Trojans and Infections present - how do I clean them out?


5 replies to this topic

#1 Joga!

Joga!


Posted 03 October 2009 - 01:41 AM

I'll try and keep this short - I've already done a few things, so a short history:

I run Win XP with SP2

I went to sleep, and woke up with 7 alerts about 3 different trojans. So, one by one, I would ask AVG to put them in the virus vault.

The culprits are:
Crypt.HSM (which made copies of itself as a.exe, b.exe and c.exe)
SHeur2.BILQ
SHeur2.BIHT

Only Crypt.HSM was a recurring problem because of the copies that I was unaware of. After moving them to the V-Vault, I couldnt help but feel a little vulnerable to the Sheur2 trojans - which seem....a little too quiet.

After some consultation from someone much more well versed in technology - I was directed to Spyware Doctor, HijackThis, and here.

First, I ran a log of HijackThis, and my friend saw some suspicious items - confirming my fears.

I then ran Spyware Doctor - and it came up with 4 threats and 92 infections (no mention of my trojans, but 32 reports of trojans.FakeAlert). I want to rid myself of these, but there doesn't seem to be a free program to just make these files disappear! I am an amateur in meddling with the insides of my computer - and have no way of paying through the internet. I don't want to have them annoying me again.

Should I post the HijackThis log here?


Sorry if I'm not following the regular protocol

Edited by Joga!, 03 October 2009 - 01:45 AM.



#2 garmanma

garmanma


Posted 03 October 2009 - 08:25 PM

a.exe, b.exe and c.exe indicate a rootkit infection. HJT alone will not fix it.


Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report for me to review.
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.

    --------------------------------------
Go to Start > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 Joga!

Joga!

Posted 03 October 2009 - 10:29 PM

Thanks for the reply. Just for reference's sake, I found the trojans I stated in my Temp folder - but I just got a small alert about one in the \System Volume Information\_Restore..... area. Should I be more concerned than I was?

These are the contents of the Win32Kdiag.txt file:

------------
Running from: C:\Documents and Settings\Owner\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!

--------

I have a strange feeling that the above text is not too helpful.

As for the results of the command:

--------

Volume in drive C has no label.
Volume Serial Number is BCB7-4900

Directory of C:\WINDOWS\$NtServicePackUninstall$

02/28/2006 08:00 PM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

02/28/2006 08:00 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

02/28/2006 08:00 PM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 08:12 AM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 08:12 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 08:11 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/14/2008 08:12 AM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/14/2008 08:12 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/14/2008 08:11 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
9 File(s) 1,932,288 bytes
0 Dir(s) 9,651,511,296 bytes free


-----------------------

Hope I helped provide some information

Edited by Joga!, 04 October 2009 - 12:09 AM.


#4 garmanma

garmanma


Posted 04 October 2009 - 01:40 PM

System Volume Information is mostly System Restore Points
Try this scan



-- Vista users can refer to these instructions to open a command prompt.

Alternatively you can do this:

Please download peek.bat and save it to your Desktop. Double-click on peek.bat to run it. A black Command Prompt window will appear indicating the program is running. Once it is finished, copy and paste the entire contents of the Log.txt file it creates in your next reply.

If you encounter a problem downloading or getting peek.bat to run, go to Start > Run..., and in the open box, type: Notepad
  • Click OK.
  • Copy and paste everything in the code box below into the Untitled - Notepad.
@ECHO OFF
REM List every copy of these system DLLs (hidden and system files included) and save the listing
DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >Log.txt
REM Open the listing in the default text editor
START Log.txt
REM Remove this batch file once it has run
DEL %0
  • Go to File > Save As, click the drop-down box to change the Save As Type to *All Files and save it as "peek.bat" on your desktop.
  • Double-click peek.bat to run the script.
  • A window will open and close quickly, this is normal.
  • A file called log.txt should be created on your Desktop.
  • Open that file and copy/paste the contents in your next reply.
-- Vista users can refer to these instructions to Run a Batch File as an Administrator.
Mark

#5 Joga!

Joga!

Posted 05 October 2009 - 04:16 AM

So...I believe I ran peek.bat (the scan you spoke of?) without any problems, but this information it gives in the log file is identical to the stuff posted above. Was this to be expected? Also, was peek.bat supposed to remove itself from my desktop automatically after finishing?

Log results of peek.bat:

Volume in drive C has no label.
Volume Serial Number is BCB7-4900

Directory of C:\WINDOWS\$NtServicePackUninstall$

02/28/2006 08:00 PM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

02/28/2006 08:00 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

02/28/2006 08:00 PM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 08:12 AM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 08:12 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 08:11 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/14/2008 08:12 AM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/14/2008 08:12 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/14/2008 08:11 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
9 File(s) 1,932,288 bytes
0 Dir(s) 9,701,900,288 bytes free

-------------------------------

Sorry for being a helpless infant and asking so many questions - I'm just anxious I guess.
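The check that Mark's DIR command and peek.bat set up is a size comparison: the copy of each DLL in system32 should match the clean service-pack copy in ServicePackFiles\i386, and a patched system DLL shows up in these listings as a size that no longer matches. The parser below is an added example, not from this thread or from BleepingComputer; it reads a DIR /a/s listing and reports any mismatch. The sample listing is constructed from the sizes posted above.

```python
import re
from collections import defaultdict

# Constructed sample of DIR /a/s output, using the sizes posted in this thread.
SAMPLE_LOG = r"""
 Volume in drive C has no label.
 Volume Serial Number is BCB7-4900
 Directory of C:\WINDOWS\ServicePackFiles\i386
04/14/2008  08:12 AM           181,248 scecli.dll
 Directory of C:\WINDOWS\ServicePackFiles\i386
04/14/2008  08:12 AM           407,040 netlogon.dll
 Directory of C:\WINDOWS\system32
04/14/2008  08:12 AM           181,248 scecli.dll
 Directory of C:\WINDOWS\system32
04/14/2008  08:12 AM           407,040 netlogon.dll
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# date  time AM/PM  size  name (DIR's default English layout)
FILE_RE = re.compile(r"^\s*\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M\s+([\d,]+)\s+(\S.*?)\s*$")

def parse_dir_log(text):
    """Map each file name to {directory: size in bytes} from DIR /a/s output."""
    found = defaultdict(dict)
    current = None
    for line in text.splitlines():
        d = DIR_RE.match(line)
        if d:
            current = d.group(1).lower()
            continue
        f = FILE_RE.match(line)
        if f and current is not None:
            found[f.group(2).lower()][current] = int(f.group(1).replace(",", ""))
    return found

def find_mismatches(found, reference_dir=r"c:\windows\servicepackfiles\i386",
                    live_dir=r"c:\windows\system32"):
    """Return (name, reference_size, live_size) for each DLL whose live copy
    differs in size from the service-pack reference copy; empty means clean."""
    bad = []
    for name, copies in sorted(found.items()):
        if reference_dir in copies and live_dir in copies \
                and copies[reference_dir] != copies[live_dir]:
            bad.append((name, copies[reference_dir], copies[live_dir]))
    return bad
```

On the listing posted in this thread every system32 copy matches its ServicePackFiles copy, which is why the log looks uneventful.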

#6 garmanma

garmanma


Posted 05 October 2009 - 07:37 PM

I was just hoping it would reveal a little more
You already have a HJT log so let's go ahead and post in the HJT forum



Now that you were successful in creating those two logs you need to post them in our HJT forum:
First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If it won't run, don't worry, just give a brief description and tell them that these logs were all you could get to run successfully

Post them here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The HJT team is extremely busy, so be patient and good luck
Mark



