
'Trojan.Downloader' infecting my machine


#1 LacunaSF (Members, 9 posts)

Posted 24 March 2011 - 11:35 AM

I have a malicious trojan that Malwarebytes detects and supposedly successfully removes, but the file is still present after the removal process. Malwarebytes is the only removal tool that detects the file. My Windows is running extremely slow and/or is unresponsive at times. OS is Vista.

The file is called 'Trojan.Downloader' and located in 'c:\Users\Ann\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\scandisk.Ink'

I have run the following removal software: Norton, LavaSoft Adaware, Spybot, Malwarebytes, Windows Live OneCare Safety Scanner, MS Windows Security Essentials, Linux based AVG bootable Rescue CD, MS Windows Malicious Software Removal Tool, MS Windows Defender.

I reeeeally do not want to have to re-install my OS! :-(

Edited by LacunaSF, 24 March 2011 - 12:13 PM.




#2 boopme (Global Moderator)

Posted 24 March 2011 - 02:19 PM

Let's do one more scan please.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Well actually 2...
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal/regular mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#3 LacunaSF (Topic Starter)

Posted 24 March 2011 - 04:13 PM

I downloaded and ran TDSSkiller and it did not find anything.
I then updated, ran a quick scan with MBAM. It detected the same file 'Trojan.Downloader'. I removed/quarantined the file and rebooted.

After rebooting, I again ran MBAM. It, again, found the file 'Trojan.Downloader'.
The file is located here: 'c:\Users\Ann\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\scandisk.Ink'

#4 boopme (Global Moderator)

Posted 24 March 2011 - 09:44 PM

Look in Task Manager (press CTRL+SHIFT+ESC); these may be there.
Under the Applications tab look for Windows Police Pro
and, if there, highlight it and select End Process.

Next click the Processes tab
Look for the process called Windows Police Pro.exe and left-click on it once so it becomes highlighted. Then click on the End Process button.


Either way run Rkill then MBAM once more.


RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

#5 LacunaSF (Topic Starter)

Posted 25 March 2011 - 01:01 PM

I followed your instructions using Task Manager to locate and end the process of Windows Police Pro. Windows Police Pro was not present in either 'Applications' or 'Processes' within Task Manager.

I next 'turned off' all Internet Security software.

I then downloaded and ran the 'rkill' app. This is the saved log after running it:
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/25/2011 at 10:34:46.
Operating System: Windows ™ Vista Ultimate


Processes terminated by Rkill or while it was running:

C:\Windows\SysWOW64\InfDefaultInstall.exe
C:\Windows\SysWOW64\runonce.exe


Rkill completed on 03/25/2011 at 10:35:02.

I next ran 'tdsskiller' and it found 'nothing'

I next ran MBAM and it detected the same trojan file, again, that is plaguing my machine. I, once again, removed/quarantined the file.
An IMPORTANT note: When I select 'remove/quarantine', MBAM requires me to reboot my PC to complete the removal process of the file. I receive the following message:
'All selected items have been removed successfully. Your computer needs to be restared to complete the removal process. Would you like to restart now?'

I believe that when I select 'yes' and reboot, it reinfects my pc, yes?

Wanted to say thank you for your help...really appreciate it :-)

#6 boopme (Global Moderator)

Posted 25 March 2011 - 01:36 PM

OK, let's use MBAM's FileAssassin feature to kill this file: 'scandisk.Ink'

Open MBAM again.
Click the More Tools tab and then the Run Tool button
Now browse to the file(s) we want to remove using the drop down box next to Look in: at the top.
Locate the file(s), click Open.
You will be prompted with a message warning: This file will be permanently deleted. Are you sure you want to continue?. Click Yes.
If removal did not require a reboot, you will receive a message indicating the file was deleted successfully, however, I recommend you reboot anyway.

Caution: Be careful what you delete. FileAssassin is a powerful program, designed to remove highly persistent files. Using it incorrectly could lead to disastrous problems with your operating system.



#7 LacunaSF (Topic Starter)

Posted 25 March 2011 - 03:38 PM

Hi...
When attempting to locate the file using MBAM Assassin, the path options are not succinct with the file location documented in the MBAM initial scan results, thus I am unable to successfully locate the file for removal within MBAM Assassin.

I am going to have to ask an IT friend for assistance in locating the file within MBAM Assassin.
Will post my results when completed. Thanks.

#8 boopme (Global Moderator)

Posted 25 March 2011 - 07:05 PM

Ok, thanks. If needed we can move you and our MRL team will get it out.

#9 LacunaSF (Topic Starter)

Posted 26 March 2011 - 12:29 AM

I located the 'scandisk.Ink' file using MBAM's FileAssassin and removed it.
I then rebooted my machine. After rebooting, I noted my SKYPE app. no longer works. I will uninstall and reinstall SKYPE to hopefully correct the problem.

After rebooting, I ran a MBAM quick scan and the same trojan (Trojan.Download) was, again, detected in the same location: 'c:\Users\Ann\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\scandisk.Ink'

I then ran MBAM Assassin yet when navigating to the file location, 'scandisk.Ink' was no longer present. The only file present within the 'Startup' folder was 'scandisk' but not 'scandisk.Ink'

Note: I also re-ran tdsskiller and rkill with no results found.
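A defender-side check of what this thread is looking at, added here as an example and not taken from the thread or from any of the tools it mentions: a file named 'scandisk.Ink' sitting in a Startup folder is almost certainly a Windows shortcut (.lnk), which Explorer lists as plain 'scandisk' when extensions are hidden, so the Startup entry is only as meaningful as the program the shortcut points to. The script below enumerates both the per-user and all-users Startup folders, shows each file's real extension, and resolves every .lnk to its target and arguments. The folder paths come from [Environment]::GetFolderPath and the shortcut is read through the WScript.Shell COM object; the output layout is my own choice.

```powershell
# Added example: list Startup-folder entries with their real extensions and,
# for .lnk shortcuts, the target they launch. Assumes Windows PowerShell with
# the WScript.Shell COM object available (standard on Windows).

$startupDirs = @(
    [Environment]::GetFolderPath('Startup')        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')  # all-users Startup folder
)

$shell = New-Object -ComObject WScript.Shell

foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Write-Host "== $dir"
    # -Force includes hidden/system files that Explorer would not show.
    Get-ChildItem -LiteralPath $dir -Force -File | ForEach-Object {
        $info = [ordered]@{
            Name      = $_.Name          # full name; extension is never hidden here
            Extension = $_.Extension
            Modified  = $_.LastWriteTime
            Target    = ''
            Arguments = ''
        }
        if ($_.Extension -ieq '.lnk') {
            # CreateShortcut on an existing .lnk loads its properties rather than
            # creating a new one, so TargetPath is what the Startup entry runs.
            $lnk = $shell.CreateShortcut($_.FullName)
            $info.Target    = $lnk.TargetPath
            $info.Arguments = $lnk.Arguments
        }
        [pscustomobject]$info
    }
}
```

Run it from an elevated PowerShell prompt so the all-users folder is readable. A target that no longer exists, or that lives under a user-writable location such as AppData or Temp, is the thing to investigate; the shortcut itself is just a pointer, which is consistent with the thread's experience that deleting only the .lnk does not stop it from being detected again after a reboot.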

#10 boopme (Global Moderator)

Posted 26 March 2011 - 10:41 AM

OK, I'm suspecting a hidden rootkit is reviving this. We need special tools to get this.

Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.