MalwareBytes says it removes trojan, but still there

[shawnh]

Hi all, I got a rather persistent little trojan on my hands. I've run Malwarebytes several times and it says it will remove it on reboot, but when I do and run Malwarebytes again, it's still there (see attached screenshot).

I've noticed that possibly because of this virus, I can't do any google search on "malware" or such... my browser just won't go anywhere. And when I try to run TrendMicro Housecall, it'll crash it. Weird eh? Thanks to anyone who can help!

 

Cheers

Shawn

[Starbuck]

Hi shawnh

 

2 things for you:

 

Step 1

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1

Download Mirror #2

• Ensure all Firefox windows are closed.
  
• To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  
• When prompted to run the scan, click Yes.
  
• GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

 

Step 2

• Download OTL to your desktop.
  if you have problems, try this download link:
  OTL
  
• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  
• When the window appears, underneath Output at the top change it to Minimal Output.
  
• Check the boxes beside LOP Check and Purity Check

.

 

.

http://img.photobucket.com/albums/v708/starbuck50/new/newOtl2.png

Now copy the lines in the codebox below.


netsvcs
msconfig
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT

• right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
   
  http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
  .
  
• Click the Run Scan button.
   
  http://img.photobucket.com/albums/v708/starbuck50/runscan.png
   
  
• Do not change any settings unless otherwise told to do so. The scan wont take long.
  
• When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

 

In your next reply, please submit:

Gooredfix.txt

and both reports from OTL

 

 

Thanks.

[shawnh]

Thanks very much Starbuck, I did all the runs you suggested, but there was too much text to paste into this reply window, hence I've attached the result files instead.

 

Thanks!

Shawn

GooredFix.txt

Extras.Txt

OTL.Txt

[Starbuck]

Hi shawnh

 

there was too much text to paste into this reply window, hence I've attached the result files instead.

That's fine, no problem

Gooredfix took care of one bad extension, let's clean up a bit more then we'll get another scan done:

 

Step 1

Double click on OTL.exe to run it.

Copy the lines in the codebox below. (make sure that :Otl is on the first line )

:OTL
PRC - C:\Documents and Settings\Kathy\Local Settings\Temp\Tjl.exe ()
O4 - HKCU..\Run: [TOY5KNQ8OC] C:\Documents and Settings\Kathy\Local Settings\Temp\Tjl.exe ()
[2010/03/07 09:51:07 | 000,000,282 | -H-- | C] () -- C:\WINDOWS\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
[2010/03/08 17:39:48 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Kathy\Application Data\SystemProc
[2010/03/09 01:44:12 | 000,000,282 | -H-- | M] () -- C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

:commands
[emptytemp]
[purity]
[EMPTYFLASH]

• Return to OTL,
  
• right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
   
  http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
   
  
• Click the red Run Fix button.
   
  http://img.photobucket.com/albums/v708/starbuck50/runfixbutton.png
   
  
• OTL will reboot your system once the fix has completed.
  
• After the reboot, you may need to double click OTL to launch the program and retrieve the log.

 

Copy and paste the contents of the OTL log that comes up after the fix in your next reply.

 

Step 2

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

 

Link 1

Link 2

 

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

 

 

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

 

This is an example, you may rename ComboFix to anything you want.

 

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
  For more information read:
  How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
   
  Then:
   
  Double click on Combo-Fix.exe & follow the prompts.
   
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  If running Vista, you may not see this screen
   
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

 

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

 

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

 

http://img.photobucket.com/albums/v706/ried7/whatnext.png

 

Click on Yes, to continue scanning for malware.

 

Note:

Do not mouseclick combofix's window while it's running. That may cause it to stall

 

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

 

In your next reply, please submit:

OTL report that comes up after the fix

Combofix.txt

 

 

Thanks.

[shawnh]

All done Starbuck... I've attached the files.

 

Thanks man!

Shawn

03092010_172121.txt

ComboFix.txt

[Starbuck]

Hi shawnh

 

How's the system running now?

[shawnh]

Seems to be great now Starbuck, thanks very much! I didn't think we were done - I thought there was still something left for you to do with the last files I sent you!

 

Cheers

Shawn

[Starbuck]

I didn't think we were done

We're not quite finished yet :D

 

I thought there was still something left for you to do with the last files I sent you!

The Otl report just confirms that the fix ran successfully.

Combofix took care of a couple of problems and didn't leave anything for us to clean up.

 

Let's get an online scan done now and double check everything.

 

I'd like you to do an ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESET OnlineScan
   
  
• Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
   
  
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  
  • Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer.
    Save it to your desktop.
    
  • Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.
    

  [*]Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png

  [*]Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.

  [*]Accept any security warnings from your browser.

  [*]Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png

  [*]Click the Start button.

  [*]ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

  [*]When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png

  [*]Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan.

  Include the contents of this report in your next reply.

  [*]Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.

  [*]Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

 

Thanks

[shawnh]

Hi Starbuck, sorry for the long delay in getting back to you - I've had a millon things on the go here.

 

Anyhoo, the ESET scan came out clean! Didn't find any malware at all! Below is a copy of the log file:

 

 

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=cf2a1ed6ac5cd5468ebbd0c2b12631e4

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-03-22 05:36:16

# local_time=2010-03-22 02:36:16 (-0400, Atlantic Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# compatibility_mode=9217 16777214 75 70 2955781 9400243 0 0

# scanned=57356

# found=0

# cleaned=0

# scan_time=3709

 

 

... so I guess we're all done with this computer then? Thanks SO much man!

 

But I'm not done bugging you however ;-) It appears one other of my computers is affected with something. When I go to run MalwareBytes on it, it shuts the program down automatically. Would you mind helping me again for this one?

 

Thank You!

Shawn

[Starbuck]

Hi shawnh

 

sorry for the long delay in getting back to you - I've had a millon things on the go here.

it's no problem at all.

 

But I'm not done bugging you however ;-) It appears one other of my computers is affected with something.

We'll finish off this system, then we can draw a line under it.

Each system will have to be looked at separately.

We don't have a problem with looking at any other system you have.... just start a new thread and either myself or one of the team will take a look for you.

 

Step 1

• Please double-click OTL.exe to run it.
  
• You should see a CleanUp! button, press that button,
   
  http://img.photobucket.com/albums/v708/starbuck50/cleanupbutton.png
   
  
• This will remove any programs we have asked you to download along with there associated folders.. plus itself.

 

Note:

MBAM will not be removed

 

Step 2

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

 

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".
  
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  
• Then go to Start > Run and type: Cleanmgr
  
• Click "OK".
  
• Select the drive for cleaning then click OK (usually 'C' drive)
  
• Click the "More Options" Tab.
  
• Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

 

To find out how you may have been infected....read this topic:

So how did i get infected?

 

Not all of the following information will be applicable to you, but it's still best to read it all.

 

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

• Use an AntiVirus Software
  
  • Avira AntiVir
    
  • Avast free
    
  • AVG Free
    
  • Bitdefender Free
    
  • MS Security Essentials ... see note*
    

   

  Note*:

  Upon installation MS Security Essentials will check that your OS is a legal copy.

   

  Only install one AntiVirus program

   

  [*]Update your AntiVirus Software regularly

   

  [*]Use a 3rd party Firewall

  • Online Armor Free
    
  • ZoneAlarm ...Important note below
    
  • Outpost Firewall Free
    
  • Sunbelt Personal Firewall
    

  NOTE: If choosing Zone Alarm be aware that the free version also installs ZoneAlarm Spy Blocker. It is recommended however that you UNcheck this option.

   

  Only install one software Firewall

   

  Some 3rd party Firewalls will turn off the windows firewall when they are installed.

  It's always best to check that the Windows Firewall is turned off:

   

  How to turn off Windows Firewall:

  Start ... Control Panel ...click on 'Classic View'.

  now select Windows Firewall.

  When the Windows Firewall box opens, put a tick against .. Off (not recommended) and then click Ok

   

  [*]Scan regularly with a 'Stand Alone' Anti-Malware scanner:

  Installing another scanner that you can run once or twice a week is always beneficial.

  Something like:

  Malwarebytes Anti-Malware

  SUPERAntiSypware

  Remember to update these programs each time before running.

  You can install more than one of these if you only run them as stand alone programs.

   

  [*] Use an alternative browser:

  Some excellent alternatives to MS Internet Explorer are:

   

  Firefox

  For added security, add the NoScript extension to this browser:

  Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks

  also consider adding:

  WOT - Safe Browsing Tool

   

  Web of Trust warns you about risky sites that cheat customers, deliver malware or send spam. Millions of members of the WOT community rate sites based on their experience, giving you an extra layer of protection when browsing or searching the Web.

  Btw: you don't have to make a contribution.

   

  Opera

   

  They offer better security, more stability, and better speed.

   

  [*]Keep a backup of your registry

  Keeping a regular backup of your registry will help when something goes wrong.

  Use a program like:

  Erunt

   

  A full tutorial on how to set up and use Erunt can be found here:

  Erunt tutorial

   

  [*]Keep your system clean of temp files etc, using a 'Cleaner':

  Cleaners are programs that will help to clean out your:

  Windows temp files

  Current user temp files

  Cookies

  Temporary Internet flies

  Browser history

  Recycle bin

  Etc.......

  In other words.... all the rubbish that you accumalate over the course of your browsing and day to day usage of your pc.

  Programs like:

  CCleaner

  TFC by OldTimer

  ATF Cleaner

   

  [*]Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.

   

  [*]Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

   

  A tutorial on installing & using this product can be found here:

  Using and installing SpywareBlaster

   

  [*]Update all your 'Security' programs regularly - Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

 

Glad I was able to help.

 

Safe surfing. http://fc08.deviantart.net/fs71/f/2010/033/b/3/Computer_addict__by_Sinister_Starfeesh.gif

[shawnh]

Sorry for the long delay in replying Starbuck... I did your last recommended steps, so I guess we are all done with this machine! Thanks SO much!!!

 

Anyhoo, like I had mentioned before, I have another machine with problems. OK if I open up a new thread regarding it, as you suggested?

 

Thanks!

Shawn