A trojan I can't get rid of...

I scanned a computer at work with Spybot Search & Destroy, SUPERAntiSpyware, and MBAM.

Spybot S&D comes up with this key: HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION, value svchost.exe = 0x000022B8

And even though it says it will remove it, it never does. The rest can't either. I've done some research on it, and all my findings are bad, but there are no removal instructions except to buy their product.

I have tried manually deleting it, but when I try to log back on, the profile hangs until it reloads itself. I cannot work on this computer until the morning, when the user comes back in and I get back to work, but any and all help is greatly appreciated.

Thanks!
MsAileenS asked:

Dan Muzrall (EHS Specialist) commented:
Try ComboFix from http://www.bleepingcomputer.com
Here's the download page:  http://www.bleepingcomputer.com/download/anti-virus/combofix

ComboFix has been pretty effective at removing stubborn malware/spyware/viruses.  Bleepingcomputer also offers online support for use of ComboFix.

MsAileenS (Author) commented:
Okay thanks!  I will try that in the morning and post my results back.  

Hapexamendios commented:
Hi,

I've found that using MS's Malicious Software Removal Tool also does a good job of these, if you download it and run a full scan.

Quite surprising to some extent; however the purpose of it is to remove malware from infected computers - as opposed to detecting it pre-infection.

Download from http://www.microsoft.com/downloads/en/details.aspx?familyid=ad724ae0-e72d-4f54-9ab3-75b8eb148356&displaylang=en&pf=true and run it from a command prompt with the /F switch - a link to usage instructions can be found on the "Download Details:..." page.

Good luck! - and post back if you think I/we can help further.

 
notacomputergeek commented:
Click Start-Run, type msconfig, click the Startup tab, check to make sure all programs listed are valid. If not, this may give you a clue where it is hiding - look at the path.

Look at your processes in task manager - is anything running that's suspicious? A more detailed tool is Process Explorer. Go to the bottom of this page (http://technet.microsoft.com/en-us/sysinternals/bb896653) and run it live rather than download it.

Also, you can use www.ubcd4win.com to create a bootable CD to work on the hard drive and registry remotely. This way nothing malicious is running as you're trying to fix it.
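The startup and process checks in the reply above, worked through as an added PowerShell example. This is editor-supplied code, not from the thread or from any product mentioned in it. It lists the Run/RunOnce keys and startup folders that msconfig's Startup tab draws from, lists running processes with their image path and Authenticode signature status (the same view Process Explorer gives you with its Verify column), and reads back the FEATURE_BROWSER_EMULATION value from the original post so you can see exactly what is stored. The registry paths and cmdlets are standard Windows ones; the output layout is the example's own choice.

```powershell
# Editor-added example, not code from the thread. Run from an elevated PowerShell prompt.

# 1. Autostart entries: the Run/RunOnce keys and startup folders msconfig's Startup tab shows.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
"== Autostart registry entries =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSParentPath metadata
        "{0}`n    {1} = {2}" -f $key, $p.Name, $p.Value
    }
}

"`n== Startup folders =="
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        ForEach-Object { "{0}  {1}" -f $_.LastWriteTime, $_.FullName }
}

# 2. Running processes: image path plus Authenticode status. Unsigned images living in
#    user-writable locations (AppData, Temp, the profile root) deserve a closer look.
"`n== Running processes (one line per image) =="
Get-Process |
    Where-Object { $_.Path } |                 # Path is empty for processes we cannot open (e.g. System)
    Sort-Object -Property Path -Unique |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        [pscustomobject]@{
            Name      = $_.ProcessName
            Id        = $_.Id
            Signature = $sig.Status            # Valid / NotSigned / HashMismatch / ...
            Path      = $_.Path
        }
    } |
    Sort-Object Signature, Path |
    Format-Table -AutoSize

# 3. The value Spybot flagged in the original post. 0x22B8 is decimal 8888, one of the
#    documented FEATURE_BROWSER_EMULATION document-mode values. Reading it back shows only
#    what is stored, not who wrote it or whether it is malicious.
$featKey = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION'
"`n== FEATURE_BROWSER_EMULATION under HKEY_USERS\.DEFAULT =="
if (Test-Path $featKey) {
    $v = Get-ItemProperty -Path $featKey
    foreach ($p in $v.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        "{0} = 0x{1:X8} ({1})" -f $p.Name, [int]$p.Value
    }
} else {
    "(key not present)"
}
```

Cross-check what this prints against what msconfig and Task Manager show you: an autostart entry whose path points into a temp or profile directory, or a process whose image is unsigned and whose path you do not recognise, is where to start looking rather than proof of infection on its own.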
 
MsAileenS (Author) commented:
I ran ComboFix and it didn't work. I did msconfig and CCleaner and took out any unnecessary startup items, and Task Manager is sitting around 50 processes, which is not real high for a laptop. I didn't see anything really unusual, but I also didn't Google all the processes that I was unfamiliar with either. I went through the registry in safe mode and took out the items I KNOW are malicious.

But when I rebooted they ALL came back. :(

I haven't tried MS's Malicious Software Removal Tool yet; the user had to leave.

This is one stubborn trojan... The characteristics seem to track browsing and do a lot of redirection. I don't want to wipe the computer because this person has expensive software that I can't locate (it was installed before me).
 
Dan Muzrall (EHS Specialist) commented:
Did you disable system restore prior to attempting to repair?

notacomputergeek commented:
Have you tried to do a System Restore back to a time before the symptoms occurred?

In Explorer (not IE), turn View Hidden Files on and look in the Program Files folder for any DLLs. I've seen IE redirection DLLs get copied here that many programs can't detect, including MBAM.

Go to your %SystemRoot% folder and sort by date. Any DLLs showing a very recent date that you know you didn't install?

Also, search the drive for autorun.inf files. Right-click -> Open it (NOT Run) and see if it's executing a malicious file.
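The file-system checks in the reply above (recently written DLLs under %SystemRoot% and Program Files, and autorun.inf contents read rather than run), as an added PowerShell example. This is editor-supplied code, not from the thread. The 14-day cutoff and the set of directories are assumptions; set the cutoff to the date you believe the infection started.

```powershell
# Editor-added example, not code from the thread. Run as Administrator.
$Days   = 14                                    # assumption: widen if the infection is older
$cutoff = (Get-Date).AddDays(-$Days)

$roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path $_) }

# 1. DLLs with a recent LastWriteTime. -Force includes hidden and system files, which is
#    how dropped components are usually marked. Signature status is shown beside each hit.
"== DLLs written since $($cutoff.ToShortDateString()) under: $($roots -join ', ') =="
$recentDlls = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter *.dll -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff }
}
$recentDlls |
    Sort-Object LastWriteTime -Descending |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            LastWrite = $_.LastWriteTime
            Signature = $sig.Status
            Path      = $_.FullName
        }
    } |
    Format-Table -AutoSize

# 2. autorun.inf on every fixed drive. Get-Content reads the file as text; nothing in it is
#    executed. Only the lines that name something to launch are shown.
"`n== autorun.inf files =="
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Za-z]:\\$' }
foreach ($d in $drives) {
    Get-ChildItem -Path $d.Root -Filter autorun.inf -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            "`n-- $($_.FullName) (modified $($_.LastWriteTime))"
            Get-Content -Path $_.FullName -ErrorAction SilentlyContinue |
                Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' }
        }
}
```

Write the output to a file (append `| Out-File C:\triage.txt` to either pipeline) so you can compare runs: a DLL that reappears with a fresh timestamp after you deleted it, like the registry entries the author describes coming back after reboot, points at a component that is still running and restoring it, which is the case for cleaning from a boot CD as the earlier reply suggests.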
 
MsAileenS (Author) commented:
I did a system restore, but apparently not far enough. I went off what the user said; when she came to me with the virus it was much worse, then I did the system restore, and this is what I have been left with.

I will sort through the system root folder and check the DLLs so maybe I can pinpoint when it was installed. Also, I know I should probably already know this, but will a system restore also delete any files she has created since that point? Will I have to back up her docs first?
 
notacomputergeek commented:
No, it does not delete user files, such as Word, Excel, etc.

MsAileenS (Author) commented:
So I don't have to worry about backing everything up; I can just do a restore, because she hasn't added any new programs or anything like that. That makes things more optimistic. Thank you! She isn't in today, but I will post back when I do some more work on this!
 
notacomputergeek commented:
I would still make sure you have a backup of critical files to flash drive or something. You never know when the computer may become inoperable. Better safe than sorry.

MsAileenS (Author) commented:
Will do, of course. Thanks!
 
notacomputergeek commented:
Can you post the ComboFix file?

MsAileenS (Author) commented:
That would probably be on her computer, right? And she isn't here right now, and she has her laptop with her.
 
notacomputergeek commented:
Yes. c:\combofix.txt

MsAileenS (Author) commented:
I'll get it to you as soon as I can, thanks!
 
MsAileenS (Author) commented:
Actually, I thought I had run ComboFix, but it never ran. I had never run it before, so I thought it just ran in the background or something. But I tried again and got it to run, and it worked! No more redirection.

But I tried it on another computer that looked like it had the same virus, and it didn't work.

Thanks so much! I love ComboFix; it's great!