Author Topic: Trojan infection found  (Read 2502 times)

Offline SpeedBrophy

  • Bronze Member
  • Posts: 20
Re: Trojan infection found
« Reply #15 on: August 28, 2016, 05:13:27 PM »
Of course I want to continue. I value your advice and it's clearly already made a difference. I've read your references and understand the issues with XP.

I might be missing something from your post, which I got as "If you want to proceed with cleaning, please run the following scan:". I'll proceed with the scan you already advised, namely:

Do the RogueKiller deletions,
Run Junk Removal Tool and send its report,
Run AdwCleaner and send its report.

If this is still the plan then there's no need for you to reply before receiving the logs.

Offline SpeedBrophy

  • Bronze Member
  • Posts: 20
Re: Trojan infection found
« Reply #16 on: August 29, 2016, 05:06:31 AM »
Below are the log files from Junkware Removal Tool and AdwCleaner.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.7 (07.03.2016)
Operating System: Microsoft Windows XP x86
Ran by Administrator (Administrator) on Mon 08/29/2016 at  3:32:43.17
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 8

Successfully deleted: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EDV5MUHU (Temporary Internet Files Folder)
Successfully deleted: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NBFUKTCE (Temporary Internet Files Folder)
Successfully deleted: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NGBY5AJ0 (Temporary Internet Files Folder)
Successfully deleted: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\R2WZ29PM (Temporary Internet Files Folder)
Successfully deleted: C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EDV5MUHU (Temporary Internet Files Folder)
Successfully deleted: C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\NBFUKTCE (Temporary Internet Files Folder)
Successfully deleted: C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\NGBY5AJ0 (Temporary Internet Files Folder)
Successfully deleted: C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\R2WZ29PM (Temporary Internet Files Folder)



Registry: 3

Successfully deleted: HKLM\Software\Google\Chrome\Extensions\jbolfgndggfhhpbnkgnpjkfhinclbigj (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\Search\\SearchAssistant (Registry Value)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 08/29/2016 at  3:34:56.82
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


# AdwCleaner v6.010 - Logfile created 29/08/2016 at 03:45:56
# Updated on 12/08/2016 by ToolsLib
# Database : 2016-08-24.2 [Local]
# Operating System : Microsoft Windows XP Service Pack 3 (X86)
# Username : Administrator - SPANIEL-REDUX
# Running from : C:\Documents and Settings\db\Desktop\AdwCleaner.exe
# Mode: Clean
# Support : https://toolslib.net/forum



***** [ Services ] *****



***** [ Folders ] *****

[-] Folder deleted: C:\Documents and Settings\All Users\Start Menu\Programs\SereneScreen
[-] Folder deleted: C:\Program Files\SereneScreen


***** [ Files ] *****



***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****

[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.Protector
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.Protector.1
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho.1
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib.1
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}


***** [ Web browsers ] *****



*************************

:: "Tracing" keys deleted
:: Winsock2 - Deleted C:\Program Files\Bonjour\mdnsNSP.dll
:: Winsock settings cleared

*************************

\AdwCleaner\AdwCleaner[C0].txt - [1728 Bytes] - [29/08/2016 03:45:56]
\AdwCleaner\AdwCleaner[S0].txt - [1929 Bytes] - [29/08/2016 03:42:32]

########## EOF - \AdwCleaner\AdwCleaner[C0].txt - [1870 Bytes] ##########
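The two logs above share a simple line shape: JRT writes `Successfully deleted: <target> (<kind>)`, AdwCleaner writes `[-] <Kind> deleted: <target>` under section headers plus `:: Winsock2 - Deleted <dll>` for LSP cleanup. As an added example that is not part of this thread and not code from Malwarebytes, ToolsLib or SpywareHammer, the Python below parses such a log, counts removals by tool and artefact type, and flags the entries that show how the adware was being loaded (the Browser Helper Object and CLSID registrations, the force-installed Chrome extension key, the IE SearchAssistant value, the Winsock LSP DLL), which is what a helper reading the log is looking for. The sample log is constructed from the formats posted above; the marker table and its labels are my own triage assumptions, not classifications made by either tool.

```python
"""Summarise JRT / AdwCleaner clean logs and flag persistence-related removals.

Added example for the thread above; not a tool from Malwarebytes or ToolsLib.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Removal:
    tool: str     # "JRT" or "AdwCleaner"
    kind: str     # artefact type exactly as the tool labels it
    target: str   # file path, registry key or registry value


# JRT line: "Successfully deleted: <target> (<kind>)"
JRT_RE = re.compile(r"^Successfully deleted: (?P<target>.+) \((?P<kind>[^()]+)\)\s*$")
# AdwCleaner line: "[-] <Kind> deleted: <target>"
ADW_RE = re.compile(r"^\[-\] (?P<kind>\w+) deleted: (?P<target>.+?)\s*$")
# AdwCleaner Winsock LSP line: ":: Winsock2 - Deleted <dll>"
ADW_WINSOCK_RE = re.compile(r"^:: Winsock2 - Deleted (?P<target>.+?)\s*$")

# Registry locations that cause code to load with the browser or with COM.
# Assumed triage labels (mine), keyed by a substring of the registry path.
PERSISTENCE_MARKERS = {
    r"\Browser Helper Objects\{": "IE Browser Helper Object (BHO) registration",
    r"\Chrome\Extensions": "Force-installed Chrome extension",
    r"\Internet Explorer\Search\\SearchAssistant": "IE search hijack value",
    r"\Classes\CLSID\{": "COM class registration",
}


def parse_cleanup_log(text):
    """Return every removal recorded in a JRT or AdwCleaner clean log."""
    removals = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := JRT_RE.match(line):
            removals.append(Removal("JRT", m["kind"], m["target"]))
        elif m := ADW_RE.match(line):
            removals.append(Removal("AdwCleaner", m["kind"], m["target"]))
        elif m := ADW_WINSOCK_RE.match(line):
            removals.append(Removal("AdwCleaner", "Winsock LSP", m["target"]))
    return removals


def summarize(removals):
    """Count removals per (tool, kind), e.g. ("JRT", "Registry Key") -> 2."""
    return Counter((r.tool, r.kind) for r in removals)


def flag_persistence(removals):
    """List (label, target) pairs for removals that indicate a load point.

    An LSP DLL is loaded into every process that uses Winsock, so it is worth
    a look whether or not it is benign (mdnsNSP.dll is Apple Bonjour's).
    """
    flagged = []
    for r in removals:
        if r.kind == "Winsock LSP":
            flagged.append(("Winsock LSP DLL", r.target))
            continue
        for marker, label in PERSISTENCE_MARKERS.items():
            if marker.lower() in r.target.lower():
                flagged.append((label, r.target))
                break
    return flagged


# Constructed sample, modelled on the JRT and AdwCleaner logs posted in the thread.
SAMPLE_LOG = r"""
Junkware Removal Tool (JRT) by Malwarebytes

File System: 2

Successfully deleted: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EDV5MUHU (Temporary Internet Files Folder)
Successfully deleted: C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EDV5MUHU (Temporary Internet Files Folder)

Registry: 3

Successfully deleted: HKLM\Software\Google\Chrome\Extensions\jbolfgndggfhhpbnkgnpjkfhinclbigj (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\Search\\SearchAssistant (Registry Value)

# AdwCleaner v6.010 - Logfile created 29/08/2016 at 03:45:56
# Mode: Clean

***** [ Folders ] *****

[-] Folder deleted: C:\Program Files\SereneScreen

***** [ Registry ] *****

[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}

:: Winsock2 - Deleted C:\Program Files\Bonjour\mdnsNSP.dll
:: Winsock settings cleared
"""

if __name__ == "__main__":
    found = parse_cleanup_log(SAMPLE_LOG)
    for (tool, kind), n in sorted(summarize(found).items()):
        print(f"{tool:10s} {kind:32s} {n}")
    for label, target in flag_persistence(found):
        print(f"persistence: {label}: {target}")
```

Paste a real log into `parse_cleanup_log` and the persistence list is the part worth reading first: a cache folder is noise, a BHO CLSID or an LSP DLL tells you what was actually executing on the box before cleanup.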

Offline Foxfire

  • Malware Removal Staff
  • Bronze Member
  • Posts: 443
Re: Trojan infection found
« Reply #17 on: August 29, 2016, 05:13:27 AM »

Hello SpeedBrophy,


It is necessary that you are made aware of your risk status.
It is your computer & it is your choice, I only advise.
So if you wish to keep any program please do so.

Now please proceed with instructions given in Reply 11 above.

I need the JRT.txt log & AdwCleaner log please.

N.B. anything posted below my signature is extraneous.
Thank you.
Platypuss

Offline SpeedBrophy

  • Bronze Member
  • Posts: 20
Re: Trojan infection found
« Reply #18 on: August 29, 2016, 11:46:56 AM »
I already did post the logs. Just before your message, so maybe it wasn't yet showing up. I'd be very grateful to know what you see in the logs.

Yes, I understand the situation with retaining Windows XP.

Offline Foxfire

  • Malware Removal Staff
  • Bronze Member
  • Posts: 443
Re: Trojan infection found
« Reply #19 on: August 29, 2016, 02:23:57 PM »

Hello SpeedBrophy,

Please scan your computer with ESET Online Scanner.

It may take a long time to run, it is very thorough. Do not use your computer whilst your antivirus is disabled.

NOTE: ESET Online Scanner can be run from Internet Explorer, Firefox, or Chrome.
If using Firefox or Chrome, you will need to download a small utility.
Double-click esetsmartinstaller_enu.exe to run it.

  • Click on this link to open ESET Online Scanner in a new window.
  • Click on the Scan Now button to download the esetonlinescanner_enu.exe file. Save it to your Desktop.
  • Close all your programs and browsers.
  • Please disable your antivirus program to avoid potential conflicts, improve the performance and speed up the scan.
  • Double click on esetonlinescanner_enu.exe to start ESET Online Scanner. It will open a window with the Terms of Use.
  • Check mark Download latest version of ESET Online Scanner and click the Accept button.
  • Accept any security warnings that may appear.
  • Under Computer scan settings, check mark Enable detection of potentially unwanted applications
  • Then click Advanced settings and check mark the following options:
  • Enable detection of potentially unsafe applications
  • Enable Anti-Stealth technology
  • Ensure Remove found threats is unchecked
  • Scan archives
  • Click the Scan button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
Note: If nothing is found, it will not produce a log.

Please re-enable your antivirus program.
Copy the contents of the log and paste in your next reply please.
>>>>>>>>>>>>>>>>>>>>>>>>

Quote
I'd be very grateful to know what you see in the logs.

Nothing exciting. Trojan signs & of course the PUPs

Platypuss




Offline SpeedBrophy

  • Bronze Member
  • Posts: 20
Re: Trojan infection found
« Reply #20 on: September 01, 2016, 02:36:33 AM »
Hello Platypuss,

Below is the scan log from ESET. It found only one item, the installation file for CCleaner, which I had kept. It objected apparently because the Google Toolbar is bundled with the installer. I don't have the toolbar installed.

The PUPs were all put down before ESET ran, so that's why they don't show up.

Two things about the ESET scan which are just maybe relevant:

[1] In the Initialization part ESET reported "Another antivirus software was detected", referring to Microsoft Security Essentials. MSSE is indeed on my computer but it's disabled as a startup and neither its service nor msseces.exe was running. I'm very sure of this. I don't use it any more. MBAM was disabled before the scan.

[2] In Computer Scan Settings I did not check "enable detection of suspicious applications", meaning programs compressed with packers or protectors, because you didn't explicitly include this in your instructions.

Please let me know if these are problematical and I'll rerun the scan.

============ Here's the ESET scan log ===========================
F:\Downloads\ccsetup520.exe   Win32/Bundled.Toolbar.Google.D potentially unsafe application


Offline Foxfire

  • Malware Removal Staff
  • Bronze Member
  • Posts: 443
Re: Trojan infection found
« Reply #21 on: September 01, 2016, 09:37:46 AM »

Hello SpeedBrophy,

I asked for the Eset log but I will take your word for the contents.

Your computer is now free of malware, just tidying up to do:-
 
Please download Delfix by Xplode and save it to your desktop.

Or use the following if first link is down:

Delfix link mirror

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make sure the following items are checked:
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points; a new point relative to system status at present will be created.
  • Reset system settings. The tool displays (if enabled) extensions of recognized files, if the "Reset System Settings" option is checked.

Now click on Run and wait patiently until the tool has completed.

The tool will create a log when it has completed. I don't need you to post this.

Part of the routine will be to create a registry backup with ERUNT; the backup will be created here: C:\Windows\ERUNT.
>>>>>>>>>>>>>>>>

How is the computer running currently ?
Platypuss

Offline SpeedBrophy

  • Bronze Member
  • Posts: 20
Re: Trojan infection found
« Reply #22 on: September 01, 2016, 02:21:08 PM »
I'll run the Eset scan again tonight to be sure I didn't miss anything. The onscreen menus were a little different than the Spyware Hammer description, but there was an Export button, and the .txt file it produced was what I sent - a single line, identical to the onscreen display of results.

I will post again after the Delfix cleanup. Thanks, Platypuss.

Offline SpeedBrophy

  • Bronze Member
  • Posts: 20
Re: Trojan infection found
« Reply #23 on: September 03, 2016, 05:10:53 PM »
Hello Platypuss,

Sorry for the delay. I did rerun the eset-online scan: same result, only the one Google Toolbar "threat".

Delfix cleaned things up some and I'm cleaning too. PUPs gone, Chrome out, Firefox in (supports XP), updated display drivers, etc.

The PC is running MUCH better. No program faults at all, no crashes, lots faster. And steadier, smoother somehow; it's a little hard to describe and maybe subjective.

There's one remaining quirk, not enough to be called an issue, but something that's been there for quite a while. Little OS tasks sometimes - but not always - take longer than expected, like restoring the desktop and all its icons after closing an application program. Or popping up the "All Programs" list when it's clicked on in the Start menu. I keep thinking these could be hardware related (it's a 10+ year old Dell desktop), but all Dell's and others' extensive hardware diagnostics are passed: memory, disk drive, fan, power supply all OK. Does this sound familiar to you?

Platypuss, thank you very much indeed for all your help. I've already made a donation. We seem to be done. But I'm still referring to your posts on continued Windows XP use and the disinfection procedure you advised, so it would help me if this post remained on Spyware Hammer for another month or so, if possible.

Offline Foxfire

  • Malware Removal Staff
  • Bronze Member
  • Posts: 443
Re: Trojan infection found
« Reply #24 on: September 05, 2016, 02:58:28 AM »

Hello SpeedBrophy,

Pleased to learn that your machine is functioning normally now.

Regarding the OS intermittent "quirk", it could be software.
Have you tried a Windows repair as detailed Here.
It is comprehensive, widely used & free. Use the portable version & direct download.

Now that your machine is malware free & knowing of your OS exposure, I suggest that it is a good time to make a complete system backup, such that you have a clean basis in reserve.

You might find this program useful:

WOT (Web of Trust), Here, warns you about risky websites that try to scam visitors, deliver malware or send spam.
Protect your computer against online threats by using WOT as your front-line of protection when browsing or searching in unfamiliar territory. WOT`s color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

The following link may be of interest:-

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-bess/#entry2316629t-practice.

On behalf of SpywareHammer thank you very much indeed for the donation, it was most kind.

This thread will certainly be visible for an extended period & of course you will always be welcome to post again for any query.

Platypuss