BleepingComputer.com: 'Trojan.Downloader' infecting my machine


Forum Rules

When posting your problem, do not run and post a ComboFix log. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.



#1 LacunaSF (New Member, Group: Members, Posts: 7, Joined: 23-March 11)
Posted 24 March 2011 - 11:35 AM

I have a malicious trojan that Malwarebytes detects and supposedly successfully removes, but the file is still present after the removal process. Malwarebytes is the only removal tool that detects the file. My Windows is running extremely slowly and/or is unresponsive at times. OS is Vista.

The file is called 'Trojan.Downloader' and located in 'c:\Users\Ann\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\scandisk.Ink'

I have run the following removal software: Norton, LavaSoft Adaware, Spybot, Malwarebytes, Windows Live OneCare Safety Scanner, MS Windows Security Essentials, Linux based AVG bootable Rescue CD, MS Windows Malicious Software Removal Tool, MS Windows Defender.

I reeeeally do not want to have to re-install my OS! :-(

This post has been edited by LacunaSF: 24 March 2011 - 12:13 PM


#2 boopme (Global Moderator, Posts: 48,762, Joined: 10-September 04, Location: NJ USA)
Posted 24 March 2011 - 02:19 PM

Let's do one more scan please.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip, which appears to be an older version (2.3.2.2) of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.



Well actually 2...
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal/regular mode, click the Update tab and select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 LacunaSF (New Member, Group: Members, Posts: 7, Joined: 23-March 11)
Posted 24 March 2011 - 04:13 PM

I downloaded and ran TDSSkiller and it did not find anything.
I then updated, ran a quick scan with MBAM. It detected the same file 'Trojan.Downloader'. I removed/quarantined the file and rebooted.

After rebooting, I again ran MBAM. It, again, found the file 'Trojan.Downloader'.
The file is located here: 'c:\Users\Ann\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\scandisk.Ink'

#4 boopme (Global Moderator, Posts: 48,762, Joined: 10-September 04, Location: NJ USA)
Posted 24 March 2011 - 09:44 PM

Look in Task Manager (press CTRL+SHIFT+ESC); these may be there.
Under the Applications tab look for Windows Police Pro
and, if there, highlight it and select End Process.

Next click the Processes tab.
Look for the process called Windows Police Pro.exe and left-click on it once so it becomes highlighted. Then click on the End Process button.


Either way run Rkill then MBAM once more.


RKill....

Download and Run RKill
    Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4


  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.

  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)

  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.

  • If nothing happens or if the tool does not run, please let me know in your next reply


Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

#5 LacunaSF (New Member, Group: Members, Posts: 7, Joined: 23-March 11)
Posted 25 March 2011 - 01:01 PM

I followed your instructions using Task Manager to locate and end the process of Windows Police Pro. Windows Police Pro was not present
in either 'Applications' or 'Processes' within Task Manager.

I next 'turned off' all Internet Security software.

I then downloaded and ran the 'rkill' app. This is the saved log after running it:
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/25/2011 at 10:34:46.
Operating System: Windows ™ Vista Ultimate


Processes terminated by Rkill or while it was running:

C:\Windows\SysWOW64\InfDefaultInstall.exe
C:\Windows\SysWOW64\runonce.exe


Rkill completed on 03/25/2011 at 10:35:02.

I next ran 'tdsskiller' and it found 'nothing'

I next ran MBAM and it detected the same trojan file, again, that is plaguing my machine. I, once again, removed/quarantined the file.
An IMPORTANT note: When I select 'remove/quarantine', MBAM requires me to reboot my PC to complete the removal process of the file. I receive the following message:
'All selected items have been removed successfully. Your computer needs to be restarted to complete the removal process. Would you like to restart now?'

I believe that when I select 'yes' and reboot, it reinfects my pc, yes?

Wanted to say thank you for your help...really appreciate it :-)

#6 boopme (Global Moderator, Posts: 48,762, Joined: 10-September 04, Location: NJ USA)
Posted 25 March 2011 - 01:36 PM

OK, let's use MBAM's FileAssassin feature to kill this file: 'scandisk.Ink'

Open MBAM again.
    Click the More Tools tab and then the Run Tool button
    Now browse to the file(s) we want to remove using the drop down box next to Look in: at the top.
    Locate the file(s), click Open.
    You will be prompted with a message warning: This file will be permanently deleted. Are you sure you want to continue?. Click Yes.
    If removal did not require a reboot, you will receive a message indicating the file was deleted successfully, however, I recommend you reboot anyway.


Caution: Be careful what you delete. FileAssassin is a powerful program, designed to remove highly persistent files. Using it incorrectly could lead to disastrous problems with your operating system.


#7 LacunaSF (New Member, Group: Members, Posts: 7, Joined: 23-March 11)
Posted 25 March 2011 - 03:38 PM

Hi...
When attempting to locate the file using MBAM Assassin, the path options are not succinct with the file location documented in the MBAM initial scan results, thus I am unable to successfully locate the file for removal within MBAM Assassin.

I am going to have to ask an IT friend for assistance in locating the file within MBAM Assassin.
Will post my results when completed. Thanks.

#8 boopme (Global Moderator, Posts: 48,762, Joined: 10-September 04, Location: NJ USA)
Posted 25 March 2011 - 07:05 PM

Ok, thanks. If needed we can move you and our MRL team will get it out.

#9 LacunaSF (New Member, Group: Members, Posts: 7, Joined: 23-March 11)
Posted 26 March 2011 - 12:29 AM

I located the 'scandisk.Ink' file using MBAM's FileAssassin and removed it.
I then rebooted my machine. After rebooting, I noted my SKYPE app no longer works. I will uninstall and reinstall SKYPE to hopefully correct the problem.

After rebooting, I ran a MBAM quick scan and the same trojan (Trojan.Download) was, again, detected in the same location: 'c:\Users\Ann\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\scandisk.Ink'

I then ran MBAM Assassin yet when navigating to the file location, 'scandisk.Ink' was no longer present. The only file present within the 'Startup' folder was 'scandisk' but not 'scandisk.Ink'

Note: I also re-ran tdsskiller and rkill with no results found.
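An added triage script, not part of this thread and not a BleepingComputer or Malwarebytes tool, that covers the two findings above: the RKill log in post #5 (runonce.exe and InfDefaultInstall.exe were running, and runonce.exe is the process that executes RunOnce registry entries at logon) and the Startup-folder shortcut in post #9 that comes back after deletion and shows up in Explorer as plain 'scandisk'. Explorer never displays the .lnk extension (the lnkfile type carries a NeverShowExt value), so a file listed as 'scandisk' is the shortcut itself. The script lists both Startup folders including hidden items, resolves every .lnk to the program it actually launches, hashes and signature-checks that target, and dumps the Run/RunOnce/Winlogon autostart values that could be re-creating the shortcut. It assumes it is run as the affected user (the 'Ann' profile in the thread) from an elevated PowerShell on Vista or later; the folder paths are taken from the environment rather than hard-coded.

```powershell
# Added example (not from the thread): enumerate Startup shortcuts, resolve their
# targets, and list the autostart registry values that can re-create them.
# Run as the affected user from an elevated PowerShell prompt.

$startupDirs = @(
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),  # per-user
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')   # all users
)

$shell = New-Object -ComObject WScript.Shell

function Get-Sha256([string]$path) {
    $sha = New-Object System.Security.Cryptography.SHA256Managed
    $fs  = [System.IO.File]::OpenRead($path)
    try   { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Write-Host "== $dir"
    # -Force includes hidden/system files that Explorer and a plain dir would skip.
    foreach ($f in Get-ChildItem -LiteralPath $dir -Force | Where-Object { -not $_.PSIsContainer }) {
        Write-Host ("{0}  attrs={1}  size={2}  modified={3}" -f $f.Name, $f.Attributes, $f.Length, $f.LastWriteTime)
        if ($f.Extension -ieq '.lnk') {
            # CreateShortcut on an existing .lnk loads it; no new file is written.
            $lnk = $shell.CreateShortcut($f.FullName)
            Write-Host ("    target  : {0} {1}" -f $lnk.TargetPath, $lnk.Arguments)
            Write-Host ("    workdir : {0}" -f $lnk.WorkingDirectory)
            if ($lnk.TargetPath -and (Test-Path -LiteralPath $lnk.TargetPath)) {
                Write-Host ("    sha256  : {0}" -f (Get-Sha256 $lnk.TargetPath))
                $sig = Get-AuthenticodeSignature -FilePath $lnk.TargetPath
                Write-Host ("    signed  : {0}" -f $sig.Status)
            } else {
                Write-Host "    target missing (dangling shortcut)"
            }
        }
    }
}

# Autostart locations that run at logon and can rewrite the Startup folder.
# runonce.exe, seen in the RKill log, is what processes the RunOnce keys.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',       # 32-bit view on x64
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$winlogonValues = @('Shell', 'Userinit', 'Taskman')

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    Write-Host "== $key"
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }                      # PowerShell provider metadata
        if ($key -like '*Winlogon' -and ($winlogonValues -notcontains $p.Name)) { continue }
        Write-Host ("    {0} = {1}" -f $p.Name, $p.Value)
    }
}
```

Read the output for two things: the target of the 'scandisk' shortcut (that executable, not the .lnk, is what runs at logon and what needs quarantining), and any Run/RunOnce or Winlogon value pointing at an unexpected path, since a value there can re-create the shortcut on every reboot, which would match the behaviour described in this thread. Scheduled tasks are another common writer; `schtasks /query /fo LIST /v` lists them on Vista.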

#10 boopme (Global Moderator, Posts: 48,762, Joined: 10-September 04, Location: NJ USA)
Posted 26 March 2011 - 10:41 AM

OK, I'm suspecting a hidden rootkit is reviving this. We need special tools to get this.

Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.