Trojan infection pls help!



  • Root Admin

That looks fine.  Click OK and then fix or repair or whatever button comes up that looks right.  I've not personally used the tool for a removal so I'm not sure what it will say.

 

Don't worry we're not done and we have other tools that can help us find and remove left over elements of that antivirus too.

 

I'll check back on you again sometime tomorrow then as it's getting late here for me as well.


Hi M. and thx again for your help and patience! :)

I'm now running the Avira tool, and the scan is done; it found 38 keys, but I will not delete all of them because, for example, those ones:

HKEY_LOCAL_MACHINE/SOFTWARE/classes/*/shellex/ContextMenuHandlers/Comodo Antivirus

HKEY_LOCAL_MACHINE/SOFTWARE/classes/*/shellex/ContextMenuHandlers/Shell Extension for Malware scanning

It looks like it found some of my Comodo keys, and until I buy your AV I want my Comodo to work fine, so I'll leave them alone for now.

So I selected 31 to be deleted and it said that some were not deleted successfully; so now I still have 12 Avira keys resisting! Here's the log.

I'll continue later with the FRST like you said.

REGCLEAN_21.08.2013_10.19.24.LOG


Hi M. :)

I ran FRST; here's the log...

And I have a question: in this log and some other places, I saw things named "bigfish"; it's the place where I played some games the day I got my virus. I don't think it's from them, but can we erase files or even keys with that name inside?

And "jollybear": I don't know what it is, never heard of that, and I don't know what it is doing on my computer.

And just for info, I'm sure I caught my virus from "S4 LEAGUE"; it was free, and when I tried to run it that day my Comodo reacted and put it in the sandbox...

Waiting for more instructions, thanks :)

FRST.txt


  • Root Admin

Like peeling an onion - getting closer and closer to the core.
 
Where you actually got infected is difficult to say, and I don't really have the time for that type of analysis as it takes way too much time and doesn't provide much benefit overall for the time invested.
 
Let me have you run the following please and then later tonight I'll have you run another tool to help us track down some more Avira junk.

 

 

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.
 

fixlist.txt


Woo! :D The reset button worked. The download was super fast after that and it looks like my Explorer 8 is at the upper level.

 

... :( But now, a problem with FRST... I put the fixlist just below the FRST, I ran FRST and it rebooted my computer. But when my desktop appeared, this window appeared (the same as when I ran FRST before the reboot). It's supposed to have run already; is it OK?

 

But the fixlog seems to be there though... here:

 

Waiting for more instructions :)... And I like your comparison with the onion hehe!

Fixlog.txt


  • Root Admin

There was an error trying to remove the service for some reason.
My guess is it's probably registry permission issue but let me have you run the following and we'll see what it says.

Click on START and type in CMD.EXE and click OK
Then type in the following line by line, press the Enter key after each line, and then copy or write down what it says in your next reply.

SC QC AntiVirSchedulerService
SC QUERYEX AntiVirSchedulerService


SC QC AntiVirService
SC QUERYEX AntiVirService

SC QC AntiVirWebService
SC QUERYEX AntiVirWebService

SC QC avgntflt
SC QUERYEX avgntflt

SC QC avipbb
SC QUERYEX avipbb


I copied it into Notepad and tried to "save as" on my desktop, but I was not able to save, I dunno why, so here's the copy/paste:

 

Microsoft Windows XP [version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\home>SC QC AntiVirSchedulerService
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: AntiVirSchedulerService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Avira\AntiVir Desktop\sched.exe"

        LOAD_ORDER_GROUP   : NetworkProvider
        TAG                : 0
        DISPLAY_NAME       : Avira AntiVir Planificateur
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Documents and Settings\home>SC QUERYEX AntiVirSchedulerService

SERVICE_NAME: AntiVirSchedulerService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :

C:\Documents and Settings\home>SC QC AntiVirservice
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: AntiVirservice
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Avira\AntiVir Desktop\avguard.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Avira AntiVir Guard
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Documents and Settings\home>SC QUERYEX AntiVirService

SERVICE_NAME: AntiVirService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :

C:\Documents and Settings\home>SC QC AntiVirWebService
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: AntiVirWebService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Avira AntiVir WebGuard
        DEPENDENCIES       : AntiVirService
        SERVICE_START_NAME : LocalSystem

C:\Documents and Settings\home>SC QUERYEX AntiVirWebService

SERVICE_NAME: AntiVirWebService
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 1068       (0x42c)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :

C:\Documents and Settings\home>SC QC avgntflt
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: avgntflt
        TYPE               : 2   FILE_SYSTEM_DRIVER
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : system32\DRIVERS\avgntflt.sys
        LOAD_ORDER_GROUP   : FSFilter Anti-Virus
        TAG                : 4
        DISPLAY_NAME       : avgntflt
        DEPENDENCIES       : FltMgr
        SERVICE_START_NAME :

C:\Documents and Settings\home>SC QUERYEX avgntflt

SERVICE_NAME: avgntflt
        TYPE               : 2  FILE_SYSTEM_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :

C:\Documents and Settings\home>SC QC avipbb
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: avipbb
        TYPE               : 1   KERNEL_DRIVER
        START_TYPE         : 1   SYSTEM_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : system32\DRIVERS\avipbb.sys
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : avipbb
        DEPENDENCIES       :
        SERVICE_START_NAME :

C:\Documents and Settings\home>SC QUERYEX avipbb

SERVICE_NAME: avipbb
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :

C:\Documents and Settings\home>

 

I hope it's OK, and thanks a lot for your help, it's very appreciated, but I need to leave for now. I'll be back tomorrow to continue your instructions. Good night :)
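An added example, not code from the thread or from any of the tools it mentions: a small Python parser for the SC QC / SC QUERYEX output format posted above. It merges the two blocks for each service and flags what the Root Admin is looking for here: entries still set to start at boot that are not running, and the 1068 exit code (ERROR_SERVICE_DEPENDENCY_FAIL) on AntiVirWebService, whose dependency AntiVirService is stopped. The sample text is constructed to mirror the posted output, not copied from it.

```python
import re
from collections import defaultdict
# Constructed sample mirroring the SC QC / SC QUERYEX output posted above (not the full transcript).
SAMPLE_OUTPUT = """[SC] GetServiceConfig SUCCESS
SERVICE_NAME: AntiVirservice
        START_TYPE         : 2   AUTO_START
SERVICE_NAME: AntiVirService
        STATE              : 1  STOPPED
SERVICE_NAME: AntiVirWebService
        START_TYPE         : 2   AUTO_START
        DEPENDENCIES       : AntiVirService
SERVICE_NAME: AntiVirWebService
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1068       (0x42c)
SERVICE_NAME: avgntflt
        START_TYPE         : 2   AUTO_START
SERVICE_NAME: avgntflt
        STATE              : 4  RUNNING
"""

FIELD_RE = re.compile(r"^\s*([A-Z_][A-Z0-9_]{2,})\s*:\s*(.*?)\s*$")  # "KEY : value" lines only
RUNNING, AUTO_START, SYSTEM_START = 4, 2, 1
ERROR_SERVICE_DEPENDENCY_FAIL = 1068  # the WIN32_EXIT_CODE AntiVirWebService reported above

def parse_sc_output(text):
    """Merge the QC and QUERYEX blocks of each service into one dict; names are case-insensitive."""
    services, current = defaultdict(dict), None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # prompts, banners, "[SC] ... SUCCESS" and wrapped path fragments
        key, value = m.groups()
        if key == "SERVICE_NAME":
            current = value.lower()  # SC printed both "AntiVirservice" and "AntiVirService"
        elif current is not None:
            services[current][key] = value
    return dict(services)

def code(value):
    return int(value.split()[0])  # leading number of '1068       (0x42c)' or '2   AUTO_START'

def leftover_services(services):
    """Flag services set to start at boot that are not running, and 1068 dependency failures."""
    findings = []
    for name, f in sorted(services.items()):
        if code(f.get("START_TYPE", "0")) in (AUTO_START, SYSTEM_START) and code(f.get("STATE", "4")) != RUNNING:
            findings.append((name, "starts at boot but is not running"))
        if code(f.get("WIN32_EXIT_CODE", "0")) == ERROR_SERVICE_DEPENDENCY_FAIL:
            findings.append((name, "dependency failed to start: " + f.get("DEPENDENCIES", "?")))
    return findings
```

Running `leftover_services(parse_sc_output(SAMPLE_OUTPUT))` reports the two AntiVir services and leaves the running avgntflt driver alone; feed it the full pasted transcript and it behaves the same way.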


  • Root Admin

No problem.  When you do get back, let me have you run this program and we'll see if we can have it force the removal for us.

 

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file.  Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed the file can be located here:  C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.


 


Combofix done. :) It still disabled my atomic clock from my taskbar. Why? Is this program illegal?

 

When I ran it, it still warned me about Avira still running and the risks for my computer. At the same time a window appeared about an update... is this window legitimate? For a while now they have often appeared...

 

And sorry, I just saw that the combofix logs are in French (maybe because I have a French computer). Do you want me to translate it for you and post it back?

 

P.S. Your last avatar picture was so cute but this one is very adorable! :D Great picture taken at the right moment!


ComboFix.txt


Oh, and I'm surfing on the internet right now, like reading some stuff here... and I want to mention that sometimes it freezes, and in the bottom-left corner where it shows what the browser is doing, it shows something like: ....static.ak.facebook...

 

I'm not sure about the "ak", but I'm 100% sure about the "facebook". My concern is that I'm seeing that when changing pages here; so what is the link with Facebook here? It's weird, I think... What do you think?
