Trojan and stolen.data keylog help please

[Lili]

Hi, Help would be much appreciated.

I have been reading the posts on this forum regarding the above malware but I have also realised that maybe I shouldnt try to fix myself.

I have installed Malwarebyte (free version), Spybot S&D(which has not detected them) and windows defender is up to date.

 

The same problem as the other posts, which is when I remove them they just come back immediately.

 

What do I need to do next?

 

Thanks

[Lili]

Here is the malwarebytes scan log:

 

My apologies in advance over the computer name, not my doing. Sorry.

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.17.08

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 7.0.6001.18000
cunts :: CUNTS-PC [administrator]

18/12/2013 14:17:44
MBAM-log-2013-12-18 (14-25-38).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 199445
Time elapsed: 7 minute(s), 37 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\Software\VB and VBA Program Settings\SrvID (Malware.Trace) -> No action taken.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|EssentialEngine (Trojan.Agent) -> Data: C:\Users\cunts\AppData\Local\Temp\DirectX .exe -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\cunts\AppData\Roaming\Keylog (Stolen.Data) -> No action taken.
C:\Users\cunts\AppData\Roaming\ntwrk00011.exe (Backdoor.Messa) -> No action taken.
C:\Users\cunts\AppData\Local\Temp\DirectX .exe (Trojan.Agent) -> No action taken.

(end)
 

[Maniac]

Hello Lili and ! My name is Borislav and I will be glad to help you solve your malware problem.

Please note:

• If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
• I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
• Make sure you read all of the instructions and fixes thoroughly before continuing with them.
• Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
• Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
• Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

One or more of the identified infections is related to a nasty rootkit component which is difficult to remove. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums from a CLEAN COMPUTER. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, delete the partition, reformat and reinstall the Operating System.

Please read:

• When should I re-format? How should I reinstall?
• Help: I Got Hacked. Now What Do I Do?
• Where to draw the line? When to recommend a format and reinstall?

Should you decide not to follow this advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, disinfection will require more time and more advanced tools.

Please let us know how you would like to proceed.

[Lili]

Hi, thanks for your reply. I will now change all passwords on another device and I will then reply further on another device. Obviously I need to do this asap.

[Maniac]

When you are ready to proceed further, please let me know.

[Lili]

Ok so that back door Mesa is disguised as a windows file btw.

Considering all my private passwords etc are on my laptop I have decided to wipe the computer completely and do a fresh install.

That's no problem for me.

I have one question which is: if I back up my files including the usual stuff like photos and music etc, and software, is there a chance the virus will be transferred onto my external HD too?

[Maniac]

It is okay for your picture and music, but may be a problem with your software. I strongly recommend you to check every program in www.virustotal.com to make sure they are clean. Take some preventions before you transfer your data to your clean system:

users.telenet.be/bluepatchy/miekiemoes/prevention.html

[Lili]

Ok thanks very much for your help.

[Maniac]

You're welcome!

[AdvancedSetup]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.