
Can't get rid of trojan and back door bot


Recommended Posts

Please can someone help. I am having so much trouble trying to get rid of these. I did 3 scans which kept coming up with trojan and back door bot. I tried to delete them each time and restarted the PC. I also found something coming up about a rootkit hidden in files. I lost my module, I think it was due to a big update from AVG. I went through the procedure of removing, cleaning and reinstalling Malwarebytes but it made no difference.

On the logs it either said removed and deleted or no action taken.

I really am worried as I am not a computer buff and don't know how to do things on here, although I usually manage (I am not a young thing lol).

Is there any way someone can take over my PC by remote and solve this for me? I am so worried. Or can anyone tell me where to get in touch to get it done please.

Thank you, Lottie.

mbam_log_2010_07_26__22_00_09_.txt



  • Root Admin

Both the logs you posted show that you did not tell MBAM to remove the infection. Please try to do the following step by step.

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right click and choose Run as Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware:
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log.


Thank you for your reply. I did click on Remove Selected each time and restarted my PC each time, but they were still there.

Nothing came up on the scan this morning, so maybe it has cleared itself. I shall shortly scan again and see what happens.

Regards, Lottie


Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4353

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

27/07/2010 12:11:01

mbam-log-2010-07-27 (12-11-01).txt

Scan type: Quick scan

Objects scanned: 149614

Time elapsed: 11 minute(s), 36 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\rundll.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\rundll32.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

Here is the latest log. This is what I have been getting after clicking Remove Selected. But then when I do another scan later the 2 items are back, no matter how many times I click Remove Selected. Also there is nothing in my quarantine box.


Tearing my hair out now and going round in circles.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4356

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

27/07/2010 13:18:46

mbam-log-2010-07-27 (13-18-46).txt

Scan type: Quick scan

Objects scanned: 149274

Time elapsed: 9 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\rundll.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\rundll32.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

Just done another scan and the same 2 items have been found again.


Here we go, just scanned again 1 hr later, still there.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4357

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

27/07/2010 14:47:42

mbam-log-2010-07-27 (14-47-42).txt

Scan type: Quick scan

Objects scanned: 149696

Time elapsed: 13 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\rundll.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\rundll32.exe (Backdoor.Bot) -> Quarantined and deleted successfully.


  • Root Admin

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------


OMG, I am really scared to do this in case I mess up and crash. On my own here, I have no one to guide me (such a 71-year-old thicko lol).

Can you advise where I can get my PC taken over by remote to do it for me please, as long as they are reputable.

Lottie


  • Root Admin

I know it looks daunting Lottie, but really thousands of people come by here that have no real computer skill and are able to do this.

Print out the web page for reference, then go slowly step by step and you'll be able to do it.

First disable your Anti-Virus using the link provided. If you tell me your Anti-Virus I can post here how to disable it.

Then download Combofix and run it. In most cases it will fix it all automatically for you.

I'm sorry but I don't know of any specific site that I could recommend do it for you remotely. I know that Microsoft does offer it but it's not cheap either.


Big thank you to Ron for all his help and patience :lol: Microsoft and AVG did a remote session on my PC and removed the file.

After removal my Control Panel features would not work, so the file was put back and it is still showing the 2 bugs.

AVG did both HijackThis and a ComboFix and then had to replace the file because of the Control Panel failure.

AVG then sent the HijackThis file to their virus dept for analysing. I did a scan this morning and the same 2 infections were showing.

I have just received mail back from AVG saying that after analysing there are no infections and the file is part of Microsoft Works.

Could this be a false positive that is coming up on the scan?

If so, how can I get rid of it please?

Nothing comes up on the AVG scan at all, just the Malwarebytes one.

Lottie


  • Root Admin

rundll.exe is a Windows system process belonging to Windows 95, 98 and ME and should typically not be on, or needed by, Windows XP.

rundll32.exe is a legit file, but it does not belong in the folder where it's located. If your Control Panel or other issues arise from removing this file, then I have to assume that someone or something moved it from C:\WINDOWS\SYSTEM32 into the C:\WINDOWS folder.

Please do the following.

Click on START - RUN and type in the following and hit OK

CMD /K DIR C:\WINDOWS\rundll32.exe /S

You should see something similar as shown below.

Directory of C:\WINDOWS\system32

04/14/2008 05:00 AM 33,280 rundll32.exe

1 File(s) 33,280 bytes

Directory of C:\WINDOWS\system32\dllcache

04/14/2008 05:00 AM 33,280 rundll32.exe

1 File(s) 33,280 bytes

Total Files Listed:

2 File(s) 66,560 bytes

0 Dir(s) 11,164,819,456 bytes free

If you only see the file in C:\WINDOWS\rundll32.exe then let me know.

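The check above, as an added example in Python (this is not the helper's command and not anything from the thread): it does the same recursive search as `DIR C:\WINDOWS\rundll32.exe /S`, then hashes every copy it finds and compares it with the copy in the expected folder, so that a displaced but genuine file (which would explain why the Control Panel broke when the file was removed) can be told apart from a replaced or patched one. The list of expected folders, the status labels, and the sample directory layout built by `build_sample_tree` are assumptions made for this example only. Run it against a real Windows folder by passing the path as the first argument.

```python
"""Find every copy of a Windows system binary under a root and flag copies outside the
folders where it belongs, comparing each stray copy's SHA-256 with the genuine one.

Added example; the expected-folder table and the sample tree are assumptions."""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# Where each binary is allowed to live, relative to the Windows folder (assumed for XP):
# rundll32.exe in system32 and the file-protection cache; rundll.exe nowhere, since the
# thread's helper states it is a Windows 95/98/ME file.
EXPECTED = {
    "rundll32.exe": {Path("system32"), Path("system32") / "dllcache"},
    "rundll.exe": set(),
}


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to be read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_copies(windows_root, name):
    """Recursive equivalent of DIR <root>\\<name> /S: every file called `name` under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(windows_root):
        for fname in files:
            if fname.lower() == name.lower():
                hits.append(Path(dirpath) / fname)
    return sorted(hits)


def audit(windows_root, expected=EXPECTED):
    """Return (path, status) for every copy found outside its expected folders."""
    root = Path(windows_root)
    findings = []
    for name, allowed in expected.items():
        copies = find_copies(root, name)
        # Reference hash: the first copy that sits in an allowed folder.
        reference = None
        for copy in copies:
            if copy.parent.relative_to(root) in allowed:
                reference = sha256_of(copy)
                break
        for copy in copies:
            if copy.parent.relative_to(root) in allowed:
                continue
            if not allowed:
                status = "NOT_EXPECTED"            # file has no legitimate home on this OS
            elif reference is None:
                status = "NO_GENUINE_COPY"         # nothing in system32 to compare against
            elif sha256_of(copy) == reference:
                status = "IDENTICAL_TO_GENUINE"    # displaced original, not a replacement
            else:
                status = "DIFFERS_FROM_GENUINE"    # same name, different bytes: hostile
            findings.append((str(copy), status))
    return findings


def build_sample_tree(base, stray_identical=False):
    """Constructed sample layout (not real files): genuine rundll32.exe in system32 and
    dllcache, a copy dropped in the root, and a stray rundll.exe."""
    base = Path(base)
    (base / "system32" / "dllcache").mkdir(parents=True, exist_ok=True)
    genuine = b"MZ" + bytes(range(256))  # stand-in for the real 33,280-byte binary
    (base / "system32" / "rundll32.exe").write_bytes(genuine)
    (base / "system32" / "dllcache" / "rundll32.exe").write_bytes(genuine)
    stray = genuine if stray_identical else genuine + b"\x90\x90"  # patched copy by default
    (base / "rundll32.exe").write_bytes(stray)
    (base / "rundll.exe").write_bytes(b"MZ")  # 9x-era file with no place on XP
    return base


def demo(stray_identical=False):
    """Run the audit over the constructed tree in a temporary folder; paths are reported
    relative to the root so the result does not depend on where the temp folder lives."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp, stray_identical)
        return {str(Path(p).relative_to(root)): s for p, s in audit(root)}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS"
    for path, status in audit(target):
        print(f"{status:22} {path}")
```

A copy in C:\WINDOWS is wrong regardless of its hash, so the script reports it either way; the hash only says how to treat it. IDENTICAL_TO_GENUINE means the original was moved and the fix is to put it back in system32, which matches the Control Panel breakage described in the thread. DIFFERS_FROM_GENUINE means a different binary is wearing the system file's name and should be preserved for analysis before removal. The comparison assumes the system32 copy itself is trustworthy; on a machine where that is in doubt, compare against a hash taken from clean installation media instead.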

  • 5 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

