trojan spyware problem

Status
Not open for further replies.

ramsey

Dear Anybody Who can assist,
I would appreciate any suggestions that could help me get rid of a trojan that comes up when I run the Spyware Doctor scan.
Adaware and Spybot don't pick it up, however.
It comes up as Trojan.Crypt E and the paths go to System 32\cmd.com
\ping.com
\tasklist.com
\tracert.com
\regedit.com
I notice you always ask for a printout from HijackThis so I will add this as well.

I'm just feeling my way with your site so I hope you will excuse any errors I have accidentally made. Cheers, arthur
 
Hello and welcome to Techspot.

Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Run the Spyware doctor scan again and delete whatever it finds.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to each (if there).

O1 - Hosts: localhost 127.0.0.1

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx (file missing)

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/05cd06d...ip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...b?1146217504653
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/M...pDownloader.cab


O17 - HKLM\System\CCS\Services\Tcpip\..\{98477459-31CC-41AF-8C09-C19731EAEB56}: NameServer = 85.255.113.90 85.255.112.5 < Only fix this, if it doesn't belong to your ISP.

Click on the fix checked button.

Close HJT.

Reboot into normal mode and turn system restore back on.


Regards Howard
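An added example, not part of the original posts: one way to carry out the O17 check advised above is to pull the NameServer addresses out of a HijackThis log and compare them with the resolvers your ISP actually assigns. The ISP addresses and the last two O17 sample lines are constructed placeholders; the function names are illustrative.

```python
import ipaddress
import re

# An O17 line has the form "O17 - <registry key>: <setting> = <value>".
O17_RE = re.compile(r"^O17 - (?P<key>HK.+?): (?P<name>\w+) = (?P<value>.*)$")

# Sample log: the first O17 line is the one quoted in the post above,
# the remaining O17 lines are constructed for this example.
SAMPLE_LOG = r"""
O1 - Hosts: localhost 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{98477459-31CC-41AF-8C09-C19731EAEB56}: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53,192.0.2.54
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = example.test
"""

# Constructed placeholder: replace with the DNS servers your ISP documents.
ISP_RESOLVERS = ["192.0.2.53", "192.0.2.54"]


def parse_o17(log_text):
    """Return (registry_key, [ip, ...]) for every O17 NameServer entry."""
    entries = []
    for raw in log_text.splitlines():
        m = O17_RE.match(raw.strip())
        if not m or m.group("name") != "NameServer":
            continue  # other sections, or O17 settings such as Domain
        ips = []
        # Values may be separated by spaces or commas.
        for token in re.split(r"[,\s]+", m.group("value").strip()):
            try:
                ips.append(ipaddress.ip_address(token))
            except ValueError:
                pass  # notes appended to the line are not addresses
        entries.append((m.group("key"), ips))
    return entries


def unexpected_resolvers(log_text, isp_resolvers):
    """List (registry_key, ip) pairs whose DNS server is not an ISP resolver."""
    allowed = {ipaddress.ip_address(a) for a in isp_resolvers}
    return [
        (key, str(ip))
        for key, ips in parse_o17(log_text)
        for ip in ips
        if ip not in allowed
    ]


if __name__ == "__main__":
    for key, ip in unexpected_resolvers(SAMPLE_LOG, ISP_RESOLVERS):
        print(f"review before fixing: {ip} set under {key}")
```

Anything the script reports still needs a manual decision: a router or a deliberately chosen public resolver will also show up as "not the ISP".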
 
Dear Howard,
Once again thank you for responding to my question.
I have battled my way through your response as well as other messages such as "before posting your hjt read this" and am now fully aware how PC illiterate I am.
However, with a bit of patience and trial + error and the downloading of a multitude of anti-spyware programs I think I am now free of bugs thanks to you.
I'm quite chuffed I managed it, though I didn't have 100% success with some programs.
Now I have a final query: do I now restore the hidden files that you had me show up back to "hidden" again, and can I now delete the swag of anti-spyware in my PC,
e.g. smitfraudfix, everest, vundo fix, look 2 me, HJT, spyware doctor, and keep only spybot + avg + ewido + adaware, or do you recommend another option?
One other thing, a device error box comes up when I restart the PC saying "windows could not load installer for Monitor" but everything seems fine. Do I ignore it?
Many thanks for your help, without which I would have been totally befuddled. Yours is a really worthwhile site and I wish you all success.
Thank you, arthur
 
Do I now restore the hidden files that you had me show up back to "hidden" again and can I now delete the swag of anti spyware in my pc

Yes no problem.

spybot + avg + ewido + adaware or do you recommend another option.

They are fine. Spyware Blaster may be a good addition and Ccleaner as well.

One other thing, a device error box comes up when I restart the pc saying "windows could not load installer for Monitor" but everything seem fine. Do I ignore it?

No, please post a fresh HJT log.

Regards Howard :)
 
Dear Howard, it appears I may have been a tad premature with my self-congrats, as something keeps loading (in my docs and settings) cookies called arthur@tribalfusion + arthur@112.2o7 + arthur@serving-system.
Any ideas? Cheers, arthur
 

Attachments: hijackthis.txt
no reply

OK, obviously something has been missed from my side; however, thanks for your efforts. Cheers, arthur
 
Well, not really... however,
a chap at work suggested I try Firefox as a browser and there seem to be no spies. I am trying your recomms and they seem excellent.
Cheers, arthur
 
In what way are you still having problems?

The tracking cookies you are seeing are perfectly normal behaviour. In an ideal world we wouldn't get them, but we do. They should be cleaned out occasionally, but on the grand scale of things, they're relatively harmless. :D
 
Continuing alerts

Hello Spike, OK, I can live with that. The reason I asked is, one of the aforementioned anti-spyware programs, Ewido, sets off an alarm and tells me I have been infected with malware when these cookies are opened, and efforts to block them are ineffectual.
Also, another site I have been suggested may help, Registry Mechanic, finds a multitude of "high priority value is invalid" warnings in locations such as HKEY_LOCAL_MACHINE SOFTWARE, wherever that is.
Cheers, arthur
 