trojan trouble

Discussion in 'Malware Help (A Specialist Will Reply)' started by thebunk, Apr 23, 2009.

  1. thebunk

    thebunk Private E-2

    Hi, new member here and I'll get straight to the trouble....I wanted a second opinion on my security so I downloaded Kaspersky 09 (was running AVG full). I got Kaspersky for free with a trial pay offer, which means I bought SpyDefy by ByteCrusher and got Kaspersky for free. When doing a full scan Kaspersky detects vulnerabilities but that's it (in following your READ & RUN instructions I have uninstalled all vulnerabilities, Java, Excel).

    SpyDefy however found a whole host of trojans, backdoor agents and rogue antispyware SpyBouncer (I never downloaded that!!). It quarantines them all and I have deleted them from the quarantine like you said to...I will attach the logs from SpyDefy in a second post, hope that's cool as it contains most of the info! As well as the others you ask for...around the same time as all this I was surfing and a "download from the internet" window appeared, which I cancelled as I had not clicked anything, was just on a Google page..

    I have slow internet and the occasional crash but SpyDefy says, either during a scan or during real time protection, that..."windows host file is being modified, IP 127.0.0.1 www.007gaurd.com" and when I click on deny, I get the old "spydefy has encountered a problem and needs to close". I have checked online and I don't seem to get any trouble like 007gaurd, homepage being changed mostly, so I am confused. Also Kaspersky says during scans that some files are password protected...it all happens so quick I can't get the whole file name, nor can I find a log that will tell me! "c:\....sbs recovery.ini & trojanadwareBHOistbar0.zip/registry.reg" are both password protected!

    Like I said, I have followed your READ & RUN instructions as best I can!! I already had Malwarebytes and SUPERAntiSpyware, I also have Spyware Doc (which found trojan bbf I think), Norton scanner, Trojan Remover 6.6.2, Doc Alex (which finds 2 trojans and a few BHO problems, which seem to be fixed but have reappeared on occasion), a2 scanner......I only ever run ONE antivirus and ONE real time spyware software at a time, simply have the others to scan with now and then....please help as this is driving me mad, how and why did I get these, are they gone, is there something still left, backdoor agents bad I know! All logs attached as you asked plus the SpyDefy which caught all these nasties! Thank you all and everyone, I wish I knew computers like you do!! The logs are empty except for ComboFix which deleted one file, not sure about the MGtools log, many many thanks!!
     


  2. thebunk

    thebunk Private E-2

    help..can't find my thread!!

    I posted a new thread about 1 hour ago and it's not anywhere to be found!!! I attached the 4 logs I was asked to by the READ & RUN, spent all day doing as I was asked, only contact info is for the site owners and they say don't email us, use forums...argh!!!! Have clicked on my user name and it says 0 posts.....anyone know why/where my thread may be..I wanna be sure my comp is infection free!!!!
     
  3. thebunk

    thebunk Private E-2

    Re: help..can't find my thread!!

    I just saw when I posted a second attempt of my problem that moderators review new threads and attachments. It goes by quite quick so I must have missed it, apologies for not realising and posting extra threads, hope I don't get in trouble!! :p Thanks to all the experts and owners, have fun, take it easy!
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: help..can't find my thread!!

    Please attach your logs to this thread. And refrain in the future from "bumping" your thread....it just sends you to the end of the line. We are short-handed and will get to you ASAP. :) Please be patient.
     
  5. thebunk

    thebunk Private E-2

    Re: help..can't find my thread!!

    Thanks TimW and thanks for the reply!! I didn't "bump" my post, I added a second post to it just to say I realised my mistake and to say sorry! The below post shows that....but thanks for looking anyway! I would post the logs here but I see that my original post has been approved by the moderators and officially posted so it is all there, info and logs. Its title is "trojan trouble" posted by "thebunk"; seemed silly to add logs here when the explanation of my trouble, plus logs, are attached to that post. Hope you can look at it and give me some answers, many thanks!!!!!
     
  6. thebunk

    thebunk Private E-2

    Sorry it's taken a while to add the SpyDefy logs I mentioned in my original starter post but here they are...I am not "bumping", simply adding the logs that I mentioned before as they have info on all the trojans and backdoors....couldn't attach more than 4 logs in the original post so doing it now. Hope an expert can check them when they get time, many many thanks!!
     


  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Is Spyware Doctor a paid for version? If not, uninstall it. I would also suggest you uninstall ByteCrusher SpyDefy.

    Now as to your logs:

    Please download and install:
    Java Runtime 6

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    
    Driver::
    ntcdrdrv
    RoxLiveShare10
    SessionLauncher
    ATE_PROCMON
    bdacap
    GLHIDKBFILTER
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\NoExplorer]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me what problems you are having now!
     
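As an added example (not part of this thread, and not MGtools or ComboFix code), a PowerShell audit of the same Browser Helper Objects key the CFScript above edits by hand: it lists every registered BHO, resolves each CLSID to the DLL that implements it, and flags entries that are orphaned, point at a missing DLL, lack a valid Authenticode signature, or sit on a watch list. The watch list is seeded with the four CLSIDs from the CFScript; the function name and everything else here are assumptions chosen for illustration.

```powershell
# Added example, not part of this thread or of the MGtools/ComboFix tooling.
# Audits the Browser Helper Objects key the CFScript above edits by hand:
# every BHO registered for the machine is resolved to the DLL that implements it,
# and an entry is flagged when it is on the watch list, has no server registration,
# points at a DLL that no longer exists, or carries no valid Authenticode signature.
$BhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

# Seeded with the four CLSIDs the CFScript removes; extend for your own case.
$Watch = @(
    '{02478D38-C3F9-4efb-9B51-7695ECA05670}',
    '{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}',
    '{5C255C8A-E604-49b4-9D64-90988571CECB}',
    '{A057A204-BACC-4D26-9990-79A187E2698E}'
)

function Get-BhoReport {
    if (-not (Test-Path $BhoKey)) { return }
    foreach ($entry in Get-ChildItem $BhoKey) {
        $clsid = $entry.PSChildName
        # The BHO key only names the CLSID; the DLL path lives in the class registration.
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path $server) {
            $dll = (Get-ItemProperty $server).'(default)'
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
        }
        $reasons = @()
        if ($Watch -contains $clsid) { $reasons += 'CLSID on watch list' }
        if (-not $dll) {
            $reasons += 'no InprocServer32 registration'
        } elseif (-not (Test-Path $dll)) {
            $reasons += 'DLL missing on disk'
        } elseif ((Get-AuthenticodeSignature $dll).Status -ne 'Valid') {
            $reasons += 'DLL has no valid Authenticode signature'
        }
        New-Object PSObject -Property @{
            CLSID   = $clsid
            DLL     = $dll
            Suspect = ($reasons.Count -gt 0)
            Reason  = ($reasons -join '; ')
        }
    }
}

# Suspect entries first; review them before touching the registry.
Get-BhoReport | Sort-Object Suspect -Descending | Format-Table CLSID, Suspect, Reason, DLL -AutoSize
```

Run it from an elevated PowerShell prompt, since HKLM and the class registrations are machine-wide; an unsigned DLL is a reason to investigate, not proof of infection, because many legitimate older add-ons were never signed.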
  8. thebunk

    thebunk Private E-2

    Hi Tim and thanks for the reply and help!! I did everything you said to and hope it has worked, I have attached the logs you wanted...the only thing that seemed a bit odd was that I did not disable SpyDefy so when ComboFix rebooted it started up, it said Java Runtime was trying to change the registry (Kaspersky gave Java a low restricted grouping on installation) and that a trojan was trying to run but I clicked ignore and disabled SpyDefy from running in the future...SpyDefy was paid for, as was Spyware Doctor...why do you say to uninstall them? Not to question you clearly! So the infections SpyDefy was saying it found were fake? Bit confusing esp as one of your ads is for Spyware Doctor when I clicked on the Java download link you gave me...anyway, many many thanks!!

    I am concerned the whole thing didn't work as ComboFix said (to me anyway) that it only deleted one file but I guess it will tell you loads more in its logs! If it did go wrong at all please tell me and I will repeat your instructions to the letter and see if anything happens, was tempted to do it all again straight away but wondered if it would alter the logs you wanted so I only followed your instructions the once. CCleaner deleted temp files and temp internet files and nothing else. I'll await your reply...keep up the amazing help to all us dinguses lol thanks again!! :)
     


  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Well your logs are clean. :)

    Spyware Doctor is only effective if purchased...the free version is full of FP's.
    And I think that is what SpyDefy was reporting as well.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work through the below link:

     
  10. thebunk

    thebunk Private E-2

    Thanks again Tim :) you guys are legends...I already had half the software you asked for and will keep the rest for sure (Omar impression lol). Following your instructions last time a new IE desktop icon was created after running ComboFix, giving me 2 on my desktop, forgot to mention that but if the logs were clean I guess it's cool...please do say if it's a problem! I will continue your instructions and uninstall all required in a few days if I have not heard back from you saying anything else...both Spyware Doc and SpyDefy were purchased versions from the start so maybe FP's were to make you keep them and value them? I don't know but I trust you guys...thanks again!!
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Right click each IE icon / properties / click find target. If it goes to the IE exe, then keep it, if not delete it.

    If they are both paid for versions, just be careful about removing what they find.

    I would rely more on Spyware Doctor ( the free version is worthless ) as well as MBAM and SAS.

    Let me know if you have any further issues.
     
