Trojan Removal Trouble

Discussion in 'Malware Help (A Specialist Will Reply)' started by rcmck, Apr 27, 2009.

  1. rcmck

    rcmck Private E-2

    I have been trying to remove an apparent trojan and could use some assistance. Whenever I open Firefox I get two warnings from Comodo Defense+: one states that "tmp5B1B.tmp.exe is attempting to create file called msuotuinva.dll in system32", and the second that sfl5B79.tmp.exe is about to modify the contents of tmp5B1B.tmp.exe; I chose to block both. The numbers and letters following tmp and sfl sometimes change. They are located in the /local settings/temp directory and there are quite a few similarly named files. I uploaded one to VirusTotal and got the following results. Also, recently Comodo AV finally detected a trojan in the tmp files, which I chose to quarantine and then removed, but they are back and it has not detected the trojan since. The name given was TrojWare.Win32.Trojan.Agent.Gen@15238798.
    I was also experiencing occasional redirects on clicked links, but nothing consistent, and going back and clicking again would bring me to the correct link. I have not seen this in a little while now.

    Virustotal log

    File tmp5B1B.tmp.exe received on 04.16.2009 06:36:24 (CET)
    Antivirus Version Last Update Result
    a-squared 4.0.0.101 2009.04.16 -
    AhnLab-V3 5.0.0.2 2009.04.15 -
    AntiVir 7.9.0.143 2009.04.15 -
    Antiy-AVL 2.0.3.1 2009.04.16 -
    Authentium 5.1.2.4 2009.04.16 -
    Avast 4.8.1335.0 2009.04.15 -
    AVG 8.5.0.287 2009.04.16 -
    BitDefender 7.2 2009.04.16 Gen:Trojan.Heur.80B9D8C3C3
    CAT-QuickHeal 10.00 2009.04.16 -
    ClamAV 0.94.1 2009.04.16 -
    Comodo 1115 2009.04.15 -
    DrWeb 4.44.0.09170 2009.04.16 -
    eSafe 7.0.17.0 2009.04.13 Suspicious File
    eTrust-Vet 31.6.6455 2009.04.14 -
    F-Prot 4.4.4.56 2009.04.15 -
    Fortinet 3.117.0.0 2009.04.15 -
    GData 19 2009.04.16 Gen:Trojan.Heur.80B9D8C3C3
    Ikarus T3.1.1.49.0 2009.04.16 -
    K7AntiVirus 7.10.704 2009.04.15 -
    Kaspersky 7.0.0.125 2009.04.16 -
    McAfee 5585 2009.04.15 -
    McAfee+Artemis 5585 2009.04.15 -
    McAfee-GW-Edition 6.7.6 2009.04.15 -
    Microsoft 1.4502 2009.04.15 Trojan:Win32/Safel.A
    NOD32 4012 2009.04.16 -
    Norman 6.00.06 2009.04.15 -
    nProtect 2009.1.8.0 2009.04.16 -
    Panda 10.0.0.14 2009.04.15 -
    PCTools 4.4.2.0 2009.04.15 -
    Prevx1 V2 2009.04.16 -
    Rising 21.25.30.00 2009.04.16 -
    Sophos 4.40.0 2009.04.16 -
    Sunbelt 3.2.1858.2 2009.04.15 -
    Symantec 1.4.4.12 2009.04.16 -
    TheHacker 6.3.4.0.309 2009.04.16 -
    TrendMicro 8.700.0.1004 2009.04.16 PAK_Generic.001
    ViRobot 2009.4.16.1695 2009.04.16 -
    VirusBuster 4.6.5.0 2009.04.15 -
    Additional information
    File size: 175168 bytes
    MD5...: 2b7ac7445f145f3392c84104c26f271a
    SHA1..: 97ba03fa5c5bbb764c58c19dc5adbdedac86fa4b
    SHA256: b8455023db66d0f4eaa8b1282d9ae5ce020256ed202bd00e75f4d2b8d47aa6da
    SHA512: 860b2f10bc049e0765fc6a498481b2f0408f7a68ee2a610ad710fe38e67010d8773ecde074508b9bf4e443823a2ebaf5c38009345d84c20b720c48a1e4a8186d
    ssdeep: 3072:z6QQkgwh7Bk1cn2nt5kn+iEig9wD9qnDzBqBdcGyb7uiNszzQ/C:z1QP1Jt5knnzwDzMy1PC
    PEiD..: ASPack v2.12
    TrID..: File type identification
    UPX compressed Win32 Executable (42.6%)
    Win32 EXE Yoda's Crypter (37.0%)
    Win32 Executable Generic (11.8%)
    Clipper DOS Executable (2.8%)
    Generic Win/DOS Executable (2.7%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x11001
    timedatestamp.....: 0x49e45a4d (Tue Apr 14 09:41:33 2009)
    machinetype.......: 0x14c (I386)

    ( 6 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0xa000 0x5c00 7.99 2330d0d696d686e928ac911a4f282ab2
    .bss 0xb000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
    .rdata 0xc000 0x1000 0x400 7.77 31636aee56062a721f3b3cc39fd93d55
    .data 0xd000 0x4000 0xa00 7.17 1c7682228832254f455892b5e4eaf5f4
    .aspack 0x11000 0x1000 0x1000 6.04 24be2bd96e883d03537443dacdc2cada
    .adata 0x12000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

    ( 1 imports )
    > kernel32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA

    ( 0 exports )
    RDS...: NSRL Reference Data Set
    -
    packers (Kaspersky): ASPack, PE_Patch.UPX, UPX
    packers (F-Prot): UPX, Aspack

    I have scanned several times with MBAM and found/removed infections, but this problem remained and it finds nothing now; I can provide the logs if needed. Also with online scanners, NOD32 and Kaspersky both found nothing.

    Any help would be appreciated, Thanks in advance.
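The two Defense+ alerts in this post describe a behaviour chain that is worth checking for mechanically: a randomly named .tmp.exe running out of Local Settings\Temp that tries to write a DLL into system32, while a second Temp executable rewrites the first. The script below is an added example written for this thread, not code from the poster or from Comodo. It parses constructed alert lines laid out as "source is action target" (the one-line format, the paths and the firefox.exe control line are my assumptions, not Comodo's real log format) and scores each alert by how many of those indicators it shows; the name pattern `tmp`/`sfl` followed by four hex characters comes from the poster's remark that those characters change between runs.

```python
import re
from dataclasses import dataclass, field

# Constructed sample HIPS alerts, modelled on the two Comodo Defense+ messages quoted in
# the post. The one-line "<source> is <action> <target>" layout is an assumption for this
# example, not Comodo's real log format; the paths are invented.
SAMPLE_ALERTS = [
    r"C:\Documents and Settings\user\Local Settings\Temp\tmp5B1B.tmp.exe is attempting to create file called C:\WINDOWS\system32\msuotuinva.dll",
    r"C:\Documents and Settings\user\Local Settings\Temp\sfl5B79.tmp.exe is about to modify the contents of C:\Documents and Settings\user\Local Settings\Temp\tmp5B1B.tmp.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe is attempting to create file called C:\Documents and Settings\user\Local Settings\Temp\sess.tmp",
]

ALERT_RE = re.compile(
    r"^(?P<src>.+?) is (?P<action>attempting to create file called|about to modify the contents of) (?P<dst>.+)$"
)
TEMP_DIR_RE = re.compile(r"\\local settings\\temp\\", re.I)
SYSTEM32_RE = re.compile(r"\\windows\\system32\\", re.I)
# The poster notes that the hex part after "tmp"/"sfl" changes between runs.
RANDOM_TMP_EXE_RE = re.compile(r"^(tmp|sfl)[0-9a-f]{4}\.tmp\.exe$", re.I)


@dataclass
class Finding:
    source: str
    target: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage_alert(line: str):
    """Parse one alert line and attach the behavioural reasons it looks malicious."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    src, action, dst = m.group("src"), m.group("action"), m.group("dst")
    f = Finding(src, dst)
    if TEMP_DIR_RE.search(src):
        f.reasons.append("executable runs from the user's Temp directory")
    if RANDOM_TMP_EXE_RE.match(basename(src)):
        f.reasons.append("randomised tmpXXXX.tmp.exe / sflXXXX.tmp.exe name")
    if SYSTEM32_RE.search(dst) and dst.lower().endswith(".dll"):
        f.reasons.append("drops a DLL into system32")
    if action.startswith("about to modify") and TEMP_DIR_RE.search(dst) and dst.lower().endswith(".exe"):
        f.reasons.append("rewrites another executable in Temp (re-drop chain)")
    return f


def triage(lines):
    return [f for f in (triage_alert(l) for l in lines) if f is not None]


def suspicious(lines, threshold: int = 2):
    """Alerts with at least `threshold` independent indicators; Firefox writing its own temp file scores 0."""
    return [f for f in triage(lines) if f.score >= threshold]


if __name__ == "__main__":
    for f in triage(SAMPLE_ALERTS):
        print(f"{basename(f.source)} -> {basename(f.target)}: score {f.score}")
        for r in f.reasons:
            print("   ", r)
```

The point of scoring rather than matching a single string is that any one indicator (a Temp-directory executable, a system32 write) has benign explanations; the combination that this poster saw does not, and the same logic applies when the random name changes.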
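The VirusTotal report in this post shows why a low detection count is not reassurance: PEiD and Kaspersky report ASPack/UPX, three sections have entropy near the 8.0 maximum, the entry point (0x11001) sits in the `.aspack` section, and the import table holds only the three kernel32 functions a stub needs to rebuild imports after unpacking. The script below is an added example for this thread, not the poster's or VirusTotal's code. It parses a vendor-line excerpt and the section table copied from the quoted report and lists those static packer indicators; the 7.0 entropy cut-off is a common heuristic and an assumption here, and all function names are mine.

```python
# Vendor lines are an excerpt of the VirusTotal report quoted in the post (format:
# vendor, engine version, signature date, result; "-" means no detection).
VT_EXCERPT = """\
BitDefender 7.2 2009.04.16 Gen:Trojan.Heur.80B9D8C3C3
Comodo 1115 2009.04.15 -
eSafe 7.0.17.0 2009.04.13 Suspicious File
Kaspersky 7.0.0.125 2009.04.16 -
Microsoft 1.4502 2009.04.15 Trojan:Win32/Safel.A
NOD32 4012 2009.04.16 -
Symantec 1.4.4.12 2009.04.16 -
TrendMicro 8.700.0.1004 2009.04.16 PAK_Generic.001
"""

# Section table, import list and entry point copied from the PEInfo block of the same report.
PE_SECTIONS = """\
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xa000 0x5c00 7.99 2330d0d696d686e928ac911a4f282ab2
.bss 0xb000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0xc000 0x1000 0x400 7.77 31636aee56062a721f3b3cc39fd93d55
.data 0xd000 0x4000 0xa00 7.17 1c7682228832254f455892b5e4eaf5f4
.aspack 0x11000 0x1000 0x1000 6.04 24be2bd96e883d03537443dacdc2cada
.adata 0x12000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
"""
IMPORTS = {"kernel32.dll": ["GetProcAddress", "GetModuleHandleA", "LoadLibraryA"]}
ENTRY_POINT = 0x11001

# Shannon entropy is at most 8 bits/byte; compressed or encrypted data sits close to that,
# so 7.0 is a common (heuristic, assumed here) cut-off for "probably packed".
ENTROPY_THRESHOLD = 7.0
LOADER_APIS = {"GetProcAddress", "LoadLibraryA", "GetModuleHandleA"}


def parse_detections(text):
    """Return (detected, total) from vendor result lines."""
    detected = total = 0
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        total += 1
        if " ".join(parts[3:]) != "-":
            detected += 1
    return detected, total


def parse_sections(text):
    sections = []
    for line in text.splitlines()[1:]:  # skip the header row
        name, vaddr, vsize, rsize, entropy, md5 = line.split()
        sections.append({
            "name": name, "vaddr": int(vaddr, 16), "vsize": int(vsize, 16),
            "rsize": int(rsize, 16), "entropy": float(entropy), "md5": md5,
        })
    return sections


def section_for_address(sections, addr):
    for s in sections:
        if s["vaddr"] <= addr < s["vaddr"] + s["vsize"]:
            return s["name"]
    return None


def packer_indicators(sections, imports, entry_point, threshold=ENTROPY_THRESHOLD):
    """Static hints that the real code is unpacked at runtime, which is why file signatures miss it."""
    found = []
    high = [s["name"] for s in sections if s["entropy"] >= threshold]
    if high:
        found.append(f"high-entropy sections (>= {threshold}): {', '.join(high)}")
    ep = section_for_address(sections, entry_point)
    if ep is not None and ep != ".text":
        found.append(f"entry point 0x{entry_point:x} is in {ep}, not in .text")
    empty = [s["name"] for s in sections if s["rsize"] == 0 and s["vsize"] > 0]
    if empty:
        found.append(f"sections with virtual size but no file data (filled at runtime): {', '.join(empty)}")
    funcs = {f for names in imports.values() for f in names}
    if funcs and funcs <= LOADER_APIS:
        found.append("import table holds only the loader APIs needed to rebuild imports at runtime")
    return found


def summarize(vt_text=VT_EXCERPT, sections_text=PE_SECTIONS, imports=IMPORTS, entry_point=ENTRY_POINT):
    detected, total = parse_detections(vt_text)
    indicators = packer_indicators(parse_sections(sections_text), imports, entry_point)
    return {"detections": f"{detected}/{total}", "indicators": indicators}


if __name__ == "__main__":
    result = summarize()
    print("AV detections:", result["detections"])
    for i in result["indicators"]:
        print(" -", i)
```

Run against the full report the same parser would give 5 detections out of 38 engines; the packer indicators are the part that explains the gap, because signature scanners see the ASPack stub and compressed payload, not the code that runs after unpacking.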
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!


    Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.

    • If you have problems where no tools seem to run, please try following the steps given below and then continue on no matter what you find. You only need to try the TDSSserv steps if you are having problems getting scans in the Read & Run Me First.
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    READ & RUN ME FIRST. Malware Removal Guide


    Helpful Notes:


    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See below if you do not know how to boot in safe mode:

    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky: Don't Bump! It Only Hurts You!!!. Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and, as stated, our system works the oldest threads FIRST.
     
