed to this thread and will receive an email each time you reply.

    If you have the same infection as in the other thread, I don't think that it is your son's fault. We have seen 50+ infections of that malware within the last few days. My guess is that your Java Runtime is not the most current version and that the malware exploited that. Or maybe the lack of a firewall. Just a guess there; I will know more after you follow these 3 instructions. If you need help with any of them, feel free to ask me.

    Step 1
    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    Step 2
    Combofix
    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • Type "1" (and Enter) to start the fix.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool, so please do NOT do anything without instruction.

    Combofix will automatically save the log file to C:\combofix.txt

    Step 3
    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2); it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically; select Scan now and save a log
    • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.


    Attach back here using the paperclip looking icon above your reply box
    1) MBAM log
    2) Combofix log
    3) HijackThis log run after the other 2.

    This thread is for the use of recperez only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  4. recperez

    recperez TS Rookie Topic Starter

    Check the attached file..

    thanks
  5. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    As I said in my last post your Java is way out of date and you have no firewall.

    --------------------------------------------------------------------------------------------------------
    You aren't running Firewall Software. Please download and install one of these first!

    Use a Firewall - It is very important that you use a Firewall on your computer. If you use the Windows Firewall you might think that's enough but it only controls inbound traffic. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some firewalls which are free for personal use and most commonly used:
    Comodo
    Kerio
    Online Armor
    Zonealarm
    -------------------------------------------------------------------------------------------------------------

    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update Tab at the top of the Java console
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5), follow the on-screen instructions
    • After it installs the newest version, go back to Control Panel -> Add/Remove Programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions:
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install, go to Start -> Control Panel -> Add/Remove Programs (Programs and Features), and uninstall any old versions
    • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_05 folder
    -----------------------------------------------------------------------------------------------------

    Afterwards, Please follow my first post and attach the 3 requested logs.



    This thread is for the use of recperez only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  6. recperez

    recperez TS Rookie Topic Starter

    I will download the other 2 and scan, and also download the Comodo firewall.

    Thanks for being here and taking your time with me.
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    It is absolutely no problem, I know how frustrating it can be to go through this. It is time consuming, but just stay patient and things will work out.

    I would go in this order

    1) Get firewall up and running (it will be kind of annoying at first as it learns your habits and you have to OK everything, but will be less nagging once it gets to know you)

    2) Update Java Runtime
    3) MBAM
    4) Combofix
    5) Fresh HijackThis after doing the first 4 steps

    This thread is for the use of recperez only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  8. recperez

    recperez TS Rookie Topic Starter

    Okay, I have done all requested..I hope..and I think I have attached the correct ones

    And Java has been updated..and the firewall is installed.

    thanks
  9. kritius

    kritius TS Guru Posts: 2,087

    Can you redo the Malwarebytes scan and make sure it removes all that it finds? There's a lot of bad stuff in there.

    Disable Teatimer
    Please disable Teatimer as it may interfere with the fix.
    First:
    • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    • Choose Exit Spybot S&D Resident
    Second:
    • Open Spybot S&D
    • Click Mode, check Advanced Mode
    • Go To Left Panel, Click Tools, then also in left panel, click Resident
    • If your firewall raises a question, say OK
    • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    • Use File, Exit to terminate Spybot
    • Reboot your machine for the changes to take effect.
    Once your log is clean you can re-enable those settings in TeaTimer.

    COMBOFIX-Script

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:

    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



    Please download ATF Cleaner
    Make sure that all browser windows are closed.

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.



    Manually clear cache
    • Open an Explorer folder window (for example, double-click My Computer).
    • From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
    • Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.
    • IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
    • You should see a series of four or more folders with random eight-character names like ADOZMZS1. Delete each of these randomly named folders. You may get an error that some files are in use, this is normal if you are currently at a web site since those files are in the cache. Hold down the Shift key when deleting the files so they do not go to the Recycle Bin.
    • If desired, reset the folder options you changed in step 1.


    Post a fresh HijackThis log as well as the resulting Combofix log.
  10. recperez

    recperez TS Rookie Topic Starter

    Good morning...here I am again..I have done the scan with the script..

    hope your evening was well...
  11. kritius

    kritius TS Guru Posts: 2,087

    Good job,

    I would like you to do an online scan so that we can see what else may be in your system.
    Run Kaspersky online scanner
    With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
    Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
    Do not go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


    Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky; click Yes.
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      o Scan using the following Anti-Virus database:
      o Extended (If available, otherwise use standard)
      o Scan Options:
      o Scan Archives
      o Scan Mail Bases
    • Click OK
    • Under select a target to scan, select My Computer
    • The scan will take a while so be patient and let it run.
    • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As... button
    • In the Save as... prompt, select Desktop
    • In the File name box, name the file
    • In the Save as type prompt, select Text file
    • Include the report in your next post.

    Also run a fresh HijackThis scan and post it back too.

    Thanks
  12. recperez

    recperez TS Rookie Topic Starter

    ATF has been done..I will be doing the Manually clear cache
  13. kritius

    kritius TS Guru Posts: 2,087

    Good, do that and then what I mentioned above.
  14. recperez

    recperez TS Rookie Topic Starter

    On the Manually clear cache..I have a problem..when I go to Tools in IE..to view files, a temp file folder pops up..no address is available..what am I doing wrong..

    I will go ahead and run the HijackThis refresh..waiting for your response.
  15. recperez

    recperez TS Rookie Topic Starter

    Here is the HijackThis report
  16. kritius

    kritius TS Guru Posts: 2,087

    At the very top, it should say something like:
    [screenshot]

    Click on that bar and an address will come up, add \content.ie5 to the end of that.
  17. recperez

    recperez TS Rookie Topic Starter

    I don't have that when it is pulled up..it is solid..no address field.
  18. kritius

    kritius TS Guru Posts: 2,087

    Blind Dragon or I will post instructions once the Kaspersky scan is finished.
  19. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Not Internet Explorer, Windows Explorer (double-click My Computer).

    Or hold down the Windows key on your keyboard and press E at the same time ;)
  20. recperez

    recperez TS Rookie Topic Starter

    Oh okay, never done that before..thanks

    Here is the scan log from Kaspersky
  21. recperez

    recperez TS Rookie Topic Starter

    Do I need to hold off the Manually clear cache until later..or just instruct me when I need to do this..
  22. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    AVG should pick up that last infection, the rest is in quarantine and in the old restore points which we will reset after you remove this.

    AVG Anti Spyware
    • Download and install the latest version of AVG Anti Spyware
    • Click Save File on the box that pops up after clicking the link
    • The AVG installer will download to your desktop, Double click on this Icon
    • In the installer Click Next, I agree, Next, Install, after it extracts the files, check box to launch AVGAS then Finish
    • With the program launched, Select the Icon at the top that says UPDATE then Start Update in the left pane
    • Now select the Icon at the top that says SHIELD then at the top of the left pane change "Resident Shield is ..." from Active to Inactive
    • Click on the Scanner Icon at the top, then select the Settings tab; in the first section "How to act?" click on recommended actions and change it to delete. In the Reports section make sure it is set to Automatically generate report after every scan
    • Click back to the Scan tab and select Complete System Scan
  23. recperez

    recperez TS Rookie Topic Starter

    Thank you so much for everything..you guys are great...

    Two more items..please..

    1) Now when I go into some of my sites..like my Yahoo groups..I get a message popup telling me that I am not permitted...and I need a password..what do I need to do..

    and

    2) When I start my computer..my common folder is the very first thing that opens..how do I stop it..

    thanks
  24. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    The Yahoo site asking for a password is probably because we deleted your saved passwords that are normally entered automatically, as well as temp files. Select Forgot password and follow the prompts; they should send it to you, unless it is a program that is popping up telling you that.


    Please run a fresh scan with HijackThis so we can see everything that is starting up.
  25. recperez

    recperez TS Rookie Topic Starter

    Attached HijackThis log..I did not fix..just ran the scan and posted the log for you.

    The popup is coming from the system, like Windows..with a face on it...