Trojan Horse - Need help to clean it

I have a trojan horse on my laptop and Avast always informs me that it's there and no other actions are required.

Can someone here help me to remove it?

Location C:\User\Name\AppData\Local\Temp\iswizard\wuaudit.exe

Thanks,

Paulo Pereia

Hi,

Please download zoek.exe from here or here and save it to your Desktop.

[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this instruction.

  1. Open notepad and copy/paste the text present inside the code box below.
    To do this highlight the contents of the box and right click on it. Paste this into the open notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.



process;
srinfo;
installedprogs;
DIR /S /A:L "%systemdrive%\*">>"%temp%\log.txt";b
filesrcm;
startupall;
C:\Windows\system32\services.exe;i
C:\Windows\SysNative\services.exe;i
skipfix-iedefaults;
firefoxlook;
chromelook;


  2. Save notepad as zoekscript.txt

http://www.mcshield.net/personal/magna86/Images/zoekscript_big.gif

[*] Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag zoekscript.txt into zoek.exe.
Zoek will run. When finished, it will produce a zoek-results.log for you.
Note: It will also create a log in the C:\ directory named "zoek-results.log".

Please attach it to your reply.

Thanks for your help,

I'm running zoek now for a few minutes. Do you know how long it takes to produce the log file?

regards

PJP

The log file.

Zoek.exe Version 4.0.0.4 Updated 10-July-2013
Tool run by Dv7-7003 on 12-07-2013 at 14:21:52,58.
Microsoft Windows 7 Home Premium 6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected

==== System Restore Info ======================

12-07-2013 14:22:25 Zoek.exe System Restore Point Created Succesfully.

==== File Information Results ======================

— C:\windows\SysNative\services.exe —
Company: Microsoft Corporation
File Description: Aplicação de serviços e controlo
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Product Name: Sistema operativo Microsoft® Windows®
Copyright: © Microsoft Corporation. Todos os direitos reservados.
Original Filename: services.exe.mui
File type: ----a-w-
File size: 328704
Created time: 2009-07-13 23:19:46
Modified time: 2009-07-14 01:39:37
MD5: 24ACB7E5BE595468E3B9AA488B9B4FCB
SHA1: A5B16A7D28D2BA79A9CCFC16ED480AD75A757166

Thanks again.

The log file attached.
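The helper asked Zoek for file information on services.exe (the `;i` lines in the script), and the log above answers with version, size and hashes. Checking such a block by hand is error-prone, so here is an added example (not part of the thread and not Zoek's own code) that parses the "File Information Results" section and compares the reported size and hashes against an allowlist keyed by file version. The allowlist is constructed for illustration: its only entry is transcribed from the services.exe block posted above, so the check passes on that input and fails on a tampered copy. The sample log uses `---` as the block delimiter; the parser also accepts the `—` the forum rendered.

```python
"""Parse the "File Information Results" section of a Zoek results log and
check each reported file against a small allowlist.

Added example: not part of the forum thread and not Zoek's own code.
"""
import re

# Constructed sample input: the File Information block from the posted log.
SAMPLE_LOG = """\
==== File Information Results ======================

--- C:\\windows\\SysNative\\services.exe ---
Company: Microsoft Corporation
File Description: Aplicação de serviços e controlo
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Product Name: Sistema operativo Microsoft® Windows®
Copyright: © Microsoft Corporation. Todos os direitos reservados.
Original Filename: services.exe.mui
File type: ----a-w-
File size: 328704
Created time: 2009-07-13 23:19:46
Modified time: 2009-07-14 01:39:37
MD5: 24ACB7E5BE595468E3B9AA488B9B4FCB
SHA1: A5B16A7D28D2BA79A9CCFC16ED480AD75A757166
"""

# Constructed allowlist: file version -> (size, MD5, SHA1), transcribed from
# the services.exe block above. A real allowlist would hold many versions.
KNOWN_GOOD = {
    "6.1.7600.16385 (win7_rtm.090713-1255)": (
        "328704",
        "24ACB7E5BE595468E3B9AA488B9B4FCB",
        "A5B16A7D28D2BA79A9CCFC16ED480AD75A757166",
    ),
}

HEADER_RE = re.compile(r"^(?:—|-{2,})\s*(.+?)\s*(?:—|-{2,})$")
FIELD_RE = re.compile(r"^([A-Za-z0-9 ]+):\s*(.*)$")


def parse_file_info(log_text):
    """Return {path: {field: value}} for every file block in the section."""
    entries = {}
    current = None
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("==== "):            # section banner
            in_section = "File Information Results" in line
            current = None
            continue
        if not in_section or not line:
            continue
        m = HEADER_RE.match(line)
        if m:                                   # "--- <path> ---" starts a block
            current = m.group(1)
            entries[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:           # "Key: value" inside a block
            entries[current][m.group(1)] = m.group(2)
    return entries


def check_entry(info):
    """Return a list of findings for one parsed block (empty list = clean)."""
    findings = []
    md5 = info.get("MD5", "")
    sha1 = info.get("SHA1", "")
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", md5):
        findings.append("MD5 missing or malformed")
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", sha1):
        findings.append("SHA1 missing or malformed")
    if info.get("Company") != "Microsoft Corporation":
        findings.append("unexpected Company field")
    expected = KNOWN_GOOD.get(info.get("File Version", ""))
    if expected is None:
        findings.append("file version not in allowlist; verify manually")
    else:
        size, exp_md5, exp_sha1 = expected
        if info.get("File size") != size:
            findings.append("size differs from allowlist")
        if md5.upper() != exp_md5 or sha1.upper() != exp_sha1:
            findings.append("hash differs from allowlist: possible patched binary")
    return findings


def triage(log_text):
    """Map each file path in the log to its findings."""
    return {path: check_entry(info) for path, info in parse_file_info(log_text).items()}


if __name__ == "__main__":
    for path, findings in triage(SAMPLE_LOG).items():
        print(path, "->", findings or "clean")
```

A system binary whose version string is in the allowlist but whose hash is not is the case worth escalating: the version resource is trivial to leave intact while the code is modified, which is why the hash, not the version, decides.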

Re-run Zoek Script:

[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this instruction.

  1. Open notepad and copy/paste the text present inside the code box below.
    To do this highlight the contents of the box and right click on it. Paste this into the open notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


emptyclsid;
C:\Users\Dv7-7003\AppData\Local\Temp\tsiVi032.dll;f
C:\Documents and Settings\Dv7-7003\AppData\Local\Temp\iswizard;f
resethosts;
[HKEY_USERS\S-1-5-21-2502020565-2437927774-3813257311-1001\Software\Microsoft\Windows\CurrentVersion\Run];r
"tsiVideo"=-;r
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run];r
"ApnUpdater"=-
C:\Program Files (x86)\Ask.com;fs
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run];r
"tsiVideo"=-;r
resetIEproxy;
toolbar@ask.com;ff
{411beae9-8c58-477c-8903-201536f61512};ff
FFdefaults;
dhkplhfnhceodhffomolpfigojocbpcb;chr
C:\Users\Dv7-7003\AppData\Roaming\BabylonToolbar;fs
gladcbhcbkdeddbidiblppadjdjalidb;chr
autoclean;
C:\Program Files (x86)\DownTangoFTToolbar;fs
chrdefaults;
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}];r
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}];r
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AE3600F4-C3C5-42A3-BDF3-D63EF757AB44}];r
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}];r
emptyalltemp;


  2. Save notepad as zoekscript.txt

http://www.mcshield.net/personal/magna86/Images/zoekscript_big.gif

[*] Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag zoekscript.txt into zoek.exe.
Zoek will run. When finished, it will produce a zoek-results.log for you.
Note: It will also create a log in the C:\ directory named "zoek-results.log".

Please attach it to your reply.

Dear,

The log file attached.

thanks

Hi,
Zoek did a fantastic job… again. :slight_smile:

On your Desktop you should have a file named:
C:\Users\Public\Desktop\sample__2220.zip
[the zip file is password-protected for your own safety]
Can you please upload that file at http://www.wikisend.com and paste the download link here.

Tell me, after running this second Zoek script, how is your computer running now?

Re-check:

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

the link to download

http://wikisend.com/download/392770/sample__2220.zip

here are the txt files requested.

Regarding the question about how the computer is going, I can say that since this second script there have been no warnings from Avast.

You said that Zoek has done a fantastic job, but my friend, you have done an amazing job.

I did not understand anything of what you have done, but it works, yes… great job. Thanks a lot for your help.

We will re-run FRST now with its script just to remove some leftovers. After that we will check for possible USB-based malware.

  1. Open notepad and copy/paste the text present inside the code box below.
    To do this highlight the contents of the box and right click on it. Paste this into the open notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


Start
MountPoints2: H - H:\Setup.exe
MountPoints2: {6fc8e465-7d6f-11e1-a8d4-806e6f6e6963} - F:\Autorun.exe
MountPoints2: {94f4bdd2-bc42-11e1-89f5-7ce9d3d05a61} - G:\AutoRun.exe
MountPoints2: {94f4bdf0-bc42-11e1-89f5-7ce9d3d05a61} - G:\AutoRun.exe
HKLM-x32 SearchScopes: DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.certified-toolbar.com?si=41460&bs=true&tid=2937&q={searchTerms}
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.certified-toolbar.com?si=41460&bs=true&tid=2937&q={searchTerms}
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
End

  2. Save notepad as fixlist.txt
    NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

  3. Run FRST/FRST64 and press the Fix button just once and wait.
    If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
    The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

=========== THEN ===========

Check USB storage devices / removable drives

Download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

[*] Double click MCShield-Setup to install the application.
[*] Wait a few seconds for MCShield to finish the initial scan.
Recommendation: under the General and Scanner tabs, click the Defaults button to choose the recommended options.
[*] Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, you need to attach the log report that MCShield has made.

Start → All Programs → MCShield → Logs

Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.
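The FRST fixlist above removes three kinds of entry: MountPoints2 shell entries that launch an executable from a drive root (the autorun pattern the USB check that follows is about), SearchScopes entries that redirect Internet Explorer searches to a non-default host, and a Toolbar CLSID whose file no longer exists. The following added example (not part of the thread and not FRST's own code) parses lines in the formats shown in that fixlist and attaches a flag to each, so a reviewer can see why each line was selected before running a fix. The sample input is the fixlist posted above; the set of "default" search hosts is a constructed allowlist and the line formats handled are only those that appear there.

```python
"""Triage FRST fixlist lines: MountPoints2 autorun references, SearchScopes
search-provider URLs and orphaned Toolbar CLSIDs.

Added example: not part of the forum thread and not FRST's own code.
"""
import re
from urllib.parse import urlsplit

# Constructed sample input: the fixlist posted in the thread.
SAMPLE_FIXLIST = """\
Start
MountPoints2: H - H:\\Setup.exe
MountPoints2: {6fc8e465-7d6f-11e1-a8d4-806e6f6e6963} - F:\\Autorun.exe
MountPoints2: {94f4bdd2-bc42-11e1-89f5-7ce9d3d05a61} - G:\\AutoRun.exe
MountPoints2: {94f4bdf0-bc42-11e1-89f5-7ce9d3d05a61} - G:\\AutoRun.exe
HKLM-x32 SearchScopes: DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.certified-toolbar.com?si=41460&bs=true&tid=2937&q={searchTerms}
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.certified-toolbar.com?si=41460&bs=true&tid=2937&q={searchTerms}
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
End
"""

# Constructed allowlist of search hosts treated as expected defaults.
DEFAULT_SEARCH_HOSTS = {"www.bing.com", "www.google.com"}

MOUNTPOINT_RE = re.compile(r"^MountPoints2:\s*(\S+)\s+-\s+(.+)$")
SEARCHSCOPE_RE = re.compile(r"SearchScopes:.*?(\{[0-9A-Fa-f-]+\})\s+URL\s*=\s*(\S+)")
TOOLBAR_RE = re.compile(r"^Toolbar:\s*(\S+)\s+-\s+(.+?)\s+-\s+(\{[0-9A-Fa-f-]+\})\s+-\s+(.+)$")
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")   # e.g. H:\Setup.exe


def classify_line(line):
    """Classify one fixlist line; returns None for lines that are not entries."""
    line = line.strip()
    m = MOUNTPOINT_RE.match(line)
    if m:
        key, target = m.groups()
        # A shell MountPoints2 entry that runs an .exe sitting at the root of a
        # drive is the classic autorun pattern on removable media.
        flag = None
        if DRIVE_ROOT_RE.match(target) and target.lower().endswith(".exe"):
            flag = "shell autorun entry runs an executable from a drive root"
        return {"kind": "MountPoints2", "key": key, "target": target, "flag": flag}
    m = SEARCHSCOPE_RE.search(line)
    if m:
        clsid, url = m.groups()
        host = urlsplit(url).hostname or ""
        flag = None
        if host not in DEFAULT_SEARCH_HOSTS:
            flag = "search provider points at non-default host " + host
        return {"kind": "SearchScopes", "key": clsid, "target": url, "flag": flag}
    m = TOOLBAR_RE.match(line)
    if m:
        hive, name, clsid, path = m.groups()
        flag = None
        if path.strip().lower() == "no file":
            flag = "toolbar CLSID registered but its file is missing"
        return {"kind": "Toolbar", "key": clsid, "target": path.strip(), "flag": flag}
    return None


def triage_fixlist(text):
    """Return the entries between Start and End, each with its flag attached."""
    entries = []
    active = False
    for raw in text.splitlines():
        s = raw.strip()
        if s == "Start":
            active = True
            continue
        if s == "End":
            break
        if active:
            entry = classify_line(s)
            if entry is not None:
                entries.append(entry)
    return entries


def summarize(entries):
    """Count flagged entries per kind."""
    counts = {}
    for e in entries:
        if e["flag"]:
            counts[e["kind"]] = counts.get(e["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for e in triage_fixlist(SAMPLE_FIXLIST):
        print(e["kind"], e["key"], "->", e["flag"] or "no flag")
    print(summarize(triage_fixlist(SAMPLE_FIXLIST)))
```

Every line in the posted fixlist comes back flagged, which is the expected result for a list a helper has already vetted; the value of the check is on a fresh FRST log, where unflagged MountPoints2 or SearchScopes lines can be left alone and only the flagged ones need a decision.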

the files requested.

Looks good. How is your computer running now?

Dear friend.

Since yesterday no warnings from Avast. I think that it's absolutely clean.

Fantastic job from your side.

Thanks for your help. Glad to have someone like you to help guys like me. I'm using computers about 10 hours a day, but mostly in design software. I don't understand anything about programming and so on… so it's really nice to have someone to help us on these matters.

Once again please accept my thanks, and whenever you need some help in electrical projects or IT, please don't hesitate to ask… :wink:

Thanks. :wink:

We will remove used tools:

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below:

[*] Remove disinfection tools
[*] Create registry backup
[*] Purge System Restore

Now click on the "Run" button. Wait until the programme completes its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored on C:\DelFix.txt

I don’t need DelFix log report.

I recommend that you keep MCShield.
It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And it will not only prevent infection, but will immediately clean a memory card or external HDD.

Done. thanks