trojan-downloader-ruin

Hey all,

Been through the preliminary READ & RUN ME FIRST Before Asking for Support routine as best I could. The used system I got for $100 seems to be teeming with malware. Can anyone help with regard to a a nasty named Trojan-downloader-ruin?

Many thanks,
Tao

 

See the below then attach a HJT log.

http://www.majorgeeks.com/images/grenade.gif Downloading, Installing, and Running HijackThis

 

Here it is.

 

Download the following two files, create a folder on your desktop, call it TSC. Save these 2 files there!

Sysclean Package

Pattern.zip

Once you have these downloaded into the folder you just created, REBOOT INTO SAFE MODE!

Once in Safe Mode double click the file sysclean.com. When the system cleaner loads, click SCAN to start the scanner. After you complete the scan reboot and attach a fresh HJT log.

 

Here it is.

 

That log appears to be from Safe Mode, if so please attach a fresh one from normal mode.

 

From normal mode.

 

Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

O2 - BHO: (no name) - {FA741EB8-2839-DFA0-00E5-4D86BF6A6478} - (no file)
O2 - BHO: (no name) - {1A264AC9-2381-8AF5-4412-1FA65E5E70C2} - (no file)

O4 - HKLM\..\RunServices: [NTHU.EXE] C:\WINDOWS\SYSTEM\NTHU.EXE /s
O4 - HKCU\..\Run: [Itmu] C:\WINDOWS\Application Data\nmrd.exe
O4 - HKCU\..\RunServices: [Itmu] C:\WINDOWS\Application Data\nmrd.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Navigate to and DELETE the following if they should remain:

C:\WINDOWS\system\nthu.exe

C:\WINDOWS\Application Data\nmrd.exe

NEXT:
Run CCleaner to clean up cookies and temp files.

Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
Note: Remember to get all updates before doing the scans.


Reboot to Normal Windows , Scan with HijackThis and attach the new log.

 

Thanks. I followed the instructions to the letter with the exception of Spybot S&D. I get "Error retrieving update info file! Socket Error # 11001 Host not found." Here is the Hjack This log so far:

 

Your HJT log is clean, are you having any further problems?

 

Yes. I'm still having problems. I'm being redirected when going to sies I know. Performance is unusually sluggish. trojan-downloader-ruin and trojan secdrop still show up when I Spysweep.

 

Attach me the log from SpySweeper and a fresh HJT log.

 

Here you go bjgarrick:

 

Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

Double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!

After you complete the above, reboot and see if it comes back.

 

Did it. Ruin showed up again in my Spysweeper scan.

 

- Download, install and update Spy Sweeper Run it once while you are in normal boot mode.

- The boot in safe mode from and run SpySweeper one more time.

Now reboot in normal mode.

Save and attach the logs from both runs.

 

Here they are:

 

Does SpySweeper actually fix it or what does it do after the scan is complete?


Lets try this, please Download TrojanHunter 4.2

• Install TrojanHunter, At the end of the install setup will prompt you to update definitions. Click YES to update TH!

• Once installed and updated, select drive C:\ and do a Full Scan. Remove all found infections.

• After you have completed the scan and removed all found infections reboot and scan with SpySweeper again and see if it comes back.