Virus / Trojan Horse removal

CantGetNoSleep · 17-05-2010 08:01PM #1

Laptop has a virus / trojon horse. It's one of those ones that tells you computer is infected and tries to get you to buy some type of anti-virus software.

When you start Windows normally you just get the desktop background with no taskbar or icons. In safe mode I have tried a virus scan and system restore but neither of these will work. Anyone have any idea what to do without having to reinstall operating system?

Its a Dell Inspiron 6400 running Windows XP

ASJ112 · 17-05-2010 08:19PM

Please download DDS and save it to your desktop.

Disable any script blocking protection
Double click dds.pif to run the tool.
When done, two DDS.txts will open.
Save both reports to your desktop.

Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.

CantGetNoSleep · 17-05-2010 10:03PM

How do I disable the script blocking the program?

ASJ112 · 17-05-2010 10:15PM

just close as many security programs as you can, don't worry bout that part too much

CantGetNoSleep · 17-05-2010 10:21PM

ASJ112 wrote: »

just close as many security programs as you can, don't worry bout that part too much

Thanks for your help

CantGetNoSleep · 17-05-2010 10:27PM

Think it is the Worm win32 netsky virus

ASJ112 · 17-05-2010 11:19PM

Please download OTM

Save it to your desktop.
Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).

Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Processes

:Services

:Reg

:Files
c:\windows\system32\18467.exe
c:\windows\system32\smss32.exe
c:\windows\system32\ES15.exe
c:\windows\system32\41.exe
c:\windows\system32\helpers32.dll
c:\windows\system32\warnings.html
c:\windows\system32\drivers\hzpcib.sys
c:\windows\system32\winlogon32.exe
c:\docume~1\paulca~1\applic~1\avdrn.dat

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[EMPTYFLASH]
[Reboot]

Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Download ComboFix here :

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

Click me
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

CantGetNoSleep · 17-05-2010 11:40PM

Can only run in Safe mode and won't access the internet so may not be able to install Windows recovery console - is this a problem?

CantGetNoSleep · 18-05-2010 10:35AM

Was able to get System Restore to run and that seems to have fixed the problem.

Nonetheless thank you for your assistance ASJ112, greatly appreciate it

CantGetNoSleep · 18-05-2010 11:39PM

Edit - it is back despite my system restore and doing a new scan with a fully updated Microsoft Security Essentials!

ASJ112 · 19-05-2010 11:31AM

run combofix above

Virus / Trojan Horse removal

Comments