
Persistent/Returning trojans and whatnot.



I'm still getting the certstore.dat trojan when I run MBAM. Here's a log from the recent run, which includes most recent updates:

Malwarebytes' Anti-Malware 1.41

Database version: 2925

Windows 6.0.6002 Service Pack 2

10/8/2009 9:08:21 AM

mbam-log-2009-10-08 (09-08-21).txt

Scan type: Quick Scan

Objects scanned: 94016

Time elapsed: 3 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.


  • Staff

I'm not that sure that file is malicious, though. However, as I said before, I've seen this file a lot when Virut was present, since it stored Virut-related site data in there. I really hope this is not the case, because the fact that online scanners no longer detect anything doesn't mean Virut isn't present. After all, this one is still not very well detected, and new variants are created every day.

Also, I see a lot of folders and files modified within a short period of time, so this may also show the presence of a file infector.

Go to this page.

Enter the url of this thread in the first field.

Where it says, browse to the file that you want to submit, click the browse button next to it and browse to next file:

C:\Windows\System32\certstore.dat

Select it and click ok:

Then click the Send File button below.

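The two indicators the staff reply relies on, a suspect file that keeps coming back after quarantine and a burst of modified files that could point to a file infector, can be checked on the machine rather than by eyeballing Explorer. The following is an added example written for this thread, not code from Malwarebytes or from the forum; the path, file names and timestamps it uses are constructed inside a temporary directory so that it runs offline, and `certstore.dat` is only the name from this thread, not a claim about what the real file contains.

```python
"""Triage helper for a returning suspect file and for clusters of recently
modified executables. Added example for this thread; constructed sample data."""
import hashlib
import os
import shutil
import tempfile
import time

# Extensions a file infector typically touches; assumption for this example.
EXE_SUFFIXES = (".exe", ".dll", ".scr", ".sys", ".ocx")


def sha256_of(path):
    """Hash the file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class SuspectFile:
    """Track one path across repeated checks and classify each observation.

    Statuses: absent, present (first time seen), unchanged, modified,
    reappeared-same (back after being gone, identical content) and
    reappeared-new (back after being gone, different content). A file that
    keeps returning with a new hash is being regenerated by something still
    running, which is the situation described in the thread."""

    def __init__(self, path):
        self.path = path
        self.previous = None   # digest at the last check, None if it was absent
        self.digests = []      # every distinct digest ever observed, in order

    def check(self):
        if not os.path.isfile(self.path):
            self.previous = None
            return "absent"
        digest = sha256_of(self.path)
        first = not self.digests
        known = digest in self.digests
        if not known:
            self.digests.append(digest)
        if first:
            status = "present"
        elif self.previous is None:
            status = "reappeared-same" if known else "reappeared-new"
        elif digest == self.previous:
            status = "unchanged"
        else:
            status = "modified"
        self.previous = digest
        return status


def recent_modifications(root, window_seconds, now=None):
    """Return (path, mtime) for every file under root modified within the window."""
    now = time.time() if now is None else now
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.stat(p)
            except OSError:
                continue  # unreadable or vanished between listing and stat
            if now - st.st_mtime <= window_seconds:
                hits.append((p, st.st_mtime))
    return hits


def executable_cluster(hits, max_spread_seconds=60, min_files=5):
    """File-infector heuristic: at least min_files executables whose mtimes fall
    within max_spread_seconds of each other. Returns the first such cluster."""
    exes = sorted((m, p) for p, m in hits if p.lower().endswith(EXE_SUFFIXES))
    for i in range(len(exes)):
        j = i
        while j + 1 < len(exes) and exes[j + 1][0] - exes[i][0] <= max_spread_seconds:
            j += 1
        if j - i + 1 >= min_files:
            return [p for _, p in exes[i:j + 1]]
    return []


def demo():
    """Constructed scenario in a throwaway directory: quarantine-and-recreate
    cycle of a suspect file, plus six executables touched within seconds."""
    root = tempfile.mkdtemp(prefix="triage_")
    suspect = os.path.join(root, "certstore.dat")  # name from the thread only
    watch = SuspectFile(suspect)
    statuses = [watch.check()]                       # absent
    with open(suspect, "wb") as f:
        f.write(b"first version")
    statuses.append(watch.check())                   # present
    statuses.append(watch.check())                   # unchanged
    os.remove(suspect)                               # simulated quarantine
    statuses.append(watch.check())                   # absent
    with open(suspect, "wb") as f:
        f.write(b"second version")
    statuses.append(watch.check())                   # reappeared-new
    base = time.time() - 3600
    for i in range(6):
        p = os.path.join(root, "tool%d.exe" % i)
        open(p, "wb").close()
        os.utime(p, (base + i, base + i))            # mtimes one second apart
    cluster = executable_cluster(recent_modifications(root, 7200))
    shutil.rmtree(root)
    return statuses, sorted(os.path.basename(p) for p in cluster)


if __name__ == "__main__":
    print(demo())
```

On a real box you would point `SuspectFile` at `C:\Windows\System32\certstore.dat` and run `check()` after each MBAM quarantine; a `reappeared-new` result is the signal that something is still writing it, and the digest list gives you what to submit alongside the file. The cluster heuristic carries the caveat the poster raised: a user copying files to an external drive also produces tight clusters of mtimes, so restrict it to executable extensions under system directories and treat a hit as a reason to look closer, not as a verdict.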

Currently not seeing a certstore.dat file. Will play around for a couple hours and see if it shows up again.

The files and folders activity is probably due to me. I'm organizing a ton of files and off loading them to an external drive in case I need to wipe and reinstall.


Ok, back to it! Ran MBAM today and found a new certstore.dat file. I have uploaded it to the link you indicated a couple posts up. Here is the MBAM log from today's run:

Malwarebytes' Anti-Malware 1.41

Database version: 2925

Windows 6.0.6002 Service Pack 2

10/9/2009 2:47:23 PM

mbam-log-2009-10-09 (14-47-23).txt

Scan type: Quick Scan

Objects scanned: 94471

Time elapsed: 4 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.

I'm still getting those windows pop up dialogs about services being shut down. I also get a pop up dialog with no body AT ALL, just the title bar. That's kinda weird.


  • Staff

Hi,

Thanks for the file.

To be honest, as you said before:

The files and folders activity is probably due to me. I'm organizing a ton of files and off loading them to an external drive in case I need to wipe and reinstall.
Since your system was so severely infected, and probably still is, because it really smells like a file infector is present here (certstore.dat gets recreated all the time and in most cases comes with Virut, as you can see here), I suggest that the best way is a format and reinstall. As you also state, you're getting many errors and services are shutting down, so damage has been done as well.

You have your backups already anyway, so imho a format and reinstall is the fastest and especially the safest solution.

If I were dealing with the malware you are dealing with, I wouldn't even bother to clean this up manually, but would perform a format and reinstall instead, as this is the only guarantee that you can trust your PC again afterwards and that everything will work properly again as well. After all, malware damages a lot, especially the "family" you are dealing with.

Also, keep in mind to change ALL your passwords afterwards since they may be known.


Cool deal. I will go ahead with the reformat and reinstall. Thanks again for all of the assistance. Without your help, I would not have gotten my system stable enough to back up all of my personal data, which I have managed to do successfully.

So thanks a million, and I will see you around! Consider this case closed :lol:


  • Staff

Glad I could help. :lol:

Please read my Prevention page, with lots of info and tips on how to prevent this in the future.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

oooh, and don't forget to change your passwords afterwards :lol:

This topic is now closed to further replies.