
help please backdoor trojan keeps coming back

6322 Views 28 Replies 3 Participants Last post by  seth69
Help please, it keeps coming back when I've cleaned and deleted it many times.
http://img366.imageshack.us/img366/7034/trojanov9.jpg

together with this error
http://img373.imageshack.us/img373/5444/mutexpn6.jpg
Welcome to TSG :)

Please download HJT setup.exe Here
Let it Place Hijackthis in C:\Program Files\Hijackthis
Open Hijackthis.exe
Click on Do a System Scan and Save log file
Don't Fix any Items!!!
Just copy and paste the contents of the log file to your reply.
Download Combofix and save it to your desktop.
http://download.bleepingcomputer.com/sUBs/zh/BetaB/combofix.exe

Note: It is important that it is saved directly to your desktop

Close any open browsers.

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
There are some things in the Combofix that I don't like. It failed to delete one file and I am going to contact the developer. Please be patient while I wait to receive a message.
You have a flash/removal drive infection!!!!

You have a file I would like you to get analyzed. Please go to VirusTotal. On the very top of the Website, you will see a Browse button. You will more than likely need to use Windows Search to find those files.

Boot.exe
Ravmon.exe
Then Click on Send. This could take between 30 seconds to a couple of minutes. When you get the Results, Open Notepad, please highlight the results, copy them to Notepad and save it as "Scan.txt, Scan2.txt". Save the text file "Scan.txt and Scan2.txt" to your desktop. Please include the file in your next post.
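The helper's instructions above amount to a manual audit of the flash drive: find the files, submit them to VirusTotal, keep the results. Below is an added PowerShell example (not from this thread or from any of the tools it mentions) that does the gathering part without ever launching the files: it enumerates removable and optical drives, reads any autorun.inf to see which executables it would start, searches the drive for the file names asked about (Boot.exe, Ravmon.exe, and the autoplay.exe mentioned later in the thread), and writes their SHA256 hashes to a text file on the desktop. A hash can be looked up on VirusTotal directly, which avoids uploading or touching the file itself. It assumes Windows PowerShell 4.0 or later for Get-FileHash and Get-CimInstance; the report path and the list of names are choices made for this example.

```powershell
# Added example, not part of the thread: audit removable/optical drives for an
# autorun.inf, list the executables it would launch, look for the file names the
# helper asked about, and write SHA256 hashes to the desktop so they can be
# looked up on VirusTotal without the files ever being executed.
# Assumption: Windows PowerShell 4.0 or later (Get-FileHash, Get-CimInstance).

$suspectNames = @('Boot.exe', 'Ravmon.exe', 'autoplay.exe')   # names taken from the thread
$report       = Join-Path $env:USERPROFILE 'Desktop\RemovableDriveAudit.txt'
$lines        = New-Object System.Collections.Generic.List[string]

# Win32_LogicalDisk DriveType: 2 = removable disk, 5 = CD-ROM
$drives = Get-CimInstance Win32_LogicalDisk |
          Where-Object { $_.DriveType -eq 2 -or $_.DriveType -eq 5 }

foreach ($d in $drives) {
    $root = $d.DeviceID + '\'
    $lines.Add("=== Drive $($d.DeviceID) (DriveType $($d.DriveType)) ===")
    $targets = @()

    $autorun = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $autorun) {
        $lines.Add('autorun.inf present:')
        foreach ($line in (Get-Content -LiteralPath $autorun -ErrorAction SilentlyContinue)) {
            $lines.Add("    $line")
            # open=, shellexecute= and shell\<verb>\command= are the keys that name a program to run
            if ($line -match '^\s*(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+?)\s*$') {
                $exe = (($matches[2] -replace '"', '') -split '\s+')[0]
                if (-not [System.IO.Path]::IsPathRooted($exe)) { $exe = Join-Path $root $exe }
                $targets += $exe
            }
        }
    } else {
        $lines.Add('no autorun.inf')
    }

    # The named files may sit anywhere on the drive, usually hidden; -Force includes hidden/system files
    $found = Get-ChildItem -Path $root -Recurse -Force -Include $suspectNames -ErrorAction SilentlyContinue
    foreach ($f in $found) { $targets += $f.FullName }

    foreach ($t in ($targets | Sort-Object -Unique)) {
        if (Test-Path -LiteralPath $t) {
            $item = Get-Item -LiteralPath $t -Force
            $hash = (Get-FileHash -LiteralPath $t -Algorithm SHA256).Hash
            $lines.Add($t)
            $lines.Add(('    SHA256={0}  Size={1}  Attributes={2}' -f $hash, $item.Length, $item.Attributes))
        } else {
            $lines.Add("$t  (referenced by autorun.inf but not present)")
        }
    }
}

$lines | Set-Content -Path $report
Write-Host "Report written to $report"
```

Run it from an elevated PowerShell prompt with the flash drive plugged in but before opening the drive in Explorer, so that Windows does not act on the autorun.inf first. The Attributes column is worth reading: a hidden, system-flagged executable in the root of a flash drive next to an autorun.inf that points at it is the pattern the helper is describing, whatever the file is named.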
Ok, lets make sure the infection is gone

Download and scan with Sysclean Package.
1. Create a new folder on drive "C:\" ("C:\New Folder") and rename it Sysclean.
2. Place the sysclean.com inside that folder.
3. Then download the latest Virus Pattern Files (lptXXX.zip).
4. Extract the lptXXX.zip pattern file into the same folder you created for sysclean.com.
5. Close all open applications and DISABLE your current anti-virus software. Some anti-virus programs such as Avast will alert you to a virus attack when running sysclean so it's best to disable them first. DO NOT perform a scan yet.
6. Reboot your computer in "SAFE MODE" using the F8 key. To do this restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
7. Open the Sysclean folder and double-click on sysclean.com to run.
8. It will take some time to complete. Be patient and let it clean whatever it finds.
9. Exit when done, reboot normally and re-enable your anti-virus program.

Note: This tool generates a log file (sysclean.log) in the same folder where the scan is completed. When using Sysclean it's best to use the Administrator's account or an account with Administrative rights, otherwise you will not have the rights to scan some locations, resulting in "Access is denied" log entries.
Do you have an F: partition on your hard drive???? I think the F: is probably related to your CD drive or flash drive. If you can find F:\autoplay.exe

Please go to Virustotal, click on Browse, locate the file and then post the results.

What did Norton find????

Next, please run Combofix again, then post the results. Thanks.
I have attached a file named Seth69.zip, please Extract/Unzip Seth69.reg to your Desktop. Double-click on Seth69.reg and allow it to be merged into Windows Registry.

Download KILLBOX, extract it to your desktop.

Open killbox.exe.

First

Click on Tools>Delete Temp Files

A box will open with a list of all user profiles.

Check the following boxes at a minimum for each profile by clicking on the drop down and checking the boxes that are enabled. Some will not apply and those boxes will not be available to check. Make sure you do this for all the profiles listed.

Temporary Internet Files
Temp Files
XP Prefetch

If you want to clean your cookies, history, and list of recent files run you may check those boxes as well.

Then,

Check on the Button titled "Delete Selected Temp Files"

Exit by clicking the Button titled "Exit(Save Settings)"

Once back into the main killbox program.

Check the following boxes:

Delete on Reboot

Highlight all the entries in the quote box below and then Copy them.
C:\WINDOWS\system32\grdupdater.exe
C:\DOCUME~1\ADMINI~1\taskmgr.exe
Then in killbox click File>>Paste from Clipboard

At this point the "All Files" button should be enabled so you can click it.

Click the "All Files" button.

Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes

A second message will ask to Reboot now? you will need to click Yes to allow the reboot.

Note: Killbox will let you know if a file does not exist.

If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until the last one at which time you click yes to allow the reboot

========================================

What is located in your G:\ Drive????

Did you do the regfix?????
Currently, is your thumb drive connected to your computer????
Ok, run this because you shouldn't be getting that error.

Download the file HERE and unzip it to your desktop. When unzipped it will be named allstart.bat. Doubleclick it to run it. It will create a folder on your desktop called files. Inside the folder will be a text file named look1.txt. Copy and paste the contents of that into your reply.
While I am doing some more research, go into msconfig (Start > run > type msconfig and press enter). Under the General tab, click on Selective Startup and uncheck Startup Items. You shouldn't receive that error. Let me know if you do. Thanks.
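Unchecking Startup Items in msconfig is a quick way to test whether the mutex error comes from something that auto-starts, but it does not tell you which entry. The added PowerShell example below (not from this thread and not part of msconfig or any tool named here) lists the same auto-start locations msconfig's Startup tab reads, the Run/RunOnce keys under HKLM and HKCU and the two Startup folders, and flags entries worth reviewing: programs launched from a user profile or temp folder, and programs that carry the name of a Windows system tool but do not live under the Windows directory, which is exactly the shape of the C:\DOCUME~1\ADMINI~1\taskmgr.exe entry earlier in this thread. It assumes Windows PowerShell 3.0 or later; the list of "suspicious" folders and system-tool names is a heuristic chosen for this example, not a definition of malware.

```powershell
# Added example, not part of the thread: enumerate the auto-start entries msconfig
# would disable and flag the ones a reviewer should look at first.
# Assumption: Windows PowerShell 3.0 or later. The heuristics below are illustrative.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Folders a system binary is not normally launched from (hypothetical heuristic list)
$suspiciousRoots = @($env:USERPROFILE, $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
                     'C:\Documents and Settings', 'C:\DOCUME~1') | Where-Object { $_ }

# Names of Windows tools that malware likes to borrow; legitimate copies live under %WINDIR%
$systemToolNames = @('taskmgr.exe', 'svchost.exe', 'lsass.exe', 'csrss.exe', 'explorer.exe')

# Registry entries that Get-ItemProperty adds and that are not Run values
$psNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-CommandPath([string]$cmd) {
    # Strip quotes and arguments, expand %SystemRoot%-style variables, return just the executable
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd)
    if ($cmd -match '^"([^"]+)"') { return $matches[1] }
    return ($cmd -split '\s+')[0]
}

function Test-SuspiciousPath([string]$path) {
    foreach ($r in $suspiciousRoots) {
        if ($path.StartsWith($r, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    $leaf = [System.IO.Path]::GetFileName($path)
    $underWindows = $path.StartsWith($env:WINDIR, [System.StringComparison]::OrdinalIgnoreCase)
    if (($systemToolNames -contains $leaf) -and -not $underWindows) { return $true }
    return $false
}

$entries = @()

foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($p in $props.PSObject.Properties) {
        if ($psNoise -contains $p.Name) { continue }
        $exe = Get-CommandPath ([string]$p.Value)
        $entries += [pscustomobject]@{
            Source  = $k
            Name    = $p.Name
            Target  = $exe
            Exists  = (Test-Path -LiteralPath $exe)
            Suspect = (Test-SuspiciousPath $exe)
        }
    }
}

# Startup folders: resolve .lnk shortcuts to the program they actually launch
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in @([Environment]::GetFolderPath('CommonStartup'), [Environment]::GetFolderPath('Startup'))) {
    foreach ($f in (Get-ChildItem -Path $folder -Force -ErrorAction SilentlyContinue)) {
        $target = $f.FullName
        if ($f.Extension -eq '.lnk') { $target = $shell.CreateShortcut($f.FullName).TargetPath }
        $entries += [pscustomobject]@{
            Source  = $folder
            Name    = $f.Name
            Target  = $target
            Exists  = (Test-Path -LiteralPath $target)
            Suspect = (Test-SuspiciousPath $target)
        }
    }
}

# Flagged entries first; the full list follows so nothing is hidden
$entries | Sort-Object @{Expression = 'Suspect'; Descending = $true}, Source | Format-Table -AutoSize
```

An entry marked Suspect is a starting point, not a verdict: hash the Target with Get-FileHash and look it up, as in the VirusTotal step earlier in the thread, before deciding anything. An entry whose Target does not exist (Exists = False) is also informative, since a Run value pointing at a file that was already deleted is typical of an incomplete cleanup, and is often what produces a startup error message.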
Did you disable all Startup items?????
Go back into msconfig and click on Diagnostic Startup and see if you still get the pop up.