TechSpot

virus/trojan problem

By Eslavs
Nov 24, 2006
  1. I must have picked something up on my laptop -I have a red circle with a white exclamation point in my windows toolbar. Plus, every so often, it seems my system process 'explorer.exe' goes nuts, running at 50% of my processor. The red circle warning looks very similar to the one that pops up with the spysherriff bug. It presented on Wed. evening, I ran ewido, adaware, and trojanhunter. It went away, and just now popped back up again.

    Attached is my HijackThis log.

    As a side note/question, I do have a system restore point prior to when I believe I got the bug. Would restoring to that point (the day before) solve my problem?

    Much Thanks!
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    You have some rather nasty infections on your system.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


    Regards Howard :wave: :wave:


    This thread is for the use of Eslavs only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. Eslavs

    Eslavs TS Rookie Topic Starter Posts: 28

    avg anti-virus can't update

    I continually try to update avg antivirus, it keeps telling me it can't connect to the internet. after allowing it via my firewall, it keeps kicking it out. Any ideas? Can I download updates directly from the site? If so, where do they go?

    E
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Take a look HERE for instructions on how to do a manual update.

    Regards Howard :)

    This thread is for the use of Eslavs only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. Eslavs

    Eslavs TS Rookie Topic Starter Posts: 28

    Followed all instructions. Ran Spybot SD a few times and the Smitfraud C Toolbar888 was there after fixing it each time. After running my HJT in normal mode, i uninstalled it from my control panel (we'll see). Here are my HJT and AVGspyware logs.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the Pocket Killbox programme from HERE. Extract it but don`t run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    Uninstall.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\kchrwyut.dll

    O2 - BHO: (no name) - {16448A02-C260-40B5-B0EE-F7E60EFB724C} - (no file)

    O20 - Winlogon Notify: pmkhf - C:\WINDOWS\system32\pmkhf.dll (file missing)

    O20 - Winlogon Notify: winrnt32 - C:\WINDOWS\SYSTEM32\winrnt32.dll

    Click on the fix checked button.

    Close HJT.

    Run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and check the delete file on reboot button. press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn`t automatically restart, restart it manually.

    These are the filepaths you need to enter into killbox.

    C:\WINDOWS\SYSTEM32\winrnt32.dll
    C:\WINDOWS\system32\kchrwyut.dll
    C:\Program Files\Common Files\{38F59401-06C1-1033-0815-060426060001}\Uninstall.exe
    C:\Program Files\Common Files\{38F59401-06C1-1033-0815-060426060001}\system.dll

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

    This thread is for the use of Eslavs only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. Eslavs

    Eslavs TS Rookie Topic Starter Posts: 28

    Howard:

    Followed your instructions. Here is my latest HJT log.

    Only think I still notice is that my IE homepage is still set to msn.com, and any attempt to change it is fruitless. I hardly ever use IE anyhow, but it's the only thing I still notice.

    Thanks,
    Eric

    In addition, after running spybot once again, the smitfraud-c.toolbarr888 is still showing. However, it's not in my add/remove programs any longer. That's the only other thing I have noticed.
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    Have HJT fix the following inactive entry.

    O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)

    The home page issue might be solved by taking a look at this thread HERE. Particularly post #35.

    Regards Howard :)

    This thread is for the use of Eslavs only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  9. Eslavs

    Eslavs TS Rookie Topic Starter Posts: 28

    Howard:

    Fixed that last entry. Other than that, everything seems to be ok. I downloaded IE7 and tried to fix the homepage problem, but I'm having issues getting IE7 to connect. My other browser (opera) is connecting fine. I'm running ZoneAlarm, and may have denied access, I'm not 100% sure.

    Thanks for your help with the virus/trojan problem. I greatly appreciate your prompt responses and will post again if I ever have any other troubles.

    Much thanks,
    Eric
     
  10. Eslavs

    Eslavs TS Rookie Topic Starter Posts: 28

    Howard:

    Out of curiosity, I ran a sweep on my desktop as well. Followed the previous instructions in safe mode. Attached is my HJT log after running all the previously mentioned programs.

    Thanks,
    Eric
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    Fix all O1 - Hosts entries no matter what they are.

    O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll

    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS

    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)

    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)

    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.sarasotamls.com/XMLSearch/XMLCache.CAB

    O17 - HKLM\System\CCS\Services\Tcpip\..\{E153A414-B539-4E9F-9838-5728B634BF20}: NameServer = 68.87.74.162,68.87.68.162<Only fix this if it doesn`t belong to your ISP.

    Fix all O18 - Protocol entries.

    Click on the fix checked button.

    Close HJT and reboot your computer.

    Post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of Eslavs only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  12. Eslavs

    Eslavs TS Rookie Topic Starter Posts: 28

    Here is my latest HJT log after removing everything you suggested.

    Once again, thank you for all your help!

    Eric
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is now clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of Eslavs only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...