Trojan problems... not sure where to start



#1 fibonaccisquared


Posted 27 November 2008 - 01:31 PM

Hello. I'm not really sure where to start as I've never really had virus/trojan problems before and I'm kinda clueless. I've posted on one other forum but either due to the holiday or a long line of others needing help haven't really gotten an answer so I'm hoping this might extend my net.

I was running Symantec antivirus and it detected a trojan threat and quarantined it but was unable to clean or remove it. The files were:
"evenst.dll" and "mspush.dll" (in the C:\windows\system32 folder)
I hoped this was enough but about 3 days later I got autoprotect results saying that a .tmp file that was a trojan had been quarantined but was unable to be deleted as well. It proceeded to do this about once every 4 minutes finding another trojan with the name "APQ***.tmp" (the *** just denotes various letters/numbers)
One message board told me to try system restore which did not work... it told me that the date was unavailable for all the dates I tried including the oldest one available.

A friend told me to try Kaspersky Antivirus which has found some of the problem files but not everything because the autoprotect keeps popping up. Kaspersky found these files:

Trojan.Win32.patched.dq in C:\windows\system32\spoolsv.exe
Trojan-Downloader.Win32.Agent.aohf in C:\windows\system32\wmdmpmsvc.dll
Trojan.Win32.Patched.dq in C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP100\A0022763.EXE
Trojan.Win32.StartPage.cyk in C:\windows\system32\taskmagr.exe
Trojan.Win32.StartPage.cyk in C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP100\A0022742.EXE
Trojan-Downloader.Win32.Agent.aohf in C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP100\A0022762.EXE
Trojan.Win32.StartPage.cyk C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP100\A0022748.EXE::$data

When I found your message board I noticed that a suggestion that seems to be a first start was to try the Malwarebytes tool... I've run a quick scan and a full scan and it came up with nothing...

Hopefully someone can give me an idea on where to go next or if I've done anything wrong.
Appreciate anyone's help at this stage.
Thanks
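A triage of the Kaspersky detection list quoted in the post above, as an added example that is not part of the original thread: it separates files flagged in `system32` from copies held in System Restore points (the `_restore{...}\RP100` paths) and records the NTFS stream suffix on the last entry. The function names `parse_detection` and `triage` are hypothetical; the input lines are copied from the post.

```python
import re
from collections import defaultdict

# Detection lines copied from the post above (verdict, optional "in", path).
DETECTIONS = r"""
Trojan.Win32.patched.dq in C:\windows\system32\spoolsv.exe
Trojan-Downloader.Win32.Agent.aohf in C:\windows\system32\wmdmpmsvc.dll
Trojan.Win32.Patched.dq in C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP100\A0022763.EXE
Trojan.Win32.StartPage.cyk in C:\windows\system32\taskmagr.exe
Trojan.Win32.StartPage.cyk in C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP100\A0022742.EXE
Trojan-Downloader.Win32.Agent.aohf in C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP100\A0022762.EXE
Trojan.Win32.StartPage.cyk C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP100\A0022748.EXE::$data
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<verdict>\S+)\s+(?:in\s+)?(?P<path>[A-Za-z]:\\.+)$")
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\(RP\d+)\\", re.I)

def parse_detection(line):
    """Split one line into verdict, file path, NTFS stream and restore point."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    path, _, stream = m.group("path").partition("::")
    rp = RESTORE_RE.search(path)
    return {
        "verdict": m.group("verdict").lower(),  # the post mixes "patched"/"Patched"
        "path": path,
        "stream": stream or None,               # e.g. "$data"
        "restore_point": rp.group(1) if rp else None,
    }

def triage(lines):
    """Group detections into live-system files and System Restore copies."""
    report = {"live": defaultdict(list), "restore": defaultdict(list), "unparsed": []}
    for line in lines:
        d = parse_detection(line)
        if d is None:
            report["unparsed"].append(line)  # keep anything the pattern missed
            continue
        bucket = "restore" if d["restore_point"] else "live"
        report[bucket][d["verdict"]].append(d["path"])
    return report

if __name__ == "__main__":
    result = triage(DETECTIONS)
    for bucket in ("live", "restore"):
        for verdict, paths in sorted(result[bucket].items()):
            print(f"{bucket:8} {verdict:40} {len(paths)} file(s)")
```
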


 


#2 Guest_superbird_*


Posted 27 November 2008 - 01:33 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#3 fibonaccisquared


Posted 27 November 2008 - 04:01 PM

Another compounding issue is that I am unable to use the internet on my computer; I'm using a different computer to post issues/results. I can connect to the router but neither Internet Explorer nor Firefox will access webpages... comes up with error message.

I had already downloaded the Malwarebytes Anti-Malware and the most recent rules update and the scan came up with no results. I scanned it once more and here is the log from that scan:

Malwarebytes' Anti-Malware 1.30
Database version: 1410
Windows 5.1.2600 Service Pack 3

11/27/2008 3:55:12 PM
mbam-log-2008-11-27 (15-55-12).txt

Scan type: Quick Scan
Objects scanned: 61742
Time elapsed: 9 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by fibonaccisquared, 27 November 2008 - 04:05 PM.


#4 Guest_superbird_*


Posted 28 November 2008 - 03:20 AM

Hi,

Did you already do an online scan? If yes, which one? :thumbsup:

#5 fibonaccisquared


Posted 28 November 2008 - 01:34 PM

I tried the Trend Micro online virus scan and came up with no infections when this all started, but now I can't connect to the internet on the computer with the issue.
My next step was to install Kaspersky, which is the reason I have names of the trojans... Symantec had only been able to quarantine some files but not all and couldn't clean them. Kaspersky has cleaned/disinfected several files including some of the restore point issues, but the computer is still running and booting super slow, and if I allow Symantec to load it still quarantines .tmp files :thumbsup:
A friend who works IT is out of town but is going to try to help tomorrow, but I was hoping to get this taken care of today; it's been about a week and some change already.
Thanks so much for those who are trying to help.

#6 Guest_superbird_*


Posted 28 November 2008 - 01:55 PM

Hi,

I'm going to redirect you to the HijackThis section of this forum. I think you have a deeper infection.
Read this page and follow its steps: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Give them a link to this topic

Good luck. :thumbsup:



