HELP!!! teenage daughter has infected the PC with a virus/trojan.

Spent hours and days on this already, help me reclaim, my cpmputer and what's left of the weekend

HELP!!! teenage daughter has infected the PC with a virus/trojan.

Processor Intel® Pentium® 4 CPU 2.80GHz

Running Windows XP Home Edition SP2, IE6 AVG 8.5.339, SpyBot S&D SpywareBlaster, Adaware

Initial symptoms when launching IE7 slow to load then get 'fake windows?' security warning messages of unsafe site continue to site or block Clicking on the later redirected to a fake download AV software sites. The computer hard drive makes ‘hammering’ noise on start up

Intermittently a separate 'windows security' box opened stating Win32. two options greyed out the third was to block [I think]

Could not launch AVG or SpyBot S&D, or update Adaware I tried to reinstall SpyBot but when it came to downloading the programme would not connect to the download site also Adaware update blocked

I have downloaded and Run Spyware Terminator it found several files which it is blocking.

Adaware.CFD
Adware.ShowBehind.a
Backdoor.W32.Delf.SCV
C:\E18773C7E207CB4f9Af5\SETUP.EXE
C:\WINDOWS\SYSTEM32\ gxvxcdaiynyutnmoqvplwasrfqkxwylwmqtan.dll
Trojan.Downloader.Small.jqv
Unknown name
Unknown name
ViewPoint.Toolbar

Now I could manually delete the file afuya1119762.exe

I could now open browsers without fake 'windows' security messages and the security box stating Win32.Bonchok? [I can’t remember exact name now] has stopped popping up

And now no longer prevented of visiting Antispyware sites such as downloading a new version of SpyBot,

Tried online Scans Housecall won't start hanging on file load up and I have downloaded Malwarebytes it won’t open/run

Panda located two infected files but could not disinfect them
;********************************************************************
ANALYSIS: 2009-06-05 19:56:32
PROTECTIONS: 1
MALWARE: 2
SUSPECTS: 0
;********************************************************************
PROTECTIONS
Description Version Active Updated
;============================================================
AVG Anti-Virus Free 8.5 Yes Yes
;============================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;============================================================
01054371 W32/TDSS.BF.worm Virus/Worm Yes 1 Yes No globalroot\systemroot\system32\gxvxcdaiynyutnmoqvplwasrfqkxwylwmqtan.dll
01055526 W32/TDSS.BF.worm Virus/Worm Yes 1 Yes No globalroot\systemroot\system32\gxvxcvvrjikhbmuirqpladedoghxwswvwkrwx.dll
;============================================================
SUSPECTS
Sent Location
;===========================================================
VULNERABILITIES
Id Severity Description
;============================================================ 108742 MEDIUM MS06-006
;============================================================

Second Scan

;********************************************************************
ANALYSIS: 2009-06-05 21:18:52
PROTECTIONS: 1
MALWARE: 1
SUSPECTS: 0
;********************************************************************
PROTECTIONS
Description Version Active Updated
;============================================================
AVG Anti-Virus Free 8.5 Yes Yes
;============================================================ MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;============================================================
01055526 W32/TDSS.BF.worm Virus/Worm Yes 1 Yes No globalroot\systemroot\system32\gxvxcvvrjikhbmuirqpladedoghxwswvwkrwx.dll
;============================================================ SUSPECTS
Sent Location J
;============================================================
VULNERABILITIES
Id Severity Description J
;============================================================
108742 MEDIUM MS06-006 J
;============================================================

F-Secure found and removed the following 3 Spyware files

TrackingCookie.Revsci (spyware) System (Disinfected)

TrackingCookie.Xiti (spyware) System (Disinfected)

Trojan.JS.Fav.n (virus)
C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\DL6P9D62\DEFAULT[1].JS (Renamed & Submitted)

Symantec Security Check

C:\WINDOWS\system32\rn.tmp is infected with Trojan.Dropper I could remove with AVG
C:\Recover\ONB00034.PPT is infected with Bloodhound.Exploit.139
C:\Recover\ONB00069.PPT is infected with Bloodhound.Exploit.139

Active Scan

W32/TDSS.BF.wo... Virus Active Hide + Info
1. globalroot\systemroot\system32\gxvxcdaiynyutnmoqvplwasrfqkxwylwmqtan.dll [this is the file Spyware Terminator is blocking]

W32/TDSS.BF.wo... Virus Active Hide + Info
1. globalroot\systemroot\system32\gxvxcvvrjikhbmuirqpladedoghxwswvwkrwx.dll

Spyware Doctor located these
Trojan Downloader Agent [2]
Trojan Downloader Renos [12]
Adware BHO.Gen [8]
Torjan.TDSServ [3]
Adware SpyGame [7]
Trojan-Pws Bancos. PWN [1]
HeurEngine.Packed.Themida.RGa [1]


Something however is still hijacking IE browser and diverting it to other sites

SpyBot S&D [I can update it] but it won't launch followed the tips from the web site http://www.safer-networking.org/en/faq/23.html [no luck]and Hijack this still won't launch. I can not boot up in safe mode or use the restore discs. I have run out of ideas Can anyone HELP!!

Finally got Malware to run by renaming setup.exe and directories and folder did a full scan it detected it detected five threats, three were registry keys associated with Adware [I think] ,one was for a file with labelled hoax virus and I can’t remember 5th. However the compuer locked when I asked it to fix the problems!!

The two files globalroot\systemroot\system32\gxvxcdaiynyutnmoqvplwasrfqkxwylwmqtan.dll detected by Panda were not located

HOWEVER I have now solved the safe boot up by swapping my keyboards over from wireless to hard wired, so rescanning now and seeing what programmes I can access/open

HELP would really be appreciated!!

Started system in safe mode re ran Malware Bytes it detected six files [as descirbed above] and deleted them all.

I have now got spy bot S & D running by changing the setup exe, directories and folder name, then going into porgarmme files to rename the app so I now have this scanning.

I hope to do the same with HJT once Spybot has finished and thn I will be able to produce a log to see if all the problems have gone/what is left lurking

Spybot S&D detected and removed 3 instances of Win32.TDSS.rtk two of which were detected but unable to be disinfected with Panda Security and 1 virus Virtumonde.sdn



IE hijacks seemed to have ceased and HJT has now started working without me renaming it, though IE is running slow, this may be done to all the anti spyware, malware, virus scanners I downloaded to fix the problems, I'm not sure if restore point is working yet!! SO I am Just carrying out several online scans to triple check everything is OK then I hope to post a HJT log to make sure all the nasties have gone!!

Hello Linclass and a belated to Bleeping Computer.

Apologies for taking so long for someone to respond to your topic. The delay was likely due to you replying to your own topic.

Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another helper is already assisting you and not open the thread to respond.

If you need to provide additional information you can use the "Edit" button at the bottom right of your post.

I am glad to hear that you have managed to resolve most of the symptoms plaguing your machine. I will continue monitoring this topic for a couple days. If you need additional assistance, please respond here and I will be happy to help you, or direct you to where you can receive help.

One exception to the above. If you decide that the next step to take is to submit a log for analysis, do not post the log here, but I would like you to start a new thread HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread. It would be helpful if you would then post a note here once you have completed the steps in the guide and have started your topic in malware removal, so that I'll know that I can stop watching this thread.

Hi Blade Zephon
Thanks for taking the time to repsond, although I hadn't recieved any direct help, reading all the help and tips on the forums has helped me indirectly to clean up my PC.

I read the message re zero responses after I posted my first reply

I thought updates on my progress may help someone else!

Anyway Spy Bot, AVG, Malware Bytes and Spyware Terminator are all returning 0 results, though I think the computer is still running a little slow and I want to make sure everything has been remoed so I will now post my HJT log.


Thanks

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/232620/recovering-from-trojan-attack/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond. Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom