Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Data Recovery Woes

  • Please log in to reply
1 reply to this topic

#1 sproffice


  • Members
  • 12 posts
  • Local time:07:36 AM

Posted 13 June 2012 - 02:55 PM

I am having a problem getting rid of a program called Data Recovery, installed when trojan.dropper got on the computer. I followed the removal instructions on this site, and Malwarebytes did find and remove the trojan and a rootkit. Now all the MBAM scans come up clean, but there is still a program icon on the taskbar next to Start, a Start menu item, a desktop icon, and under Documents and Settings/All Users/Application data, there are several files with no file extension and an .exe file. I don't think this program has actually been eliminated.

This is a Windows domain, and the rootkit and trojan both downloaded on a user account. I scanned as administrator and as the user (limited privileges). I couldn't scan with TDSS KIller on the user account as it needs an elevated account, and Run as... did not work. Also, RKill did not run properly after many tries, in both safe mode and normal mode.

For now I just added some extra characters in the filenames for the suspicious files. I want to make sure this is absolutely gone, as problems keep cropping up on this computer. Allso, if there's any way to prevent this type of thing from downloading, please advise. Our AV finds these things, but sometimes not till after the user clicked off and allowed the malware to install.

Steps I took:

Booted in safe mode, logged in as infected user.
Ran RKill (IExplore variant). Access denied.
Ran Malwarebytes. Found and deleted files. Rebooted.
Logged in as administrator, ran Malwarebytes. Found and deleted trojan.dropper. Rebooted.
Logged back in as user, ran TDSS Killer. Would not initialize.
Logged back in as administrator. Ran TDSS Killer. Nothing found.
Ran SUPERantispyware custom scan. Only cookies found.
Logged in as user. Ran SUPERantispyware. No infections found.

Program on taskbar, desktop icon, Start Menu entry, and suspicious files in All User/Application Data still remain. The Start menu listing has an uninstall option, but I didn't want to try that without advice.

Computer is running Win XP SP3.


Edited by sproffice, 13 June 2012 - 02:56 PM.

BC AdBot (Login to Remove)


#2 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:07:36 AM

Posted 13 June 2012 - 04:00 PM

hllo, to get the rest of this we will need a deeper look. Please go here....Preparation Guide ,do steps 6-9.

Create a DDS log and post it in the new topic explained in step 9 which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.
If GMER won't run (it may not on a 64 bit system) skip it and move on.

Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users