trojans.

AVZ Antiviral Toolkit found trojans on my computer; the ones detected were Trojan.Win32.Agent2.byu and Trojan-Downloader.Win32.AutoIt.q.

The computer is still freezing after deleting the trojans. Can anybody help me with this? The logs are attached.

Can you run a Malwarebytes quick scan, check everything and click remove selected?

Attach the log from MBAM here.

Here is the Malwarebytes log; Malwarebytes detected nothing.

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Databaseversjon: v2014.02.18.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16518
Bruker1 :: PC-123 [administrator]

18.02.2014 18:03:55
mbam-log-2014-02-18 (18-03-55).txt

Skanntype: Hurtigsøk
Aktiverte skanningsinnstillinger: Minne | Oppstart | Register | Filsystem | Heuristikk/Ekstra | Heuristikk/Shuriken | PUP | PUM
Deaktiverte skanninnstillinger: P2P
Objekter skannet: 208562
Tid tilbakelagt: 5 minutt(er), 33 sekund(er)

Minneprosesser oppdaget: 0
(Ingen skadelige objekter funnet)

Minnemoduler oppdaget: 0
(Ingen skadelige objekter funnet)

Registernøkler oppdaget: 0
(Ingen skadelige objekter funnet)

Registerverdier oppdaget: 0
(Ingen skadelige objekter funnet)

Registerfiler oppdaget: 0
(Ingen skadelige objekter funnet)

Mapper oppdaget: 0
(Ingen skadelige objekter funnet)

Filer oppdaget 0
(Ingen skadelige objekter funnet)

(klar)

Hi,

First we shall hit with ComboFix. Then post me a fresh OTL.txt log report.

  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works please read this guide carefully.
    Note: ComboFix must be downloaded to your Desktop.

  2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
    If you are unsure how to do this please read this or this Instruction.

Instructions on how to disable avast:

  - Right click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
  - In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn this option back on after the cleaning by choosing avast! shield controls > Enable all shield options.

  3. Run ComboFix. Click on I Agree!

    - ComboFix will display a DISCLAIMER of warranty on software.
    By clicking I Agree ComboFix shall continue.

  • ComboFix will check if there is a newer version of ComboFix available.
    Click Yes if prompted to download.
    - If Recovery Console is not installed, ComboFix will offer download & installation.
    Click Yes to allow ComboFix to install Recovery Console.
  • ComboFix will scan your computer in stages, a total of 50 stages.
    Do not mouse-click around while ComboFix is running.
    Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.

  4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
    Attach the log report (ComboFix.txt) back to the topic.

Re-run OTL, click on QuickScan and post me fresh created OTL.txt logfile.

Here are the logs.

Re-run OTL.exe.

- Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

:OTL
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
@Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:5C321E34

- Then click the Run Fix button at the top.
- Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.

If the log doesn’t appear, it can be found here:

C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log


Download TDSSKiller and save it to your desktop.

- Run TDSSKiller.exe and click on Change parameters.
- Under Additional options check the boxes next to:
  - Verify Driver Digital Signature;
  - Detect TDLFS file system;
  - Use KSN to scan objects.
- Click OK, and then click the Start Scan button.
- If an infected file is detected, the default action will be Cure; click on Continue.
- If a suspicious file is detected, the default action will be Skip; click on Continue.
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
- Click the Report button and attach the contents of it into your next reply.
Note: It will also create a log in the C:\ directory.
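The OTL fix above removes two kinds of leftovers: Browser Helper Object (BHO) entries whose CLSID no longer resolves to a registered COM class, and an alternate data stream (ADS) hanging off C:\ProgramData\TEMP. The PowerShell below is an added example for checking both by hand; it is not part of OTL, TDSSKiller, or the helper's instructions. It assumes an elevated PowerShell 3.0 or later on 64-bit Windows (Get-Item -Stream needs 3.0, and Windows 7 ships 2.0 unless WMF 3+ was installed); the registry paths and the ':$DATA' default stream name are standard Windows, the function names are my own.

```powershell
# Added example for this thread, not part of OTL or of the helper's instructions.
# Assumptions: elevated PowerShell 3.0+ (Get-Item -Stream needs 3.0) on 64-bit Windows.

$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoRegistration {
    # One object per BHO entry: whether its CLSID resolves and which DLL serves it.
    foreach ($key in $BhoKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $key) {
            $clsid = $entry.PSChildName            # e.g. {DBC80044-A445-435b-BC74-9C25C1C588A9}
            # A registered COM class lives under HKLM\SOFTWARE\Classes\CLSID (64-bit)
            # or HKLM\SOFTWARE\Classes\Wow6432Node\CLSID (32-bit).
            $classPaths = @(
                "HKLM:\SOFTWARE\Classes\CLSID\$clsid",
                "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid"
            ) | Where-Object { Test-Path -LiteralPath $_ }
            $server = $null
            if ($classPaths) {
                $first = $classPaths | Select-Object -First 1
                $server = (Get-ItemProperty -LiteralPath "$first\InprocServer32" `
                           -ErrorAction SilentlyContinue).'(default)'
            }
            [pscustomobject]@{
                BhoKey   = $key
                Clsid    = $clsid
                Resolved = [bool]$classPaths
                Server   = $server
            }
        }
    }
}

function Get-AlternateDataStream {
    # Every NTFS file or directory has the unnamed ':$DATA' stream; anything else
    # listed is an alternate stream, like the 129-byte TEMP:5C321E34 in the OTL fix.
    param([Parameter(Mandatory = $true)][string]$Path)
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

# Orphaned BHOs are the ones OTL reports as "No CLSID value found".
Get-BhoRegistration | Where-Object { -not $_.Resolved } | Format-Table -AutoSize
Get-AlternateDataStream -Path 'C:\ProgramData\TEMP' | Format-Table -AutoSize
```

An orphaned BHO entry is inert (Internet Explorer cannot load a class that is not registered), so it is clutter rather than an active threat, which is why the helper simply deletes it. An ADS on a system folder is worth a second look because its content is invisible to a plain directory listing; the Length column tells you whether it is a few bytes of metadata or something large enough to be a payload.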

here

Hi,

Posted logs don’t show the malware activity. I wanna check something:

Download AVZ Antiviral Toolkit from the following link:

http://z-oleg.com/avz4.zip

- Extract the archive to a folder.
- Run AVZ (double click on the AVZ icon);
- Click on File > Scripts Standard;
- In the window that opens check option 2 and click Execute Selected Scripts;
- Click Yes;
- When the scan is finished you will get a note: Script Executed;
- Exit the program.

Attach file virusinfo_syscheck.zip contained in folder AVZ \ Log on the forum.

Here is the message I get from the forum when attaching the file: “You cannot upload that type of file. The only allowed extensions are txt,jpg,gif,png,log”.

Upload it on wikisend.com and post download link here. :wink:

http://wikisend.com/download/698326/virusinfo_syscheck.zip

I have not experienced the computer freezing anymore, but Internet Explorer cannot connect to websites.

…and AVZ and the other log reports don’t show the malware in your system. Therefore, I shall remove the used tools.

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below:
- Remove disinfection tools
- Create registry backup
- Purge System Restore
Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

I have used DelFix now, but do you have a solution to get Internet Explorer to work?

First, I do not know why you use IE in Windows when you have the Firefox and Chrome browsers, but let’s check that anyway. :slight_smile:

Zoek shall attempt to reset IE settings back to default + it shall perform some additional cleaning routine. After zoek’s run, tell me whether the problem with IE is fixed.

Please download zoek.zip or zoek.rar by smeenk from here or here and save it to your Desktop.
Unpack the archive…

- Close any open browsers.
- Temporarily disable your AntiVirus program (if necessary).
  If you are unsure how to do this please read this or this Instruction.

- Double click on zoek.exe to run the tool.
  Please wait until the tool starts…

- Copy the text present inside the code box below and paste it into the large window in the zoek tool:

AutoClean;

- Click on the Run Script button.
  Please wait until a log report opens (this can be after reboot).

- Save the Notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named “zoek-results.log”.

The problem with Internet Explorer is not fixed. The log is attached.

It seems it is only my start page which isn’t showing in Internet Explorer; my start page is www.google.no, other sites work. No big deal then, thanks for the help :slight_smile:

Ok. Run DelFix one more time to remove zoek’s files. :wink:

I am scanning with avast now; it has found 4 infections. I will post back when avast is finished scanning.

Hm…weird. The detections could be just the remains, nothing dangerous but post here the results.