Need help with Trojans & Spyware

Discussion in 'Malware Help (A Specialist Will Reply)' started by Missa, Sep 2, 2007.

  1. Missa

    Missa Private E-2

    Hi, I followed the directions in the Read & Run Me First sticky. I was hoping that would fix most of my problems, but I still have quite a few Trojans. I seem to be infected with Trojan Horse Lop.DM (?) and a few others.

    It took a while to complete all these scans, but here are the logs. Any help appreciated!

    Oh, I also did the VundoFix before, but I'm not sure it worked.
     


  2. Missa

    Missa Private E-2

    The rest of the logs.
     


  3. abri

    abri MajorGeek

    Hi Missa!

    Welcome to MajorGeeks!



    1) Please look in Add/Remove Programs for the following and uninstall them if found. If you get any errors just make a note and proceed.

    Then delete the folders below, which may be left behind by the uninstall:

    C:\Documents and Settings\Compaq_Owner\Application Data\Sunbelt Software
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software



    2) Please reboot your computer now!

    3) After you've rebooted, please install Java Runtime Environment vs. 6.2

    4) Then I want you to run this utility below:

    1. Download this file - Combo Fix
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply and

    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.

    5) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.



    6) Please post the following new logs:

    - combofix
    - hijackthis
    - newfiles (from Shownew)
    - runkeys (from GetRunKeys)

    abri
     
    Last edited: Sep 2, 2007
  4. abri

    abri MajorGeek

    Please be sure you're in normal startup mode before you begin the instructions in Post 3. To make sure, go to Start/Run and type in msconfig. On the General tab, make sure Normal Startup is checked.
    abri
     
  5. Missa

    Missa Private E-2

    I'm kind of stuck on step 4. Does ComboFix normally take a really long time? If not, then I think I might be doing something wrong. The first time I tried to run it, over an hour passed and nothing happened (ComboFix says it should take 10-20 min). Now I'm running it again, but it's taking long. Should I just wait it out? If it goes on for another hour or two, does that mean something is wrong?

    Thanks
     
  6. abri

    abri MajorGeek

    Missa,
    Try disabling your internet connection and antivirus. If that still doesn't work, leave it, but please tell me. (Don't let it run more than a half hour.) If you can't get ComboFix to run that way, please reconnect both antivirus and internet and then rerun ShowNew, GetRunKeys and HijackThis (analyse.exe) and post the following logs (your previous scans got rid of a lot of bad stuff; I want to see what the ATF did even if you can't get ComboFix to run):

    newfiles.txt
    runkeys.txt
    hijackthis.log

    Thanks!
    abri
     
    Last edited: Sep 3, 2007
  7. Missa

    Missa Private E-2

    OK, I skipped ComboFix since it won't run or create logs.
    Used ATF Cleaner, and here are the new logs.

    OK, Firefox won't let me attach things; the Manage Attachments button is non-existent, so I had to use IE.

    BTW, when I'm doing the scans AVG pops up a "Threat Detected" box constantly, detecting the same Trojan horse Lop and a few others.
     


  8. Missa

    Missa Private E-2

    Also, ComboFix seems to have done something to my time settings. Whenever I moused over the time on my PC, I remember it would say "Monday" and so on as the date. Now I just see "2007-09-04". Is there a way to fix this, or am I stuck this way?
     
  9. abri

    abri MajorGeek

    Hi Missa!

    Did you create the folder named "winlogon.exe" under C:\WINDOWS\, and did you put the following file into that folder?
    Are any of these files on your desktop familiar to you? Did you download them or load them from a camera or anything? If not, please delete them. The two .wmv files have very long number names. What you see here is a shortened form of the real name.

    Below are instructions for you to follow. Please ask if you have any questions.

    1) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    2) Please download RogueRemover Free from the one of the links, unzip the file, and run the installer. Start the program and select Scan and the program will walk you through the remaining steps.

    3) Now please run
    Process Explorer.

    In the top section of the Process Explorer screen, double-click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen, click on each instance of any of the DLL or EXE files below (if found) and then click the Kill button.

    C:\WINDOWS\system32\fccaaww.dll

    After you have killed all instances of any of the above DLLs or EXEs under winlogon, click OK.
    (If you do not find these DLLs or EXEs, just continue on.)

    Next, double-click on explorer.exe and again click once on each instance of any of the DLL or EXE files below (if found) and then click the Kill button.

    C:\WINDOWS\system32\fccaaww.dll

    After you have killed all instances of any of the above DLLs or EXEs under explorer, click OK.
    (If you do not find these DLLs or EXEs, just continue on.)

    Next, double-click on iexplore.exe and again click once on each instance of any of the DLL or EXE files below (if found) and then click the Kill button.

    C:\WINDOWS\system32\fccaaww.dll

    After you have killed all instances of any of the above DLLs or EXEs under iexplore, click OK.
    (If you do not find these DLLs or EXEs, just continue on.)

    Now just exit Process Explorer.

    4) Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )
    5) Please copy the bold text below (including the word REGEDIT4) to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as type" is set to "All Files". Once you have saved it, double-click it and allow it to merge with the registry.
    6) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    7) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    8) After you have completed all of the above, please attach the Avenger log, and after running new scans for ShowNew (newfiles.txt), GetRunKeys (runkeys.txt) and analyse.exe (hijackthis.log), please attach fresh logs for them as well. Also, please remember to answer the two questions at the very beginning about the strange folder under C:\WINDOWS, AND please let us know how it went and how your computer is running now.
    • Avenger Log
    • ShowNew Log
    • GetRunKey Log
    • HijackThis Log


    abri
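The Process Explorer step above asks you to hunt for fccaaww.dll inside winlogon.exe, explorer.exe and iexplore.exe, and the HijackThis and registry steps remove whatever reloads it. The script below is an added example, not part of this thread and not code from HijackThis or Process Explorer: it reads HijackThis-style log lines, finds every autostart entry that references a given image name, and reports which process each entry would load it into and which registry key persists it. The lines, CLSIDs and entry names in SAMPLE_LOG are constructed for this example (the poster's real logs were attachments and are not on this page); the section-to-process mapping (Winlogon Notify into winlogon.exe, BHOs into iexplore.exe and explorer.exe, SSODL into explorer.exe, AppInit_DLLs into every process that loads user32.dll) is standard Windows XP behaviour, and the function names are this example's own.

```python
"""Cross-reference HijackThis log entries with the processes they inject into.

Added example: the log lines are constructed, not the poster's attached logs,
and the helper names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample in HijackThis's line format. CLSIDs and entry names are
# placeholders; only fccaaww.dll is a name taken from the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\system32\fccaaww.dll
O2 - BHO: Example Toolbar - {66666666-7777-8888-9999-000000000000} - C:\Program Files\Example\toolbar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: fccaaww - C:\WINDOWS\system32\fccaaww.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O21 - SSODL: ExampleSSO - {99999999-8888-7777-6666-555555555555} - C:\WINDOWS\system32\examplesso.dll
"""


@dataclass(frozen=True)
class Finding:
    section: str                      # HijackThis section tag (O2, O4, O20, O21)
    line: str                         # the raw log line that referenced the image
    host_processes: Tuple[str, ...]   # where the image ends up once loaded
    registry_key: str                 # the persistence location behind the entry


_FILENAME = re.compile(r'[^\\/\s"]+\.(?:dll|exe)\b', re.I)
_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<path>.+)$")
_SSODL = re.compile(r"^O21 - SSODL: (?P<name>\S+) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")


def _image_name(text: str) -> str:
    """Base file name (lower-cased) of the first .dll/.exe in a path or command line."""
    m = _FILENAME.search(text)
    return m.group(0).lower() if m else ""


def _classify(line: str) -> Optional[Tuple[str, Tuple[str, ...], str, str]]:
    """Return (section, host processes, registry key, image-bearing text) or None."""
    if m := _BHO.match(line):
        # BHOs load into Internet Explorer; on XP the shell loads them as well.
        key = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
               r"\Browser Helper Objects\%s (and HKCR\CLSID\%s)") % (m["clsid"], m["clsid"])
        return "O2", ("iexplore.exe", "explorer.exe"), key, m["path"]
    if m := _RUN.match(line):
        key = r"%s\SOFTWARE\Microsoft\Windows\CurrentVersion\%s, value '%s'" % (
            m["hive"], m["key"], m["name"])
        return "O4", ("its own process",), key, m["cmd"]
    if m := _NOTIFY.match(line):
        # Winlogon Notify packages are mapped into winlogon.exe at logon.
        key = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\%s" % m["name"]
        return "O20", ("winlogon.exe",), key, m["path"]
    if m := _APPINIT.match(line):
        key = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, value 'AppInit_DLLs'"
        return "O20", ("every process that loads user32.dll",), key, m["path"]
    if m := _SSODL.match(line):
        key = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad,"
               r" value '%s' (and HKCR\CLSID\%s)") % (m["name"], m["clsid"])
        return "O21", ("explorer.exe",), key, m["path"]
    return None


def find_references(log_lines: Iterable[str], image: str) -> List[Finding]:
    """Every persistence entry whose image file name equals `image` (case-insensitive)."""
    wanted = image.lower()
    hits: List[Finding] = []
    for raw in log_lines:
        line = raw.strip()
        info = _classify(line)
        if info and _image_name(info[3]) == wanted:
            section, hosts, key, _ = info
            hits.append(Finding(section, line, hosts, key))
    return hits


def processes_to_inspect(findings: Iterable[Finding]) -> Tuple[str, ...]:
    """Process names whose module lists and threads to check in Process Explorer."""
    return tuple(sorted({p for f in findings for p in f.host_processes if p.endswith(".exe")}))


if __name__ == "__main__":
    hits = find_references(SAMPLE_LOG.splitlines(), "fccaaww.dll")
    for f in hits:
        print(f"{f.section}: {f.line}")
        print(f"    hosts: {', '.join(f.host_processes)}")
        print(f"    key:   {f.registry_key}")
    print("inspect in Process Explorer:", ", ".join(processes_to_inspect(hits)))
```

Running the block prints the two entries behind fccaaww.dll in the sample and names exactly the three processes the post tells you to open in Process Explorer. The point of cross-referencing is that killing the DLL's threads only helps if every listed key is removed in the same session; otherwise the DLL is mapped again at the next logon or the next Explorer or IE start.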
     
  10. Missa

    Missa Private E-2

    To answer the first two questions: no, I did not create any winlogon.exe folder or put any txt file in it, and I do know all the files that were located on my desktop (I've moved them to different folders and deleted some).

    Ok I followed the instructions, ran the Windows Messenger uninstaller. I ran Process Explorer and scanned with HijackThis and added the registry file. Ran Avenger & ATF Cleaner.

    So far no new Trojans have popped up under AVG, but it might be a matter of time. I ran a few Spybot scans and just got some spyware that was deleted easily. I hope this fixed all my malware issues.

    Here are the logs.

    BTW, is there any way I can fix what ComboFix did? It changed my time settings to just numbers.
     


  11. Missa

    Missa Private E-2

    HijackThis log
     


  12. abri

    abri MajorGeek

    Oh sorry! Meant to get back to you!
    Right-click on the lower right taskbar, go to Properties and make sure "Show clock" is ticked. Also, go to Start / System Settings / Region and Language and see whether, if you change it in there, it turns back to what it was. It doesn't do that to everyone's computer, but sometimes it happens. If neither of those helps, please remind me and I'll see if there is another solution.

    I'll get back to you about your logs. Thanks for being patient!
    abri
     
  13. abri

    abri MajorGeek

    Hi Missa!

    First, I wanted to ask you if you got your clock back and if the date is now gone?

    Next, please scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )
    Again, make sure ALL browser windows are closed when you click FIX.

    Finally, please attach the odd file we asked you about with your next post along with a new hijackthis log. The file should have the following path:
    - Hijackthis.log
    - Readme.txt


    Thanks!
    abri
     
