
Thread: Trojan horse help please

  1. #11
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    I note in the combofix log that maybe something installed on or PRIOR to November 15 may be where the infection lies since it is on or after that date that you seemed to have installed multiple anti-spy programs.
    These are the ones I really don't know anything about;
    ACT
    My Wedding Companion
    Interact Commerce
    Global Live
    xing shared

    They may be legitimate programs but I really couldn't find a lot of info about them.

    I also noted in your combofix log you have multiple anti-spy programs on the machine, you don't need this many.

    Please uninstall the following using Add/Remove;
    TrojanHunter 5.0
    Comodo
    a-squared Free
    *NoAdware5.0
    *XoftSpySE
    *Anti Trojan Elite xxxx
    *Please note that these have been listed at times as Rogue programs.

    Once you have uninstalled those via Add/Remove then also please do a file search via Start, Search, Files and Folders in "C" drive and look for any folders or files with the above names, if you find any, delete them.

    Once that is complete then reboot the computer, do another Kaspersky online scan, save the log for posting here and do another HJT scan also saving that log.
    Post back with both of those new logs.

  2. #12
    Join Date
    Nov 2007
    Posts
    14
    Hi Judy

    I know that on 15 Nov I was on the internet trying to access a local newspaper - clicked on a link and up came a porn web site which would not close initially and started to open lots of other pop-ups. I have had this problem since then. Seems to be a little better but Kaspersky has found some things.

    The multiple downloads were an attempt to get rid of it but I got lazy about clearing them as I used them.

    I recognise all the first list at the start of your post EXCEPT for xing shared. The rest are programmes I use from reputable sources - but suppose this does not mean they are not infected now?

    Cleared the anti virus programmes and did the search but a comodo and anti trojan elite seemed difficult to get rid of and showed up again within a folder that had recycler in it - but it did say the folder was empty.

    Thanks for all the help so far.

    Posting logs and will follow up on your suggestions tomorrow - it's 11.10pm in little N.Ireland and I am going to get some sleep!!

    thanks again

    Rosie

  3. #13
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    The three found by Kaspersky are in the backup folder for combofix. Go to "C" drive and look for qoobox and just delete the entire folder.
    Be sure then to empty your recycle bin.

    Next Run HJT again and put a checkmark next to the following entries;

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

    O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttach File - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)

    Once you have placed the checkmarks then click the Fix checked button.
    Exit HJT.
    Reboot the system.
    Run one more Kaspersky scan and one more HJT scan and post those logs.

  4. #14
    Join Date
    Aug 2006
    Posts
    578

    Hey Judy,

    Not to butt in, but you guys ought to make sure this particular baddie is not still lurking on the machine:
    S3 noskrnl.sys;noskrnl.sys;\??\C:\WINDOWS\system32\noskrnl.sys

    I really didn't give the first ComboFix log more than a cursory glance, but this jumped out because we have seen it before with rootkit type stealthed baddies.

    Happy Weekend!
    PP

  5. #15
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    I missed it too! Took me three tries, even after you noted it, PP, to find it.
    Rosie you need to do the following;

    Download SDFix and save it to your Desktop.
    Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Finally copy and paste the contents of the results file Report.txt with a new HijackThis log


  6. #16
    Join Date
    Nov 2007
    Posts
    14
    Carried out both steps outlined above.

    cannot appear to access Kaspersky online scanner at the moment - tried a number of times??

    However the other logs are attached.

    thanks for all this

    Rosie

  7. #17
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    These logs look ok but would like you to keep trying on the Kaspersky, though they must be having problems with their site as I cannot load it either.
    How about a manual search for the file PP noted?
    To do this

    Show hidden files and folders.
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Now boot to Safe Mode and do a search in C:\WINDOWS\system32\ and look for this file: noskrnl.sys
    If you find it delete it, just the file NOT the whole folder.

    Then run another Combofix and see if it still shows.
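
The log line PP flagged and the manual file search above can be cross-checked mechanically. The following is an added example, not part of the thread or of ComboFix: it assumes the usual driver-line convention for these logs (R/S for running/stopped, then a start type of 0-4), and `LISTING` is a constructed directory listing. The findings are triage heuristics, not verdicts.

```python
import re
from ntpath import normcase, dirname

# ComboFix-style driver line: <R|S><0-4> name;display name;image path
# (assumed legend: R=running, S=stopped; digit = service start type)
LINE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.+)$")
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
DRIVERS_DIR = normcase(r"C:\WINDOWS\system32\drivers")


def parse_service_line(line):
    """Split one driver/service line into its fields, or return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, path = m.groups()
    # Strip the NT object-manager prefix so the path compares as a DOS path.
    if path.startswith("\\??\\"):
        path = path[4:]
    return {"running": state == "R", "start": START_TYPES[int(start)],
            "name": name.strip(), "display": display.strip(),
            "path": path.strip()}


def triage(line, visible_files):
    """Return findings for one line, given the paths a file search showed."""
    svc = parse_service_line(line)
    if svc is None:
        return ["unparsed line"]
    findings = []
    path = normcase(svc["path"])
    if path.endswith(".sys") and dirname(path) != DRIVERS_DIR:
        findings.append("driver image outside system32\\drivers")
    if path not in {normcase(p) for p in visible_files}:
        findings.append("image not visible on disk: stale entry or hidden file")
    return findings


# The line quoted in post #14, and a constructed listing without the file.
LOG_LINE = r"S3 noskrnl.sys;noskrnl.sys;\??\C:\WINDOWS\system32\noskrnl.sys"
LISTING = [r"C:\WINDOWS\system32\ntoskrnl.exe",
           r"C:\WINDOWS\system32\drivers\tcpip.sys"]

if __name__ == "__main__":
    print(parse_service_line(LOG_LINE))
    for finding in triage(LOG_LINE, LISTING):
        print("-", finding)
```

A service entry whose image cannot be seen in a normal listing is exactly the case where a follow-up scan from Safe Mode or an offline scanner is worth running, since the entry is either a leftover or points at a file being hidden.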

  8. #18
    Join Date
    Nov 2007
    Posts
    14
    Judy

    carried out the manual search but nothing there (at least nothing visible)

    Will keep trying the Kaspersky site and will post when I manage to do this. Since everything else has been followed my laptop appears to be working ok but I do appreciate there may be something lurking in the background.

    This is a great site and I really appreciate all the help


  9. #19
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    For safety reasons, by all means continue to try the Kaspersky site... OR go ahead and use one of the other online scanners given in PP's link; some of those do cleaning too, so use one of those, like BitDefender or Panda. If it finds something tell it to clean.

  10. #20
    Join Date
    Nov 2007
    Posts
    14
    OK - Kaspersky log now attached and hopefully all is well.

    feedback appreciated

    Rosie
