Posts posted by avalonnyc

  1. Hi Gringo,

    After I posted, and before I got your reply, I used Process Explorer to identify two rundll32.exe processes that were loading two DLLs that were recreating the CRX file that MSE was removing, and then deleted the CRX and the two DLLs on reboot using Sysinternals' movefile.exe.

    Now I see no further problems, but have followed your instructions and here are the logs you requested. Note that all the LMI stuff referenced in RogueKiller is LogMeIn Rescue, which I am using to do this all remotely from another machine.

    Results of screen317's Security Check version 0.99.56

    Windows 7 Service Pack 1 x86 (UAC is enabled)

    Internet Explorer 8 Out of date!

    ``````````````Antivirus/Firewall Check:``````````````

    Windows Firewall Enabled!

    Microsoft Security Essentials

    Antivirus up to date!

    `````````Anti-malware/Other Utilities Check:`````````

    Malwarebytes Anti-Malware version 1.70.0.1100

    Adobe Flash Player 11.5.502.135

    Adobe Reader 9 Adobe Reader out of Date!

    ````````Process Check: objlist.exe by Laurent````````

    Microsoft Security Essentials msseces.exe

    Windows Defender MSMpEng.exe

    Microsoft Security Client Antimalware MsMpEng.exe

    Microsoft Security Client Antimalware NisSrv.exe

    `````````````````System Health check`````````````````

    Total Fragmentation on Drive C: 26% Defragment your hard drive soon! (Do NOT defrag if SSD!)

    ````````````````````End of Log``````````````````````

    # AdwCleaner v2.104 - Logfile created 01/03/2013 at 01:54:14

    # Updated 29/12/2012 by Xplode

    # Operating system : Windows 7 Professional Service Pack 1 (32 bits)

    # User : GKorba - GKORBA01

    # Boot Mode : Normal

    # Running from : C:\Users\gkorba\Desktop\adwcleaner.exe

    # Option [Delete]

    ***** [services] *****

    ***** [Files / Folders] *****

    ***** [Registry] *****

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v8.0.7601.17514

    [OK] Registry is clean.

    *************************

    AdwCleaner[s1].txt - [517 octets] - [03/01/2013 01:54:14]

    ########## EOF - C:\AdwCleaner[s1].txt - [576 octets] ##########

    RogueKiller V8.4.2 [Dec 31 2012] by Tigzy

    mail : tigzyRK<at>gmail<dot>com

    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

    Website : http://tigzy.geekstogo.com/roguekiller.php

    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version

    Started in : Normal mode

    User : GKorba [Admin rights]

    Mode : Remove -- Date : 01/03/2013 02:03:25

    ¤¤¤ Bad processes : 6 ¤¤¤

    [SUSP PATH] unattended_srv.exe -- C:\Users\gkorba\AppData\Local\LogMeIn Rescue Unattended\LMIR0001.tmp\unattended_srv.exe -> KILLED [TermProc]

    [DLL] explorer.exe -- C:\Windows\explorer.exe : C:\Users\gkorba\AppData\Local\LOGMEI~1\LMIR0001.tmp\rahook.dll -> UNLOADED

    [DLL] explorer.exe -- C:\Windows\explorer.exe : C:\Users\gkorba\AppData\Local\LOGMEI~1\LMIR0001.tmp\LMIRhook.000.dll -> UNLOADED

    [SUSP PATH] unattended.exe -- C:\Users\gkorba\AppData\Local\LogMeIn Rescue Unattended\LMIR0001.tmp\unattended.exe -> KILLED [TermProc]

    [DLL] explorer.exe -- C:\Windows\explorer.exe : C:\Users\gkorba\AppData\Local\LOGMEI~1\LMIR0001.tmp\LMIRhook.000.dll -> UNLOADED

    [DLL] explorer.exe -- C:\Windows\explorer.exe : C:\Users\gkorba\AppData\Local\LOGMEI~1\LMIR0001.tmp\LMIRhook.000.dll -> UNLOADED

    ¤¤¤ Registry Entries : 3 ¤¤¤

    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)

    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)

    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤

    --> C:\Windows\system32\drivers\etc\hosts

    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: SAMSUNG SSD PM800 TM 128 +++++

    --- User ---

    [MBR] f581396ca32fa274db6c6e51095e85b1

    [BSP] bd88243ba1753a8780c06e4eb19307c6 : Windows Vista MBR Code

    Partition table:

    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo

    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 9618 Mo

    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 19779584 | Size: 112445 Mo

    User = LL1 ... OK!

    User = LL2 ... OK!

    Finished : << RKreport[3]_D_01032013_02d0203.txt >>

    RKreport[1]_S_01022013_02d1911.txt ; RKreport[2]_S_01032013_02d0200.txt ; RKreport[3]_D_01032013_02d0203.txt

    Thanks,

    John Wilson

  2. Got "Rogue.SystemProgressiveProtection" from a fake FedEx email. Ran updated MBAM and it removed several items:

    Files Detected: 4

    C:\ProgramData\B2FCF13D1007295A0000B2FC3E4B33BC\B2FCF13D1007295A0000B2FC3E4B33BC.exe (Trojan.Lameshield.124) -> Quarantined and deleted successfully.

    C:\Users\gkorba\Desktop\System Progressive Protection.lnk (Rogue.SystemProgressiveProtection) -> Quarantined and deleted successfully.

    C:\Users\gkorba\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Progressive Protection\System Progressive Protection.lnk (Rogue.SystemProgressiveProtection) -> Quarantined and deleted successfully.

    A subsequent full MBAM scan showed all clean. Then MSE kept finding Trojan:JS/Medfos.B in %appdata%\local\-f3a8-4422-bcdb-d6c8ded53e42.crx->manager.js, and it keeps coming back after telling MSE to delete it.

    I found the process that keeps creating that CRX is "C:\Windows\System32\rundll32.exe" "C:\Users\gkorba\AppData\Roaming\dlosat.dll",Reversed_Type, but I don't know how to get rid of it.

    Attached are dds.txt and attach.txt

    Thanks!

    Attach.txt

    DDS.txt
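The persistence described in both posts (rundll32.exe repeatedly loading a DLL dropped under the user profile) is the kind of thing that can be checked without Process Explorer. The following PowerShell script is an added example, not code from the posters or from any of the tools named above; it assumes Windows PowerShell 3.0 or later with admin rights on the inspected machine, and its list of "trusted" directories is a constructed heuristic, not a rule from any product.

```powershell
# Added example: flag rundll32.exe instances whose command line or loaded modules
# point at a DLL outside the Windows and Program Files trees (e.g. %AppData%).
# Assumes Windows PowerShell 3.0+ and admin rights; trusted roots are a heuristic.

$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\")
if (${env:ProgramFiles(x86)}) { $trustedRoots += "${env:ProgramFiles(x86)}\" }

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Pull the DLL argument out of a rundll32 command line, quoted or bare form.
# Returns $null when no .dll token is present (rundll32 accepts names without the
# extension), in which case the loaded-module check below still applies.
function Get-DllFromCommandLine {
    param([string]$CommandLine)
    if ($CommandLine -match '"([^"]+\.dll)"' -or $CommandLine -match '(\S+\.dll)') {
        return $Matches[1]
    }
    return $null
}

$findings = foreach ($proc in Get-CimInstance -ClassName Win32_Process -Filter "Name='rundll32.exe'") {
    $dll = Get-DllFromCommandLine $proc.CommandLine
    if ($dll -and -not (Test-TrustedPath $dll)) {
        [pscustomobject]@{ PID = $proc.ProcessId; Reason = 'cmdline'; Module = $dll; CommandLine = $proc.CommandLine }
    }
    # Also walk loaded modules: the loader DLL may have been injected or renamed after start.
    try {
        foreach ($m in (Get-Process -Id $proc.ProcessId -ErrorAction Stop).Modules) {
            if (-not (Test-TrustedPath $m.FileName)) {
                [pscustomobject]@{ PID = $proc.ProcessId; Reason = 'module'; Module = $m.FileName; CommandLine = $proc.CommandLine }
            }
        }
    } catch {
        # Typical cause: 32/64-bit mismatch or insufficient rights to open the process.
        Write-Warning "Cannot enumerate modules of PID $($proc.ProcessId): $_"
    }
}

$findings | Sort-Object PID, Module -Unique | Format-Table -AutoSize
```

A hit with Reason 'cmdline' and a path under %AppData% is what the dlosat.dll,Reversed_Type loader in the post above would produce; legitimate third-party DLLs installed outside Program Files will also appear, so treat the output as a shortlist to verify, not a verdict.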
