Trojan Horse Dropper.Small.8.D and Trojan Horse Downloader.Agent.AS Log File please help delete

Posted 1/21/2005 8:29 AM
#8459

onesmileynurse Member

Date Joined Nov 2016
Total Posts: 2
Logfile: Scan saved at 6:57:22 PM, on 1/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\PROGRA~1\INCRED~1\bin\ImApp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

R1 - ... = https://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://srch-qus8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.mchsi.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.mchsi.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.topfivesearch.com/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = https://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*https://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = https://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Mediacom Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\companion\Installs\cpn0\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn0\ycomp5_3_19_0.dll
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [Grokster] C:\PROGRA~1\Grokster\Grokster.exe /SYSTRAY
O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKLM\..\Run: [Sys Ren] C:\WINDOWS\SysRen.exe /S
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: RemindU - https://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} - https://dm.cometsystems.com/dm/dm_299.cab
O16 - DPF: {29B2C103-AB53-4971-B765-FC1CE5D8B2D1} - https://www.silvercrk.com/php/hwspades_scecab_12.215.99.83.320961074359984842_2500000.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - https://download.websearch.com/Dnl/T_50169/QDow_AS2.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - https://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - https://ds1.downloadtech.net/cn1060/pcpowerscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C877779-240B-4162-A2C6-F41D8340B0D9}: NameServer = 208.255.3.1 208.255.3.2
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Posted 1/22/2005 9:42 AM
#8505

anon_ink Advanced member

Date Joined Nov 2016
Total Posts: 84
Read over the fix before doing anything to get a feel for what needs to be done, then proceed as outlined.



Before doing anything else, I'll need you to unzip the hijackthis.exe file with a program like WinRAR into a folder of its own - preferred location: C:\HijackThis\hijackthis.exe. This is very important! Doing this enables us to use its backups should we need them. Its current location is not secure since we will have to delete the contents of the temp folder sometime during the fix, and backups can't be made within a zip file. Once that is done...


Download CWShredder.exe to a permanent folder.


-= Reboot into SAFE MODE:
.:: Start – Logoff – Restart

  • Immediately begin tapping the F8 key repeatedly.
  • Select the option for Safe Mode using the arrow keys.
  • Then press enter on your keyboard to boot into Safe Mode.
    * You’ll be greeted by a black screen. Wait for it – something should appear in a minute or two...

Double click on the CWShredder icon from where you’ve saved it.
Click “I AGREE” to accept the terms of service. Note: Please do read over their terms of service.
Click FIX as opposed to Scan Only or Make Report.

Let it do its thing. When done, go to the next step.

Cleaning up.
-= Go into Internet Options - General tab.
-= Delete temporary internet files, and
-= Choose to delete all Offline content.
-= Clear history;
-= and cookies.

-= Also, go to Start - Search – All Files or Folders - in the named box, type: *.tmp and choose Edit - select all - File - delete.

-= Empty only the contents of the folders [DO NOT DELETE THE FOLDER ITSELF!]
C:\Windows\temp folder\...
C:\temp folder\ ...
Empty Recycle bin

This will, hopefully, get rid of the CoolWebSearch infection that you have.
REBOOT into SAFE MODE once again to complete the fix and do the next step.



Add/Remove Programs.
.: Start - Control Panel - Add/Remove Programs - *Might not be there*




Comet cursor

Websearch ToolBar

MYSEARCH

MYSEARCH BAR

MY WEB SEARCH BAR

MY WEB SEARCH ASSISTANT

zSearch

MemoryMeter

SpeedBlaster


Click Add/Remove [for each of those in the list above].
When asked "Are you sure you want to completely remove [such and such program] and all of its components?"
Click Yes. Follow the prompts to finish uninstallations.

Go into C:\Downloaded Program Files\--- and delete any mention of:

TVMedia


zSearch

MemoryMeter

SpeedBlaster



-= Reboot normally - no need for SAFE MODE this time.



Run Spybot – Search & Destroy & Ad-aware
Please update BOTH and run Spybot-Search&Destroy and Ad-Aware SE; they are the standard programs for finding and cleaning adware and malware off your system. Doing this also cleans up some minor registry entries left behind by the uninstalls. Here are links to both programs, and instructions for their use. Reboot between each scan.

1.1 Install and how to use Ad-aware SE – delete ALL those that it found.
https://www.lavasoftusa.com/software/adaware/ - NEW Version 1.05
https://pcpitstop.ibforums.com/index.php?showtopic=67373 - Read Tutorial

1.2 Install and how to use Spybot S&D if you don’t already have it – delete all those that it found in RED only.
https://security.kolla.de/ - NEW Version 1.3
https://www.bleepingcomputer.com/forums/tutorial43.html - Read Tutorial

Reboot.

Disinfection
If you have a resident antivirus program, please disable it and run a couple of the online virus scans below, seeing as how viruses can disable your resident scanner. This step is important to your PC’s health because these scanners will get rid of the majority, if not all, of the viruses found.

-= Check Autoclean or Auto-delete for it to clean whatever it finds.
-= Remember to disable your resident AV before doing the online virus scan so that there won’t be any conflict.

TrendMicro Housecall
BitDefender Scan

Reboot when done, rescan with HijackThis and post a new log here. These are the appetizers. We'll deal with the main course after you've posted the next log.



Sincerely,
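The log at the top of the thread and the fix above can be checked mechanically before anyone touches the registry. The following Python script is an added example, not a tool from the thread or from HijackThis itself: it reads HijackThis-format lines and flags the things the fix goes after (R-entries pointing at search-hijacker domains, orphaned O2/O3 CLSIDs, O4 Run entries that are a bare filename with no path, O16 ActiveX downloads from unvetted hosts, O17 DNS overrides, and anything matching the Add/Remove list). The sample lines are copied from the posted log; HIJACK_DOMAINS, TRUSTED_DPF_HOSTS and the bare-filename heuristic are assumptions for illustration, and a hit means "verify", not "delete".

```python
"""Triage of a HijackThis log, keyed to the entry types the fix above targets.

Added example (not the thread's own tool). Sample lines are copied from
the log posted above; the domain and program lists are assumptions.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the log posted at the top of the thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.topfivesearch.com/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = https://websearch.drsnsrch.com/sidesearch.cgi?id=
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKLM\..\Run: [Sys Ren] C:\WINDOWS\SysRen.exe /S
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - https://download.websearch.com/Dnl/T_50169/QDow_AS2.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - https://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C877779-240B-4162-A2C6-F41D8340B0D9}: NameServer = 208.255.3.1 208.255.3.2
"""

# Assumption: search/CWS hijacker domains seen in the log (suffix-matched).
HIJACK_DOMAINS = ("topfivesearch.com", "drsnsrch.com", "websearch.com")
# Program names from the Add/Remove list in the fix above (substring match).
UNWANTED_NAMES = ("tv media", "zsearch", "comet", "websearch", "mysearch",
                  "my web search", "memorymeter", "speedblaster")
# Assumption: hosts allowed to serve ActiveX (O16 DPF) downloads.
TRUSTED_DPF_HOSTS = {"us.dl1.yimg.com", "download.microsoft.com"}

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://[^\s\]]+")


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _is_hijack_host(host):
    return any(host == d or host.endswith("." + d) for d in HIJACK_DOMAINS)


def _o4_target(body):
    """'HKLM\\..\\Run: [name] C:\\x\\y.exe /S' -> 'C:\\x\\y.exe' (first token after the name)."""
    cmd = body.split("] ", 1)[-1].strip()
    return cmd.split()[0].strip('"') if cmd else ""


def triage(log_text):
    """Return one finding per suspicious line: {'kind', 'line', 'reasons'}."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        low = body.lower()
        reasons = []
        if kind in ("R0", "R1", "R3"):
            for host in map(_host, URL_RE.findall(body)):
                if _is_hijack_host(host):
                    reasons.append(f"browser setting points at hijacker domain {host}")
            if "(no name)" in low:
                reasons.append("unnamed URLSearchHook")
        if kind in ("O2", "O3"):
            if "(no file)" in low or "(file missing)" in low:
                reasons.append("orphaned CLSID: registered but file missing")
            elif "(no name)" in low:
                reasons.append("unnamed browser extension")
        if kind == "O4":
            exe = _o4_target(body)
            # No path at all: Windows resolves it via PATH, which is how worms hide
            # (the msblast.exe line is the Blaster worm's Run entry).
            if exe.lower().endswith(".exe") and "\\" not in exe and "/" not in exe:
                reasons.append(f"bare filename '{exe}' with no install path")
        if kind == "O16":
            for host in map(_host, URL_RE.findall(body)):
                if host not in TRUSTED_DPF_HOSTS:
                    reasons.append(f"ActiveX download from unvetted host {host}")
        if kind == "O17":
            reasons.append("DNS servers set in registry: confirm they are the ISP's")
        if kind in ("R3", "O2", "O3", "O4") and any(n in low for n in UNWANTED_NAMES):
            reasons.append("matches a program on the Add/Remove list")
        if reasons:
            findings.append({"kind": kind, "line": raw.strip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:4} {f['line'][:70]}")
        for r in f["reasons"]:
            print(f"       - {r}")
```

Run it as-is to see the flagged lines, or paste a full log into SAMPLE_LOG. Legitimate entries can trip the heuristics (a vendor's bare-filename Run entry, an ISP's own DNS servers), which is why the helper asks for the log and reviews it rather than having the user fix entries blind.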
Posted 1/23/2005 6:38 AM
#8555

onesmileynurse Member

Date Joined Nov 2016
Total Posts: 2
ok I did everything you had written to do, and I hope that I did it all correctly. The only thing was when I ran the scan for Ad-Aware I couldn't get it to download. But I did scan with Spybot S & D and I did turn off my AVG and go to the websites you mentioned. I ran the scan for Trendmicro Housecall and it said that there were 43 infections found. I still don't think that I have unzipped the HijackThis properly and when I clicked on the icon all it did was go to the last file I printed for you on 01-20, therefore I am currently downloading it again and will get another log and see if I can at least get that posted! The Trend Micro Housecall you have to purchase at $49.95 to clean all of the viruses and I am a nurse who injured my back and a single mom of a 6 year old boy, I developed a serious spinal infection after steroid injections in the spine for the injury 2 years ago. I am on an extremely low income and just had my farm foreclosed on, so I am unable to purchase the program at this time, although it looks like a great one! Here are a few of the ones that it showed were in the computer and their location:

ZSearch - startup
Dynamic toolbar hijacker - registry
XXX porn dialer - hard disk
CWS hijacker - startup
TV Media - hard disk
Bullguard Parasit - hard disk
Pyware Trusted Zone (browser hijacker) - registry
Booked Space - hard disk
Spy Trojan - registry
Altnet Parasite - registry, hard disk
IE Plugin hijacker - registry
A Better Internet hijacker - hard disk
Funweb products - registry
euniverse - hard disk

I am not sure how to get around the computer well enough to get into the hard disk and try to delete these and when I ran the regedit I didn't see anything close to any of these things. I greatly appreciate your help. If it would be easier and you have Yahoo messenger my ID name is onesmileynurse and you could add me to yours and then I can accept and maybe we could talk personally about the situation and my computer illiteracy! Thank you!
Posted 1/23/2005 7:44 AM
#8557

anon_ink Advanced member

Date Joined Nov 2016
Total Posts: 84
Sorry for the late reply, onesmileynurse.



There's no need to pay for anything!! The AVG7 that you have right now is enough!!! I won't ever tell you to purchase anything to fix this problem of yours. It's not my job to promote other products' sales. My job is to get you clean. I do hope your personal and hijack situation gets better, definitely not worse.



...So what you're saying is you've run the:

-= CWShredder? Did it find anything?

-= Did you do the Add/Remove of the programs I mentioned to uninstall? Did you uninstall all 9 programs or only a few?

-= You couldn't do Ad-aware? Another download link: https://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5

-= Spybot: Fix checked all the RED entries when Spybot's scan was done?






[code]
ZSearch - startup
Dynamic toolbar hijacker - registry
XXX porn dialer - hard disk
CWS hijacker - startup
TV Media - hard disk
Bullguard Parasit - hard disk
Pyware Trusted Zone (browser hijacker) - registry
Booked Space - hard disk
Spy Trojan - registry
Altnet Parasite - registry, hard disk
IE Plugin hijacker - registry
A Better Internet hijacker - hard disk
Funweb products - registry
euniverse - hard disk
[/code]

-= Those are some serious hijacks. We'll get through to them until you're clean once again.

TrendMicro was supposed to delete those things that it can delete. Did you check Autodelete or AutoClean? Ditto with the BitDefender.



The previous fix is just to minimize the infection. To kill the infection off altogether, I will use HijackThis, and it can't be done without the new log. If you can provide me any of the above info, I'd really appreciate it.



Download Hijackthis.exe from there if you haven't already. This download link is already unzipped for you, so just download and do the moving.

Move that hijackthis.exe icon to C:\Hijackthis\Hijackthis.exe. <-- you might need to create the new folder in C:\, name it Hijackthis, and place the hijackthis.exe into that folder.



Oh! And you're not as illiterate as you're saying you are because it seems like you handle the regedit pretty well.



Hoping to hear from you soon. Take your time to do the fix from the previous post once more with the adjustments just for good measure, okay?
Posted 2/14/2005 2:34 PM
#9738

Aladin Member

Date Joined Nov 2016
Total Posts: 4
anon_ink, your thorough reply leaves a computer dummy like me in awe. Well done!


May I refer you to this link and ask if the problem can be as they've determined?



https://www.ozzu.com/ftopic37085.html



Keep up the excellent work.



Regards,

Jay



I get this Trojan on AVG scans too. But do not seem to have a problem.. that I know about.
Posted 2/15/2005 9:10 AM
#9800

anon_ink Advanced member

Date Joined Nov 2016
Total Posts: 84
Well, AVG gave you the location for the infected file right?



If it's in the root C:\Windows\Temp\AAWTMP\C59193\2A49A5\counter.exe

You can go ahead and delete the folder AAWTMP within the C:\Windows\Temp\ root directory. As a matter of fact, you can and should delete everything within that root directory except for these three folders:



Content

Temporary Internet Files

Cookies



Sometimes viruses download themselves into your temp folders, so it's wise to delete the contents of the Temp folders regularly.



The one located in C:\counter.cab:\counter.exe, you can just delete the file/folder counter.cab: within the C:\ local drive.

Empty Recycle Bin after the deletes to clear the files off your computer.

Reboot.

Do another AVG scan if you wish.



If your infected file is located in a different location than the above, would you post it here? You can just manually delete those files that the scanners cannot delete.



As for the matter of whether it's a false alarm... that depends on the file itself. If we know for a fact that it's a useless/unknown file, it's always best to just delete it. There are very rare cases of these as far as I can search up. There's not much that is known of its power to harm...



Since your computer still works fine, there's not much to worry about then. Just do the above only if you'd wish to.
Posted 2/15/2005 5:31 PM
#9824

Aladin Member

Date Joined Nov 2016
Total Posts: 4
Thanks for the thoughtful reply. I'm going to print out your post and give it a good looksee this eve.

Regards,
Jay
Posted 2/23/2005 7:29 PM
#10306

tgs586 Member

Date Joined Nov 2016
Total Posts: 2
I saw a posting from a couple days ago that you (anon_ink) replied to about a "trojan backdoor small 14.am". I have that too. Just got it but it's not in my restore system, it's in "c/windows/system32/config/systemprofile/local settings/temp internet files/content". I found it in an AVG scan and it was un-removable and my ad-ware didn't pick up the same trojan name. I ran the AVG again after the adware and it didn't show the trojan anymore. Is it hiding? How do I find it and kill it?

"anon_ink" wrote: (quoting the fix from post #8505 above)
Posted 2/23/2005 7:35 PM
#10308

tgs586 Member

Date Joined Nov 2016
Total Posts: 2
I have the "trojan backdoor small 14.am" virus hiding in my computer. It was in "c:/windows/system32/config/systemprofile/local settings/temp internet files/content" - I found it in an AVG scan that said it was embedded and could not be fixed. Next, when I ran ad-ware, it didn't report the same trojan. I deleted the bad files that ad-ware picked up, then I ran AVG again and it didn't report the trojan... is it hiding? How do I get rid of it?

"anon_ink" wrote: (quoting the fix from post #8505 above)
Posted 2/23/2005 7:42 PM
#10310

anon_ink Advanced member

Date Joined Nov 2016
Total Posts: 84
c:/windows/system32/config/systemprofile/local settings/temp internet files/content\...

Open the content folder and clean out everything within that folder.

-= Reboot into SAFE MODE: to delete the files.
.:: Start – Logoff – Restart

  • Immediately begin tapping the F8 key repeatedly.
  • Select the option for Safe Mode using the arrow keys.
  • Then press enter on your keyboard to boot into Safe Mode.
  • You’ll be greeted by a black screen. Wait for it – something should appear in a minute or two...

Clear out that directory.

If you cannot delete any files, check its properties [right-click - select Properties] to see if the Read Only box is checked. If it is checked, please uncheck it and then try to delete the file once again.

Reboot.



I also suggest that you delete your Temp folders frequently. Use CCleaner to do this automatically for you!
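The clean-out described in the two posts above (delete everything under a temp folder except a few named subfolders, and clear the Read Only attribute when a delete fails) is the kind of thing worth scripting once rather than clicking through each time. This Python script is an added example, not CCleaner or anything from the thread; KEEP mirrors the three folder names from the earlier post, and the tree it builds for the demo is constructed, including a read-only folder standing in for the AAWTMP one.

```python
"""Clear a Windows temp directory the way the posts above describe: delete
everything under it except a few named subfolders, clearing Read Only first
so the delete does not fail.

Added example, not the thread's own tool. The demo tree is constructed;
KEEP mirrors the three folders named in the post.
"""
import os
import shutil
import stat
import tempfile
from pathlib import Path

KEEP = {"Content", "Temporary Internet Files", "Cookies"}


def _force_writable(path):
    """Clear Read Only. On Windows that attribute blocks deletion; on POSIX the
    equivalent is a directory without the write bit, which blocks deleting its children."""
    if path.is_symlink():
        return
    os.chmod(path, os.stat(path).st_mode | stat.S_IWRITE)


def clear_temp(root, keep=KEEP, dry_run=False):
    """Remove every entry directly under root except those named in keep.
    Returns the sorted names removed (or that would be removed, if dry_run)."""
    root = Path(root)
    removed = []
    for entry in root.iterdir():
        if entry.name in keep:
            continue
        removed.append(entry.name)
        if dry_run:
            continue
        if entry.is_dir() and not entry.is_symlink():
            _force_writable(entry)
            for dirpath, dirnames, filenames in os.walk(entry):
                for name in dirnames + filenames:
                    _force_writable(Path(dirpath) / name)
            shutil.rmtree(entry)
        else:
            _force_writable(entry)
            entry.unlink()
    return sorted(removed)


def build_demo_tree(base):
    """Constructed stand-in for C:\\Windows\\Temp after a scan: a kept folder,
    a read-only nested dropper folder like the AAWTMP one above, and a stray .tmp."""
    base = Path(base)
    (base / "Content").mkdir()
    (base / "Content" / "keep.me").write_text("kept")
    nested = base / "AAWTMP" / "C59193"
    nested.mkdir(parents=True)
    sample = nested / "counter.exe"
    sample.write_bytes(b"MZ not a real binary, constructed for the demo")
    os.chmod(sample, stat.S_IREAD)                 # Read Only file
    os.chmod(nested, stat.S_IREAD | stat.S_IEXEC)  # read-only directory
    (base / "scratch.tmp").write_text("x")
    return base


def run_demo(dry_run=False):
    """Build the demo tree in a scratch dir, clean it, report (removed, survivors)."""
    base = Path(tempfile.mkdtemp(prefix="temp_clean_demo_"))
    build_demo_tree(base)
    removed = clear_temp(base, dry_run=dry_run)
    survivors = sorted(p.name for p in base.iterdir())
    clear_temp(base, keep=set())   # tear the scratch dir down, read-only bits included
    base.rmdir()
    return removed, survivors


if __name__ == "__main__":
    print(run_demo())   # (['AAWTMP', 'scratch.tmp'], ['Content'])
```

On the real machine, run clear_temp(r'C:\Windows\Temp') from an administrator prompt after booting into Safe Mode, as the post says, so nothing has the files open; try dry_run=True first to see what would go.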