Trojan? [Moved]

This topic is locked. 18 replies to this topic.

#1 jman1014 (Members, 12 posts)
Posted 18 May 2009 - 02:36 PM

Regedit will not open and the AVG updater says that access is forbidden. Saw an earlier post on this from April 22nd 2009 by ruold2 who was helped by farbar. Seems like I am having the same issue. I followed the steps in that post but one of the files I am supposed to delete is not there. I assume maybe that is case sensitive so I have no idea where to go from there. Help would be greatly appreciated!


#2 Orange Blossom, OBleepin Investigator (Moderator, 36,994 posts, Bloomington, IN)
Posted 18 May 2009 - 10:59 PM

Hello jman1014,

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.

Also, please note that disinfection instructions, particularly in the HJT forum, are designed with a specific computer and user in mind. Someone else following those instructions for a different computer could cause severe damage to the computer. It's akin to someone following a medication regime prescribed for someone else.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 quietman7, Bleepin' Janitor (Global Moderator, 51,606 posts, Virginia, USA)
Posted 19 May 2009 - 11:15 AM

Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, just ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
If you cannot boot into safe mode, then perform your scan in normal mode.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation link.

#4 jman1014, Topic Starter (Members, 12 posts)
Posted 19 May 2009 - 03:04 PM

I did all that as said.

Here is the Dr. Web log:


RegUBP2b-Joshua Chess.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
A0079854.reg;C:\System Volume Information\_restore{754F4C28-9C71-4D57-855C-1B25D858D6E5}\RP491;Trojan.StartPage.1505;Deleted.;
A0080218.reg;C:\System Volume Information\_restore{754F4C28-9C71-4D57-855C-1B25D858D6E5}\RP493;Trojan.StartPage.1505;Deleted.;
A0081285.reg;C:\System Volume Information\_restore{754F4C28-9C71-4D57-855C-1B25D858D6E5}\RP496;Trojan.StartPage.1505;Deleted.;

It did not find any files that could not be cured and had to be moved.


Here is the MBAM log:

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

5/19/2009 2:55:44 PM
mbam-log-2009-05-19 (14-55-44).txt

Scan type: Quick Scan
Objects scanned: 89550
Time elapsed: 2 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Let me know if there is anything else I need to do. Thanks for the help.

Edited by jman1014, 19 May 2009 - 03:09 PM.


#5 jman1014, Topic Starter (Members, 12 posts)
Posted 19 May 2009 - 03:38 PM

I just thought I would try AVG and see if this made a difference and the AVG updater is still saying access forbidden.

#6 quietman7, Bleepin' Janitor (Global Moderator, 51,606 posts, Virginia, USA)
Posted 20 May 2009 - 06:51 AM

Your Malwarebytes Anti-Malware log indicates you are using an outdated database version. Please update it through the program's interface (preferable method) or manually download the definition updates and just double-click on mbam-rules.exe to install. Your database shows 1945. Last I checked it was 2156.

Mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating through the program's interface or have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, is to do the following: Install MBAM on a clean computer, launch the program and update through MBAM's interface. Copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware
Then perform a new Quick Scan in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.
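The two logs in reply #4 and the outdated-database point in reply #6, as an added triage example (written for this thread; not Dr.Web's or Malwarebytes' own tooling). It parses the semicolon-separated Dr.Web CureIt report and the header of the MBAM log in the shapes posted above, classifies each Dr.Web detection by whether it sits in a System Restore point or a Spybot snapshot (a stored copy) or in a live location, and flags an MBAM database version below the 2156 quoted in reply #6. The sample log text is constructed from the posted lines: the user-specific part of the first Dr.Web filename is replaced by "user", and the final Dr.Web line (a hit in a live system directory) is invented to exercise the other branch. The function names, the location categories and the verdict strings are this example's own.

```python
"""Triage the Dr.Web CureIt report and MBAM log posted in this thread.

Added example, not vendor code. Assumes the Dr.Web report is one
detection per line as name;directory;signature;action; and that the
MBAM log header looks like the one in reply #4.
"""
import re
from dataclasses import dataclass

# Constructed from reply #4. First filename has the user part replaced
# by "user"; the last line (live system directory) is invented.
DRWEB_LOG = r"""
RegUBP2b-user.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
A0079854.reg;C:\System Volume Information\_restore{754F4C28-9C71-4D57-855C-1B25D858D6E5}\RP491;Trojan.StartPage.1505;Deleted.;
A0080218.reg;C:\System Volume Information\_restore{754F4C28-9C71-4D57-855C-1B25D858D6E5}\RP493;Trojan.StartPage.1505;Deleted.;
invented.dll;C:\WINDOWS\system32;Trojan.StartPage.1505;Moved.;
"""

# Constructed from the MBAM log header in reply #4 (abbreviated).
MBAM_LOG = """\
Malwarebytes' Anti-Malware 1.36
Database version: 1945

Scan type: Quick Scan
Objects scanned: 89550

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)
"""

REFERENCE_DB_VERSION = 2156  # the "last I checked" value from reply #6


@dataclass
class Detection:
    name: str
    directory: str
    signature: str
    action: str
    location: str  # "live", "restore-point" or "backup-snapshot"


def classify_location(directory: str) -> str:
    """Restore points and Spybot snapshots hold stored copies; a hit
    there is not evidence that the threat is still active."""
    d = directory.lower()
    if "\\system volume information\\_restore" in d:
        return "restore-point"
    if "spybot - search & destroy\\snapshots" in d:
        return "backup-snapshot"
    return "live"


def parse_drweb(text: str) -> list[Detection]:
    """The trailing ';' yields an empty last field; use the first four."""
    found = []
    for line in text.splitlines():
        fields = line.strip().split(";")
        if len(fields) < 4 or not fields[0]:
            continue
        name, directory, signature, action = fields[:4]
        found.append(Detection(name, directory, signature, action,
                               classify_location(directory)))
    return found


def parse_mbam(text: str) -> dict:
    """Database version, scan type and the per-category summary counts."""
    info = {"db_version": None, "scan_type": None, "counts": {}}
    m = re.search(r"^Database version:\s*(\d+)", text, re.M)
    if m:
        info["db_version"] = int(m.group(1))
    m = re.search(r"^Scan type:\s*(.+?)\s*$", text, re.M)
    if m:
        info["scan_type"] = m.group(1)
    # Summary lines carry a number; the listing headers below them do not.
    for m in re.finditer(r"^([A-Za-z ]+Infected):\s*(\d+)\s*$", text, re.M):
        info["counts"][m.group(1)] = int(m.group(2))
    return info


def triage(drweb_text: str, mbam_text: str,
           reference_db: int = REFERENCE_DB_VERSION) -> dict:
    dets = parse_drweb(drweb_text)
    mbam = parse_mbam(mbam_text)
    by_location = {"live": 0, "restore-point": 0, "backup-snapshot": 0}
    for d in dets:
        by_location[d.location] += 1
    outdated = mbam["db_version"] is not None and mbam["db_version"] < reference_db
    if by_location["live"]:
        verdict = "live detection: malware found outside backup stores"
    elif outdated:
        verdict = "clean MBAM result not trustworthy: definitions outdated"
    else:
        verdict = "only stored copies found; current-definition scan is clean"
    return {
        "by_location": by_location,
        "mbam_db_version": mbam["db_version"],
        "mbam_db_outdated": outdated,
        "mbam_infected_total": sum(mbam["counts"].values()),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(DRWEB_LOG, MBAM_LOG).items():
        print(f"{key}: {value}")
```

On the posted logs alone (without the invented live line) every Dr.Web hit is a stored copy of the Trojan.StartPage registry file, so a clean MBAM result is not contradicted by Dr.Web; what makes the first MBAM log unreliable is the 1945 database, which is why the reply above asks for a rescan with current definitions before treating the box as clean.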

#7 jman1014, Topic Starter (Members, 12 posts)
Posted 20 May 2009 - 12:47 PM

All links I can find via the ones you gave me update to 2110 and that results in no infections found as well. I was able to get 2158 or 2159 (can't remember) on other computers but when I transfer the file to my computer via memory stick, it will not run. It either just does not open or it says run time error.

#8 quietman7, Bleepin' Janitor (Global Moderator, 51,606 posts, Virginia, USA)
Posted 20 May 2009 - 12:55 PM

Are you placing a copy of rules.ref in the correct folder so that it overrides the existing one?

C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware <- it goes in this folder

#9 jman1014, Topic Starter (Members, 12 posts)
Posted 20 May 2009 - 01:07 PM

I uninstalled the old version totally from my computer and then moved over the files from the other computer. It does not run or it comes back up as version 1945.

#10 jman1014, Topic Starter (Members, 12 posts)
Posted 20 May 2009 - 01:19 PM

Where in the folder can I get the rules from on the newer version? I think that may be what you wanted me to do originally but I didn't see anything that said "rules" on it.

Also, under All Users I do not have a folder called Application Data. I can find Malwarebytes under my desktop, but it's the shortcut. Anywhere else I should search for it?

#11 quietman7, Bleepin' Janitor (Global Moderator, 51,606 posts, Virginia, USA)
Posted 20 May 2009 - 01:30 PM

C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref

If you cannot see the folder, you may have to Reconfigure Windows to show it.

#12 jman1014, Topic Starter (Members, 12 posts)
Posted 20 May 2009 - 01:44 PM

OK. I found the folder.

Again, where in the 2158 version can I find the rules to transfer? All of the links I can find (either that you provided or that I searched for) lead to 2110, which I now have on this computer. Is there a file within the Malwarebytes folder where I can copy the file?

#13 quietman7, Bleepin' Janitor (Global Moderator, 51,606 posts, Virginia, USA)
Posted 20 May 2009 - 02:05 PM

All of the links leading to v2110 are manual download links that you double-click on to install.

rules.ref is the actual database file created after install and it is saved in the Application Data\Malwarebytes\Malwarebytes' Anti-Malware folder. If you only see rules, then the .ref extension is hidden but that's the one you would be looking for. If you updated and downloaded from another computer today, then transferred rules.ref to the infected computer, the date should be today's date.

When placing rules.ref in the Application Data\Malwarebytes\Malwarebytes' Anti-Malware folder, it overwrites the existing file so the definitions are automatically updated when performing your scan.

#14 jman1014, Topic Starter (Members, 12 posts)
Posted 20 May 2009 - 02:40 PM

Here is the latest report with the 2158 version.

Malwarebytes' Anti-Malware 1.36
Database version: 2158
Windows 5.1.2600 Service Pack 3

5/20/2009 2:36:02 PM
mbam-log-2009-05-20 (14-36-02).txt

Scan type: Quick Scan
Objects scanned: 105862
Time elapsed: 3 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#15 quietman7, Bleepin' Janitor (Global Moderator, 51,606 posts, Virginia, USA)
Posted 20 May 2009 - 02:44 PM

That log looks good.

Other than the AVG updater what issues are you still having?



