TechSpot

Trojans, etc >< Need your Help. Log Files attached.

By Fidelus28
Dec 19, 2006
Topic Status:
Not open for further replies.
  1. Hey,
    As in the title, I have been infected.
    I really need to get rid of this! I've run Adaware and each time something different pops up. But always the Win32.Downloader trojan.
    I've run Vundo Fix and it picked up on three files and got rid of them.
    I've also run Etrust. But that doesn't seem to pick up on it. The only time Etrust mentions anything about trojans is with the realtime monitor, which is unusual I reckon.

    There is a little bubble - SystemAlert! that keeps on popping up, and it installed Antivermins which I promptly uninstalled. Though I'm sure remnants of it are still lurking around.
    I also ran through my program list and uninstalled a few things, Bar88 or something amongst them. I got rid of the ones I didn't know or haven't ever seen before. Nevertheless, I think it messed up my system more.

    Anyways, logs I will post in a new post...

    I know the ishost.exe file is evil and have tried deleting it but it won't go. Same as a few others.
    Also, when my laptop loads up I get these two errors:

    ipwins.exe - Unable to locate Components
    This application has failed to start because Services.dll was not found. Re-installing this..

    RUNDLL
    Error loading C:\WINDOWS\system32\drvvuz.dll
    The specified module could not be found.


    Um - yer that's about it. I'm basically a Newbie at this stuff so any help would be greatly appreciated.
    I leave my precious laptop in your hands!

    -Fids
  2. Rik

    Rik Banned Posts: 4,985

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as ATTACHMENTS into this thread, only after doing the above.


    This thread is for the use of Fidelus28 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  3. Fidelus28

    Fidelus28 TS Rookie Topic Starter Posts: 17

    Thanks

    Thank you for your reply.
    Sorry, I should have read through that first.

    I'm doing those steps now and will post back A.S.A.P

    Thanks.
  4. Fidelus28

    Fidelus28 TS Rookie Topic Starter Posts: 17

    Logs

    Okay,
    I followed the instructions on that thread...
    Except for the Online scan as my internet is rather slow. Hopefully, it can be done without.

    Anyway,
    They're attached as requested. I hope you can help.

    P.S. Good news - after following those instructions the SystemAlert! window disappeared. However, my system has slowed drastically at startup and Etrust still picks up trojans in realtime.
  5. Rik

    Rik Banned Posts: 4,985

    Run AVG antispyware again and get it to quarantine everything, that should help.
    Post a new HJT after having done the above so we can see how many of all those nasties are left.


  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore.(XP/ME only) See how HERE.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    Give4Free Plugin
    ipwins

    Close control panel.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    COM+ Messages

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    ipwins.exe
    Update.exe
    svchosts.exe < Note the extra S on the end. The genuine file is svchost.exe.

    Close task manager.



    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O2 - BHO: Give4Free Plugin Installer - {208E7E77-507A-4649-B0C9-D39E9049C7A2} - C:\Program Files\Give4Free Plugin\ibho.dll

    O2 - BHO: (no name) - {31BCC6C3-399E-4CBB-B715-2529384CEF9B} - (no file)

    O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - (no file)

    O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3CF30~1\Bar888.dll (file missing)

    O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3CF30~1\Bar888.dll (file missing)

    O4 - HKLM\..\Run: [{4CF30250-07CA-1033-0329-05030305003d}] "C:\Program Files\Common Files\{4CF30250-07CA-1033-0329-05030305003d}\Update.exe" mc-110-12-0000272

    O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe

    O4 - HKLM\..\Run: [{4CF30250-07CB-1033-0329-05030305003d}] "C:\Program Files\Common Files\{4CF30250-07CB-1033-0329-05030305003d}\Update.exe" mc-110-12-0000272

    O4 - HKLM\..\Run: [{4CF30250-025C-1033-0329-05030305003d}] "C:\Program Files\Common Files\{4CF30250-025C-1033-0329-05030305003d}\Update.exe" mc-110-12-0000272

    O9 - Extra button: FreshDownload - {3CA893AC-89F0-4832-B8BF-3B0C48BFE3CD} - C:\Program Files\FreshDevices\FreshDownload\fd.exe

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O17 - HKLM\System\CCS\Services\Tcpip\..\{084955FB-313F-46FF-8CF7-A7A8D2D7DA50}: NameServer = 203.8.183.1 192.189.54.33

    O17 - HKLM\System\CS1\Services\Tcpip\..\{084955FB-313F-46FF-8CF7-A7A8D2D7DA50}: NameServer = 203.8.183.1 192.189.54.33

    Only fix the above 017 entries if they don`t belong to your ISP.

    O20 - Winlogon Notify: winhab32 - winhab32.dll (file missing)

    O20 - Winlogon Notify: winwea32 - winwea32.dll (file missing)

    O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\WINDOWS\system32\svchosts.exe < Make sure you only delete this file and not svchost.exe.

    C:\Program Files\Common Files\{4CF30250-025C-1033-0329-05030305003d}\Update.exe" mc-110-12-0000272

    C:\Program Files\Common Files\{4CF30250-07CB-1033-0329-05030305003d}\Update.exe" mc-110-12-0000272

    C:\Program Files\ipwins < Delete the entire folder.

    C:\Program Files\Common Files\{4CF30250-07CA-1033-0329-05030305003d}\Update.exe" mc-110-12-0000272

    C:\PROGRA~1\COMMON~1\{3CF30~1\Bar888.dll

    C:\Program Files\Give4Free Plugin < Delete the entire folder.

    Reboot into normal mode, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :wave: :wave:

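As an added example (not from the thread or any of its participants), a small Python triage script that applies the checks Howard used above to HJT-style log lines: orphaned entries marked (no file) or (file missing), Run keys named by a bare GUID, O17 NameServer overrides that must be checked against the ISP, and one-character lookalikes of genuine Windows binaries such as svchosts.exe. The sample lines are entries quoted in the post plus one constructed benign service line; the lookalike list and the GUID rule are assumptions of this example.

```python
import re

# Constructed sample: the entries Howard listed above, plus one benign O23 line
# (constructed) to show that the genuine svchost.exe is not flagged.
SAMPLE_LOG = r"""O2 - BHO: Give4Free Plugin Installer - {208E7E77-507A-4649-B0C9-D39E9049C7A2} - C:\Program Files\Give4Free Plugin\ibho.dll
O2 - BHO: (no name) - {31BCC6C3-399E-4CBB-B715-2529384CEF9B} - (no file)
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [{4CF30250-07CA-1033-0329-05030305003d}] "C:\Program Files\Common Files\{4CF30250-07CA-1033-0329-05030305003d}\Update.exe" mc-110-12-0000272
O17 - HKLM\System\CCS\Services\Tcpip\..\{084955FB-313F-46FF-8CF7-A7A8D2D7DA50}: NameServer = 203.8.183.1 192.189.54.33
O20 - Winlogon Notify: winhab32 - winhab32.dll (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Constructed benign entry - Unknown owner - C:\WINDOWS\system32\svchost.exe -k netsvcs
"""

# Genuine Windows binaries that malware imitates by changing a single character (assumed list).
GENUINE_NAMES = ("svchost.exe", "explorer.exe", "winlogon.exe")
EXE_RE = re.compile(r"([A-Za-z0-9_~.-]+\.(?:exe|dll))", re.IGNORECASE)
GUID_KEY_RE = re.compile(r"\[\{[0-9A-Fa-f-]{36}\}\]")


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(line):
    """Return the reasons one HJT line deserves attention (empty list = nothing found)."""
    reasons = []
    kind = line.split(" - ", 1)[0].strip()          # O2, O4, O17, O20, O23, ...
    if "(no file)" in line or "(file missing)" in line:
        reasons.append("orphaned entry: a registered component with no file on disk")
    if kind == "O4" and GUID_KEY_RE.search(line):
        reasons.append("Run key named by a bare GUID")
    if kind == "O17":
        reasons.append("NameServer override: confirm these addresses belong to your ISP")
    for name in EXE_RE.findall(line):                # every .exe/.dll basename on the line
        for genuine in GENUINE_NAMES:
            if name.lower() != genuine and edit_distance(name.lower(), genuine) == 1:
                reasons.append(f"lookalike name {name} (genuine file is {genuine})")
    return reasons


def triage_log(text):
    """Map every non-empty log line to its list of reasons."""
    return {line: triage(line) for line in text.splitlines() if line.strip()}
```

Note that the Give4Free BHO and the IpWins Run entry pass these heuristics untouched: they were identified in the thread by name, which is why a helper's knowledge of the specific programs still matters.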
  7. Fidelus28

    Fidelus28 TS Rookie Topic Starter Posts: 17

    Instructions Complete

    Okay,
    I've done Rik's instructions and put them as the log file "HJT After AVG Scan + Quarantine"

    And then,
    I've done Howard_Hopkinso's instructions and put them as the log file "HJT After Second Set of Instructions"

    Hope this helps!
    Thanks for your help so far - it has been really helpful. ^^
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Well done, your HJT log is now clean.

    Please will you post the fresh AVG Antispyware log as it doesn't seem to be in with your other HJT log.

    Tell me how your system is running.

    Regards Howard :)

  9. Fidelus28

    Fidelus28 TS Rookie Topic Starter Posts: 17

    AVG Log + More

    Hey,

    I've attached the fresh AVG log (which is clean :) ) I also scanned my laptop with Adaware, CC Cleaner and Spybot just to doubly check. They were all clean except for Spybot which picked up on a product called MaxFiles. In the description it says that it's basically ipwins. There was only one entry and I fixed that promptly, though I'm worried it may pop up again. Should it be gone now?

    The laptop is running much better - so THANK YOU very much! I didn't expect to get that much help so quickly.
    I was actually wondering whether the people who reply to these threads are professional graduates or just really experienced people? Is it possible for someone like me to learn more about the nasty things that jump onto computers and eventually help people in threads like this?

    Once again, thank you so much. I assume it's safe to go back to internet banking and so on?

    ^^ Thanks,
    -Fids.
  10. Rik

    Rik Banned Posts: 4,985

    I'm glad to hear your system is working well.:)

    Both myself and Howard are enthusiasts and not professionals.

    Howard is the real boffin when it comes to spyware removal and I am in the process of learning from him.

    If you should have any more problems then post in this thread and we will be glad to help.:)


  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    As far as I can tell, your system is clean. Therefore, I think you're good to go.

    Regards Howard :)
