.EXE Trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by Joyfulsong11, Dec 29, 2012.

  1. Joyfulsong11

    Joyfulsong11 Private E-2

    This computer is a friend's and he started having a Windows error message. Another friend tried to run the Recovery Disks (the kind you burn when you get a new computer) and the computer would not accept them. After running scans a Trojan was found, which I assume is the reason the recovery disks were not effective.

    I don't have any further details about the problems it was manifesting other than that it was VERY slow when I was asked to look at it.

    The scans were all run in Safe Mode due to the extreme slowness in normal windows mode.

    I also forgot to run CCleaner before running the scans. I apologize, I did run it, but the effects will not show up in any of the logs except the MGtools ones. I ran CCleaner after HitmanPro when it found all the temp files that should have been deleted. I also forgot to run the Defogger, but I don't think there is anything on here that would qualify or interfere with the scans. Hopefully these things won't hinder the process, and again I apologize.

    Attached are the logs for the scans.

    The machine is now running slightly (emphasis on "slightly") faster, but not by much. I'm sure there's more going on. Even if I can't get the machine completely clean, my main concern is to ensure that the trojan hasn't invaded the registry. If the registry is clean, I have the recovery disks, and if we can restore the function to allow them to be used and can wipe the HD, I can reinstall the software.

    Thank you for any help !

    Joyfulsong11

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is some adware junk in the logs but nothing too significant. I'm not sure if the item Malwarebytes removed was anything of significance.

    Many Windows Errors are Windows problems and not malware.

    Also logs from safe boot mode will not necessarily show us the problem since the problems are only occurring in normal boot mode. Typically this can mean something you are running/loading in normal mode but not safe mode is the problem. Could even be a driver issue. Running stuff like the below can even be the cause of issues like this:

    O4 - HKCU\..\Run: [AROReminder] C:\Program Files (x86)\Advanced Registry Optimizer\ARO.exe -rem

    Uninstall Advanced Registry Optimizer now! If not installed anymore then the steps further down will remove this startup anyway. Also uninstall the below right now too:

    Ask Toolbar
    SaveTheChildren Reminder by We-Care.com v4.0.20.4


    Registry cleaning is not a good idea and neither is optimizing it. It provides insignificant improvement and in the long run can cause more harm than good.

    We will run a few other tools (like below) to see what happens but I'm not sure how much it will help.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select any of the following lines that still exist but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
    R3 - URLSearchHook: (no name) - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - (no file)
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
    O2 - BHO: WeCareReminder - {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll
    O3 - Toolbar: ooVoo toolbar, powered by Ask.com - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
    O4 - HKCU\..\Run: [AROReminder] C:\Program Files (x86)\Advanced Registry Optimizer\ARO.exe -rem

    After clicking Fix, exit HJT.


    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Program Files (x86)\Ask.com
    C:\ProgramData\WeCareReminder
    C:\Windows\tasks\Adobe Flash Player Updater.job
    C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    ipconfig /flushdns /c
     
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "AROReminder"=-
    "swg"=-
    [HKEY_USERS\S-1-5-21-4041585665-2515472670-623572687-1001\Software\Microsoft\Windows\CurrentVersion\run]
    "AROReminder"=-
    "swg"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6722D34E-D530-4A07-89E3-3805D07D806D}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{7CC11503-20F4-44D7-93D4-C0F4479DD9FC}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button (pictured at http://forums.majorgeeks.com/chaslang/images/MoveIt!.png).
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.
    If OTM does not cause the PC to reboot then reboot it yourself now. Then after reboot, continue with the below.


    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now reboot one more time and attempt to use normal boot mode to do the below.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.txt log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
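As an added example (not part of the thread, and not HijackThis or OTM code), a small Python parser for the R3/O2/O3/O4 HijackThis lines quoted in the reply above. It pulls each line apart into section code, name, CLSID and on-disk target, flags dangling "(no file)" registrations, and shows where one CLSID is registered under two different hooks (the Ask BHO and toolbar share one), which is the kind of cross-check used when deciding which lines to select for Fix. The regexes and the sample text are constructed from the lines in the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the six HijackThis lines quoted in the reply above.
SAMPLE_HJT = r"""
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
R3 - URLSearchHook: (no name) - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - (no file)
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
O2 - BHO: WeCareReminder - {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll
O3 - Toolbar: ooVoo toolbar, powered by Ask.com - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
O4 - HKCU\..\Run: [AROReminder] C:\Program Files (x86)\Advanced Registry Optimizer\ARO.exe -rem
""".strip()

# R3/O2/O3 lines: "<code> - <kind>: <name> - {CLSID} - <dll path or (no file)>"
COM_LINE = re.compile(r"^(?P<code>R3|O2|O3) - (?P<kind>[^:]+): (?P<name>.*?) - "
                      r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
# O4 lines: "O4 - <hive>\..\Run: [<value name>] <command line>"
RUN_LINE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<target>.*)$")

@dataclass
class Entry:
    code: str                    # HJT section code, e.g. "O2"
    kind: str                    # "BHO", "Toolbar", "URLSearchHook" or the Run hive
    name: str                    # display name or Run value name
    target: str                  # DLL path, "(no file)", or the Run command line
    clsid: Optional[str] = None  # upper-cased so mixed-case CLSIDs group together

def parse_hjt(text: str) -> List[Entry]:
    """Turn the R3/O2/O3/O4 lines of a HijackThis log into Entry records."""
    entries: List[Entry] = []
    for line in text.splitlines():
        if m := COM_LINE.match(line.strip()):
            entries.append(Entry(m["code"], m["kind"], m["name"], m["target"], m["clsid"].upper()))
        elif m := RUN_LINE.match(line.strip()):
            entries.append(Entry("O4", m["hive"], m["name"], m["target"]))
    return entries

def find_dangling(entries: List[Entry]) -> List[Entry]:
    """Registrations whose DLL is gone: HJT reports the target as '(no file)'."""
    return [e for e in entries if e.target == "(no file)"]

def group_by_clsid(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each CLSID to the HJT sections it appears in (one add-on hooked twice shows up here)."""
    groups: Dict[str, List[str]] = {}
    for e in entries:
        if e.clsid:
            groups.setdefault(e.clsid, []).append(e.code)
    return groups
```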
