Yes, my hard drive has been dying for 3 years now. I have kept it running by daily using Ccleaner, Spybot S & D, Disk Clean Up, and Disk Defrag, and running Disk Check once a week. The loud clicking noises have only been happening since the trojans appeared on my computer. I don’t think we have removed the dialer trojan or the one that shuts down the computer. (I had a few mini strokes several years ago and today is one of those days when it is very hard to think.) I don’t know where the trojans are located, I just have the names. I’ll check back tomorrow to see if you have any suggestions.
Sorry to hear you're feeling under the weather. I would start from the beginning, scan with one program at a time and report the findings. All programs produce logs. You could copy/paste them if any malware is found. There is no need to run programs that have found nothing, and your HJT log produced nothing.
Kaspersky online http://www.kaspersky.co.uk/virusscanner
Run a full scan of MalwareBytes Antimalware
Drweb Cureit latest download http://www.freedrweb.com/
Nod 32 Online http://www.eset.co.uk/ThreatCenter/OnlineScanner
Avira anti rootkit (second from the bottom of downloads) http://www.avira.com/en/support/support_downloads.html
If any files are infected, post their names and locations. Best of luck
Thank you micky77. I turned on System Restore. I will run all the scans again. I have everything I want to keep on the external hard drive. I am thinking of buying a new/used (new to me) computer in the next few months and I don’t want to take any trojans with me. So, I have to make sure there aren’t any on the external hard drive.
Yesterday, Kaspersky released a new anti-virus scanner and removal tool. I found it while looking for something else on majorgeeks.com.
http://majorgeeks.com/Kaspersky_Virus_Removal_Tool_d4515.html
The scan took 5 hours. When it found the trojan it made a noise. When it tried to disinfect the trojan, the trojan squealed like a pig (the sound effects are cute). It was unable to disinfect the trojan or move it, so it deleted it. The log is too large to paste here. Is there a way to attach the log? I think my problem is solved but I thought you may want to see the log. Anyway, thank you one and all for your help.
You can post the log here by using the “copy & paste” method over 2 or more posts
OR
you can attach it to one post as I have done by clicking on “Additional Options” below the posting box.
Click the image below to enlarge.
My computer is telling me this file is 93 mb. I attached a screen shot.
There isn’t any way to post that log. Here is a log from Arovax Antispyware:
Scan log. Started at 03.21.2009 11:55:47
Start Processes scan
Completed Processes scan
Total items scanned: 39
Items found: 0
Start Registry scan
Name: Adware.Emusic
Software\Microsoft\Internet Explorer\Toolbar
Name: Spyware.Realspy
SOFTWARE\Classes\ActiveSkin4.Skin
Name: Spyware.Realspy
SOFTWARE\Classes\ActiveSkin4.Skin.1
Name: Spyware.Realspy
SOFTWARE\Classes\ActiveSkin4.SkinLabel
Name: Spyware.Realspy
SOFTWARE\Classes\ActiveSkin4.SkinLabel.1
Name: Spyware.WALogger
SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility{ADB880A6-D8FF-11CF-9377-00AA003B7A11}
Name: Spyware.SnoopStick
SYSTEM\ControlSet001\Services\WS2IFSL
Name: Spyware.EmailSpy
SYSTEM\CurrentControlSet\Services\VxD
Name: Spyware.SnoopStick
SYSTEM\CurrentControlSet\Services\WS2IFSL
Name: UNKNOWN - ehTray [ c:\windows\ehome\ehtray.exe ]
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: UNKNOWN - dldtmon.exe [ "c:\program files\dell v305\dldtmon.exe ]
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: UNKNOWN - dldtamon [ "c:\program files\dell v305\dldtamon.exe ]
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: UNKNOWN - a-squared [ "c:\program files\a-squared anti-dialer\a2adguard.exe ]
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: UNKNOWN - a-squared Anti-Dialer [ "c:\program files\a-squared anti-dialer\a2adguard.exe ]
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: UNKNOWN - DllName [ %systemroot%\system32\dimsntfy.dll ]
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy
Completed Registry scan
Total items scanned: 25139
Items found: 15
Start Hosts file scan
Completed Hosts file scan
Total items scanned: 1
Items found: 0
Start Cookies scan
Completed Cookies scan
Total items scanned: 441
Items found: 0
Start File system scan
Name: Email-Worm.Win32.Kipis.u
C:\WINDOWS\REGEDIT.COM
Completed File system scan
Total items scanned: 5014
Items found: 1
Scanning Finished. 03.21.2009 11:57:15
I have installed an anti-dialer which I hope will help, my phone bill had an extra $100.00 added to it, I’ll call the phone company Monday to find out why. I think I will go down the list on majorgeeks.com until I feel I have finally removed all the trojans. These things seem to be masters of disguise.
Well everything related to ActiveSkin4 to put it bluntly is rubbish as that is the skinning software used by avast for the skins in the simple user interface, etc.
I’m none too familiar with Arovax Antispyware; I tend to stick with the known and what I consider to be the main contenders, SAS and MBAM. So I can’t say how accurate the results are other than the ones relating to ActiveSkin4 as I mentioned.
However, the c:\windows\regedit.com is suspect as the normal file in that location would be regedit.exe so it could quite easily be malware.
Check the suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here in the topic, the URL in the Address bar of the VT results page.
Send the sample to virus@avast.com zipped and password protected with the password in email body, a reference to this topic (give URL) and undetected malware in the subject.
Is it?
http://www.symantec.com/security_response/writeup.jsp?docid=2004-112917-4626-99&tabid=2
Have you installed a commercial keylogger?
I believe so yes.
It is on my system and since the security response mentions this in relationship to File Names: Winrsm.exe,getyahoo.dll and that would be the key to a correct detection and neither of those were found by arovax antispyware in DebbieR’s scan.
Neither of those files mentioned are on my system either but the legitimate use of the activeskin4 software by avast are in my registry and both SAS and MBAM haven’t batted an eyelid.
Debbie
Malware Bytes Antimalware (free) seems like pretty good software to me… I got it off download.com
No offense 8) but your usual ways to get rid of malware haven’t gotten rid of the problem. I can’t do as you suggested DavidR because Arovax Antispyware corrected those problems. I do have the dialer shield now and I hope it works ;D, I’ve never had so many problems getting rid of bugs before!
I would have hoped that a good anti-spyware would have quarantined it or had the option to restore any changes it made ???
A very good advert for having a robust Back-up & Recovery Strategy ;D
I thought I did.
Check out this post, I did on another topic relating to back-up and recovery.
I was looking through my C drive to see if anything was new when I found this, anyone know what it is:
WHATSNEW.TXT
version 7.1.1
- fix incorrect virus name I-Worm.Opasoft to Worm.Win32.Opasoft
- added Worm.Win32.Opasoft.a (Brasil)
version 7.1.2
- fixed uncommon problem when some PC (Windows NT/2000/XP) can not enumerate
processes and performed illegal operation (infrequent failure).
version 8.2.0
- added unpacking .EML files with BASE64 format and checking attached files.
- added I-Worm.Lentin.h,i,j and Worm.Win32.Opasoft.e,a(some modification).
- fixed function of finding infected registry.
- fixed function of deleting used files on Windows 9x OS.
- added I-Worm.Avron.a,b,c
- added /mirc command line switch to delete/disinfect mIRC scripts.
- fixed incorrect parsing of some process names and registry links to make
right file path.
version 9.0.0
- added Worm.Win32.Opasoft.f,g
version 9.0.1
- show scanned object on the screen
- added Worm.Win32.Opasoft.h, I-Worm.Lentin.k,l,m, I-Worm.LovGate.a,b,c,d
- added /nr command line switch not to reboot system automatically if utility
needed this
version 9.0.3
- excluded scanning of EML files
- added I-Worm.Lentin.n,o,p
- added “I/O error” message for files which can not be opened
- added command line switch /Rpt[ao][=] to create report file
a - add report file, o - report only (do not cure/delete infected files)
version 10.0.1
- fixed problem curing of I-Worm.Tanatos virus
- added I-Worm.LovGate.e,f,g,h,i,j,k,l,
I-Worm.Avron.d,e,
I-Worm.Fizzer,
I-Worm.Tanatos.b
- improved scanning processes and modules in memory
- added unhooking virus hooks
version 10.0.3
- restored support of Windows 95 operation system
- added utility file sign checking
- changed command line switches for scanning force
new keys /s - force scanning local folders
/sn - force scanning local folders and network drives
- added I-Worm.Magold.a,b,c,d,e
- added checking mIRC and Pirch start scripts
version 10.0.5.2
- restore registry keys
exefile\shell\open\command
comfile\shell\open\command
batfile\shell\open\command
piffile\shell\open\command
scrfile\shell\open\command
to default value ""%1" %*" in any cases.
- improved starting utility from network
- added full curing of multiple infected files
- added Worm.Win32.Lovesan virus
version 10.0.5.4
- added Worm.Win32.Welchia and I-Worm.Sobig.f viruses
version 10.0.6.2
- added I-Worm.Dumaru.a-d, Trojan.Win32.SilentLog.a-b and Backdoor.Small.d
version 10.0.6.3
- fixed starting utility from command line without file extension.
- added I-Worm.Swen virus
version 10.1.0.2
- added Backdoor.Afcore.l-r viruses
- added scanning NTFS streams of files and folders
version 10.1.0.4
- fixed work with NTFS streams
- added some new variants of Worm.Win32.Lovesan
- fixed starting from write-protected places
- pack virus mask to prevent detection by other antivirus software
- added Worm.Win32.Opasoft.i-p and I-Worm.Sober
version 10.1.0.5
- added I-Worm.Sober.c
version 10.1.0.6
- added Backdoor.Afcore.s-ad viruses
version 10.1.0.7
- added I-Worm.Novarg virus
version 10.1.0.8
- I-Worm.Novarg virus renamed to I-Worm.Mydoom.a
- added I-Worm.Mydoom.b and I-Worm.Dumaru.e-m viruses
- fixed automatical system reboot under Windows 9x/ME
version 10.1.0.9
- added I-Worm.Torvid.d virus.
- added special file setassoc.reg to restore possibility of running
COM application in case virus corrupts such association (and
if there still persist REG file association)
version 10.1.1.0
- I-Worm.Torvid.d renamed to I-Worm.Torvil.d
- added I-Worm.Moodown.b virus
- added detection virus droppers in simple ZIP archives (created by
viruses itself)
version 10.1.1.1
- added I-Worm.Mydoom.e virus
version 10.1.1.2
- virus I-Worm.Moodown renamed to I-Worm.NetSky
- added I-Worm.NetSky.c virus
- added TrojanDownloader.Win32.Agent.j virus
version 10.1.1.3
- added I-Worm.NetSky.d virus
version 10.1.1.4
- added I-Worm.Bagle.a,b,c,d,e,f,g,h,i,j viruses
version 10.1.2.0
- added I-Worm.Bagle.n,o,p,q,r viruses
version 10.1.2.1
- added Worm.Win32.Sasser.a,b,c viruses
version 11.0.0.1
- added viruses
Backdoor.Agent.ac
Trojan.Win32.StartPage.fw
I-Worm.Bagle.z
Worm.Win32.Sasser.d,f
- added work with original system functions (protection from virus
stealth technology)
- added checking files with different security settings on NTFS
drives
version 11.0.0.2
- fixed problem of starting hard drive scan process even in case
there are no viruses in memory.