Jump to content

Cant get rid of a Trojan

zux85

By zux85
in Resolved Malware Removal Logs

 Share

Recommended Posts

zux85

zux85

Posted
Posted

Hello,

Im new here...hope i am doing this correctly.

Every time i run Malwarebytes it finds 1 infection and has me reboot. I reboot and it finds the same infection. See below...

I did have a few infections that it succesfuly removed in previous scans.

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.03.16.02

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

David :: DAVID-PC [administrator]

3/17/2012 8:46:25 PM

mbam-log-2012-03-17 (20-46-25).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 213250

Time elapsed: 7 minute(s), 59 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|65372 (Trojan.Agent) -> Data: C:\PROGRA~3\LOCALS~1\Temp\msaaudbfm.exe -> Delete on reboot.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Thank you for your help

DDS.txt

Attach.txt

Link to post
Share on other sites
Elise

Elise

Posted
Posted

Hello and :welcome:

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

Link to post
Share on other sites
Elise

Elise

Posted
Posted

Click Start > All programs > Accessories, right click Command Prompt and select "run as administrator".

Type chkdsk /r and press enter.

When asked to schedule the disk check for next reboot, type Y and press enter.

Restart your computer and let the disk check run unhindered. Note, this may take a long time, depending a bit on disk size.

When done, verify if mbam still detects the items.

Link to post
Share on other sites
zux85

zux85

Posted
  • Author
Posted

Click Start > All programs > Accessories, right click Command Prompt and select "run as administrator".

Type chkdsk /r and press enter.

When asked to schedule the disk check for next reboot, type Y and press enter.

Restart your computer and let the disk check run unhindered. Note, this may take a long time, depending a bit on disk size.

When done, verify if mbam still detects the items.

Elise- Thank you again for all your help here.

I ran the disk check. Took quite a while. Rebooted and the ran malwarebytes.

It still found the same 1 item!

Link to post
Share on other sites
Elise

Elise

Posted
Posted

In that case lets do some more digging. :)

OTL

-----

Please download OTL from one of the following mirrors:

[*]Save it to your desktop.

[*]Double click on the otlicon.png icon on your desktop.

[*]Click the "Scan All Users" checkbox.

[*]Push the runscan.png button.

[*]Two reports will open, copy and paste them in a reply here:

  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

Link to post
Share on other sites
zux85

zux85

Posted
  • Author
Posted

In that case lets do some more digging. :)

OTL

-----

Please download OTL from one of the following mirrors:


  • [*]Save it to your desktop.

    [*]Double click on the otlicon.png icon on your desktop.

    [*]Click the "Scan All Users" checkbox.

    [*]Push the runscan.png button.

    [*]Two reports will open, copy and paste them in a reply here:

    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Attached.

not sure if its related but Microsoft security essentials just found and suspensed: Trojan:Win32/Delf.LQ

OTL.Txt

Extras.Txt

Link to post
Share on other sites
Elise

Elise

Posted
Posted

Hi again,

OTL FIX

------------

We need to run an OTL Fix

  1. Please reopen otlicon.png on your desktop.
  2. Copy and Paste the following code into the customscanfix.png textbox.
    :otl
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 65372 = C:\PROGRA~3\LOCALS~1\Temp\msaaudbfm.exe

    :commands
    [emptytemp]


  3. Push runfix.png
    After a reboot, please rerun MBAM and see if this item is still detected.
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click the OK button.
  6. A report will open. Copy and Paste that report in your next reply.

Link to post
Share on other sites
Elise

Elise

Posted
Posted

I really am not sure why it was so hard to remove, I suspect it may have been recreated from the temp folder or from its own running file (mbam detected the run value in the registry, but not also the file).

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:

  • Download the latest version of Adobe Reader Version X. and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older version of Adobe Reader: Go to Add/remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, the please see this tutorial:How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

Your Adobe Reader is now up to date!

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

  • Download the latest version of Java Runtime Environment (JRE) Version 7u3.
  • Look for "JDK 7u3 (JDK or JRE).
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Select "Windows x86 Offline" and click on jre-7-windows-i586.exe

    [*]Save it to your desktop

    [*]Close any programs you may have running - especially your web browser.

    [*]Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).

    [*]Reboot your computer once all Java components are removed.

    [*]Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on this link to open ESET OnlineScan in a new window.
  2. Click the esetonlinebtn.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    2. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    3. Double click on the esetsmartinstaller_enu.png
      icon on your desktop.

    4. Check "YES, I accept the Terms of Use."
    5. Click the Start button.
    6. Accept any security warnings from your browser.
    7. Under scan settings, check "Scan Archives" and "Remove found threats"
    8. Click Advanced settings and select the following:
      • Scan potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology

[*]ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

[*]When the scan completes, click List Threats

[*]Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

[*]Click the Back button.

[*]Click the Finish button.

Link to post
Share on other sites
Elise

Elise

Posted
Posted

These were only some remnants, which means you're good to go. :)

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.

Please read these advices, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.

[*]Keep Windows (and your other Microsoft software) up to date!

I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

[*]Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.

[*]Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

Link to post
Share on other sites
  • 1 month later...
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.