Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I have a trojan and malwarebytes will not remove it


  • Please log in to reply
6 replies to this topic

#1 lifeofrly1

lifeofrly1

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:55 PM

Posted 13 October 2009 - 02:05 AM

I have been trying for days to get this trojan off my computer, it keeps taking me to a feed link when i'm online. I have installed malwarebytes and it keeps saying that it will delete the trojan on reboot but it doesn't. Can anyone help me? I have Trend Microhijackthis loaded and have a log but I'm not really sure what to do next. Any help would be great, I'm not computer savy so detailed instructions would be awesome if anyone can help. Thanks in advance. :thumbsup:

BC AdBot (Login to Remove)

 


#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:01:55 PM

Posted 13 October 2009 - 09:43 AM

Welcome to BC

:inlove:
Update mbam and run a FULL scan
Please post the results
===========================

:flowers:
ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

------------------------------------

:thumbsup:
SAS, may take a long time to scan
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
    First
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.


===============================================

:trumpet:

Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 lifeofrly1

lifeofrly1
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:55 PM

Posted 15 October 2009 - 08:50 PM

Malwarebytes' Anti-Malware 1.41
Database version: 2951
Windows 5.1.2600 Service Pack 3

10/15/2009 8:49:51 PM
mbam-log-2009-10-15 (20-49-38).txt

Scan type: Full Scan (C:\|)
Objects scanned: 165334
Time elapsed: 53 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\LaVetta\ntuser.dll (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{08FE06DE-74FB-43B7-BD26-497583CBFE3A}\RP477\A0065697.dll (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{08FE06DE-74FB-43B7-BD26-497583CBFE3A}\RP477\A0065705.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\LaVetta\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\LaVetta\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> No action taken.

#4 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:01:55 PM

Posted 16 October 2009 - 04:40 PM

Don't forget :thumbsup: and :flowers:


Also run


We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#5 lifeofrly1

lifeofrly1
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:55 PM

Posted 17 October 2009 - 12:07 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/16/2009 at 06:19 PM

Application Version : 4.29.1004

Core Rules Database Version : 4170
Trace Rules Database Version: 2092

Scan type : Complete Scan
Total Scan Time : 00:47:37

Memory items scanned : 256
Memory threats detected : 0
Registry items scanned : 6258
Registry threats detected : 2
File items scanned : 60229
File threats detected : 31

Trojan.Agent/Gen-FakeAlert[Calc]
[calc] C:\WINDOWS\SYSTEM32\CALC.DLL
C:\WINDOWS\SYSTEM32\CALC.DLL
[calc] C:\DOCUME~1\LOCALS~1\NTUSER.DLL
C:\DOCUME~1\LOCALS~1\NTUSER.DLL
C:\DOCUMENTS AND SETTINGS\LAVETTA\NTUSER.DLL
C:\DOCUMENTS AND SETTINGS\LAVETTA\START MENU\PROGRAMS\STARTUP\SCANDISK.DLL
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DLL

Adware.Tracking Cookie
C:\Documents and Settings\LaVetta\Cookies\lavetta@casalemedia[2].txt
C:\Documents and Settings\LaVetta\Cookies\lavetta@avgtechnologies.112.2o7[1].txt
C:\Documents and Settings\LaVetta\Cookies\lavetta@insightexpressai[1].txt
C:\Documents and Settings\LaVetta\Cookies\lavetta@hitbox[2].txt
C:\Documents and Settings\LaVetta\Cookies\lavetta@mediaplex[1].txt
C:\Documents and Settings\LaVetta\Cookies\lavetta@eyewonder[1].txt
C:\Documents and Settings\LaVetta\Cookies\lavetta@www.stopzilla[1].txt
C:\Documents and Settings\LaVetta\Cookies\lavetta@ehg-eset.hitbox[1].txt
C:\Documents and Settings\LaVetta\Cookies\lavetta@apmebf[1].txt
C:\Documents and Settings\LaVetta\Cookies\lavetta@revsci[1].txt
C:\Documents and Settings\LaVetta\Cookies\lavetta@advertising[2].txt
C:\Documents and Settings\LaVetta\Cookies\lavetta@ads.bleepingcomputer[2].txt
C:\Documents and Settings\LaVetta\Cookies\lavetta@ad.yieldmanager[1].txt
C:\Documents and Settings\LaVetta\Cookies\lavetta@collective-media[1].txt
C:\Documents and Settings\LaVetta\Cookies\lavetta@xiti[1].txt
C:\Documents and Settings\LaVetta\Cookies\lavetta@content.yieldmanager[1].txt
C:\Documents and Settings\LaVetta\Cookies\lavetta@doubleclick[2].txt
C:\Documents and Settings\LaVetta\Cookies\lavetta@kontera[2].txt
C:\Documents and Settings\LaVetta\Cookies\lavetta@trafficmp[1].txt
C:\Documents and Settings\LaVetta\Cookies\lavetta@www.googleadservices[1].txt
C:\Documents and Settings\LaVetta\Cookies\lavetta@stopzilla[2].txt
C:\Documents and Settings\LaVetta\Cookies\lavetta@richmedia.yahoo[1].txt
C:\Documents and Settings\LaVetta\Cookies\lavetta@statse.webtrendslive[1].txt
C:\Documents and Settings\LaVetta\Cookies\lavetta@chitika[2].txt
C:\Documents and Settings\LaVetta\Cookies\lavetta@atdmt[1].txt
C:\Documents and Settings\LaVetta\Cookies\lavetta@smartadserver[1].txt










This is from Dr. Web Cureit

GTDownAO_106.ocx;C:\Program Files\Common Files\AolCoach\en_en;Adware.Gdown;Moved.;
A0065708.exe;C:\System Volume Information\_restore{08FE06DE-74FB-43B7-BD26-497583CBFE3A}\RP477;Trojan.Fakealert.4983;Deleted.;
A0065953.dll;C:\System Volume Information\_restore{08FE06DE-74FB-43B7-BD26-497583CBFE3A}\RP479;BackDoor.Podmena;Deleted.;
A0065964.dll;C:\System Volume Information\_restore{08FE06DE-74FB-43B7-BD26-497583CBFE3A}\RP480;BackDoor.Podmena;Deleted.;
A0065965.dll;C:\System Volume Information\_restore{08FE06DE-74FB-43B7-BD26-497583CBFE3A}\RP480;BackDoor.Podmena;Deleted.;
A0065966.dll;C:\System Volume Information\_restore{08FE06DE-74FB-43B7-BD26-497583CBFE3A}\RP480;BackDoor.Podmena;Deleted.;
A0065967.dll;C:\System Volume Information\_restore{08FE06DE-74FB-43B7-BD26-497583CBFE3A}\RP480;BackDoor.Podmena;Deleted.;

#6 lifeofrly1

lifeofrly1
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:55 PM

Posted 17 October 2009 - 12:14 AM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/17 00:09
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_IdeChnDr.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_IdeChnDr.sys
Address: 0xAE7B2000 Size: 98304 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xADE01000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\temp\mcmsc_4cwpt15jr10athj
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcafee_cqpv84mj1xgimjr
Status: Allocation size mismatch (API: 4096, Raw: 0)

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xae8e50b0

==EOF==

#7 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:01:55 PM

Posted 17 October 2009 - 04:57 PM

Please run these for me too


:trumpet:

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.
--------------------------------------


:flowers: Go to Posted Image > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.

======================

:thumbsup:
Vista users can refer to these instructions to open a command prompt.

Alternatively you can do this:

Please download peek.bat and save it to your Desktop. Double-click on peek.bat to run it. A black Command Prompt window will appear indicating the program is running. Once it is finished, copy and paste the entire contents of the Log.txt file it creates in your next reply.

If you encounter a problem downloading or getting peek.bat to run, go to Posted Image > Run..., and in the open box, type: Notepad
  • Click OK.
  • Copy and paste everything in the code box below into the Untitled - Notepad.
@ECHO OFF
DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >Log.txt
START Log.txt
DEL %0
  • Go to File > Save As, click the drop-down box to change the Save As Type to *All Files and save it as "peek.bat" on your desktop.
  • Double-click peek.bat to run the script.
  • A window will open and close quickly, this is normal.
  • A file called log.txt should be created on your Desktop.
  • Open that file and copy/paste the contents in your next reply.
-- Vista users, users can refer to these instructions to Run a Batch File as an Administrator.
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users