Trojan.gen and trojan.ranson

Hello, all, and thank you in advance for volunteering your time to help us all on this forum!

Symantec has encounted the two threats in my subject line on a family member's computer. I've run all tools as indicated in the "read me first" sticky.

My files are attached with the exception of my MGLogs.zip file. I was able to run MGTools without any issue, but had to load it to my desktop versus my C: drive. I have no idea where those logs are now posted. (??)

My other logs are posted as requested.

Again, my sincere appreciation for any assistance you can provide.

 

Hello steelhdr

It should be at C:\MGlogs.zip
This is the file that should be attached.

Also according to MBAM you did not take any action versus the threat detected:

__

Please delete all the files that are in Norton's quarantine and then proceed with the below:


http://img205.imageshack.us/img205/1894/otl.gif Please download OTL by OldTimer.

• Save it to your desktop.
• Right mouse click on the OTL icon on your desktop and select Run as Administrator
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
  
  Code:

  activex
  netsvcs
  %systemdrive%\mgtools\*.*
  

• Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
• One report will be created:
  • OTL.txt <-- Will be opened
• Attach OTL.txt to your next message. (How to attach)

 

Ok, I believe I've got everything you've requested. Thanks again for helping.

The reason I took no action with MBAM is that it was the second time running. MBAM finds "trojan.ranson" but when restarting, the computer hangs on "Shutting Down," so I don't think it ever completes removal. Not sure why it's hanging, but it will not go through a restart. I have to manually shut off.

 

No problem.

http://img850.imageshack.us/img850/4746/programsandfeatureswin7.gif From Programs and Features (via Control Panel), please uninstall the below:

• Java(TM) 6 Update 20

__

Try the below while in Normal Mode first, if you notice that OTL is not responding after 5+ minutes, reboot and try the same fix except this time while in Safe Mode. See: How to start your computer in Safe mode

http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

Code:

[COLOR="DarkRed"]:otl[/COLOR]
IE - HKU\S-1-5-21-1292393901-444733938-3654917889-1000\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/web?q={SEARCHTERMS}&o=15527&l=dis&prt=SWL&chn=&geo=US&ver=1
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
[2 C:\Users\Jason and Linda\Documents\*.tmp files -> C:\Users\Jason and Linda\Documents\*.tmp -> ]
[1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]
[2012/07/12 20:10:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
[2012/07/12 20:10:25 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2012/07/12 20:10:46 | 000,001,926 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
F3 - HKU\S-1-5-21-1292393901-444733938-3654917889-1000 WinNT: Load - (C:\Users\JASONA~1\LOCALS~1\Temp\vjtaflaiidfi.bat) -  File not found
F3:64bit: - HKU\S-1-5-21-1292393901-444733938-3654917889-1000 WinNT: Load - (C:\Users\JASONA~1\LOCALS~1\Temp\vjtaflaiidfi.bat) -  File not found
[COLOR="DarkRed"]:files[/COLOR]
type "C:\Users\Jason and Linda\AppData\Local\Temp\vjtaflaiidfi.bat" /c
C:\Users\Jason and Linda\AppData\Local\Temp\vjtaflaiidfi.bat /d
C:\Users\Jason and Linda\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs\*.txt /d
C:\Users\Jason and Linda\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\*.data /d
C:\Users\Jason and Linda\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\*.quar /d
C:\ProgramData\Symantec\SRTSP\Quarantine\*.tmp /d
[COLOR="DarkRed"]:reg[/COLOR]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}]
[COLOR="DarkRed"]:commands[/COLOR]
[emptytemp]
[resethosts]

Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
The fix will require a reboot. Allow OTL to reboot your computer.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

 

Uninstalled the Java update and ran OTL successfully in normal mode. Haad to compress the log due to file size.

Standing by for guidance!

 

Looks good so far.

• Open Malwarebytes again.
• Update Malwarebytes
• Run another Quick Scan
• Attach its latest log.

__

http://img17.imageshack.us/img17/3214/baticonvista7.gif Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

__

Let me know what problems you are still experiencing, if any, after completing the above steps.

 

Here's the latest!

 

Your latest logs are clean. Unless you are still experiencing malware related issues you can proceed with the below:

If you are not having any other malware related problems, it is time to do our final steps:

• Any programs we had you download and/or install can be removed at this time.
• If we had you download and run ComboFix, here is how to uninstall it:
  • Press and hold the Windows key http://i1106.photobucket.com/albums/h363/debojyotidas/Windows_Logo_key.gif and then press the letter R on your keyboard.
  • This opens the Run dialog box.
  • Copy and paste the below text inside the text-field:
    • "%userprofile%\desktop\ComboFix" /uninstall
  • Now press ENTER
  • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
• You can re-enable your Disk Emulation software at this time via DeFogger.
• If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
• Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
• Now we will toggle System Restore to remove any infected system restore points.
  • Read this: How to Disable And Enable System Restore
• Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
• Be safe

 

Symantec is still picking up "Trojan.Gen." Interestingly, if I scan using Symantec, nothing comes up, and if I open Symantec, it states my status as "no problems detected." But auto-protect picks up the trojan.

Confused...

 

What are the details on trojan being detected? Trojan.Gen. just a name Symantec has given the infection. What's the file path?

 

I cut and pasted a portion of the logs from Symantec. Does this help narrow the source?

 

These are not malware, just bugs with Symantec's software.

http://www.symantec.com/connect/forums/generic-trojan-dwhtmp-temp-folder

 

Hmmm. That's interesting. I'll read through the link and replies you provided.
I'll also go back and take the actions you advised regarding "final steps." Sincerely appreciate both the help cleaning and understanding of the Symantec issue!

 

No problem.
Be safe.