removal of trojans

Can someone please help? I have been having various problems with spyware and trojans, I think!
I have done a freedom GUi scan for trojans and here is the log file. The author says don't edit or delete files unless you know what you are doing, and I don't. Can anyone please tell me which files in the log should be deleted or which ones should not? Thanks in advance, John.


C:\Windows\SYSTEM\MKCOMPAT.EXE at 10:30:21 PM on 3/13/06 detected!
C:\WINDOWS\SYSTEM\MKCOMPAT.EXE at 7:15:54 AM on 3/14/06 detected!
C:\WINDOWS\SYSTEM\CFGWIZ32.EXE at 7:18:37 AM on 3/14/06 detected!
C:\WINDOWS\command.PIF at 7:29:53 AM on 3/14/06 detected!
C:\WINDOWS\SYSTEM\JDBGMGR.EXE at 7:30:40 AM on 3/14/06 detected!
C:\WINDOWS\RUNDLL.EXE at 7:31:54 AM on 3/14/06 detected!
C:\WINDOWS\TASKMON.EXE at 7:33:53 AM on 3/14/06 detected!
C:\WINDOWS\SYSTEM\CFGWIZ32.EXE at 7:43:10 AM on 3/14/06 detected!
C:\WINDOWS\SAMPLES\WSH\CHART.VBS at 7:43:18 AM on 3/14/06 detected!
C:\WINDOWS\SYSTEM\SUCATREG.EXE at 8:27:15 AM on 3/14/06 detected!
C:\WINDOWS\TOUR98.EXE at 8:32:26 AM on 3/14/06 detected!
C:\WINDOWS\unvise32qt.exe at 8:33:41 AM on 3/14/06 detected!
C:\WINDOWS\WINHELP.EXE at 8:37:51 AM on 3/14/06 detected!
C:\WINDOWS\SYSBCKUP\WINHELP.EXE at 8:37:52 AM on 3/14/06 detected!
C:\WINDOWS\WININIT.EXE at 8:38:06 AM on 3/14/06 detected!
C:\WINDOWS\WINMINE.EXE at 8:39:08 AM on 3/14/06 detected!
C:\WINDOWS\SYSTEM\WSASRV.EXE at 8:42:10 AM on 3/14/06 detected!
C:\WINDOWS\SYSTEM\SPOOL32.EXE at 9:03:17 AM on 3/14/06 detected!
C:\WINDOWS\MSNMGSR1.EXE at 9:09:16 AM on 3/14/06 detected!
C:\WINDOWS\tool1.exe at 9:10:37 AM on 3/14/06 detected!
 
Thanks for the reply

Thanks for the reply Howard, but I have followed all instructions and am still having problems. I found the HJT help a little confusing so I will post my HJT log file for you to see. I am also getting a notification each time I boot up Windows which says "Cannot find file ibm0001.exe" or words to that effect. Adaware, spybot, cw shredder, coolws., about buster etc. all found nothing.
I have a PII 450 MHz, 128 RAM, OS Win98, and IE 6.0

thanks again John
 
Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to each (if there).

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dsl.optusnet.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F1 - win.ini: run=lxcgppls.exe

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL

O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\SYSTEM\LXCGtime.dll,_RunDLLEntry@16

O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
Only fix this entry if it doesn't belong to your computer manufacturer or your ISP provider.

O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.115.75,85.255.112.139
Only fix this entry if it doesn't belong to your ISP.

Click on the fix checked button.

Close HJT.

Reboot into normal mode.

Regards Howard :)
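
Added example, not part of the original posts: a small Python triage helper that parses HijackThis-style entries like those listed above and surfaces the two kinds that call for a manual decision, an F1 win.ini autostart and O17 name servers that are not the ISP's. The function names and the `ISP_NETS` range are assumptions made for illustration (192.0.2.0/24 is a documentation range standing in for the ISP's real resolvers).

```python
import ipaddress
import re

# Section codes seen in the fix list above, with their usual HijackThis meaning.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "F1": "win.ini/system.ini autostart", "O2": "Browser Helper Object",
    "O4": "Run-key autostart", "O14": "IERESET.INF default",
    "O16": "ActiveX download", "O17": "DNS / domain setting",
}
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
NAMESERVER = re.compile(r"NameServer\s*=\s*([0-9., ]+)")

def parse_entry(line):
    """Split 'O17 - body' into (code, body); None for non-entry lines."""
    m = ENTRY.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def foreign_nameservers(body, isp_networks):
    """Return O17 resolver IPs that fall outside every ISP network."""
    m = NAMESERVER.search(body)
    if not m:
        return []
    nets = [ipaddress.ip_network(n) for n in isp_networks]
    ips = [ipaddress.ip_address(p) for p in re.split(r"[,\s]+", m.group(1).strip()) if p]
    return [str(ip) for ip in ips if not any(ip in n for n in nets)]

def review(log_lines, isp_networks):
    """Return (code, meaning, note) for entries that need a manual decision."""
    findings = []
    for line in log_lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        code, body = entry
        if code == "O17":
            bad = foreign_nameservers(body, isp_networks)
            if bad:
                findings.append((code, SECTIONS[code], "not ISP resolvers: " + ", ".join(bad)))
        elif code == "F1" and re.search(r"\b(run|load)=\S", body):
            findings.append((code, SECTIONS[code], body.split(": ", 1)[-1]))
    return findings

# Two entries copied from the post above; ISP_NETS is a constructed placeholder.
SAMPLE = [
    "F1 - win.ini: run=lxcgppls.exe",
    "O17 - HKLM\\System\\CCS\\Services\\VxD\\MSTCP: NameServer = 85.255.115.75,85.255.112.139",
]
ISP_NETS = ["192.0.2.0/24"]
```

Calling `review(SAMPLE, ISP_NETS)` returns one finding per entry; replace `ISP_NETS` with the resolver ranges your ISP actually publishes before trusting the O17 result.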
 
panda scan log

OK, I have done all that and things seem much better; however, I have now done the Panda online active scan and the results don't look promising! Any suggestions?

thanks again John
 
Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html


Go to Add/Remove Programs in your Control Panel and uninstall anything to do with the following (if there).

C:\Program Files\Doctor Alex\Undo

Close control panel.

Delete the following bold file (if there).

C:\Program Files\Doctor Alex\Undo

Open HJT and click on the config button, then the Misc Tools button.

Click on the delete file on reboot button.

Browse to the following files and enter these locations 1 at a time into the open box and click open.

C:\WINDOWS\webload196.exe.tcf

C:\WINDOWS\tool2.exe

C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hir7zlkz.default\cookies.txt[]

C:\WINDOWS\SYSTEM\lxcgsr9x.exe

C:\WINDOWS\SYSTEM\azebar.xml

You will be asked after each entry, if you want to reboot your computer. Click yes. You will be required to reboot your computer 5 times.

Regards Howard :)
 