Author Topic: Did I remove the virus? please help  (Read 6330 times)


January 26, 2015, 02:31:12 AM

Greekhorses

Did I remove the virus? please help
« on: January 26, 2015, 02:31:12 AM »
Hello everyone! Today Windows kept asking me "Do you want to let this program make changes to your system registry?" The program was located in my Windows folder somewhere and the signature was "Microsoft Windows," but I was not comfortable with it and hit No. However, every time I hit No, the message would reappear. So I rebooted into safe mode and ran Malwarebytes Anti-Malware, which found 3 instances of "Trojan.agent.ed". It then quarantined the virus.

One of the instances was somewhere in my program files with a bunch of numbers as the name. When I rebooted the computer back to normal mode, I saw a message "program files/#######" (those same numbers) could not be loaded because the module is not detected. I figured this means the malicious file is deleted, but why was the computer still trying to run it unless it's not completely gone? So I also ran TDSSKiller, which detected 0 harmful objects, and now just ran RogueKiller. I am pasting the report below... please let me know if you see anything suspicious indicating maybe this is not over! Thank you so much!!!


"RogueKiller V10.2.0.0 (x64) [Jan 19 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : David [Administrator]
Mode : Scan -- Date : 01/25/2015  20:11:49

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 15 ¤¤¤
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670} -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-212433180-803636607-2174226894-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://google.com/  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-212433180-803636607-2174226894-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://google.com/  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 138.5.1.12 138.5.50.6 [UNITED STATES (US)][UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 138.5.1.12 138.5.50.6 [UNITED STATES (US)][UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4F3814B6-8598-4A27-A2CD-A72C18A6DBDD} | DhcpNameServer : 138.5.1.12 138.5.50.6 [UNITED STATES (US)][UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B779DA7D-7D87-489D-8BA9-D51864E271F5} | DhcpNameServer : 167.206.13.180 167.206.13.181 [UNITED STATES (US)][UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{4F3814B6-8598-4A27-A2CD-A72C18A6DBDD} | DhcpNameServer : 138.5.1.12 138.5.50.6 [UNITED STATES (US)][UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B779DA7D-7D87-489D-8BA9-D51864E271F5} | DhcpNameServer : 167.206.13.180 167.206.13.181 [UNITED STATES (US)][UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{4F3814B6-8598-4A27-A2CD-A72C18A6DBDD} | DhcpNameServer : 138.5.1.12 138.5.50.6 [UNITED STATES (US)][UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{B779DA7D-7D87-489D-8BA9-D51864E271F5} | DhcpNameServer : 167.206.13.180 167.206.13.181 [UNITED STATES (US)][UNITED STATES (US)]  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST9500325AS +++++
--- User ---
[MBR] 633ea7197a9e358f05b868bc912e08cc
[BSP] 1fab275b97c437161528e64b7ee29c34 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 199 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 409600 | Size: 456072 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 934445056 | Size: 20564 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 976560128 | Size: 103 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: ST9500325AS +++++
--- User ---
[MBR] ae5d670a644185961373c2d34ddb7fc3
[BSP] 4eaeca9bbf9155d253dbdf2ff2bb623a : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476938 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK"

Thank you again!

Reply #1, January 26, 2015, 03:48:48 PM

Curson

Re: Did I remove the virus? please help
« Reply #1 on: January 26, 2015, 03:48:48 PM »
Hi Greekhorses,

Welcome to Adlice.com Forum.

Your report is clean.
Could you post Malwarebytes Anti-Malware's report in your next reply?

Regards.

Reply #2, January 26, 2015, 08:59:53 PM

Greekhorses

Re: Did I remove the virus? please help
« Reply #2 on: January 26, 2015, 08:59:53 PM »
Thank you so much for your reply and information!
Below is the log of the anti-malware scan that picked up the virus.
I would also like to contribute that I used Emsisoft Emergency Kit (which found 14 "no risk" PUPs) and Malwarebytes Anti-Rootkit Beta, which came out clean.

"Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 1/25/2015
Scan Time: 5:24:55 PM
Logfile:
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.25.11
Rootkit Database: v2015.01.14.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: David

Scan Type: Custom Scan
Result: Completed
Objects Scanned: 579718
Time Elapsed: 2 hr, 22 min, 56 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 3
Trojan.Agent.ED, C:\Users\David\AppData\Local\Temp\KefP.dll, Quarantined, [dd74a94e414821159455f020768c2ad6],
Trojan.Agent.ED, C:\Users\David\AppData\Local\Temp\MOBl.dll, Quarantined, [8fc207f0216879bdf4f5c9476e9452ae],
Trojan.Agent.ED, C:\ProgramData\830F35847.cpp, Quarantined, [d67b2acd31588babf0f9b35d966c44bc],

Physical Sectors: 0
(No malicious items detected)


(end)"

Please let me know if there is more I should do, thank you again!

Reply #3, January 26, 2015, 11:35:56 PM

Curson

Re: Did I remove the virus? please help
« Reply #3 on: January 26, 2015, 11:35:56 PM »
Hi Greekhorses,

It is quite possible that these detections are false positives.
Quote:
Trojan.Agent.ED, C:\ProgramData\830F35847.cpp, Quarantined, [d67b2acd31588babf0f9b35d966c44bc]
This element is a C++ source file and it cannot be malicious on its own.

Could you please restore it and attach it within your next reply?

Regards.
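For readers triaging reports like the two quoted in this thread, here is an added Python example (not code from Adlice, Malwarebytes or either poster). It parses the Malwarebytes "Files:" lines and the RogueKiller "Registry" lines into records, groups the RogueKiller hits by family (PUM, a potentially unwanted settings modification, versus PUP), pulls the DHCP DNS servers out of a PUM.Dns entry so they can be compared with the resolvers you expect, and flags quarantined files whose extension Windows does not load directly, which is the point Curson makes about the .cpp file. The sample lines are copied from the reports above and trimmed to a constructed excerpt; the regular expressions and the extension list are this example's own assumptions, not a documented log grammar from either tool.

```python
"""Parse the two scan-report formats quoted in this thread into records.

Added example for this thread, not Adlice or Malwarebytes code. The sample
sections below are constructed excerpts copied from the reports posted above.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt of the Malwarebytes "Files:" section from Reply #2.
MBAM_FILES_SECTION = r"""Files: 3
Trojan.Agent.ED, C:\Users\David\AppData\Local\Temp\KefP.dll, Quarantined, [dd74a94e414821159455f020768c2ad6],
Trojan.Agent.ED, C:\Users\David\AppData\Local\Temp\MOBl.dll, Quarantined, [8fc207f0216879bdf4f5c9476e9452ae],
Trojan.Agent.ED, C:\ProgramData\830F35847.cpp, Quarantined, [d67b2acd31588babf0f9b35d966c44bc],
"""

# Constructed excerpt of the RogueKiller "Registry" section from the first post.
RK_REGISTRY_SECTION = r"""¤¤¤ Registry : 4 ¤¤¤
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670} -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-212433180-803636607-2174226894-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://google.com/  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 138.5.1.12 138.5.50.6 [UNITED STATES (US)][UNITED STATES (US)]  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
"""

# Assumed line shapes, inferred from the posted reports (not official grammars).
MBAM_LINE = re.compile(
    r"^(?P<threat>[^,]+), (?P<path>.+?), (?P<action>[A-Za-z ]+), \[(?P<ident>[0-9a-f]{32})\],?\s*$"
)
RK_LINE = re.compile(
    r"^\[(?P<category>[^\]]+)\] \((?P<arch>X64|X86)\) (?P<key>.+?)"
    r"(?: \| (?P<value>.+?))?\s+-> (?P<status>\w+)\s*$"
)
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Extensions Windows loads or runs directly. A quarantined file outside this set
# (the .cpp above) is source or data and cannot execute on its own. Assumed list.
DIRECTLY_EXECUTABLE = {".exe", ".dll", ".sys", ".scr", ".com", ".ocx", ".cpl", ".drv",
                       ".bat", ".cmd", ".vbs", ".js", ".wsf", ".ps1", ".msi", ".hta"}


@dataclass
class FileDetection:
    threat: str
    path: str
    action: str
    ident: str  # bracketed identifier as logged; a detection id, not a file hash


@dataclass
class RegistryHit:
    category: str            # e.g. "PUP" or "PUM.Dns"
    arch: str                # X64 or X86 view of the registry
    key: str
    value_name: Optional[str]
    data: Optional[str]
    status: str


def parse_mbam_files(text: str) -> List[FileDetection]:
    """Return one record per detection line in a Malwarebytes 'Files:' section."""
    hits = []
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            hits.append(FileDetection(m["threat"], m["path"], m["action"], m["ident"]))
    return hits


def parse_rk_registry(text: str) -> List[RegistryHit]:
    """Return one record per '[Category] (arch) key | value : data -> status' line."""
    hits = []
    for line in text.splitlines():
        m = RK_LINE.match(line.strip())
        if not m:
            continue  # section headers and blank lines
        name = data = None
        if m["value"]:
            name, _, data = m["value"].partition(" : ")
        hits.append(RegistryHit(m["category"], m["arch"], m["key"], name, data or None, m["status"]))
    return hits


def is_directly_executable(path: str) -> bool:
    """True when the file's extension is one Windows loads or runs by itself."""
    return ntpath.splitext(path)[1].lower() in DIRECTLY_EXECUTABLE


def category_counts(hits: List[RegistryHit]) -> Dict[str, int]:
    """Group hits by family: 'PUM.Dns' and 'PUM.HomePage' both count under 'PUM'."""
    counts: Dict[str, int] = {}
    for h in hits:
        family = h.category.split(".")[0]
        counts[family] = counts.get(family, 0) + 1
    return counts


def dns_servers(hit: RegistryHit) -> List[str]:
    """IPv4 resolvers from a PUM.Dns entry, for comparison with the expected ISP servers."""
    if hit.category != "PUM.Dns" or not hit.data:
        return []
    return IPV4.findall(hit.data)


if __name__ == "__main__":
    for f in parse_mbam_files(MBAM_FILES_SECTION):
        tag = "loadable" if is_directly_executable(f.path) else "NOT directly executable"
        print(f"{f.threat}  {f.path}  [{tag}]")
    reg = parse_rk_registry(RK_REGISTRY_SECTION)
    print("RogueKiller registry hits by family:", category_counts(reg))
    for h in reg:
        if dns_servers(h):
            print("DHCP DNS servers reported:", dns_servers(h))
```

Running it prints the three quarantined files with the .cpp entry marked as not directly executable, a family count of one PUP and three PUM entries, and the two DHCP resolvers from the PUM.Dns line; a PUM entry is a settings change rather than a file, so whether it matters depends on whether the value (home page, resolvers, hidden desktop icons) is one you set yourself.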