Hello everyone -
So I have inherited a laptop with a malware infection. It advised on startup of being infected with Trojan.dloader via the system tray, and attempted to hijack my browser to get me to buy Spyware Knight and/or SpySoldier to fix the problem.
I do not know what activity prompted this. The machine was running Ad-Aware & AVG 7.1 at the time of infection in late 2006.
I disabled System Restore, updated definitions and ran both programs. Then booted into safe mode & ran both programs again - not much was found, but I quarantined/deleted/cleaned whatever was there.
Then I uninstalled them both & switched to NOD32 & SpySweeper 5.3.1, downloaded full updates & discovered this thread which had a similar situation: http://www.bleepingcomputer.com/forums/t/80657/infected-with-trojandloaderlx-spyware-knight-etc/
So I downloaded SmitFraudFix, CCleaner 1.39 & Hijack This, booted into safe mode, and ran them. SmitFraudFix ran (I saved the log) and then the system rebooted itself without my intervention.
I then ran a full NOD32 virus scan, a full SpySweeper scan & CCleaner to clear files & clean the registry. SpySweeper found three adware elements: Antispyware soldier fakealert, comet cursor & fakealert fake infection, plus a system monitor called Tattletale.
I then rebooted into normal windows and found the popups to be gone, but I couldn't connect to Windows Update or sites like PandaVirus' online system scan. I checked the hosts file & it was clean. The system tray icon was gone, but I did occasionally get a browser semi-hijack, as it would send me to the SpySoldier sell page but it had no graphics. Clearly I had removed some of the infection but perhaps not everything.
So I ran Hijack This and got a report that looked fairly clean. I ran SmitFraudFix again in safe mode but no results. I still have access to my two SmitFraudFix logs & my HijackThis log.
I was at this point going to ask for help, but I saw your sticky on the Hijack this posting log - and wonder of wonders, I read it and decided to follow it first. But I cannot run the online virus scanners you recommend because my browser simply won't connect to those sites. It starts to, then simply terminates.
So, I delete the SpySweeper quarantine & run it one more time - all clean. Uninstall it, and install McAfee Stinger - nothing found.
So I move onto Spybot. Installed, updated & ran Spybot. Spybot comes up with 47 problems, including the following:
2. Avenue A, Inc.
5. Comet Cursors
15. Smitfraud-C (this I left alone)
I fix everything except SmitFraudFix, exit & run CCleaner, and then reboot into safe mode for a second Spybot run. I also noted that I ran my first HijackThis scan from the desktop, and that is a no-no, so I created a c:\HijackThis folder and put the .exe file in there for any future runs.
My second run with Spybot only turns up the 19 values in SmitFraudFix.C - I left them alone for now. Before exiting safe mode, I run a Hijack This scan and save the log, and reboot into normal windows hoping that the problems are gone.
However, I still cannot connect to my initial IE7 start page (runonce.aspx) or pages like Windows Update. I reckon I still can't access online virus scanning pages & their ilk too.
Can someone help me clean the remnants of this off this system?