Solve: trojan horse sheur2.gas?

Getting closer...

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the WORKINGS of your system

Now download The Avenger by Swandog46 and save it to your Desktop.

  • Extract avenger.exe from the Zip file and save it to your Desktop
  • Run avenger.exe by double-clicking on it.
  • Do not change any check box options!!
  • Copy everything in the Code box below, and paste it into the Input script here window:
Code:
Comment:

Files to delete:
c:\windows\Tasks\akqxrtmb.job

  • Now CLICK the Execute button.
  • Click Yes to the prompt to confirm you want to execute.
  • Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
  • Your PC should reboot, if not, reboot it yourself.
  • A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
  • Add the Avenger log in your next post.
Below is the log. When the computer rebooted this warning popped up:
Exception Processing Message c0000013 Parameters 75b6bf7c 475b6bf7c 75b6bf7c
and it has Cancel, Try Again or Continue as options.



Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\windows\Tasks\akqxrtmb.job" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

OK this should fix the images problem.

Reset Web Settings & Default Security Settings

Open Internet Explorer and go to Tools > Internet Options then the Advanced tab and then the Reset button under Reset Internet Explorer Settings.

Restart Internet Explorer. Is it working correctly now?

----------

  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.

The above procedure will:
  • Delete:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.

----------

1. Double click OTMoveIt2.exe to launch it.
   Vista users RIGHT click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt2

----------

Delete temporary files

Go to:
  • Start
  • Run
  • type: CLEANMGR.EXE
  • Press Enter.

When prompted select the C: drive and click OK.
Check the boxes for:
  • Temporary Internet Files
  • Downloaded Program Files
  • Recycle Bin
  • Temporary Files

Click OK or Enter

----------

Download DrWeb CureIt & save it to your desktop.

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe and then click Start.
  • An Express Scan of your PC NOTICE will appear.
  • Under Start the Express Scan Now Click OK to start.
    • This is a short scan that will scan the files currently running in memory.
    • If or when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the Scan tab and UNcheck Heuristic analysis and click OK
  • Back at the main window, select the Complete scan button.
  • Then click the Green Arrow Start Scanning button on the right and the scan will start.
    • Click Yes to all if it asks if you want to cure/move any file(s).
  • When the scan is done.
  • In the Dr.Web CureIt menu on top left, click File and choose Save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web Cureit.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
  • Copy and paste that log in the next reply
Yep. Pics are showing.
I did this step:
Click START then RUN
Now type Combofix /u in the runbox
Make sure there's a space between Combofix and /u
Then hit Enter.


But not sure where to find OTMoveit2.exe for the next step. Doesn't it say that the first step deleted it?
Sorry, here ya go.

Download OTMoveIt3 by OldTimer OTMoveIt3.exe and place it on your desktop.

1. Double click OTMoveIt3.exe to launch it.
   If using Vista Right-Click OTMoveIt and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. When finished exit out of OTMoveIt3
hihosove.dll.tmp;C:\WINDOWS\system32;Probably Trojan.Packed.412;Renamed.;
kukolare.dll.tmp;C:\WINDOWS\system32;Probably Trojan.Packed.412;Renamed.;
ludoyuja.dll;C:\WINDOWS\system32;Trojan.Siggen.568;Deleted.;
miwajiho.dll.tmp;C:\WINDOWS\system32;Probably Trojan.Packed.412;Renamed.;
00068281.FIL;C:\$VAULT$.AVG;Trojan.DownLoad.4660;Deleted.;
00072968.FIL;C:\$VAULT$.AVG;BackDoor.Tdss.30;Deleted.;
00297046.FIL;C:\$VAULT$.AVG;Trojan.Click.19754;Deleted.;
02665515.FIL;C:\$VAULT$.AVG;Trojan.DownLoad.4660;Deleted.;
02666750.FIL;C:\$VAULT$.AVG;Trojan.Click.23749;Deleted.;
02666828.FIL;C:\$VAULT$.AVG;Trojan.Click.23749;Deleted.;
02666921.FIL;C:\$VAULT$.AVG;Trojan.Click.19754;Deleted.;
02666953.FIL;C:\$VAULT$.AVG;Trojan.Click.23749;Deleted.;
02667000.FIL;C:\$VAULT$.AVG;Trojan.DownLoad.4660;Deleted.;
03300937.FIL;C:\$VAULT$.AVG;Trojan.DownLoad.4660;Deleted.;
03305218.FIL;C:\$VAULT$.AVG;Trojan.Siggen.568;Deleted.;
A0000008.dll;C:\System Volume Information\_restore{C4634337-28E5-40ED-A7C7-6667EC712853}\RP1;Trojan.Siggen.568;Deleted.;
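As an added example (not code from the thread or from Dr.Web), here is a small Python parser for a Dr.Web CureIt report in the semicolon-separated layout posted above (object;directory;threat;action;), summarising actions and threat families and separating hits in AVG's $VAULT$ quarantine and in System Volume Information restore points from files still live in system32. The sample rows are constructed from the report above, and the field layout is assumed from those rows.

```python
# Summarise a Dr.Web CureIt 'Save report list' export (added example).
# Field layout assumed from the rows in the thread: object;directory;threat;action;
from collections import Counter

# Constructed sample: a subset of the rows the user posted, not a real export.
SAMPLE_REPORT = r"""
hihosove.dll.tmp;C:\WINDOWS\system32;Probably Trojan.Packed.412;Renamed.;
ludoyuja.dll;C:\WINDOWS\system32;Trojan.Siggen.568;Deleted.;
00072968.FIL;C:\$VAULT$.AVG;BackDoor.Tdss.30;Deleted.;
A0000008.dll;C:\System Volume Information\_restore{C4634337-28E5-40ED-A7C7-6667EC712853}\RP1;Trojan.Siggen.568;Deleted.;
"""

def parse_report(text):
    """Split report text into records; blank or malformed rows are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.strip().rstrip(";").split(";")
        if len(fields) < 4 or not fields[0]:
            continue
        obj, directory, threat, action = fields[:4]
        records.append({"object": obj, "directory": directory,
                        "threat": threat, "action": action.rstrip(".")})
    return records

def threat_family(threat):
    """'Probably Trojan.Packed.412' -> ('Trojan.Packed', True).
    'Probably ' marks a heuristic hit; the numeric variant is dropped."""
    heuristic = threat.startswith("Probably ")
    name = threat[len("Probably "):] if heuristic else threat
    return ".".join(name.split(".")[:2]), heuristic

def summarize(records):
    """Counts by action and family, plus the objects that need a second look."""
    return {
        "by_action": Counter(r["action"] for r in records),
        "by_family": Counter(threat_family(r["threat"])[0] for r in records),
        # Heuristic hits were only renamed, not deleted: confirm before trusting.
        "heuristic_only": [r["object"] for r in records
                           if threat_family(r["threat"])[1]],
        # Hits under System Volume Information are infected restore points,
        # which is why a new clean Restore Point is set after cleaning.
        "in_restore_points": [r["object"] for r in records
                              if "System Volume Information" in r["directory"]],
        # $VAULT$.AVG is AVG's quarantine: already neutralised, not live malware.
        "in_av_quarantine": [r["object"] for r in records
                             if "$VAULT$" in r["directory"]],
    }

if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```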
That found a few more infected entries.

How is the computer running now?

Let me know if you have any questions.

Use the Secunia Software Inspector to check for out of date software.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.

----------

Go to Microsoft Windows Update and get all critical updates.

----------

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

Concerned about BROWSER Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript

To prevent unknown applications from being installed on your computer install WinPatrol 2008
* Using Winpatrol to protect your computer from malicious software

I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Wow! You must never sleep!! For that I am thankful!
You have been such an incredible help and I learned along the way. I am so glad I came upon this site!
I'm working on your last few steps. The computer is already running just about like new. It had been really slow. Thanks!

You're welcome.

Safe surfing...

