DDoomguy Posted November 22, 2016 ID:1073986 Share Posted November 22, 2016 Hello. I am DDoomguy. I am running Windows 7, and there is a "Trojan.Malpack.Gen" in my computer. I did a full scan, and it shows 2 files, "d:/gcvwww", "f:/cxvqf". Even when I click Remove Selected, they keep coming back. I have tried ComboFix, I have attached the log file. This virus appeared after I just got my new laptop. This virus infected my Fraps installation (f:/Fraps), and there is no way to retrieve it back. ComboFix.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted November 23, 2016 Root Admin ID:1074108 Share Posted November 23, 2016 Hello @DDoomguy and Please download the following scanner from Kaspersky and save it to your computer: TDSSkiller Then watch the following video on how to use the tool and make sure to temporarily disable your security applications before running TDSSkiller. PC Winvids - How to run Kaspersky TDSSKiller If any infection is found please make sure to choose SKIP and post back the log in case of a False Positive detection. Once the tool has completed scanning make sure to re-enable your other security applications. Link to post Share on other sites More sharing options...
DDoomguy Posted November 23, 2016 Author ID:1074152 Share Posted November 23, 2016 I ran the tool, says no infection found. Strange. There's also a folder in C:/ named Qoobox. I don't know what it is. TDSSKiller.3.1.0.12_23.11.2016_16.24.55_log.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted November 24, 2016 Root Admin ID:1074357 Share Posted November 24, 2016 That folder is from someone running Combofix and not knowing how to uninstall it properly. Let me have you run the following please. Please restart the computer first and then run the following steps and post back the logs when ready.STEP 01 Please download Junkware Removal Tool to your desktop. Shutdown your antivirus to avoid any conflicts. Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP. The tool will open and start scanning your system. Please be patient as this can take a while to complete. On completion, a log (JRT.txt) is saved to your desktop and will automatically open. Post the contents of JRT.txt into your next reply message When completed make sure to re-enable your antivirus STEP 02 Fix with AdwCleaner Please download AdwCleaner by Xplode and save the file to your Desktop. Right-click on icon and select Run as Administrator to start the tool. Accept the Terms of use. Wait until the database is updated. Click Scan. When finished, please click Clean. Your PC should reboot now. After reboot, logfile will be opened. Copy its content into your next reply. Note: Reports will be saved in your system partition, usually at C:\Adwcleaner STEP 03 Download Sophos Free Virus Removal Tool and save it to your desktop. Double click the icon and select Run Click Next Select I accept the terms in this license agreement, then click Next twice Click Install Click Finish to launch the program Once the virus database has been updated click Start Scanning If any threats are found click Details, then View Log file (bottom left-hand corner) Copy and paste the results in your reply Close the Notepad document, close the Threat Details screen, then click Start cleanup Click Exit to close the program If no threats were found, please confirm that result. STEP 04 Please download the Farbar Recovery Scan Tool and save it to your desktop.Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit Double-click to run it. When the tool opens, click Yes to disclaimer. Press the Scan button. It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply. The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a check mark here. Please attach the Additions.txt log to your reply as well. Thanks Link to post Share on other sites More sharing options...
DDoomguy Posted December 9, 2016 Author ID:1078460 Share Posted December 9, 2016 On 24/11/2016 at 6:01 AM, AdvancedSetup said: Above post Alright, I ran 3 of the programs (JRT, AdwCleaner, Farbar Recovery Scan Tool) I didn't get Sophos, mainly due to my internet being bad, so I hope you can understand. I'll download it later when I have time. I have attached the 3 logs. (Including the Additions file) There were 3 files in the AdwCleaner folder, I uploaded them all. Also, can you delete my new thread? I didn't get a notification when you replied, and created it accidentally. Addition.txt FRST.txt JRT.txt AdwCleaner[C0].txt AdwCleaner[C2].txt AdwCleaner[S0].txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted December 9, 2016 Root Admin ID:1078574 Share Posted December 9, 2016 Great, thanks. You have a very old version of Java installed. Please uninstall all versions of Java. If possible try to use the computer without Java. If you really have to have it make sure it's the latest version at all times. Please run the following fix. Please download the attached fixlist.txt file and save it to the Desktop.NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system. Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply. Note: If the tool warned you about an outdated version please download and run the updated version. fixlist.txt Link to post Share on other sites More sharing options...
DDoomguy Posted December 10, 2016 Author ID:1078786 Share Posted December 10, 2016 Alright, I installed the recommended version of Java and uninstalled the previous ones. I attached the fixlog. Also, there is one more new suspicious exe, located at F:/mxlbc.exe. Fixlog.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted December 10, 2016 Root Admin ID:1078814 Share Posted December 10, 2016 Yes, unless you know what that file is and know for sure it's safe, I would remove it. The reason it's flagged as suspicious is that no files should be in the root of parent folders like that. Otherwise, how is the computer running now? Any other signs of an infection? Link to post Share on other sites More sharing options...
DDoomguy Posted December 10, 2016 Author ID:1078906 Share Posted December 10, 2016 7 hours ago, AdvancedSetup said: Yes, unless you know what that file is and know for sure it's safe, I would remove it. The reason it's flagged as suspicious is that no files should be in the root of parent folders like that. Otherwise, how is the computer running now? Any other signs of an infection? I installed the Sophos application, detected 6 threats, only removed 2 of them. It was identified as Sality. I spent hours searching for an solution, and I found AVG Sality remover. It successfully deleted the 4 threats that were remaining, and it cleaned the infected files. Thank you so much for the help! Finally got rid of this stupid virus. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted December 11, 2016 Root Admin ID:1079129 Share Posted December 11, 2016 Good Lord. That is a file infector virus and I doubt that AVG seriously fully or properly removed it. Please download and run the Sality Killer from Kaspersky and run it. In my own testing they were the only one that was able to properly remove it. That said, there are almost certainly many damaged files that cannot be repaired as Sality will have damaged them beyond repair. This tool will be able to fix some, but not all. If you have good solid backups of your data that were not connected while the computer was infected the best thing to do is FDISK, FORMAT, and reinstall Windows. We rarely see file infector viruses anymore but below is the alert we would normally give. (not the message has not been updated for a long time) One or more of the identified infections is related to a nasty rootkit component which is difficult to remove. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums from a CLEAN COMPUTER. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, delete the partition, reformat and reinstall the Operating System. Please read: When should I re-format? How should I reinstall? Help: I Got Hacked. Now What Do I Do? Where to draw the line? When to recommend a format and reinstall? Should you decide not to follow this advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, disinfection will require more time and more advanced tools. Please let us know how you would like to proceed. Message borrowed from quietman7 with minor wording and link changes Link to post Share on other sites More sharing options...
DDoomguy Posted December 11, 2016 Author ID:1079181 Share Posted December 11, 2016 Alright, I downloaded the Kaspersky sality killer. I changed all passwords, but I have not written a password in any of my txt files. I am sure that I am safe, and I checked the localhosts/hosts file for unknown IPs. I am planning to reformat the laptop, since I want to make it 64-bit to be suitable for my gaming needs, thanks again though. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted December 12, 2016 Root Admin ID:1079392 Share Posted December 12, 2016 Okay then. Just be careful. Dangerous attack and many user think they're okay and bring it back from other sources such as USB sticks that were inserted, etc. Take care Ron Link to post Share on other sites More sharing options...
Recommended Posts