Malware won't go away!

I ran MBAM, and every time I run it I get 2 Trojan-Agents. It won’t go away!!
Please help, Thanks

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5763

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

2/14/2011 4:42:12 PM
mbam-log-2011-02-14 (16-42-12).txt

Scan type: Quick scan
Objects scanned: 157107
Time elapsed: 3 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\windows\system32\f3pssavr.scr (Trojan.Agent) → Quarantined and deleted successfully.
c:\windows\syswow64\f3pssavr.scr (Trojan.Agent) → Quarantined and deleted successfully.

Ok, here are my logs.

Welcome to the forum. When Malwarebytes quarantined the threats, did it ask for a reboot? If so, did you reboot?

Hopefully someone will check your log there; I’m no expert on them.

A few steps I would recommend are a boot scan with avast for a start, and see if avast picks up anything.

http://www.schmahl.net/avastbootscan.php

Maybe a scan with SUPERAntiSpyware might be a good one, for sometimes it picks up things Malwarebytes misses and vice versa.

http://filehippo.com/download_superantispyware/

Good luck, and let us know about your progress.

I scanned with MBAM and it stated reboot, so I rebooted, then I scanned again and it is still there. I also scanned in “Safe Mode” and there was no Trojan detected, it’s weird, I can’t figure it out. I also scanned with Avast, Threatfire and SuperAntiSpyware. It was not picked up.

I have windows 7 x64, no Boot time Scan

Thanks for the info though.

I have windows 7 x64, no Boot time Scan
The latest avast version has x64 BootScan...

You may try this, Kaspersky TDSSKiller http://support.kaspersky.com/faq/?qid=208283363
Then update and rerun Malwarebytes…

Essexboy is notified and will check your logs when he arrives.

He is usually in here at 8:00pm - 11:59pm UK time
http://www.timeanddate.com/worldclock/

Hi, I can see no sign of that in your log, so let's see if OTL can search and destroy.

Run OTL

* Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
DRV:64bit: - [2010/03/04 17:05:11 | 000,029,976 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Stopped] -- C:\Windows\SysNative\drivers\avgfwd6a.sys -- (Avgfwfd)

:Files
ipconfig /flushdns /c
c:\windows\system32\f3pssavr.scr

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

* Then click the Run Fix button at the top
* Let the program run unhindered, reboot the PC when it is done
* Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Ok, I did what you requested, here are the logs.

Thanks again for your help.

I forgot to tell you that I had to use “Run Fix” twice because Threatfire stopped the process, I had to disable Threatfire and had to open it during the scan. So I canceled the first run after reboot (when OTL asked to continue “run program”).

I just started the process again, I hope I didn’t mess things up. I hope I did not confuse you.

A while back I tried the latest Avast5.1 something and it froze my computer, so I went back to 5.0. I’m scared to try the latest just yet, until Avast has perfected it.

FYI, I downloaded TDSSKiller and updated it, then scanned, and nothing was detected.
Sorry about all the posts.

File\Folder c:\windows\system32\f3pssavr.scr not found.
Is MBAM still finding this ?

Yes, and this c:\windows\syswow64\f3pssavr.scr

Thanks again

It says “no action taken” on the scan.

removed

If you check Walt baby luv’s first post it contains the MBAM log which shows that is what the OP did, but it keeps coming back, which is the whole issue about the topic subject “Malware won’t go away!”

So we have to find the underlying infection that is restoring it.

I am starting to think maybe it’s something I downloaded for use, I mean I downloaded some “skins” for Win media player, icons, cursor, etc… Maybe it’s a False Positive? Only MBAM is picking it up. I have used TDSSkiller, Threatfire, Avast (full scan), Superantispy. I don’t know. Thanks again for your patience and support.

Given the file name and its location in the system folders, plus its coming back, I rather doubt it is a false positive.

Also see http://www.threatexpert.com/files/f3pssavr.scr.html. Essexboy was also involved in removing this in geeks-to-go topic, http://www.geekstogo.com/forum/topic/269890-serious-infection-solved/. Although this is an old topic, the strange thing is that using the same tools he used here it did work. So perhaps this is a stronger strain. So we will need him to work his magic again.

This file is associated with the MyWebSearch which is adware/spyware.

So you need to remove MyWebSearch from your system,

OK, let's put the big boy on the job - if it does not find it the first time around I will create a script for a search and destroy.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
* Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

I just want to thank you again for all your help. I downloaded what you requested and I did not know it would start right then and there. I tried to turn off avast and it would not let me, so I had to uninstall avast. Threatfire only came back on after the computer rebooted, and I think superantispy and MBAM are only on-demand scanners. Anyways, I ran the scan and a lot of my desktop icons disappeared??? I hope I did everything right? I only know the basics when it comes to computers.

Here is my log, and let me know if I need to do it again (in case I messed up).

Thanks again

No sign there either - let's try something different … Uninstall MBAM and then install a fresh copy. Let me know if the detections re-appear.

Sorry for the delay, been busy. I uninstalled MBAM, then reinstalled, scanned, same problem, they're still there. I will attach the log. It’s pretty much the same.

Thanks again,