Having some probs getting rid of some system32 backdoor trojans, there are also some strange files that I'm not sure should be there e.g. winworld, spools, svphost etc.
Any help much appreciated.
Hijackthis log below.
Logfile of HijackThis v1.97.7 Scan saved at 16:50:26, on 11/11/2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
I have scanned and downloaded new hijackthis, new file below
BullGuard is telling me that the backdoor trojans are in System Volume; I also have a Sasser worm too.
Thanks again in advance.
Logfile of HijackThis v1.98.2 Scan saved at 23:43:45, on 12/11/2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
In the 'Full Path of File to Delete' box, copy and paste the following, clicking the 'Delete File' button (red circle with a white X) after pasting:
C:\WINDOWS\System32\SVPHOST.EXE
It will prompt you to reboot, do so.
After restarting, with only HijackThis running, scan and when complete, remove the following entry by checking the box to the left and clicking 'fixed checked':
Go to Task Manager (Ctrl+Alt+Del) and find, if present: 1D.tmp.exe
Right-click on it and choose End Process.
Scan with HijackThis, close all other windows, put a checkmark next to this entry, and fix: O4 - HKLM\..\Run: [[Ephemeral 2.5] by TreeHugger, ] C:\DOCUME~1\adam\LOCALS~1\Temp\1D.tmp.exe Show hidden files: http://www.xtra.co.nz/help/0,,4155-1916458,00.html=
Reboot into Safe Mode (hit F8 key until menu shows up). Find and delete: C:\DOCUME~1\adam\LOCALS~1\Temp\1D.tmp.exe
Followed your instructions. The 1D.tmp.exe thing now doesn't appear to run in Task Manager or in the temp folder where I deleted it from, but it is still in the HijackThis log even after I have checked it for deletion???
Anyway here is my new log:
Logfile of HijackThis v1.98.2 Scan saved at 12:39:10, on 13/11/2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Ok, this re-occurring entry is part of the W32/Lemoor-A virus. I hoped we could do it the easy way.
We need to manually remove this entry from the registry while disconnected from the internet. First print out these instructions or save them in a text file so you can reference them while the internet is down. Then disconnect your system from the internet (physically unplug it). Reboot your system (leave unconnected from the internet).
When back up, click on Start -> Run -> type in REGEDIT and hit the "Enter" key. When the Registry Editor opens up, navigate to this Folder (on the left hand side of the window) under the HKEY_LOCAL_MACHINE entry:
Then find this key in the right-hand side of the window:
[[Ephemeral 2.5] by TreeHugger, ] C:\DOCUME~1\adam\LOCALS~1\Temp\1D.tmp.exe
Highlight the key and delete it. Then exit the registry editor. Run "Hijack This!" and verify that the entry is no longer there. Re-connect your system to the internet, then reboot once more. Once back up, run "Hijack This!" and post a new log so I can verify that the entry is gone as well.
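As an added, defender-side example (not code from this thread or from HijackThis), here is a small Python triage script that parses HijackThis O4 autostart lines and flags the traits used above to single out the bad entry: a command launched from a Temp folder, a `.tmp.exe` double extension, and a garbled display name. The sample log is constructed; its second line is the entry from this thread.

```python
import re

# Shape of a HijackThis O4 line:  O4 - <hive>: [<display name>] <command>
O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>.*)\] (?P<cmd>.+)$')

# Constructed sample log: two ordinary autostarts plus the entry from this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [[Ephemeral 2.5] by TreeHugger, ] C:\DOCUME~1\adam\LOCALS~1\Temp\1D.tmp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

def parse_o4(line):
    """Return {'hive', 'name', 'cmd'} for an O4 line, or None for any other line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None

def suspicious_reasons(entry):
    """Heuristics from this thread: autostarts living in Temp or named *.tmp.exe."""
    cmd = entry['cmd'].lower()
    reasons = []
    if re.search(r'\\temp\\', cmd):
        reasons.append('launches from a Temp directory')
    if re.search(r'\.tmp\.exe\b', cmd):
        reasons.append('double extension .tmp.exe')
    if entry['name'].startswith('[') or entry['name'].endswith(', '):
        reasons.append('malformed display name')
    return reasons

def triage(log_text):
    """Collect every O4 entry that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            findings.append({**entry, 'reasons': reasons})
    return findings

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['hive']}: [{f['name']}] {f['cmd']}")
        for r in f['reasons']:
            print('   -', r)
```

Flagged entries are candidates for review, not automatic deletions; confirm the file on disk before removing the Run value.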
I have deleted that entry from the registry. New log below:
Logfile of HijackThis v1.98.2 Scan saved at 22:42:10, on 13/11/2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
The nasty stuff comes from "everywhere". When you have installed these programs you are well protected; update SpywareBlaster once a week, and SpywareGuard when you have downloaded it.
Check for updates for Windows and Internet Explorer every week or so. Download each critical update one by one, rebooting when necessary. Repeat this until you get the message "no critical updates available".