Trojan downloader still back - 8 steps done

I tried to use AVG and Malwarebytes to scan, and SUPERAntiSpyware to clear it off in safe mode, but once I reboot my computer, or a few minutes after I delete the infected files, it's back in the temp folder and the Temporary Internet Files folder...
 
Do you know the name of this virus? When did it first appear? I'd look for a manual removal method by searching Google or Yahoo.
 
@Squiggly1 please read here: Special governing rules for the Virus & Malware removal board
If you are not going to read the logs, then don't try supporting on Virus\Malware removal

@andy85 We need 3 logs!
By the way, uninstall your AVG Antivirus
Then run the removal tool
Here is the 32Bit version (most users): http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe
Here is the 64Bit version: http://www.avg.com/filedir/util/avg_arv_sup_____.dir/avgremoverx64.exe

Install Avira free AntiVirus
 
C:\DOCU~1\ANDY\LOCALS!1\Temp\91c0.dl\Trojan horse Downloader
C:\Documents and Settings\andy\local settings\temp\184741 -trojan horse PSW.onlineGames.BPPQ

Some other names that I copied down:

trojan horse PSW.onlineGames.small.fbw
trojan horse PSw.onlineGames.BQMI
trojan horse PSw.onlineGames.BPSW
trojan horse PSw.generic6.BCHR


C:\Documents and Settings\andy\local settings\temporary internet files\content.IE5\HS6989NG\new20[1].exe -trojan horse psw.Ldpinch.11.BQ

new1[1].exe - new30[1].exe

There's a jusched.log which shows as 1 KB but whose actual size is 500+ KB that keeps showing up in my temp folder as well...

OK, I uninstalled AVG, used the remover, installed Avira and attached 1 more log...

After I installed Avira I got a c:\WINDOWS\system32\ctfmon.exe which, no matter whether I quarantine/delete/deny access, keeps popping up flagged as a trojan...
 
HijackThis v1.99.1
The version of HijackThis you are using is years old
I, or anyone else, cannot work from this old version, as HijackThis has made many changes that can affect the support given

Uninstall HJT (this is a must)
Update Avira (just in case; it updates manually)
Startup Malwarebytes again
Update Malwarebytes
Run another full scan (With Avira enabled in the background)
Remove all found Viruses and Malware

Uninstall SUPERAntiSpyware
Restart

Download HJT (it's in the 8-step guide you hopefully were working from)
Run a scan only
Tick every (or any) entry that has "file missing" on it
Select Fix to all "file missing" entries only
Close HJT

Download and run Startup Control Panel, and check all tabs
Remove (un-tick) any not required startup shortcuts, not including Avira
(as a guide I have 1 startup only)

Restart

Run HJT scan and log, and attach the log to a new reply
 
OK, done... got a new HijackThis and uninstalled SUPERAntiSpyware

From my log file, is there any harm in, or any use to, deleting something like

O1 - Hosts: 127.0.0.2 bnasnd83nd.cn
O1 - Hosts: 127.0.0.0 gamehacker.com.cn
 
Actually it's preferred to tick and fix those two in HJT
Make sure that your Internet browser is closed before selecting Fix though

Anyway, I'll check the new HJT log now and reply again... ;)

Um, remove all the O1 entries actually! I didn't realize there were so many

You need to uninstall BitComet and AVG Antispyware
These programs may hinder any cleaning process

Note: BitComet is most likely the source of your Malware infestation. Will you still be using this again?
 
Sadly I can't help you further as you'll just be straight back here again in a day or two
Note: File Sharing programs do just that, they share your files, even if you disable sharing (how bad is that!)
Not only that, but these downloaded files usually (and obviously confirmed here) carry Malware

Instead of doing this on Windows, try using the free Ubuntu CD for downloading things, at least Windows won't be infected all the time doing it this way.

Anyway, I'll give you the last fix to do, good luck from there
If any other support members wish to continue helping you, good luck to them too.

Including the above, please tick and fix all of these in the HJT scan:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Captcha5] rundll "C:\Program Files\captcha5.dll",captcha
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download with FreeDAccelerator! - C:\Program Files\Free Download Accelerator 2\FreeDAccelerator.htm
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{80A5764B-2C7A-4C07-9CE3-8961B5694E0E}: NameServer = 202.156.1.58,218.186.1.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBF4DF21-BE59-4494-9A9C-14EACA2D7506}: NameServer = 202.156.1.58,218.186.1.38
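As an added example (not from this thread, and not part of HijackThis itself), a small Python triage script that applies the rules given above to HijackThis-style log lines: it flags entries pointing at a missing file, O1 hosts-file overrides, O17 name servers outside a list you expect, and O4 autostarts that load from a Temp folder. The sample lines, host name, GUID and DNS addresses are constructed placeholders.

```python
import re

# Constructed sample lines in HijackThis format (placeholder host, GUID and DNS values).
SAMPLE_LOG = r"""O1 - Hosts: 127.0.0.2 bad-host.example
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\new1.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 192.0.2.10,192.0.2.11
O23 - Service: Example Svc - Unknown owner - C:\example\svc.exe (file missing)
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")            # "O4 - HKLM\..\Run: ..."
O1_HOSTS = re.compile(r"^Hosts: (\S+) (\S+)$")     # "Hosts: <ip> <name>"
O17_DNS = re.compile(r"NameServer = ([\d.,]+)")    # comma-separated resolver IPs
TEMP_PATH = re.compile(r"\\(Temp|Temporary Internet Files)\\", re.IGNORECASE)

def triage_hjt(log_text, expected_dns=()):
    """Return (section, reason, line) tuples for entries worth reviewing.
    expected_dns lists the resolvers known to be legitimate; other O17 IPs are flagged."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue                     # header or free text, not an entry
        section, body = m.groups()
        lower = body.lower()
        if "(no file)" in lower or "(file missing)" in lower:
            findings.append((section, "dead reference", line))
        elif section == "O1":
            h = O1_HOSTS.match(body)
            if h and (h.group(1), h.group(2)) != ("127.0.0.1", "localhost"):
                findings.append((section, "hosts override for " + h.group(2), line))
        elif section == "O17":
            d = O17_DNS.search(body)
            bad = [ip for ip in d.group(1).split(",") if ip not in expected_dns] if d else []
            if bad:
                findings.append((section, "unexpected DNS " + ",".join(bad), line))
        elif section == "O4" and TEMP_PATH.search(body):
            findings.append((section, "autostart from temp folder", line))
    return findings

if __name__ == "__main__":
    for section, reason, line in triage_hjt(SAMPLE_LOG, expected_dns=("192.0.2.10",)):
        print(f"{section:4} {reason:35} {line}")
```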
 
Really, thanks a lot for all your help buddy :p I deleted all those as listed :D

Should be more or less clean, and I reattached a new log as well :D
 
Back