I need help to remove the trojan, I’ve attached the Hijackthis log and combo fix log.
Will appreciate your help.
Hi
Unfortunately, you ran combofix more than once. I don’t know what was removed.
But we can clean up the remnants.
Open HJT, run a system scan only, and check-mark these lines if present:
O2 - BHO: (no name) - rsion - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
Close all other browsers/windows, click fix, close HJT.
Submit this file to virustotal: C:\EDNETW~1\wh_exec.exe
Please submit these files for analysis
To submit a file to virustotal, please click on this link,
then copy and paste the following into the "upload a file" box (one at a time if more than one file is listed):
C:\EDNETW~1\wh_exec.exe
C:\EDNETW~1\wh_hook.dll
Scroll down a bit and click "send file", wait for the results and post them in your next reply.
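As an added example (not part of this thread or of HijackThis itself), here is a small Python parser that picks out the same kind of orphaned HJT entries the fix above targets: BHO and toolbar entries with "(no file)" and services whose binary is "(file missing)". The sample log lines are constructed for the example and modelled on the entries quoted above.

```python
import re

# Constructed sample "system scan only" output, modelled on the thread's entries.
SAMPLE_HJT_LOG = """\
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\\Program Files\\Common Files\\Symantec Shared\\ccSvcHst.exe (file missing)
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\\WINDOWS\\system32\\spoolsv.exe
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HJT marks a registry entry whose target is gone with one of these strings.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_hjt_line(line):
    """Split one HJT line into its section (O2, O3, O23, ...) and ' - ' fields."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    return {"section": section, "fields": [f.strip() for f in rest.split(" - ")], "raw": line.strip()}


def classify_orphan(entry):
    """Return a summary if the entry points at a missing file, else None."""
    reason = next((mk for mk in ORPHAN_MARKERS if mk in entry["raw"]), None)
    if reason is None:
        return None
    clsid = CLSID.search(entry["raw"])
    if clsid:
        ident = clsid.group(0)                      # O2/O3: the CLSID is the remnant
    elif entry["section"] == "O23":
        ident = entry["fields"][-1].replace("(file missing)", "").strip()  # service binary path
    else:
        ident = entry["fields"][-2]                 # odd O2 entries such as "rsion"
    return {"section": entry["section"], "identifier": ident, "reason": reason}


def find_orphaned_entries(log_text):
    """List the registry remnants worth fixing: entries whose file no longer exists."""
    orphans = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        summary = classify_orphan(entry)
        if summary is not None:
            orphans.append(summary)
    return orphans
```

Entries that still point at an existing file (the Adobe BHO and the Print Spooler service above) are left alone; only the three remnants are reported.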
Thank you for taking the time in helping me, really appreciate it.
Additional info: it's found in C:\Windows\System32\capico.dll[upx]
I forgot to save the log file for combofix the first time I ran it. I hope I didn't do any damage.
Thanks again.
File wh_exec.exe received on 02.29.2008 13:38:57 (CET)
Current status: finished
Result: 0/32 (0%)
Additional information
File size: 81920 bytes
MD5: ad31f55cf96938b8d8665d76e2b89081
SHA1: 47560cf9a8c23b07ae50fdfa32551642330f65bc
PEiD: Armadillo v1.71
File wh_hook.dll_ received on 02.29.2008 13:55:55 (CET)
Current status: finished
Result: 0/32 (0%)
Additional information
File size: 36864 bytes
MD5: f4699625a0ec6b193584a2ff9702ea5e
SHA1: 7a1501abd9eca891e07890060b0d3045ea9cb2f1
PEiD: Armadillo v1.xx - v2.xx
No, no damage, it's just more difficult without knowing what combofix removed.
The only other thing I see are signs of an autorun infection. Did you have one before?
The only place I see it is in a couple of reg keys. I don’t see the associated file though.
I don’t see the BHO either.
Can you see if there is a log of some sort here: ComboFix-quarantined-files.txt. It would be on your C:\
Thanks
I found some files, see attachments.
Thanks.
Perfect, thank you, it was what I was looking for.
The BHO was removed by combofix as well as a couple of other files.
Do you have any type of USB devices: drives, phones, pen drives, etc.? As I mentioned, there is evidence of an autorun infection.
We can remove the mountpoints now, and the rest, if there is any, after you reply.
REGISTRY FIX
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{836c8104-3378-11db-8814-0008027f8d3c}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d95ea864-4980-11db-8866-0008027f8d3c}]
Next you will need to create the registry fix. To do that, copy and paste ALL of the above in the quote box into a Notepad file. Ensure there is no space above the REGEDIT4.
Then in Notepad go to FILE > SAVE AS, and in the SAVE AS TYPE dropdown box select ALL FILES.
Then in the FILE NAME box type fix.reg.
Make sure the box at the top is set to Desktop. Click Save.
This will create a fix.reg file on your desktop.
http://img127.imageshack.us/img127/433/regtg8.jpg
To use this file you will need to right-click the icon and select Merge; accept the warning if it appears and you are done.
I’ve done the registry fix. What should I do next?
What do you mean by type of USB devices, drives, etc.? Sorry, I'm not certain; do you mean like our digicam is connected to USB?
Thanks.
Any type of storage device that can be connected via USB: camera, phone, thumb drives, external hard drives, pen drives…
The mountpoints show something was attached with an autorun that points to a bad file.
Right now, the devices connected to USB are camera, mouse, and printer.
Do you have any others? The only one in that group that could be infected is the camera. Now, someone could have plugged in an infected device and it would show up in your log, even if the device is no longer attached.
The week it got infected, a friend used a diskette, but when I scanned it for viruses it said there's no virus. Could that be it? Because a few days after that a popup kept appearing from trustedantivirus every time I opened up the computer.
I don't believe the mountpoints would come from a floppy drive. We can protect your system somewhat with this program.
Download this program, Flash Drive Disinfector by sUBs from
http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.
This utility will do a couple of things. First it will remove any autorun.inf it finds. There shouldn't be one on a fixed HD anyway. It will create a SYSTEM protected, read-only, and perfectly harmless Autorun.inf file on any hard drive or removable storage device it finds when run. This file will not only help prevent future autorun infections, it will also deny any current Autorun infection the ability to restart.
Now then, on to the next problem. I don't see anything related to trustedantivirus. You said it pops up when you start the computer? Is it still doing this? We can use a different scanner if the problem is still there.
I've used the Flash_disinfector.exe. The pop-ups from trustedantivirus don't appear anymore; I think it was removed before, when I downloaded those anti-spyware programs.
The antispyware programs were Super antispy, spybot and adaware?
We can do a quick run with combofix and see if the file from the autorun is there.
Please follow all previous instructions regarding security programs.
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore your connection.
Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.
Copy and paste all the text in the quote box below into Notepad.
Click File, Save as…, set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt". Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.
File:: C:\WINDOWS\system32\netsvcs.exe
This will start ComboFix again. Close all browser windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
Yes, all those spyware programs, but I’ve already uninstalled spybot and spyware doctor.
I’ve also used Smitfraudfix before and CCleaner.
Here are the attachments: "log" is the log before "CFscript.txt"; "logafter" is the log after "CFscript.txt".
Thanks.
Looks good. The file may never have reached your computer or was removed by one of the scans you did, online perhaps.
Any problems now?
If not, you can clean up the tools now. You can keep Flash Disinfector or delete it if you wish.
ComboFix /u
Open HJT, click the Misc Tools button, slide the slider down, click Uninstall. You will have to delete hijackthis.exe.
Create a new restore point
You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, then click Create.
Click the download button on the right.
If the Information Bar pops up, right-click on it and say it's OK to display the blocked content.
You do not have to install the Java Web Start ActiveX Control.
Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and Save the file jre-6u4-windows-i586-p.exe to your desktop; do not Run it. Do not install it yet.
When the download is complete, Open Control Panel > Add/Remove Programs:
Uninstall anything that says Sun Java, Java JRE, or similar.
Close Add/Remove Programs.
In Windows Explorer, navigate to C:\Program Files\Java (this folder, if found). Delete any subfolders it may contain.
Do NOT delete C:\Program Files\JavaVM (this folder), if found!
Reboot your computer.
Double-click on the saved file to install the update.
Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.
There’s no problem that I can see, does this mean that my computer is clean again?
I just want to say thank you for taking the time to help me, I appreciate it very much.
Thank you.
Can’t you test it with on-line scanning? I suggest Kaspersky and BitDefender ones.
Going by your logs, I would say yes. You can use tech's suggestion if you wish.
And you are welcome.