TechSpot

Trojan.Win32.Obfuscated.bl doesn't go away

By Jaguarsworld
Feb 6, 2007
  1. Hello, I have tried to remove Trojan.Win32.Obfuscated.bl by looking at some earlier threads on how to remove this Trojan and am not sure if I succeeded or not. I use Kaspersky, Adaware, AVG AntiSpyware. Here is my HIJACKTHIS log:
    It is an attachment.

    Any help in determining if I have the Trojan would be helpful. Thank you.
    If someone can please help me, I would appreciate it.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    I can find no info for this file elsecash.exe. Unless you know for a fact it's safe, please do the following.

    Please visit this link http://virusscan.jotti.org/
    * Click the Browse... button
    * Navigate to the following file C:\DOCUME~1\Owner\APPLIC~1\proxydebug\elsecash.exe
    * Click Open
    * Please let me know the results.

    I'd also like you to install, run and post an AVG Antispyware log as per the instructions in this thread HERE.

    Regards Howard :wave: :wave:

    This thread is for the use of Jaguarsworld only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. Jaguarsworld

    Jaguarsworld TS Rookie Topic Starter

    That file is an instance of the TROJAN

    Hello Howard

    Thank you for your prompt response. I apologize for not posting the AVG scan report; I did have the report but forgot to post it. I followed all your instructions before my first post. In any case, I checked that file and clicked on fix in HijackThis because I already knew this was an instance of the trojan. I have included the AVG report and a Kaspersky report in this post. I have also included a fresh HijackThis log. Thanks for your help.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    elsecash.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O4 - HKCU\..\Run: [Stop Burn] C:\DOCUME~1\Owner\APPLIC~1\proxydebug\elsecash.exe

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

    O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\DOCUME~1\Owner\APPLIC~1\proxydebug <- Delete the entire folder.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and let me know if you're still having problems.

    Regards Howard :)

    This thread is for the use of Jaguarsworld only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
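
    As an added illustration (not part of the original thread and not any poster's code): a small Python triage pass over the HijackThis entries listed in the post above, flagging the properties that make each one worth reviewing. The rules, the names `triage` and `SAMPLE_LOG`, and the last sample line are assumptions made up for this example.

```python
import re

# The four entries quoted in the post above, plus one constructed benign
# entry (the last line) for contrast.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [Stop Burn] C:\DOCUME~1\Owner\APPLIC~1\proxydebug\elsecash.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe"
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")                      # "O4 - <body>"
RUN = re.compile(r"^(HK\w+)\\.*?Run\w*: \[(.*?)\] (.*)$")   # hive, value name, command
# Per-user profile folders that any unprivileged process can write to,
# matched in both long and 8.3 short-name form (DOCUME~1, APPLIC~1).
USER_WRITABLE = re.compile(
    r"\\(documents and settings|docume~\d)\\[^\\]+"
    r"\\(application data|applic~\d|local settings|locals~\d)\\", re.I)

def triage(log):
    """Return (section, body, reasons) for every entry that needs a look."""
    findings = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        reasons = []
        if body.endswith("(file missing)"):
            reasons.append("target file missing (orphaned entry)")
        if section == "O4":
            run = RUN.match(body)
            if run and USER_WRITABLE.search(run.group(3)):
                reasons.append("autostart from user-writable profile path")
        if section == "O16" and re.search(r"https?://", body):
            reasons.append("downloaded ActiveX control, confirm it is still wanted")
        if reasons:
            findings.append((section, body, reasons))
    return findings

if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {'; '.join(reasons)}\n    {body}")
```

    The Run entry pointing into `APPLIC~1\proxydebug` is the only one flagged as an autostart from a profile path; the Program Files entry is not reported.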
     
  5. biggidy

    biggidy TS Rookie

    mothantrojan

    Have you tried XoftSpy run in safe mode?
     
  6. Jaguarsworld

    Jaguarsworld TS Rookie Topic Starter

    Followed your Instructions

    Hello,
    I have followed all of your instructions. There was no instance of elsecash.exe and there was no proxydebug folder anymore. I think it is gone. I have attached the hijackthis log. I am curious though as to why Kaspersky detected this Trojan a few times at first but then did not detect it anymore while it was still there? Any ideas?

    Thank you very much for all your help.
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    I have no idea why Kaspersky would detect it, then not detect it, unless of course it was able to neutralise it in some way. Anyhow, it's not showing up in your HJT log, so that's good.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of Jaguarsworld only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  8. Jaguarsworld

    Jaguarsworld TS Rookie Topic Starter

    Win32.Trojan.Agent, Trojan.IrcHole, Trojan.Keygen.s cleaned but still have infection

    Hello, I have posted here before and received help from you guys. Thank you very much. This is a different computer, and I recently discovered a trojan on this machine (Win32.Trojan.Agent). I had Kaspersky and it expired, so I downloaded Avast and it detected this threat. The original problem was that explorer.exe was attempting to access the internet and I would block it via ZoneAlarm; however, I let it through once to see what it was and Avast immediately detected a trojan. When I started running all the tools and fixes from your preliminary removal instructions, I noticed there were a few other threats. I have followed all of your instructions and it appears that all the threats have been eliminated; however, I still think I am infected. My logs are attached.
    Panda found no rootkits and VundoFix restarted the computer. Thank you in advance for the help.
     
  9. momok

    momok TS Rookie Posts: 2,265

    Hi,

    1. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    2. Save this as CFScript on the desktop.
    3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    4. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
      Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to hang.

    Thereafter, please post fresh HJT and AVG Antispyware logs and the resultant ComboFix log from the above instructions as attachments into this thread.


    Regards,
    momok =)

    This thread is for the use of Jaguarsworld only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
     
  10. Jaguarsworld

    Jaguarsworld TS Rookie Topic Starter

    Followed Your Instructions Logs Attached

    Thank you Momok, I followed your instructions and the logs are attached. Were the WildTangent and Blackhawk Striker 2 infected? If so, I will delete the download and not use it anymore. Thank you again for your help.
     
  11. Jaguarsworld

    Jaguarsworld TS Rookie Topic Starter

    The ComboFix log was too big for an attachment, so I split it into two attachments.

    Thanks for all your help.
     
  12. Jaguarsworld

    Jaguarsworld TS Rookie Topic Starter

    Win32:TratBHO [Trj] Trojan Horse Found

    Avast has notified me that Win32:TratBHO [Trj] Trojan Horse has been found.
    I think I may be infected with something else but am not sure. Please help me out. Thanks in advance.
     
  13. Jaguarsworld

    Jaguarsworld TS Rookie Topic Starter

    Can someone please review my logs? Greatly appreciated.

    I also wanted to mention that there is no rootkit based on the Panda results.
     
Topic Status:
Not open for further replies.
