
Trojan virus suspected...Windows Xp

1.3K views 5 replies 2 participants last post by  chemist  
#1 ·
Before I posted this thread, I posted two other threads about "why my hard drive C: isn't appearing" and stuff like that... at that time, I didn't know it was a trojan or whatever (I didn't even know what that meant...).
You see, my whole hard drive C: was actually hidden; I couldn't see it, but I noticed that my programs were still present... and then, thanks to help from other guys in the other threads I posted, I was actually able to bring the files on hard drive C: back, but they were in blue.
Now I suspect it is a trojan because when I searched about it and looked in other threads, their problems were similar to mine... I used to get warnings about hard drive C:
Image

ATM... I'm using networking in Safe Mode, but I still don't know how to solve it... because you see, I even bought CDs like "System Mechanic: iolo technologies", but for some reason I cannot install it at all... so I didn't know what to do but turn to you guys...
Image


==DDS==
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_26
Run by SUD2 at 13:47:37 on 2011-09-26
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = hxxp://192.168.0.1:46
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://search.babylon.com/?babsrc=SP_ss&q={searchTerms}&mntrId=10e6748d000000000000001617cf5b80&tlver=1.4.23.10&affID=19591
mURLSearchHooks: H - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.1.0.37\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.1.0.37\IPSBHO.DLL
BHO: c:\windows\system32\wkz4g.dll: {b1b220c1-a500-99bd-f110-04b53a2c8952} - c:\windows\system32\wkz4g.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.1.0.37\coIEPlg.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [HNUSHTguuc] c:\docume~1\sud\locals~1\temp\system.exe
uRun: [HNUSHTgne] c:\docume~1\sud\locals~1\temp\mdm.exe
uRun: [HNUSHTgrb] c:\docume~1\sud\locals~1\temp\msmgm.exe
uRun: [HNUSHTgruf] c:\docume~1\sud\locals~1\temp\wininst.exe
uRun: [HNUSHTglb] c:\docume~1\sud\locals~1\temp\debug.exe
uRun: [HNUSHTgpb] c:\docume~1\sud\locals~1\temp\login.exe
uRun: [HNUSHTgtrf] c:\docume~1\sud\locals~1\temp\svchost.exe
uRun: [HNUSHTgre] c:\docume~1\sud\locals~1\temp\smss.exe
uRun: [HNUSHTgutc] c:\docume~1\sud\locals~1\temp\sysmgm.exe
uRun: [HNUSHTgrA] c:\docume~1\sud\locals~1\temp\win16.exe
uRun: [HNUSHTgosf] c:\docume~1\sud\locals~1\temp\taskmgr.exe
uRun: [HNUSHTgoA] c:\docume~1\sud\locals~1\temp\avp32.exe
uRun: [HNUSHTgnb] c:\docume~1\sud\locals~1\temp\cmd.exe
uRun: [HNUSHTgmtd] c:\docume~1\sud\locals~1\temp\iexplarer.exe
uRun: [HNUSHTgob] c:\docume~1\sud\locals~1\temp\drweb.exe
uRun: [HNUSHTgrvg] c:\docume~1\sud\locals~1\temp\spoolsv.exe
uRun: [MKaZ] c:\windows\cmd.exe
uRun: [HNUSHTgrsc] c:\docume~1\sud\locals~1\temp\winlogon.exe
uRun: [HNUSHTgsfP] c:\docume~1\sud\locals~1\temp\nvsvc32.exe
uRun: [HNUSHTgl/] c:\docume~1\sud\locals~1\temp\gdi32.exe
uRun: [HNUSHTgpta] c:\docume~1\sud\locals~1\temp\services.exe
uRun: [HNUSHTgupf] c:\docume~1\sud\locals~1\temp\sysedit.exe
uRun: [HNUSHTgoh] c:\docume~1\sud\locals~1\temp\csrss.exe
uRun: [HNUSHTgph] c:\docume~1\sud\locals~1\temp\setup.exe
uRun: [HNUSHTgmve] c:\docume~1\sud\locals~1\temp\hexdump.exe
uRun: [HNUSHTgotd] c:\docume~1\sud\locals~1\temp\install.exe
uRun: [HNUSHTgsQd] c:\docume~1\sud\locals~1\temp\ymu17el.exe
uRun: [HNUSHTgoe] c:\docume~1\sud\locals~1\temp\avp.exe
uRun: [HNUSHTgqd] c:\docume~1\sud\locals~1\temp\lsass.exe
uRun: [HNUSHTgrrc] c:\docume~1\sud\locals~1\temp\winamp.exe
uRun: [HNUHOXRnZ] c:\docume~1\sud2\locals~1\temp\cmd.exe
uRun: [HNUHOXRayyQ] c:\docume~1\sud2\locals~1\temp\1342101448.exe
uRun: [HNUHOXRa3zP] c:\docume~1\sud2\locals~1\temp\1877722824.exe
uRun: [HNUHOXRrta] c:\docume~1\sud2\locals~1\temp\services.exe
uRun: [HNUHOXRouqc] c:\docume~1\sud2\locals~1\temp\iexplarer.exe
uRun: [HNUHOXRspe] c:\docume~1\sud2\locals~1\temp\winamp.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [lxcrmon.exe] "c:\program files\lexmark 2400 series\lxcrmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 2400 series\ezprint.exe"
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [tsnp2std] c:\windows\tsnp2std.exe
mRun: [snp2std] c:\windows\vsnp2std.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [VirginMediaHUB.exe] "c:\program files\virgin media\hub\VirginMediaHUB.exe" /AUTORUN
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [HNUSHTglb] c:\docume~1\sud\locals~1\temp\debug.exe
mRun: [HNUSHTgrb] c:\docume~1\sud\locals~1\temp\msmgm.exe
mRun: [HNUSHTgruf] c:\docume~1\sud\locals~1\temp\wininst.exe
mRun: [HNUSHTgtrf] c:\docume~1\sud\locals~1\temp\svchost.exe
mRun: [HNUSHTgpb] c:\docume~1\sud\locals~1\temp\login.exe
mRun: [HNUSHTgne] c:\docume~1\sud\locals~1\temp\mdm.exe
mRun: [HNUSHTguuc] c:\docume~1\sud\locals~1\temp\system.exe
mRun: [HNUSHTgosf] c:\docume~1\sud\locals~1\temp\taskmgr.exe
mRun: [HNUSHTgmtd] c:\docume~1\sud\locals~1\temp\iexplarer.exe
mRun: [HNUSHTgsQd] c:\docume~1\sud\locals~1\temp\ymu17el.exe
mRun: [HNUSHTgre] c:\docume~1\sud\locals~1\temp\smss.exe
mRun: [HNUSHTgoA] c:\docume~1\sud\locals~1\temp\avp32.exe
mRun: [HNUSHTgmve] c:\docume~1\sud\locals~1\temp\hexdump.exe
mRun: [HNUSHTgrA] c:\docume~1\sud\locals~1\temp\win16.exe
mRun: [HNUSHTgrvg] c:\docume~1\sud\locals~1\temp\spoolsv.exe
mRun: [HNUSHTgupf] c:\docume~1\sud\locals~1\temp\sysedit.exe
mRun: [HNUSHTgrsc] c:\docume~1\sud\locals~1\temp\winlogon.exe
mRun: [HNUSHTgotd] c:\docume~1\sud\locals~1\temp\install.exe
mRun: [HNUSHTgutc] c:\docume~1\sud\locals~1\temp\sysmgm.exe
mRun: [HNUSHTgl/] c:\docume~1\sud\locals~1\temp\gdi32.exe
mRun: [HNUSHTgnb] c:\docume~1\sud\locals~1\temp\cmd.exe
mRun: [HNUSHTgob] c:\docume~1\sud\locals~1\temp\drweb.exe
mRun: [HNUSHTgoh] c:\docume~1\sud\locals~1\temp\csrss.exe
mRun: [HNUSHTgpta] c:\docume~1\sud\locals~1\temp\services.exe
mRun: [HNUSHTgqd] c:\docume~1\sud\locals~1\temp\lsass.exe
mRun: [HNUSHTgsfP] c:\docume~1\sud\locals~1\temp\nvsvc32.exe
mRun: [HNUSHTgrrc] c:\docume~1\sud\locals~1\temp\winamp.exe
mRun: [MKaZ] c:\windows\cmd.exe
mRun: [HNUSHTgta] c:\docume~1\sud\locals~1\temp\user.exe
mRun: [HNUSHTgoe] c:\docume~1\sud\locals~1\temp\avp.exe
mRun: [HNUSHTgph] c:\docume~1\sud\locals~1\temp\setup.exe
mRun: [cleanhdd] c:\documents and settings\sud\application data\cleanhdd.exe
mRun: [HNUHOXRnZ] c:\docume~1\sud2\locals~1\temp\cmd.exe
mRun: [HNUHOXRayyQ] c:\docume~1\sud2\locals~1\temp\1342101448.exe
mRun: [HNUHOXRa3zP] c:\docume~1\sud2\locals~1\temp\1877722824.exe
mRun: [HNUGROXRrvc] c:\docume~1\admini~1\locals~1\temp\setup.exe
mRun: [HNUGROXRspe] c:\docume~1\admini~1\locals~1\temp\winamp.exe
mRun: [HNUGROXRrse] c:\docume~1\admini~1\locals~1\temp\svchost.exe
mRun: [HNUGROXRota] c:\docume~1\admini~1\locals~1\temp\install.exe
mRun: [HNUGROXRsPc] c:\docume~1\admini~1\locals~1\temp\win16.exe
mRun: [HNUGROXRnoc] c:\docume~1\admini~1\locals~1\temp\debug.exe
mRun: [HNUGROXRnyc] c:\docume~1\admini~1\locals~1\temp\csrss.exe
mRun: [HNUGROXRmSc] c:\docume~1\admini~1\locals~1\temp\avp32.exe
mRun: [HNUGROXRrg] c:\docume~1\admini~1\locals~1\temp\smss.exe
mRun: [HNUGROXRsa] c:\docume~1\admini~1\locals~1\temp\win.exe
mRun: [HNUGROXRssc] c:\docume~1\admini~1\locals~1\temp\winlogon.exe
mRun: [HNUGROXRpw+] c:\docume~1\admini~1\locals~1\temp\nvsvc32.exe
mRun: [HNUGROXRrxe] c:\docume~1\admini~1\locals~1\temp\system.exe
mRun: [HNUGROXRnsc] c:\docume~1\admini~1\locals~1\temp\drweb.exe
mRun: [HNUGROXRnyh] c:\docume~1\admini~1\locals~1\temp\dxxsetup.exe
mRun: [HNUGROXRrrb] c:\docume~1\admini~1\locals~1\temp\taskmgr.exe
mRun: [HNUGROXRouqc] c:\docume~1\admini~1\locals~1\temp\iexplarer.exe
mRun: [HNUGROXRre] c:\docume~1\admini~1\locals~1\temp\user.exe
mRun: [HNUGROXRrta] c:\docume~1\admini~1\locals~1\temp\services.exe
mRun: [HNUGROXRpuc] c:\docume~1\admini~1\locals~1\temp\lsass.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HNUHOXRrta] c:\docume~1\sud2\locals~1\temp\services.exe
mRun: [HNUHOXRouqc] c:\docume~1\sud2\locals~1\temp\iexplarer.exe
mRun: [HNUHOXRspe] c:\docume~1\sud2\locals~1\temp\winamp.exe
mRun: [NIS] "c:\program files\nortoninstaller\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis\2454b0ab\18.1.0.37\InstStub.exe" /RELAUNCH /RUNONCE /NOPROMPT /PRODID NIS
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-lsf?lic=TlVIRDQtWUg5UEUtTzNQNEUtUVJERUstR0RKWjctVk9YVUw"&"inst=NzYtOTIwNTY2Njk2LUZQOTIrNi1UQjkrMi1GTCs5LVNVUCsxLVNUMTJPSSsxLUREVCswLUtPSzA3KzEtU1QxMkROU1ArMQ"&"prod=55"&"ver=2012.0.1796"&"mid=32186dd97a125041d6a74f9ff8fe3359-640b086b3b9b3330e0389b0356626de8e11b043c
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 93.188.165.173,93.188.160.233
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{6A590F18-0C0A-4B43-8F24-C6A198A5F93D} : NameServer = 93.188.165.173,93.188.160.233
TCP: Interfaces\{6A590F18-0C0A-4B43-8F24-C6A198A5F93D} : DhcpNameServer = 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
STS: c:\windows\system32\wkz4g.dll: {b1b220c1-a500-99bd-f110-04b53a2c8952} - c:\windows\system32\wkz4g.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
Hosts: 209.172.52.77 Google
Hosts: 209.172.52.78 search.yahoo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\sud2\application data\mozilla\firefox\profiles\n1ceypmg.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=toolbar2&q=
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\virgin media\hub\nprpspa.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extentions.y2layers.installId - e47844fd-d5ba-4879-a12e-d3ebcc2fa18a
.
============= SERVICES / DRIVERS ===============
.
.
=============== File Associations ===============
.
VBSFile=%WINDIR%\System32\CScript.exe //nologo "%1" %*
.
=============== Created Last 30 ================
.
2011-09-26 12:38:19 443448 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-09-16 12:03:09 666672 ----a-r- c:\windows\system32\drivers\nis\1201000.025\SymEFA.sys
2011-09-16 12:03:09 50096 ----a-r- c:\windows\system32\drivers\nis\1201000.025\srtspx.sys
2011-09-16 12:03:09 489008 ----a-r- c:\windows\system32\drivers\nis\1201000.025\srtsp.sys
2011-09-16 12:03:09 369072 ----a-r- c:\windows\system32\drivers\nis\1201000.025\symtdi.sys
2011-09-16 12:03:09 339504 ----a-r- c:\windows\system32\drivers\nis\1201000.025\SymDS.sys
2011-09-16 12:03:09 331312 ----a-r- c:\windows\system32\drivers\nis\1201000.025\symtdiv.sys
2011-09-16 12:03:09 294448 ----a-r- c:\windows\system32\drivers\nis\1201000.025\symnets.sys
2011-09-16 12:03:09 134704 ----a-r- c:\windows\system32\drivers\nis\1201000.025\Ironx86.sys
2011-09-16 12:02:47 -------- d-----w- c:\windows\system32\drivers\nis\1201000.025
2011-09-16 12:02:47 -------- d-----w- c:\windows\system32\drivers\NIS
2011-09-16 12:02:44 -------- d-----w- c:\program files\Norton Internet Security
2011-09-16 12:01:45 -------- d-----w- c:\program files\NortonInstaller
2011-09-16 11:29:20 -------- d-----w- c:\documents and settings\sud2\local settings\application data\VS Revo Group
2011-09-16 11:29:12 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2011-09-16 11:29:10 -------- d-----w- c:\program files\VS Revo Group
2011-09-13 12:53:37 74703 ----a-w- c:\windows\system32\mfc45.dll
2011-09-13 10:27:52 -------- d-----w- c:\documents and settings\sud2\application data\AVG2012
2011-09-13 10:21:48 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2011-09-12 17:02:31 -------- dc----w- C:\iolo
2011-09-12 12:34:03 -------- d-----w- c:\program files\Priston tale2
2011-09-12 10:40:59 -------- d-sh--w- c:\windows\Installer
2011-09-10 17:52:05 940896 ----a-w- c:\windows\system32\Incinerator.dll
2011-09-10 17:52:01 8192 ----a-w- c:\windows\system32\smrgdf.exe
2011-09-10 17:52:01 28672 ----a-w- c:\windows\system32\iolobtdfg.exe
2011-09-10 17:51:08 -------- d-----w- c:\documents and settings\sud2\application data\iolo
2011-09-10 17:51:08 -------- d-----w- c:\documents and settings\all users\application data\iolo
2011-08-29 15:28:32 -------- d-----w- c:\windows\system32\NtmsData
.
==================== Find3M ====================
.
2011-09-13 09:41:21 0 -c--a-w- c:\windows\Wwaqis.bin
2011-08-19 12:09:20 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
Windows 5.1.2600 Disk: ST3200827AS rev.3.AAE -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys xfilt.sys ACPI.sys hal.dll >>UNKNOWN [0x89B65EC5]<<
c:\windows\system32\drivers\xfilt.sys VIA Technologies,Inc VIA filter driver
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x895d8872; SUB DWORD [EBP-0x4], 0x895d812e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x89CEEAB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89DBAED0]
5 xfilt[0xBA341026] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000006b[0x89D604A8]
7 ACPI[0xB9E69620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89CF0940]
[0x89B586F8] -> IRP_MJ_CREATE -> 0x89B65EC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3200827AS_____________________________3.AAE___#5&37a492b1&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x89B65AEA
user & kernel MBR OK
sectors 390721966 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 13:49:18.26 ===============
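The DDS "Pseudo HJT Report" above is what a helper reads by eye: dozens of Run entries launching executables named like Windows system processes from a temp folder, policies that disable Task Manager and the Registry Editor, a proxy, static DNS servers that differ from the router's, and hosts-file lines pointing Google and Yahoo at foreign addresses. The script below is an added example (not part of the thread and not DDS, ComboFix or the helper's tooling) that applies those same checks automatically to a handful of lines copied from the log so a reader can see which entries trip which rule. The rule names, the list of "system" process names and the heuristics themselves are my assumptions; they flag lines for a human to verify, they do not prove a file is malicious.

```python
import ntpath
import re
from collections import Counter

# Lines copied from the DDS report in this thread (two clean entries from the
# same log are kept for contrast). URLs are left as DDS prints them ("hxxp").
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = hxxp://192.168.0.1:46
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [HNUSHTgtrf] c:\docume~1\sud\locals~1\temp\svchost.exe
uRun: [HNUSHTgre] c:\docume~1\sud\locals~1\temp\smss.exe
uRun: [MKaZ] c:\windows\cmd.exe
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [HNUGROXRpuc] c:\docume~1\admini~1\locals~1\temp\lsass.exe
mRun: [cleanhdd] c:\documents and settings\sud\application data\cleanhdd.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
TCP: NameServer = 93.188.165.173,93.188.160.233
TCP: DhcpNameServer = 192.168.0.1
Hosts: 209.172.52.77 Google
Hosts: 209.172.52.78 search.yahoo.com
"""

# Assumed list: names that belong in system32; a copy elsewhere is a lookalike.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
                "services.exe", "spoolsv.exe", "cmd.exe", "taskmgr.exe", "explorer.exe"}
SYSTEM32 = r"c:\windows\system32"
# Policies that lock the user out of the tools needed to inspect the machine.
LOCKOUT_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoFolderOptions"}

RUN_RE = re.compile(r"^[umd]Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")
PATH_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|scr|bat|cmd|dll))(?:"|\s|$)', re.I)
POLICY_RE = re.compile(r"^[umd]Policies-\w+:\s*(?P<key>\w+)\s*=\s*(?P<val>\d+)")
DNS_RE = re.compile(r"^TCP:\s*(?:Interfaces\\\{[^}]*\}\s*:\s*)?(?P<dhcp>Dhcp)?NameServer\s*=\s*(?P<servers>\S+)")
HOSTS_RE = re.compile(r"^Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)")
PROXY_RE = re.compile(r"^[umd]Internet Settings,ProxyServer\s*=\s*\S+")


def _check_run(line):
    """Rules for a single Run/RunOnce entry; returns the rule names it trips."""
    m = RUN_RE.match(line)
    pm = PATH_RE.match(m.group("cmd")) if m else None
    if not pm:
        return []
    path = pm.group("path").lower()
    hits = []
    if "\\temp\\" in path:                       # autostart from a temp folder
        hits.append("temp_autorun")
    if "\\application data\\" in path:           # autostart from a user profile
        hits.append("user_profile_autorun")
    # A system process name launched from a directory other than system32
    # (bare names with no directory are left alone: they resolve via PATH).
    if ntpath.basename(path) in SYSTEM_NAMES and ntpath.dirname(path) not in ("", SYSTEM32):
        hits.append("system_name_outside_system32")
    return hits


def triage(log_text):
    """Return (rule, line) pairs for every suspicious line in a DDS-style log."""
    findings, static_dns, dhcp_dns = [], [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        findings += [(rule, line) for rule in _check_run(line)]
        pm = POLICY_RE.match(line)
        if pm and pm.group("key") in LOCKOUT_POLICIES and int(pm.group("val")) != 0:
            findings.append(("lockout_policy", line))
        if PROXY_RE.match(line):
            findings.append(("proxy_set", line))
        hm = HOSTS_RE.match(line)
        if hm and not hm.group("ip").startswith("127.") and hm.group("ip") != "::1":
            findings.append(("hosts_override", line))       # name pinned to a remote IP
        dm = DNS_RE.match(line)
        if dm:
            entry = (dm.group("servers").split(","), line)
            (dhcp_dns if dm.group("dhcp") else static_dns).append(entry)
    # Static resolvers that are not the ones DHCP handed out deserve a look.
    dhcp_set = {s for servers, _ in dhcp_dns for s in servers}
    for servers, line in static_dns:
        if not set(servers) <= dhcp_set:
            findings.append(("static_dns_override", line))
    return findings


def summarize(findings):
    """Count findings per rule."""
    return Counter(rule for rule, _ in findings)


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:30} {line}")
    print(dict(summarize(triage(SAMPLE_LOG))))
```

Run as-is it prints each flagged line with the rule it tripped and a per-rule count; the two clean entries (ctfmon.exe in system32 and the quoted AVG tray path) produce nothing, while every temp-folder entry named after a system process is flagged twice, once for its location and once for the lookalike name.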
 

#2 ·
Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan/rootkit.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please refer to Microsoft's Online Safety article for tips on creating a strong password.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

------------------------------------------------------

Please go to: VirusTotal
  • Click the Browse button.
  • Please copy/paste the following bolded text into the 'File name:' box:

    c:\windows\explorer.exe

  • Click Open then click the Send File button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analysed: click Reanalyse file now
  • Once scanned, copy and paste the URL from your browser address bar in your next reply.
  • Please repeat for the following files:

    • c:\windows\system32\userinit.exe
    • c:\windows\system32\svchost.exe
    • c:\documents and settings\sud2\local settings\temp\iexplarer.exe
------------------------------------------------------
 
#3 ·
Hiya Chemist, ty for the response... I made sure I did what you told me to do... so here are the URLs for them.
: http://www.virustotal.com/file-scan...?id=1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455-1317287215
: http://www.virustotal.com/file-scan...?id=944cd2135e171af338352568aa7fe1b8004733a4281395ad6723e0cf43d5f53f-1317287006
: http://www.virustotal.com/file-scan...?id=2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5-1317287505

However, I couldn't open the last one ==c:\documents and settings\sud2\local settings\temp\iexplarer.exe==
It said "file could not be found. Make sure the path or internet address is correct" or something like that, so I couldn't scan that one and send you the URL for it...
 
#4 ·
Hello cghosthuh.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

First, we need to install the Windows Recovery Console.

The Windows Recovery Console will allow you to boot up into a special recovery(repair) mode, if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. Also, ComboFix will not address certain types of malware unless the RC is installed. It is a simple procedure that will only take a few moments of your time.

Download the file from this Microsoft page:

For XP Home >> Download Details - Microsoft Download Center - Windows XP Home Edition with Service Pack 2 Utility: Setup Disks for Floppy Boot Install

For XP Pro >> Download Details - Microsoft Download Center - Windows XP Professional with Service Pack 2 Utility: Setup Disks for Floppy Boot Install

Do not be concerned that this file is for SP2 if you have SP3. It will work just fine on your system.

Save it as it is originally named to your Desktop.

Now close all open windows and programs, including all antivirus and antispyware programs. Get help here

Image


Then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Recovery Console.

As part of installing the Recovery Console, ComboFix will begin to run. Your desktop may disappear. This is normal. It will return.

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:

Image


Please continue as follows:

  • Close/disable all antivirus and antispyware programs so they do not interfere with the running of ComboFix. Get help here
  • Please click Yes to continue scanning for malware.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When the tool is finished, it will produce a log for you.

Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
 
#6 ·
Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

IMPORTANT - Read This Before Posting For Malware Removal Help

------------------------------------------------------
 