bones1nz

asked on
Help with removal of a trojan malware

My computer has been hit by a trojan which I am having difficulty removing. The virus includes files such as c.exe msa.exe yaiexi.exe. It prevents me booting to safe mode, blocks my attempts to download and install some removers, circumvents AVG and spybot search and destroy and reinstalls itself in the startup menu when I use msconfig.
Attached is my HijackThis file.
hijackthis.log
XT

ohh sorry...... wrong post.... just ignore it...
SOLUTION
splait
This solution is only available to members.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
bones1nz
ASKER
Thanks - will try these ideas out this evening and come back to you.
Thank you both for your help.
splait - virus prevented the process being stopped. Had previously looked for the file but it was hidden. Removing O4 - HKCU\..\Run: [yaiexi] C:\Documents and Settings\Family\yaiexi.exe was of some help but I was certain the virus was still present. Accordingly proceeded along the lines proposed by optoma. I think the computer is clean now. I have attached the logs and would be grateful if these could be checked.
ComboFix-log.txt
hijackthis-Jan6.log
mbam-log-2010-01-06--23-32-23-.txt
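The O4 entry quoted above is the kind of HijackThis line that is worth triaging by where the program lives rather than by its name. The following is an added example, not code from the thread: it parses O4 lines in the standard `O4 - <hive>\..\Run: [name] <command>` layout and flags autostart programs that run from a user-profile root or a Temp folder. The first sample line is the asker's entry; the other three are constructed here for illustration.

```python
import re
from typing import Optional

# Sample HijackThis O4 lines. The first is the entry quoted in the thread; the
# other three are constructed here for illustration (not from the asker's log).
SAMPLE_O4_LINES = [
    r"O4 - HKCU\..\Run: [yaiexi] C:\Documents and Settings\Family\yaiexi.exe",
    r"O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe",
    r"O4 - HKCU\..\Run: [msa] C:\DOCUME~1\Family\msa.exe",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"',
]

# O4 line layout: O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

# Command line -> program path (drops surrounding quotes and any arguments).
EXE_RE = re.compile(
    r'"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|bat|com|scr|pif))', re.IGNORECASE
)

# A user-profile root such as C:\Documents and Settings\Family or C:\DOCUME~1\Family.
# Legitimate autostart programs normally live under Program Files or the Windows
# directory, so an executable sitting directly in a profile root deserves a look.
PROFILE_ROOT_RE = re.compile(
    r"^[A-Za-z]:\\(?:Documents and Settings|DOCUME~1)\\[^\\]+$", re.IGNORECASE
)


def parse_o4(line: str) -> Optional[dict]:
    """Split an O4 line into hive, key, value name and command; None if not O4."""
    m = O4_RE.match(line)
    return m.groupdict() if m else None


def exe_path(cmd: str) -> str:
    """Extract the program path from an autostart command line."""
    m = EXE_RE.match(cmd)
    return m.group("path") if m else cmd


def is_suspicious_location(path: str) -> bool:
    """True if the program runs from a profile root or from a Temp directory."""
    parent = path.rsplit("\\", 1)[0]
    if PROFILE_ROOT_RE.match(parent):
        return True
    return "\\temp\\" in (parent.lower() + "\\")


def triage(lines) -> list:
    """Return one finding per O4 line, flagging suspicious program locations."""
    findings = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        path = exe_path(entry["cmd"])
        findings.append({
            "hive": entry["hive"],
            "name": entry["name"],
            "path": path,
            "suspicious": is_suspicious_location(path),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_O4_LINES):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok        "
        print(f"{flag} {f['hive']}\\Run [{f['name']}] -> {f['path']}")
```

Run against a full HijackThis log, the flagged entries are the ones to check first; a value name that looks random (as `yaiexi` does) combined with a profile-root path is a strong hint, but the location check alone is what catches entries whose names imitate legitimate software.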
It looks like you got it all!  @optoma is more practiced at reading ComboFix logs than I am, but I think you're clean.
Thanks for logfiles

Upload these to online scanner  http://www.virustotal.com/ :
c:\windows\BHvxfq.bat
c:\windows\CwhCEa.bat

Run Nod online scan http://www.eset.com/onlinescan/

Make note of detections, if any :)
Good catch!  I missed them totally!

You should write an article about reading ComboFix reports!
Thank you for your help. AVG has indicated a persistent threat (see attached jpg) - I am not sure if this is just a virus signature in a restore file. The first batch file was clean on all scans. The second had one positive result by Fortinet, with the comment BAT/Vobfus. The ESET scanner found and removed several trojans see text file.

When running ComboFix it detected Rootkit activity and then rebooted the computer. Is this a concern?

I will re run all my scanners and post a further HijackThis file.

Many thanks again.
AVG-warning.jpg
ESETscanner.txt
Run Combofix again after reboot and attach new logfile.

AVG scanner detected System Restore infections - OK for now - dormant.
Eset detected already caught viruses
SuperAntiSpyWare detected a Trojan - see log. Spybot was negative as was Malwarebytes. Ran Combofix and Hijack this. Logs attached.
SUPERAntiSpyware-Scan-Log---01-0.log
Combofix-Jan7.txt
hijackthis-Jan7.log
SAS detected more restore point infections + HijackThis is OK.

Those two .bat files: unsure of them, but will get back to them.

ComboFix detecting a rootkit is a sign that the system is not fully clean, unless it's a false positive on something like CD emulation software.

1-You could run a boot scanner CD to scan the system "outside" of Windows, but the consequence can be that a Windows repair is required afterwards if infected system files are deleted, resulting in Windows not starting up correctly.

Would you have your Windows XP Professional installation cd?

2-Another option would be to try and get another Expert in on this thread who could advise you on running rootkit detection scanners within Windows.

Let us know and can go further then.
Thank you optoma. The Combofix detected root activity only with the first scan and then rebooted and continued scanning. The second time there was no detection of root activity. I do run CD emulation software (VirtualCD). I have upgraded AVG to 9.0 and rescanned and it reports no rootkits. All other scans seem to be clear.

I do have the Windows XP installation cd and my ultimate solution would be to reinstall the operating system.

In view of the above I thought a reasonable approach might be to use the computer for 48 hours watching for suspicious activity and then run all the scans again and only proceed as you suggest above if further infestation. What do you think?
You can try a live CD scanner, but they can take hours to run (a downside to them).

Kaspersky live cd http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/

--It is in iso/image format so you will have to burn it to a cd.
--Once the cd is created, boot the infected machine to that cd and scan your system
NB-Update the virus database in live cd before scanning.



Since you have your installation media:
You may have to do a repair installation afterwards, depending on which infected files the Kaspersky live CD removes, i.e. if system files are infected and removed, the operating system will not start, thus resulting in a repair installation.
http://michaelstevenstech.com/XPrepairinstall.htm

Attach its logfile after
optoma
I did as you suggested above. Updated virus database successfully. But the scanning only took 22 seconds and reports nothing. Tried several times and checked all the settings. Saved a log but can't find it under Windows.

Does this sound right?

My other scans on the machine remain clean.
No, should take longer.
In the boot cd interface, did you check the boxes to scan boot sector and all other folders?

When it completes, hit the Reports tab to save the logfile. Note where it's being saved to.

Have a look at this link
http://www.techmixer.com/kaspersky-rescue-disk-load-kaspersky-antivirus-2009-using-dos/
Hi optoma
I didn't pick up that I had a partition on the hard disk, with my main drive confusingly labelled D:
Scanned okay, log file attached. Other scans remain clean.
Kapersky.txt
Good that all came back clear!
Last few steps:
1-get latest flash player (uncheck free toolbar/security scan addon)
http://get.adobe.com/flashplayer/
2-get latest Java
http://www.java.com/en/
3-Turn off System Restore + Turn Back on
4-get latest Microsoft updates
http://windowsupdate.microsoft.com/
optoma
All done. You made an earlier comment about two bat files which I uploaded to be examined. Any further thoughts? Accept as solution now?
Both .bat files are most likely malware related. Right click on them and go to Edit. Copy & paste the contents of those files here so we can take a look at them.

I recommend upgrading your AVG to version 9 also when you get a chance.
Yes, both batch files look dodgy with the naming of them. Make sure you don't double click or run them. Post them as suggested.
Have upgraded to AVG version 9. Batch files contents posted below:
BHvxfq.bat :
:1
Erase "C:\WINDOWS\BHvxfq.exe"
If exist "C:\WINDOWS\BHvxfq.exe" Goto 1
Erase "C:\WINDOWS\BHvxfq.bat"

CwhCEa.bat :
:A
del C:\DOCUME~1\Family\iexplore.exe
If Exist C:\DOCUME~1\Family\iexplore.exe Goto A
:1
del yyWWMj.exe
If Exist yyWWMj.exe Goto 1
:3
del BHvxfq.exe
If Exist BHvxfq.exe Goto 3
del CwhCEa.bat

Should I delete them?
Thanks
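Both scripts posted above follow the same shape: a label, a `del`/`erase` of a file, and an `If Exist ... Goto` back to the label, repeated until the file is gone, ending with the script deleting itself. This is the classic dropper clean-up stub: `del` fails while the dropped executable is still running, so the script spins until the process exits and the file can be removed, then erases its own trace. The following is an added example for responders, not code from the thread or from any of the participants: it parses the two batch files exactly as the asker pasted them (file names taken from the earlier post listing them under C:\WINDOWS), flags the delete-retry pattern, and lists the file names a responder would then search the disk and other scan logs for. A harmless batch file is constructed for contrast.

```python
import re

# The two batch files as the asker pasted them in the thread. The script file
# names come from the earlier post that listed them under C:\WINDOWS.
BHVXFQ_BAT = r"""
:1
Erase "C:\WINDOWS\BHvxfq.exe"
If exist "C:\WINDOWS\BHvxfq.exe" Goto 1
Erase "C:\WINDOWS\BHvxfq.bat"
"""

CWHCEA_BAT = r"""
:A
del C:\DOCUME~1\Family\iexplore.exe
If Exist C:\DOCUME~1\Family\iexplore.exe Goto A
:1
del yyWWMj.exe
If Exist yyWWMj.exe Goto 1
:3
del BHvxfq.exe
If Exist BHvxfq.exe Goto 3
del CwhCEa.bat
"""

# A constructed, harmless batch file for contrast (not from the thread).
BENIGN_BAT = r"""
@echo off
xcopy C:\Data D:\Backup\Data /E /Y
echo Backup finished.
"""

LABEL_RE = re.compile(r"^:(\S+)$")
DEL_RE = re.compile(r'^(?:del|erase)\s+"?([^"]+?)"?\s*$', re.IGNORECASE)
IF_EXIST_GOTO_RE = re.compile(
    r'^if\s+exist\s+"?([^"]+?)"?\s+goto\s+(\S+)\s*$', re.IGNORECASE
)


def basename(path: str) -> str:
    """Last path component, lower-cased, for case-insensitive comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_batch(text: str, script_name: str) -> dict:
    """Detect 'delete until gone' loops and self-deletion in a batch script."""
    current_label = None
    deleted = []        # every file the script tries to remove, in order
    retry_targets = []  # files removed inside a label/if-exist/goto spin loop
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LABEL_RE.match(line)
        if m:
            current_label = m.group(1)
            continue
        m = DEL_RE.match(line)
        if m:
            deleted.append(m.group(1))
            continue
        m = IF_EXIST_GOTO_RE.match(line)
        if m:
            target, label = m.groups()
            # "del X" followed by "if exist X goto <the label just above>":
            # the script loops until X can be deleted (e.g. once it stops running).
            if label == current_label and target in deleted:
                retry_targets.append(target)
    self_deleting = any(basename(p) == script_name.lower() for p in deleted)
    return {
        "script": script_name,
        "deleted": deleted,
        "retry_targets": retry_targets,
        "self_deleting": self_deleting,
    }


def is_cleanup_stub(report: dict) -> bool:
    """Retry-delete loop plus self-deletion is the dropper clean-up signature."""
    return bool(report["retry_targets"]) and report["self_deleting"]


def indicators(report: dict) -> list:
    """File names (other than the script itself) worth hunting for on disk and in logs."""
    return sorted({basename(p) for p in report["deleted"]} - {report["script"].lower()})


if __name__ == "__main__":
    for text, name in [(BHVXFQ_BAT, "BHvxfq.bat"), (CWHCEA_BAT, "CwhCEa.bat"),
                       (BENIGN_BAT, "backup.bat")]:
        rep = analyze_batch(text, name)
        verdict = "CLEANUP STUB" if is_cleanup_stub(rep) else "no pattern"
        print(f"{name}: {verdict}; indicators: {indicators(rep)}")
```

The useful output here is the indicator list rather than the verdict: `iexplore.exe` under the user's profile root (a name chosen to imitate Internet Explorer) and `yyWWMj.exe` are the dropped components to confirm are gone, and the fact that the second script also removes `BHvxfq.exe` ties the two batch files to the same infection.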
They don't look right.
Wait for Greyknight to give an opinion :)
SOLUTION
This solution is only available to members.
I am very happy with the outcome. Shall I accept a solution and close this off?
You can. Those *.bat files were indeed pending!! :)
optoma - I would like to thank you for your very patient and thorough help with this problem. Thank you also greyknight and splait for your input.
Very thorough approach to successfully remove a tenacious trojan. Thanks to all.
You're welcome.