Trojans, Worms and Exploits

I have had a persistent infection by a Trojan virus. My computer was rendered inoperable (screen would go black and then it would cut off) about 3 months ago. I had it “fixed” by some “expert” associates of mine so I can now use my computer but apparently the virus is still present. I found the thread by essexboy, followed the instructions (Malwarebytes ----> OTL) but Avast still registers the viruses on a custom scan (not on a full or quick scan) and what's more it appears Avast is now compromised as I cannot perform any action after the scan (no repair, no delete, no move to chest, nothing). I copied all the scan info from Avast and have attached it along with the Malwarebytes and OTL logs. Hopefully there are some true experts (no quotes) on here who can help.

And the final OTL log file.

Oh and I’m running a Toshiba Satellite laptop, Windows XP, Service Pack 2 (recently upgraded to Service Pack 3).

Thoughts, suggestions, advice, resolutions? Anyone?

Have sent a PM to Essexboy, so he will look at it when he enters the forum.

Excellent. Thank you Pondus.

The two that Avast is catching are PCtools spyware doctor and Spybot teatimer as memory resident items

Are you experiencing any other problems

No, the occasional slowdown but nothing serious. I just make it a point to run various scans (Spyware Doctor, SpyBot S&D, Avast) and these trojans, worms and whatnot keep showing up. The last Avast scan found five, so if two are Spyware Doctor and Spybot, are the others also benign or are they true malware?

Let's go fishing ;D

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Done and done. I’ve attached the log but, as usual, I have no idea what it says/means which, I think, is the real problem here. Just one more thing I need to learn :P. Luckily you guys have the tools and talent.

Just two suspects from that - let's try a little TLC

SPRING CLEAN

Download TFC to your desktop

[*]Open the file and close any other windows.
[*]It will close all programs itself when run; make sure to let it run uninterrupted.
[*]Click the Start button to begin the process. The program should not take long to finish its job.
[*]Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

THEN

Download Flush Flash from Here and follow the easy to use instructions on the same page

NEXT

Download and run Puran Disc Defragmenter

Okay, sorry for the delay. I ran the TFC, FlushFlash and Puran Defragmenter. I ran all my scans again. Avast came up clean although some files could not be scanned (log attached). Spyware Doctor found 4 Trojans (log attached) but it also registered ComboFix as an infection so I’m not sure if the Trojans are also false readings. I ran the Malwarebytes, OTL and ComboFix scans again (logs attached). I have two Toshiba external hard drives that are infected, at least I think they are; there is a folder that appeared on there which I do not remember seeing or loading myself. Will these various scans work on them or does that require a whole different fix?
Again sorry for the delay and thank you for all the assistance.

Edit:
The Avast log is too big, I don’t know how to get it on here. Is there a specific part you need to see that I can edit out or another way to present it?

There was nothing wrong with those registry keys as they are ones adjusted by Combofix to allow it to work

None of the tools I use will scan backup drives

Your best bet for those is to run AVP

Please click here to download AVP Tool by Kaspersky.

[*]Save it to your desktop.
[*]Reboot your computer into Safe Mode.
You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
Use your up arrow key to highlight Safe Mode then hit enter.
[*]Double click the setup file to run it.
[*]Click Next to continue.
[*]It will by default install it to your desktop folder. Click Next.
[*]Hit OK at the prompt for scanning in Safe Mode.
[*]It will then open a box. There will be a tab that says Automatic scan.
[*]Under Automatic scan make sure these are checked:

[*]System Memory
[*]Startup Objects
[*]Disk Boot Sectors
[*]My Computer
[*]Also any other (removable) drives that you may have

After that click on Security level, then choose Customize, then click on the tab that says Heuristic Analyzer, then choose Enable Deep rootkit search, then choose OK.
Then choose OK again and you are back at the main screen.

[*]Then click on Scan at the top right-hand corner.
[*]It will automatically Neutralize any objects found.
[*]If some objects are left un-neutralized then click the button that says Neutralize all.
[*]If it says it cannot be Neutralized then choose the Delete option when prompted.
[*]After that is done click on the Reports button at the bottom and save it to file; name it Kas.
[*]Save it somewhere convenient like your desktop and post only the detected virus/malware in the report (it will be at the very top under Detected). Post those results in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.

Okay, hit it with the AVP and attached the log. I had one of my externals attached to be scanned as well. The only thing is there was no “neutralize all” button after the scan. During the scan there were pop-ups that showed the threat (looks like the same Trojans Spyware Doctor found) and then asked you to quarantine, delete or do nothing. It said quarantine was recommended so I did that since I didn’t want to delete something that could have been a false positive like with ComboFix being flagged by Spyware Doctor. If that was a stupid noob mistake I’ll go back and delete those suckers this time. That folder is still on the external though (.Trash-1000) but I don’t think any of the trojans found were from there.

Again those looked like false positives as they were detected by heuristics

Is there one specific folder you are trying to kill? If so give me the file path and it will die

“…it will die” I like that :) It is E:\.Trash-1000
It is on both of my external drives and even my flash drive. I’m becoming convinced it’s why I keep seeing infections pop up, but of course, noob that I am I can never be certain. Speaking of noobiness, can you recommend a good place to begin the journey from noob to evangelist? I don’t know if this is a specific area of expertise or something that develops as a result of overall computer/programming expertise; either way I’d like to get started.

OK let's clear the flash drives first ;D On completion of this can you let me know of any problems

1 - Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.
[*] Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
[*] The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
[*] Wait until it has finished scanning and then exit the program.
[*] Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don’t delete this folder…it will help protect your drives from future infection.

THEN

Ensuring that the E: drive is plugged in

  1. Please open Notepad
    [*] Click Start, then Run
    [*] Type notepad.exe in the Run box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:


File::
E:\.Trash-1000

Folder::
E:\.Trash-1000


  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    [*]Combofix.txt
    [*]A new OTL log.

Ref learning look here http://www.geekstogo.com/forum/Would-you-like-to-learn-to-fight-malware-t4817.html
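As an added illustration of the protection described in the Flash_Disinfector note above (this is not the tool's own code and was not part of the original thread), the following PowerShell script does the same thing by hand: it creates a hidden, system, read-only folder named autorun.inf in the root of every removable drive currently plugged in, so that an autorun worm cannot drop a *file* of that name without first deleting the folder. It also reports, rather than overwrites, any autorun.inf that is already a file, since that is exactly the artefact such worms leave behind. It assumes PowerShell 2.0 or later is installed (a stock XP SP3 machine does not have it) and that the drives have letters assigned; the G: drive in the comments is only a placeholder.

```powershell
# Added example, not Flash_Disinfector's code. Assumes PowerShell 2.0+
# (Get-WmiObject; on PowerShell 7 use Get-CimInstance instead).

function Protect-AutorunInf {
    param([string]$Root)   # e.g. 'G:\' (placeholder drive letter)

    $target = Join-Path $Root 'autorun.inf'

    # A *file* named autorun.inf in the root of a removable drive is how
    # autorun worms launch themselves. Report it and stop; do not overwrite.
    if (Test-Path -LiteralPath $target -PathType Leaf) {
        Write-Warning "$target is a file; inspect it before removing it:"
        Get-Content -LiteralPath $target | ForEach-Object { Write-Warning "    $_" }
        return $false
    }

    # Create the decoy folder if it does not exist yet.
    if (-not (Test-Path -LiteralPath $target -PathType Container)) {
        New-Item -ItemType Directory -Path $target | Out-Null
    }

    # Hidden + System so Explorer hides it, ReadOnly so casual deletion fails.
    # -Force is needed to retrieve a hidden item.
    $dir = Get-Item -LiteralPath $target -Force
    $dir.Attributes = [IO.FileAttributes]::Directory -bor
                      [IO.FileAttributes]::Hidden    -bor
                      [IO.FileAttributes]::System    -bor
                      [IO.FileAttributes]::ReadOnly
    return $true
}

# DriveType 2 = removable disk. Protect each one that is currently plugged in
# and list any other hidden items in its root so unfamiliar folders stand out.
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    if (Protect-AutorunInf -Root $root) {
        Write-Host "Protected $root"
    }
    Get-ChildItem -LiteralPath $root -Force |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        ForEach-Object { Write-Host "  hidden item: $($_.FullName)" }
}
```

The folder is a deterrent, not a guarantee: a worm running with administrator rights (the default for most XP users) can strip the attributes and remove it, so the real fix is still disabling AutoRun for removable media and scanning the drives themselves.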

Alright, the Flash Disinfector didn’t appear to do much (unless its job was just to place that autorun folder to help fight future infection) but that ComboFix worked its magic; the folder is gone. I only had one drive plugged in and it was G:\ not E:\ (don’t know how I messed that one up) so I got bold and changed the CFScript.txt accordingly. Looks like it worked. Can I just go ahead and do the same for my second external and my flash drive? Thanks also for the learning references.

For sure run it on all your flash drives and external drives

What problems do you have now ?