Nasty little trojan! (started as serauth1.dll etc.)

Hi. Well, it's one of those days...... My laptop has been bitten by a nasty little trojan and I am having difficulty removing it.

So it's like, I downloaded some proggy, and when I launched it, it shut down my Avast and re-started the PC. After that....... (deep breath):

- Avast and Sygate are disabled (I can see all Avast application have today's date)
- Wireless connection is disabled (lucky the LAN works!).
- When I try to launch SUPERAntiSpyware I get the message "Not a valid Win32 application".
- CCCleaner will not run (no message)
- Combofix will not run ("Not a valid Win32 application")
- Spybot will not run (no message)

Only Malwarebytes will run......

Now, the first time I ran it, it found two files:
- Serauth1.dll
- Serauth2.dll
I removed both and they seem not to have returned.

Second time I ran it, it found 12 (!) files (sorry I did not write them down), some Trojan Agent, some Spammer, etc. I deleted them and then.....

After rebooting, and scanning using Malwarebytes again, I found a registry key for mule_st_key - deleted that and rebooted.....

By the way, I updated the Malwarebytes definitions, and it worked the first time but on subsequent updates it says "not connected to net".... seems it is blocked.

Also, I tried to run Kapresky, and it did start the process but after downloading the program and some of the database it stopped working and again says, "not connected"

Oh, also by the way, system restore is off on my system....

OK, back to the Malwarebytes scan.....

Ahhh!!!! - 12 entries this time....
I have attached the log file.....

What now???

Thanks

 

Attached MBAM log after another clean/reboot....

 

All well that ends well - thanks to MBAM!!!

OK, so I was able to solve this myself..... through repeated runs of MBAM as well as manually cleaning out the registry and files where the trojan was hiding.

Now things are back to normal, and the ONLY one that worked was MBAM!! Thank you!!

By the way, like so many trojans, it also disabled my wireless. This is what you have to do to get it back:

However, I did find such Protocol Service in the regedit, and I found out it was disabled (it was set to 4). So, in sum, I recommend you to go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisuio
and check that the "Start" Value is set to 1, 2 or 3 (I set it to 1).

And this solved my problem, after a System Restart the Wireless Zero Config Service can be readily started.

(Original link)

http://www.techsupportforum.com/net...4273-solved-error-1068-when-starting-wzc.html

 

Return of the Bagle!! Help!

OK, maybe I spoke too soon..... Earlier today I posted this:
http://forums.majorgeeks.com/showthread.php?t=185316

I did manage to remove everything (or so I thought) and MBAM did not find anything. I completely un-installed Sygate, Spybot and SuperAntiSpyware and then re-installed them. No issues the entire day.

But just now.... I saw my MSN Live was offline so I launched it (from STAR/Programs) and.... boom! Avast was disabled, just as before, and I thought to myself....

(Unlike before, the system did not reboot - maybe a good sign that I acted quickly)

So - *quickly* I disabled the wireless card and ran MBAM. It did detect Bagle and removed it, not to be seen on subsequent scan. My Sygate etc. are still showing "Not a valid Win32 application" and I guess I have to re-install them again.

Another MBAM scan came up clean.

My questions are:

1. Apparently Bagle was hiding as MSN, why did the full system MBAM scan I did not detect it?

2. Even now though a MBAM scan reveals nothing, how do I make absolutely sure it is gone for good?

Thanks!

 

Re: Return of the Bagle!! Help!

OK, it's confirmed, even after all is "removed", clicking on Windows Live Messenger activates Bagle.

Fortunately I know where it drops its files and can kill the process and delete the files.

BUT

I can't make out which program is run by clicking on Windows Live Messenger (since they have disabled the "Find Target" button).

Any ideas?