Trojan and worm issues

Discussion in 'Malware Help (A Specialist Will Reply)' started by Larsdeltanu194, Jun 23, 2007.

  1. Larsdeltanu194

    Larsdeltanu194 Private E-2

    It was a couple of days ago that my Norton started blocking numerous hijack attempts. I ran a scan of my computer and it determined I had a number of viruses.

    I have since worked through the "Read & Run me first - malware removal guide". By working through the process, the programs identified that I had Adware.TTC, Downloader.Agent.brf, Trojan-Downloader.Matcash and Trojan-Downloader.Win32.VB.fn present on my computer.

    My computer is running better and I haven't had any recent hijack/intrusion attempts. I would like assistance to determine if there is still malware (viruses, trojans) on my computer.

    Thanks for any help you can provide!

  2. Larsdeltanu194

    Larsdeltanu194 Private E-2

    more information:
    (edit: to include bdscan)

  3. Larsdeltanu194

    Larsdeltanu194 Private E-2

    Hijackthis log:

    Thanks,
    Andrew

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You are in pretty good shape. We just have a little to do.

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {58B844D6-35CC-4111-B8B5-A754E9EE0070} - C:\Program Files\Online Services\hoqezifoq58441.dll (file missing)
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    After clicking Fix, exit HJT.

    Now reboot in normal mode.
    Now locate the below folders and delete them if found:
    C:\Documents and Settings\Compaq_Owner\Application Data\Viewpoint
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software
    C:\WINDOWS\system32\o02PrEz
    C:\WINDOWS\system32\o09PrEz
    C:\WINDOWS\system32\S1
    C:\WINDOWS\system32\S2
    C:\WINDOWS\system32\S6
    C:\WINDOWS\system32\S7
    C:\WINDOWS\system32\T1QaSQ
    C:\WINDOWS\system32\win

    Now run CCleaner.

    Now attach the below new logs and tell me how the above steps went.
    1. ShowNew
    2. HJT


    Make sure you tell me how things are working now!
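    As an added, report-only check (not part of chaslang's instructions or any MajorGeeks tool), the PowerShell snippet below looks up the registry locations that the HijackThis O2 and O4 lines above correspond to and tests whether the listed folders still exist; it deletes nothing. The CLSID, Run value names and folder paths are taken from the post above.

    ```powershell
    # Added example: read-only audit of the items listed in the post above.
    # It inspects the registry keys behind the HijackThis O2/O4 lines and the
    # listed folders, and reports presence only; nothing is removed.

    $bhoClsid = '{58B844D6-35CC-4111-B8B5-A754E9EE0070}'   # from the O2 line
    $runNames = @('AlcxMonitor', 'QuickTime Task')          # from the O4 lines
    $folders  = @(
        'C:\Documents and Settings\Compaq_Owner\Application Data\Viewpoint',
        'C:\Documents and Settings\All Users\Application Data\Sunbelt Software',
        'C:\Program Files\Sunbelt Software',
        'C:\WINDOWS\system32\o02PrEz', 'C:\WINDOWS\system32\o09PrEz',
        'C:\WINDOWS\system32\S1', 'C:\WINDOWS\system32\S2',
        'C:\WINDOWS\system32\S6', 'C:\WINDOWS\system32\S7',
        'C:\WINDOWS\system32\T1QaSQ', 'C:\WINDOWS\system32\win'
    )

    $results = @()

    # O2 lines are Browser Helper Object registrations: one subkey per CLSID.
    $bhoKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid"
    $results += [pscustomobject]@{ Type = 'O2 BHO'; Item = $bhoClsid; Present = (Test-Path -LiteralPath $bhoKey) }

    # The DLL HijackThis prints after the CLSID comes from the COM class's
    # InprocServer32 default value; "(file missing)" means that path does not exist.
    $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$bhoClsid\InprocServer32"
    $dll = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
    if ($dll) {
        $results += [pscustomobject]@{ Type = 'O2 DLL'; Item = $dll; Present = (Test-Path -LiteralPath $dll) }
    }

    # O4 - HKLM\..\Run lines are values under the machine-wide Run key.
    $runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runValues = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
    foreach ($name in $runNames) {
        $present = ($null -ne $runValues) -and ($null -ne $runValues.PSObject.Properties[$name])
        $results += [pscustomobject]@{ Type = 'O4 Run'; Item = $name; Present = $present }
    }

    # Leftover folders named in the post.
    foreach ($f in $folders) {
        $results += [pscustomobject]@{ Type = 'Folder'; Item = $f; Present = (Test-Path -LiteralPath $f) }
    }

    $results | Format-Table -AutoSize
    ```

    Run it from an elevated PowerShell prompt before and after the HijackThis fix; every row should read Present = False once the cleanup is complete.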
  5. Larsdeltanu194

    Larsdeltanu194 Private E-2

    I followed your procedure and did not have any problems, with the exception of removing C:\WINDOWS\system32\win:

    When I attempted to remove it, I received a "cannot delete file: cannot read from the source file or disk".

    Attached are the requested logs.

    The computer has been running much better since yesterday. I have not received any notices from AVG or Norton re: virus activity or hijack attempts. The checks I've run through AVG and CounterSpy were clean. My access to the internet has been smooth and I would say that things are pretty much as they were (i.e., speed and accessibility).

    I really appreciate the information that you provide on this website and am grateful for the personal attention!!!

    -Andrew

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It was deleted anyway.

    Now uninstall the CounterSpy trial and then delete the below folder which it may or may not remove:
    C:\Program Files\Sunbelt Software

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, and the C:\combofix.txt log that was created.
    3. If we used SDFix, you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link: