thenelson
asked on
Unable to get rid of Trojans in Windows 7
HitmanPro displays several Trojans (see list below) and states they were deleted after reboot, but they come back after a couple of hours. I sent an email to HitmanPro about this and got a response to start HitmanPro while holding down the left Control key. I did this but it did not help. I downloaded and ran SuperAntiSpyware. It stated it found and deleted several pieces of malware, but HitmanPro still comes up with a list of Trojans. I am using Bitdefender Total Security 2017 as my antivirus. A complete scan with that turns up nothing.
Some symptoms I have been experiencing since the Trojans started showing up: I get a pop-up that states "Failed to connect to a Windows service" when I reboot, and Windows Aero is disabled after a reboot until I manually restart the Themes service in services.msc.
Here is a log from Hitmanpro:
HitmanPro 3.7.18.284
www.hitmanpro.com
Computer name . . . . : LATITUDE_E6410
Windows . . . . . . . : 6.1.1.7601.X64/4
User name . . . . . . : Latitude_E6410\Nelson
UAC . . . . . . . . . : Enabled
License . . . . . . . : Paid (873 days left)
Scan date . . . . . . : 2017-04-03 04:13:18
Scan mode . . . . . . : Normal
Scan duration . . . . : 10m 16s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No
Threats . . . . . . . : 14
Traces . . . . . . . : 14
Objects scanned . . . : 2,031,243
Files scanned . . . . : 106,370
Remnants scanned . . : 509,754 files / 1,415,119 keys
Malware remnants
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\about.exe\ (Trojan.FakeAV)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdfvcl.exe\ (Trojan.FakeAV)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdfvwiz.exe\ (Trojan.FakeAV)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deloeminfs.exe\ (Trojan.FakeAV)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\driverctrl.exe\ (Trojan.FakeAV)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\odsw.exe\ (Trojan.FakeAV)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setloadorder.exe\ (Trojan.FakeAV)
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\about.exe\ (Trojan.FakeAV)
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdfvcl.exe\ (Trojan.FakeAV)
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdfvwiz.exe\ (Trojan.FakeAV)
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deloeminfs.exe\ (Trojan.FakeAV)
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\driverctrl.exe\ (Trojan.FakeAV)
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\odsw.exe\ (Trojan.FakeAV)
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setloadorder.exe\ (Trojan.FakeAV)
Any suggestions will be greatly appreciated.
I use the Bitdefender rescue CD, which works well. I hardwire the PC or laptop to the network and boot off the CD; Bitdefender then updates itself and you can run a full scan.
http://download.bitdefender.com/rescue_cd/latest/bitdefender-rescue-cd.iso
1. Did you check whether those keys named after executables actually exist under the Image File Execution Options key?
2. If yes, did you check whether those executables listed under the Image File Execution Options key actually exist somewhere on your hard disk?
3. If yes, did you check whether those keys have any String values showing the path name of another executable file?
If the answers are all NO, this was just a false positive alarm.
Yes, but if your system is up to date, that tool installs automatically (Windows 7, 8.1 and 10).
Windows computers with trojans and viruses rarely are up-to-date
If you say so.
Do you have any backup images on this computer?
If yes, move them to an external hard drive, rescan, and let us know the result.
Also uninstall all antivirus and malware scanners except one.
Could be false positives. While a number of malware scanners do work well, you cannot blindly trust them. Items that you can tell truly don't belong are the most obvious; for the others it's best to actually check into what they really are before you decide to remove them. Do you recall what you had already removed? A subset of issues could be caused by what you removed.
ASKER
John,
I downloaded and ran process explorer but did not see anything that I would need to shut down. I've attached a log from it.
Process-Explorer.TXT
Yes, I think I see that. Run Malwarebytes anyway and one or two of the other tools above.
Personal opinion: once you have had a trojan or an infection, you cannot truly trust your system anymore.
AV cannot pick up all potential viruses it could have embedded, and repairing bad files might not work.
Once you have been in this state, you can truck along post-removal knowing there is a risk that an infection might still be hidden on there, and hope that the system remains stable, but the fastest solution, compared to spending hours scanning for viruses, immunizing the PC, and running health checks and repairs, would be to simply bite the bullet.
Back up your data, make sure you have a copy of the licenses and software you need, and format plus re-install.
You avoid spending hours trying to clean/repair a PC, and end up with a fully serviced, fast and speedy PC.
Other than that, if you still prefer to scan and try to remove viruses, then use 2-3 programs, run 1-2 rootkit killers, and run 1-2 spyware detection apps.
Malwarebytes, Sophos, McAfee, Kaspersky, NOD32, F-Protect and Vipre all do a pretty good job for AV removal;
McAfee, Kaspersky and Malwarebytes have proper rootkit scanners.
SuperAntiSpyware and Spybot do pretty well on the spyware end.
Once you have run the 6-7 different app scans, don't forget to run sfc /scannow, and potentially do a full Windows 7 repair over the current OS.
It's a lot of work IMO, hence I prefer rebuilds myself.
I also do a fresh install if I have no clean result after running these:
http://www.malwarebytes.org/mbam.php MBAM
http://majorgeeks.com/RogueKiller_d6983.html Roguekiller
http://www.bleepingcomputer.com/download/junkware-removal-tool/dl/131/ JRT
http://www.lavasoft.com/ adaware
ASKER
I ran several different cleaner routines and emailed Hitmanpro. They created an update of Hitmanpro to clean the viruses. After all that, all apps are showing that the computer is clean and it is running without the problems I mentioned. Thanks to all.
You are very welcome and I was happy to help
Glad we could help.
@OP, Experts and future visitors:
Please remember to endorse my, or any other expert's comments that you found helpful by clicking on the "Thumb's Up" button
Read more on endorsements
https://www.experts-exchange.com/discussions/218503/What-are-Endorsements.html
So what I would like to see is whether those entries exist on the system. To do that, copy the code below,
paste it into Notepad,
save the file as try.bat,
right-click the bat file created above and click Run As Administrator.
Once the file has run it will open a Notepad window. Just copy everything in that file and paste it here.
Thanks,
Sudeep
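The three checks in the numbered reply above (does the IFEO key exist, does the executable exist on disk, does the key carry a string value pointing at another executable) and the batch-file audit Sudeep describes (whose script is not reproduced on this page) can be done in one PowerShell script. This is an added example, not code from the thread or from HitmanPro. It assumes the seven image names from the HitmanPro log, an elevated PowerShell 3 or later prompt on the affected machine, and a CSV output path on the Desktop that is my choice.

```powershell
# Added example (not from the thread): audit the IFEO entries HitmanPro flagged.
# Checks, in the order the numbered reply lists them:
#   1. does a per-image key exist under Image File Execution Options
#      (native 64-bit view and the Wow6432Node view)?
#   2. does a file with that image name exist anywhere on the fixed drives?
#   3. does the key hold a string value naming another executable? The one that
#      matters is "Debugger": Windows starts the Debugger program instead of the
#      image and appends the original command line, which is the hijack
#      FakeAV-style malware uses to neuter security tools.
# Requires an elevated PowerShell 3+ prompt. Image names are taken from the log.

$ImageNames = 'about.exe','bdfvcl.exe','bdfvwiz.exe','deloeminfs.exe',
              'driverctrl.exe','odsw.exe','setloadorder.exe'

$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Check 2 once up front: one recursive walk of each fixed drive (slow but complete).
$OnDisk = @{}
foreach ($name in $ImageNames) { $OnDisk[$name] = @() }
$fixedRoots = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 3' |
              ForEach-Object { $_.DeviceID + '\' }
foreach ($driveRoot in $fixedRoots) {
    Get-ChildItem -Path $driveRoot -Recurse -File -Force -Include $ImageNames -ErrorAction SilentlyContinue |
        ForEach-Object { $OnDisk[$_.Name.ToLower()] += $_.FullName }
}

# Checks 1 and 3 per key, with a one-line verdict per row.
$Report = foreach ($root in $IfeoRoots) {
    $view = if ($root -like '*Wow6432Node*') { '32-bit' } else { '64-bit' }
    foreach ($name in $ImageNames) {
        $keyPath  = Join-Path $root $name
        $exists   = Test-Path -LiteralPath $keyPath
        $debugger = $null
        $otherExe = @()
        if ($exists) {
            $key = Get-Item -LiteralPath $keyPath
            foreach ($valueName in $key.GetValueNames()) {
                $kind = $key.GetValueKind($valueName)
                if ($kind -ne 'String' -and $kind -ne 'ExpandString') { continue }
                $value = [string]$key.GetValue($valueName)
                if ($valueName -eq 'Debugger')  { $debugger = $value }
                elseif ($value -match '\.exe')  { $otherExe += "$valueName=$value" }
            }
        }
        $verdict = if (-not $exists)  { 'no key: HitmanPro hit is stale or a false positive' }
                   elseif ($debugger) { 'Debugger value set: launching this image runs another program' }
                   elseif ($otherExe) { 'string value names an executable: inspect' }
                   else               { 'key present but no redirect' }
        [pscustomobject]@{
            View      = $view
            Image     = $name
            KeyExists = $exists
            FoundAt   = ($OnDisk[$name] -join '; ')
            Debugger  = $debugger
            OtherExe  = ($otherExe -join '; ')
            Verdict   = $verdict
        }
    }
}

$Report | Format-Table -AutoSize -Wrap
# Keep a copy to paste into the thread, as Sudeep's batch file would have done.
$Report | Export-Csv -NoTypeInformation -Path (Join-Path $env:USERPROFILE 'Desktop\ifeo-audit.csv')
```

Read the Verdict column before deleting anything: a row with no key means the scanner is reporting a remnant that is no longer present; a row with a Debugger value is the real finding, and the program it names is what to inspect and, if it is not a debugger or security tool you installed, remove. Removing only the key without finding what rewrites it is why such entries reappear a few hours later.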