Icky Trojan Thingy

Hi All,

Just after a quick spot of guidance...

My dad's managed to *completely* screw up his main PC...

I think he was after a new shed (this story's legit, honest ;)) and came across "dodgy dave's big shed of pawn" or something like that...Needless to say, a couple of minutes and a few button clicks later he's managed to get the thing *plagued* by all kindsa viruses, spyware etc...

I've come across a few "infections" in my day, but this is on a scale I'm not used to dealing with - wallpaper's been changed, task manager's disabled, all the usual stuff...then there are two programs that keep on restarting themselves (no matter how often you kill them, uninstall them, etc) - one is Windows XP AntiVirus 2008 or something - telling me it's found 16000 viruses and I should click this link and buy the full version to get rid of them...Needless to say, I'm not touching that...The second bit of software is the "main" bit, I guess...that has one central form controlling 8 others (sorry, I'm working from memory atm...can't remember the name of it) - each of the forms has a different website in it, all pawn related, basically ticking through generated URLs checking for images, I think. I've taken it offline for the most part to stop it accessing this stuff - just plug it in when I need to download AVG updates etc. Anyway, it also completely forked up the router - had to factory reset it to get access again - needless to say I'm not using the default password there anymore :) I also noticed last night that all the HDDs aside from the C drive seem to be missing - but they're not even shown as existing under disk management, so it might just be a coincidence and there might be something else causing that.

Anyway, have updated and run AVG and SpyBot about a million times - they make no difference whatsoever. Is there anything else I can try to shift this thing, or is it time for a reformat? It's only really my dad's mailbox I'm worried about saving from the disk, I think - could I stick the HDD into another machine as a slave and just nick the stuff I want to keep first?

AdvTHANKSance

Comments

  • Jon_S_4
    I recently had a nasty virus on my PC.

    I downloaded a file called SDfix from http://downloads.andymanchesta.com/RemovalTools/SDFix_ReadMe.htm

    It sounds like I had a similar virus; it tries to trick you into thinking you've got loads of viruses by changing your desktop wallpaper to one that shows a fake 'windows virus found' screen.

    It may also run a fake 'blue screen of death' screen saver; you may think the PC has crashed, but it's just a screen saver.

    After you run SDfix it will save a log file; this file can be sent to the program's author, who will give you further advice.

    It's a free program; I was so happy that it cleaned my PC that I made a donation to the author via PayPal.

    Good luck!
  • Jon_S_4
    Also from Kaspersky is a virus scanner that scans your system and removes viruses, then uninstalls itself after.

    It's free and from top anti-virus programmers Kaspersky.

    http://downloads5.kaspersky-labs.com/devbuilds/AVPTool/
  • Browntoa
    This will remove Antivirusxp 2008 completely; follow all the instructions.

    Please download Malwarebytes Anti-Malware and save it to your desktop.
    • Make sure you are connected to the Internet.
    • Double-click on mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Quick Scan" option is selected.
      • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.
    Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
    Ex forum ambassador

    Long term forum member
  • Mac_Sami
    From memory, Antivirus XP 2008 installs some sort of a rootkit, too.

    I used F-Secure's Blacklight Scanner (for rootkits) from ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe, which removed the rootkit.

    You'd still need to do the other stuff in this thread, too, but that should hopefully do the trick.
  • After you have run Malware Bytes - post 5

    You may want to run HijackThis, details below. You may also want to check your hosts file. Also, can you get to Google or do you get redirected? If you do, then you have a specific infection which will show in your HijackThis log.

    Click here to download HijackThis.
    Save HJTInstall.exe to your Desktop.
    Double click on the HJTInstall.exe icon to start the program.
    By default it will install to C:\Program Files\Trend Micro\HijackThis
    After the final dialogue box it will launch HijackThis.

    Click on the scan button. It will scan and then ask you to save the log.
    Save the log, and post me it in your next reply.

    Host File reset.

    Download HostsXpert.zip
    • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
    • Double-click HostsXpert.exe to run the program.
    • Click "Make Hosts Writable?" in the upper left corner (Only If available).
    • Click "Restore Microsoft's Hosts file" and then click "OK".
    • Click the X to exit the program.
    Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
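
As an added example (not part of any post in this thread): before resetting the hosts file as described above, a short Python script can list every active entry other than the stock localhost line, so forced redirects stand out and any custom entries can be noted for re-adding afterwards. The sample content, the verdict labels and the function names are constructed for illustration; the default path is the usual Windows location and is an assumption about the machine.

```python
import ipaddress
import os

# Constructed sample (not taken from the thread): the stock localhost entry,
# one ad-blocking style entry, two remote mappings and one broken line.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.net   # custom block entry
203.0.113.7     www.google.com google.com
203.0.113.7     update.example-av.test
not-an-ip       broken.example
"""

def audit_hosts(text):
    """Return (line_no, address, hostname, verdict) for each non-default entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not entry:
            continue
        fields = entry.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, fields[0], " ".join(fields[1:]), "malformed"))
            continue
        for name in (f.lower() for f in fields[1:]):
            if addr.is_loopback and name == "localhost":
                continue                          # the stock entry, nothing to report
            if addr.is_loopback or addr.is_unspecified:
                verdict = "blocked"               # name points at this machine or nowhere
            else:
                verdict = "redirected"            # name is forced to another address
            findings.append((line_no, str(addr), name, verdict))
    return findings

def read_hosts(path=None):
    """Read the hosts file; the default path is the usual Windows location (assumed)."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    path = path or os.path.join(root, "System32", "drivers", "etc", "hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()

if __name__ == "__main__":
    try:
        text = read_hosts()
    except OSError:
        text = SAMPLE_HOSTS                       # fall back to the constructed sample
    for finding in audit_hosts(text):
        print("line %d: %s -> %s [%s]" % finding)
```

Entries marked "redirected" for well-known sites are the ones to question; "blocked" entries are often a deliberate custom block list and are the ones the note above says you would have to re-add yourself.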



This discussion has been closed.