Trojan/Spyware removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by Tolahouse, Sep 16, 2012.

  1. Tolahouse

    Tolahouse Private E-2

    Hey Guys,

    I've gone through the appropriate steps but still cannot visit any anti-virus website. So I know I'm still infected. Attached are the needed files. The system is Windows XP.

    Thank You.
     

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these 3 detections:
    • [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-21-1098811492-1310901148-4208882753-1106\$a49f23a4cef20b73bfc186a9663745cd\n.) -> FOUND
    • [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-18\$a49f23a4cef20b73bfc186a9663745cd\n.) -> FOUND
    • [HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-18\$a49f23a4cef20b73bfc186a9663745cd\n.) -> FOUND
    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.


    And the same for Files/Folder tab please.

    • [ZeroAccess][FILE] Desktop.ini : C:\WINDOWS\Assembly\GAC\Desktop.ini --> FOUND
    • [ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-18\$a49f23a4cef20b73bfc186a9663745cd\n --> FOUND
    • [ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-21-1098811492-1310901148-4208882753-1106\$a49f23a4cef20b73bfc186a9663745cd\n --> FOUND
    • [ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$a49f23a4cef20b73bfc186a9663745cd\@ --> FOUND
    • [ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-1098811492-1310901148-4208882753-1106\$a49f23a4cef20b73bfc186a9663745cd\@ --> FOUND
    • [ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-18\$a49f23a4cef20b73bfc186a9663745cd\U --> FOUND
    • [ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-21-1098811492-1310901148-4208882753-1106\$a49f23a4cef20b73bfc186a9663745cd\U --> FOUND
    • [ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-18\$a49f23a4cef20b73bfc186a9663745cd\L --> FOUND
    • [ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-21-1098811492-1310901148-4208882753-1106\$a49f23a4cef20b73bfc186a9663745cd\L --> FOUND

    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Do not reboot your computer yet.


    Rerun HitmanPro and have it delete everything except for C:\WINDOWS\system32\mftp32.ocx
    Attach new log once done.

    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run


    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (Vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.

    Re run RogueKiller and attach that log too.
     
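As an added example (not from this thread and not RogueKiller's own code), a small Python triage script that parses report lines in the format quoted above and flags the ZeroAccess items the reply says to check: the InprocServer32 hijacks pointing into a $<hex> folder under a per-SID RECYCLER directory, and the Desktop.ini dropped in the GAC. The sample lines are constructed from the detections in this thread plus one invented non-ZeroAccess entry; its [HJ POL] tag is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed RogueKiller-style lines modelled on the detections quoted in this thread;
# the last line is an invented non-ZeroAccess entry to show what gets left unchecked.
SAMPLE_REPORT = r"""
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-18\$a49f23a4cef20b73bfc186a9663745cd\n.) -> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\WINDOWS\Assembly\GAC\Desktop.ini --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-21-1098811492-1310901148-4208882753-1106\$a49f23a4cef20b73bfc186a9663745cd\U --> FOUND
[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
"""

# "[TAG][TAG] name : value -> STATUS" (files/folders use "-->")
LINE_RE = re.compile(
    r"^(?P<tags>(?:\[[^\]]+\])+)\s+(?P<name>.+?)\s*:\s*(?P<value>.+?)\s*-{1,2}>\s*(?P<status>\w+)$")
# Per-SID Recycle Bin folder named "$" + 32 hex digits: the hiding place seen in this thread.
RECYCLER_RE = re.compile(r"\\RECYCLER\\S-1-5-(?:\d+-)*\d+\\\$[0-9a-f]{32}\\", re.IGNORECASE)


@dataclass
class Finding:
    tags: list
    name: str
    value: str
    reasons: list = field(default_factory=list)

    @property
    def check(self) -> bool:
        """True when the item should be ticked for deletion."""
        return bool(self.reasons)


def triage(report: str) -> list:
    """Parse report lines and attach a reason to every ZeroAccess indicator."""
    findings = []
    for raw in report.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        tags = re.findall(r"\[([^\]]+)\]", m["tags"])
        f = Finding(tags, m["name"], m["value"])
        if "ZeroAccess" in tags:
            f.reasons.append("tagged ZeroAccess by the scanner")
        if RECYCLER_RE.search(f.value):
            f.reasons.append("points into a $<hex> folder under a per-SID RECYCLER directory")
        if "InprocServer32" in f.name and f.reasons:
            f.reasons.append("COM InprocServer32 hijack: a legitimate CLSID now loads the payload")
        if f.value.lower().endswith(r"\assembly\gac\desktop.ini"):
            f.reasons.append("Desktop.ini dropped in the .NET GAC folder")
        findings.append(f)
    return findings


def items_to_check(report: str) -> list:
    """Names of the entries to tick, in report order."""
    return [f.name for f in triage(report) if f.check]
```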
  3. Tolahouse

    Tolahouse Private E-2

    Thanks for the quick reply.

    I have gone through the directions and logs are attached. I have not been able to get TDSSKiller to run. Tried the zipped as well as the .exe versions with no luck. Any way to get around this problem?

    Thanks
     

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Let's check for an MBR infection, which I feel you may have, considering TDSSKiller will not run.

    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (Vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
     
  5. Tolahouse

    Tolahouse Private E-2

    I didn't get a proper run of HitmanPro previously so I have attached the correct logs here. I have also run MBRCheck, logs attached. Still no joy in running TDSSKiller.
     

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    It is as I suspected. Do you have your Win XP boot CD?
     
  7. Tolahouse

    Tolahouse Private E-2

    I have the installation CD if that is what you're referring to. Is that the same as boot CD?
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes.

    You need to use your Windows XP CD to boot to the Recovery Console and run the fixmbr to clear a Master Boot Record infection that you have.

    You can read the below to help you do this:

    http://support.microsoft.com/kb/307654


    After running the fixmbr command, boot back to normal mode Windows and try running TDSSKiller now. Then attach the log. Re run MBRcheck afterwards, and attach that log too. Also explain if you are still having any malware problems.
     
  9. Tolahouse

    Tolahouse Private E-2

    Ok Thanks a lot.

    I have run the FIXMBR but still cannot run TDSSKiller. I have rerun MBRCheck and the logs are attached.
    Malware issue seems to have been solved. I can now browse to McAfee, Eset and the like and run updates.
     

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Afraid not; it seems like it was not done correctly. If it was, MBRcheck would no longer indicate this faked MBR. Try again.
     
