A trojan horse that doesn't go away

  1. The Trojan Horse was found on my computer one time when I started up the computer. It started about a week ago.
  2. I have no idea. I haven’t gone to any porn site, nor have I downloaded anything recently.
  3. Exact file name is:
  4. It said: "A TROJAN HORSE was found. But there is no reason to panic. Try the following: ‘move to chest’, ‘delete file’." The recommendation said "move to the chest".
  5. I did exactly what the recommendation said, and I restarted the computer, and the same thing happened. It seems, though, that whenever I delete this file, Windows Update crashes, which means the infected file was a Windows Update file. However, it seems that it comes up EVERY TIME I start up the computer (though not from standby mode), no matter whether I delete it or not.

I don’t know what I should do. It doesn’t make sense. Maybe there is another infected file that is infecting another file. I scanned my PC but nothing happened.

I suggest:

  1. Disable System Restore and reenable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast with archive scanning turned on.
  4. Use SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

Sorry, thanks for the info, but I don’t know what you’re really talking about… Can you explain it more simply? And how do I scan it with archives as well?

I’ll try to post more specifically:

  1. Disable System Restore on Windows ME, XP or Vista. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After rebooting, you can enable System Restore again after step 3.

  2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

  3. Schedule a boot-time scan with avast: start avast! > right-click the skin > Schedule a boot-time scanning. Select scanning of archives. Reboot. Another option is scanning in Safe Mode (repeatedly press F8 while booting).

  4. It will be good if you download, install, update and run SUPERantispyware or Spyware Terminator. Some users recommend AVG Antispyware or a-squared (take care about false positives).
    If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
    About legit antispyware applications and the bad ones: http://www.spywarewarrior.com/rogue_anti-spyware.htm#sites

  5. If you are still detecting any strange behavior, or even if you’re not sure you’re clean, it may be good to test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster (for XP/Vista). For XP: Panda.

  6. Also, if you are still detecting strange behaviors or you want to be sure you’re clean, making a HijackThis log to post here and, especially, scanning and submitting the RunScanner log to on-line analysis may help to identify the problem and the solution.

  7. After you’re clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features for spyware/adware cleaning and removal.

  8. Finally, when you’re clean, check for insecure applications with Secunia Software Inspector, so you can update them and avoid reinfection.

Thanks! How do I disable System Restore?

  1. Select Start > All Programs > Accessories > System tools > System Restore.
  2. On the dialogue box that appears select Create a Restore Point
  3. Click NEXT
  4. Enter a name e.g. Clean
  5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

  1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  2. In the Drop down box that appears select your main drive e.g. C
  3. Click OK
  4. The system will do some calculation and then display a dialogue box with tabs.
  5. Select the More Options Tab.
  6. At the bottom will be a System Restore box with a CLEANUP button; click this.
  7. Accept the warning and select OK again; the program will close and you are done.

Okay? So then how should I enable it again?

If you followed my instructions it wasn’t disabled, just flushed, leaving the one restore point that you created.

Sorry guys, thank you for the help, but nothing changed. Every time I start up the PC, the same trojan horse comes up.

infected file name: ntload.sys
location: C:\WINDOWS\system32
Virus: Win32:NTRootKit-B [trj]
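A file that reappears in System32 on every boot is normally being put back by something that is itself registered to start at boot: a kernel driver or service under HKLM\SYSTEM\CurrentControlSet\Services, or a user-mode autostart in one of the Run keys. As an added example, not from this thread and not an avast tool, the PowerShell below lists where a given file name is registered to load and reports whether the file is on disk right now and what it hashes to. The file name ntload.sys is taken from the post above; everything else (parameter name, output layout) is an assumption of the example. Run it from an elevated prompt so every service key is readable.

```powershell
# Added example, not from the thread or from avast: where is a suspect file registered to load at boot?
# Assumes the file name from the post; run from an elevated PowerShell so every service key is readable.
param([string]$Suspect = 'ntload.sys')

$hits = New-Object System.Collections.Generic.List[object]

# 1. The driver/service database. Type 1 = kernel driver, 2 = file-system driver, 16/32 = Win32 service;
#    Start 0 = boot, 1 = system, 2 = automatic, 3 = manual, 4 = disabled.
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($svc.ImagePath -and ("$($svc.ImagePath)" -like "*$Suspect*")) {
        $hits.Add([pscustomobject]@{
            Where     = "Services\$($_.PSChildName)"
            Type      = $svc.Type
            Start     = $svc.Start
            ImagePath = $svc.ImagePath
        })
    }
}

# 2. Classic user-mode autostarts: Run and RunOnce for the machine and the current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $vals = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $vals) { continue }
    foreach ($v in $vals.PSObject.Properties) {
        if ($v.Name -like 'PS*') { continue }          # PSPath, PSParentPath, ... are provider metadata
        if ("$($v.Value)" -like "*$Suspect*") {
            $hits.Add([pscustomobject]@{ Where = "$key\$($v.Name)"; Type = ''; Start = ''; ImagePath = $v.Value })
        }
    }
}

# 3. Is the file on disk right now, and what is it? Recording the hash lets the same sample be
#    recognised if it reappears after the next reboot.
$onDisk = Join-Path $env:SystemRoot "System32\$Suspect"
if (Test-Path -LiteralPath $onDisk -PathType Leaf) {
    $f = Get-Item -LiteralPath $onDisk -Force
    "{0}: {1} bytes, last written {2}" -f $onDisk, $f.Length, $f.LastWriteTime
    "SHA256 $((Get-FileHash -Algorithm SHA256 -LiteralPath $onDisk).Hash)"
} else {
    "$onDisk is not present at the moment (a file dropped at boot can be gone again while its loader stays registered)."
}

if ($hits.Count -eq 0) {
    "No service or Run entry references $Suspect; look further (scheduled tasks, Winlogon, other services that load it)."
} else {
    $hits | Format-Table -AutoSize
}
```

One caveat that matters for a detection named NTRootKit: a kernel rootkit that is already loaded can hide its own service key and file from a live system, so an empty result here is not proof of a clean machine. If the file keeps coming back but nothing is listed, examine the SYSTEM hive and the file system offline (from a boot CD or another installation), which is also why the boot-time scan and the Safe Mode steps above are suggested.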

Did you try the steps I’ve posted before?

Hi tech, yet again my favourite tool has this in its change log ;D

But first we must run SDFix, as it is a blended Delf/Haxdoor infection.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  1. Restart your computer.
  2. After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
  3. Instead of Windows loading as normal, the Advanced Options Menu should appear.
  4. Select the first option, to run Windows in Safe Mode, then press Enter.
  5. Choose your usual account.
  6. Open the extracted SDFix folder and double-click RunThis.bat to start the script.
  7. Type Y to begin the cleanup process.
  8. It will remove any trojan services and registry entries that it finds, then prompt you to press any key to reboot.
  9. Press any key and it will restart the PC.
  10. When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  11. Once the desktop icons load, the SDFix report will open on screen and also be saved into the SDFix folder as Report.txt (Report.txt will also be copied to the clipboard, ready for posting back on the forum).
  12. Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.

PRIOR TO THAT POST

Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop

  1. Please never rename ComboFix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  4. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause “unpredictable results”.
  5. Click on this link to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don’t know how to disable it, please ask.
  6. WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts. Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished. If there is no internet connection after running ComboFix, restart your computer to restore your connection.
  7. Double-click on combofix.exe and follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the “C:\ComboFix.txt” along with a new HijackThis log for further review.

Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.

Logs required : SDFix and Combofix

Okay. Thank you. I’ll do that then.

Okay, I did as you said, but the 3 log files are too long to post here. What should I do?

I restarted the PC and nothing wrong happened, so supposedly the bad stuff is gone and the virus/trojan/spyware thingy was successfully removed. I’ll keep an eye on it, and if anything happens again, I will post here.

Hi

You can either copy and paste them into multiple posts or use the additional options button on the reply page to attach them.

Here are the 3 .txt reports for SDFix, ComboFix, and HijackThis.

Well, that has got rid of that and has now revealed a Wareout infection.

Please download FixWareout from here:
http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure “Run fixit” is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don’t let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads, please post the text that will open (report.txt) and a new HijackThis log.

There will be other stuff to remove from SDFix, but I will do that next.

Hi,

The spyware program has just run its regular scan, and something I am not sure about has shown up in the final report.

Registry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DXDIIRegExe=dxdllreg.exe

Could anyone please advise what it is and how it is affecting my system/computer?
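The Run entry quoted above stores a bare file name with no directory, so the first thing to establish is which file on disk actually gets executed, and whether it is signed and by whom. As an added example, not from this thread, the PowerShell below reads that value, approximates the lookup order Windows applies to an unqualified name (an assumption of the example: System32, the Windows directory, then each PATH entry), and reports version information, Authenticode status and SHA-256 for every matching file. The key and value name come from the post; the script makes no claim about what dxdllreg.exe is, it only shows how to find out.

```powershell
# Added example, not from the thread: what does a Run-key value with no directory actually execute?
# Assumes the key and value name quoted in the post; pass other parameters for another entry.
param(
    [string]$Key       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    [string]$ValueName = 'DXDIIRegExe'
)

$cmd = (Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction Stop).$ValueName
"Command line stored in ${Key}\${ValueName}: $cmd"

# Executable token: a quoted path, or the first whitespace-delimited word.
if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+', 2)[0] }

if ([System.IO.Path]::IsPathRooted($exe)) {
    $candidates = @($exe)
} else {
    # Assumed approximation of the lookup order for an unqualified name: System32, the Windows
    # directory, then each PATH entry. A writable directory early in this list can shadow a real binary.
    $dirs = @((Join-Path $env:SystemRoot 'System32'), $env:SystemRoot) +
            @($env:Path -split ';' | Where-Object { $_ -and (Test-Path -LiteralPath $_) })
    $candidates = $dirs | ForEach-Object { Join-Path $_ $exe } | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf }
}

if (-not $candidates) {
    "No file named '$exe' is found on the search path: the entry is dangling, or the file is hidden or already removed."
    return
}

foreach ($path in @($candidates)) {
    $item   = Get-Item -LiteralPath $path -Force
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    [pscustomobject]@{
        Path      = $path
        Bytes     = $item.Length
        Modified  = $item.LastWriteTime
        Company   = $item.VersionInfo.CompanyName
        Product   = $item.VersionInfo.ProductName
        Signature = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer    = $signer
        SHA256    = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
    } | Format-List
}

if (@($candidates).Count -gt 1) {
    "More than one '$exe' is reachable; the first one listed is the one that runs. Inspect that one first."
}
```

Two things to read from the output: a value name that imitates a system component but resolves to an unsigned file outside System32, or a second copy of the same name earlier in the search path, is exactly the pattern that this kind of Run entry is used for. The hash is what you submit to an on-line analysis service, rather than describing the file in words.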


Welcome to the forums, shaba13. :slight_smile:

Please start a new thread for your problem. Using this thread might confuse the help given to another and to yourself.


Oh, I already had that program and ran it after SDFix and ComboFix.

Since you already had FixWareout, it may not have been the latest version, and when cleaning up it is best to be working with the latest versions of the tools.