02-12-2007, 10:10 PM   #7
Deckard
Mentor, Analyst - Security Team
Join Date: May 2006
Location: Oregon
Posts: 2,503
OS: MacOS X, Debian, OpenBSD, Windows


You're welcome! I like flattery -- it'll get you everywhere.

You've got a persistent bugger, so let's try fixing it again and if it still stays around, we'll bring out the big guns.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If there is anything you don't understand, please ask BEFORE proceeding with the fixes. Please do these steps in order and do not skip any.

Clean Quarantine
Please follow Symantec's guide to clean out your Norton quarantine directory.


Submit for Analysis
Please download the Suspicious File Packer from Safer-Networking.Org and unzip it to your Desktop. Double-click on SFP.exe to run it. Next, please copy the following red lines and paste them into the Step 1: Paste Text window:

C:\Program Files\Java\jre1.5.0_06\bin\svchost.exe

then click "Continue". This will create a .cab file on your Desktop named requested-files[Date/Time].cab.

Please submit it to this Malware Submission page. Please include your login so I know which submission is yours.


Reboot
Reboot your system to Safe Mode by repeatedly tapping the F8 key until the menu appears and choosing Safe Mode from the list. On some systems, this may be the F5 key, so try that if F8 doesn't work. Log on with your usual account. Make sure to close any open windows.


HijackThis Fixes
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they still exist (make sure you do not miss any):
O4 - HKLM\..\Run: [ServiceHost] "C:\Program Files\Java\jre1.5.0_06\bin\svchost.exe" ""
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
Please remember to close all other windows, including browsers then click Fix checked. Close HijackThis.


Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
C:\MyEmoticons
C:\Program Files\Common Files\Totem Shared
C:\Program Files\Java\jre1.5.0_06\bin\svchost.exe
C:\Program Files\MySearch
C:\Program Files\NavExcel

Reboot
Reboot your system to Normal Mode.


Online Scan
Perform an online scan using Internet Explorer with Kaspersky WebScanner. Click on Launch Kaspersky Anti-Virus Web Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: extended
    • Scan Options: Scan Archives and Scan Mail Bases
  • Click OK
  • Turn off the real time scanner of any existing antivirus program before performing the online scan. You can turn it back on after the scan is done.
  • Now under select a target to scan, select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run all the way.
  • Once the scan is complete it will display if your system has been infected.
  • Click on the Save as Text button and save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the names and locations of any file it detects but fails to clean.


Re-run ComboFix
Double-click combofix.exe and follow the prompts. When the tool has finished, it will move the old log to C:\ComboFix2.txt and produce a new log in C:\ComboFix.txt. Please post only the new log.


With Your Next Post...
Please paste the following with your next reply (in this order please):
  1. Kaspersky scan report,
  2. The contents of C:\ComboFix.txt, and
  3. a new HiJackThis log taken after ComboFix finishes.
__________________
The chance to begin again in a golden land of opportunity and adventure.

Need HijackThis help? Please read MicroBell's Five Step Process before posting.
Please donate and help keep this site free to all.


UNITE/ASAP: Proud member since 2006
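The HijackThis entries Deckard asks to fix above share three tell-tale shapes: an O4 autorun that launches a file named like a Windows core binary (svchost.exe) from a directory that is not the system directory, O6 Internet Explorer policy restriction keys, and an O7 policy value that disables the Registry Editor. As an added example that is not part of the original post and not a tool from the forum, the Python below audits a HijackThis-style log for exactly those shapes. The sample log is constructed for this example (the four lines quoted in the post plus one benign vendor autorun line), and the rule set, the list of core-binary names, the system directory list, and the regular expressions for the O4/O6/O7 line formats are assumptions modelled on the lines shown in the post, not on HijackThis documentation.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed sample log excerpt (assumption: mirrors the O4/O6/O7 line shapes
# quoted in the post). The SoundMAX line is a benign autorun added so that the
# audit has something it must leave alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ServiceHost] "C:\Program Files\Java\jre1.5.0_06\bin\svchost.exe" ""
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# Core Windows binaries that only ever live under the system directory
# (assumed list for this example).
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
# Directories where those binaries legitimately reside, lower-cased (assumed list).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\winnt\system32")

# Line formats assumed from the entries shown in the post.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O6_RE = re.compile(r"^O6 - (?P<key>.+) present$")
O7_RE = re.compile(r"^O7 - (?P<key>.+), (?P<value>\w+)=(?P<data>\S+)$")


@dataclass
class Finding:
    code: str    # HijackThis section code (O4, O6, O7)
    reason: str  # why the line was flagged
    line: str    # the original log line


def executable_from_command(cmd: str) -> Optional[str]:
    """Pull the program path out of a Run-key command line, quoted or not."""
    m = re.match(r'"?(?P<exe>[^"]*?\.exe)(?:"|\s|$)', cmd, re.IGNORECASE)
    return m.group("exe") if m else None


def is_masquerading_system_binary(exe_path: str) -> bool:
    """True when a core-system binary name is run from outside the system directories."""
    p = PureWindowsPath(exe_path)
    if p.name.lower() not in SYSTEM_BINARY_NAMES:
        return False
    parent = str(p.parent).lower()
    return not any(parent == d or parent.startswith(d + "\\") for d in SYSTEM_DIRS)


def audit_hjt_log(text: str) -> List[Finding]:
    """Return one Finding per log line that matches a suspicious shape."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            exe = executable_from_command(m.group("cmd"))
            if exe and is_masquerading_system_binary(exe):
                findings.append(Finding(
                    "O4",
                    f"autorun '{m.group('name')}' launches {PureWindowsPath(exe).name} "
                    f"from outside the system directory: {exe}",
                    line))
            continue
        m = O6_RE.match(line)
        if m:
            findings.append(Finding(
                "O6", f"Internet Explorer policy restriction key present: {m.group('key')}", line))
            continue
        m = O7_RE.match(line)
        if m and m.group("value").lower() == "disableregedit" and m.group("data") == "1":
            findings.append(Finding(
                "O7", "Registry Editor disabled by policy (DisableRegedit=1)", line))
    return findings


if __name__ == "__main__":
    for f in audit_hjt_log(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}")
        print(f"      {f.line}")
```

Run it as-is to see the four flagged lines; point `audit_hjt_log` at the text of a real HijackThis log to apply the same three checks. The O4 rule deliberately keys on the file name plus location rather than on a specific path, so it also catches the same trick under a different directory; the O6 and O7 rules simply surface the policy keys, since whether a restriction is legitimate is a judgement the helper, not the script, has to make.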