thenelson

asked on

Unable to get rid of Trojans in Windows 7

HitmanPro displays several Trojans (see list below) and states they were deleted after reboot, but they come back after a couple of hours. I sent an email to HitmanPro about this and got a response to start HitmanPro while holding down the left Control key. I did this but it did not help. I downloaded and ran SuperAntiSpyware. It stated it found and deleted several pieces of malware, but HitmanPro still comes up with a list of Trojans. I am using Bitdefender Total Security 2017 as my antivirus. A complete scan with that turns up nothing.

Some symptoms I have been experiencing since the Trojans started showing up: I get a pop-up that states "failed to connect to a Windows service" when I reboot, and Windows Aero is disabled after a reboot until I manually restart the Themes service in services.msc.

Here is a log from Hitmanpro:
HitmanPro 3.7.18.284
www.hitmanpro.com

   Computer name . . . . : LATITUDE_E6410
   Windows . . . . . . . : 6.1.1.7601.X64/4
   User name . . . . . . : Latitude_E6410\Nelson
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Paid (873 days left)

   Scan date . . . . . . : 2017-04-03 04:13:18
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 10m 16s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 14
   Traces  . . . . . . . : 14

   Objects scanned . . . : 2,031,243
   Files scanned . . . . : 106,370
   Remnants scanned  . . : 509,754 files / 1,415,119 keys

Malware remnants ____________________________________________________________

   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\about.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdfvcl.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdfvwiz.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deloeminfs.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\driverctrl.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\odsw.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setloadorder.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\about.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdfvcl.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdfvwiz.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deloeminfs.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\driverctrl.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\odsw.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setloadorder.exe\ (Trojan.FakeAV)

Any suggestions will be greatly appreciated.
SOLUTION
John
ASKER CERTIFIED SOLUTION
aravind anche
It seems like only the registry entries are left on the system, and they are not getting removed, maybe due to permissions on those registry keys.

So what I would like to see is whether those entries exist on the system. To do that, copy the code below,
paste it into Notepad,
and save the file as try.bat.
Right-click the bat file created above and click Run As Administrator.
Once the file has run it will open a Notepad window. Just copy everything in that file and paste it here.

@echo off
REM Dump both IFEO branches (64-bit and 32-bit/Wow6432Node) into one file under %temp%, then open it.
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s > %temp%\temp.txt
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s >> %temp%\temp.txt
REM Open the same file the two queries wrote to.
notepad %temp%\temp.txt

Thanks,
Sudeep
I use the Bitdefender rescue CD, which works well. I hardwire the PC or laptop to the network and boot off the CD; Bitdefender then updates itself and you can run a full scan.

http://download.bitdefender.com/rescue_cd/latest/bitdefender-rescue-cd.iso
1. Did you check whether those keys named after executables actually exist under the Image File Execution Options key?
2. If yes, did you check whether the executables listed under the Image File Execution Options key actually exist somewhere on your hard disk?
3. If yes, did you check whether those keys have any string values showing the path name of another executable file?

If the answers are all NO, this was just a false positive alarm.
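The three-step check above, together with the raw dump the earlier batch file collects, as one script. This is an added example and not code from the thread; it assumes an elevated PowerShell 3.0 or later session on the affected machine and uses the process names from the HitmanPro log above. It inspects the Debugger value, which is the IFEO string value Windows uses to start another program in place of the named executable.

```powershell
# Added example, not code from the thread. Assumes an elevated PowerShell 3.0+ session on the
# affected machine; the process names are the ones in the HitmanPro log above.
$flagged = 'about.exe','bdfvcl.exe','bdfvwiz.exe','deloeminfs.exe','driverctrl.exe','odsw.exe','setloadorder.exe'
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Step 2: one pass over the system drive to find any file carrying a flagged name (slow, but done once).
$onDisk = @{}
Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Include $flagged -ErrorAction SilentlyContinue |
    ForEach-Object { $onDisk[$_.Name.ToLower()] += @($_.FullName) }

function Test-IfeoEntry {
    param([string]$Root, [string]$ExeName)
    $keyPath = Join-Path $Root $ExeName
    $entry = [ordered]@{ Key = $keyPath; KeyExists = $false; Debugger = $null; ExeOnDisk = ''; Verdict = '' }
    # Step 1: does the per-executable key exist at all?
    if (-not (Test-Path -LiteralPath $keyPath)) {
        $entry.Verdict = 'key absent: nothing to remove'
        return [pscustomobject]$entry
    }
    $entry.KeyExists = $true
    # Step 3: a Debugger string value makes Windows launch that program in place of $ExeName.
    $entry.Debugger  = (Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue).Debugger
    $entry.ExeOnDisk = ($onDisk[$ExeName.ToLower()] -join '; ')
    $entry.Verdict = if ($entry.Debugger) { 'REVIEW: Debugger redirect set' }
                     elseif (-not $entry.ExeOnDisk) { 'key present, no matching binary on disk' }
                     else { 'key present and binary exists; inspect both' }
    [pscustomobject]$entry
}

$report = foreach ($root in $ifeoRoots) { foreach ($exe in $flagged) { Test-IfeoEntry -Root $root -ExeName $exe } }
$report | Format-Table -AutoSize -Wrap

# Keep a raw copy of both branches before anything is deleted (the same data the reg query batch file collects).
$dump = Join-Path $env:TEMP 'ifeo-before.txt'
foreach ($root in $ifeoRoots) { reg query ($root -replace '^HKLM:\\', 'HKLM\') /s | Out-File -Append -FilePath $dump }
```

A row with KeyExists true, an empty Debugger and an empty ExeOnDisk is the orphan case the checklist calls a false positive; a populated Debugger value is the one that warrants a closer look before deletion.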
SOLUTION
Yes, but if your system is up to date, that tool installs automatically (Windows 7, 8.1 and 10).
Windows computers with trojans and viruses rarely are up-to-date
If you say so.
Ramin

Do you have any backup image on this computer?
If yes, move it to an external hard drive, rescan, and let us know the result.
Also uninstall all antivirus and malware scanners except one.
Could be false positives. While a number of malware scanners do work well, you cannot blindly trust them. Items that you can tell truly don't belong are the most obvious; for the others it's best to actually check what they really are before you decide to remove them. Do you recall what you had already removed? A subset of the issues could be caused by what you removed.
thenelson (ASKER)

John,

I downloaded and ran process explorer but did not see anything that I would need to shut down. I've attached a log from it.
Process-Explorer.TXT
Yes, I think I see that. Run Malwarebytes anyway and one or two of the other tools above.
SOLUTION
Personal opinion: once you have had a trojan or an infection, you cannot truly trust your system anymore.
AV cannot pick up all potential viruses it could have embedded, and repairing bad files might not work.
Once you have been in this state, you can truck along post-removal knowing there is a risk that an infection might still be hidden on there, and hope that the system remains stable; but the fastest solution, compared to spending hours scanning for viruses, immunizing the PC, and running health checks and repairs, would be to simply bite the bullet.

Back up your data, make sure you have a copy of the licenses and software you need, and format plus re-install.
You avoid spending hours trying to clean/repair a PC, and end up with a fully serviced, fast and speedy PC.
Other than that, if you still prefer to scan and try to remove viruses, then use 2-3 programs, run 1-2 rootkit killers, and run 1-2 spyware detection apps.

Malwarebytes, Sophos, McAfee, Kaspersky, NOD32, F-Prot, Vipre all do a pretty good job for AV removal.
McAfee, Kaspersky and Malwarebytes have proper rootkit scanners.
SuperAntiSpyware and SpyBot do pretty well on the spyware end.

Once you have run the 6-7 different app scans, don't forget to run sfc /scannow, and potentially do a full Windows 7 repair over the current OS.
It's a lot of work IMO, hence I prefer rebuilds myself.
I also do a fresh install if I have no clean result after running these:
MBAM        http://www.malwarebytes.org/mbam.php
RogueKiller http://majorgeeks.com/RogueKiller_d6983.html
JRT         http://www.bleepingcomputer.com/download/junkware-removal-tool/dl/131/
Ad-Aware    http://www.lavasoft.com/
I ran several different cleaner routines and emailed Hitmanpro. They created an update of Hitmanpro to clean the viruses. After all that, all apps are showing that the computer is clean and it is running without the problems I mentioned. Thanks to all.
You are very welcome and I was happy to help
Glad we could help.

@OP, Experts and future visitors:
Please remember to endorse my, or any other expert's comments that you found helpful by clicking on the "Thumb's Up" button

Read more on endorsements
https://www.experts-exchange.com/discussions/218503/What-are-Endorsements.html