
help with stubborn virus



Hi there MrC. It appears that the virus is back. I'm getting the same symptoms as when I started (i.e. something's allowing or writing Trojan horse (gen.2) into the system). Would it be productive to try from the start again? I did not try PayPal yet, because I'm still worried about logging on to sensitive sites.

 

MrB

 


I had 637 Trojan horse detections today, and this was the exact symptom that caused me to contact you, although there were fewer detections when we started. I'm just thinking that maybe something happened during the clean, or there's some evidence of what's still going on in the system (maybe if I run RogueKiller and such it will show up again?). I unplug from the internet (manually shut off the wireless) and the notifications keep coming. Is that what you were asking me?


Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

MrC


RogueKiller V8.7.4 [Oct 16 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : mbelchik [Admin rights]
Mode : Scan -- Date : 10/16/2013 14:39:32
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1  localhost
192.168.164.23 domsat
192.168.164.23 domsat.yuroktribe.nsn.us
192.168.164.126 ytep-sql
192.168.164.126 ytep-sql.yuroktribe.nsn.us
192.168.168.12 fiscalsql
192.168.168.1 ytmain
192.168.168.1 ytmain.yuroktribe.nsn.us
192.168.168.12 fiscalsql.yuroktribe.nsn.us
192.168.168.4 www.myspace.com
192.168.168.4 myspace.com
127.0.0.1  ad.a8.net
127.0.0.1  asy.a8ww.net
127.0.0.1  www.abcsearcher.com #[spamdexing][Microsoft.Strider]
127.0.0.1  www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1  adserver.adbunker.com
127.0.0.1  phpadsnew.abac.com
127.0.0.1  a.abnad.net
127.0.0.1  b.abnad.net
127.0.0.1  c.abnad.net #[iE-SpyAd]
[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ SCSI) (Standard disk drives) - TOSHIBA MK2561GSYFN +++++
--- User ---
[MBR] f151f49702d3728140a62fbf3881ba92
[bSP] 6bce99382969da86bc939937211cb209 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 750 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1617920 | Size: 237684 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_10162013_143932.txt >>

 

 
