Trojan infection - Spybot & HJT won't run

Status
Not open for further replies.
Could I just clarify which program I need to download & rename to svchost.exe? Is it the exeHelper? <--Yes

This is related to the rootkit
A little further information for you that may be important. I have been keeping the laptop offline other than the times I've needed to download programs and try to post logs. However, I noticed something strange happening last night when I tried to connect to the Spybot Forum - it let me get to the Spybot Home page, but when I clicked on the 'Forums' icon it redirected me to a Google search. (I could only get to the forum via the history). I don't know whether that info is relevant but I thought I'd better let you know.
 
I'm trying to download exeHelper onto my own PC but it's been flagged as an infected file by AVG Resident Shield:
"Accessed file is infected"
"Threat name: Virus found Downloader.Banload"
"Detected on open"
...I have the option to "Move to Vault" or "Ignore"
 
I doubt the file is infected. Have you tried renaming it to explorer.exe or svchost.exe prior to the download?
 
I was trying to save it as svchost.exe when it was flagged as infected, and I've just tried saving it as explorer.exe with exactly the same result. There is also another window that appears under the virus alert that says...
"Error Copying File or Folder"
"Cannot copy exeHelper[1]: Access is denied."
"Make sure the disk is not full or write protected and that the file is not currently in use."
 
Just hang on a bit. This infection, like I said, is fairly new. I am going to ask some others to look at it.
 
OK thanks, I'll wait to hear back from you.

PS. I just want to confirm to you that the latest 'virus messages' are when I'm trying to copy the exeHelper file onto my 'clean' PC, not the infected laptop. Thanks.
 
OK, what I was trying to do was to get a clean download uninterrupted by this rootkit. Download exehelper on the infected one, change the name to svchost.exe and see if it will run.

Either way, see if you can run this program. Download it either from your computer or the infected one.

Download Dr.Web CureIt to the desktop:
  • Double-click the drweb-cureit icon to start the program.
  • Press Start.
  • Allow the program to run the initial express scan.
  • This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
    Note: A pop-up may appear during this phase suggesting you purchase their program; click the X at the top right corner of this pop-up to close it.
  • Once the short scan has finished, check the Complete scan box on the left side, even if nothing was found on the initial scan.
  • Then click the small green arrow button on the right under the Dr.Web Antivirus picture to start the complete scan. (This scan will take several hours.)
  • During this complete scan, if Dr.Web finds an infection a window will pop up requesting your attention. Select the Cure button.
    Note: If the file cannot be cured, Dr.Web will automatically delete the file.
  • Once the scan is complete, on the menu bar click File and choose Report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
    Note: this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
  • Close Dr.Web CureIt.
  • Please post the Dr.Web.txt report in your next reply.
 
It gets no better!

Tried saving the exeHelper as 'svchost.exe' on the infected laptop - the save appeared to have worked but the file is nowhere to be found.

I loaded 'Dr.Web CureIt' onto my clean PC, burned onto a DVD, copied onto the laptop and proceeded with the running. The express scan ran through OK (nothing reported) but when I launched the complete scan it said it was preparing scanning but then the window it was running in flickered then disappeared (I checked the task manager and nothing was running).
 
Hang on a bit, but I am coming to the conclusion that a format and reinstall of Windows may be your only option.

Be back later when I find some other info
 
Thanks, We're pretty much resigned to the fact we'll need to format & reinstall. However, we're also willing to hang fire for a while and let you try out anything else you may wish (in case you want to take the opportunity to get better acquainted with this nasty little bug - anything that may help the next poor victim!).
Regards, Fatdad.
 
I just talked to the author of exehelper. AVG Antivirus is preventing its download; it's a false positive.

This is what you need to do on the infected computer.

Open AVG and disable the Resident Shield. If you can't do that, then just uninstall AVG via Add/Remove Programs in the Control Panel; we will reinstall it when we're done.

Then drag exehelper, even the renamed copies, to the trash and redownload it fresh to your desktop.


Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Then do this.

Download Inherit and save it to your desktop.

Drag each of the exe files that you are unable to run into Inherit.exe (it must be the exe, not the shortcut).
Then wait for it to say "OK".

Drag exehelper into Inherit and then give exehelper.exe another try.
 
Hi Ken545,
Mixed news...
Tried to disable AVG but the processes still showed in the Task Manager as running. Then tried to uninstall via Control Panel but this failed: "Error: Action failed for file avgcsrvx.exe creating backup..."
Couldn't download exeHelper or Inherit onto laptop - usual problem, save appears to have worked but file nowhere to be found.
I have managed to get 'Inherit' onto laptop via my PC & CD (but I'm not willing to do same with exeHelper - I know you've told me the AVG reported virus is a false positive but I'm not prepared to risk losing both the laptop & the PC - I hope you can understand my position)
I've now put the following programs through Inherit (all flagged as OK):
HJT
Spybot S&D
Dr.Web CureIt
Malwarebytes
RSIT
Combofix
Would you like me to try any of these again?
 
Do this.

Open up Notepad and copy and paste the text below into it.


@echo off
REM Lists every copy of these four system DLLs found anywhere under C:\WINDOWS
REM (/s = recurse into subfolders, /a = include hidden and system files), so that
REM a copy with an unexpected size, date or location can be spotted.
dir /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >c:\LogIt.txt
REM The root of C:\ is not writable from a non-elevated prompt on Vista (UAC).
REM If "Windows cannot find 'c:\LogIt.txt'" appears, right-click the .bat and
REM choose "Run as administrator", or change both paths to a folder you can write to.
start c:\LogIt.txt


Then go to File > Save As and name it Permissions.bat.
Save it to your desktop.
In the dropdown list, save it as All Files.
Double-click on it to run.
It takes a split second; you won't see anything happen.


You should still have exehelper on your desktop, renamed or otherwise; double-click it to run.


Then run Combofix.
 
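The two checks the helper asks for in the posts above (the Inherit step for executables that "cannot be accessed", and the Permissions.bat listing of scecli.dll, netlogon.dll, eventlog.dll and cngaudit.dll) can be done in one script that also records what the plain dir listing leaves out: file version and a hash, so copies of the same DLL that disagree with each other stand out. This is an added example, not code from the thread, from exeHelper or from Inherit. It assumes Windows PowerShell 2.0 or later on the affected Vista machine; the output location on the Desktop, the hash comparison, the ACL check and the icacls command are this example's own choices, and the thread does not document what Inherit itself does internally.

```powershell
# Added example: not code from the thread, from exeHelper, or from Inherit.
# Assumes Windows PowerShell 2.0+ on the affected machine (Vista), run from an
# unelevated console. The four DLL names are the ones listed in Permissions.bat;
# the output location, the hash/size comparison and the ACL check are this
# example's own additions.

$dllNames = 'scecli.dll', 'netlogon.dll', 'eventlog.dll', 'cngaudit.dll'

# Redirecting into the root of C:\ from a non-elevated prompt fails under UAC
# on Vista, which leaves no LogIt.txt to open. The user's Desktop is writable.
$reportPath = Join-Path ([Environment]::GetFolderPath('Desktop')) 'LogIt.txt'

function Get-Md5Hex {
    param([string]$Path)
    # PowerShell 2.0 has no Get-FileHash, so use the .NET MD5 provider directly.
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($md5.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

function Get-SystemDllCopies {
    param([string[]]$Names, [string]$Root = $env:SystemRoot)
    # Same idea as "dir /a/s": every copy of each name anywhere under %SystemRoot%.
    # -Force includes hidden and system files; folders we cannot read are skipped.
    Get-ChildItem -Path $Root -Recurse -Force -Include $Names -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name     = $_.Name.ToLower()
                Path     = $_.FullName
                Size     = $_.Length
                Modified = $_.LastWriteTime
                Version  = $_.VersionInfo.FileVersion
                MD5      = Get-Md5Hex $_.FullName
            }
        }
}

function Find-MismatchedCopies {
    param($Copies)
    # A patched system DLL normally differs in size and hash from the untouched
    # copies elsewhere under Windows (winsxs, dllcache, service pack backups).
    # Report every name whose copies do not all share one hash.
    $Copies | Group-Object Name | Where-Object {
        @($_.Group | Select-Object -ExpandProperty MD5 | Sort-Object -Unique).Count -gt 1
    } | ForEach-Object { $_.Name }
}

function Test-ExecutableAcl {
    param([string]$Path)
    # "Windows cannot access the specified device, path or file" on a program
    # you own is often an ACL problem: an explicit Deny entry, or inheritance
    # from the parent folder switched off so the user has no rights at all.
    $acl  = Get-Acl -Path $Path
    $deny = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }
    New-Object PSObject -Property @{
        Path                = $Path
        InheritanceDisabled = $acl.AreAccessRulesProtected
        DenyEntries         = @($deny | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" })
    }
}

$copies = Get-SystemDllCopies -Names $dllNames
$copies | Sort-Object Name, Path |
    Format-Table Name, Size, Modified, Version, MD5, Path -AutoSize |
    Out-String -Width 300 | Set-Content -Path $reportPath

$mismatched = Find-MismatchedCopies $copies
if ($mismatched) {
    Add-Content -Path $reportPath -Value ("Copies differ for: " + ($mismatched -join ', '))
}

# Any program that refuses to start can be checked the same way, for example:
#   Test-ExecutableAcl "$env:USERPROFILE\Desktop\exeHelper.com" | Format-List
# The built-in way to put the parent folder's inherited permissions back on a
# file (the manual equivalent of dragging it into Inherit) is:
#   icacls "$env:USERPROFILE\Desktop\exeHelper.com" /reset

Invoke-Item $reportPath
```

Read the report with the mismatch line in mind rather than the signature status: on Vista Get-AuthenticodeSignature does not consult catalog files, so genuine Windows DLLs show as NotSigned there, which is why this example compares copies against each other instead. A name that appears only once, in System32, with a plausible version string, is not by itself evidence either way; a second copy in an odd folder, or two copies in system folders with different hashes, is what the dir /a/s listing was meant to surface.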
Tried the "Permissions" fix but it failed saying...
"Windows cannot find 'c:\LogIt.txt'. Make sure you typed the name correctly, and then try again."

I'm afraid I don't have a copy of exeHelper (renamed or otherwise) anywhere on the laptop as this is one of the files that won't download/save.
 
This is so frustrating.
I ran combofix, it rebooted the laptop (but it displayed three 'Access Denied' messages before shutting down), when it came back up I used the Vista 'Start Search' to look for the 'combofix.txt' file but it couldn't find it.
 
C:\ComboFix.txt <--It should be here

Make sure the infected computer has internet access, run Malwarebytes, check for updates and run the Quick Scan. When it's done, at the bottom make sure you select to remove everything that's checked, and then post the report.
 
I updated Malwarebytes (successfully) and launched the Quick Scan - it started but then the window disappeared. I tried clicking on the program icon again but it was back to the old "Windows cannot access the specified device, path or file" message.
 
We need to get exehelper back on this infected one; try downloading it again.

I understand your concern about AVG flagging exehelper as infected, but it is not infected, it's just a false positive, and it's important that we get this on the infected computer one way or the other. We have had one roadblock after another; we don't need another one. The author has confirmed that it's a false positive and I have seen other people on the forums downloading it with the AVG warning with no issues.

Before you run it, make sure you drop it into Inherit.

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Run this program also:
Dr.Web CureIt
 