Trojan Horse [RESOLVED]


  • This topic is locked

#16
Trevuren


    Old Dog

  • Retired Staff
  • 18,699 posts
Now to remove these elements of LOP
  • Open Notepad and copy and paste the content of the code box in it:

    C:\
    cd C:\Windows\Tasks
    attrib -r -s -h A84C989B91EF0F6F.job
    del A84C989B91EF0F6F.job
  • Save this Notepad file as remjobs.bat, choose to save as *all files
    and place it on your desktop.

  • Double-click on remjobs.bat. A DOS window will open and close again, this is normal.

  • Afterwards, double-click on findjobs.bat again and paste the content of the text file you get into your next reply.
Trevuren
  • 0



#17
JuJu

    Member

  • Topic Starter
  • 25 posts
Hi Trevuren,
Every time I double-click remjobs.bat, I get the same DOS screen that disappears, never got a text file!
  • 0

#18
Trevuren


    Old Dog

  • Retired Staff
  • 18,699 posts
You are not supposed to. If you read further on in the post, it says that the screen will come on shortly and then disappear. It had done its job.

To get the log that we want, look at its name:

findjobs.bat

That is the first one we first used. By using this one we are trying to find out if there are any malicious jobs left to delete.


Trevuren
  • 0

#19
JuJu

    Member

  • Topic Starter
  • 25 posts
SORRRRYYYY.. :tazz:

If I got you right this time, I ran findjobs.bat again, and here is the log:

Volume in drive C has no label.
Volume Serial Number is 04D8-88A5

Directory of C:\WINDOWS\tasks

28/06/2005 02:06 PM <DIR> .
28/06/2005 02:06 PM <DIR> ..
31/03/2003 07:00 AM 65 desktop.ini
28/06/2005 02:46 PM 482 McAfee.com Update Check (YOUR-BM7ACOQIYX-Scorpion).job
29/04/2005 08:00 PM 536 Norton AntiVirus - Scan my computer - Scorpion.job
28/06/2005 09:21 AM 6 SA.DAT
28/06/2005 02:22 PM 370 Symantec NetDetect.job
5 File(s) 1,459 bytes

Directory of C:\Documents and Settings\Scorpion\Desktop


I hope that's the right thing to do ;)
  • 0

#20
Trevuren


    Old Dog

  • Retired Staff
  • 18,699 posts
If you look closely, there are no strange-looking jobs anymore. There is Norton stuff etc... but those are good ones.

That was a success.

Now we are going to make sure that there are not any of these strange jobs in other profiles on your computer. With this infection, every user's profile can carry this infection.

* Please click this link to download Silent Runners.

* Save it to the desktop.

* Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.

* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)

* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Regards,

Trevuren

  • 0

#21
JuJu

    Member

  • Topic Starter
  • 25 posts
It is good to hear that things are getting better..Thanks ;)

When I am trying to run Silent Runners, I am getting this error message:

Windows Script Host
Error: Could not create object named "WScript.Shell".

:tazz:
  • 0

#22
Trevuren


    Old Dog

  • Retired Staff
  • 18,699 posts
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run


Trevuren
  • 0

#23
JuJu

    Member

  • Topic Starter
  • 25 posts
but there is no text file appearing on my desktop.
The error message doesn't ask me to allow or not the script to run, it just says that the file will not run. :tazz:
  • 0

#24
Trevuren


    Old Dog

  • Retired Staff
  • 18,699 posts
Please send a new HJT log for review.

Thanks,

Trevuren

  • 0

#25
JuJu

    Member

  • Topic Starter
  • 25 posts
Logfile of HijackThis v1.99.1
Scan saved at 4:50:35 PM, on 28/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0



#26
Trevuren


    Old Dog

  • Retired Staff
  • 18,699 posts
We will now work on your Isearch infection:

1. Run HijackThis. Click on "Config...", "Misc Tools", "Open process manager". Select the following files and click on "Kill process". Answer Yes to the "Are you sure..." question. (If you don't find them, don't worry).
  • desktop.exe
  • edmond.exe
  • ffisearch.exe
2. Launch Notepad, and copy/paste the text in the codebox below into a new text file. Save it as fixme.reg and "All Files" as type on your Desktop.


REGEDIT4

[-HKEY_CLASSES_ROOT\clsid\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]

[-HKEY_CLASSES_ROOT\clsid\{950238fb-c706-4791-8674-4d429f85897e}]

[-HKEY_CLASSES_ROOT\mfiltis]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\ext\clsid\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]

[-HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_delprot]

[-HKEY_LOCAL_MACHINE\system\currentcontrolset\services\delprot]

; Delete only the two Isearch autorun values; the Run key itself must stay
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"desktop search"=-
"ffis"=-


3. Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

4. Restart your computer.

5. Launch Notepad, and copy/paste the text in the codebox below into a new text file. Save it as Unreg.bat and "*All Files" as type on your Desktop.

rem Unregister the Isearch DLLs; mfiltis.dll is the O18 filter shown in the HijackThis log
regsvr32 /u C:\Windows\isrvs\mfiltis.dll
regsvr32 /u C:\Windows\isrvs\msdbhk.dll
regsvr32 /u C:\Windows\isrvs\sysupd.dll


6. Locate Unreg.bat on your Desktop and double-click on it.


7. Delete the following files/folders (if present) in C:\Windows or C:\Windows\System32
  • delprot.ini
  • delprot.log
  • desktop.exe
  • isrvs (delete the entire folder)
If you have trouble deleting any of these files, right-click on them, choose Properties and ensure that the boxes at the bottom are unchecked. If it still doesn't work, please take note of the files that you are not able to delete and include them in with your next log.


8. Delete the following file: C:\Windows\System32\Drivers\Delprot.sys


9. Delete the following files/folder (if present) in C:\Documents and Settings\<your user name>\Desktop . (If they are not there, don't worry)
  • anal exploits.url
  • big d*** school for 2.95.url
  • evidence eraser.lnk
  • popup blocker stops popups.lnk
  • spyware avenger.lnk
  • virus hunter security.lnk
  • your platinum visa.lnk
10. REBOOT your system

11. Run HJT, click SCAN, produce a LOG and post it into this thread for review.

Regards

Trevuren

  • 0
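
The fix file in the post above uses both .reg deletion forms: a [-KEY] header removes a key with everything under it, while "name"=- under a plain [KEY] header removes one value. The following is an added example, not part of the original post, that lists every deletion in such a file and marks whole-key deletions of the shared Run keys before the file is merged. The sample input, its key and value names, and the SHARED_KEYS list are constructed for this example.

```python
import re

# Autostart keys shared by many programs (short list chosen for this example).
SHARED_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
SECTION = re.compile(r"^\[(-?)(.+)\]$")         # [KEY] or [-KEY]
VALUE_DELETE = re.compile(r'^"(.+)"\s*=\s*-$')  # "name"=-

# Constructed sample: key and value names are placeholders, not from the thread.
SAMPLE = r'''REGEDIT4

[-HKEY_LOCAL_MACHINE\system\currentcontrolset\services\exampledrv]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"example one"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"example two"=-
'''


def audit_reg(text):
    """List every deletion in a .reg file as (action, key, value, warning)."""
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or .reg comment
        m = SECTION.match(line)
        if m:
            whole_key, key = m.group(1) == "-", m.group(2)
            current = (key, whole_key)
            if whole_key:
                warn = None
                if key.lower() in SHARED_KEYS:
                    warn = "removes the whole shared autostart key"
                findings.append(("delete-key", key, None, warn))
            continue
        m = VALUE_DELETE.match(line)
        if m and current:
            key, whole_key = current
            warn = None
            if whole_key:
                warn = "listed under a [-key] header that deletes the key"
            findings.append(("delete-value", key, m.group(1), warn))
    return findings


def needs_review(text):
    """Only the deletions that deserve a second look before merging."""
    return [f for f in audit_reg(text) if f[3]]


if __name__ == "__main__":
    for action, key, value, warn in audit_reg(SAMPLE):
        print(action, key, value or "", "<-- " + warn if warn else "")
```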

#27
JuJu

    Member

  • Topic Starter
  • 25 posts
Hi Trevuren,

I did what you asked me to do. I couldn't delete:

delprot.ini (access is denied)
isrvs (it contains edmond and access is denied to the latter)
delprot.sys (Norton pops up its virus alert once I click on this one and it gets hard to get rid of the alert windows!)

Here is my new log:

Logfile of HijackThis v1.99.1
Scan saved at 7:07:56 PM, on 28/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Is it still as bad as it used to be?? :tazz:
  • 0

#28
Trevuren


    Old Dog

  • Retired Staff
  • 18,699 posts
No change, unfortunately.

Please go to this site, register and where they ask for a corporation name just put anything.

Let the program scan your full system and delete everything it finds. If there is a report available please submit it in your next reply.

Regards,

Trevuren

  • 0
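
Comparing two HijackThis logs entry by entry, as an added example that is not part of the original thread: it parses the numbered R/O entries from a log taken before a fix and one taken after, and reports which entries mentioning a given path fragment were removed, persist, or are new. BEFORE is excerpted from the logs posted above; the CLEAN log and the function names are constructed for this example.

```python
import re

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # e.g. "O4 - HKLM\..\Run: ..."

# Lines excerpted from the two HijackThis logs posted in the thread.
BEFORE = r'''
Running processes:
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
'''
AFTER = BEFORE  # the log posted after the fix carries the same entries

# Constructed for contrast: a log in which the flagged entries are gone.
CLEAN = r'''
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
'''


def parse_hjt(log_text):
    """Return the set of (section, detail) entries; process lines are skipped."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries


def compare(before, after, marker):
    """Split the entries that mention `marker` into removed/persisting/new."""
    def hit(entry):
        return marker.lower() in entry[1].lower()

    old = {e for e in parse_hjt(before) if hit(e)}
    new = {e for e in parse_hjt(after) if hit(e)}
    return {
        "removed": sorted(old - new),
        "persisting": sorted(old & new),
        "new": sorted(new - old),
    }


if __name__ == "__main__":
    for label, log in (("posted log", AFTER), ("clean log", CLEAN)):
        result = compare(BEFORE, log, "\\isrvs\\")
        print(label, {k: len(v) for k, v in result.items()})
```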

#29
JuJu

    Member

  • Topic Starter
  • 25 posts
Hi Trevuren,

I ran Kaspersky, and I got the following report: (15 VIRUSES ;) ) (It doesn't allow me to clean them! just send them to their lab for analysis..which I didn't do because I am not sure what confidential info they might contain!):

-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Tuesday, June 28, 2005 21:08:57
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 29/06/2005
Kaspersky Anti-Virus database records: 128187
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 61796
Number of viruses found: 15
Number of infected objects: 43
Number of suspicious objects: 6
Duration of the scan process: 4308 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Scorpion\Application Data\noun ping kind\Else multi defy.exe Infected: Trojan-Downloader.Win32.Swizzor.cb
C:\Documents and Settings\Scorpion\Application Data\noun ping kind\Iso that fast axis.exe Infected: Trojan-Downloader.Win32.Swizzor.ca
C:\Program Files\Norton AntiVirus\Quarantine\00881C00 Infected: Trojan-Downloader.Win32.Small.ru
C:\Program Files\Norton AntiVirus\Quarantine\017B56E4 Infected: Trojan-Downloader.Win32.Small.ru
C:\Program Files\Norton AntiVirus\Quarantine\0CCB3856 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\0D7C1394/[From 00000e75@hotmail.com][Date Wed, 23 Mar 2005 14:37:02 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\0D7C1394/[From 00000e75@hotmail.com][Date Wed, 23 Mar 2005 14:37:02 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\0D7C1394 Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\10063428.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\103729F2.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\1085199C.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\10B36569.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\10CD354D.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\10FB011A.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\111550FD.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\13946B2B Infected: Trojan-Downloader.Win32.Ieser.a
C:\Program Files\Norton AntiVirus\Quarantine\1B976A5A Infected: Trojan-Downloader.Win32.Qoologic.d
C:\Program Files\Norton AntiVirus\Quarantine\1BA16850 Infected: Trojan-Downloader.Win32.Qoologic.f
C:\Program Files\Norton AntiVirus\Quarantine\1BA73C48 Infected: Trojan-Downloader.Win32.Qoologic.f
C:\Program Files\Norton AntiVirus\Quarantine\1BCF341D Infected: Trojan-Downloader.Win32.Qoologic.d
C:\Program Files\Norton AntiVirus\Quarantine\1C9C37F3 Infected: Trojan-Downloader.Win32.Stubby.c
C:\Program Files\Norton AntiVirus\Quarantine\2B977B79 Infected: Trojan-Downloader.Win32.Small.ru
C:\Program Files\Norton AntiVirus\Quarantine\2E98202C Infected: Trojan-Downloader.Win32.Small.ru
C:\Program Files\Norton AntiVirus\Quarantine\2FD8760C Infected: Trojan-Downloader.Win32.Small.ru
C:\Program Files\Norton AntiVirus\Quarantine\30B10ED0 Infected: Trojan-Downloader.Win32.Wintool.f
C:\Program Files\Norton AntiVirus\Quarantine\3B9472C4 Infected: Trojan-Downloader.Win32.Small.ru
C:\Program Files\Norton AntiVirus\Quarantine\3D6C5167/thanks7.exe Infected: Trojan.Win32.StartPage.tv
C:\Program Files\Norton AntiVirus\Quarantine\3D6C5167 Infected: Trojan.Win32.StartPage.tv
C:\Program Files\Norton AntiVirus\Quarantine\415465E6 Infected: Trojan-Downloader.Win32.Qoologic.f
C:\Program Files\Norton AntiVirus\Quarantine\4ABB7B3F Infected: Trojan-Downloader.Win32.Wintool.f
C:\Program Files\Norton AntiVirus\Quarantine\55206FE5 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\554E3BB3/[From 000343d9@hotmail.com][Date Sun, 20 Mar 2005 12:04:19 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\554E3BB3/[From 000343d9@hotmail.com][Date Sun, 20 Mar 2005 12:04:19 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\554E3BB3 Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\5A7775F8 Infected: Trojan-Downloader.Win32.Small.ru
C:\Program Files\Norton AntiVirus\Quarantine\6AA73D7C Infected: Trojan-Downloader.Win32.Qoologic.f
C:\Program Files\Norton AntiVirus\Quarantine\6D3D049A/data0008 Infected: Trojan-Downloader.Win32.Ieser.a
C:\Program Files\Norton AntiVirus\Quarantine\6D3D049A/data0010 Infected: Trojan.Win32.Delprot.a
C:\Program Files\Norton AntiVirus\Quarantine\6D3D049A/data0011 Infected: Trojan.Win32.Delprot.a
C:\Program Files\Norton AntiVirus\Quarantine\6D3D049A Infected: Trojan.Win32.Delprot.a
C:\Program Files\Norton AntiVirus\Quarantine\733623C9 Infected: Trojan-Downloader.Win32.Stubby.c
C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP19\A0004790.exe Infected: Trojan-Downloader.Win32.Swizzor.bo
C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP19\A0004791.exe Infected: Trojan-Downloader.Win32.Swizzor.ca
C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP19\A0004792.exe Infected: Trojan-Downloader.Win32.Swizzor.cb
C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP24\A0008173.dll Infected: Trojan-Downloader.Win32.Agent.br
C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP40\A0011214.exe Infected: Trojan-Downloader.Win32.Swizzor.bo
C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP40\A0011215.exe Infected: Trojan-Downloader.Win32.Swizzor.ca
C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP40\A0011216.exe Infected: Trojan-Downloader.Win32.Swizzor.cb
C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP48\A0014083.exe Infected: Trojan-Downloader.Win32.Swizzor.bo

Scan process completed.


I think the situation is really bad :tazz:
  • 0
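
A triage pass over a scan report of this shape, as an added example that is not part of the original thread: it groups detections by where the file sits (the Norton quarantine folder, a System Restore snapshot, or a live directory) and counts an archive and its nested members as one file. The sample lines are excerpted from the report above; the bucket names and function names are this example's own.

```python
import re
from collections import defaultdict

# "<path> Infected: <name>" or "<path> Suspicious: <name>"
LINE = re.compile(r"^(.*?) (Infected|Suspicious): (\S+)$")

# Lines excerpted from the Kaspersky report posted in the thread.
SAMPLE = r'''
C:\Documents and Settings\Scorpion\Application Data\noun ping kind\Else multi defy.exe Infected: Trojan-Downloader.Win32.Swizzor.cb
C:\Documents and Settings\Scorpion\Application Data\noun ping kind\Iso that fast axis.exe Infected: Trojan-Downloader.Win32.Swizzor.ca
C:\Program Files\Norton AntiVirus\Quarantine\0CCB3856 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\0D7C1394 Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\6D3D049A/data0010 Infected: Trojan.Win32.Delprot.a
C:\Program Files\Norton AntiVirus\Quarantine\6D3D049A Infected: Trojan.Win32.Delprot.a
C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP19\A0004790.exe Infected: Trojan-Downloader.Win32.Swizzor.bo
C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP24\A0008173.dll Infected: Trojan-Downloader.Win32.Agent.br
'''


def bucket_of(path):
    """Classify a file by location (bucket names are this example's own)."""
    p = path.lower()
    if "\\quarantine\\" in p:
        return "quarantined"
    if "\\system volume information\\_restore" in p:
        return "restore-point"
    return "live"


def summarize(report):
    """Per bucket: number of distinct files and the detection names seen."""
    files, names = defaultdict(set), defaultdict(set)
    for line in report.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # header, statistics or blank line
        path, _verdict, name = m.groups()
        # The report lists nested members as "container/member";
        # count the container once.
        container = path.split("/", 1)[0]
        bucket = bucket_of(container)
        files[bucket].add(container.lower())
        names[bucket].add(name)
    return {b: {"files": len(files[b]), "detections": sorted(names[b])}
            for b in files}


if __name__ == "__main__":
    for bucket, info in summarize(SAMPLE).items():
        print(bucket, info["files"], ", ".join(info["detections"]))
```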

#30
Trevuren


    Old Dog

  • Retired Staff
  • 18,699 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Before we start, make sure that you backup all your important data in case we run into major trouble.

The following link will provide you with all the information concerning the virus/trojan itself as well as the best description around as far as how to use the programs. CalamityJane's Treatment

I would advise you to print the article out so as to have it at your fingertips. Follow the instructions to the letter. When they mean SAFE MODE do it.
When they say DISCONNECT FROM THE INTERNET do it.

When you are all finished your chores, return to this thread and post a fresh HJT log. We will start cleaning up the remnants.

Regards,

Trevuren

  • 0





