
Trojan Removal


  • This topic is locked
22 replies to this topic

#1 rickylad

Posted 19 April 2008 - 11:04 AM

Hi

I'm usually pretty savvy with knowing what to click and what to ignore, but in a moment of madness I clicked an MSN link from a friend without even looking and my computer is now riddled with infection.

Please could you tell me how to remove the nasties as avast and normal spyware removal software won't touch it.

My Hijack this log is attached.

Many thanks.



#2 Simon V.

Posted 26 April 2008 - 10:39 AM

Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

Please download and install CCleaner.

Open CCleaner. On the Windows tab, leave the default options alone.
  • On the Applications tab, check (tick) all the boxes except Saved Form Information. This will remove all your saved passwords if you leave this box checked.
  • Click on the Run Cleaner button at the bottom right hand corner.
  • When the cleaner has completed, click Tools in the Left Pane.
  • Verify that Uninstall is highlighted in color, or click on it.
  • In the lower right, click Save to Text File.
  • Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
  • You can leave the filename as install.txt.
  • Click Save, then exit CCleaner.
_____________________

Please visit this webpage for download links, and instructions for running ComboFix -

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says -

The Recovery Console was successfully installed.

Please continue as follows -
  • Close/Disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, so we may continue cleansing the system -

- the Combofix log (C:\ComboFix.txt)
- the CCleaner Uninstall List (install.txt)
- a new HijackThis log

Edited by Simon V., 26 April 2008 - 10:39 AM.

Simon V.


So How Did I Get Infected In The First Place?
Stand Up and Be Counted!

My help at this forum is free, but if you wish to make a donation to help me continue the fight against malware - click here.

#3 Simon V.

Posted 30 April 2008 - 12:30 PM

Do you still need help?

#4 rickylad

Posted 01 May 2008 - 11:58 AM

Hi Simon...sorry, haven't looked at this for a few days.

Yeah I still need help and thanks for your advice. I'll get on to this asap although having internet connectivity probs at the moment too.

Cheers.

#5 Simon V.

Posted 07 May 2008 - 03:44 PM

Hi :thumbsup:

It will be impossible to clean this system if you do not respond in a timely manner. If no logs are posted within two days, this topic will be closed.

#6 rickylad

Posted 08 May 2008 - 03:15 AM

Hi Simon....really sorry to be slow on this and I understand that you need to get moving with this.

Luckily enough I managed to get connectivity back last night so will follow the steps you provided me and will post the results later today.

Thanks for your patience.

#7 rickylad

Posted 08 May 2008 - 03:04 PM

Ok....just noticed that I will have to print out the combofix tutorial in work tom then will follow this tomorrow after work.

#8 rickylad

Posted 17 May 2008 - 01:02 PM

Hi...ok sorry for the delay. I finally have everything sorted. Hope you can still help.

I've run ccleaner and combofix and my logs are attached along with a new hijack this.

Many thanks so far, as I know I've been pretty slow, but will reply right away from now on.


#9 Simon V.

Posted 18 May 2008 - 09:39 AM

Hi :thumbsup:

Step 1

Click on Start, then Control Panel. Double click on Add or Remove Programs.

Please remove the following program(s):

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 2
Java™ 6 Update 3


Then download and install Java Runtime Environment (JRE) 6 Update 6.

Step 2

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"braviax"=-
"BMe312ab7f"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXOgDsT]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXOgeBs]

FileLook::

C:\Program Files\sharpsrv.dll
C:\sharpsrv.exe
C:\wintroll.exe
C:\Program Files\sharpsrv.exe

Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save (Save the CFScript in the same location as Combofix.exe)

Close any open windows.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Be sure to save it to a convenient location.

Step 3

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:
      • Click on the Malwarebytes' Anti-Malware icon to launch the program.
      • Click on the Logs tab.
      • Click on the log at the bottom of those listed to highlight it.
      • Click Open.

Step 4

In your next reply, please post:
  • the Combofix log (C:\Combofix.txt)
  • the Malwarebytes' Anti-Malware log
  • a new HijackThis log


#10 rickylad

Posted 20 May 2008 - 05:23 PM

Thanks Simon,

OK, latest logs are attached.

Rick


#11 Simon V.

Posted 21 May 2008 - 12:30 AM

Hi :thumbsup:

I'm still not sure about a few files... Do you know what these are for? -

C:\Program Files\sharpsrv.dll
C:\Program Files\sharpsrv.exe
C:\sharpsrv.exe
C:\wintroll.exe

_____________________________

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/t/142653/trojan-removal/?p=830194

Suspect::[1]

C:\Program Files\sharpsrv.dll
C:\Program Files\sharpsrv.exe
C:\sharpsrv.exe
C:\wintroll.exe

Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save (Save the CFScript in the same location as Combofix.exe)

Close any open windows.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

* When CF finishes running, the ComboFix log will open along with a message box - do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.
It will create a log. Please post it in your next reply.

#12 rickylad

Posted 22 May 2008 - 03:36 PM

Hi Simon..I sent the combo fix reply through the browser and also attached the log here as requested.

Cheers Rick


#13 Simon V.

Posted 23 May 2008 - 12:23 AM

Hi :thumbsup:

Please let me know whether you know what these files are for -

C:\Program Files\sharpsrv.dll
C:\Program Files\sharpsrv.exe
C:\sharpsrv.exe
C:\wintroll.exe



#14 rickylad

Posted 23 May 2008 - 07:54 PM

Nah...no idea what these are

#15 Simon V.

Posted 24 May 2008 - 08:14 AM

Hi :thumbsup:

Almost done, just a few things -

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

File::

C:\Program Files\sharpsrv.dll
C:\Program Files\sharpsrv.exe
C:\sharpsrv.exe
C:\wintroll.exe

Driver::

sharpsrv

Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save (Save the CFScript in the same location as Combofix.exe)

Close any open windows.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Post it back here. Also let me know how your computer is currently running.
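
An added example (not part of the thread, and not ComboFix code) for the CFScripts in posts #9, #11 and #15: a small Python reader that lists what such a script would touch before it is dragged onto ComboFix.exe. The Registry:: lines are read with standard .reg deletion syntax; the meanings given to File::, Driver:: and FileLook:: are assumptions, and `parse_cfscript` and `destructive` are hypothetical names.

```python
import re

# Constructed input: lines taken from the CFScripts quoted in this thread.
SAMPLE = r'''Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"braviax"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXOgDsT]
FileLook::
C:\wintroll.exe
File::
C:\sharpsrv.exe
Driver::
sharpsrv
'''

# Assumed directive meanings; only Suspect:: (capture for analysis) is described in the thread.
ASSUMED = {"File": "delete-file", "Driver": "remove-driver",
           "FileLook": "inspect-file", "Suspect": "collect-file"}
SECTION = re.compile(r'^([A-Za-z]+)::')
KEY = re.compile(r'^\[(-?)(.+)\]$')
VALUE_DELETE = re.compile(r'^"(.+)"=-$')

def parse_cfscript(text):
    """Return (section, action, target) tuples in script order."""
    actions, section, key = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        header = SECTION.match(line)
        if header:
            section, key = header.group(1), None
        elif section == "Registry":
            k, v = KEY.match(line), VALUE_DELETE.match(line)
            if k and k.group(1):          # [-key] removes the whole key (.reg syntax)
                actions.append((section, "delete-key", k.group(2)))
                key = None
            elif k:                       # [key] sets context for the values below
                key = k.group(2)
            elif v and key:               # "name"=- removes one value (.reg syntax)
                actions.append((section, "delete-value", key + "\\" + v.group(1)))
            else:
                actions.append((section, "unrecognised", line))
        elif section:                     # lines before the first directive are skipped
            actions.append((section, ASSUMED.get(section, "unknown"), line))
    return actions

def destructive(actions):
    """Entries that remove something and deserve a second look before running."""
    return [a for a in actions if a[1].startswith(("delete", "remove"))]
```

Calling `destructive(parse_cfscript(text))` on a script pasted from a helper's post gives the short list of registry values, keys, files and drivers that would be removed, so each one can be checked against the earlier logs first.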



