dennisl Posted December 20, 2013 Author ID:766576 Share Posted December 20, 2013 Yes it's there now Malwarebytes Anti-Malware 1.75.0.1300www.malwarebytes.orgDatabase version: v2013.12.19.07Windows 7 Service Pack 1 x86 NTFSInternet Explorer 11.0.9600.16476NB01 [administrator]19/12/2013 20:51:45MBAM-log-2013-12-20 (08-39-18).txtScan type: Quick scanScan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 240535Time elapsed: 11 minute(s), 29 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 1C:\Windows\System32\YAeEGhx.exe (Trojan.Agent.ZB) -> No action taken.(end) URLhttps://www.virustotal.com/en/file/1ad78156646ad730b7cd9667dcc955868229919df28a94d6c57557a0a82adafa/analysis/1387536298/ Link to post Share on other sites More sharing options...
MrCharlie Posted December 20, 2013 ID:766612 Share Posted December 20, 2013 OK..... Download aswMBR to your desktop. http://public.avast.com/~gmerek/aswMBR.exe Double click the aswMBR.exe to run it. If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes". Click the "Scan" button to start scan. On completion of the scan click "Save log", save it to your desktop and post in your next reply. NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it. MrC Link to post Share on other sites More sharing options...
dennisl Posted December 20, 2013 Author ID:766652 Share Posted December 20, 2013 Log file attachedaswMBR1.txt Link to post Share on other sites More sharing options...
MrCharlie Posted December 20, 2013 ID:766656 Share Posted December 20, 2013 Run Norton Power Eraser, just be careful of what it deletes! http://security.symantec.com/nbrt/npe.aspx <---Norton Power Eraser MrC Link to post Share on other sites More sharing options...
dennisl Posted December 20, 2013 Author ID:766934 Share Posted December 20, 2013 Only thing it's found is replicationmanager.exeI think this is used with a contact management program to replicate data to & from a server at work,so didn't remove. No sign of the trojan though. Link to post Share on other sites More sharing options...
MrCharlie Posted December 20, 2013 ID:766963 Share Posted December 20, 2013 Run another scan with FRST, make sure the addition.txt box is checked, attach the 2 logs. MrC Link to post Share on other sites More sharing options...
dennisl Posted December 22, 2013 Author ID:767831 Share Posted December 22, 2013 Log files attachedAddition1a.txtFRST1a.txt Link to post Share on other sites More sharing options...
MrCharlie Posted December 22, 2013 ID:767941 Share Posted December 22, 2013 If you don't use this toolbar, please uninstall it: http://www.systemlookup.com/CLSID/64579-Toolbar_dll.htmlAddThis Toolbar (Version: 1.514)Toolbar: HKLM - AddThis Toolbar - {B43176CC-4D9E-493B-A636-D9CBFE39C6DA} - C:\Program Files\AddThis Toolbar\Toolbar.dll ()------------------------------Download the attached fixlist.txt to the same folder as FRST.Run FRST.exe and click Fix only once and waitThe tool will create a log (Fixlog.txt) in the folder, please post it to your reply.Then......Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.Make sure that everything is checked, and click Remove Selected.Please let me know how computer is running now, MrC Link to post Share on other sites More sharing options...
dennisl Posted December 24, 2013 Author ID:768584 Share Posted December 24, 2013 Sorry but it'll be after Christmas before I can reply on thisI'd be grateful if you could keep the topic open.ThanksDennis Link to post Share on other sites More sharing options...
MrCharlie Posted December 28, 2013 ID:770085 Share Posted December 28, 2013 How are we doing???? MrC Link to post Share on other sites More sharing options...
dennisl Posted December 29, 2013 Author ID:770331 Share Posted December 29, 2013 I'm helping a friend on this, but have been out of contact over the Xmas period.Hope to continue soonThanks Link to post Share on other sites More sharing options...
MrCharlie Posted December 29, 2013 ID:770365 Share Posted December 29, 2013 Well the fix will no longer work due to the time pasted. Everytime the computer is rebooted, new files and tasks are created. The fix has to be done in real time when we are both on line. MrC Link to post Share on other sites More sharing options...
dennisl Posted January 1, 2014 Author ID:771467 Share Posted January 1, 2014 If convenient, could you please post a new fix file on Friday please?Many thanks Link to post Share on other sites More sharing options...
MrCharlie Posted January 1, 2014 ID:771507 Share Posted January 1, 2014 I would need a new scan with FRST and make sure the Addition.txt box is checked. Run the scan and post the logs when you're online and don't reboot the computer!!! MrC Link to post Share on other sites More sharing options...
dennisl Posted January 3, 2014 Author ID:772931 Share Posted January 3, 2014 Log files attachedAdditionJan3.txtFRSTjan3.txt Link to post Share on other sites More sharing options...
MrCharlie Posted January 3, 2014 ID:772970 Share Posted January 3, 2014 Download the attached fixlist.txt to the same folder as FRST. Run FRST.exe and click Fix only once and wait The tool will create a log (Fixlog.txt) in the folder, please post it to your reply. Then...... Update and run a FULL Scan with Malwarebytes. Let me know...MrC Link to post Share on other sites More sharing options...
dennisl Posted January 4, 2014 Author ID:773512 Share Posted January 4, 2014 Sorry I'm having difficulty getting replies from the person who has the infected computer, due the the extended holiday period here in the UK.I'll be online again all day through next week, when I'm back at work, & will be able keep contact with him & run through the procedures ,without all these delays.Thanks for your patience.Dennis Link to post Share on other sites More sharing options...
dennisl Posted January 6, 2014 Author ID:774265 Share Posted January 6, 2014 New log files attached & computer is ready for next scan. FRSTJAN6.txtAdditionJAN6.txt Link to post Share on other sites More sharing options...
MrCharlie Posted January 6, 2014 ID:774273 Share Posted January 6, 2014 Use this fixlist.txt: https://forums.malwarebytes.org/index.php?showtopic=138160&p=772970 Download the attached fixlist.txt to the same folder as FRST. Run FRST.exe and click Fix only once and wait The tool will create a log (Fixlog.txt) in the folder, please post it to your reply. Then...... Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal. Please Update and run a FULL Scan with Malwarebytes Anti-Malware, post the report. Make sure that everything is checked, and click Remove Selected. Please let me know how computer is running now, MrC Link to post Share on other sites More sharing options...
dennisl Posted January 6, 2014 Author ID:774317 Share Posted January 6, 2014 Look's like we're still in troubleI ran another MWB quick scan afterwards & it's still there Log files attached MBAM-log-2014-01-06 (15-28-32)a.txtmbam-log-2014-01-06 (13-35-33).txtFixlog.txt Link to post Share on other sites More sharing options...
MrCharlie Posted January 6, 2014 ID:774449 Share Posted January 6, 2014 Run another scan with FRST and make sure the addition box is checked. MrC Link to post Share on other sites More sharing options...
dennisl Posted January 7, 2014 Author ID:775008 Share Posted January 7, 2014 Log files attachedAdditionjan7.txtFRSTjan7.txt Link to post Share on other sites More sharing options...
MrCharlie Posted January 7, 2014 ID:775107 Share Posted January 7, 2014 I noticed that you xxx out the user name in these two lines:C:\Users\xxx\Convert.exeC:\Users\xxx\AppData\Local\Temp\Quarantine.exeDownload the attached fixlist.txt, open it up and edit it to enter the correct user name (save the changes) or the fix won't work!---------------------------Download the attached fixlist.txt to the same folder as FRST.Run FRST.exe and click Fix only once and waitThe tool will create a log (Fixlog.txt) in the folder, please post it to your reply.Then......Update and run MBLet me know...MrC Link to post Share on other sites More sharing options...
dennisl Posted January 9, 2014 Author ID:775649 Share Posted January 9, 2014 Log files atachedWasn't sure if you wanted MWB to delete or just run the scan?Fixlog9Jan.txtMBAM-log-2014-01-09 (09-27-23).txt Link to post Share on other sites More sharing options...
MrCharlie Posted January 9, 2014 ID:775707 Share Posted January 9, 2014 C:\Windows\System32\EFCjNIE.exe (Trojan.Agent.ZB) -> No action taken. Delete it and then re-scan to see if it comes up clean. MrC Link to post Share on other sites More sharing options...
Recommended Posts