Trojan horse Generic27.PN & .ARZX removal?

Discussion in 'Malware Help (A Specialist Will Reply)' started by flydog, Mar 27, 2012.

  1. flydog

    flydog Private E-2

    Hi,

    Can you point me in the direction of a good start point to remove these?

    Trojan horse Generic27.PN & .ARZX

    I have read through the related threads but am confused! Attached are the mbam log and AVG (free) log.
    Should I disable AVG while running the mbam scan? And, does it require a 'Full scan'?

    Can I not remove the hdd from the pc tower and scan/remove using a different machine/hdd connector?

    Many thanks in advance!
     

  2. flydog

    flydog Private E-2

    Oops, AVG anti-rootkit scan attached as pdf...
     

  3. thisisu

    thisisu Malware Consultant

  4. flydog

    flydog Private E-2

    Thanks for the welcome and link, very much obliged.
    I'll get to that tomorrow as away from pc today & tonight!
    Thanks again,
    flydog
     
  5. flydog

    flydog Private E-2

    Oops!

    Ran TDSSKiller 3 times, copying items to quarantine. The third time it found only one, the ZeroAccess. Said to reboot to remove, which I did, but now it will not get past a blue 'stop error screen'.

    What now?
     
  6. thisisu

    thisisu Malware Consultant

    Do you by chance remember what you quarantined with TDSSKiller?

    Do you have a blank CD, a working computer with a CD Burner, and a USB flash drive handy?
     
    Last edited: Mar 29, 2012
  7. flydog

    flydog Private E-2

    Sadly no, there were a lot of entries quarantined - 175 or more...

    Yes I do have a working laptop with cd burner, a blank cd, and a usb drive handy :)

    Being a UK resident though I am just away to bed, would greatly appreciate any ideas!
     
  8. thisisu

    thisisu Malware Consultant

    From a clean computer:

    Download xpud-0.9.2.iso (64MB) from one of the download locations below:
    Burn this file as an Image to a blank CD. You can use ImgBurn for this.
    If you need help on how to use ImgBurn, please view this guide by dr.m -- Using ImageBurn to Burn an ISO image

    Once you have successfully made this bootable CD, insert the CD and a USB flash drive into the computer with the issue.

    Boot FROM the CD (instead of your hard drive). See here for help on how to do this.

    You will be asked to choose your language, default is English.
    On the left hand side of the screen, there will be 4 buttons:
    • Home
    • Menu
    • File
    • Setting
    Left-mouse click on File
    Its sub-menu opens
    There is a long list of folders here in alphabetical order - Look for mnt
    Left-mouse click the arrow by mnt to collapse its contents.
    Now look for sda1 - This is your hard drive.
    Also you should see sdb1 - This is your USB flash drive
    Left-mouse click on sda1 to view the contents on the root of your hard drive.
    The TDSSKiller log files should be here. If you ran TDSSKiller 3 times, there should be 3 TDSSKiller logs.
    Please copy and paste them to your USB flash drive (sda1).
    Once you have completed this task - Left mouse click the Home button -> Power off the machine -> Turn off
    Insert the flash drive into the working computer and attach the TDSSKiller logs. (How to attach)
     
  9. flydog

    flydog Private E-2

    Hi thisisu and thanks for your continued help!

    I have a Linux live CD and understand your instructions. So I booted with that and looked for the TDSSKiller logs but can only find one. On trying to copy it to USB it gives an error box and says the file is read-only.
    I opened the log; there are only 3 characters, nothing else - a y with a colon above it, then a b combined with a p, then 2. I believe this means the text program can't read the file properly. I've noticed that an mbam log is also unreadable (but is readable in Windows) but yorkyt.exe.log is readable. Tried renaming the TDSSKiller file to .log but it is still unreadable and I am not able to copy it to USB.

    There is a TDSSKiller_Quarantine file with the files in: rtkt0000, rtkt0001 and rtkt0002 plus susp0000 to susp0488, 492 files in all. I guess something here has caused the boot issue but without a readable log I don't know what can be done.

    When I ran TDSSKiller I don't think I rebooted between scans. Ran once, it found many entries; I copied to quarantine. Ran a second time, found more; I copied to quarantine again. Ran a third time and it just found ZeroAccess, said a reboot was required, then it will only boot to the blue 'Windows has been shut down' error screen.
    Plus, I didn't change any of the parameters in TDSSKiller as I now realise the guide you pointed me to says; I just went mad and ran it! Sheesh, you just can't help some people...

    Oh well, hope all this means something to you?
     
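An added example, not part of this thread and not TDSSKiller's own code: a Python script for the log-rescue step above (copying the TDSSKiller logs from the mounted Windows drive to the USB stick under a Linux live CD) that also writes a UTF-8 copy of each log. The three characters described, "ÿþ", are the bytes 0xFF 0xFE read as Latin-1, i.e. a UTF-16 little-endian byte order mark, so a log that shows only them is most likely wide-character text the live CD's editor did not decode, not a corrupt file. The mount points /mnt/sda1 and /mnt/sdb1, the TDSSKiller* file-name prefix and the input built by demo() are assumptions/constructed.

```python
import pathlib
import shutil
import tempfile

# A UTF-16LE file opened as Latin-1 shows its first two bytes, 0xFF 0xFE, as "ÿþ".
BOM_UTF16 = (b"\xff\xfe", b"\xfe\xff")
BOM_UTF8 = b"\xef\xbb\xbf"


def decode_log(raw):
    """Decode a log's bytes, honouring a leading BOM; BOM-less output from a
    Windows tool is assumed to be cp1252."""
    if raw.startswith(BOM_UTF16):
        return raw.decode("utf-16")  # the "utf-16" codec reads and strips the BOM
    if raw.startswith(BOM_UTF8):
        return raw.decode("utf-8-sig")
    return raw.decode("cp1252", errors="replace")


def collect_tdsskiller_logs(hdd_root, usb_root):
    """Copy each TDSSKiller log on the root of the Windows drive to a folder on
    the USB stick, keeping the original bytes and adding a UTF-8 copy that any
    editor can display. Returns the names of the logs found."""
    out_dir = pathlib.Path(usb_root) / "tdsskiller_logs"
    out_dir.mkdir(parents=True, exist_ok=True)
    found = []
    # TDSSKiller_Quarantine shares the prefix, so keep only regular files.
    for log in sorted(p for p in pathlib.Path(hdd_root).glob("TDSSKiller*") if p.is_file()):
        shutil.copy2(log, out_dir / log.name)
        text = decode_log(log.read_bytes())
        (out_dir / (log.stem + ".utf8.txt")).write_text(text, encoding="utf-8")
        found.append(log.name)
    return found


def demo():
    """Constructed stand-in for /mnt/sda1 and /mnt/sdb1 (assumed mount points):
    one UTF-16LE log plus a quarantine folder that must be skipped."""
    root = pathlib.Path(tempfile.mkdtemp())
    sda1, sdb1 = root / "sda1", root / "sdb1"
    sda1.mkdir()
    sdb1.mkdir()
    (sda1 / "TDSSKiller_Quarantine").mkdir()
    line = "constructed sample log line\n"
    (sda1 / "TDSSKiller.example_log.txt").write_bytes(b"\xff\xfe" + line.encode("utf-16-le"))
    found = collect_tdsskiller_logs(sda1, sdb1)
    utf8_copy = sdb1 / "tdsskiller_logs" / "TDSSKiller.example_log.utf8.txt"
    return found, utf8_copy.read_text(encoding="utf-8")
```

On the real live CD, call collect_tdsskiller_logs("/mnt/sda1", "/mnt/sdb1") as root; if the USB mount is read-only, remount it read-write first.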
  10. thisisu

    thisisu Malware Consultant

    It sounds like you deleted many essential Windows drivers. Even though they were reported by TDSSKiller as unsigned, they should not have been deleted. The instructions in the "TDSSKiller - How to run" explain this in detail.

    At this point I think the best course of action would be to perform a Repair installation of Windows as there is no way to DeQuarantine using TDSSKiller.

    See this guide for instructions on how to do so: How-to repair Windows XP

    Best of luck to you
     
  11. flydog

    flydog Private E-2

    Thanks,

    Will try the repair route and kick myself too, doh!
     
  12. flydog

    flydog Private E-2

    Oh dear, even using the repair disc it goes to the blue stop error screen!

    *** STOP: 0x0000007B (0xF78D2524,0xC0000034,0x00000000,0x00000000)

    As you say, probably deleted essential files but might it not also be the boot sector infected? If so I don't know how it would be possible to virus scan it...
     
  13. thisisu

    thisisu Malware Consultant

    You should not be receiving BSOD when booting from the CD.
    Double check that you are actually booting from the CD.
     
  14. flydog

    flydog Private E-2

    I agree re BSOD, definitely booting from the cd. Noted while googling the stop error code that there might be a BIOS prob - RAID is enabled even though there is only a single hdd. PC is a standard dell dimension E520. Have set this to auto-detect rather than RAID = ON
    That allows the recovery console to run, but gets to 'Which Windows installation would you like to log onto'
    1: C:\WINDOWS
    2: F:\minint (no idea what this is maybe a ghost/factory recovery partition?)
    I enter 1 - nothing happens. Press enter, C:\WINDOWS appears on next line but nothing happens.
    Weird.
     
  15. thisisu

    thisisu Malware Consultant

  16. flydog

    flydog Private E-2

    How embarrassing! Doing it now, will post how I get on...
     
  17. thisisu

    thisisu Malware Consultant
