Help with Trojan Horse IRC/Backdoor.SdBot2.KLE

Status
Not open for further replies.
That's why you need to follow the instructions above.

The O23 - Service: LSA Shel (Export Version) - Unknown owner - C:\WINDOWS\lsass.exe (file missing) entry is the main nasty worm/trojan that you have and needs to be got rid of asap.

lsass.exe when running from the C:\windows\system32 folder is perfectly legit. However, the entry in your HJT log is running from C:\windows and is a bogus file.

Regards Howard :)

This thread is for the use of felinne only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
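The lsass.exe point above (legitimate only from system32; the O23 entry points at C:\WINDOWS) is easy to check mechanically when triaging an HJT log. The following is an added example, not code from the thread or from HijackThis: it parses O23 service lines, flags core Windows process names whose image sits outside system32, and lists O17 NameServer entries so they can be compared with the ISP's DNS servers before deleting anything. The list of system32-only process names and the third, legitimate-looking svchost.exe line are assumptions constructed for the example.

```python
"""Triage a few HijackThis (HJT) log lines for the two entry types in this thread."""
import re
from pathlib import PureWindowsPath

# Core Windows processes that a normal install only runs from %SystemRoot%\system32.
# Assumed list for this example; extend it to taste.
SYSTEM32_ONLY = {"lsass.exe", "services.exe", "svchost.exe",
                 "csrss.exe", "winlogon.exe", "smss.exe"}

# Constructed sample input: the two entries quoted in this thread plus one
# constructed, legitimate-looking service line for contrast.
SAMPLE_LOG = """\
O23 - Service: LSA Shel (Export Version) - Unknown owner - C:\\WINDOWS\\lsass.exe (file missing)
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{AA8FB665-61FF-4A4F-8C36-EA9E19C41A9B}: NameServer = 216.254.95.2,216.231.41.2
O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\\WINDOWS\\system32\\svchost.exe -k netsvcs
"""

O23_RE = re.compile(r"^O23 - Service: (?P<service>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
EXE_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)


def classify_o23(line):
    """Return a finding dict for an O23 line, or None if the line is not O23."""
    m = O23_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    file_missing = cmd.endswith("(file missing)")
    exe_match = EXE_RE.search(cmd)
    if not exe_match:
        # A service whose image path cannot even be parsed deserves a manual look.
        return {"type": "O23", "service": m.group("service"), "image": None,
                "file_missing": file_missing, "suspicious": True,
                "reasons": ["no parseable image path"]}
    exe = PureWindowsPath(exe_match.group(0))
    # Directory components, lower-cased and without the drive root, e.g. ['windows', 'system32'].
    parent = [p.lower() for p in exe.parts[1:-1]]
    in_system32 = parent[-2:] == ["windows", "system32"]
    masquerade = exe.name.lower() in SYSTEM32_ONLY and not in_system32
    reasons = []
    if masquerade:
        reasons.append(f"{exe.name} outside system32")
    if file_missing:
        reasons.append("file missing")
    return {"type": "O23", "service": m.group("service"), "image": str(exe),
            "file_missing": file_missing, "suspicious": masquerade, "reasons": reasons}


def nameservers_o17(line):
    """Return the DNS servers listed in an O17 NameServer line, or None if not O17."""
    m = O17_RE.match(line)
    if not m:
        return None
    return {"type": "O17", "key": m.group("key"),
            "servers": [s.strip() for s in m.group("servers").split(",")]}


def triage(log_text):
    """Walk the log and collect findings for O23 and O17 entries, in order."""
    findings = []
    for line in log_text.splitlines():
        finding = classify_o23(line) or nameservers_o17(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        if f["type"] == "O23":
            flag = "SUSPICIOUS" if f["suspicious"] else "ok"
            print(f"O23 {flag}: {f['service']} -> {f['image']} {f['reasons']}")
        else:
            print(f"O17 verify with ISP before removing: {', '.join(f['servers'])}")
```

Run it against a saved HJT log instead of SAMPLE_LOG to get the same two classes of output: O23 lines where a system32-only name runs from elsewhere are marked SUSPICIOUS, while O17 lines are only listed, because a NameServer entry can be either hijacked DNS or the ISP's own servers and, as the thread shows, deleting a legitimate one cuts off Internet access.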
 
Hi:

Just got done with your instructions and will post a new HJT log in a sec. I'm assuming that the new one should be one I run in NORMAL mode.

Also, wasn't sure whether this belonged to my ISP. So, I deleted anyway.

O17 - HKLM\System\CCS\Services\Tcpip\..\{AA8FB665-61FF-4A4F-8C36-EA9E19C41A9B}: NameServer = 216.254.95.2,216.231.41.2

Lastly, should I delete what was quarantined in AVG Anti-spyware from last nite?
 
I'm assuming that the new one should be one I run in NORMAL mode.

Yes.

should I delete what was quarantined in AVG Anti-spyware from last nite?

Yes.

Regards Howard :)

 
Haha,

Okay, I guess I shouldn't have deleted that O17 after all, cuz now I don't have internet access on that computer.

Also, I disabled LSA Shel in the services menu. But, didn't find lsass.exe anywhere in the Windows folder.

Now I have to repunch in the IP instructions from my provider...(hope that's not going to bring back that virus). I'm so paranoid.

Okay back on the Internet. Going to run another HJT log and post it in a sec.
 
Here's what you need to do. Run HJT and click on the config button, followed by the backups button. Place a tick in the little box next to the O17 entry in the list and click the restore button. Reboot your computer and follow the rest of the instructions.

Post a fresh HJT log when done.

Regards Howard :)

 
I'm connected again (punched in the IP instructions) and just ran the HJT log (attached below). If you want me to redo the final few steps with your last instructions, let me know.

Thank you!

Okay, confused a bit. Just opened AVG Anti-spyware to delete the quarantined files from last night. It shows 0 files quarantined?! Should I make the Shield function active now?
 
Your HJT log is now clean.

If you have any further virus/spyware problems, please post in this thread.

Don't worry about AVG Antispyware and no, don't activate the active shield, it's not necessary and just uses system resources. Just update and scan with AVG Antispyware once every week or two.

Regards Howard :)

 
Yay! My God that was something. Btw, if I'm willing to pay for good virus/spyware protection what would you recommend? Or, does it really make no difference?

Thank you so much for your help.
 
The best antivirus programme is Kaspersky and has been at the top of most antivirus lists for some time.

However, if you're careful in your browsing habits, you shouldn't actually get any viruses etc.

Take a look at this thread HERE. It will show you how to keep your system more secure.

Regards Howard :)

 