
Trojan.Win32.Generic!BT removal - Need help please



Hi,

First off, thanks for any help. I'm at a loss as to what to do, as I'm not a techie... but more so than my sister, but that's not saying much. :-)

My sister has a Trojan.Win32.Generic!BT on her computer.

She has Vipre anti-virus on her computer, which was installed from her realtor office. I ran a scan using that and the virus was put in quarantine. I removed the infections from the computer.

The thing is, no matter how many times I remove it, it pops back up the next day or whenever, and she calls me back.

I then ran Malwarebytes and several threats popped up and again I removed. Spybot caught 1 low risk threat but I removed that also.

Right when I think she is good to go and all threats removed via the anti-virus software, she calls me back up that virus has popped up again. I again go through the whole process and remove again.

How can I permanently remove these threats? I am not by any means a computer geek or guru. I did save her logs thinking it might help, and I took screenshots of her scan results. Maybe those might help.

Any suggestions would be greatly appreciated. I've been working on her computer remotely as she lives in a different city than I do.


Logs from Spybot and Malwarebytes:

Malwarebytes Anti-Malware (Trial) 1.70.0.1100

www.malwarebytes.org

Database version: v2013.01.27.08

Windows XP Service Pack 2 x64 NTFS

Internet Explorer 9.0.8112.16421

Anne-Main :: MANAL01131001AB [administrator]

Protection: Disabled

1/27/2013 4:57:10 PM

mbam-log-2013-01-27 (16-57-10).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 322437

Time elapsed: 14 minute(s), 42 second(s)

Memory Processes Detected: 1

C:\Windows\Temp\temp42.exe (Trojan.Lameshield.ET) -> 4736 -> Delete on reboot.

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 2

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\ANNE-M~1\LOCALS~1\Temp\mswoloxpz.pif -> Delete on reboot.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SonyAgent (Trojan.Lameshield.ET) -> Data: C:\windows\Temp\temp42.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 5

C:\Users\Anne-Main\AppData\Local\Temp\tmp6594a7b5\sev198.exe (Malware.Packer.DLR1) -> Delete on reboot.

C:\Documents and Settings\Anne-Main\AppData\Local\Temp\tmp6594a7b5\sev198.exe (Malware.Packer.DLR1) -> Delete on reboot.

C:\Documents and Settings\Anne-Main\Local Settings\Temp\tmp6594a7b5\sev198.exe (Malware.Packer.DLR1) -> Delete on reboot.

C:\Users\Anne-Main\Local Settings\Temp\tmp6594a7b5\sev198.exe (Malware.Packer.DLR1) -> Delete on reboot.

C:\Windows\Temp\temp42.exe (Trojan.Lameshield.ET) -> Delete on reboot.

(end)

Spybot log:

Search results from Spybot - Search & Destroy

1/27/2013 6:03:27 PM

Scan took 00:31:38.

80 items found.

Macromedia.FlashPlayer.Cookies: [sBI $6AA61750] Text file (File, nothing done)

C:\Users\Anne-Main\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\UKK5783B\cfiles.5min.com\Storage5minCookie.sol

Properties.size=0

Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Macromedia.FlashPlayer.Cookies: [sBI $6AA61750] Text file (File, nothing done)

C:\Users\Anne-Main\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\UKK5783B\s.ytimg.com\videostats.sol

Properties.size=0

Properties.md5=D41D8CD98F00B204E9800998ECF8427E

CasaleMedia: [sBI $8E73A7FB] Tracking cookie (Internet Explorer (User): Anne-Main) (Browser: Cookie, nothing done)

MediaPlex: [sBI $8E73A7FB] Tracking cookie (Internet Explorer (User): Anne-Main) (Browser: Cookie, nothing done)

MediaPlex: [sBI $8E73A7FB] Tracking cookie (Internet Explorer (User): Anne-Main) (Browser: Cookie, nothing done)

Right Media: [sBI $8E73A7FB] Tracking cookie (Internet Explorer (User): Anne-Main) (Browser: Cookie, nothing done)

FastClick: [sBI $8E73A7FB] Tracking cookie (Internet Explorer (User): Anne-Main) (Browser: Cookie, nothing done)

BurstMedia: [sBI $8E73A7FB] Tracking cookie (Internet Explorer (User): Anne-Main) (Browser: Cookie, nothing done)

DoubleClick: [sBI $8E73A7FB] Tracking cookie (Internet Explorer (User): Anne-Main) (Browser: Cookie, nothing done)

Zedo: [sBI $8E73A7FB] Tracking cookie (Internet Explorer (User): Anne-Main) (Browser: Cookie, nothing done)

MediaPlex: [sBI $8E73A7FB] Tracking cookie (Internet Explorer (User): Anne-Main) (Browser: Cookie, nothing done)

DoubleClick: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)

MediaPlex: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)

FastClick: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)

MediaPlex: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)

MediaPlex: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)

CasaleMedia: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)

CasaleMedia: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)

CasaleMedia: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)

CasaleMedia: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)

Statcounter: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)

WebTrends live: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)

BurstMedia: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)

Zedo: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)

Zedo: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)

Zedo: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)

Zedo: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)

MediaPlex: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)

DoubleClick: [sBI $8E73A7FB] Tracking cookie (Firefox: Anne-Main (default)) (Browser: Cookie, nothing done)

Log: [sBI $8E73A7FB] Install: Directx.log (File, nothing done)

C:\Windows\Directx.log

Properties.size=0

Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Log: [sBI $8E73A7FB] Install: setupact.log (File, nothing done)

C:\Windows\setupact.log

Properties.size=0

Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Log: [sBI $8E73A7FB] Install: DtcInstall.log (File, nothing done)

C:\Windows\DtcInstall.log

Properties.size=0

Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Internet Explorer: [sBI $FF589D0C] Download directory (Registry Change, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Internet Explorer\Download Directory

Internet Explorer: [sBI $0BC7B918] User agent (Registry Change, nothing done)

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [sBI $0BC7B918] User agent (Registry Change, nothing done)

HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [sBI $0BC7B918] User agent (Registry Change, nothing done)

HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [sBI $0BC7B918] User agent (Registry Change, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [sBI $0BC7B918] User agent (Registry Change, nothing done)

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

MS Management Console: [sBI $ECD50EAD] Recent command list (Registry Key, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Microsoft Management Console\Recent File List

MS Media Player: [sBI $5C51E349] Client ID (Registry Change, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\MediaPlayer\Player\Settings\Client ID

MS Direct3D: [sBI $C2A44980] Most recent application (Registry Change, nothing done)

HKEY_USERS\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS Direct3D: [sBI $C2A44980] Most recent application (Registry Change, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS Direct3D: [sBI $C2A44980] Most recent application (Registry Change, nothing done)

HKEY_USERS\S-1-5-18\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS DirectDraw: [sBI $EB49D5AF] Most recent application (Registry Change, nothing done)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name

MS DirectDraw: [sBI $EB49D5AF] Most recent application (Registry Change, nothing done)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name

MS DirectInput: [sBI $9A063C91] Most recent application (Registry Change, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\DirectInput\MostRecentApplication\Name

MS DirectInput: [sBI $7B184199] Most recent application ID (Registry Change, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\DirectInput\MostRecentApplication\Id

MS Office 11.0: [sBI $53EEAC4B] Last opened-from-web file (Registry Value, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Common\Internet\UseRWHlinkNavigation

MS Office 11.0 (Access): [sBI $7F916EA4] Recent database #1 (Registry Value, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Access\Settings\MRU1

MS Office 11.0 (Access): [sBI $806BF7B4] Recent database #2 (Registry Value, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Access\Settings\MRU2

MS Office 11.0 (Access): [sBI $63ED7D7B] Recent database #3 (Registry Value, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Access\Settings\MRU3

MS Office 11.0 (Access): [sBI $A4EFC3D5] Recent database #4 (Registry Value, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Access\Settings\MRU4

MS Office 11.0 (Access): [sBI $4769491A] Recent database #5 (Registry Value, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Access\Settings\MRU5

MS Office 11.0 (Access): [sBI $B893D00A] Recent database #6 (Registry Value, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Access\Settings\MRU6

MS Office 11.0 (Access): [sBI $5B155AC5] Recent database #7 (Registry Value, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Access\Settings\MRU7

MS Office 11.0 (Access): [sBI $EDE7AB17] Recent database #8 (Registry Value, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Access\Settings\MRU8

MS Office 11.0 (Access): [sBI $0E6121D8] Recent database #9 (Registry Value, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Access\Settings\MRU9

MS Office 11.0 (Cliparts): [sBI $D2A56AFD] Last search made (Registry Key, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Clip Organizer\Search\Last Query

MS Office 11.0 (Excel): [sBI $8DAB8D88] Recent file list (Registry Key, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Excel\Recent Files

MS Office 11.0 (Outlook): [sBI $51367364] Typed search term history (Registry Key, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Outlook\Office Finder

MS Office 11.0 (Picture Manager): [sBI $2379928F] Last selected folder (Registry Value, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\OIS\Options\LastTreeSelection

MS Office 11.0 (PowerPoint): [sBI $C10CED61] Recent file list (Registry Key, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\PowerPoint\Recent File List

MS Office 11.0 (Publisher): [sBI $52D0C0B4] Recent file list (Registry Key, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Publisher\Recent File List

MS Office 11.0 (Word): [sBI $15AC27CE] Recent file list (Registry Value, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Office\11.0\Word\Data\Settings

MS Paint: [sBI $07867C39] Recent file list (Registry Key, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List

MS Regedit: [sBI $C3B62FC1] Recent open key (Registry Change, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey

Windows.OpenWith: [sBI $48691F6C] Open with list - .ASD extension (Registry Key, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASD\OpenWithList

Windows.OpenWith: [sBI $F7204896] Open with list - .AVI extension (Registry Key, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AVI\OpenWithList

Windows.OpenWith: [sBI $A1C94E79] Open with list - .BMP extension (Registry Key, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BMP\OpenWithList

Windows.OpenWith: [sBI $F1129B32] Open with list - .CPL extension (Registry Key, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CPL\OpenWithList

Windows.OpenWith: [sBI $ECC28BDF] Open with list - .CSV extension (Registry Key, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSV\OpenWithList

Windows Explorer: [sBI $7308A845] Run history (Registry Key, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Windows Explorer: [sBI $AA0766B5] Stream history (Registry Key, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Windows Media SDK: [sBI $37AAEDE6] Computer name (Registry Change, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

Windows Media SDK: [sBI $CAA58B6E] Unique ID (Registry Change, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Windows Media\WMSDK\General\UniqueID

Windows Media SDK: [sBI $BACCD0DA] Volume serial number (Registry Value, nothing done)

HKEY_USERS\S-1-5-21-1954671074-525901946-522980543-1000\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Cookie: [sBI $49804B54] Browser: Cookie (255) (Browser: Cookie, nothing done)

Cache: [sBI $49804B54] Browser: Cache (237) (Browser: Cache, nothing done)

History: [sBI $49804B54] Browser: History (3) (Browser: History, nothing done)

Cookie: [sBI $49804B54] Browser: Cookie (769) (Browser: Cookie, nothing done)

--- Spybot - Search & Destroy version: 2.0.12.131 DLL (build: 20121113) ---

2012-11-13 blindman.exe (2.0.12.151)

2012-11-13 explorer.exe (2.0.12.173)

2012-11-13 SDBootCD.exe (2.0.12.109)

2012-11-13 SDCleaner.exe (2.0.12.110)

2012-11-13 SDDelFile.exe (2.0.12.94)

2012-11-13 SDFiles.exe (2.0.12.135)

2012-11-13 SDFileScanHelper.exe (2.0.12.1)

2012-11-13 SDFSSvc.exe (2.0.12.205)

2012-11-13 SDImmunize.exe (2.0.12.130)

2012-11-13 SDLogReport.exe (2.0.12.107)

2012-11-13 SDPESetup.exe (2.0.12.3)

2012-11-13 SDPEStart.exe (2.0.12.86)

2012-11-13 SDPhoneScan.exe (2.0.12.27)

2012-11-13 SDPRE.exe (2.0.12.13)

2012-11-13 SDPrepPos.exe (2.0.12.10)

2012-11-13 SDQuarantine.exe (2.0.12.103)

2012-11-13 SDRootAlyzer.exe (2.0.12.116)

2012-11-13 SDSBIEdit.exe (2.0.12.39)

2012-11-13 SDScan.exe (2.0.12.173)

2012-11-13 SDScript.exe (2.0.12.53)

2012-11-13 SDSettings.exe (2.0.12.130)

2012-11-13 SDShred.exe (2.0.12.105)

2012-11-13 SDSysRepair.exe (2.0.12.101)

2012-11-13 SDTools.exe (2.0.12.150)

2012-11-13 SDTray.exe (2.0.12.127)

2012-11-13 SDUpdate.exe (2.0.12.89)

2012-11-13 SDUpdSvc.exe (2.0.12.76)

2012-11-13 SDWelcome.exe (2.0.12.126)

2012-11-13 SDWSCSvc.exe (2.0.12.2)

2013-01-27 unins000.exe (51.1052.0.0)

1999-12-02 xcacls.exe

2012-08-23 borlndmm.dll (10.0.2288.42451)

2012-09-05 DelZip190.dll (1.9.0.107)

2012-09-10 libeay32.dll (1.0.0.4)

2012-09-10 libssl32.dll (1.0.0.4)

2012-11-13 SDAdvancedCheckLibrary.dll (2.0.12.98)

2012-11-13 SDECon32.dll (2.0.12.113)

2012-11-13 SDECon64.dll (2.0.12.113)

2012-11-13 SDEvents.dll (2.0.12.2)

2012-11-13 SDFileScanLibrary.dll (2.0.12.9)

2012-11-13 SDHelper.dll (2.0.12.88)

2012-11-13 SDImmunizeLibrary.dll (2.0.12.2)

2012-11-13 SDLists.dll (2.0.12.4)

2012-11-13 SDResources.dll (2.0.12.7)

2012-11-13 SDScanLibrary.dll (2.0.12.131)

2012-11-13 SDTasks.dll (2.0.12.15)

2012-11-13 SDWinLogon.dll (2.0.12.0)

2012-08-23 sqlite3.dll

2012-09-10 ssleay32.dll (1.0.0.4)

2012-11-13 Tools.dll (2.0.12.36)

2012-11-13 UninsSrv.dll (2.0.12.52)

2012-11-14 Includes\Adware.sbi (*)

2012-11-14 Includes\AdwareC.sbi (*)

2010-08-13 Includes\Cookies.sbi (*)

2012-11-14 Includes\Dialer.sbi (*)

2012-11-14 Includes\DialerC.sbi (*)

2012-11-14 Includes\HeavyDuty.sbi (*)

2012-11-14 Includes\Hijackers.sbi (*)

2012-11-14 Includes\HijackersC.sbi (*)

2012-11-14 Includes\iPhone.sbi (*)

2012-11-14 Includes\Keyloggers.sbi (*)

2012-11-14 Includes\KeyloggersC.sbi (*)

2012-11-14 Includes\Malware.sbi (*)

2012-11-14 Includes\MalwareC.sbi (*)

2012-11-14 Includes\PUPS.sbi (*)

2012-11-14 Includes\PUPSC.sbi (*)

2012-11-14 Includes\Security.sbi (*)

2012-11-14 Includes\SecurityC.sbi (*)

2008-06-03 Includes\Spybots.sbi (*)

2008-06-03 Includes\SpybotsC.sbi (*)

2012-11-14 Includes\Spyware.sbi (*)

2012-11-14 Includes\SpywareC.sbi (*)

2011-06-07 Includes\Tracks.sbi (*)

2005-02-17 Includes\Tracks.uti (*)

2012-11-14 Includes\Trojans.sbi (*)

2012-11-14 Includes\TrojansC-02.sbi (*)

2012-11-14 Includes\TrojansC-03.sbi (*)

2012-11-14 Includes\TrojansC-04.sbi (*)

2012-11-14 Includes\TrojansC-05.sbi (*)

2012-11-14 Includes\TrojansC.sbi (*)

I also went in and deleted all temp files.

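The reason the infection keeps coming back is visible in the Malwarebytes log posted above: two autostart registry values (the Run key entry named SonyAgent and the Windows "Load" value) point at executables kept in Temp directories, and most of the items are marked "Delete on reboot", which means Malwarebytes could not remove them while they were in use and scheduled the removal for the next restart. The following Python script is an added example for readers of this thread, not code from the original post or from Malwarebytes: it parses the detection lines of the 1.x log format (the sample lines are copied verbatim from the log above) and reports autostart entries, payloads under Temp, and items whose removal is still pending a reboot. The function names, the `\temp\` path heuristic and the list of autostart markers are this example's own assumptions.

```python
"""Triage helper for a Malwarebytes Anti-Malware 1.x scan log.

Added example (not Malwarebytes code): parses the detection lines of the
log format shown in the thread and reports the findings that explain a
re-appearing infection: autostart registry values, payloads kept under
Temp directories, and items whose removal is still waiting for a reboot.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the detection lines copied from the mbam log posted
# above, kept verbatim so the parser is exercised against the real format.
SAMPLE_LOG_LINES = [
    r"Memory Processes Detected: 1",
    r"C:\Windows\Temp\temp42.exe (Trojan.Lameshield.ET) -> 4736 -> Delete on reboot.",
    r"Memory Modules Detected: 0",
    r"(No malicious items detected)",
    r"Registry Values Detected: 2",
    r"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\ANNE-M~1\LOCALS~1\Temp\mswoloxpz.pif -> Delete on reboot.",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SonyAgent (Trojan.Lameshield.ET) -> Data: C:\windows\Temp\temp42.exe -> Quarantined and deleted successfully.",
    r"Files Detected: 5",
    r"C:\Users\Anne-Main\AppData\Local\Temp\tmp6594a7b5\sev198.exe (Malware.Packer.DLR1) -> Delete on reboot.",
    r"C:\Windows\Temp\temp42.exe (Trojan.Lameshield.ET) -> Delete on reboot.",
    r"(end)",
]

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
DETECTION_RE = re.compile(r"^(?P<target>.+?) \((?P<threat>[\w.\-]+)\) -> (?P<rest>.+)$")

# Autostart locations as they appear in mbam's 'key|value' notation
# (lower-cased substrings; a heuristic chosen for this example).
AUTOSTART_MARKERS = {
    "\\currentversion\\run|": "Run key",
    "\\currentversion\\windows|load": "Windows 'Load' value",
}


@dataclass
class Detection:
    section: str                 # log section, e.g. "Registry Values"
    target: str                  # file path, or registry key|value
    threat: str                  # detection name, e.g. Trojan.Lameshield.ET
    action: str                  # what mbam did, without the trailing period
    data: Optional[str] = None   # registry value data (the launched path)
    pid: Optional[int] = None    # process id for memory detections


def parse_mbam_log(lines: List[str]) -> List[Detection]:
    """Return one Detection per 'target (Threat) -> ... -> action.' line."""
    detections: List[Detection] = []
    section = "Unknown"
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("section")
            continue
        det = DETECTION_RE.match(line)
        if not det:
            continue  # headers, "(No malicious items detected)", "(end)"
        parts = det.group("rest").split(" -> ")
        action = parts[-1].rstrip(".")
        data: Optional[str] = None
        pid: Optional[int] = None
        for part in parts[:-1]:
            if part.startswith("Data: "):
                data = part[len("Data: "):]
            elif part.isdigit():
                pid = int(part)
        detections.append(Detection(section, det.group("target"),
                                    det.group("threat"), action, data, pid))
    return detections


def autostart_kind(target: str) -> Optional[str]:
    """Name the autostart mechanism a registry target belongs to, if any."""
    lowered = target.lower()
    for marker, kind in AUTOSTART_MARKERS.items():
        if marker in lowered:
            return kind
    return None


def is_temp_path(path: str) -> bool:
    """True when the path sits under a Temp directory (example heuristic)."""
    return "\\temp\\" in path.lower()


def triage(detections: List[Detection]) -> dict:
    """Group detections by what they reveal about persistence."""
    report = {"autostart": [], "temp_payloads": [], "pending_reboot": []}
    seen_paths = set()
    for d in detections:
        kind = autostart_kind(d.target)
        if kind:
            value_name = d.target.split("|")[-1]
            report["autostart"].append((kind, value_name, d.data))
        # For registry entries the interesting path is the value data.
        payload = d.data if d.data else d.target
        if is_temp_path(payload) and payload.lower() not in seen_paths:
            seen_paths.add(payload.lower())
            report["temp_payloads"].append(payload)
        if d.action.lower() == "delete on reboot":
            report["pending_reboot"].append(d.target)
    return report


if __name__ == "__main__":
    result = triage(parse_mbam_log(SAMPLE_LOG_LINES))
    for kind, name, data in result["autostart"]:
        print(f"autostart via {kind} '{name}' launches {data}")
    for path in result["temp_payloads"]:
        print(f"payload in Temp: {path}")
    print(f"{len(result['pending_reboot'])} item(s) only go away after a reboot")
```

Run against the posted log, the script reports the two autostart values, three distinct payloads under Temp (temp42.exe, mswoloxpz.pif and sev198.exe) and four items still pending a reboot; a scan that is not followed by a restart leaves those files in place, which is one plain reason a detection can reappear the next day.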

:welcome: I am TheDarkKnight and will be assisting you. Please ask questions if anything is unclear. :)

Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix (CF).

Please go here to see a list of programs that need to be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**

**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

Please include the C:\ComboFix.txt in your next reply for further review.


Thanks so much for the response. I appreciate it.

I will have to wait until tonight when my sister gets home from work to do this by remotely logging into her computer.

One thing that concerns me though is the Recovery Console. She doesn't have any recovery CDs, and what if there isn't recovery preinstalled on her computer? Plus, since I can't log in unless she is booted up, she can't do this type of thing herself. She is really very 'not-techy' AT ALL.

I don't want to mess up her computer, as this is her laptop and her desktop just died not too long ago and she really relies on this laptop. Do you feel she'll be OK running this program? If so, I'll go ahead with it and hope for the best.

Thanks again.


Hi Dark Knight!

I just logged onto her computer and scanned with Vipre and Malwarebytes.

Vipre, her anti-virus software, resulted in a low risk cookie and I deleted that.

Malwarebytes resulted in PUM.UserWLoad :angry: category is Registry Value.

So looks like we'll need to do as you say. We are both tired tonight but she gets off work tomorrow (Tuesday) at 6:30pm, so we'll work on it then. We'll be running the combofix. It's just hard doing it remotely but thanks so much for your help and patience.

The Trojan.Win32.Generic!BT trojan didn't show back up in Malwarebytes. Could that mean it's gone and now she just has the other?


I don't see any way to edit a post or else I'd just edit the one above.

Anyway, since I didn't get a chance to run the scan tonight, hopefully the combofix download will be back up on the bleepingcomputer.com site tomorrow and I'll try again. I was going to download it from another site.....perhaps CNet or softpedia, but I saw somewhere that it was recommended to only trust the bleepingcomputer site so I didn't. Should I?

Since I was on her computer anyway, I went ahead and ran scans again with Malwarebytes and Vipre. Malwarebytes again showed Backdoor.Bot and PUM.UserWLoad trojans. I then ran Vipre and it came back clean, but only after I deleted the files from Malwarebytes. I'm sure they'll pop back on when logging back into the computer.

I told her to stay off of it until we clean up these trojans.

Thanks for your continued help. Let me know how to proceed now.


Hey diddlydudette,

ComboFix has been compromised so please do not download any copies for the interim.

Please read all these directions before proceeding.

When you have the .ISO file downloaded, you need to create a bootable disk or flash drive with it, using a clean PC to do that. The .ISO file is a disk image. It should NOT be burned as a regular file. You need a program like ImgBurn that can burn an .ISO image. I think a CD is best as there is no way anything can write on it after it is made, but the USB may be more convenient and easier.

Be sure to read these:

Download Kaspersky Rescue Disk 10

How to record Kaspersky Rescue Disk 10 to an USB device and boot my computer from it?

How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?

  • Please go to a clean computer
  • Download the .iso image file.
  • Create a CD (or flash drive if you prefer).
  • On the infected computer: put the disk in the drive and reboot.

Follow the directions here, but you will find some differences.

Familiarise yourself with How to create a report file in Kaspersky Rescue Disk 10?

Then, please print the following directions:

Boot from Kaspersky Rescue Disk 10:

Restart your computer and put the disk in the drive while booting.

Press any key. A loading wizard will start (you will see the menu to select the required language). If you do not press any key in 10 seconds, the computer boots from hard drive automatically.

Select the required interface language using the arrow-keys on your keyboard.

Press the Enter key on the keyboard.

In the start up wizard window that opens, select the Kaspersky Rescue Disk. Graphic Mode

Click Enter.

Click 'A' to accept the agreement.

Select operating system from dropdown menu (select Windows whatever).

Select Objects to scan: check Disk boot sectors, Hidden startup objects, C:

Click My Update Center and update.

Back to other tab and click Start Object Scan.

When scan has completed save a report:

On the upper part of the Kaspersky Rescue Disk window, click on the Report link.

On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button.

On the upper right hand corner of the Detailed report window, click on the Save button.

After clicking Detailed Report and 'SAVE', a browse window opens.

Double-click on the \

Click 'disks'.

All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt.

Click on the Save button.

The report has been saved to the file.

Remove the disk from the drive (or disconnect USB) and reboot normally.


Hi Dark Knight.

Sorry I had to go away a couple of days and didn't respond.

I see where Combofix is back up. Can I use that instead of the above? Combofix just sounds easier. The other sounds awfully complicated....remember I'm helping my sister remotely and neither of us are techy, so the easier the steps the better. Thanks again!! :)


Hello diddlydudette,

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :thumbup:

IMPORTANT: Please enable Automatic Updates under Start > Control Panel > Automatic Updates to ensure your Windows updates regularly. This is extremely important in ensuring you remain protected against vulnerabilities and infections. This is a crucial security measure.

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Please consider installing and running the following program (there is a free version available):

SpywareBlaster

A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster, can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you may be able to find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and Add-ons, like Adblock Plus and NoScript, can make it even more secure. To avoid dangerous sites Web of Trust or McAfee SiteAdvisor can be installed. Google Chrome or Opera are other good options.

Two useful programs for keeping your programs up-to-date are FileHippo or Secunia PSI. Running one of these regularly will help you obtain the latest program updates.

Please also read Tony Klein's excellent article: How did I get infected in the first place.

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

