
Having a problem with multiple trojans



#1
Welshdragon

  • Member
  • 17 posts
I've been having multiple popups from AVG recently saying I have Trojan horse agent, Downloader, Generic and Cryptor. I only went on one website and it all started happening, I didn't even click anything! How annoying.

Not sure if the HijackThis log should be posted, here it is anyway.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:52:32, on 19/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\DOCUME~1\user\LOCALS~1\Temp\winlogin.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spotify\spotify.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat
C:\PROGRA~1\Grisoft\AVGFRE~1\avgvv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask-yoda.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.aol.co...t=true&query=%s
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
O2 - BHO: C:\WINDOWS\system32\jsdf8j3dgf.dll - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jsdf8j3dgf.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: WWE Toolbar - {A057A204-BACC-4D26-B2F2-48F8CCAB3ED4} - C:\PROGRA~1\PRODEG~1\PRODEG~1.DLL
O3 - Toolbar: Mirar - {759BF46C-E39F-402A-906A-D4367B45C070} - C:\WINDOWS\system32\winpm77.dll
O3 - Toolbar: Mirar - {D2D11E4C-5E0B-4830-80F3-78B143801A91} - C:\WINDOWS\system32\windi77.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [ugkhnqocbiql] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\ssjqssuucuthmxpyh.dll"
O4 - HKLM\..\Run: [NI.GSCNS] "C:\DOCUME~1\user\LOCALS~1\Temp\winvsnet.tmp"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\user\LOCALS~1\Temp\winlogin.exe
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\user\LOCALS~1\Temp\winlogin.exe
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\user\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: csti.lnk = C:\WINDOWS\system32\setup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebo...toUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft....ayx_vp3_mp3.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...ploader_v10.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jsdf8j3dgf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 11519 bytes


Thanks in advance for anyone who helps me out, :)

Edited by Welshdragon, 19 December 2008 - 03:55 AM.

  • 0

#2
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello Welshdragon

Welcome to G2Go. :)
=====================
Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
===========================================
Download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • File - Lop check
    • File - Purity Scan
  • Under Basic scans:
    • Rootkit Search - Yes
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Attach the information back here. I will review it when it comes in.
  • 0

#3
Welshdragon

  • Topic Starter
  • Member
  • 17 posts
Done everything you said, :) thanks.

The file is attached :)

Attached Files


  • 0

#4
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YY -> "{759BF46C-E39F-402A-906A-D4367B45C070}" [HKLM] -> %SystemRoot%\system32\winpm77.dll [Mirar]
YY -> "{D2D11E4C-5E0B-4830-80F3-78B143801A91}" [HKLM] -> %SystemRoot%\system32\windi77.dll [Mirar]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YY -> WebBrowser\\"{759BF46C-E39F-402A-906A-D4367B45C070}" [HKLM] -> %SystemRoot%\system32\winpm77.dll [Mirar]
YY -> WebBrowser\\"{D2D11E4C-5E0B-4830-80F3-78B143801A91}" [HKLM] -> %SystemRoot%\system32\windi77.dll [Mirar]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "NI.GSCNS" -> %SystemDrive%\DOCUME~1\user\LOCALS~1\Temp\winvsnet.tmp ["C:\DOCUME~1\user\LOCALS~1\Temp\winvsnet.tmp"]
YN -> "prunnet" -> %SystemRoot%\system32\prunnet.exe ["C:\WINDOWS\system32\prunnet.exe"]
YN -> "ugkhnqocbiql" -> %SystemRoot%\system32\ssjqssuucuthmxpyh.dll [C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\ssjqssuucuthmxpyh.dll"]
YY -> "xsjfn83jkemfofght" -> %UserProfile%\Local Settings\Temp\winlogin.exe [C:\DOCUME~1\user\LOCALS~1\Temp\winlogin.exe]
< RunOnceEx [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
YN -> "Flag" -> []
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "gadcom" -> %AppData%\gadcom\gadcom.exe ["C:\Documents and Settings\user\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139]
YN -> "Jnskdfmf9eldfd" -> %SystemDrive%\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe [C:\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe]
YN -> "prunnet" -> %SystemRoot%\system32\prunnet.exe ["C:\WINDOWS\system32\prunnet.exe"]
YY -> "xsjfn83jkemfofght" -> %UserProfile%\Local Settings\Temp\winlogin.exe [C:\DOCUME~1\user\LOCALS~1\Temp\winlogin.exe]
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
YY -> C:\WINDOWS\system32\twext.exe -> %SystemRoot%\system32\twext.exe
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YY -> "{C5BF49A2-94F3-42BD-F434-3604812C897D}" [HKLM] -> %SystemRoot%\system32\jsdf8j3dgf.dll [mcb7uehuj3n8weuhejsw]
[Files/Folders - Created Within 30 Days]
NY -> Mjcore -> %ProgramFiles%\Mjcore
NY -> windi77.dll -> %SystemRoot%\System32\windi77.dll
NY -> jsdf8j3dgf.dll -> %SystemRoot%\System32\jsdf8j3dgf.dll
NY -> NI.GSCNS -> %AppData%\NI.GSCNS
NY -> gadcom -> %AppData%\gadcom
NY -> akpdvjqngtifcrfm.exe -> %SystemRoot%\System32\akpdvjqngtifcrfm.exe
NY -> winpm77.dll -> %SystemRoot%\System32\winpm77.dll
NY -> up -> %SystemRoot%\System32\up
NY -> tdi -> %SystemRoot%\System32\tdi
NY -> ma1 -> %SystemRoot%\System32\ma1
NY -> ko3 -> %SystemRoot%\System32\ko3
NY -> .# -> %UserProfile%\Local Settings\Application Data\.#
[Files/Folders - Modified Within 30 Days]
NY -> winlogin.exe -> C:\Documents and Settings\user\Local Settings\Temp\winlogin.exe
NY -> winpm77.dll -> %SystemRoot%\System32\winpm77.dll
NY -> windi77.dll -> %SystemRoot%\System32\windi77.dll
[File - Lop Check]
NY -> NI.GSCNS -> C:\Documents and Settings\user\Application Data\NI.GSCNS
[Custom Items]
:zipfilestoupload
%SystemRoot%\System32\akpdvjqngtifcrfm.exe
:SENDTOMRC
channel=44
link=www.geekstogo.com/forum/Having-problem-multiple-trojans-t221439.html#entry1404870
:end

The fix should only take a very short time. When the fix is completed either a message box will popup telling you that it is finished or you will be asked to reboot to finish the fix. If it is finished, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.
If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that information back here.
I will review the information when it comes back in.
Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
  • 0
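
Added example, not part of the original thread and not HijackThis or OTScanIt logic: a small Python triage over HijackThis F2 and O4 lines copied from post #1, flagging traits shared by entries the fix above targets (autoruns launching from a Temp directory, names that closely imitate core Windows processes, extra programs appended to UserInit, silent regsvr32 registration from a Run key). The heuristics, the SYSTEM_NAMES list and the function names are assumptions chosen for illustration.

```python
import difflib
import ntpath
import re

# Lines copied from the HijackThis log in post #1 of this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ugkhnqocbiql] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\ssjqssuucuthmxpyh.dll"
O4 - HKLM\..\Run: [NI.GSCNS] "C:\DOCUME~1\user\LOCALS~1\Temp\winvsnet.tmp"
O4 - HKLM\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\user\LOCALS~1\Temp\winlogin.exe
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe
"""

# Assumption: a short list of core Windows process names to compare against.
SYSTEM_NAMES = ["winlogon.exe", "csrss.exe", "svchost.exe", "lsass.exe",
                "services.exe", "smss.exe", "explorer.exe", "userinit.exe"]

O4_RE = re.compile(r"^O4 - (\S+?): \[([^\]]+)\] (.+)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.+)$", re.I)
# A drive-letter path ending in a three-character extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.[A-Za-z0-9]{3}(?=["\s,]|$)')


def path_reasons(path):
    """Return heuristic flags for one file path referenced by an autorun."""
    reasons = []
    base = ntpath.basename(path).lower()
    if re.search(r"\\temp\\", path, re.I):
        reasons.append("runs-from-temp")
    # Near-miss of a system process name, e.g. one letter changed or added.
    if base not in SYSTEM_NAMES and difflib.get_close_matches(
            base, SYSTEM_NAMES, n=1, cutoff=0.85):
        reasons.append("system-name-lookalike")
    return reasons


def triage(log_text):
    """Map autorun value name -> sorted list of flags; clean entries are omitted."""
    findings = {}
    for line in log_text.splitlines():
        line = line.strip()
        m = F2_RE.match(line)
        if m:
            # UserInit normally lists userinit.exe only; anything else also runs at logon.
            extra = [ntpath.basename(p) for p in m.group(1).split(",")
                     if p.strip() and ntpath.basename(p).lower() != "userinit.exe"]
            if extra:
                findings["UserInit"] = ["userinit-extra:" + e for e in extra]
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        _location, name, cmd = m.groups()
        paths = PATH_RE.findall(cmd)
        reasons = [r for p in paths for r in path_reasons(p)]
        # regsvr32 /s from a Run key registers a DLL at every boot with no dialog.
        if (paths and ntpath.basename(paths[0]).lower() == "regsvr32.exe"
                and re.search(r"\s/s\s", cmd, re.I)):
            reasons.append("silent-dll-registration")
        if reasons:
            findings[name] = sorted(set(reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(reasons)}")
```

The prunnet entry, which the fix above also removes, trips none of these checks, so an empty result for an entry is not evidence that it is benign.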

#5
Welshdragon

  • Topic Starter
  • Member
  • 17 posts
I've pasted that in and tried it, but it keeps coming up saying "Cannot find about blank, address might not be correct" or something like that. I've closed the program now to restart it and it keeps coming up saying "OTScanIt2 has encountered a problem and needs to close. We are sorry for the inconvenience."
  • 0

#6
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

  • 0

#7
Welshdragon

  • Topic Starter
  • Member
  • 17 posts
Just now when I was shutting down my PC, it wouldn't shut down so I had to hold the button down, and now when it boots it gets stuck on the blue Windows XP screen. I'm not sure what's wrong, but I can't do anything. This was before the ComboFix; I was restarting before doing it. Not sure what's going on.
  • 0

#8
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hi, when you turn on the computer please do the following:
Hit the F8 key near the top of your keyboard until you see a boot options menu.
Then choose Last known good configuration.
See if it will load then.
  • 0

#9
Welshdragon

  • Topic Starter
  • Member
  • 17 posts
I've chosen that and it's still stuck on that part. Don't know why this has happened.
  • 0

#10
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Were you able to install the Recovery Console?

See if you can boot into Safe Mode.
Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit Enter.

Let me know about these options please.
This has happened because the malware hooks into the system causing issues like this.
When it gets removed sometimes it can cause booting issues.
  • 0

#11
Welshdragon

  • Topic Starter
  • Member
  • 17 posts
Recovery console?

I've tried to go into Safe Mode but no success, still on the blue screen XP logo page.
  • 0

#12
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Do you have the Recovery Console installed?
Combofix will prompt you to install it when you run it.

Do you have a Windows XP disk?
  • 0

#13
Welshdragon

  • Topic Starter
  • Member
  • 17 posts
Not yet, not able to get one, not on me; seems like places you buy PCs from don't give disks out anymore. Probably use a friend's. Should I try the repair Windows function?
  • 0

#14
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
No, not yet. I was going to see if you could use the System Restore feature first.
Do you have a computer that you can use to burn CDs?
  • 0

#15
Welshdragon

  • Topic Starter
  • Member
  • 17 posts
I have my laptop ye
  • 0





