PC Help Forum » Security & Safety » [Fixed] Hijackthis! Logs » [RESOLVED] My post-log
#1  10-27-2005  heavingReaction (Bronze Member, joined Oct 2005, 6 posts)
[RESOLVED] My post-log

Hi there. I don't know for certain how it got on my machine; I guess that's the whole idea. Anyway, I downloaded some stuff on LimeWire, then LimeWire started up on its own repeatedly. Thinking that strange, I ran Ad-Aware and Spybot S&D, and ran AVG. Stuff was found, specifically the Trojan Horse IRC/Backdoor SdBot oo.exe. Since then I have tried many different ways to rid my box of this malarkey.

I went through all the steps posted by the moderators (if that's the correct term). Downloaded and ran CCleaner. Downloaded ewido, went into Safe Mode, ran it. Then Spybot S&D.

My new HijackThis log is attached as a .txt file. The ewido scan report was too big, even as .txt (149 KB or so), to attach; lots of TrojanDropper /Video.exe files were removed. Thanks for your time!

Attached file: hijackthis log 20051027.txt (5.7 KB)


#2  10-27-2005  joe5 (Elite Member, Netherlands, joined Jun 2005, 9,036 posts)

Welcome to PCHF, heavingReaction.

Before using HijackThis, please do the following:

Show hidden files and folders:

For XP:
  1. On the Tools menu in Windows Explorer, click Folder Options.
  2. Click the View tab.
  3. Under Hidden files and folders, click Show hidden files and folders.
  4. If you see a warning message, click Yes.
  5. Click Apply.
  6. Click OK.

Disable System Restore to prevent re-infection.
(If you have/use it. You can turn it back on when your PC is clean.)

How to disable System Restore:

WinXP:
  1. Click the Start button.
  2. Right-click My Computer, and then click Properties.
  3. On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.

Then uninstall DuDu Accelerator For Internet Explorer and MsMovies in Add/Remove Programs.

Then boot in Safe Mode (hit F8 when booting up) and fix these with HJT:

O4 - HKLM\..\Run: [microsoft server base] lass.exe
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\RunServices: [microsoft server base] lass.exe
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O4 - HKCU\..\Run: [microsoft server base] lass.exe
O18 - Protocol: koboo - {7DEE9D05-FA0A-4416-A6F3-6537D0EAB6A6} - C:\WINDOWS\system32\mbprot.dll

Then delete the files in bold.
Now do a search for "winlogi.exe" and delete all you find, and also delete:

C:\WINDOWS\system32\lass.exe
and:
C:\Program Files\DuDu

After that run CCleaner again and reboot.

Don't fix/remove these yet, but do you know and use these apps?

C:\Program Files\ChinaNet\VnetClient.exe
O2 - BHO: VnetCookie Class - {4E83D567-4697-4F7B-B1F0-A513B01DB89A} - c:\PROGRA~1\chinanet\VNETTR~1.DLL

and

O4 - Startup: 腾讯QQ.lnk [Tencent QQ] = C:\Program Files\Tencent\QQ\QQ.exe
O8 - Extra context menu item: 上传到QQ网络硬盘 [Upload to QQ network disk] - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 添加到QQ自定义面板 [Add to QQ custom panel] - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 [Add to QQ emoticons] - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 [Send this picture via QQ MMS] - C:\Program Files\Tencent\QQ\SendMMS.htm

Then please post a new HJT log to check.


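An added example (my own Python, not from the thread or from HijackThis) that applies the reasoning behind the fix list above to the O4 lines quoted in that post. Each autostart entry is checked for the signs a log reader looks for: a bare filename instead of a full path, a name one or two letters away from a genuine system process (lass.exe against lsass.exe, winlogi.exe against winlogon.exe), a value name claiming to be Microsoft's for a file that is not under C:\WINDOWS, and a write to the Windows 9x-era RunServices key. The six O4 lines are copied from the post; the AVG line is a constructed benign entry for contrast.

```python
import re

# Six O4 lines copied from the HijackThis log quoted above, plus one constructed
# benign entry (AVG) so the checks have something legitimate to leave alone.
SAMPLE_O4 = """\
O4 - HKLM\\..\\Run: [microsoft server base] lass.exe
O4 - HKLM\\..\\Run: [MsMovies] C:\\Program Files\\MsMovies\\MsMovies.exe /auto
O4 - HKLM\\..\\Run: [virtual-ie] winlogi.exe
O4 - HKLM\\..\\RunServices: [microsoft server base] lass.exe
O4 - HKLM\\..\\RunServices: [virtual-ie] winlogi.exe
O4 - HKCU\\..\\Run: [microsoft server base] lass.exe
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
"""

# HJT O4 layout: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Genuine NT system processes whose names bots of this era liked to imitate.
SYSTEM_BINARIES = {"lsass.exe", "winlogon.exe", "svchost.exe", "csrss.exe",
                   "services.exe", "smss.exe", "explorer.exe"}
EXE_EXT = (".exe", ".com", ".scr", ".bat", ".pif", ".dll")


def levenshtein(a, b):
    """Edit distance, used to spot look-alike process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_of(cmd):
    # HJT prints unquoted paths containing spaces (C:\Program Files\...), so
    # accumulate tokens until one ends in an executable extension; arguments
    # such as /auto are dropped.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    tokens = cmd.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(EXE_EXT):
            return " ".join(tokens[: i + 1])
    return tokens[0]


def parse_o4(line):
    """Split one O4 line into hive, key, value name, command, exe and basename."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["exe"] = executable_of(entry["cmd"])
    entry["basename"] = entry["exe"].rsplit("\\", 1)[-1].lower()
    return entry


def flags_for(entry):
    """Heuristic reasons an autostart entry deserves a second look."""
    reasons = []
    exe, base = entry["exe"], entry["basename"]
    if "\\" not in exe:
        reasons.append("bare filename: located via the search path, not a fixed location")
    if base not in SYSTEM_BINARIES:
        close = sorted(s for s in SYSTEM_BINARIES if levenshtein(base, s) <= 2)
        if close:
            reasons.append("name imitates system binary " + ", ".join(close))
    if "microsoft" in entry["name"].lower() and not exe.lower().startswith("c:\\windows\\"):
        reasons.append("value name claims Microsoft but the file is not under C:\\WINDOWS")
    if entry["key"].lower() == "runservices":
        reasons.append("RunServices is a Windows 9x-era key with no purpose on XP")
    return reasons


def triage(log_text):
    """Map each O4 line to its list of reasons (empty list means nothing flagged)."""
    return {line: flags_for(e) for line in log_text.splitlines() if (e := parse_o4(line))}


def lines_to_fix(log_text):
    return [line for line, reasons in triage(log_text).items() if reasons]


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_O4).items():
        print(line)
        for r in reasons:
            print("   !", r)
```

The MsMovies entry passes every check because it has a full path and an honest name; that one needs a lookup against known adware, which is why the post handles it through Add/Remove Programs rather than by pattern. The edit-distance threshold of 2 is deliberately loose (it also pairs lass.exe with smss.exe), since a false positive on a log that a human reviews anyway costs far less than a missed bot.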
#3  10-28-2005  heavingReaction (Bronze Member)
My post-log

Thanks. I went through the steps, but for some reason I can't attach my new HJT log: "hijackthis.log" invalid file name. I tried to change the file names and types, to no avail. But "oo.exe" is no longer on my C: drive.

Lots of thanks


#4  10-28-2005  Hengis (PCHF Head Honcho, Southern England, joined Jan 2004, 11,453 posts, PC Experience: Always learning)

Hi,

You need to attach the log as a .txt file, please.


#5  11-01-2005  heavingReaction (Bronze Member)
Attaching the Log

Thanks for all your help, first of all. My machine was running pretty well after all that, until...

With regards to attaching the fixed log, what I meant in my second post was that I did try to change the file into a .txt file by changing names, which didn't work. Then I tried to copy and paste the document into MS Notepad, which didn't work either. Regardless, I'm sure it was my problem anyway, as it was late at night and I was a little out of it.

On another note, I have continued to experience problems: my computer no longer works (I'm writing this from work). After going through all the steps, etc., I re-ran ewido in Safe Mode. I continued to come up with multiple "viruses" (in quotes because I'm not sure that is what they are): the files were recognized as "WinAd Trojan Dropper AhD", or something to that effect. These files are .zip files with /Video.exe extensions, and have completely ridiculous file names. These files are found and removed by ewido (not AVG, which I also have on my computer). I then run Ad-Aware and come up with the "Trojan Dropper" malware, which I then remove. But every time I reboot, it's back. At any rate, during my last cycle of Safe Mode and removing/cleaning, I ran Spybot S&D and left for a while. When I came back, there was a message on a black screen that said my "hal.dll" file was corrupt and had to be repaired. Could this have something to do with removing the "virus"? I have a Windows disk, but haven't had the time to try to see if the file can be repaired.

Anyway, the "trojan dropper" files are downloaded onto my computer by some means of which I am not certain; I run a program called "Process Explorer" and cannot see anything out of the ordinary when hooked up to the net. The trojan dropper files are always downloaded into C:\Documents and Settings\jh [that's my username]\Complete\. The funny thing is that this file cannot be seen, even when I select to view all folders and files, hidden or otherwise. I log on to my computer, and the file is empty. After a few moments on the net, I get a message that my C:\ is filling up. I use Windows Explorer, type in this file name, and can see all the .zip /Video.exe files.

I suppose I am babbling, but this is a mystery to me. Does anyone perhaps have some insight into this matter? I will post another HJT log after I repair that file (if I don't have to wipe the drive, that is!).

Best,
hR


#6  11-01-2005  joe5 (Elite Member)



If you get an error regarding a missing or corrupt hal.dll file, it might simply be the BOOT.INI file in the root of the C: drive that is misconfigured.
Here's what to do:
  1. Insert and boot from your Windows XP CD.
  2. At the first R=Repair option, press the R key.
  3. Press the number that corresponds to the correct location for the installation of Windows you want to repair.
  4. Typically this will be #1.
  5. Type bootcfg /list to show the current entries in the BOOT.INI file.
  6. Type bootcfg /rebuild to repair it.
  7. Take out the CD-ROM and type exit.
Give that a go first; if it works, then do a few online AV scans too (see the link below).

Also, do you know what these are and do you use them?

C:\Program Files\ChinaNet\VnetClient.exe
O2 - BHO: VnetCookie Class - {4E83D567-4697-4F7B-B1F0-A513B01DB89A} - c:\PROGRA~1\chinanet\VNETTR~1.DLL

and

O4 - Startup: 腾讯QQ.lnk [Tencent QQ] = C:\Program Files\Tencent\QQ\QQ.exe
O8 - Extra context menu item: 上传到QQ网络硬盘 [Upload to QQ network disk] - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 添加到QQ自定义面板 [Add to QQ custom panel] - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 [Add to QQ emoticons] - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 [Send this picture via QQ MMS] - C:\Program Files\Tencent\QQ\SendMMS.htm

It sounds like there is some pretty bad stuff on there and you might even be hacked... Do you see any strange activity in your firewall?


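Why a bad BOOT.INI produces a "hal.dll missing or corrupt" message, as an added example (my own Python, not from the thread or from Microsoft's bootcfg tool): NTLDR takes the ARC path on the default= line literally, and if that path names a partition with no Windows directory, the first file it fails to load from there is hal.dll. The two boot.ini texts and the FOUND_INSTALLS table that stands in for what bootcfg /rebuild discovers by scanning the disks are constructed for the example, and rebuild_boot_ini is a simplified imitation of what that command writes, not its real logic.

```python
import re

# ARC path as used in BOOT.INI, e.g. multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
ARC_RE = re.compile(
    r"^(multi|scsi)\((\d+)\)disk\((\d+)\)rdisk\((\d+)\)partition\((\d+)\)(\\\S*)$", re.I)

# Constructed: default= points at partition(2), but Windows lives on partition(1).
BROKEN_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
"""

# Constructed stand-in for what bootcfg /rebuild finds by scanning the disks:
# (rdisk, partition) -> directory holding the installation.
FOUND_INSTALLS = {(0, 1): "\\WINDOWS"}


def parse_boot_ini(text):
    """Minimal INI parser; keys keep their case because ARC paths are the keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def parse_arc(path):
    """Pull disk, partition and system directory out of an ARC path, or None."""
    m = ARC_RE.match(path.strip())
    if not m:
        return None
    return {"rdisk": int(m.group(4)), "partition": int(m.group(5)), "dir": m.group(6)}


def check_boot_ini(text, installs):
    """Return a list of problems; an empty list means NTLDR will find the system directory."""
    cfg = parse_boot_ini(text)
    systems = cfg.get("operating systems", {})
    default = cfg.get("boot loader", {}).get("default")
    if default is None:
        return ["[boot loader] has no default= line"]
    problems = []
    if default.lower() not in {k.lower() for k in systems}:
        problems.append("default= matches no [operating systems] entry")
    arc = parse_arc(default)
    if arc is None:
        return problems + ["default= is not a valid ARC path"]
    if arc["partition"] < 1:
        problems.append("partition() numbers start at 1; partition(0) is the whole disk")
    found = installs.get((arc["rdisk"], arc["partition"]))
    if found is None or found.lower() != arc["dir"].lower():
        problems.append(
            f"no Windows directory at rdisk({arc['rdisk']}) partition({arc['partition']})"
            f"{arc['dir']}: NTLDR reports hal.dll missing or corrupt")
    return problems


def rebuild_boot_ini(installs, timeout=30):
    """Simplified imitation of bootcfg /rebuild: one entry per installation found,
    the first one becoming the default."""
    entries = [f"multi(0)disk(0)rdisk({d})partition({p}){sysdir}"
               for (d, p), sysdir in sorted(installs.items())]
    lines = ["[boot loader]", f"timeout={timeout}", f"default={entries[0]}",
             "[operating systems]"]
    lines += [f'{e}="Microsoft Windows XP Professional" /fastdetect' for e in entries]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for problem in check_boot_ini(BROKEN_BOOT_INI, FOUND_INSTALLS):
        print("broken:", problem)
    print(rebuild_boot_ini(FOUND_INSTALLS))
```

The broken file is internally consistent (default= matches its own entry), which is exactly why the error is so confusing: nothing in the file is malformed, it just points at a partition that holds no Windows directory. bootcfg /list shows the entries; bootcfg /rebuild replaces them with what it actually finds on disk, which is what the repaired text from rebuild_boot_ini models.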

#7  11-02-2005  Mere_Mortal (Silver Member, St Ives, Cornwall, joined Oct 2005, 104 posts, PC Experience: PC Illiterate)

Hi guys

Can I just point you in the direction of this thread...

http://castlecops.com/postlite137240-hal.html

...after the user had problems with this HAL.DLL and subsequently attempted a reinstall, bigger problems began. Whilst I'm sure that simply repairing BOOT.INI won't pose such a problem, I think that thread should be read before attempting a restore/repair/reinstall. Something went horribly wrong and it's difficult to assert whether it was a human or Windows error, or even a malware issue.

Regards,
M_M


