
Trojan infection pls help!



  • Root Admin

Please save the attached file CFScript.txt to the same location as Combofix. Then drag and drop it onto Combofix to run it, and when it's done it will create a new log file. Post that back when ready.

 

I'm not feeling well so going to get some rest and check back on you tomorrow.

 

CFScript.txt

Link to post

And I want to say that there are still plenty of processes in my Task Manager that were not there before I caught the virus.

When the computer is rebooted, SPOOLSV.EXE always comes back in Task Manager, but like I said I never use a printer; I don't have one. I had never seen this spool in Task Manager before the virus. :(

Link to post

  • Root Admin

Please start an Admin command prompt and type or copy/paste the following and run it.

tasklist /V /FO TABLE >"%USERPROFILE%\Desktop\MyCurrentTasks.txt"

That should create a file named MyCurrentTasks.txt on your desktop. Then ATTACH that file to your next reply. Do not copy/paste it as it will be formatted text that won't paste properly on the board. Use the More Reply Options button and you'll have an opportunity to attach the file.

 

 

Link to post

Hi M. :)

 

Here are some problems again :(... I don't know what happens with my machine, but this afternoon I went to see "services.msc", "tasklist" and "tasklist svc" in the run command; I had no problems. It was just curiosity, to see what programs were running under some processes and what was in the startup. I did nothing. And now, when I type "tasklist" the black window appears for just a few seconds and disappears! Same with tasklist svc and with the command I copy/pasted from you... the window won't stay!

 

It's like something or someone doesn't want me to go there!

 

The "services.msc" and "cmd.exe" still work but not "tasklist" :(

 

What can we do? Waiting for your instructions.

Link to post

  • Root Admin

Sorry, perhaps my fault for not better explaining myself. You can't just type that in the run line.

You need to click on START - RUN -> and type in CMD.EXE and click OK.

Then inside the DOS prompt you type that information.
 

tasklist /V /FO TABLE >"%USERPROFILE%\Desktop\MyCurrentTasks.txt"

That should work for you and create the file on your desktop. Once the file is there you can close the DOS console prompt.

Link to post

I tried something else: when I try the beginning of your command, tasklist /V /FO TABLE, in the cmd, it worked. I can see the info.

 

But now I'm trying to copy that to send you the info....

It seems I can't copy/paste that kind of info into Notepad. I'll try to put it in txt maybe just by writing:  > C/Desktop/MyCurrentTasks.txt......nope.

'Cause when I add the other part of your command it said path not found..

 

Continuing to find a way to send you that while waiting for more infos! :)

Link to post

Ok thanks, so we're done? :)

 

But if so, may I take a little more of your time and ask you why, before I caught the 3 trojans, many of the processes now showing were not there?

When I am on my computer, I always have the Task Manager open to see my CPU use and I check my running processes every day; that's how I found out that I was infected, 'cause I opened it to see the processes running under the usage, and I saw all these new processes!

So I ran a Malwarebytes scan and it found the 3 trojans.

Why does spoolsv.exe always come back? If I end it in Task Manager it's OK until the next reboot. And some, I end them and they come back a few seconds after! :P Like wmiprvse.exe. I can end the spooler by going into 'services.msc' in the run command, but I was not obligated to go there before.

 

I want to be sure that my computer is safe, I use my credit card on that computer. May it be useful that I run the tools from your steps that are not run yet?

 

Hehe, and for the stubborn Avira? Are we letting go? Seriously, I don't recommend this anti-virus to anyone! It's worse than a virus, not removable from computers! I don't like that 'cause it must interfere with my other AV...

 

Thank you Mister for your help and have a nice day. :) I'm waiting for your answer.

Link to post

  • Root Admin

You should not just delete tasks as some are legitimate and you can potentially corrupt the memory space which can cause unexpected issues.
 
You should be careful running some of these tools as they can cause potential damage too and you may or may not have a backup.  I'll provide you with more information on this when we're done here.
 
I'm not done with the Avira but you seemed a bit hell bent on these tasks so that's why I had you run that.
 
There is no harm in allowing the print spooler to load.  If it does bother you then open the SERVICES from your Admin Tools menu and scroll down to the Print Spooler and set the Startup Type to Disabled.
 
 
Now, please run the following again.  Delete the current version you have and any current logs for FRST and download a new fresh copy and run a new scan and post that back please.
 
 
Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
Link to post
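An added example, not part of the original thread and not any poster's code: a quick check of tasklist output for the two process names discussed above, spoolsv.exe and wmiprvse.exe. It assumes the list was saved with /FO CSV rather than the /FO TABLE format used in the thread, and that Windows shows English account names; `triage`, `EXPECTED_ACCOUNTS` and the sample rows are constructed for illustration.

```python
import csv
import io

# Accounts these Windows service processes normally run under. English account
# names are assumed; localized Windows spells the authority name differently.
EXPECTED_ACCOUNTS = {
    "spoolsv.exe": {"NT AUTHORITY\\SYSTEM"},
    "wmiprvse.exe": {
        "NT AUTHORITY\\SYSTEM",
        "NT AUTHORITY\\NETWORK SERVICE",
        "NT AUTHORITY\\LOCAL SERVICE",
    },
}

# Constructed sample of `tasklist /V /FO CSV` output (not data from this thread).
SAMPLE = r'''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"explorer.exe","1876","Console","0","18,204 K","Running","HOME-PC\user","0:00:12","N/A"
"spoolsv.exe","1432","Console","0","4,812 K","Running","NT AUTHORITY\SYSTEM","0:00:01","N/A"
"wmiprvse.exe","2208","Console","0","5,116 K","Running","NT AUTHORITY\NETWORK SERVICE","0:00:00","N/A"
"spoolsv.exe","3920","Console","0","2,040 K","Running","HOME-PC\user","0:00:03","N/A"
"wmiprvse.exe","2964","Console","0","N/A","Unknown","N/A","0:00:00","N/A"
'''


def triage(csv_text):
    """Return (pid, image, account, verdict) for each watched process."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text.lstrip())):
        image = row["Image Name"].lower()
        expected = EXPECTED_ACCOUNTS.get(image)
        if expected is None:
            continue  # not a process this check knows about
        account = row["User Name"].strip()
        if account.upper() == "N/A":
            verdict = "unverified"  # owner unreadable, e.g. prompt not elevated
        elif account.upper() in expected:
            verdict = "expected"
        else:
            verdict = "review"  # system process name under an ordinary account
        findings.append((int(row["PID"]), image, account, verdict))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A "review" verdict is a prompt to check where the executable lives (the genuine spoolsv.exe is in the Windows System32 folder), not proof of infection.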

  • Root Admin

Do not run this until after I review your FRST log.

After I review your log we'll decide if further action is needed or not.

Then at that time I'll have you run this for me.

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the contents of the following code box into the main text field:

    :filefind
    *avira*
    :folderfind
    *avira*
    :regfind
    avira
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post or attach this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Link to post

Hi M. :)

Thanks for your patience with me!

OK, I don't run anything unless you tell me; I thought we were done.

... Yeah sometimes, it's getting late here and I try to do what you ask me but I have some difficulties understanding.. I'm really sorry for taking more time from you than other users :( And yeah, I know that those tasks are legit, but why were they not there before? My CPU use is OK, maybe I'm just a little bit paranoid. :(

I ran the FRST. I erased the old one and downloaded the new one, but when I ran it, it gave me the old fixlog from August 21st (?!). Here are the results... waiting for more instructions :)

FRST.txt

Link to post

  • Root Admin

No worry about the language gap or the time taken; as long as you're communicating and working with me all is good.

Okay well something is a bit screwy here. If you're using a paid version of COMODO antivirus please make sure you have the registration information to reinstall it. Then please go here and download a new installer for Microsoft Security Essentials

http://windows.microsoft.com/en-us/windows/security-essentials-download

Don't install it just yet. Save the installer to your computer.

Then, uninstall COMODO and reboot the computer.

Then at this time go ahead and install Microsoft Security Essentials (so that you're not without an antivirus while we do more testing)

Once that is done then please once again run the following.

Please download the attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

fixlist.txt

Link to post

Ok thx M. :)

I uninstalled Comodo from my computer. But can you suggest another free AV for my computer?

I don't want to put Microsoft Security Essentials 'cause when I read before the installation, it says that it will put updates not just in the AV but in my Windows XP and programs; and I don't want that.

I know it's not safe to do so but I know that some Windows updates make problems with old machines.

So I'm not protected anymore and I'll wait for your AV suggestion before continuing. Thanks.

Link to post

Aww, here are some problems again!

I tried to download FRST and nothing happens! It wanted to upgrade the version and it removed it from the desktop, but the new one didn't appear. I tried your link again but it doesn't work.

But the good news: since I removed Comodo, I have fewer processes running and wmiprvse.exe is gone! Yay!

Link to post

This topic is now closed to further replies.