Advice for removing trojan & fake antispyware please


Hi. I'm a long-time SCADA technician and experienced PC user. I've never had any major problems with infections, but am trying to help out a friend who has some infections on his laptop.

The symptoms were:

General slowness, redirected websites, spyware and virus checkers failing to start or update, etc.

I have made a start at this, and would appreciate some guidance.

AVGfree found no infections.

After restarting in safe mode and running the AVG command-line scanner, it found several registry entries and infected files, "Trojan Horse Downloader.ZLOB.AJWU" and "Fake_Antispyware.BMB". It removed them. I can post the log if it helps.

I restarted the PC and ran AVGfree again, and it found more infected files of the same names, but was unable to move them all to the virus vault. The files it was unable to move included explorer.exe and some of the AVG files. Again, I can post the log if it helps.

I am reluctant to plug the laptop into my router, as I understand that some of these infections can attempt to alter firewall settings in the router etc.

I tried to install Malwarebytes in safe mode, but nothing happened. After searching the internet and this forum I renamed the installer, and it ran. I also had to rename MBam.exe to renamed.exe to get the app to run. I found the sticky on this forum about offline updating, and have updated the definitions from my PC.

Malwarebytes is now scanning and has so far found 2 infections.

I am currently downloading the latest build of miniPE. What tools on here should I run?

I have not been able to find any information specific to Downloader.ZLOB.AJWU or Fake_antispyware.BMB. Any advice on removing these and reversing any damage caused would be great. I can always rebuild the laptop from scratch, but want to use this as a learning exercise.

Regards, Allen

The Malwarebytes scan has just completed.

It found 3 infections.

The memory module was

\\?\globalroot\systemroot\system32\uacijubcbmp.dll (Trojan.TDSS) -> Delete on restart

The files were

\\?\globalroot\systemroot\system32\uacijubcbmp.dll (Trojan.TDSS) -> Quarantine

c:\windows\system32\uacinit.dll (Trojan Agent) -> Delete on restart

I restarted into safe mode, and MBam.exe still won't start unless renamed, and it finds some of the same infections (it hasn't finished yet, so it may be the same 3).

Will restarting in safe mode complete the removal, or do I need to restart back into a normal Windows startup to remove the infection?

Also, Malwarebytes made no mention of finding Fake_antispyware.bmb, the other infection that AVG Free reported but was unable to move or fix. Do I need to use something else to find and remove this?

Regards, Allen.
