Critical System Errors! From virusburster

Status
Not open for further replies.
Hi there and thank you ahead of time for any help.
The moment I realized I caught this little bug I knew I had trouble, and shortly after I found this site and its very explicit tut on how to get rid of trojans. After going through each step it seemed to work, especially since none of its .exes were in the process tab of the task manager and didn’t –seem- to be in my HJT log.

I’m not getting any of the pop-ups that I was getting before, but it is still in the task tray next to the clock. Which is why I’m posting this message, I’m trying to get rid of that last reminder of it.

A couple of things to note: Before I found this site I did try uninstalling it, which did remove its folder from the \Programs Files\ and from the add/remove programs list but of course didn’t do anything else. Also while going through the steps SmitFraudFix did say it got rid of it, but while I was in Safe Mode the process was still running in the task tray.

Anyway here are the logs and thank you for any help.
 

Hi and Welcome to Techspot!! :)

You have the Trojan.Win32.FTP. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data.

Please go HERE and follow the instructions exactly.

Then post fresh HJT and AVG antispyware logs.

Regards :wave:
 
Those are the steps I followed the best I could.

Before going to Safe Mode SmitFraudFix saw that I had virusburster and when I went to Safe Mode virusburster was still running, I ran and cleaned using SmitFraudFix. SmitFraudFix said it got rid of it and since then, Safe Mode or not, it, SFF, has not noticed virusburster was still on my machine.

I will redo the process, I just don't know what step I missed to still have it on my machine that would be able to complete it this time.

However thanks for the reply.
 
Hello and welcome to Techspot.

Download the Pocket Killbox programme from HERE. Extract it but don`t run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

Remind_XP.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe

O21 - SSODL: detachments - {01d8d081-0f76-4ab5-b5e4-9b23a709670e} - C:\WINDOWS\system32\sacskza.dll

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\WINDOWS\Creator <- Delete the entire folder.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn`t automatically restart, restart it manually.

This is the filepath you need to enter into killbox.

C:\WINDOWS\system32\sacskza.dll

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post a fresh HJT and an AVG Antispyware log. Let me know how your system is running.

Regards Howard :wave: :wave:

This thread is for the use of cthul only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
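
The HijackThis entries listed in the post above follow a fixed `section - type: details` layout. As an added example (not part of the original post and not HijackThis's own code), this Python sketch parses such lines, notes entries whose target file is missing, and collects the file paths worth re-checking on disk after cleanup; the `ExampleApp` line and the note wording are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the four entries quoted in the post above, plus one
# made-up ordinary autostart line (ExampleApp) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O21 - SSODL: detachments - {01d8d081-0f76-4ab5-b5e4-9b23a709670e} - C:\WINDOWS\system32\sacskza.dll
O4 - HKLM\..\Run: [ExampleApp] "C:\Program Files\ExampleApp\example.exe" /tray
"""

ENTRY = re.compile(r"^(?P<section>[OFRN]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll)', re.IGNORECASE)

@dataclass
class Entry:
    section: str          # e.g. "O4"
    kind: str             # e.g. "BHO" or the Run key name
    clsid: Optional[str]  # upper-cased so entries compare consistently
    path: Optional[str]   # file the entry points at, if any
    notes: list

def parse_line(line):
    """Parse one log line; return None for headers and blank lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    clsid, path, notes = CLSID.search(rest), PATH.search(rest), []
    if "(no file)" in rest:
        notes.append("orphaned: target file missing")
    if "(no name)" in rest:
        notes.append("unnamed component")
    return Entry(m["section"], m["kind"],
                 clsid.group().upper() if clsid else None,
                 path.group() if path else None, notes)

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def files_to_verify(entries):
    """Paths referenced by entries, to confirm present or gone after cleanup."""
    return sorted({e.path for e in entries if e.path})

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(e.section, e.kind, e.clsid, e.path, e.notes)
```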
 
Wow, thanks a lot man! That got rid of it!!

I've included the fresh HJT log for your review and there was nothing to report by AVG anti-spyware.

I do have a few questions though.
1) Being that none of the programs detected virusburster after SmitFraudFix got rid of some of the programs, how can I be sure I don’t have any other trojans and
2) Why in the world would the writer of the trojan I just got rid of (thanks to your help) have left the reminder on my task tray instead of just hiding the program so that it could run secretly?

One last question just out of curiosity, is it possible to write a program that can actually trace the location from where the attacker is remote controlling my computer? I mean if the trojan is sending this attacker my information that information is going somewhere and is there a way to find out where it is going?

Again thank you for all the support and help, this has been the best site I’ve ever come across!!
 
Your HJT log is clean.

The reason there was an icon in your system tray, is to entice you to click on it. It would then connect to wherever and download even more crap onto your system.

I can see no evidence of any other trojans on your system. If all scans come up clean, it`s safe to assume your system is clean.

As for tracing the location of an attacker, I don`t know of any way to accurately achieve that. Even if you could, I don`t know what good it`d do.

The best way is not to get infected in the first place. Maybe you`d like to take a look at this thread HERE. It`ll show you how to keep your system more secure.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)
