#1 - 08-26-2005 - thankyou1st (Bronze Member; Join Date: Aug 2005; Posts: 4)
[Answered] Not sure infected or not

Hi,

I am not sure whether my notebook has been infected or not. However, my server is badly infected with a trojan horse, to the point that it has to be formatted.

I have tried to update Windows but was not successful. When checking via Windows Update over the internet, it detected that I have one update, but the update file is 0 KB! I tried to install it anyway; it showed that the file to update is Service Pack 2. However, when I try to install it, it just hangs when checking my system.

Attached my hijack log.

JOHN
Attached: hijackthis.txt (7.1 KB)


#2 - 08-26-2005 - ladygreenwitch (HR Director; Join Date: Jul 2005; Location: Bay Area California; Posts: 5,778; PC Experience: PC Illiterate)
Re: Not sure infected or not

Hi Thankyou1st,

Welcome to PCHF. Let me take a look at your HJT log and I'll get right back to you.

TTFN

T


#3 - 08-26-2005 - ladygreenwitch (HR Director; Join Date: Jul 2005; Location: Bay Area California; Posts: 5,778; PC Experience: PC Illiterate)
Re: Not sure infected or not

:-) Hi John,

I see just a couple of things in your HJT log. You certainly have the right protection on your PC

Let's get you cleaned up completely and see if we can't get your update to run.

To start with I would like you to do this:


First disable System Restore to prevent re-infection.
(You can turn it back on when your PC is clean.)


How to disable system restore:

WinXP.

Click the Start button.
Right-click My Computer, and then click Properties.
On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.

Then please delete your temporary files by deleting all files and folders that are in these folders
(do not delete the temp folder itself;
if there are "files in use", then empty these folders in Safe Mode (hit F8 when booting up)):

empty the C:\windows\prefetch folder,
empty the C:\windows\temp folder,
empty the C:\Documents and Settings\Your Account\Local Settings\Temp folder,
empty the C:\Documents and Settings\Your Account\Local Settings\Temporary Internet Files folder EXCEPT the content.ie5 folder (may be hidden).


And close all instances of IE and OE, then go to: Control Panel / Internet Options / General tab.
Click the "Delete Files" button.
When prompted, place a check in "Delete all offline content" and click OK. This removes the junk files such as downloaded files, zero-byte files created by Outlook Express and many other hidden files that reside in your cache.

Then please do this, since it's better to use automated tools to get rid of the bad stuff: use these programs first, before doing the final cleaning with HJT.

Open ewido and update, then click on scanner, then settings, make sure all options are selected and that scan all files is also selected. Run your ewido scan fixing everything it finds.

Spybot: Search And Destroy:
If you do not have version 1.4 please;
1. Download the new version (1.4) of 'Spybot: Search And Destroy'.

2. Install it according to the instructions in 'How To Setup Spybot SD'.

3. Next, 'Search for Updates' as the definitions are not likely to be up-to-date.

4. Close ALL windows except Spybot SD.

5. Click the "Check for Problems" button.

6. Click 'Fix Selected Problems' and fix only the RED items.

7. REBOOT to finish removing what Spybot SD found and clear memory.


Ad-Aware SE by Lavasoft:
If you do not have the most recent update please;
1. Download 'Ad-Aware SE'.

2. Install according to the instructions in "How To Setup Ad-Aware SE"

3. Next, 'Check for Updates' by clicking on the 'world globe' second from the right at the top of your Ad-Aware SE window.

4. Install the updates.

5. Close ALL windows except Ad-Aware SE.

6. Click on 'Start' and choose 'full scan' for a full scan.

7. Quarantine anything that it finds and SAVE the log file.

8. REBOOT to finish removing what Ad-Aware SE found and clear memory.

Then rerun HijackThis and fix any of these items that are still showing:

R3 - Default URLSearchHook is missing
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZNxdm119YYMY
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Then we'll look at some things that could also be blocking your install.

Look forward to your reply.

TTFN

T
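The three HijackThis entries listed above are the part of this procedure that takes judgement rather than clicking, so here is an added Python example (written for this thread; it is not code from the forum, the helper, or HijackThis) that scans a constructed log excerpt and flags the same three kinds of entry: an R3 line reporting the default URLSearchHook missing, an O8 context-menu item that calls out to a host not on an allowlist, and an O23 service whose binary is missing or has no recognised owner. The SAMPLE_LOG contents (apart from the three lines quoted from the thread, with the O8 URL kept truncated as it appears there), the trusted_hosts allowlist and the triage rules are assumptions of the example.

```python
import re
from urllib.parse import urlparse

# Constructed HijackThis log excerpt for illustration. The R3, O8 (mywebsearch)
# and O23 (WinVNC4) lines are the ones the helper listed in the thread; the
# remaining lines are constructed benign entries, not from the original log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R3 - Default URLSearchHook is missing
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZNxdm119YYMY
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
O23 - Service: Example AV Service (ExampleAV) - Example Vendor - C:\Program Files\ExampleAV\service.exe
"""

# Every HJT log line starts with a section code (R0-R3, O1-O23) followed by " - ".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


def remote_host(url: str) -> str:
    """Return the lower-cased host of an http(s) URL, or "" for local handlers such as res://."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return ""
    return parsed.netloc.lower()


def triage_hjt(log_text: str, trusted_hosts: frozenset = frozenset()) -> list:
    """Return (section, reason, line) for every entry worth a second look.

    The rules mirror the three entries flagged in the thread:
      R3  - the default URLSearchHook entry is reported missing
      O8  - a context-menu item calls out to a host that is not trusted
      O23 - a service whose binary is missing or has no recognised owner
    """
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "R3" and "is missing" in body:
            findings.append((section, "default URLSearchHook entry absent; HJT can restore it", raw))
        elif section == "O8":
            # The target URL is the last " - " separated field of the entry.
            host = remote_host(body.rsplit(" - ", 1)[-1])
            if host and host not in trusted_hosts:
                findings.append((section, f"context-menu item points at {host}", raw))
        elif section == "O23":
            if "(file missing)" in body:
                findings.append((section, "service registered but its binary is not on disk", raw))
            elif "Unknown owner" in body:
                findings.append((section, "service binary carries no recognised publisher", raw))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage_hjt(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

The allowlist is deliberately empty by default: an O8 entry that reaches out to any web host is worth a look, and a host is only silenced once someone has decided it belongs there. An O23 "(file missing)" entry is flagged regardless of owner, because a service pointing at a binary that no longer exists is exactly the kind of leftover the helper asked to have fixed.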


#4 - 08-26-2005 - thankyou1st (Bronze Member; Join Date: Aug 2005; Posts: 4)
Re: Not sure infected or not

Thanks for your prompt reply.

Let me try out first.

JOHN


#5 - 08-26-2005 - ladygreenwitch (HR Director; Join Date: Jul 2005; Location: Bay Area California; Posts: 5,778; PC Experience: PC Illiterate)
Re: Not sure infected or not

:-) OK Great,

I have to log off for tonight. Joe and Merlin are on right now and more than likely one of them will follow up with you on this tonight. If not I will check back in the morning and see how it worked out.

TTFN

T


#6 - 08-26-2005 - thankyou1st (Bronze Member; Join Date: Aug 2005; Posts: 4)
Re: Not sure infected or not

Hi,

Done.

But noted 3 things.

1. While deleting the temp folder, one file could not be deleted, and when it finally got deleted, the file recreated itself with the letters JET in front, e.g. JET9D41, JET3D5C.

2. Ad-Aware seems to have a problem removing the spyware... websearch keeps on coming back.
3. If you look at the HijackThis log, there is a link to //red.clientapps.yahoo/customise.. Is this a problem? I notice that my infected server auto-links to this shortcut via IE.

Thanks for your assistance

Attached is my log.
Attached: hijackthis2.txt (6.8 KB)


#7 - 08-26-2005 - merlin (Trusted Security Analyst; Join Date: Jul 2005; Location: Wisconsin; Posts: 2,616; PC Experience: Computers Fear Me)
Re: Not sure infected or not

We can go this route as well..


Please download ewido Security Suite
- Install ewido security suite
- When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu."
- Launch ewido; there should be a big "E" icon on your desktop, double-click it.
- The program will prompt you to update; click the "OK" button
- The program will now go to the main screen

You will need to update ewido to the latest definition files.
- On the left hand side of the main screen click update
- Click on Start

The update will start and a progress bar will show the updates being installed. After the updates are installed, exit ewido.

Once the updates are installed do the following:
- If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.
- Reboot into Safe Mode; you can do this by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. Then, run ewido.
- Close all open windows/programs/folders. Have nothing else open while ewido performs its scan!
- Click on scanner
- Click on Settings
  • Under "How to scan" all boxes should be selected
  • Under "Possibly unwanted software" all boxes should be selected
  • Under "What to scan" select scan every file
  • Click OK
- Click on Complete system scan
- Let the program scan the machine
- If ewido finds anything, it will pop up a notification. NOTE: We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one by one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, AOL, pcAnywhere and the game "Risk" have been flagged; in particular, watch for alerts that have the word "Heuristic" in them; if you recognize the file name as "friendly," these may actually be false positives), select "none" as the action. DO NOT check "Perform action with all infections." If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
- Click Save report
- Save the report to your desktop
- Exit ewido

And post the Ewido log back here...




