Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan horse generic14.CATM


  • Please log in to reply
4 replies to this topic

#1 lauralynn

lauralynn

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:57 PM

Posted 13 October 2009 - 10:47 AM

Hi I'm new here, thought maybe someone could help me get rid of a trojan on my computer that avg can't get rid of.

Avg found a trojan in my wise installation wizard but unable to heal and I need that file. I downloaded MBAM and ran a malwarebytes scan yesterday which found a trojan agent which it deleted but nothing on the wise installation file. I don't want to attempt combofix without someone's professional help. If anyone can be of assistance to my problem I would be very grateful. Thank you in advance.

BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,597 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:57 PM

Posted 13 October 2009 - 12:15 PM

Hi lauralynn and :thumbsup: to Bleeping Computer!

Good you didn't run Combofix on your own. It is a tool that is not allowed in this forum anyway.

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for unsupervised use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


Do you know the file-location of the file that is detected by AVG? If so, please try to do the following steps.

UPLOAD A FILE
--------------------
We need to check a file. Please click this link VirusTotal

When the page has finished loading, click the Choose file button and navigate to the following file and click Send file.

suspected file

If you get the message that the file has already been scanned before, please click Reanalyse file now.
Please post back the results of the scan in your next post.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif


#3 lauralynn

lauralynn
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:57 PM

Posted 13 October 2009 - 12:53 PM

I tried sending the file to virus total but came back with this:

Bigger than max permited size

The file is a couple mb so it exceeds the file size limit.

#4 lauralynn

lauralynn
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:57 PM

Posted 13 October 2009 - 01:03 PM

I had 3 files that came up on avg this one was able to scan and the results were:

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.13 -
AhnLab-V3 5.0.0.2 2009.10.13 -
AntiVir 7.9.1.35 2009.10.13 -
Antiy-AVL 2.0.3.7 2009.10.13 -
Authentium 5.1.2.4 2009.10.13 -
Avast 4.8.1351.0 2009.10.13 -
AVG 8.5.0.420 2009.10.13 -
BitDefender 7.2 2009.10.13 -
CAT-QuickHeal 10.00 2009.10.13 -
ClamAV 0.94.1 2009.10.13 -
Comodo 2596 2009.10.13 -
DrWeb 5.0.0.12182 2009.10.13 -
eSafe 7.0.17.0 2009.10.13 -
eTrust-Vet 35.1.7065 2009.10.13 -
F-Prot 4.5.1.85 2009.10.13 -
F-Secure 8.0.14470.0 2009.10.13 -
Fortinet 3.120.0.0 2009.10.13 -
GData 19 2009.10.13 -
Ikarus T3.1.1.72.0 2009.10.13 -
Jiangmin 11.0.800 2009.10.08 -
K7AntiVirus 7.10.869 2009.10.13 -
Kaspersky 7.0.0.125 2009.10.13 -
McAfee 5769 2009.10.12 -
McAfee+Artemis 5769 2009.10.12 -
McAfee-GW-Edition 6.8.5 2009.10.13 -
Microsoft 1.5101 2009.10.13 -
NOD32 4504 2009.10.13 -
Norman 6.01.09 2009.10.12 -
nProtect 2009.1.8.0 2009.10.13 -
Panda 10.0.2.2 2009.10.12 Trj/CI.A

PCTools 4.4.2.0 2009.10.13 -
Prevx 3.0 2009.10.13 -
Rising 21.51.14.00 2009.10.13 Trojan.Win32.VBDownLoaderU.a

Sophos 4.46.0 2009.10.13 -
Sunbelt 3.2.1858.2 2009.10.13 -
Symantec 1.4.4.12 2009.10.13 Downloader

TheHacker 6.5.0.2.040 2009.10.13 -
TrendMicro 8.950.0.1094 2009.10.13 -
VBA32 3.12.10.11 2009.10.13 -
ViRobot 2009.10.13.1982 2009.10.13 -
VirusBuster 4.6.5.0 2009.10.13 -
Additional information
File size: 8498688 bytes
MD5...: 0867d43f29a31f287ad41cd6fa7c23eb
SHA1..: 101a5011ea7b892acb42e402dab204f2774fa267
SHA256: 2236c111713e30a844afc8261d145f641722db8fe8477d944ad29c4abf1ef0de
ssdeep: 196608:icKamp5eBfWrYXZAlKytaeiylbhc02pBrs4R+p:icRKyO6Zjy132zry
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Microsoft Windows Installer (92.7%)
Windows SDK Setup Transform Script (6.3%)
Generic OLE2 / Multistream Compound File (0.8%)
Corel Photo Paint (0.0%)
packers (Kaspersky): UPX, PE_Patch.UPX, UPX, PE_Patch.PECompact, PecBundle, PECompact, PE_Patch.UPX, UPX
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

Edited by lauralynn, 13 October 2009 - 01:03 PM.


#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,597 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:57 PM

Posted 13 October 2009 - 01:32 PM

Well, this one seems like a false positive, most scanners report it safe.

Please follow the steps below.

TFC
--------
Download TFC by OldTimer to your desktop.
(TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies).
Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish it's job.
Once its finished it should automatically reboot your machine, if it doesn't, manually reboot to ensure a complete clean

NOTE:
It's normal after running TFC cleaner that the PC will be slower to boot the first time.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.



SUPERANTISPYWARE
-----------------------------
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Prgrams > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users