I need some help with a stubborn trojan

I got a trojan and a homepage hijacker on my laptop that I can't seem to get rid of.

Homepage Hijacker:
It is some MSNmessengerforums hijacker that I should be able to get rid of if I could use Hijackthis (read below for why I can't).

Trojan:
I run spybot, adaware, and AVG, but every time AVG scans and picks it up I try to heal it and it comes back when I reboot. I move it to the vault and delete it and it comes back. It actually installs on my desktop with two files (one called install, and one called TC*something*). It also installs in c>windows>system32>drivers

I installed hijackthis but every time I try to open it, it is as if someone is actively clicking closed the program remotely (i.e. sometimes it closes right away, other times I get more play out of the program). I was able to get a quick scan from hijackthis but every time I try to open IE to post it to that site that analyses it, IE shuts down on its own. It shuts down pretty much anything related to hijackthis.

Also, when I got my scan log, I tried to save it in Word but it said my permissions were denied. I didn't want to send the log to any more of my computers in case it would infect them, so I don't really have a way to post it.

Does anyone have any suggestions as to what I can do?
 
Reboot into safe mode with an account that has admin privileges. Locate the file in System32, right click, Security, turn off inherited permissions, reboot into normal mode, delete, reboot, run scans, fix.
 
I know it really isn't standard around here, but maybe provide us with a Hijack This log?
 
I forgot you can't run HJT, sorry.

Stupid Question: You're doing all of this scanning in Safe Mode, right?
 
Are you running your scans in safe mode? Have you disabled Windows restore points? Most of the nasty spycrap hides in there. It sounds like Smitfraud or Vundo to me, so you can try these:

Smitfraud
http://www.bleepingcomputer.com/forums/topic17258.html

Vundo fix
http://www.bleepingcomputer.com/forums/topic18610.html


If AVG shows you what file is infected but can't clean it, try downloading and running killbox on the file, since you have the path.

This is a good resource:

http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Overview
 
I think I got rid of the trojan by using a program called prevx1 (I was able to get a 30 day trial). It looks as though it has found and deleted it. I do, however, still have the msnmessenger homepage hijacker going on. I was doing all of my scanning in safe mode and I disabled Windows restore points.

I am able to run hijack this now and got a log and posted it to one of the sites that analyses it. This is what it came up with.

HJTlogfile.jpg


What do I do now? How do I get rid of this stuff?


Thanks everyone for your help/suggestions. Trust me, it is greatly appreciated!
 
Those two winlogon.exe entries look bad. That is not the correct path for winlogon.exe.

I would disable those with Autoruns.
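
The check described in the reply above (a Windows system process name running from a directory other than its normal one), as an added Python example that is not part of the thread. The log lines are constructed in HijackThis's text format, and the expected-directory table assumes a default C:\WINDOWS install.

```python
import ntpath

# Assumption for this example: system process names and the only folder they
# normally run from on a default C:\WINDOWS install. Not an exhaustive list.
SYSTEM32 = r"c:\windows\system32"
EXPECTED_DIR = {n: SYSTEM32 for n in (
    "winlogon.exe", "csrss.exe", "smss.exe", "lsass.exe", "services.exe")}
EXPECTED_DIR["explorer.exe"] = r"c:\windows"

# Constructed sample lines in HijackThis log format (not the poster's log).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\user\Desktop\winlogon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [updater] C:\WINDOWS\system32\drivers\winlogon.exe
"""

def extract_path(line):
    """Return the executable path found on a HijackThis line, or None."""
    line = line.strip()
    # Autostart entries: O4 - HKLM\..\Run: [name] C:\path\file.exe /args
    if line.startswith("O4 - ") and "] " in line:
        line = line.split("] ", 1)[1].strip('"')
    if len(line) < 3 or line[1:3] != ":\\":
        return None  # header or entry without a drive-letter path
    end = line.lower().find(".exe")
    return line[: end + 4] if end != -1 else None

def find_masquerades(log_text):
    """List (name, path) for system process names outside their expected folder."""
    hits = []
    for line in log_text.splitlines():
        path = extract_path(line)
        if path is None:
            continue
        folder, name = ntpath.split(path)
        expected = EXPECTED_DIR.get(name.lower())
        if expected and ntpath.normcase(folder) != expected:
            hits.append((name.lower(), path))
    return hits

if __name__ == "__main__":
    for name, path in find_masquerades(SAMPLE_LOG):
        print(f"suspicious: {name} running from {path}")
```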
 
From what I've seen Prevx is badass, and that was going to be my next recommendation :cool: Are you going to continue the subscription after the 30 days? I remember looking at it a while back and it's only like $25 a year iirc.
 