Perduedslesbois

Trojan infection pls help!


... your answer came while I was writing to you. OK, thanks, I'll try to remove this old AV...

I'm waiting for your advice about the other steps I've done. Thanks


They've found and removed stuff but there is more to do - as the initial post said, this is not instantaneous - it takes time to clean.

It is quite late here for me so I'm heading out but I'll try to check back on you again sometime tomorrow.

 

Please run the FRST scan and post back that log.

 

Thanks


Hi.

I just want to say that I was doing some reading here and I found a topic with someone infected with win32:Salty. I read the link, and it talked about some problems with "winlogon"...

I don't know if it's useful to you, but winlogon is one of the new processes that appeared in Task Manager that I can't remove. I'm not sure, because it's becoming more complicated with time, but I think I found a blue virus file under that process and erased it. But like the others it is still running in Task Manager.

I'm happy though that I was able to give you reports with the 3 trojans' names! :)


Hi M. :)

When I run a search (with the dog) for the processes still in Task Manager, here is what I find:

WUAUCLT.EXE-399A8E72.pf   C:\WINDOWS\Prefetch                 71 KB   pf file
wuauclt.exe               C:\WINDOWS\system32                 53 KB   Application
wuauclt.exe               C:\WINDOWS\erdnt\cache              53 KB   Application
wuauclt.exe               C:\WINDOWS\ServicePackFiles\i386   110 KB   Application
wuauclt.exe               C:\WINDOWS\system32\dllcache        53 KB   Application

The last one is blue and looks suspicious... Would it be useful if I deleted those weird files for the processes that keep popping up in my Task Manager? Or will the tools do all the work?

I want to be as useful as I can; do you want me to run the other tools too?

Thanks again for helping me! :)


Please do not self-medicate the computer. The detection and removal process is going well; as explained, it is not an instantaneous process and takes time. The items seen are typically normal.

 

I will review your logs and get back with you later today with further instructions.  In the meantime you may want to review the following topic.

http://forums.malwarebytes.org/index.php?showtopic=130154

 

I will assist you with removing the other older antivirus programs as well.

 

If I've not replied back within 24 hours please send me a PM reminder.

 

Thanks

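The helper's verdict that the search results are typically normal can be checked rather than guessed at. The script below is an added example, not a tool from this thread or from Malwarebytes; it takes the five paths the poster listed and compares each copy of wuauclt.exe against the system32\dllcache copy, which on Windows XP is the pristine copy Windows File Protection restores system32 from. The file contents are constructed stand-ins so the script runs offline; on the affected machine, read_from_disk() (an assumed helper) would load the real bytes. The service-pack and ERUNT copies are allowed to differ, a .pf file in Prefetch is only an execution trace, and a blue file name in Explorer simply means the file is NTFS-compressed, not that it is malicious.

```python
"""Triage of the wuauclt.exe copies from the search results above.

Added example, not a tool from this thread or from Malwarebytes.  The paths
are the ones the poster listed; the file contents are constructed stand-ins
so the script runs offline.  On the real machine, read_from_disk() (assumed
helper) replaces them with the actual bytes.
"""
import hashlib
import os
from typing import Dict, Iterable

# Windows File Protection (XP) keeps a pristine copy of each protected binary
# in system32\dllcache and restores system32 from it, so those two copies are
# expected to be byte-identical.  ServicePackFiles\i386 holds the service-pack
# baseline and legitimately differs once a hotfix has updated the file;
# erdnt\cache is ERUNT's backup of whatever was in system32 at backup time.
REFERENCE = r"C:\WINDOWS\system32\dllcache\wuauclt.exe"
MAY_DIFFER = {
    r"C:\WINDOWS\ServicePackFiles\i386\wuauclt.exe",
    r"C:\WINDOWS\erdnt\cache\wuauclt.exe",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(copies: Dict[str, bytes], reference: str = REFERENCE) -> Dict[str, str]:
    """Return one verdict per path, relative to the dllcache reference copy."""
    ref_hash = sha256(copies[reference])
    verdicts = {}
    for path, data in copies.items():
        if path.lower().endswith(".pf"):
            verdicts[path] = "prefetch-trace"        # evidence it ran; nothing to delete
        elif not data.startswith(b"MZ"):
            verdicts[path] = "not-a-pe"              # an .exe without a PE header is wrong
        elif path == reference:
            verdicts[path] = "reference"
        elif sha256(data) == ref_hash:
            verdicts[path] = "same-as-reference"
        elif path in MAY_DIFFER:
            verdicts[path] = "differs-expected"
        else:
            verdicts[path] = "DIFFERS-INVESTIGATE"   # live copy drifted from dllcache
    return verdicts


def read_from_disk(paths: Iterable[str]) -> Dict[str, bytes]:
    """Assumed helper: load the real files when run on the affected machine."""
    return {p: open(p, "rb").read() for p in paths if os.path.isfile(p)}


# Constructed sample: a current build and the older service-pack baseline.
GENUINE = b"MZ" + b"\x90" * 64 + b"wuauclt current build"
SP_BASELINE = b"MZ" + b"\x90" * 64 + b"wuauclt service pack baseline"
SAMPLE = {
    r"C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf": b"constructed prefetch trace",
    r"C:\WINDOWS\system32\wuauclt.exe": GENUINE,
    r"C:\WINDOWS\erdnt\cache\wuauclt.exe": GENUINE,
    r"C:\WINDOWS\ServicePackFiles\i386\wuauclt.exe": SP_BASELINE,
    REFERENCE: GENUINE,
}


def tampered_sample() -> Dict[str, bytes]:
    """Same listing, but the live system32 copy has been swapped out."""
    copies = dict(SAMPLE)
    copies[r"C:\WINDOWS\system32\wuauclt.exe"] = b"MZ" + b"dropper posing as wuauclt"
    return copies


if __name__ == "__main__":
    for label, copies in (("as listed", SAMPLE), ("tampered", tampered_sample())):
        print(label)
        for path, verdict in triage(copies).items():
            print(f"  {verdict:22} {path}")
```

A matching hash only shows that the copies agree with each other; it does not prove the dllcache copy is genuine. To go further, compare the hash against a known-good copy from an identical Windows build or verify the Authenticode signature, and leave the deleting to the helper's tools.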

Hi M. :)

Thanks again for your help. OK, I'll wait for your instructions and I will not self-medicate my computer.

I read the topic, very interesting; wow, over 1 million keys! That reminds me that we didn't back up the registry yet... I tried again this morning to run ERUNT, but there is no way I can stop it from putting an entry in the Startup menu... so no backup yet.

Do you know another tool to make a registry backup before we go any further in our process?

And thanks for helping me with this old useless Avira AV!


For now, go ahead and right-click the ERUNT installer, choose to install it, and let it add an entry in the Startup group. We can fix it later on.

 

Will get back with further instructions later tonight.


Hi M. :)

I installed ERUNT, and finally the "NO" option came after I said yes to the installation summary... the installation is stopped by a Windows pop-up, and we can click No. Yay!

But now I'm wondering if it's better to check the 3 backup option boxes?

And I remembered too that ComboFix made a Recovery Console...

Waiting for your answer to go on with ERUNT, and further cleaning! :D

Thanks


... and I just want to say that English is not my first language, so sometimes my understanding is not 100%.

So when I asked about the 2 or 3 boxes, it was not to contradict the instructions; they said to pay attention that at least 2 boxes are checked. So I was just asking you what we needed here, because "at least" may be confusing.

Thanks again for your help; I'm trying to do my best here to be helpful.


Please download the attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt


Hi M.

 

I ran FRST. Phew, I got a little bit scared because after the reboot, my desktop appeared with just my wallpaper, nothing else! It stayed like that for a few minutes, I'd say! But finally the rest of the desktop appeared, though the taskbar was beige instead of blue, and 2 windows appeared, one saying Winsock error and the other Comodo error. (But no Avira error, yay!)

I saw that the Internet connection was not working either. I ran a diagnostic and it said that it was because of Winsock, that I needed a "catalog"; it asked me if I wanted the default one, and I needed to reboot the computer for the repair.

 

I rebooted a second time and now the desktop appeared faster, and guess what, my usual taskbar with my atomic clock was back! I don't know what happened; I told you it had disappeared after ComboFix, if I remember well... I don't know if it's normal, but my CPU was at 50% on my desktop and Task Manager said it was svchost.exe (SYSTEM); this lasted a few minutes. Now it's done.

The numbered processes in Task Manager (spool, etc.) are still there though. But not jusched.

 

Now when I reboot, the Avira error doesn't appear anymore. But I can still see it in my installed programs list.

 

I saw that it removed Google as my home page; am I allowed to set it back?

 

Here is the log; I'm waiting for your further instructions :) Thanks again.

Fixlog.txt


Please download the Avira Registry Cleaner that should remove most of the left over parts of Avira.

Save the file to your computer, then extract or copy all the files out of the zip file into their own new folder, and run the cleaner tool by right-clicking it and choosing "Run as administrator".

Then reboot the computer when done and run the FRST tool again and post back the new log.
 


OK, I will do that, but I tried this tool when I got my computer and it was not working... let's hope it works this time.

 

And what about the infection? Is it cured? My Task Manager is still filled with tasks that were not there before I caught my trojans...

 

And for the FRST, you want me to run the "scan" option?


Most things in your Task Manager are going to be normal now. Please do the following after running the Avira tool. Maybe it didn't work before because you tried to run it from within the zip file instead of copying all the files to their own new folder?

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.


 


Hi M. :)

 

I tried to run the tool as administrator and here is a picture of what I got. Sorry for the French, but it says that I can't because of empty passwords, or hour restrictions, or user restrictions :(

 

I don't know what is wrong, because before all these procedures my session was administrator... I know now that it's not secure to always use this user, but my session was administrator by default.

 

What do I do? :(


Well, unless something snuck back in there, I'm not sure. Possibly another piece of junk that we've missed may have set a policy to prevent you from using the computer during certain hours. Try to reboot the computer and see if you can log on and run it, and let me know.


Hi M.

 

I rebooted and tried again... I'm sending you a picture of the box; if I click on the second choice, it doesn't work. Is the first one the right one? It said that this option protects me but that the program can malfunction...

ScreenShot023.bmp

This topic is now closed to further replies.
