Heur Trojan just won't go.


55 replies to this topic

#1 cnnashman

cnnashman

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Local time:03:19 AM

Posted 06 February 2013 - 04:08 AM

Hi everybody, I will explain what I have been through. I picked up a (win32 heur Trojan) about a month ago from a program named Reimage (I know it's supposed to be malware free, but I got infected). I consulted and worked with Kaspersky and supposedly it was claimed to be quarantined and no longer an issue. Well, I kept noticing that on every webpage I visited, that Reimage program that gave me the infection popped up and always enticed me to click it (which I never did).

I have tried all the recommendations from Major Geeks and followed the step-by-step malware removal procedures twice, and according to one tech no malware was noted, but I wasn't convinced.

I came upon your site and something told me to try your Rkill program, and what do you know, it picked up on the Heur malware when no other Rootkit scanner did.
I attached a log.

Now, even though your program says the process was terminated, I can't get rid of the popups, and I ran some scans with my normal scanners, Malwarebytes, Eset, Super anti spyware, and nothing is being found, but I am still getting the Reimage popups.

I am hoping you can help.

Thank you very much. I am running Win 7 64 bit.






Rkill 2.4.6 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 02/06/2013 03:37:51 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\Windows\SysWOW64\ACEngSvr.exe (PID: 3940) [WD-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

* Windows Defender (WinDefend) is not Running.
Startup Type set to: Manual

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* No issues found.

Program finished at: 02/06/2013 03:38:01 AM
Execution time: 0 hours(s), 0 minute(s), and 9 seconds(s)

Edited by cnnashman, 06 February 2013 - 05:12 AM.




#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,769 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:12:19 AM

Posted 06 February 2013 - 06:34 PM

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

====================================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 cnnashman

  • Topic Starter

Posted 07 February 2013 - 06:09 PM

I clicked on the Security Check link and it takes me to a half man / half cat looking dude. Is that the real link?



#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,561 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:19 AM

Posted 07 February 2013 - 10:24 PM

Should be, if it says

Welcome to screen317's little corner of the Internet



#5 Broni


Posted 07 February 2013 - 10:29 PM

Click here for screen317's Security Check.



 


#6 cnnashman


Posted 08 February 2013 - 04:17 AM

I can't get the logs to post, I tried everything. I'll figure it out somehow.


#7 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:19 AM

Posted 08 February 2013 - 09:17 AM

Hi Broni,

One of the attachments (Rkill) ended up here:
added attachment to "cant get ...

-etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#8 cnnashman


Posted 08 February 2013 - 09:58 AM

Hi Broni, I posted my logs in the logs forum under the same title.

 

Attention Broni

 

Thank you



#9 Broni


Posted 08 February 2013 - 11:24 AM

Thanks etavares :)

 

@ cnnashman

What happens when you try to paste logs?



 


#10 cnnashman


Posted 08 February 2013 - 02:49 PM

Oh, it's not virus related, I'm just a complete idiot in regards to figuring out how to do basic computer things. I take forever trying to circumvent the login screen, it took me days to figure out how to post a screenshot. If I don't see the attachments option somewhere on the screen, I'm lost.



#11 Broni


Posted 08 February 2013 - 03:29 PM

You should post in the appropriate forum then.



 


#12 cnnashman


Posted 08 February 2013 - 04:19 PM

So which forum should I start over in? I was up all night figuring out how to get them to post in any forum and I finally did it, and all my logs are in the forum below this "am i infected forum". If you want me to start over in another forum, just let me know which one please.

The below logs are in the forum (malware logs) under the same title Heur Trojan just won't go. I don't know how to transfer them here.

 

 

 

Result.txt   26.38K   1 downloads
  aswMBR.txt   1.86K   0 downloads
  FSS.txt   2.38K   0 downloads
  mal latest log.txt   1.88K   0 downloads
  checkup.txt   958bytes   0 downloads

 

 


Edited by cnnashman, 08 February 2013 - 04:25 PM.


#13 Broni


Posted 08 February 2013 - 04:26 PM

In your previous post you said:

it's not virus related

 

Are you having any computer issues, or do you just want to ask questions about how to use this board?

I'm a little bit confused.



 


#14 cnnashman


Posted 08 February 2013 - 05:53 PM

My heur infection is what I'm here about. (the prog* C:\Windows\SysWOW64\ACEngSvr.exe (PID: 3940) [WD-HEUR]).

I just don't know how to paste on this forum, that was the issue. I know I have an infection as the logs will help in getting rid of it, I hope.


Edited by cnnashman, 08 February 2013 - 05:56 PM.


#15 Broni


Posted 08 February 2013 - 06:00 PM

Open any log you created, select all text, copy it and paste it into your next reply.



 




