Inactive Need help with removing trojan horse

Neither file is good.
Attached is zipped qmgr.dll file from my XP.
Unzip it and place qmgr.dll file into root C:\ folder (be sure of it).

Now....


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
FCopy::
c:\qmgr.dll | c:\windows\system32\qmgr.dll
c:\qmgr.dll | c:\windows\ERDNT\cache\qmgr.dll


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 

Attachments

  • qmgr.zip
    179.1 KB · Views: 2
I guess it worked. Windows gave me warnings that the file was unknown and could make the system unstable and asked me to insert the windows install CD to get the file back :s . What was different from the previous times I ran combofix is that this time I didn't get any damaged files showing up. But I still think this is not yet over, I'll try things out now and hope that there won't be any freezes anymore... Anyway, here is the log.
Btw: Combofix shows that some system files aren't there where they should be:
c:\windows\System32\wscntfy.exe ... is niet aanwezig !! (= is not present)
c:\windows\System32\xmlprov.dll ... is niet aanwezig !!
Now I hope that it will be over... Thx

--> Nope it's not over, keep getting freezes...
 

Attachments

  • ComboFix.txt
    13.1 KB · Views: 2
Yep, it worked :)
Yes, you have a couple of files missing.
We'll fix it...

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Vista users: Right-click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    Code:
    :filefind
    wscntfy.exe
    xmlprov.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
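
Added example (not part of the thread, and not code from ComboFix or SystemLook): a small parser that pulls the "file not present" lines out of a ComboFix log, in the shape quoted earlier in the thread, and builds the matching SystemLook `:filefind` input. The sample log is constructed, and the English "is missing" wording is an assumption for non-Dutch logs.

```python
import re

# Constructed sample. The first two lines copy the shape quoted in the thread;
# the English "is missing" wording is an assumption for non-Dutch logs.
SAMPLE_LOG = r"""
c:\windows\System32\wscntfy.exe ... is niet aanwezig !!
c:\windows\System32\xmlprov.dll ... is niet aanwezig !!
c:\windows\System32\WSCNTFY.EXE ... is missing !!
c:\windows\System32\qmgr.dll
"""

# <drive path> ... <localized "not present" text> !!
MISSING = re.compile(
    r"^\s*(?P<path>[a-z]:\\.+?)\s*\.\.\.\s*"
    r"(?:is niet aanwezig|is missing)\s*!!\s*$",
    re.IGNORECASE,
)

def missing_files(log_text):
    """Return full paths flagged as missing, de-duplicated case-insensitively."""
    seen, found = set(), []
    for line in log_text.splitlines():
        m = MISSING.match(line)
        if not m:
            continue  # ordinary log line, not a "missing file" report
        path = m.group("path")
        if path.lower() not in seen:  # Windows paths are case-insensitive
            seen.add(path.lower())
            found.append(path)
    return found

def filefind_script(paths):
    """Build SystemLook input: ':filefind' followed by one bare file name per line."""
    names = [p.rsplit("\\", 1)[-1] for p in paths]
    return "\n".join([":filefind"] + names)

if __name__ == "__main__":
    print(filefind_script(missing_files(SAMPLE_LOG)))
```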
 
I did the systemlook and it didn't find the files, so they are really missing. So what's next? Replacing those files too? I don't think that will help... The trojan is causing all of this crap. Isn't there a way to just permanently delete the file with the trojan in or just heal the file and destroy the trojan or whatever. I mean like Combofix doesn't seem to work, so did the other programs. But anyway, you are the expert, not me, so I'll just continue to follow your steps :) thanks

Edit: The trojan is using my temporary internet files! That's the reason why they always got damaged and I needed to fix them using chkdsk. I found this out because firefox gave me a warning that I wasn't going to be able to use history and favorites because another program was using some of the firefox files (it also said this could be because of security programs... Which I don't currently have installed on my system!). I think that the trojan uses this to get information about me like passwords and things like that. Recently I also had my system rebooting on its own for like 4 times when the welcome screen was reached it stopped and rebooted. After I ran the disk check thing on startup and it repaired lots of things again (again including temp files...). Keeps freezing though :(
 

Attachments

  • SystemLook.txt
    546 bytes · Views: 0
With infections, never rush anything.
Be patient. Things have to be fixed one at a time.

Attached are zipped wscntfy.exe and xmlprov.dll files.
Unzip them and place both files into c:\windows\System32 folder.
Disregard any Windows warnings.

Re-run Combofix and post fresh log.
 

Attachments

  • wscntfy.zip
    6.8 KB · Views: 1
  • xmlprov.zip
    58.8 KB · Views: 1
Hi sry but I don't have a lot of time today, I already downloaded the files and put them in system32 folder and tomorrow I'll run combofix. Sorry for taking so long to run combofix.
 
Ok, I ran combofix now and nothing seems wrong. Here's the log. Still getting freezes :(

Ugh, this makes me mad. Almost broke my desk lol. Now even getting freezes sometimes when just started up or like just when I open my internet browser. Mostly takes 3-5 mins now... I thought it could be because of computer overheating but all those programs show that the temperature is just fine. So it's probably that trojan.
 

Attachments

  • ComboFix.txt
    13.9 KB · Views: 1
Combofix looks good now.
Keep in mind that you may have some other issues on top of the infection, but we'll keep checking to make sure your computer is clean.

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

===================================================================

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Alternative download: http://majorgeeks.com/Dr.Web_CureIT_d4783.html

  • Double-click the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select Complete scan.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

NOTE. During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.
 
Hi, sorry that I didn't respond for a long time, but my computer is now totally broken. It got fried by lightning (overvoltage or something like that). The power supply, the motherboard... almost everything is broken :( . So I'm going to get a new computer from my friend (temporarily) and after that I'll buy a new pc. Thank you very much for your help! I hope I never write you again :p (because if I will write you it'll be because my new pc has a problem). Bye! thx again :)
 