
Trojan horse virus

6474 Views 24 Replies 6 Participants Last post by  ~Candy~
Hello, hello. I have AVG and it tells me I have "Trojan horse Downloader.Small.18.T" virus. No matter what action I take (delete, move to vault, heal) it keeps coming back after every action I take (open internet, my documents, etc.). I am pretty sure it is in conjunction with this Desktop Search I now have in my lower left corner on my desktop. I have no idea where it came from. Any assistance in removing this would be GREATLY appreciated.
p.s. I have Windows XP
Welcome to TSG

Where does it say the trojan is located?

Then

Go to http://majorgeeks.com/download3155.html and download 'Hijack This!'.

First make a folder on your computer in My Documents called HijackThis, then unzip it to that folder.
Then double-click HijackThis.exe.

Click the "Scan" button. When the scan is finished the Scan button will become "Save Log"; click that and save the log.
Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
so do NOT fix anything yet.

Someone here will be happy to help you analyze the results.
Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described.

CWshredder from http://www.subratam.org/?page=removal
Spybot - Search & Destroy from http://security.kolla.de
Download Adaware SE http://www.lavasoftusa.com/support/download/

then
Run CWSHREDDER,

Close all browser windows, click on cwshredder.exe, then click "FIX" (not "Scan only") and let it do its thing,
and make sure you have all of Microsoft security updates

then reboot &

Run Spybot S&D

After installing, first press Online, press Search for Updates, then tick the updates it finds, then press Download Updates. Beside the Download button is a little down-pointed arrow; select one of the servers listed. If it doesn't work or you get an error message, then try a different server.

Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

then reboot &

Run ADAWARE

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on "Check for updates now", then click Connect and download the latest reference files.

From main window :Click Start then under Select a scan Mode tick Perform full system scan.

Next deselect Search for negligible risk entries.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it (right-click the window, choose Select All from the drop-down menu and click Next).

Restart your computer.
then post a new hijackthis log
Whatever Adaware and Spybot find that is red is spyware and needs to be removed. If you have programs that you do not want to remove then you will keep having the same problems that you are having now. The choice is yours.
Run HijackThis and fix the following items. Be sure all windows are closed except for HijackThis.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {8235A87F-2AF9-4B3B-8B9C-66DFEDCE9E40} - C:\WINDOWS\System32\ifsautil.dll (file missing)
O2 - BHO: (no name) - {FB2F93E0-E804-41DB-8586-A9DF14CF604B} - C:\WINDOWS\System32\cea.dll (file missing)
O2 - BHO: (no name) - {FEF3DFC6-6524-45DE-5008-4D26242F6090} - C:\WINDOWS\System32\trhi.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binari.../EGDHTML_XP.cab

How to boot in safe mode

Reboot in safe mode and delete the following folder

C:\WINDOWS\isrvs\desktop.exe

Reboot and post a new hijackthis log
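Added here as an editor's example, not part of the original thread and not code from HijackThis itself: a small Python triage over the log lines quoted in the post above. It applies the same reasoning the helpers use by hand (entries whose file is gone, unnamed BHOs and toolbars, a search page pointed at about:blank, an ActiveX download from an unknown host, and binaries sitting in a non-standard subfolder of C:\WINDOWS) and then groups the flagged files by folder, since in this thread the real cleanup unit turned out to be the whole C:\WINDOWS\isrvs folder. The sample log is constructed from the entries in the post plus one benign ctfmon line added as a control; EXPECTED_DIRS and TRUSTED_DPF_HOSTS are assumptions for the example, not anything the thread states.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample HijackThis entries. The first nine and the O16 line are the ones the
# helper quoted in this thread; the ctfmon line is a constructed benign control
# so the triage has something it should NOT flag.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {8235A87F-2AF9-4B3B-8B9C-66DFEDCE9E40} - C:\WINDOWS\System32\ifsautil.dll (file missing)
O2 - BHO: (no name) - {FB2F93E0-E804-41DB-8586-A9DF14CF604B} - C:\WINDOWS\System32\cea.dll (file missing)
O2 - BHO: (no name) - {FEF3DFC6-6524-45DE-5008-4D26242F6090} - C:\WINDOWS\System32\trhi.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binari.../EGDHTML_XP.cab
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# Drive-letter path ending in a binary extension. Non-greedy so trailing text
# such as "(file missing)" is not swallowed; paths with spaces still match
# because the match runs to the extension, not to the next whitespace.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|ocx|sys)\b", re.IGNORECASE)

# Assumptions for this example (not anything HijackThis knows): where a Run-key
# target or BHO normally lives on a stock XP box, and which hosts are acceptable
# sources for an O16 ActiveX download.
EXPECTED_DIRS = {r"c:\windows", r"c:\windows\system", r"c:\windows\system32"}
TRUSTED_DPF_HOSTS = {"download.microsoft.com", "windowsupdate.microsoft.com"}


@dataclass
class Entry:
    kind: str                      # HijackThis section, e.g. "O2"
    body: str                      # everything after "O2 - "
    path: Optional[str]            # file on disk the entry points at, if any
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parent_dir(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def triage(entry: Entry) -> None:
    """Attach a reason for every rule the entry trips; no reasons means keep."""
    body = entry.body
    if "(file missing)" in body or "(no file)" in body:
        entry.reasons.append("orphaned: referenced file is gone, safe to fix")
    if entry.kind in {"O2", "O3"} and "(no name)" in body:
        entry.reasons.append("unnamed BHO/toolbar")
    if entry.kind in {"R0", "R1"} and "about:blank" in body.lower():
        entry.reasons.append("search/start page hijacked to about:blank")
    if entry.kind == "O16":
        m = re.search(r"https?://([^/\s]+)", body)
        if m and m.group(1).lower() not in TRUSTED_DPF_HOSTS:
            entry.reasons.append(f"ActiveX download from untrusted host {m.group(1)}")
    if entry.path:
        d = parent_dir(entry.path)
        if d.startswith(r"c:\windows") and d not in EXPECTED_DIRS:
            entry.reasons.append(f"binary in non-standard Windows subfolder {d}")


def parse_log(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # blank lines, headers, "Running processes:" block, etc.
        pm = PATH_RE.search(m["body"])
        e = Entry(m["kind"], m["body"], pm.group(0) if pm else None)
        triage(e)
        entries.append(e)
    return entries


def rogue_dirs(entries: List[Entry], min_hits: int = 2) -> Dict[str, List[str]]:
    """Non-standard folders that several flagged entries point into. When
    desktop.exe, ffisearch.exe and sysupd.dll all live in the same isrvs
    folder, the cleanup unit is that folder, not one file at a time."""
    by_dir: Dict[str, List[str]] = {}
    for e in entries:
        if e.suspicious and e.path and parent_dir(e.path) not in EXPECTED_DIRS:
            by_dir.setdefault(parent_dir(e.path), []).append(e.path)
    return {d: files for d, files in by_dir.items() if len(files) >= min_hits}


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for e in found:
        print(("FIX " if e.suspicious else "keep"), e.kind, "-", e.body)
        for r in e.reasons:
            print("        -", r)
    for d, files in rogue_dirs(found).items():
        print(f"folder to delete in Safe Mode: {d} ({len(files)} files)")
```

Run it as a script to see each entry marked FIX or keep with its reasons; only the ctfmon control comes out as keep, and the one folder reported is c:\windows\isrvs with its three files. The rules are deliberately narrow: a named BHO in System32 is left alone, so a real log will still need a human looking at the keep entries.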
Per my e-mail I sent you.

You are running HijackThis from a temp folder. Please move that to a permanent folder so you don't lose your backups.

Create a permanent folder on your hard drive like c:\hijackthis

Run HijackThis and fix the following items. Be sure all windows are closed except for HijackThis.

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

Restart to safe mode.

Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now find and delete this folder

C:\WINDOWS\isrvs\sysupd.dll

Reboot and post a new hijackthis log
OK, it is still in your system.

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

When you are sure you are clean turn it back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.


Let's try this

In Windows Explorer, find and delete these files by manually navigating to the folders they are in. Delete all you can find, but continue if you do not find one or more -- don't stop in the middle!!


C:\WINDOWS\isrvs\sysupd.dll
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\isrvs\ffisearch.exe

Now, delete this folder.

C:\WINDOWS\isrvs

Reboot and post a new hijackthis log
Go into Task Manager (Ctrl+Alt+Del, then select Task Manager), select the Processes tab, select ffisearch.exe and click End Process.

Then try to delete it
OK, hold on for a few minutes; I have PM'd one of the best to give us a helping hand.
While we are waiting, let's try this

Download Pocket Killbox from here:
http://www.downloads.subratam.org/KillBox.zip

Unzip the files to the folder of your choice.

Double-click on "Killbox.exe" to run it. Now put a tick by "Delete on reboot". In the "Paste Full Path of File to Delete" box, copy and paste each of the following lines one at a time. After each one it will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\isrvs\sysupd.dll
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\isrvs\ffisearch.exe

When in Safe Mode, open Notepad and paste in the following lines:

rem Temp files and the prefetch cache; run from Safe Mode so nothing has them open.
del c:\*.tmp
del "%temp%\*.tmp" /f
del "%windir%\prefetch\*.*"
del "%windir%\temp\*.*" /f
rem del cannot wildcard a directory component, so visit each profile's temp folder in turn.
for /d %%u in ("C:\Documents and Settings\*") do del "%%u\Local Settings\Temp\*.*" /f


Save to your desktop as 'clean.bat'.....Before you save,set 'file types' to all types. ( *.*)

DoubleClick on "clean.bat", and say Yes to the prompt.

Re-boot again into safe mode.

Locate this folder and delete it:

C:\WINDOWS\isrvs\sysupd.dll

Boot back into normal mode,re-scan with HijackThis and post the new log.