Trojan File.Fill Detected

[MHP]

Malwarebytes detected a trojan file.fill .tmp file on my desktop.

 

I have done the following:

1. Rebooted into safe mode after detection.

2. Removed trojan via Malwarebytes while in Safe Mode.

4. Scanned again via Malwarebytes, nothing found, BUT there were (2) .tmp files on desktop that i deleted permanently.

5. Rebooted into safe mode with network access.

6. Downloaded Farbar Recovery Scan Tool and ran scan.

 

Attached are:

1. Malwarebytes log file (named: MalwareBytes-Trojan File.Fill.txt) from initial detection.

2. Farbar scan results: FRST.txt and Addition.txt

 

Thank you for your assistance.  Please let me know of any additional steps I need to take to ensure complete removal and if you see anything else suspicious.

MHP

 

MalwareBytes-Trojan File.Fill.txt

FRST.txt

Addition.txt

[MHP]

after cleaning with MalwareBytes in SafeMode, i rebooted.

 

5 .tmp files on desktop now.

[TwinHeadedEagle]

Hello,

    

 

They call me TwinHeadedEagle around here, and I'll try to help your with your issue.

 

     

    

Before we start please read and note the following:

• We're primarily oriented on malware removal here, so you must know that some issues just cannot be solved and you must be prepared for this. Some tools we use here will remove your browser search history, so backup your important links and all the files whose loss is unacceptable.
• Note that we may live in totally different time zones, what may cause some delays between answers.
• Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
• Do not paste the logs in your posts, attachments make my work easier. There is a More reply options button, that gives you Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
• Always execute my instructions in given order. If for some reason you cannot completely follow one instruction, inform me about that.
• If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

I can't foresee everything, so if anything not covered in my instructions happens, please stop and inform me!

There are no silly questions. Never be afraid to ask if in doubt!

 

 

 

  Rules and policies

 

We won't support any piracy.

That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!

The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

 

Failure to follow these guidelines will result with closing your topic and withdrawning any assistance.

 

 

---

Scan with Malwarebytes' Anti-Malware

Please re-run Malwarebytes' Anti-Malware.

• First of all, select update.
• Once updated, click the Settings tab, in the left panel choose Detection & Protection and tick Scan for rootkits.
• In the same tab, under PUP and PUM detections make sure it is set to Treat detections as malware
• Click the Scan tab, choose Threat Scan is checked and click Scan Now.
• If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
• Upon completion of the scan (or after the reboot), click the History tab.
• Click Application Logs and double-click the newest Scan Log.
• At the bottom click Export and choose Text file.

Save the file to your desktop and upload your next reply.

[MHP]

Thanks for your quick response, TwinHeadedEagle. Running now.

[MHP]

Here is the mbam. looks like it didn't detect anything this time.

 

mbam.txt

[TwinHeadedEagle]

Good. Let's use FRST again:

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

• Right-click on icon and select Run as Administrator to start the tool.

  (XP users click run after receipt of Windows Security Warning - Open File).

• Make sure that Addition option is checked.
• Press Scan button and wait.
• The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.

[MHP]

ok. here they are.

FRST.txt

Addition.txt

[TwinHeadedEagle]

PC seems clean, how is it behaving now?

[MHP]

Seems good.

Thank you so much for your time. Even with no results coming up it is comforting to have another set of eyes look at things. You never can tell how some of these things hang around if you are not fighting them on a daily basis. 

 

Also, I wasn't aware that MalwareBytes does not perform as well in SAFEMODE. Someone dropped me a message from the forum to let me know. I'll keep that in mind for the future as well as your other recommendations for safe computing.

 

Keep up the good fight! I'll visit your donation page

[MHP]

oops. i guess i spoke too soon!!! the dang thing is back!

Just ran MB as a daily check and bam, trojan.filefill came back as a .tmp file on the desktop.

 

i will attach the mb report and the 2 farbar reports.

 

i ran MB, it identified Trojan File.Fill and removed it. I have the report from that action. It then required a reboot, so i ran FARBAR after the reboot.

Addition.txt

FRST.txt

mbam-trojan filefill.txt

[TwinHeadedEagle]

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on icon and select Run as Administrator to start the tool.

  (XP users click run after receipt of Windows Security Warning - Open File).

• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

fixlist.txt

[MHP]

thanks.

 

it ran and said it created the log but then also wanted a reboot. i let it reboot. here is the fixlog

 

Fixlog.txt

[MHP]

the .tmp file that was on the desktop has now turned into 3 .tmp files. i uploaded on that was 383kb to www.virustotal.com and got the following info:

 

2 sources out of many found the tmp file to be bad:

 

Comodo: Heur.Corrupt.PE

TheHacker: w32/Behav-Heuristic-CorruptFile-EP

 

 

 

[TwinHeadedEagle]

Do they appear randomly, or when you do something?

[MHP]

i am trying to determine that. it appears randomly at this point but i will be paying more attention.

[MHP]

Thanbks againfor your help. so far there has been no return. i did end up running adwcleaner and tdsskiller last night just to see what turned up but i think it may be clean.

 

is there one report that is better than another to determine if it is completely clean?

[TwinHeadedEagle]

We checked with FRST several times and I in the last one, I didn't see signs of infection.

[MHP]

ok, great. Its looking good. 

Think i'll buy you a beer!

[MHP]

Problem with the donation page. I enter all of my info, for United States which is selected but it is still requiring a COUNTY, which does not apply to United States. it wont go through without a county.

[TwinHeadedEagle]

Don't know what is going on, I receive donations normally.

[MHP]

must be a paypal issue. i had all of the correct info in and this is the error i got. as i said, there is no proper selection for county and leaving blank yields this error.

[TwinHeadedEagle]

I really don't know what is going on, but thank you for your efforts anyway. Don't bother if you're unable to figure it out.

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!