Infected with win32 trojan

Discussion in 'Virus and Malware Removal' started by Mick Sanger, Jul 19, 2012.

  1. Mick Sanger Newcomer, in training Posts: 36

    Forgot to mention...I did disable my Avast until I reboot. I didn't know of any other way to shut it off completely without going into safe mode.
  2. Broni Malware Annihilator Posts: 39,231   +175

    Try different browser.
  3. Mick Sanger Newcomer, in training Posts: 36

    Ok ... got it to work in internet explorer.

    ESETScan log

    C:\Users\Sydney Rae\Pictures\Nicholas\setup-converterlite-ic-1.5.0.exe a variant of Win32/InstallCore.W application cleaned by deleting - quarantined
  4. Broni Malware Annihilator Posts: 39,231   +175

    Your computer is clean

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing or updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    12. Read "How did I get infected?, With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please let me know how your computer is doing.
  5. Mick Sanger Newcomer, in training Posts: 36

    OTL custom fix log

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: Sydney Rae
    ->Temp folder emptied: 151304 bytes
    ->Temporary Internet Files folder emptied: 21410982 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 48196314 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 700 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 936 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 67.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: Public

    User: Sydney Rae
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Default

    User: Default User

    User: Public

    User: Sydney Rae
    ->Java cache emptied: 0 bytes

    Total Java Files Cleaned = 0.00 mb

    Restore point Set: OTL Restore Point

    OTL by OldTimer - Version 3.2.54.0 log created on 07222012_130718

    Files\Folders moved on Reboot...
    C:\Users\Sydney Rae\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

    PendingFileRenameOperations files...
    File C:\Users\Sydney Rae\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!

    Registry entries deleted on Reboot...
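
Added example, not part of the thread and not OTL's own code: a small Python check that a posted OTL fix log contains the command sections seen in the log above and the "Restore point Set" line, and totals the bytes cleaned per user. The function names and the expected-section list are assumptions made for this example; the sample log is constructed from lines in the post above.

```python
import re

# Constructed sample: abridged lines in the format of the fix log posted above.
SAMPLE_LOG = """\
========== COMMANDS ==========
[EMPTYTEMP]
User: Default
->Temp folder emptied: 0 bytes
User: Sydney Rae
->Temp folder emptied: 151304 bytes
->Temporary Internet Files folder emptied: 21410982 bytes
->FireFox cache emptied: 48196314 bytes
->Flash cache emptied: 700 bytes
%systemroot% .tmp files removed: 0 bytes
Windows Temp folder emptied: 936 bytes
[EMPTYFLASH]
User: Sydney Rae
->Flash cache emptied: 0 bytes
[EMPTYJAVA]
User: Sydney Rae
->Java cache emptied: 0 bytes
Restore point Set: OTL Restore Point
"""

SECTION = re.compile(r"^\[(\w+)\]$")
USER = re.compile(r"^User: (.+)$")
EMPTIED = re.compile(r"^(?:->)?.+? (?:emptied|removed): (\d+) bytes$")
RESTORE = re.compile(r"^Restore point Set: (.+)$")

def summarize_fix_log(text):
    """Collect command sections, bytes cleaned per owner, and the restore point name."""
    sections, cleaned, restore, user = [], {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SECTION.match(line):
            sections.append(m.group(1).upper())
            user = None                      # user context ends with the section
        elif m := USER.match(line):
            user = m.group(1)
        elif m := EMPTIED.match(line):
            # "->" lines belong to the current user; the rest are system-wide
            owner = user if line.startswith("->") and user else "(system)"
            cleaned[owner] = cleaned.get(owner, 0) + int(m.group(1))
        elif m := RESTORE.match(line):
            restore = m.group(1)
    return {"sections": sections, "cleaned": cleaned, "restore_point": restore}

def missing_steps(summary, expected=("EMPTYTEMP", "EMPTYFLASH", "EMPTYJAVA")):
    """List expected sections absent from the log, plus a missing restore point."""
    gaps = [s for s in expected if s not in summary["sections"]]
    if summary["restore_point"] is None:
        gaps.append("RESTORE_POINT")
    return gaps
```

An empty list from `missing_steps` means every expected section and the restore point line were found; a log cut off before the reboot shows up as named gaps.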
  6. Broni Malware Annihilator Posts: 39,231   +175

     
  7. Mick Sanger Newcomer, in training Posts: 36

    Well, I have all my windows updates done and have just saved down PSI. Everything seems good except two things.

    1. I'm still having the same graphic issues on both firefox and internet explorer.
    2. I'm getting a windows action center warning telling me that I need to insert a dvd/cd or usb drive to finish the backup process.

    How should I proceed?
  8. Broni Malware Annihilator Posts: 39,231   +175

    2. Do you use Windows backup? If not disable action center message.

    1.
    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it.
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.
  9. Mick Sanger Newcomer, in training Posts: 36

    Ok, I got the backup notice to go away. I installed and updated with PSI. I installed Java but I did not do the JavaRa as this laptop had no previous version of it.

    Question: Will the restore point I made remain on file or will it be deleted automatically as time goes on?

    The graphics problem is still there.
  10. Broni Malware Annihilator Posts: 39,231   +175

    It'll eventually get replaced in the future by newer restore points.

    Only in browsers?
    In both, IE and Firefox?
    Can you post a screenshot?
  11. Mick Sanger Newcomer, in training Posts: 36

    Sorry it's so large, but I don't have any photo editing software on this machine. Basically it's only used by the family for internet services like Facebook, email and YouTube.
  12. Broni Malware Annihilator Posts: 39,231   +175

  13. Mick Sanger Newcomer, in training Posts: 36

    Yes, it's the same in both. As a side note, when I posted the print screen image it showed it, but once I hit post reply it disappeared.
  14. Broni Malware Annihilator Posts: 39,231   +175

    Open IE, go Tools>Internet options>Advanced tab and click on "Reset" button.
    Restart IE and see if it helped.
  15. Mick Sanger Newcomer, in training Posts: 36

    I followed the above instruction. It told me to close and reopen to activate new settings. When I did that a window popped up asking me to set up internet explorer 9. It has two check boxes.

    1. Recommended security and compatibility settings. It talks about something called SmartScreen.
    2. Don't use recommended settings.

    I can either select a box and proceed or ask me later. Which would you rather me do?
  16. Broni Malware Annihilator Posts: 39,231   +175

  17. Mick Sanger Newcomer, in training Posts: 36

    It updated but it did not fix the graphic issue. Do you want me to try the same thing with Firefox?
  18. Broni Malware Annihilator Posts: 39,231   +175

    No. At this point....

    In this forum, we make sure your computer is free of malware and your computer is clean :)
    Because the access to the malware forum is very limited, your best option is to create a new topic about your current issue in the Windows section.
    You'll get more attention.

    Good luck :)
  19. Mick Sanger Newcomer, in training Posts: 36

    Ok, I can do that. Thank you so very much for your help with getting my computer clean. You have no idea what a life saver you have been!
  20. Broni Malware Annihilator Posts: 39,231   +175

    You're very welcome