
Trojan problem, need help please



#1 darkchild101


Posted 12 July 2010 - 08:32 PM

Detected a trojan and removed it, but my computer is still not running properly since then. When I try to play videos on YouTube or similar sites it keeps rebuffering, sometimes it just reboots on its own, and at other times the browser page just keeps scrolling down even when I try to move it back up.

Have run Malwarebytes Anti-Malware as well as Windows Defender and they say nothing found, yet I'm 100% sure it's acting the same way as when I last had an infection.

Now the wireless connection won't work even though I tried resetting it and everything.


Desperate

Edited by Orange Blossom, 12 July 2010 - 10:08 PM.
Move to AII as no logs posted and prep. guide not followed. ~ OB



#2 boopme


Posted 12 July 2010 - 11:35 PM

Hello, for the connection.... Try this: open Control, Internet Options, Connections tab, LAN settings, uncheck the box next to "use proxy...."
OR
Go to Start ... Run and type in cmd
A DOS window will appear.
Type in the DOS window: netsh winsock reset
Click on the Enter key.

Reboot your system to complete the process.


If you cannot use the Internet, you will need access to another computer that has a connection.
From there save the programs below to a flash, USB, jump drive or CD. Now transfer it to the infected machine, then install and run the program.
If you cannot transfer to or install on the infected machine, try running the setup (installation) file directly from the flash drive or CD.
***
Manually Downloading Updates:
Manually download them from HERE and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.


Note: Mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating through the program's interface or have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, is to do the following: Install MBAM on a clean computer, launch the program and update through MBAM's interface. Copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware

Run TFC by OT
Please download TFC by Old Timer and save it to your desktop.
alternate download link
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Now a Safe Mode scan with SAS:
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 darkchild101


Posted 13 July 2010 - 09:40 AM

Thanks for your response Boopme.


However, on entering netsh winsock reset in the DOS window it comes back saying "The requested operation requires elevation".

What do I need to do to proceed?

#4 boopme


Posted 13 July 2010 - 10:08 AM

Hi, looks like we have Vista here, and we need administrative rights.
Windows User Account Control (UAC) is blocking it.


Now do this to run it.
Click Start
In the Search bar type cmd, which should locate the cmd shortcut, right-click this shortcut and click Run as administrator.
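As an added example, not from boopme's post or any BleepingComputer guide: this PowerShell script reads the per-user proxy settings that the "use proxy" checkbox controls (a hijacked proxy is a common reason for the connection symptoms described above), and runs the winsock reset only when the session is already elevated, which is what the "requires elevation" error in post #3 was about. The `-DisableProxy` switch is my own addition and clears the checkbox programmatically.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell:
#   right-click PowerShell, "Run as administrator", then .\check-proxy.ps1 [-DisableProxy]
param([switch]$DisableProxy)

# Standard per-user Internet Options key; the "Use a proxy server for your LAN"
# checkbox maps to ProxyEnable, the server box to ProxyServer, and the
# "automatic configuration script" box to AutoConfigURL.
$key      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$settings = Get-ItemProperty -Path $key

if ($settings.ProxyEnable -eq 1) {
    # Malware that intercepts browsing often points this at 127.0.0.1 or an
    # external host, which is why the checkbox is the first thing to inspect.
    Write-Host "Manual proxy is ENABLED: $($settings.ProxyServer)"
    if ($DisableProxy) {
        Set-ItemProperty -Path $key -Name ProxyEnable -Value 0
        Write-Host "ProxyEnable cleared (same effect as unchecking the box)."
    }
} else {
    Write-Host "No manual proxy configured."
}

# A PAC script is a second place a hijacked proxy can hide; report it if set.
if ($settings.AutoConfigURL) {
    Write-Host "Automatic configuration script set: $($settings.AutoConfigURL)"
}

# netsh winsock reset needs administrator rights. Check the token up front
# instead of discovering it from "The requested operation requires elevation".
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if ($isAdmin) {
    netsh winsock reset
    Write-Host "Winsock catalog reset; reboot to complete the process."
} else {
    Write-Host "Not elevated. Reopen PowerShell with 'Run as administrator' and rerun this script."
}
```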

#5 darkchild101


Posted 13 July 2010 - 11:10 AM

Hi, looks like we have Vista here, and we need administrative rights.
Windows User Account Control (UAC) is blocking it.


Now do this to run it.
Click Start
In the Search bar type cmd, which should locate the cmd shortcut, right-click this shortcut and click Run as administrator.



Thank you, that's worked, so I shall proceed to reboot and follow the instructions.


Btw I already have MBAM installed, so do I uninstall and reinstall, or what?

#6 boopme


Posted 13 July 2010 - 12:20 PM

Just update MBAM and rerun it.

#7 darkchild101


Posted 13 July 2010 - 01:50 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/13/2010 at 07:13 PM

Application Version : 4.40.1002

Core Rules Database Version : 5191
Trace Rules Database Version: 3003

Scan type : Complete Scan
Total Scan Time : 01:07:33

Memory items scanned : 349
Memory threats detected : 0
Registry items scanned : 8329
Registry threats detected : 0
File items scanned : 44983
File threats detected : 66

Adware.Tracking Cookie

#8 boopme


Posted 13 July 2010 - 02:11 PM

After you rerun MBAM let me know if there are any issues left.

#9 darkchild101


Posted 13 July 2010 - 02:15 PM

After you rerun MBAM let me know if there are any issues left.



So just a quick scan in MBAM, yeah?

#10 boopme


Posted 13 July 2010 - 02:28 PM

Yeah, because we look pretty good.

#11 darkchild101


Posted 13 July 2010 - 03:52 PM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4309

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

13/07/2010 21:52:09
mbam-log-2010-07-13 (21-52-09).txt

Scan type: Full scan (C:\|)
Objects scanned: 232460
Time elapsed: 1 hour(s), 36 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 boopme


Posted 13 July 2010 - 07:50 PM

So how are things now?

#13 darkchild101


Posted 14 July 2010 - 06:18 PM

So how are things now?



Slight improvement, though the internet still continues to freeze and I have to reboot for it to work again. Couldn't it be a trojan not detected by the above processes?

#14 boopme


Posted 14 July 2010 - 07:18 PM

It is possible something is hidden or protected by a driver. We need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run, skip it and move on.
Let me know if that went well.

#15 darkchild101


Posted 14 July 2010 - 08:29 PM

Hi, sorry, how do I attach a zip? Sorry.

Edited by darkchild101, 14 July 2010 - 08:56 PM.




