8 replies to this topic

[ch3952rva]

Hi, - Hoping to get assistance in removing this. I've run the Spybot program. It found something and removed it but it wasn't this one. Repeat scans reveals this trojan every time. I can't find the culprit when I look for it in Regedit where MBAM tells me it is: HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) Here's my Malwarebytes log file:

Malwarebytes' Anti-Malware 1.30
Database version: 1345
Windows 5.1.2600 Service Pack 3

10/31/2008 5:36:29 PM
mbam-log-2008-10-31 (17-36-29).txt

Scan type: Quick Scan
Objects scanned: 51757
Time elapsed: 3 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[Rorschach112]

Hello

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

[ch3952rva]

Thanks ! I've uploaded the combofix text file.

Attached Files

•  combofix.txt   18.54K   135 downloads

[ch3952rva]

ch3952rva, on Oct 31 2008, 09:56 PM, said:

Thanks ! I've uploaded the combofix text file.

Oh, and MBAM scan was clean just a minute ago. Thanks again for the help !

RDL

[Rorschach112]

Have got most of it then

No need to attach these logs


Please download the OTMoveIt3 by OldTimer or from here.

• Save it to your desktop.
  
• Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  :Processes
  explorer.exe
  
  :Services
  
  :Reg
  
  :Files
  C:\FOUND.003
  C:\V2*.tmp
  
  
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]

  
  
• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  
  
• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.




Go to Kaspersky website and perform an online antivirus scan.

• Read through the requirements and privacy statement and click on Accept button.
  
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  
• When the downloads have finished, click on Settings.
  
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
  Mail databases
• Click on My Computer under Scan.
  
• Once the scan is complete, it will display the results. Click on View Scan Report.
  
• You will see a list of infected items there. Click on Save Report As....
  
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

[ch3952rva]

Ok, here's the OTmoveIT3 log:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\FOUND.003 moved successfully.
C:\V2T4.tmp moved successfully.
C:\V2T7.tmp moved successfully.
C:\V2T18.tmp moved successfully.
C:\V2T19.tmp moved successfully.
C:\V2T1A.tmp moved successfully.
C:\V2T1B.tmp moved successfully.
C:\V2T75.tmp moved successfully.
C:\V2T78.tmp moved successfully.
C:\V2T7B.tmp moved successfully.
C:\V2T7E.tmp moved successfully.
C:\V2T81.tmp moved successfully.
C:\V2T85.tmp moved successfully.
C:\V2T1C.tmp moved successfully.
C:\V2T1D.tmp moved successfully.
C:\V2T4F.tmp moved successfully.
C:\V2T56.tmp moved successfully.
C:\V2T8.tmp moved successfully.
C:\V2T9.tmp moved successfully.
C:\V2TA.tmp moved successfully.
C:\V2TB.tmp moved successfully.
C:\V2TC.tmp moved successfully.
C:\V2TD.tmp moved successfully.
C:\V2TE.tmp moved successfully.
C:\V2TF.tmp moved successfully.
C:\V2T10.tmp moved successfully.
C:\V2T2F.tmp moved successfully.
C:\V2T39.tmp moved successfully.
C:\V2T3B.tmp moved successfully.
C:\V2T3C.tmp moved successfully.
C:\V2T3D.tmp moved successfully.
C:\V2T3E.tmp moved successfully.
C:\V2T3F.tmp moved successfully.
C:\V2T40.tmp moved successfully.
C:\V2T5.tmp moved successfully.
C:\V2T2.tmp moved successfully.
C:\V2T11.tmp moved successfully.
C:\V2T13.tmp moved successfully.
C:\V2T14.tmp moved successfully.
C:\V2T16.tmp moved successfully.
C:\V2T1E.tmp moved successfully.
C:\V2T1F.tmp moved successfully.
C:\V2T21.tmp moved successfully.
C:\V2T22.tmp moved successfully.
C:\V2T57.tmp moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\frw2.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\ZLT05a77.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT05a81.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_828.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.0 log created on 10312008_223748

Files moved on Reboot...
C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\frw2.tmp moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
File C:\WINDOWS\temp\ZLT05a77.TMP not found!
File C:\WINDOWS\temp\ZLT05a81.TMP not found!
C:\WINDOWS\temp\Perflib_Perfdata_828.dat moved successfully.


RDL

Edited by AdvancedSetup, 01 November 2008 - 04:33 AM.
[AS removed un-needed full quoting]

[ch3952rva]

Wow ! 15 minutes into the Kaspersky scan and it's telling me that I'm 1% into the full scan. I'm probably not going to stay connected much longer. Will running my AVG do the trick ?

RDL

[Rorschach112]

It takes a while, please run it all.

[JeanInMontana]

Since this topic has had no reply for over 5 days it will be closed to prevent other from posting into it. Should you decide to resume with your assistance PM any staff member and we will be happy to reopen the topic.

Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.