A trojan I cant get rid of...

I scanned a computer at work with Spybot Search & Destroy, SuperAntiSpyware, and MBAM.

Spybot comes up with a key: # HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION]      * svchost.exe = 0x000022B8

And even though it says it will remove it, it never does. The rest can't either. I've done some research on it and all my findings are bad, but no removal instructions except to buy their product.

I have tried manually deleting it, but when I try to log back on the profile will hang until it reloads itself. I cannot work on this computer until the morning when the user comes back in and I get back to work, but any and all help is greatly appreciated.

Thanks!
MsAileenS Asked:
Dan Muzrall (EHS Specialist) Commented:
Try ComboFix from http://www.bleepingcomputer.com
Here's the download page:  http://www.bleepingcomputer.com/download/anti-virus/combofix

ComboFix has been pretty effective at removing stubborn malware/spyware/viruses.  Bleepingcomputer also offers online support for use of ComboFix.
MsAileenS (Author) Commented:
Okay thanks!  I will try that in the morning and post my results back.  
Hapexamendios Commented:
Hi,

I've found that using MS's Malicious Software Removal Tool also does a good job of these, if you download it and run a full scan.

Quite surprising to some extent; however, the purpose of it is to remove malware from infected computers - as opposed to detecting it pre-infection.

Download from http://www.microsoft.com/downloads/en/details.aspx?familyid=ad724ae0-e72d-4f54-9ab3-75b8eb148356&displaylang=en&pf=true and run it from a command prompt with the /F switch - a link to usage instructions can be found on the "Download Details:..." page.

Good luck! - and post back if you think I/we can help further.
notacomputergeek Commented:
Click Start-Run, type msconfig, click the Startup tab, check to make sure all programs listed are valid. If not, this may give you a clue where it is hiding - look at the path.

Look at your processes in task manager - is anything running that's suspicious? A more detailed tool is Process Explorer. Go to the bottom of this page (http://technet.microsoft.com/en-us/sysinternals/bb896653) and run it live rather than download it.

Also, you can use www.ubcd4win.com to create a bootable CD to work on the hard drive and registry remotely. This way nothing malicious is running as you're trying to fix it.
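The two checks above (are the startup entries valid, and what is actually in the key Spybot reported in the question) can be scripted. This is an added example, not code from the thread or from any of the tools mentioned; it assumes an elevated Windows PowerShell prompt on the affected machine and only the registry path that Spybot printed.

```powershell
# Added example (not from the thread). Run from an elevated Windows PowerShell prompt.
# Part 1: the msconfig Startup list, with a file-exists and Authenticode check per entry.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExePathFromCommand([string]$cmd) {
    # A Run value is a command line; keep only the executable path, quoted or not.
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^\s*(.+?\.exe)\b') { return $Matches[1] }   # unquoted path, may contain spaces
    return $cmd.Trim()
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # provider metadata, not a startup entry
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePathFromCommand $p.Value))
        $status = if (Test-Path -LiteralPath $exe) {
            (Get-AuthenticodeSignature -FilePath $exe).Status   # Valid / NotSigned / HashMismatch ...
        } else { 'FILE MISSING' }
        '{0,-13} {1,-25} {2}' -f $status, $p.Name, $exe
    }
}

# Part 2: FEATURE_BROWSER_EMULATION, the key Spybot flagged, in every loaded user hive
# (.DEFAULT and each SID). Entries name programs that host the IE engine, with a DWORD
# document-mode number (0x22B8 = 8888 = IE8 mode). svchost.exe is the service host, not
# a program that renders web pages, so an entry for it is the one to look at.
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
$fbe = 'HKU:\*\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION'
foreach ($k in (Get-Item -Path $fbe -ErrorAction SilentlyContinue)) {
    foreach ($name in $k.GetValueNames()) {
        $flag = if ($name -ieq 'svchost.exe') { '   <-- the entry Spybot reported' } else { '' }
        '{0}: {1} = 0x{2:X8}{3}' -f $k.Name, $name, [int]$k.GetValue($name), $flag
    }
}
```

Anything reported as FILE MISSING, NotSigned or HashMismatch in Part 1 is where to look first; Part 2 shows which user hive the svchost.exe entry lives in, which matters when deleting it by hand keeps failing.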
MsAileenS (Author) Commented:
I ran ComboFix and it didn't work. I did msconfig and CCleaner and took out any unnecessary startup items, and the task manager is sitting around 50 processes, which is not really high for a laptop. I didn't see anything really unusual, but I also didn't google all the processes that I was unfamiliar with either. I went through the registry in safe mode and took out the items I KNOW are malicious.

But when I rebooted they ALL came back. :(

I haven't tried MS's Malicious Software Removal Tool yet; the user had to leave.

This is one stubborn trojan...... The characteristics seem to track browsing and do a lot of redirection. I don't want to wipe the computer because this person has expensive software that I can't locate (it was installed before me).
Dan Muzrall (EHS Specialist) Commented:
Did you disable system restore prior to attempting to repair?
notacomputergeek Commented:
Have you tried to do a System Restore back to a time before the symptoms occurred?

In Explorer (not IE), turn View Hidden Files on and look in the Program Files folder for any DLLs. I've seen IE redirection DLLs get copied here that many programs can't detect - including MBAM.

Go to your %SystemRoot% folder, sort by date. Any DLLs showing a very recent date that you know you didn't install?

Also, search the drive for autorun.inf files. Right-click -> Open it (NOT Run), see if it's executing a malicious file.
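The three file-system checks in the post above (hidden DLLs under Program Files, recently changed DLLs under %SystemRoot%, and autorun.inf files opened as text rather than run), as an added PowerShell example that is not from the thread. It assumes an elevated Windows PowerShell prompt on the affected machine; the 14-day window for "very recent" is an assumption you should adjust to when the symptoms started.

```powershell
# Added example (not from the thread). Run from an elevated Windows PowerShell prompt.
$days  = 14                                  # assumption: what counts as "very recent"
$since = (Get-Date).AddDays(-$days)

# -Force includes hidden and system files, the same as "View Hidden Files" in Explorer.
$folders = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# 1. DLLs modified recently under %SystemRoot% and Program Files, newest first, with signer.
$recentDlls = foreach ($dir in $folders) {
    Get-ChildItem -Path $dir -Filter *.dll -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since }
}
$recentDlls | Sort-Object LastWriteTime -Descending | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        Modified = $_.LastWriteTime
        Status   = $sig.Status                 # NotSigned / Valid / HashMismatch ...
        Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Hidden   = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
        Path     = $_.FullName
    }
} | Format-Table -AutoSize

# 2. autorun.inf on every fixed drive, read as plain text (Get-Content never executes it).
#    The [autorun] section's open= / shellexecute= / shell\...\command= lines are what
#    would have been launched, so those are the lines printed.
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
foreach ($d in $drives) {
    Get-ChildItem -Path $d.Root -Filter autorun.inf -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            "==== $($_.FullName) ===="
            Get-Content -LiteralPath $_.FullName -ErrorAction SilentlyContinue |
                Where-Object { $_ -match '^\s*(open|shellexecute|shell\\\w+\\command)\s*=' }
        }
}
```

A DLL that is hidden, unsigned and dated after the infection is the candidate to submit to a scanner or look up by hash; the full-drive autorun.inf search takes a while, so narrow it to the drive roots if time is short.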
MsAileenS (Author) Commented:
I did a system restore but apparently not far enough. I went off what the user said; when she came to me with the virus it was much worse, then I did the system restore and this is what I have been left with.

I will sort through the system root folder and check the DLLs so maybe I can pinpoint when it was installed. Also, I know I should already probably know this, but will a system restore also delete any files she has created since that point? Will I have to back up her docs first?
notacomputergeek Commented:
No, it does not delete user files, such as Word, Excel, etc.
MsAileenS (Author) Commented:
So I don't have to worry about backing everything up; I can just do a restore. Because she hasn't added any new programs or anything like that. That makes things more optimistic. Thank you! She isn't in today, but I will post back when I do some more work on this!
notacomputergeek Commented:
I would still make sure you have a backup of critical files to flash drive or something. You never know when the computer may become inoperable. Better safe than sorry.
MsAileenS (Author) Commented:
Will do of course.  Thanks!
notacomputergeek Commented:
Can you post the ComboFix file?
MsAileenS (Author) Commented:
That would probably be on her computer, right? And she isn't here right now, and she has her laptop with her.
notacomputergeek Commented:
Yes. c:\combofix.txt
MsAileenS (Author) Commented:
I'll get it to you as soon as I can, thanks!
MsAileenS (Author) Commented:
Actually, I thought I had run ComboFix but it never ran. I had never run it before, so I thought it just ran in the background or something. But I tried again and got it to run and it worked! No more redirection.

But I tried it on another computer that looked like it had the same virus and it didn't work.  

Thanks so much!! I love ComboFix, it's great!