
Topic: Trojan horse virus(es) on our XP


Daisy357 (Topic Starter)
    Trojan horse virus(es) on our XP
    « on: December 10, 2007, 06:30:39 AM »
    Hello and thanks for providing this service. Starting on 12/3, we had multiple Norton messages popping up, scanning messages when we had no windows open, and then receiving rejection messages from wherever these invisible messages were being sent (they all seemed to go to email addresses in Europe). At one point the entire screen was filled with Norton messages! I also had a new window pop up when I tried to log into my Chase Visa account, asking me to create a new profile with questions like what is your PIN # and bank routing # etc. I knew that was wrong since I have had a Chase online account for years! These problems happened only to whichever XP user logged in first.

    We followed Norton's directions to detect the problem and it found nothing. So we uninstalled Norton and installed a new antivirus software (Trend). It also found nothing. Then we followed the steps you outlined and detected a few trojan horse viruses. The logs are attached. Please let us know if we need to do anything else.

    Thanks again.


    [saving space - attachment deleted by admin]
    If it's not one thing, it's two...

    patio (Moderator)
    Re: Trojan horse virus(es) on our XP
    « Reply #1 on: December 10, 2007, 07:58:05 AM »
    The Resident Experts will be along shortly to assist, Daisy... keep in mind a financial institution will never request ANY data via email.
    This practice is commonly known as phishing...

    evilfantasy (Malware Removal Specialist, Moderator)
    Re: Trojan horse virus(es) on our XP
    « Reply #2 on: December 10, 2007, 08:45:00 AM »
    Hello Daisy, welcome to Computer Hope.

    I am looking at the HijackThis log and seeing some entries that will require further research.

    As patio suggested, this is a phishing attempt, as you are likely well aware. What I think the best direction to take at this point would be to:

    A) DO NOT use the computer that is having the problems to enter any personal information or do any online banking until you are 100% sure it is clean.

    B) Log on to a computer that you know is NOT infected. Then log in to your banking/credit accounts and change the passwords.

    C) Contact your financial institutions and inform them your computer may have been compromised so they are aware and so you can see what they suggest as the best actions to take.

    D) Read this article from Microsoft starting at Cleaning a Compromised System

    Your best course of action may be to save any important documents, completely erase the drive and reinstall. If the computer has been compromised we can give no guarantee it will be completely cleaned.

    More links for information and resources.

    CastleCops Phishing Incident Reporting and Termination (PIRT) Squad(SM)

    http://www.antiphishing.org/

    http://www.microsoft.com/protect/yourself/phishing/identify.mspx



    Let us know if you are wanting to try to clean the computer and we will go from there.


    Daisy357 (Topic Starter)

      Re: Trojan horse virus(es) on our XP
      « Reply #3 on: December 10, 2007, 09:58:06 AM »
      We bought a new cool external hard drive and backed up right away.

      I changed all the passwords this morning from my work computer (I did this once last week but did it again just in case). I called Chase this weekend to report the problem. I do know about Phishing, but this was not in the form of an email. Instead, at the web login screen, a new screen popped up that looked just like a Chase web page, the kind you would see if you are registering a new online account. Even the URL was a duplicate of other Chase pages but the questions were really suspicious. I did NOT complete anything on that page and immediately logged off. The Chase representative told me that there was a trojan horse in the past (I can't remember how long ago) that mimicked web pages and that was likely what we had. They gave me an alternate website to use.

      Since I followed all your steps we have not seen the Chase popup screen again. I realize you can't give any guarantees but I'd sure like to avoid formatting the hard drive if at all possible. I'll read the information you sent and thanks again for all your help.

      evilfantasy (Malware Removal Specialist, Moderator)
      Re: Trojan horse virus(es) on our XP
      « Reply #4 on: December 10, 2007, 03:09:33 PM »
      When I first replied this morning, I was at home.

      Storms in the midwest have me in a hotel at the moment due to power outages over half of the city. I'm 60 miles from home. :(

      I am currently in the business center of a Holiday Inn Express using the internet connection.

      I do not have all of my links, tools, notes and such I need to do this the right way, so it may be tomorrow before I get to work on this correctly.

      Sorry, ice storms have the city in shambles...

      evilfantasy (Malware Removal Specialist, Moderator)
      Re: Trojan horse virus(es) on our XP
      « Reply #5 on: December 10, 2007, 05:34:33 PM »
      OK, I have gotten to some of my documents.

      -----

      Please download, update and run A-Squared Free

      At the main menu, click Scan Now, there will be 4 options, choose Deep Scan.

      * If malware is found, click the button Remove Selected Malware
      * If malware is found, select all found and click Quarantine selected objects
      * Click Save Report. Save the report to somewhere convenient, such as your desktop
      * Add the report as an attachment in your next post.

      -----

      Download SDFix.exe and save it to your Desktop.

      Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

      Please then reboot your computer in Safe Mode by doing the following:
      * Restart your computer
      * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
      * Instead of Windows loading as normal, the Advanced Options Menu should appear;
      * Select the first option, to run Windows in Safe Mode, then press Enter.
      * Choose your usual account.
      * Open the extracted SDFix folder and double click RunThis.bat to start the script.
      * Type Y to begin the cleanup process.
      * It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
      * Press any Key and it will restart the PC.
      * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
      * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard).
      * Finally add the contents of the Report.txt in your next post as an Attachment with a new HijackThis log

      -----

      Next post please attach
      a-squared log
      Report.txt
      New HijackThis log


      Daisy357 (Topic Starter)

        Re: Trojan horse virus(es) on our XP
        « Reply #6 on: December 11, 2007, 05:47:06 AM »
        Yes, we heard about your ice storms on the news last night. We woke up to snow this morning but just a typical winter storm for Denver.

        New logs are attached.


        [saving space - attachment deleted by admin]

        evilfantasy (Malware Removal Specialist, Moderator)
        Re: Trojan horse virus(es) on our XP
        « Reply #7 on: December 11, 2007, 09:51:34 AM »
        The power company is saying it may be up to 7 days before all power is restored. I can only wonder when mine will be back on?

        The odd thing is that the streets are not frozen at all (not even bridges). But the trees and power lines have tons of ice on them. I love Oklahoma  :-\

        -----

        I don't see any antivirus running, or the presence of a firewall.

        You do have Trend Micro Internet Security, is this a paid version, or has the subscription run out?

        If so you will need to uninstall Trend Micro in Add/Remove programs and then install another antivirus ASAP. Without updates an antivirus is just taking up space.

        We strongly advise to install these protective programs now. Both are 100% free for home use and offer superior protection.
        AVG Anti-Virus Free
        Comodo Free Firewall

        ----------

        Open HijackThis and select Do a system scan only and place a check mark next to:

        O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
        O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
        O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU) <--Only if you do not use Weatherbug from the Internet Explorer tool bar.


        Close all windows and click Fix checked

        -----------

        Please download ATF Cleaner by Atribune. ATF Cleaner.exe

        Make sure that all browser windows are closed.
        * Double-click ATF-Cleaner.exe to run the program.
        * Under Main choose: Select All and UNCHECK Cookies.
        * Click the Empty Selected button.

        If you use Firefox browser
        * Click Firefox at the top and choose: Select All and UNCHECK Cookies.
        * Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click No at the prompt.

        If you use Opera browser
        * Click Opera at the top and choose: Select All and UNCHECK Cookies.
        * Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click No at the prompt.

        Click Exit on the Main ATF Cleaner menu to close the program.

        ----------


        Please download the trial version of SpySweeper (2 week trial can be uninstalled when we are done)

        * Run the installer, choosing to only install SpySweeper
        * It will prompt you to update to the latest definitions, choose Yes (recommended) and click Next
        * Once the definitions are installed, click I accept the agreement and then Next
        * Choose Typical Installation then click Next
        * Enter your email address then click Next
        Important Uncheck the box Install the Webroot Ask toolbar Search Assistant, I agree to the terms above before clicking Next
        * Click Install.
        * Choose Yes, restart my computer now (recommended) then click Finish (the computer will restart)

        * Once restarted open SpySweeper.
        * Click the Options tab. (lower left)
        * Under Options > Sweep Tab > Sweep Type choose Full Sweep (Recommended)
        * Click the Always Apply tab and use the dropdown menu to select Always Quarantine
        * Click the Home tab and choose Start Full sweep

        * When it's done scanning, Make sure everything has a check next to it, then click the Quarantine Selected button.
        * It will quarantine all of the items found.
        * Click View Session Log in the upper right corner.
        * Click the Save To File button.
        * Click Desktop for the location.
        * Next to the Save as type: be sure it is set to Text Document (.txt) and then click Save
        * Attach the SpySweeper Session Log in your next reply.

        ----------


        Run the BitDefender Online Scanner
        Click I Agree to the license and then select Click here to scan
        DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED.
        That will make your logs huge and we don't need to see clean files.

        Once Bitdefender completes the scan:
        Click-on the Detected Problems tab.
        Then select Click here to export the scan report

        When the window comes up to save the report, change the Save as type: box to:
        Text (Tab Delimited) (*.txt), then change the File name box to bdscan and click Save

        This will save a file named bdscan.txt. I would suggest saving it to the Desktop so you can easily find it.
        (take notice of where you save it so you can find it later)

        This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

        If you do not follow these steps, you will have an incorrect log or, worse, a log summary, which is useless to us.

        Post the bdscan.txt file as an Attachment.

        ----------

        Next post please attach
        SpySweeper Session log
        bdscan.txt log
        New HijackThis log


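The three HijackThis lines evilfantasy asks to have fixed share one property: a registration (two BHO CLSIDs and an Extra button) whose backing DLL or EXE no longer exists, which HijackThis prints as "(no file)" or "(file missing)". A BHO is an in-process Internet Explorer extension with access to page content, so orphaned O2 entries are worth noticing in a thread about a bank login page that was mimicked at the genuine URL. The script below is an added example, not code from the forum post or from HijackThis: it parses O2 and O9 lines and returns the orphaned ones. The regexes are my own reading of the HijackThis line format, the sample log is constructed from the three lines quoted in the reply plus one healthy entry with an assumed path, and the helper names are hypothetical.

```python
# Added example: flag HijackThis O2 (BHO) and O9 (Extra button) entries whose
# file is missing. Not HijackThis code; regexes and sample data are constructed.
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: the three entries quoted in the post, plus one
# healthy O2 entry with an assumed path so the filter has something to keep.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\\Program Files\\AWS\\WeatherBug\\Weather.exe (file missing) (HKCU)
"""

# A COM CLSID in registry form: {8-4-4-4-12 hex}, case-insensitive.
GUID = r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + GUID + r") - (?P<path>.*)$")
O9_RE = re.compile(r"^O9 - Extra button: (?P<name>.*?) - (?P<clsid>" + GUID + r") - (?P<path>.*)$")


@dataclass
class Entry:
    kind: str      # "O2" or "O9"
    name: str      # display name HijackThis printed, e.g. "(no name)"
    clsid: str     # CLSID, normalised to upper case for comparison
    path: str      # raw path field, including any "(file missing)" marker
    missing: bool  # True when HijackThis reports no file behind the entry


def parse_hjt(text: str) -> List[Entry]:
    """Parse the O2 and O9 lines of a HijackThis log; other lines are ignored."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in (("O2", O2_RE), ("O9", O9_RE)):
            m = rx.match(line)
            if m:
                path = m.group("path")
                missing = "(no file)" in path or "(file missing)" in path
                entries.append(Entry(kind, m.group("name"), m.group("clsid").upper(), path, missing))
                break
    return entries


def orphaned(entries: List[Entry]) -> List[Entry]:
    """Entries whose DLL/EXE is gone. A registration with no file behind it
    loads nothing, so removing it is safe, which is why these are checked."""
    return [e for e in entries if e.missing]


if __name__ == "__main__":
    for e in orphaned(parse_hjt(SAMPLE_LOG)):
        print(f"{e.kind} {e.clsid} {e.name!r}: {e.path}")
```

Run it as-is and it prints the same three entries the reply tells Daisy to fix. On a live Windows machine the same CLSIDs can be cross-checked under HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects and HKCR\CLSID\{...}\InprocServer32 before removing them; that step is deliberately left out here so the example runs offline on the log text alone.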



        Daisy357 (Topic Starter)

          Re: Trojan horse virus(es) on our XP
          « Reply #8 on: December 12, 2007, 06:30:54 PM »
          Any melting ice yet? It's still cold and icy here but no more snow (at least until Friday).

          Sheesh, all the homework you keep giving me. Tackling these viruses is like a second full-time job!  ;)

          New logs are attached.


          [saving space - attachment deleted by admin]

          evilfantasy (Malware Removal Specialist, Moderator)
          Re: Trojan horse virus(es) on our XP
          « Reply #9 on: December 12, 2007, 08:11:23 PM »
          Quote from: Daisy357
          Any melting ice yet? It's still cold and icy here but no more snow (at least until Friday).

          Came home today :) Then spent the afternoon chopping apart an entire tree which had fallen in my aunt's driveway.

          Quote from: Daisy357
          Sheesh, all the homework you keep giving me. Tackling these viruses is like a second full-time job!

          Agreed, sometimes figuring out the fix is painful itself ;)


          The logs are not showing any malware. I think it was a very bad case of adware.

          We can clean up a few things now.

          Download and run the Norton Removal Tool. Norton can be a pain to get completely rid of; this will help.


          Delete SDFix.exe from the desktop and go to C:\SDFix and delete the whole folder.

          Run ATF Cleaner again and then reset System Restore to clear infected restore points and create a new clean one.

          You can uninstall SpySweeper.

          You can keep and use the other tools we installed. They are free and some of the best there is. HijackThis should be used with caution!

          • Go to Start > All Programs > Accessories > System Tools > System Restore
          • Select Create a restore point, and click Next.
          • Next, go to Start > Run and type in cleanmgr
          • Select the More options tab
          • Next to System Restore click Clean up...
          This will remove all restore points except the new one you just created.

          To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?


          If anything else comes up just let us know.

          Safe surfing..........


          Daisy357 (Topic Starter)

            Re: Trojan horse virus(es) on our XP
            « Reply #10 on: December 13, 2007, 05:53:55 AM »
            Thank you thank you. It was a lot of work but definitely worth it. I feel so much better now. My husband was ready to reformat the hard drive but I just didn't want to go there! Your service is so helpful and I appreciate your advice and assistance.

             ;D