Problems disabling system restore - trojan detected

[jaycee]

Hi

Firstly thankyou for existing!!! I am desperately trying to tackle a virus detected on my laptop last night by AVG. It is coming up as Trojan BackDoor.Generic2.SLC The AVG is isolating the virus in the vault but not dealing with it. I have downloaded the various mal ware programs recommended i.e. ewido, HJT, Ad - aware and I already had Ccleaner installed. I am attempting to follow your instructions in Trojans and Pakes basic steps to dealing with them. Unfortunately the Trojan has got me at the first hurdle!! I cannot disable system restore!! I get an error message telling me that there was an error in attempting to disable one or more of my drives and to reboot and try again. Of course a million retries and here I am!! I tried to access a restore point via system restore out of curiosity and am getting a message saying system restore cannot protect my computer? The control panel/systems folder indicates that system restore is enabled ??

Am i being forced into wiping the disk and starting again here?

Many thanks

Jaycee x

PS Whilst I can find my way around the computer as much as most who have ever played about with control panel and security settings etc (not much!!!) I am computer naive please - trojan for dummies would be fantastic!! haha.

 

[howard_hopkinso]

Hello and welcome to Techspot.

I know you`re already trying following the instructions, just follow as many of the instructions as you can in this thread HERE.

Then, post fresh HJT and Ewido logs as attachments into this thread.

I`ll see what I can do.

It is possible, you may end up having to reformat, but we`ll try and avoid that if at all possible.

Regards Howard :wave: :wave:

This thread is for the use of jaycee only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[jaycee]

Okay will do, thankyou for being so prompt. I wish I didnt need to avoid it but I am a freelance writer I have so much work in the laptop and I am not very organised at times when deadlines are clashing the dog is going mental and the child is bored!! Finding files and remembering half of their names for back up will be a nightmare!! I have also had disks reformatted on my desktop previously and found that they keep going down every six months ago (though probably due to the dodgy shop I took it to!!) Thanks again, will get on with that now.

regards Jill x

 

[jaycee]

okay done all of that. please see attached log files as requested.

Problems I am having ? Well repeated AVG finds of the same file (trojan horse backdoor) whenever I boot up or sometimes just out of the blue. I am totally unable to put computer into safe mode or system restore (as described earlier). Computer seems to be running a little slower at times, but otherwise no real evidence as of yet.

Many thanks for your time.

Regards

Jill x

 

[howard_hopkinso]

I won`t bother asking you to boot into safe mode or turn off system restore yet. See if this helps.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add remove programmes in your control panel and uninstall anything to do with(if there).

BroadJump\Client Foundation

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

CFD.exe
Remind_XP.exe
alg32.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe

O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [alg32] C:\WINDOWS\system32\alg32.exe

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.co.uk/SnapfishUKActivia.cab

O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://www.photobox.co.uk/sg/common/uploader.cab

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\Program Files\BroadJump
C:\Windows\CREATOR
C:\WINDOWS\system32\alg32.exe

Rehide your protected OS files and reboot your computer.

Post a fresh HJT log and let me know how your system is running.

Regards Howard

This thread is for the use of jaycee only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[jaycee]

I have followed your instructions, thankyou. please see second HJT log attached. The CFD.exe and alg32.exe have been bugging my system registry since the AVG first detected the virus!! I have been trying to find those files for 24 hours!!

BroadJump has been deleted but I cannot detect the alg32.exe on the system.

So far so good no AVG warning at startup ? (though it can be delayed sometimes).

Starting to feel much happier

 

[howard_hopkinso]

Download the Pocket Killbox programme from HERE.

Extract it to your desktop.

Run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and check the delete file on reboot button. press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

This is the filepath you need to enter into killbox.

C:\WINDOWS\system32\alg32.exe

Once your system has rebooted, post a fresh HJT log. Also, see if you can now access system restore and safe mode.

Let me know the results please.

Regards Howard

This thread is for the use of jaycee only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[jaycee]

killbox didnt detect the alg32.exe file either maybe we got it? But still cant use safe mode or system restore.

Thanks

Jill

 

[howard_hopkinso]

According to your HJT log, the file is still there.

O4 - HKLM\..\Run: [alg32] C:\WINDOWS\system32\alg32.exe

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html


Run HiJackThis then:

1. Click the config button
2. Click the Misc Tools button
3. Click the Open Process manager

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINDOWS\System32\ALG32.EXE
C:\WINDOWS\System32\SPOOLSVU.EXE

Now double-check and make sure that only those item(s) above are highlighted, then click Kill process. Now, click "Refresh", check again, and repeat this step if any remain.

Close HJT.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - HKLM\..\Run: [alg32] C:\WINDOWS\system32\alg32.exe

Clock the fix checked button.

Locate and delete the following bold/b] file(if there)

C:\WINDOWS\system32\alg32.exe

Reboot your computer and post a fresh HJT log.

Regards Howard

 

[jaycee]

Sorry about delay / disappearance I literally flaked out at my desk (it was early hours)!! I have done as advised and still cant locate the ALG32.exe file and the only other file i can find is C:\WINDOWS\System32\SPOOLSV.EXE rahter than C:\WINDOWS\System32\SPOOLSVU.EXE

I didnt do anything with this yet since it is not an exact match ?

many thanks

Jill x

 

[jaycee]

haha found the alg32.exe file in the HJT log and 'fix'ed it . Problem was SS&D is creating a registry scanner to allow or deny changes and this was being repeatedly denied. I have turned off the process in the advanced options of the SS&D I think in deactivitating the 'Tea timer' ??? this appeared to do the trick in allowing me to fix the alg32 in the HJT ?? But still no system restore or safe mode after reboot. I am definately not getting virus alerts now though system has been running and rebooted several times since last night and nothing so far. :approve:

I have included HJT log for you to look at if you would please ?

Many thanks

Jill x

 

[howard_hopkinso]

Well done, your HJT log is clean.

The C:\WINDOWS\System32\SPOOLSV.EXE file is genuine and should not be deleted.

As far as I can tell, your system is now clean.

Maybe you should consider doing a Windows repair as per this thread HERE. It`s possible the viruses you had have damaged you OS in some way.

Regards Howard

This thread is for the use of jaycee only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[jaycee]

Well done you! Thankyou so much for all of your help!! I will look at the system repair. Take Care and thankyou again (my gratitude is infinite!!!!!!):giddy:

 

[howard_hopkinso]

No problem mate. I`m happy to help.

Thanks for your kind words.

Regards Howard