Infected by 2 Trojans. One in system32/drivers file



#1 Piku
New Member, 1 posts
I'm currently being attacked by 2 trojans. I got them over AIM when a bot, pretending to be my friend, sent me a link. I really shouldn't have clicked, but I did. It downloaded some sort of picture-viewing program. Now I'm stuck with these two trojans. One is SSDT-Hook, but I'm not sure where in my system it is. The other is in the windows\system32\drivers folder and when I google its name (3f345d50.sys), it comes up with nothing. The file won't let me move it or delete it.

The symptoms are: changing my desktop, changing the log-in screen, IMing my friends on both AIM and MSN and sending them links to the same virus, program icons going missing, my picture files being associated with the virus picture program (I fixed that, but it still tries to install itself even though I deleted it). It caused Tablet.exe, svchost.exe and Services and Controller app to error, and it caused the entire system to have a fatal error, shut down, and restart. Not only that, but I can't open some programs (such as my MMORPGs) and ctrl+alt+delete has stopped working.

I've run McAfee. It says it quarantined both of them, but it obviously didn't work completely. I've run Spybot-Search and Destroy. It found several things and it said it removed it all. But that didn't work totally either.
I've also run Glary Utilities and CCleaner several times.

Before this I had another trojan from it, but I managed to find it, bring it to the desktop and shred it. I had to try a few times because it was protected somehow, but I hope it's gone now.


I hope this isn't too confusing. I'm getting really frustrated over this. I was up to 3 AM trying to get it out.

#2 RKinner
Malware Expert, MVP, 23,139 posts
You don't give us much to go on. We really would like the logs that are called for in the top post in this forum. If you have XP the following may help a bit. If you have Vista I think only Combofix and MalwareBytes AntiMalware will run and you will have to run them by right click and run as administrator. If you have a 64 bit system then only MBAM:

Download The Avenger by Swandog46 from
http://swandog46.gee...r2/download.php
* Unzip/extract it to a folder on your desktop.
* Double click on avenger.exe to run The Avenger.
* Click OK.
* Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
* Copy all of the text between the stars to the clipboard by highlighting it and then pressing Ctrl+C.
*******************************************************

Files to replace with dummy:
C:\WINDOWS\system32\drivers\3f345d50.sys

Drivers to delete:
3f345d50

******************************************************
* In the Avenger window, click the Paste Script from Clipboard icon.
* :!: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
* Click the Execute button.
* You will be asked Are you sure you want to execute the current script?.
* Click Yes.
* You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
* Click Yes.
* Your PC will now be rebooted.
* Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
* If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
* After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt). I would like to see the log in your next post.

Download rooter.exe and save to your desktop
http://eric71.geekst...ools/Rooter.exe
# Double click it to start the tool.
# A Notepad file containing the report will open, also found at %systemdrive%(usually C:)\Rooter.txt. Copy and paste it to a reply.


Run:

Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.


Download but do not yet run ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double-click on george to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time :!:

Reboot now, please :!:

Post Back (copy/paste the .txt files, do not use attachments)
After following the above, post back with:

1. Avenger Log

2. Rooter log

3. Contents of C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

4. Contents of C:\Combofix.txt


Ron
PS If you can't get to the download sites, have a friend download the files and put them on a CD. Don't use a USB drive unless it's never been on your PC and you can leave it in until we finish. Copy the tools to your desktop and then proceed as above.
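A post-cleanup check, added here as an example; it is not part of the thread and not code from Avenger, Rooter, Malwarebytes or ComboFix. After the Avenger script above has run (it replaces the driver file with a dummy and deletes the driver's service entry), this PowerShell script reports whether the file, its service registry key and a loaded kernel driver named 3f345d50 are still present. The driver name and path are the ones from the thread; the rest is assumed: an elevated prompt on Vista or later, PowerShell 3 or newer for Get-CimInstance and PowerShell 4 or newer for Get-FileHash.

```powershell
# Post-cleanup verification for a suspected kernel driver.
# Example added here, not from the original thread or any tool it names.
# Driver name and path are from the thread; run from an elevated prompt.
param(
    [string]$DriverName = '3f345d50',
    [string]$DriverPath = "$env:SystemRoot\System32\drivers\3f345d50.sys"
)

$findings = @()

# 1. Is the file still on disk? -Force shows hidden/system files, which
#    rootkit components commonly are. A dummy left by Avenger shows up here
#    too, so size and signature status matter more than mere presence.
if (Test-Path -LiteralPath $DriverPath) {
    $item = Get-Item -LiteralPath $DriverPath -Force
    $hash = (Get-FileHash -LiteralPath $DriverPath -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $DriverPath
    $findings += [pscustomobject]@{
        Check  = 'File on disk'
        Detail = "yes: size=$($item.Length) attrs=$($item.Attributes) sha256=$hash signature=$($sig.Status)"
    }
} else {
    $findings += [pscustomobject]@{ Check = 'File on disk'; Detail = 'no' }
}

# 2. Is a driver service still registered? This is the entry the
#    "Drivers to delete:" step removes. A leftover key with Start=0 or 1
#    (boot-start or system-start) means the driver loads before any
#    user-mode scanner gets a chance to run.
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$DriverName"
if (Test-Path -LiteralPath $svcKey) {
    $svc = Get-ItemProperty -LiteralPath $svcKey
    $findings += [pscustomobject]@{
        Check  = 'Service key'
        Detail = "yes: ImagePath=$($svc.ImagePath) Start=$($svc.Start) Type=$($svc.Type)"
    }
} else {
    $findings += [pscustomobject]@{ Check = 'Service key'; Detail = 'no' }
}

# 3. Is the driver loaded right now? Win32_SystemDriver lists kernel-mode
#    drivers, which Get-Service does not show.
$loaded = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$DriverName'"
if ($loaded) {
    $findings += [pscustomobject]@{
        Check  = 'Driver loaded'
        Detail = "yes: State=$($loaded.State) Started=$($loaded.Started) PathName=$($loaded.PathName)"
    }
} else {
    $findings += [pscustomobject]@{ Check = 'Driver loaded'; Detail = 'no' }
}

$findings | Format-Table -AutoSize
```

A report of "no" on all three lines is not proof of removal. The poster's other trojan is described as an SSDT hook, and a kernel-mode hook can hide a file or registry key from every user-mode call made here, which is why the thread still asks for the rootkit-scanner output (Avenger's rootkit scan and the Rooter log) rather than relying on Explorer or a script like this one.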