Need help after trojan attacks

You need to remember to stay in one thread. I had just answered your first thread today tell you to try some special steps. I'm going to go close the first thread now since merging it back here would put things out of order.

 

I will give you somethings to do but I stongly recommend that you start backing up all necessary personal data before your PC becomes totally unbootable. Your Windows system files have become infected which is why you are having so many problems. Many executable files on your PC may be infected which could mean you will have to perform a totally clean reinstall. DO NOT back up any executable files because they could be carrying the infection and will reinfect your PC if reinstalled. I'll will try to repair some of these files from backups that are on your PC, but I can already see that the below files are infected:

C:\WINDOWS\system32\ctfmon.exe
c:\windows\explorer.exe
c:\windows\system32\userinit.exe

and so are all backups. Since the last two are required to run your PC, they will run at startup and thus the infection will always load. Do you have your Windows XP SP3 boot CD?

I also have to warn you that even if we appear to get your PC fixed, it will still be unreliable/untrustworthy.

First you must disable Spybot's Teatimer as requested in the READ & RUN ME. See this: How to disable Spybot's TeaTimer
Then you need to run MSconfig and put your PC into normal startup mode as requested in step 1 of the READ & RUN ME. You should not be using MSconfig like this.
The below files do not belong in this folder. Never save files here. Only installed program folders belong here. Move them somewhere else if you want them otherwise delete them:

Code:

C:\Program Files\
proces~1.db   Mar 17 2009     1128432  "PROCESSLISTRELATED.DB"
proces~2.db   Mar 17 2009    14358888  "PROCESSLIST.DB"

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
Spybot - Search & Destroy 1.4


Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Have you backed up important data as I suggested? If not, you better do this now before doing my next steps because at any point in time your PC could become unbootable.

Now put your Windows XP SP2 CD into your CD drive. If any window opens up about installing Windows, just close it. I want you to copy each of the below files from the Windows CD into the C:\MGtools folder. Yes the underscore is part of the filename. I'm assuming in the below that drive D is your CD ROM drive.

D:\i386\ctfmon.ex_
D:\i386\explorer.ex_
D:\i386\spoolsv.ex_
D:\i386\userinit.ex_

Once you have copied these files to the C:\MGtools folder, continue with the below.

Download and save this WinFix to your C:\MGtools folder. You must download it (your browser may call it Save)! Do not Run it. And you must save it there. After you download and save it there, you should see a WinFix.bat file in your C:\MGtools folder. Double click this WinFix.bat file. A black command prompt window will open up briefly (too fast to read) and then disappear. After this finishes, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the new C:\MGlogs.zip file.


We have not fixed anything yet!!!!! The above is preparation for my next fix. I need to verify that all of the above was completed properly before continuing.

 

As soon as you can do what I requested, I can give you the next step which will can be quickly run. If it works, it might fix some of your problems but I'm not sure about the Windows Activation since that has nothing to do with any of these fixes.[/quote] Since we are restoring some files from SP2, it would mean that a later time that you would have to reinstall the SP3 update.

 

You can do the below in either safe boot or normal boot mode (which ever works). At the end though, I want you to try booting normally to see what happens too.




Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

After the reboot from running ComboFix, continue with the below. If it doe snot reboot your PC, reboot it yourself.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

It didn't change. ComboFix ran in reduced functionality mode which is why. Did you get a notice about ComboFIx needing to be updated. Delete the current version of combofix.exe from your Desktop and download and save the current version there: combofix.exe

Then before trying the fix again, make sure you disable AVG.

Attach the two new logs again.

Don't worry about the error with processdll.exe.

 

You messed up the script and thus it still did not work. You now have the CFScript file named:

CFscript.txt.lnk

It has to be named

CFscript.txt


You cannot have the .lnk on the end.

You need to run the procedure again.

 

Okay here is what I see.

The initial fix worked as desired and the files were copied to replace the infected files with versions from SP2. However the fix was short lived because either the infection is running in memory or there are many other infected files which we are not seeing. Thus the infection almost immediately started spreading back to the files we just replaced again.

Sorry but you have only one option. Format and reinstall. Too many system files are infected and there is no scanner that can cure them.

However I would appreciate it if you could do the below before you move on to the format of your PC. This may help with our investigation of exactly what this infection is doing to other files.

Download and save this WinFiles to your C:\MGtools folder. You must download it (your browser may call it Save)! Do not Run it. And you must save it there. After you download and save it there, you should see a WinFiles.bat file in your C:\MGtools folder. Double click this WinFiles.bat file. A black command prompt window will open up with a note telling you to be paitent and the window will close when the scan finishes. After this finishes, attach the C:\MGlogs.zip file which will have a new log in it.

 

Things we recommend are all in the below link which you should work thru now:

How to Protect yourself from malware!

You will see that Avast is one of the programs in there. I would stick with Avast or Avira but make sure you only use one.

If you are referring to SUPERAntiSpyware then it is not an antivirus program. It is an antispyware program as stated in the name.