Help With Removing Trojan Horses

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Firefox 3 on Win XP 2000, Nov 25, 2008.

  1. Hello, all!:)

    I've been reading around on some of the existing threads, but I can't find a situation exactly like mine.

    About 2 weeks ago, AVG Free Edition detected a threat. After healing the first threat, I received additional threat warnings--some of which indicated back-up copies of the original.

I did a manual search in safe mode and removed many of the identifiable problem files. This greatly reduced the number of threat warnings I received, but did not eliminate the problem. I went about a week without having any problems until neither IE nor Firefox would load pages properly. Thus, I examined the Startup Configuration Settings and unselected several programs that had unknown authors--all other programs were either written by Microsoft or AVG. This eliminated my browser problem; however, the threat warnings immediately began to reappear as the virus program is apparently trying to reinstall itself.

    Thus, today I manually removed many .dil files from my System 32 folder. All of the files I deleted were dated either the date of the original attack or later and none of them were authored by Microsoft--or any known software company for that matter. Furthermore, I also discovered and deleted many backup .bin files from an IE5 Temp. Internet Folder (these files had the same name as several that AVG has already detected and removed).

    Anyway, after deleting all of these files, the initial .exe file tried to reload, and it was followed by several new .dil files--all of which AVG intercepted.

    My question is: Given all that I've already done, how do I locate the source file and remove all threats?

    Any help is greatly appreciated!:)

    Attached is a listing of all of the virus files that AVG has in the virus vault. Thanks!:wave

    Edit by bjgarrick: Inline log attached!
    Last edited by a moderator: Nov 25, 2008
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

Welcome to MajorGeeks.com!

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    Notes:
1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
  3. Thank you, bjgarrick, for your reply post and help! I have downloaded and run the various programs listed in the READ & RUN ME FIRST Malware Removal Guide.

    The various programs detected numerous trojans and malware infections, and the programs removed the infected files. I have run the last step, which produced the following logs. In addition, I have a HijackThis log file that I will attach. Thank you!:)

  4. I'm particularly concerned about these entries from the attached HijackThis log. Each of these files was initially identified as being a threat by AVG. Also, these files are listed on my system config. list, and they represent the programs that I deactivated once my browser would no longer connect.

    O20 - Winlogon Notify: vtUomKaX - vtUomKaX.dll (file missing)

    O23 - Service: Ms File Manager Services (mscecosd) - Unknown owner - C:\WINDOWS\system32\msceco.exe (file missing)

    O23 - Service: Data Management Service (mscjcosd) - Unknown owner - C:\WINDOWS\system32\mscjco.exe (file missing)

    O23 - Service: Windows Host Services (SVCHOSTS32) - Unknown owner - C:\WINDOWS\system\svchost.exe (file missing)

    O23 - Service: UPS - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)

    In addition, these files were also known infection files. However, unlike the files above, these aren't listed as "file missing."

    O20 - AppInit_DLLs: C:\WINDOWS\system32\wuauclt.dll bcjxmt.dll

    Thank you so very much for your help! I appreciated it so very much!
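As an added example (not from this thread and not part of HijackThis itself), a small Python triage script that parses the O20/O23 lines quoted in the post above and separates dangling "(file missing)" registrations, which are leftover registry entries pointing at binaries that were already deleted, from entries whose file is still present and therefore still loads. The sample lines are the ones from the post; the classification rules and notes are this example's own assumptions.

```python
import re

# Constructed sample: the HijackThis O20/O23 lines quoted in the post above.
SAMPLE_HJT_LOG = r"""
O20 - Winlogon Notify: vtUomKaX - vtUomKaX.dll (file missing)
O23 - Service: Ms File Manager Services (mscecosd) - Unknown owner - C:\WINDOWS\system32\msceco.exe (file missing)
O23 - Service: Data Management Service (mscjcosd) - Unknown owner - C:\WINDOWS\system32\mscjco.exe (file missing)
O23 - Service: Windows Host Services (SVCHOSTS32) - Unknown owner - C:\WINDOWS\system\svchost.exe (file missing)
O23 - Service: UPS - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\wuauclt.dll bcjxmt.dll
"""

MISSING = " (file missing)"
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")


def _entry(kind, name, path, owner="n/a"):
    """Build one triage record; a trailing '(file missing)' marks a dangling registration."""
    missing = path.endswith(MISSING)
    path = path[: -len(MISSING)] if missing else path
    notes = []
    if missing:
        notes.append("orphaned registry entry: binary already gone, remove the entry")
    else:
        notes.append("still loads at boot/logon: quarantine the file, then remove the entry")
    # The legitimate svchost.exe lives in system32; the same name elsewhere is a spoofing indicator.
    if path.lower().endswith("svchost.exe") and "\\system32\\" not in path.lower():
        notes.append("svchost.exe outside system32 is a name-spoofing indicator")
    if owner == "Unknown owner":
        notes.append("service has no registered vendor")
    return {"kind": kind, "name": name, "path": path, "missing": missing, "notes": notes}


def triage_hjt(log_text):
    """Parse O20 Winlogon Notify, O20 AppInit_DLLs and O23 Service lines into records."""
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := SERVICE_RE.match(line):
            records.append(_entry("service", m["name"], m["path"], m["owner"]))
        elif m := NOTIFY_RE.match(line):
            records.append(_entry("winlogon_notify", m["name"], m["path"]))
        elif m := APPINIT_RE.match(line):
            # AppInit_DLLs are loaded into every process that loads user32.dll, so each one counts.
            for dll in m["dlls"].split():
                records.append(_entry("appinit_dll", dll, dll))
    return records


def still_active(records):
    """Paths whose file is still present: the entries to deal with first."""
    return [r["path"] for r in records if not r["missing"]]
```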

  5. Update:

    This morning, while AVG was conducting a scheduled scan, another infected file was detected. The details are:

    Trojan horse SHeur2.DDY C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\627026Q4\i2[1].x 11/27/2008 8:35:18 AM i2[1].x 55 KB

    In addition, I decided to run Super Anti-spyware. It detected the following:
    Trojan. System Driver, C:\32788R22FWJFW\CREG.DAT

    I thought I would post these latest developments. Thank you!:wave
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please only attach the logs we ask for. You should not be attaching your own HJT log nor any logs from inside the MGtools folder. Only the MGlogs.zip file as requested. You still need to attach the other logs that were requested which are from:
    • SUPERAntiSpyware
    • Malwarebytes
    • ComboFix