just today when i logged on the internet and when i started surfin the web, avast! kept detecting threats from trojan-gen {other} and {trj} (about 20 infections in the avast! log viewer). but anyways, i read thru all the 8 steps from the forum here and i'll post up my log file soon.
Trojan problem
- Thread starter cubyong
- Start date
- Status
Do the TechSpot 8 steps: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Skip no steps (do not install another virus scanner if you already have one, ask me before installing a Firewall).
Most importantly update MalwareBytes and SuperAntiSpyware!
Get us the logs!
Mike
Skip no steps (do not install another virus scanner if you already have one, ask me before installing a Firewall).
Most importantly update MalwareBytes and SuperAntiSpyware!
Get us the logs!
Mike
Hi Cub
SVCHOST is a legit program, actually in layman's terms it is a runner of other programs/processes. In this case it is running Malware. Which we are about to fix below.
Run HJT Scan only select and remove the below.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
Another run indicated!
OK there were found/removed items in both MBAM and SAS so we need to run again as the first run likely exposed things that were not even seen the first time. So another run Quick Scan will likely find more. So UPDATE them run again.
Post all logs HJT last.
Mike
SVCHOST is a legit program, actually in layman's terms it is a runner of other programs/processes. In this case it is running Malware. Which we are about to fix below.
Run HJT Scan only select and remove the below.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
Another run indicated!
OK there were found/removed items in both MBAM and SAS so we need to run again as the first run likely exposed things that were not even seen the first time. So another run Quick Scan will likely find more. So UPDATE them run again.
Post all logs HJT last.
Mike
NO until I see the 2nd run of MBAM and SAS. I do not believe you are clean.
Get me the logs.
Then only after the above logs do the below
Download SDFix to Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
On Desktop run SDdFix It will run (install) then close.
Then reboot into Safe Mode
As the computer starts up, tap the F8 key several times.
On the Boot menu Choose Safe Mode.
Click thu all the prompts to get to desktop.
At Desktop
My Computer C: drive. Double-click to open.
Look for a folder called SD Fix. Double-click to enter SD Fix.
Double-click to RunThis.bat. Type Y to begin.
SD Fix does its job.
When prompted hit the enter key to restart the computer
Your computer will reboot.
On normal restart the Fixtool will run again and complete the removal process then say Finished,
Hit the Enter key to end the script and load your desktop icons.
Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.
=========================================
Download ComboFix
NOTE: If you have had ComboFix more than a few days old delete and re-download.
Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe
Double click combofix.exe follow the prompts.
Install Recovery Console if connected to the Internet!
When finished, it will open a log.
Attach the log and a new HJT log in your next reply.
Note: Do not click combofix's window while its running. That may cause it to stall.
Mike
Get me the logs.
Then only after the above logs do the below
Download SDFix to Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
On Desktop run SDdFix It will run (install) then close.
Then reboot into Safe Mode
As the computer starts up, tap the F8 key several times.
On the Boot menu Choose Safe Mode.
Click thu all the prompts to get to desktop.
At Desktop
My Computer C: drive. Double-click to open.
Look for a folder called SD Fix. Double-click to enter SD Fix.
Double-click to RunThis.bat. Type Y to begin.
SD Fix does its job.
When prompted hit the enter key to restart the computer
Your computer will reboot.
On normal restart the Fixtool will run again and complete the removal process then say Finished,
Hit the Enter key to end the script and load your desktop icons.
Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.
=========================================
Download ComboFix
NOTE: If you have had ComboFix more than a few days old delete and re-download.
Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe
Double click combofix.exe follow the prompts.
Install Recovery Console if connected to the Internet!
When finished, it will open a log.
Attach the log and a new HJT log in your next reply.
Note: Do not click combofix's window while its running. That may cause it to stall.
Mike
here it is. apparently everything was clean but after using combofix n sdfix, mbam picked up 6 infected files but it's to be removed once i restart my computer. here you go.
after restarting, there was one infection. i'll post it here with the mbam log. oh yea, here's my hijackthis log file too
hmmm when i restarted my computer, it says boot.ini file invalid; booting from c:\windows\. apparently i got rid of the \boot.ini file which is needed since pressing f8 does not start my windows in safe mode. so i had to use msconfig and click on boot.ini so that when i restart, it'll be in safe mode. i don't think it's a trojan.. is it? cos when i ran msconfig again, the boot.ini tab was gone. should i leave the boot.ini file in the ignore list?
after restarting, there was one infection. i'll post it here with the mbam log. oh yea, here's my hijackthis log file too
hmmm when i restarted my computer, it says boot.ini file invalid; booting from c:\windows\. apparently i got rid of the \boot.ini file which is needed since pressing f8 does not start my windows in safe mode. so i had to use msconfig and click on boot.ini so that when i restart, it'll be in safe mode. i don't think it's a trojan.. is it? cos when i ran msconfig again, the boot.ini tab was gone. should i leave the boot.ini file in the ignore list?
yea i did install recovery console when i ran it. what about the boot.ini?
btw, i can't boot in safe mode since the boot.ini is quarantined in mbam. i'm using an asus motherboard so it's different. only when i restore the boot.ini file, then i can boot in safe mode.
here's the latest mbam log. everything looks alright.. maybe mbam mistook boot.ini as a malware but i'll scan with combofix again n post the log here
btw, i can't boot in safe mode since the boot.ini is quarantined in mbam. i'm using an asus motherboard so it's different. only when i restore the boot.ini file, then i can boot in safe mode.
here's the latest mbam log. everything looks alright.. maybe mbam mistook boot.ini as a malware but i'll scan with combofix again n post the log here
OK good we are clean after I see one more ComboFix it had 1 item cleaned, and I want to confirm gone!
For boot.ini
May want to print this.
Boot Recovery console and type
bootcfg /rebuild
When it finishes
type
exit
and hit the Enter key
After I see the ComboFix log we should be finished.
Mike
For boot.ini
May want to print this.
Boot Recovery console and type
bootcfg /rebuild
When it finishes
type
exit
and hit the Enter key
After I see the ComboFix log we should be finished.
Mike
Combofix was clean.
For the boot.ini.
You said you installed the Recovery console if so then when you boot there is an option to enter Recovery Console.
Chose that option get to the prompt and type (bootcfg /rebuild ) as in post 16 and it will fix the boot. You may then need to reverse what you din in msconfig!
Mike
For the boot.ini.
You said you installed the Recovery console if so then when you boot there is an option to enter Recovery Console.
Chose that option get to the prompt and type (bootcfg /rebuild ) as in post 16 and it will fix the boot. You may then need to reverse what you din in msconfig!
Mike
You are good to go!
Good job!
Consider the following. It also answers your question.
Thread closing-------------------------------------------------------------------
Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.
Remove ComboFix
Start-Run
type
combofix /u
Hit enter or click OK.
Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe
Save to desktop.
This will remove all the tools we used to clean your computer.
Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"
Approve all if prompted by Firewall. Approve Widows Defender or other guards or security programs while OTCleanIt attempting access to the Internet to allow all.
If prompted to Reboot click, Yes.
OTCleanit will delete itself when finished, If not delete it by yourself.
-------------------------------------------------------------------------------------
Run CCleaner again twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.
Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.
KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
Fantastic cleaner.
-------------------------------------------------------------------------------------
The issues can and are likely found is in System Restore so do the below
Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".
Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and the OK to Run.
As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.
It clears what is known as Shadow copies which are used by specialized back up programs.
This is if you have the Volume Shadow Copy running which is the default.
-------------------------------------------------------------------------------------
Every two weeks or so, run MBAM and SAS until clean.
They take a while, so leave scanning while you are sleeping working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.
If they find something they can not clean, then get back to us.
Additionally run CCleaner. ATF-Cleaner and KCleaner.
----------------------------------------------------------------------------------------
I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.
It was designed to be used with and to co-exist with other Virus scanners.
Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.
It's like looking at it with 2 sets of eyes and from a different angle.
It works like some Firewalls do to learn what is good/bad.
After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.
As it queries you about the prompt to help you determine to approve or not you can google it with one click.
http://www.threatfire.com/Download/
-------------------------------------------------------------------------------------
Look at http://www.javacoolsoftware.com/spywareblaster.html
Run SpyBot ocassionally and use the Immunize function.
http://www.safer-networking.org/en/download/
I highly reccomend Hostman: Hostman http://majorgeeks.com/HostsMan_d4592.html
Download install run and allow it to disable DNS Client and select all Host files and then Update and install all host files.
A Disk Scan (chkdsk) and Defrag are in order.
Mike
Good job!
Consider the following. It also answers your question.
Thread closing-------------------------------------------------------------------
Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.
Remove ComboFix
Start-Run
type
combofix /u
Hit enter or click OK.
Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe
Save to desktop.
This will remove all the tools we used to clean your computer.
Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"
Approve all if prompted by Firewall. Approve Widows Defender or other guards or security programs while OTCleanIt attempting access to the Internet to allow all.
If prompted to Reboot click, Yes.
OTCleanit will delete itself when finished, If not delete it by yourself.
-------------------------------------------------------------------------------------
Run CCleaner again twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.
Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.
KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
Fantastic cleaner.
-------------------------------------------------------------------------------------
The issues can and are likely found is in System Restore so do the below
Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".
Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and the OK to Run.
As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.
It clears what is known as Shadow copies which are used by specialized back up programs.
This is if you have the Volume Shadow Copy running which is the default.
-------------------------------------------------------------------------------------
Every two weeks or so, run MBAM and SAS until clean.
They take a while, so leave scanning while you are sleeping working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.
If they find something they can not clean, then get back to us.
Additionally run CCleaner. ATF-Cleaner and KCleaner.
----------------------------------------------------------------------------------------
I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.
It was designed to be used with and to co-exist with other Virus scanners.
Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.
It's like looking at it with 2 sets of eyes and from a different angle.
It works like some Firewalls do to learn what is good/bad.
After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.
As it queries you about the prompt to help you determine to approve or not you can google it with one click.
http://www.threatfire.com/Download/
-------------------------------------------------------------------------------------
Look at http://www.javacoolsoftware.com/spywareblaster.html
Run SpyBot ocassionally and use the Immunize function.
http://www.safer-networking.org/en/download/
I highly reccomend Hostman: Hostman http://majorgeeks.com/HostsMan_d4592.html
Download install run and allow it to disable DNS Client and select all Host files and then Update and install all host files.
A Disk Scan (chkdsk) and Defrag are in order.
Mike
- Status
