
Vista operating system.

One of the users (User A) on the computer has the trojan ExeShell.Gen, and she is not able to run anything, e.g. log in to Mozilla; Skype gives strange messages, etc.

Went to a different user (User B) on the same computer, which is not affected by the trojan, and ran Malwarebytes, which generated the following log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6696

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.19048

5/27/2011 11:53:30 PM
mbam-log-2011-05-27 (23-53-30).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 461958
Time elapsed: 3 hour(s), 44 minute(s), 20 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
c:\Users\Gail\AppData\Local\san.exe (Trojan.ExeShell.Gen) -> 6408 -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Gail\AppData\Local\san.exe (Trojan.ExeShell.Gen) -> Delete on reboot.

Rebooted, and many applications do not work for User A. What should we do?


Greetings and welcome :)

Please download and run shell.reg and reboot, then see if the issue is now corrected or not. If it is not, then you may need to also run the file from User A's user account and then reboot again.

If that did not correct the issue then please do the following:

Read and follow the directions here, skipping any steps you are unable to complete. Then create a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

Please note that it may take 48 hours or more for you to receive a response in the malware removal forum, as it is often busy at times. Please do not reply to your own post asking for help unless it's been more than 48 hours since you originally posted, as this can make it appear as though you are being helped and take longer for you to get help.

If you are unable to do all or any of the steps in the link to the directions above, just post your problem into the forum I gave you a link to anyway and someone will be able to assist you.

If you prefer to be assisted via email you may contact support@malwarebytes.org and one of our support staff members will assist you directly.

If you are a reseller, affiliate, technician, corporate, business, educational, government or non-profit customer then please contact corporate-support@malwarebytes.org and include full contact details along with your Reference # when you do to ensure that you receive prompt assistance.

Thank you :)


Tried to run shell.reg and got the following message:

"Cannot import XC:\users\business be there\downloads\shell.reg: Not all data successfully written to the registry. Some keys are open by the system or other processes."



Ran it on the infected User A and rebooted. Programs like Skype will not run, returning this message: "C;\program file\skype\phone\skype.exe. Application not found." Skype will run on other users.

If I try to run iTunes, I get the following: "Choose the program to open this file." -- And it shows Internet Explorer as the only option. If I run Internet Explorer at that point, I expect iTunes will come up, but I have not done that yet, as we have never gotten that message before the trojan arrived.

Thanks for any help.

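An added check, written for this thread and not code from the original posts or from Malwarebytes (it is not shell.reg). It rests on an assumption the posts do not state: that this kind of trojan works by rewriting the exefile\shell\open\command association so that every .exe is launched through the malware binary, which is what would produce the "Application not found" and "Choose the program to open this file" errors above once san.exe was deleted, and what a registry file like shell.reg would repair. Because Windows builds HKEY_CLASSES_ROOT by letting the per-user HKCU\Software\Classes override HKLM\Software\Classes, a fix applied while logged in as User B can leave User A's hive untouched, which matches the advice to run the file again from User A's account. The sample values below are constructed; the hijacked value reuses the san.exe path from the scan log only as an illustration.

```python
"""Classify the .exe file association and read it from both registry hives.

Constructed example for the thread above; not Malwarebytes' shell.reg.
Assumption: an ExeShell-style hijack replaces the default launcher value
'"%1" %*' under exefile\shell\open\command with a wrapper that runs the
malware first. Deleting the wrapper then breaks every .exe launch.
"""
import re

try:
    import winreg  # Windows only; the pure-Python checks below run anywhere
except ImportError:
    winreg = None

# Windows' stock value for HKCR\exefile\shell\open\command.
DEFAULT_EXE_COMMAND = '"%1" %*'

# Where the association lives, most specific (per-user) first.
ASSOCIATION_PATHS = [
    ("HKCU", r"Software\Classes\exefile\shell\open\command"),
    ("HKLM", r"Software\Classes\exefile\shell\open\command"),
]


def normalize_command(value):
    """Collapse whitespace so cosmetic differences do not trigger a false alarm."""
    return re.sub(r"\s+", " ", (value or "")).strip()


def classify_exe_command(value):
    """Return "default", "missing" (no value, Windows prompts for a program)
    or "hijacked" (another program wraps every executable launch)."""
    cmd = normalize_command(value)
    if not cmd:
        return "missing"
    if cmd == DEFAULT_EXE_COMMAND:
        return "default"
    return "hijacked"


def hijacker_path(value):
    """If the command wraps '"%1" %*' in another .exe, return that program's path."""
    cmd = normalize_command(value)
    m = re.match(r'^"?(?P<exe>[^"]+?\.exe)"?\s+"%1"\s+%\*$', cmd, re.IGNORECASE)
    return m.group("exe") if m else None


def effective_association(values):
    """values: {"HKCU": str|None, "HKLM": str|None}.
    Mirrors HKCR merging: a per-user value, when present, wins over HKLM.
    Returns (hive_that_applies, classification)."""
    if values.get("HKCU"):
        return "HKCU", classify_exe_command(values["HKCU"])
    return "HKLM", classify_exe_command(values.get("HKLM"))


def read_live_values():
    """Read the real default values on a Windows host; returns {} elsewhere.
    Note: a hijack can also redirect the .exe extension to a different ProgID;
    that variant is not covered by this key alone."""
    if winreg is None:
        return {}
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    found = {}
    for name, subkey in ASSOCIATION_PATHS:
        try:
            with winreg.OpenKey(hives[name], subkey) as key:
                found[name] = winreg.QueryValueEx(key, "")[0]  # "" = (Default) value
        except OSError:
            found[name] = None
    return found


if __name__ == "__main__":
    # Constructed sample: machine-wide value intact, User A's hive still hijacked.
    sample = {
        "HKLM": '"%1" %*',
        "HKCU": r'"C:\Users\Gail\AppData\Local\san.exe" "%1" %*',
    }
    for hive, value in sample.items():
        print(hive, classify_exe_command(value), hijacker_path(value))
    print("effective:", effective_association(sample))
    live = read_live_values()
    if live:
        print("this host:", effective_association(live))
```

Run it from each affected account: a "hijacked" or "missing" result from the HKCU entry explains why one user is broken while another on the same machine is fine, and the path returned by hijacker_path tells you which binary the scanner should be looking at.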

If I run iTunes, it goes into a loop and never opens the application - it asks if it's OK to run, then just keeps going back to "choose a program, etc." and then to "run" and then back again. Other programs like Skype and OverDrive will not open at all.

Have redone the full scan with Malwarebytes Anti-Malware and it is not showing any problems this time. The 1st full scan did show "Files Infected:

c:\Users\Gail\AppData\Local\san.exe (Trojan.ExeShell.Gen) -> Delete on reboot."

Have looked at other responses and one recommended running ComboFix. Should I try that, or what else? Thanks for the help.


Yeah, it sounds like the infections have done other things that are still messing with the system. Don't run ComboFix without expert supervision, it is not designed to be used that way and might render the system unbootable if you don't know what you're doing. Instead, please follow the instructions I posted here to get help in our Malware Removal forum or seek help via email from support@malwarebytes.org. They'll help you to get your system cleaned up and the issues corrected :).
