
mbsouthpaw1
Honorary Members
Posts: 35
Reputation: 0 Neutral
  1. OK, I'm thinking I'm on the right track now. Should have looked up the DWH temp thing!! Thank you again. I'll work with Symantec and such to clean up this last problem. Mike
  2. I have to attach the file; it was too long when I attempted to cut and paste. symantec risk log 101613.txt
  3. OK, any ideas on what could be causing the hundreds of Trojan.gen.2 to pop up in increasing numbers in the past 2 weeks? Thank you in advance, MrC.
  4. RogueKiller V8.7.4 [Oct 16 2013] by Tigzy
     mail : tigzyRK<at>gmail<dot>com
     Feedback : http://www.adlice.com/forum/
     Website : http://www.adlice.com/softwares/roguekiller/
     Blog : http://tigzyrk.blogspot.com/

     Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
     Started in : Normal mode
     User : mbelchik [Admin rights]
     Mode : Scan -- Date : 10/16/2013 14:39:32
     | ARK || FAK || MBR |

     ¤¤¤ Bad processes : 0 ¤¤¤

     ¤¤¤ Registry Entries : 4 ¤¤¤
     [HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
     [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
     [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
     [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

     ¤¤¤ Scheduled tasks : 0 ¤¤¤

     ¤¤¤ Startup Entries : 0 ¤¤¤

     ¤¤¤ Web browsers : 0 ¤¤¤

     ¤¤¤ Particular Files / Folders: ¤¤¤

     ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

     ¤¤¤ External Hives: ¤¤¤

     ¤¤¤ Infection : ¤¤¤

     ¤¤¤ HOSTS File: ¤¤¤
     --> %SystemRoot%\System32\drivers\etc\hosts

     127.0.0.1 localhost
     192.168.164.23 domsat
     192.168.164.23 domsat.yuroktribe.nsn.us
     192.168.164.126 ytep-sql
     192.168.164.126 ytep-sql.yuroktribe.nsn.us
     192.168.168.12 fiscalsql
     192.168.168.1 ytmain
     192.168.168.1 ytmain.yuroktribe.nsn.us
     192.168.168.12 fiscalsql.yuroktribe.nsn.us
     192.168.168.4 www.myspace.com
     192.168.168.4 myspace.com
     127.0.0.1 ad.a8.net
     127.0.0.1 asy.a8ww.net
     127.0.0.1 www.abcsearcher.com #[spamdexing][Microsoft.Strider]
     127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
     127.0.0.1 adserver.adbunker.com
     127.0.0.1 phpadsnew.abac.com
     127.0.0.1 a.abnad.net
     127.0.0.1 b.abnad.net
     127.0.0.1 c.abnad.net #[IE-SpyAd]
     [...]

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ SCSI) (Standard disk drives) - TOSHIBA MK2561GSYFN +++++
     --- User ---
     [MBR] f151f49702d3728140a62fbf3881ba92
     [BSP] 6bce99382969da86bc939937211cb209 : Windows 7/8 MBR Code
     Partition table:
     0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
     1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 750 Mo
     2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1617920 | Size: 237684 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!

     Finished : << RKreport[0]_S_10162013_143932.txt >>
  5. I had 637 Trojan horse detections today, and this was the exact symptom that caused me to contact you, although there were fewer detections when we started. I'm just thinking that maybe something happened during the clean, or there's some evidence of what's still going on in the system (maybe if I run RogueKiller and such it will show up again?). I unplug from the internet (manually shut off the wireless) and the notifications keep coming. Is that what you were asking me?
  6. Hi there MrC. It appears that the virus is back. I'm getting the same symptoms as when I started (i.e. something's allowing or writing Trojan horse (gen.2) into the system). Would it be productive to try from the start again? I did not try the PayPal yet, because I'm still worried about logging on to sensitive sites. MrB
  7. OK, thanks MrC. I posted some positive feedback on your profile page, and working on the paypal thing. You were a great help.
  8. Thank you so much MrC. I appreciated your straightforward and prompt help.

  9. OK, did most of it; but by "manual delete" you mean move the files and/or application and/or folders to recycle and then empty the recycling bin?
  10. Ran the security check...

      Results of screen317's Security Check version 0.99.74
      Windows 7 Service Pack 1 x64 (UAC is enabled)
      Internet Explorer 10
      ``````````````Antivirus/Firewall Check:``````````````
      Windows Firewall Enabled!
      Symantec Endpoint Protection
      WMI entry may not exist for antivirus; attempting automatic update.
      `````````Anti-malware/Other Utilities Check:`````````
      MVPS Hosts File
      Malwarebytes Anti-Malware version 1.75.0.1300
      JavaFX 2.1.1
      Java 6 Update 31
      Java 7 Update 25
      Java version out of Date!
      Adobe Reader 10.1.8 Adobe Reader out of Date!
      Mozilla Firefox 12.0 Firefox out of Date!
      Google Chrome 29.0.1547.76
      Google Chrome 30.0.1599.69
      ````````Process Check: objlist.exe by Laurent````````
      Norton ccSvcHst.exe
      `````````````````System Health check`````````````````
      Total Fragmentation on Drive C: 3%
      ````````````````````End of Log``````````````````````
  11. OK, meeting was canceled; I will run the software mentioned above and paste log in.
  12. Thank you for getting back to me. I will have to pick this up this afternoon; I have a work meeting today. Mike
  13. I cannot thank you enough, MrC. I don't have a paypal, but I'll try to get one up and running and send you something; I've been meaning to do that anyway. One final question: given the warning you sent me about the zeroaccess, should I still be nervous? Is my only absolute guarantee to wipe the system? I don't handle confidential customer data, but I do personal banking on the machine. MrB (yes, those are really my initials)
  14. Done, thanks for responding.

      RogueKiller V8.7.2 [Oct 3 2013] by Tigzy
      mail : tigzyRK<at>gmail<dot>com
      Feedback : http://www.adlice.com/forum/
      Website : http://www.adlice.com/softwares/roguekiller/
      Blog : http://tigzyrk.blogspot.com/

      Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
      Started in : Normal mode
      User : mbelchik [Admin rights]
      Mode : Scan -- Date : 10/14/2013 17:14:23
      | ARK || FAK || MBR |

      ¤¤¤ Bad processes : 0 ¤¤¤

      ¤¤¤ Registry Entries : 4 ¤¤¤
      [HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
      [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
      [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
      [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

      ¤¤¤ Scheduled tasks : 0 ¤¤¤

      ¤¤¤ Startup Entries : 0 ¤¤¤

      ¤¤¤ Web browsers : 0 ¤¤¤

      ¤¤¤ Particular Files / Folders: ¤¤¤

      ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

      ¤¤¤ External Hives: ¤¤¤

      ¤¤¤ Infection : ¤¤¤

      ¤¤¤ HOSTS File: ¤¤¤
      --> %SystemRoot%\System32\drivers\etc\hosts

      127.0.0.1 localhost
      192.168.164.23 domsat
      192.168.164.23 domsat.yuroktribe.nsn.us
      192.168.164.126 ytep-sql
      192.168.164.126 ytep-sql.yuroktribe.nsn.us
      192.168.168.12 fiscalsql
      192.168.168.1 ytmain
      192.168.168.1 ytmain.yuroktribe.nsn.us
      192.168.168.12 fiscalsql.yuroktribe.nsn.us
      192.168.168.4 www.myspace.com
      192.168.168.4 myspace.com
      127.0.0.1 ad.a8.net
      127.0.0.1 asy.a8ww.net
      127.0.0.1 www.abcsearcher.com #[spamdexing][Microsoft.Strider]
      127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
      127.0.0.1 adserver.adbunker.com
      127.0.0.1 phpadsnew.abac.com
      127.0.0.1 a.abnad.net
      127.0.0.1 b.abnad.net
      127.0.0.1 c.abnad.net #[IE-SpyAd]
      [...]

      ¤¤¤ MBR Check: ¤¤¤

      +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ SCSI) (Standard disk drives) - TOSHIBA MK2561GSYFN +++++
      --- User ---
      [MBR] f151f49702d3728140a62fbf3881ba92
      [BSP] 6bce99382969da86bc939937211cb209 : Windows 7/8 MBR Code
      Partition table:
      0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
      1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 750 Mo
      2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1617920 | Size: 237684 Mo
      User = LL1 ... OK!
      User = LL2 ... OK!

      +++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) (Standard disk drives) - Staples Relay USB Device +++++
      --- User ---
      [MBR] 2b4d681ebbcb82be2958055edccbd202
      [BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
      Partition table:
      0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 56 | Size: 7788 Mo
      User = LL1 ... OK!
      Error reading LL2 MBR!

      Finished : << RKreport[0]_S_10142013_171423.txt >>
      RKreport[0]_D_10102013_172655.txt;RKreport[0]_H_10102013_172734.txt;RKreport[0]_S_10102013_170002.txt
      RKreport[0]_S_10102013_172231.txt
  15. Not sure what you mean, because although Symantec is finding stuff, it never did locate the original ZeroAccess Trojan like you did with those other programs. Are you saying the next step is to run a Symantec scan and use one of their removal tools, and abandon RogueKiller, ComboFix, etc.? Help!! thx, MrB
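Added example (an editor's addition, not part of any post in this thread and not code from RogueKiller, Symantec or any other tool named here): a small Python triage pass over the HOSTS File section of the RogueKiller logs in posts 4 and 14. RogueKiller lists the entries but does not judge them, so the analyst has to. The sample below is constructed from entries visible in those logs plus one invented www.paypal.com line to show what a hijack looks like (203.0.113.0/24 is a documentation range, not a live host); treating .yuroktribe.nsn.us as the organisation's own zone is an assumption. The script sorts entries into localhost, blackhole (the 127.0.0.1 ad-domain lines, which the "MVPS Hosts File" line in post 10's Security Check output already accounts for), in-zone LAN names, and public domains redirected to a LAN or external address. The myspace.com -> 192.168.168.4 lines land in the redirect-lan group: on a managed workstation that is usually a deliberate block page, but it is exactly the kind of entry a hijack would add, so it should be confirmed with whoever runs that network rather than assumed benign.

```python
"""Hosts-file triage: classify each mapping and flag public names that are
redirected anywhere other than a loopback/blackhole address."""
import ipaddress
from collections import Counter, namedtuple

Entry = namedtuple("Entry", "lineno ip name kind")

# Constructed sample, modelled on the entries visible in the RogueKiller logs
# above; the www.paypal.com line is invented to show what a hijack looks like
# (203.0.113.0/24 is a documentation range, not a live host).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1 localhost
::1 localhost
192.168.164.23 domsat
192.168.164.23 domsat.yuroktribe.nsn.us
192.168.168.4 www.myspace.com
192.168.168.4 myspace.com
127.0.0.1 ad.a8.net
127.0.0.1 www.abcsearcher.com #[spamdexing][Microsoft.Strider]
0.0.0.0 asy.a8ww.net
203.0.113.9 www.paypal.com   # constructed hijack entry
"""

# Assumption: the organisation's own DNS zone, so names under it that point
# at LAN addresses are expected rather than suspicious.
INTERNAL_SUFFIXES = (".yuroktribe.nsn.us",)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(ip, name):
    """Return a kind label for one ip -> name mapping."""
    addr = ipaddress.ip_address(ip)
    lname = name.lower()
    if lname == "localhost":
        return "localhost"
    if addr.is_loopback or addr.is_unspecified:
        # 127.x / 0.0.0.0 / ::1 entries: MVPS-style ad and malware sinkholes
        return "blackhole"
    if "." not in lname or lname.endswith(INTERNAL_SUFFIXES):
        # single-label or in-zone hostnames mapped to LAN addresses
        return "internal"
    if any(addr in net for net in RFC1918):
        # public domain pointed at a LAN address: block page or local hijack
        return "redirect-lan"
    return "redirect-external"  # public domain pointed off the LAN: worst case


def parse_hosts(text):
    """Parse hosts-file text into Entry records, one per (ip, name) pair."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            entries.append(Entry(lineno, ip, None, "malformed"))
            continue
        for name in names:
            entries.append(Entry(lineno, ip, name, classify(ip, name)))
    return entries


def suspicious(entries):
    """Entries an analyst should look at: redirects of public names, or junk."""
    return [e for e in entries
            if e.kind.startswith("redirect") or e.kind == "malformed"]


def summarize(entries):
    """Count entries per kind."""
    return Counter(e.kind for e in entries)


if __name__ == "__main__":
    found = parse_hosts(SAMPLE_HOSTS)
    print(dict(summarize(found)))
    for e in suspicious(found):
        print(f"line {e.lineno}: {e.ip} -> {e.name} [{e.kind}]")
```

To run it against a real machine, read %SystemRoot%\System32\drivers\etc\hosts into parse_hosts instead of SAMPLE_HOSTS; anything in the redirect-external group should be treated as a hijack until proven otherwise, and redirect-lan entries checked against the network owner's intent.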