Computer Hope forum / Computer viruses and spyware
Topic: trojanloader.xs help? (Read 1275 times)
doc223 (Topic Starter)
« on: May 20, 2008, 08:06:24 PM »

My computer apparently contracted a trojanloader.xs.

Following your general instructions in the "read this first" section, I've installed 'avast', 'superantispyware', 'mbam', and 'hijackthis', and have attached the logs from them.

Something is preventing me from totally removing other anti-virus programs (Norton), and I cannot update Java per your general instructions.

Any help will be greatly appreciated.

[recovering space - attachment deleted by admin]
evilfantasy (Malware Removal Specialist, Moderator)
« Reply #1 on: May 20, 2008, 08:49:41 PM »

You had a whole plethora of garbage cleaned up so far. Good job!

Although you still need to update your Java, and there is still some work to do...

----------

Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C9804581-F617-8691-1192-D78F0526799C} - C:\WINDOWS\system32\aite.dll (file missing)
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe (file missing)
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe (file missing)


Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

----------

Download Combofix by sUBs from one of the below links.
(Try all three if necessary.) Important! Combofix.exe MUST be saved to and run from the Desktop.
  • Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting Combofix.
  • Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
    • Click this link to see a list of security programs that should be disabled and how to disable them.
    • If yours is not listed and you don't know how to disable it, please ask.
  • Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
  • Double click combofix.exe & follow the prompts.
    • Choose Yes to accept the Disclaimers.
    • When finished, it will produce a log for you.
    • Post that log in your next reply.
    Warning: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    • If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
    • Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.
  If needed, see this Combofix tutorial with screenshots that will detail the downloading and running of combofix more thoroughly.

----------

Create An Uninstall List
• Start HijackThis
• Click on the Open the Misc Tools section
• Click on the Open Uninstall Manager button.
• Click on the Save list button and specify where you would like to save this file and click Save.
  • When you press Save button a notepad will open with the contents of that file.
• Copy and paste that list in your reply.

----------

Next post please add:
Combofix log
Uninstall list
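The five HijackThis entries the helper asks to fix above share two warning signs that a triager looks for: the registered file no longer exists ("(file missing)" or "(no file)"), or the BHO registers itself with no name at all. The Python below is an added example, not code from this thread or from HijackThis itself: it parses O2 (BHO) and O9 (IE button / Tools menu) lines of that shape, flags entries by those criteria, and groups flagged entries by CLSID so the two Titan Poker items are treated as one component. The sample log is constructed from the lines quoted above plus one invented, healthy-looking BHO (made-up CLSID and path) for contrast; the "unnamed DLL in system32" check is a heuristic of my own, not a HijackThis rule.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log: the five O2/O9 lines quoted in the reply above,
# plus one invented, healthy-looking BHO (made-up CLSID and path) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C9804581-F617-8691-1192-D78F0526799C} - C:\WINDOWS\system32\aite.dll (file missing)
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe (file missing)
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe (file missing)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
"""

# Shape of an O2 (BHO) or O9 (IE button / Tools menu item) line:
#   Oxx - <kind>: <name> - {CLSID} - <target>
LINE_RE = re.compile(
    r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - (?P<target>.*)$"
)


@dataclass
class Entry:
    section: str
    kind: str
    name: str
    clsid: str
    path: Optional[str]      # None when HijackThis reports "(no file)"
    file_missing: bool
    raw: str


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one O2/O9 line; return None for lines of any other shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target").strip()
    if target == "(no file)":
        path, missing = None, True
    elif target.endswith("(file missing)"):
        path, missing = target[: -len("(file missing)")].strip(), True
    else:
        path, missing = target, False
    return Entry(m.group("section"), m.group("kind"), m.group("name"),
                 m.group("clsid").upper(), path, missing, line.strip())


# Heuristic (mine, not a HijackThis rule): an unnamed BHO whose DLL sits
# directly in system32 under a short, meaningless name deserves a close look.
UNNAMED_SYSTEM32_DLL = re.compile(r"\\system32\\[a-z]{3,6}\.dll$", re.IGNORECASE)


def triage(log_text: str) -> List[Tuple[Entry, List[str]]]:
    """Return the entries worth fixing, each with the reasons it was flagged."""
    flagged: List[Tuple[Entry, List[str]]] = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        reasons = []
        if e.file_missing:
            reasons.append("target file missing")   # orphaned registration
        if e.name == "(no name)":
            reasons.append("no name")               # legitimate BHOs name themselves
        if e.name == "(no name)" and e.path and UNNAMED_SYSTEM32_DLL.search(e.path):
            reasons.append("unnamed DLL in system32")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def group_by_clsid(flagged: List[Tuple[Entry, List[str]]]) -> Dict[str, List[Entry]]:
    """Entries sharing a CLSID belong to one component and should be fixed together."""
    groups: Dict[str, List[Entry]] = {}
    for e, _ in flagged:
        groups.setdefault(e.clsid, []).append(e)
    return groups


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for e, reasons in hits:
        print(f"[{e.section}] {e.name} {e.clsid}: {', '.join(reasons)}")
    for clsid, entries in group_by_clsid(hits).items():
        if len(entries) > 1:
            print(f"{clsid} appears in {len(entries)} entries; fix them together")
```

Run against the constructed log it flags the five quoted entries and leaves the invented healthy one alone. A missing file means the registration is orphaned (either the malware body was already removed or the registration is just debris), but the key and CLSID are still worth clearing so nothing can re-use them.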

doc223 (Topic Starter)
« Reply #2 on: May 21, 2008, 02:57:44 PM »

    Evil... thanks for all your help so far.

    OK.. did the HijackThis system scan only... checked all 5 items listed... 'fixed' the 5 checked items.

    Loaded ComboFix from the first link.  It scanned and 'deleted' 4 items, then it rebooted the machine.

NOTE: could NOT turn on "Avast" after ComboFix rebooted the machine, unless I am doing something wrong. I will disconnect manually from the net and work from a safe laptop after sending this log.

    Created 'uninstall list'

    Both attached, awaiting further instructions.

    [recovering space - attachment deleted by admin]
doc223 (Topic Starter)
« Reply #3 on: May 21, 2008, 03:26:45 PM »

    Update....

Just found where Java 6 Update 6 was hiding; installed it.

Located and deleted all other previous Java versions, did reboot; c:\program files\java contains ONLY jre1.6.0_06.

Still no 'avast' icon in bottom bar, but there is an icon for superantispyware.

Will wait for further instructions.

Thanks
evilfantasy (Malware Removal Specialist, Moderator)
« Reply #4 on: May 21, 2008, 03:43:38 PM »

You said you already got the old Java uninstalled, but I will list it just in case you missed any.

    Uninstall:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 7
    J2SE Runtime Environment 5.0 Update 8
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment Standard Edition v1.3.1_02

    LiveReg (Symantec Corporation)
    Norton AntiSpam
    Norton AntiSpam
    Norton Internet Security Professional
    Norton Internet Security Professional

    ----------

    Go to Start > Run and copy then paste the below line into the run box and click OK.

    "%userprofile%\Desktop\cf" /u

    ----------

    Download ATF Cleaner by Atribune
    Alternate Download link
     
    Make sure that all browser windows are closed

    Windows Vista users: ATF-Cleaner must be Run as an Administrator
    Double-click ATF-Cleaner.exe to run the program.
    • Under Main Select Files to Delete choose: Select All.
    • Click the Empty Selected button.
    • If you use Firefox browser click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      If you would like to keep your saved passwords, please click No at the prompt.
    • If you use Opera browser click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.


    Important: Restart the computer before continuing.

    ----------

    Let me know how things are now.
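The Java part of the uninstall list above is the usual picture: six old runtimes sitting beside the one current one, and every old JRE keeps its browser plug-in reachable until it is removed. The Python below is an added example, not code from this thread or from HijackThis: it parses the product names HijackThis's Uninstall Manager writes, recognises the three naming styles that appear in the list, and reports every runtime older than the newest one, plus the matching folder name under C:\Program Files\Java that the poster checked. The sample list is constructed from the names quoted above; the "Java(TM) 6 Update 6" line is the Add/Remove name I am assuming for the freshly installed jre1.6.0_06.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]   # (major, minor, micro, update), e.g. 1.6.0_06

# Constructed sample uninstall list: the Java and Symantec names quoted in the
# reply above, plus the assumed Add/Remove name for the freshly installed JRE.
SAMPLE_UNINSTALL_LIST = """
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 7
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment Standard Edition v1.3.1_02
Java(TM) 6 Update 6
LiveReg (Symantec Corporation)
Norton AntiSpam
Norton AntiSpam
Norton Internet Security Professional
"""

# The three product-name styles seen in the list, mapped to a version tuple.
_PATTERNS = [
    # "J2SE Runtime Environment 5.0 Update 10"  -> 1.5.0_10
    (re.compile(r"^J2SE Runtime Environment (\d+)\.(\d+) Update (\d+)$"),
     lambda m: (1, int(m.group(1)), int(m.group(2)), int(m.group(3)))),
    # "Java(TM) 6 Update 6"                      -> 1.6.0_06 (assumed name)
    (re.compile(r"^Java\(TM\) (\d+) Update (\d+)$"),
     lambda m: (1, int(m.group(1)), 0, int(m.group(2)))),
    # "Java 2 Runtime Environment Standard Edition v1.3.1_02" -> 1.3.1_02
    (re.compile(r"^Java 2 Runtime Environment.* v(\d+)\.(\d+)\.(\d+)_(\d+)$"),
     lambda m: (int(m.group(1)), int(m.group(2)), int(m.group(3)), int(m.group(4)))),
]


def java_version(product_name: str) -> Optional[Version]:
    """Map an Add/Remove Programs name to a JRE version tuple, or None if not a JRE."""
    name = product_name.strip()
    for pattern, build in _PATTERNS:
        m = pattern.match(name)
        if m:
            return build(m)
    return None


def jre_dir_name(v: Version) -> str:
    """Folder name the JRE installer uses under C:\\Program Files\\Java, e.g. jre1.6.0_06."""
    return f"jre{v[0]}.{v[1]}.{v[2]}_{v[3]:02d}"


def stale_java_runtimes(uninstall_list: str) -> Tuple[Optional[str], List[str]]:
    """Return (newest JRE name, [JRE names older than it]) from an uninstall list."""
    found: List[Tuple[Version, str]] = []
    seen = set()
    for line in uninstall_list.splitlines():
        v = java_version(line)
        if v is None or line.strip() in seen:
            continue                      # non-Java entry, or a duplicate line
        seen.add(line.strip())
        found.append((v, line.strip()))
    if not found:
        return None, []
    found.sort()                          # version tuples sort numerically, oldest first
    newest_version, newest_name = found[-1]
    stale = [name for v, name in found if v < newest_version]
    return newest_name, stale


if __name__ == "__main__":
    newest, stale = stale_java_runtimes(SAMPLE_UNINSTALL_LIST)
    print(f"keep:   {newest} ({jre_dir_name(java_version(newest))})")
    for name in stale:
        print(f"remove: {name}")
```

On the constructed list this keeps only "Java(TM) 6 Update 6" (folder jre1.6.0_06, the one directory the poster found left) and lists the six older runtimes for removal. Other product names pass through untouched, which is the point of checking the uninstall list mechanically rather than by eye.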
evilfantasy (Malware Removal Specialist, Moderator)
« Reply #5 on: May 21, 2008, 03:59:50 PM »

    Apologies, I missed an entry in the CF log.

    1) Click on Start, Settings, Control Panel

    2) Double click on Add/Remove Programs

    3) Find "Zango" in the list of installed programs and click on Change/Remove to uninstall it. There may also be a program called Media Gateway, remove it as well.

    More info HERE
doc223 (Topic Starter)
« Reply #6 on: May 21, 2008, 06:32:51 PM »

I have all the old Java runtime environments uninstalled.

I cannot uninstall 'live reg'; it says it is in use by 'norton internet security', however.....

There is NO listing at all in the 'add/remove' list for norton antispam, norton internet security professional, zango, nor media gateway.

Is there another way to get to them to remove them?

I did not do the 'user profile' stuff yet, nor the atf cleaner. Didn't know if out of order would cause a problem, so waiting for your answer first.

Thanks
evilfantasy (Malware Removal Specialist, Moderator)
« Reply #7 on: May 21, 2008, 06:46:07 PM »

Uninstall Norton Using The Removal Tool

**NOTE: This uninstalls ALL Symantec Products**

Please download the Norton Removal Tool
Once downloaded please close ALL open browsers, also save any work because this may require a restart.
• Go to your desktop and double click on the removal tool.
• Click Next
• Read the Terms and Conditions then click Next
• Type in the letters/numbers that you see into the text box. Click Next.
• Then click Next and the tool will start running.
Once completed you may have to restart your computer.

----------

Download OTMoveIt2 by OldTimer
• Save it to your desktop.
• Double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below.
Code:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango
• Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) and paste it in your next reply.
• Close OTMoveIt2
« Last Edit: May 21, 2008, 09:02:58 PM by evilfantasy »

doc223 (Topic Starter)
« Reply #8 on: May 21, 2008, 07:17:12 PM »

    sorry, apparently a bad address for the norton removal tool.  any new address for it?
evilfantasy (Malware Removal Specialist, Moderator)
« Reply #9 on: May 21, 2008, 09:03:22 PM »

    Fixed the link.
doc223 (Topic Starter)
« Reply #10 on: May 21, 2008, 09:40:31 PM »

    OK...  did the norton removal tool download, appears to have worked.

    Downloaded OTMoveIT2...  results:

    < HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango >
    Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango\\ deleted successfully.
     
    OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05212008_231758

    I then did the Start>Run, copied the 'userprofile\desktop\cf' info into the box, got a return box that windows could not find  "C:........cf" and to please check the address and retry.

    Then downloaded the ATF Cleaner, but then it asks me to check off on what I want cleaned.  What should I have checked when it runs?

    Also, still not sure if 'Avast' is actually running.  Still no icon in the task bar.

    So far, speed has increased tremendously.  No little box warnings popping up all over, and seems to have stopped opening dozens of IE windows.

    We getting close?

    Thanks
evilfantasy (Malware Removal Specialist, Moderator)
« Reply #11 on: May 21, 2008, 09:55:39 PM »

We're getting close.

    Go to Start > Run and copy paste

    combofix /u

    Note the space between Combofix and /u

    Then click OK.

    The instructions on what to check off are all there for ATF cleaner.

    ----------

    After that:

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll back to a clean working state if needed.
• Go to Start > Programs > Accessories > System Tools and click System Restore
• Choose the radio button marked Create a Restore Point on the first screen, then click Next. Give the Restore Point a name, then click Create.
• The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Next go to Start > Run and type Cleanmgr
• Click OK
• Click the More Options Tab.
• Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

Use the Secunia Software Inspector to check for out of date software.
• Click Start Now
• Check the box next to Enable thorough system inspection.
• Click Start
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?

    Let me know how everything is now.

doc223 (Topic Starter)
« Reply #12 on: May 22, 2008, 03:25:12 PM »

    OK....  ComboFix is uninstalled.

    ATF cleaner, checked all, deleted 109.309 MBs.  rebooted.

    Created restore point, cleaned all previous restore points.

    Tried to load Secunia Software Inspector... "IE cannot display web page"

    Bad link?  What should I do now?
evilfantasy (Malware Removal Specialist, Moderator)
« Reply #13 on: May 22, 2008, 03:33:43 PM »

    Hmm, site seems to be down. Maybe try again in a few hours.
doc223 (Topic Starter)
« Reply #14 on: May 23, 2008, 05:09:28 PM »

    OK.. Secunia site is back up... ran full scan, updated all.

    Reran scan, all good except Adobe Flash.  Able to update to vers. 9.0.115.0, but keep getting a bar across the top saying 'internet explorer is preventing active x from operating in an unsafe manner', and will not update to the requested 9.0.124.0 version.  Same for macromedia update, which apparently is the same as the Adobe Flash.

    As far as all else:

    Machine seems to be running much faster.

    No annoying  pop-up warning messages every 5 seconds.

I still have a blue background on my desktop. During startup, my usual wallpaper loads, but then is replaced by the blue screen. Do I need to just 'reapply' it as my wallpaper?

    Still have no idea if Avast is operating or not.  No icon in taskbar.  Double-clicking desktop icon gives no indication of operating status.  Is Avast the anti-virus program of choice?

    What about a firewall? 

    Any help is greatly appreciated.

    Thanks







doc223 (Topic Starter)
« Reply #15 on: May 23, 2008, 05:20:22 PM »

    Sorry, back again...

    Just checked my system startup list, found something called "ctfmon.exe" still there. 

    I remember one of the previous processes listed that as malware or something, and supposedly removed it.

    Ideas?

    Thanks
evilfantasy (Malware Removal Specialist, Moderator)
« Reply #16 on: May 23, 2008, 06:27:27 PM »

    Sounds like you need to reset your wallpaper.

    Try uninstalling and then re-installing Avast. Avast! Home Edition

    For a firewall I would suggest Comodo in Advanced mode Comodo Firewall
doc223 (Topic Starter)
« Reply #17 on: May 23, 2008, 09:14:23 PM »

    Evil;... Uninstalled/Reinstalled Avast, performed boot scan, came out clean.

    Loaded Comodo Firewall... scanned, 1 detection, deleted.

    Is it now safe to trust this machine?
Should I hang onto all the programs (OTMoveIt, HijackThis, MBAM)?

Read Tony Klein's essay.

    What else should /can I do?

    Thanks for all your help.

evilfantasy (Malware Removal Specialist, Moderator)
« Reply #18 on: May 23, 2008, 09:28:25 PM »

Definitely look through Tony Klein's article.

All the programs are safe to keep (except OTMoveIt) and run occasionally to make sure nothing has crept in.

1. Double click OTMoveIt2.exe to launch it.
If using Vista, right-click OTMoveIt and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
• When finished exit out of OTMoveIt2
    I'm 99.99% sure you are now clear of malware.

    Let me know if anything else comes up.

doc223 (Topic Starter)
« Reply #19 on: May 24, 2008, 12:02:25 PM »

    Everything appears to be functioning as it should... even better than before the bug.

    Thanks for all your excellent help.  Greatly appreciated.

Copyright © 2010 Computer Hope ® All rights reserved.