Solved kaspersky found trojan virus

pcvista
Kaspersky found a trojan virus in c:\windows\system32\services.exe, and when I try to neutralize it nothing happens. I've scanned that file myself and it finds nothing, and I did a full scan as well and it finds nothing. So what can I do?

Attached is a HijackThis log with my PC info.
 

Attachments

  • hijackthis.log
    8.6 KB · Views: 79


twex.exe is a variant of ZBot, which is a password and personal information stealer.

First let's flush your DNS cache and restore MS's original Hosts file.

Copy and paste these lines into Notepad.
@Echo on
rem Go to the folder that holds the hosts file (path is relative to the system drive)
pushd \windows\system32\drivers\etc
rem Clear the hidden/system/read-only attributes so the file can be overwritten
attrib -h -s -r hosts
rem Replace the hosts file with the single stock entry
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
rem Release the DHCP lease, renew it and flush the DNS resolver cache
ipconfig /release
ipconfig /renew
ipconfig /flushdns
rem Reset the Winsock catalog and the TCP/IP stack, then reboot in one second
netsh winsock reset all
netsh int ip reset all
shutdown -r -t 1
rem The batch file deletes itself
del %0


Save it as flush.bat on your desktop. Right-click the .bat file and choose Run as Administrator. Your computer will reboot itself.

After rebooting download Malwarebytes' Anti-Malware to your desktop
|MG| Malwarebytes Anti-Malware 1.46 Download
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location. Copy and Paste that log into your next reply.
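The batch file above replaces the hosts file wholesale. As an added example that is not part of Jacee's post or of any tool named in this thread, here is a Python audit that parses a hosts file and reports every entry other than the stock localhost mappings, which is the kind of change a stealer of the ZBot family makes to redirect banking or update hostnames. The sample file contents are constructed for the example; the 203.0.113.7 address and the .test hostnames are placeholders.

```python
"""Audit a Windows hosts file for entries that do not belong there.

Added example, not from the forum thread or from any of the tools it names.
A stock Windows hosts file contains only comments and the loopback entries
for ``localhost``; anything else is either a deliberate admin override or
tampering and deserves a look.
"""
import ipaddress

# Sample hosts file contents (constructed for this example; the last two
# lines stand in for the kind of entries a password stealer would add).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
::1             localhost
203.0.113.7     www.example-bank.test
203.0.113.7     update.example-av.test  # comment after entry
"""

# Hostnames the stock file maps to loopback.
LOOPBACK_NAMES = {"localhost"}


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for every active entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments, blank lines
        if not line:
            continue
        parts = line.split()
        yield line_no, parts[0], parts[1:]


def audit_hosts(text):
    """Return a list of findings: (line_no, reason, address, hostnames)."""
    findings = []
    for line_no, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, "unparseable address", addr, names))
            continue
        if ip.is_loopback and all(n.lower() in LOOPBACK_NAMES for n in names):
            continue  # the stock Microsoft entries (127.0.0.1 / ::1 localhost)
        if ip.is_loopback:
            # Mapping a real hostname to loopback silently blocks it,
            # a classic way to stop AV update servers from being reached.
            reason = "loopback mapping for non-localhost name (blocks the host)"
        else:
            # Mapping a hostname to some other address hijacks resolution.
            reason = "non-loopback redirect (hijacks name resolution)"
        findings.append((line_no, reason, addr, names))
    return findings


if __name__ == "__main__":
    for line_no, reason, addr, names in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {addr} -> {', '.join(names)}: {reason}")
```

On a live machine you would feed `audit_hosts` the contents of `%SystemRoot%\system32\drivers\etc\hosts` (the same file the batch script rewrites) instead of the constructed sample; a clean stock file produces no findings, which makes the check a quick way to confirm the restore took effect.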
 

My Computer

System One

  • Manufacturer/Model
    Bruce ... somewhere in his 40's
    CPU
    Intel(R) Core(TM)2 Quad CPU
    Motherboard
    INTEL/D975XBX2
    Memory
    4 GB
    Graphics Card(s)
    ATI Radeon HD 2600 Pro
    Monitor(s) Displays
    Samsung SyncMaster 914v
    Screen Resolution
    1280 x 1024
    Hard Drives
    2/500GB each ... ST3500630AS ATA Device.
    One is not connected
    PSU
    Rocketfish 700 W
    Case
    G.Skill Gigabyte Chassis
    Keyboard
    Standard PS/2 Keyboard
    Mouse
    Microsoft PS/2 Mouse
    Internet Speed
    DSL
    Other Info
    ATI HDMI Audio
Malwarebytes runs with pretty much every AV program I've ever heard about with no problems (unlike many or maybe even most other programs). But make sure that Kaspersky isn't scheduled to do a scan at the same time that you run the Malwarebytes scan (it wouldn't be good to run both scans at the same time - I don't know that it would cause a problem, but let's avoid it just to be on the safe side). Keep in mind it could take a few hours for a full scan depending on the amount of data you need to scan on however many drives/partitions you need to scan. You're safe running it without disabling or uninstalling Kaspersky.

Remember, Malwarebytes is just scanning and then it can remove what it finds - it is not operating in real time to protect your system so you should definitely leave Kaspersky enabled even during the Malwarebytes scan if you intend to go online (just make sure it isn't scheduled to scan and if so, disable the scan or delay it or whatever is necessary to keep it from starting until the Malwarebytes scan is complete).

In fact, you may want to keep Malwarebytes installed and update and run Malwarebytes every few weeks or month or so just as a backup to catch anything that might have been missed. I do that myself (though my primary program is MSE). It rarely catches anything because MSE is very good, but sometimes it does and so I'm happy to have it and glad I have this good habit.

I hope this helps and that the above suggestions and Malwarebytes resolve the problem. If not, there are other options available - so don't worry, we'll get rid of this infection (and perhaps other infections not noticed at the same time). The mere fact that it has been identified is an excellent sign, as solutions for identified variants are easier to locate and are often included in some of the more common anti-malware tools already. I suspect that may be at least one of the reasons why this product was recommended (besides the fact that it is very good in general).

Good luck!
 

My Computer

System One

  • Manufacturer/Model
    Dell Inc. MP061 Inspiron E1705
    CPU
    2.00 gigahertz Intel Core 2 Duo 64 kilobyte primary memory
    Motherboard
    Board: Dell Inc. 0YD479 Bus Clock: 166 megahertz
    Memory
    2046 Megabytes Usable Installed Memory
    Graphics Card(s)
    ATI Mobility Radeon X1400 (Microsoft Corporation - WDDM) [Di
    Sound Card
    SigmaTel High Definition Audio CODEC
    Monitor(s) Displays
    Generic PnP Monitor (17.2"vis)
    Screen Resolution
    1920 x 1200 pixels
    Hard Drives
    Hitachi HTS541616J9SA00 [Hard drive] (160.04 GB) -- drive 0, s/n SB2411SJGLLRMB, rev SB4OC74P, SMART Status: Healthy
    Case
    Chassis Serial Number: 5YK95C1
    Keyboard
    Standard PS/2 Keyboard
    Mouse
    Logitech HID-compliant Cordless Mouse
    Internet Speed
    1958 Kbps download ; 754.8 Kbps upload
    Other Info
    Optiarc DVD+-RW AD-5540A ATA Device [CD-ROM drive]

    Dell AIO Printer A940

    Conexant HDA D110 MDC V.92 Modem

    6TO4 Adapter
    Broadcom 440x 10/100 Integrated Controller
    Broadcom 802.11n Network Adapter
    Microsoft ISATAP Adapter
    Teredo Tunneling Pseudo-Interface

    Router Linksys / WRT54G -01
Thank you for your response, lorien. I ran Malwarebytes and it found 6 infected objects, which I removed.

Here is the log from it, as Jacee asked, attached.
 

Attachments

  • mbam-log-2010-09-05 (15-42-09).txt
    1.6 KB · Views: 100


I'm nowhere near a malware cleanup expert so I have nothing to offer here in terms of resolving the problem when someone like Jacee is already involved, but from viewing other threads on the subject, the expert often likes to see another MBAM log after the cleanup (if something was found) to confirm that nothing else is found or remains. Perhaps while waiting for Jacee, you could re-run MBAM and attach an updated log to verify how it now looks after the cleanup. I'm in no way trying to take over her job here - I'm just suggesting something to do while awaiting her reply that may assist her (and shouldn't be much trouble to do).

I hope this helps both of you.

Good luck!
 

Change all your passwords using a known 'clean' computer. Do not use the infected one to do this.

Please download TFC by OldTimer (TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums) and save it to your desktop.

Save any unsaved work. TFC will close ALL open programs including your browser!
On Vista/Windows 7, right-click the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.

Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. It also cleans out the %systemroot%\temp folder and checks for .tmp files in the %systemdrive% root folder, %systemroot%, and the system32 folder (both 32bit and 64bit on 64bit OSs). It shows the amount removed for each location found (in bytes) and the total removed (in MB). Before running, it will stop Explorer and all other running apps.
TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail.

Rescan with Malwarebytes' Anti-Malware and post a fresh log.
 

OK, done. Is it really necessary for me to do another full Malwarebytes scan since it already deleted everything it found? Just wondering.
 


If it was my computer with a ZBot trojan, I'd gladly run a deep scan again!
 

OK, will do. Also, do you know it's a ZBot trojan from the virus I posted or from my HijackThis file, and how certain is it/are you? Just basically wondering about it, that's all.
Running a new malware scan at the moment too.
 

OK, thanks for that info, Jacee, and here is my new Malwarebytes scan log as asked.
 

Attachments

  • mbam-log-2010-09-06 (21-44-41).txt
    918 bytes · Views: 46


Looks good! Now run Kaspersky in full mode (not quick scan) and report?
 

I've done it and it found nothing, I've cleared the virus from the list, and Kaspersky says I'm protected with no active threats, so everything looks good. What about this ZBot virus, is it gone? Am I good now? ;p
 


Let's take one more look.

Download DDS from one of these links:
Mirror 1 Mirror 2 Mirror 3
  • Disable any script blocking protection
  • Right click the dds icon to run the tool as Administrator.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt <--- this will be minimized in the task tray
  • Save both reports to your desktop.
Include the contents of both logs in your next reply.
 

It didn't give me an option to choose Run as Administrator, so I just opened it regularly.
 

Attachments

  • DDS.txt
    18.4 KB · Views: 58
  • Attach.zip
    2.3 KB · Views: 3


Pcvista, why do you have a file on your computer called Keygen? Located here: C:\Users\shua\Desktop\Keygen.exe

What is it for, and why do you use it?

Tom
 

My Computer

System One

  • Manufacturer/Model
    Build #1
    CPU
    Intel Core i7 3770K @4.4GHz
    Motherboard
    ASUS P8Z77-V PRO
    Memory
    Corsair Vengeance 2x4GB DDR3 1600MHz Low Profile (White)
    Graphics Card(s)
    Gigabyte Radeon HD 7850 (2GB GDDR5)
    Sound Card
    Integrated on motherboard
    Monitor(s) Displays
    23" LG LCD/LED IPS
    Screen Resolution
    1920*1080
    Hard Drives
    Samsung EVO 128GB SSD
    Seagate Barracuda 2TB 7200rpm
    2x500GB Seagate FreeAgent 5400rpm
    PSU
    Corsair TX650W V2 (80+ Bronze)
    Case
    NZXT Phantom 410
    Cooling
    Corsair H100 Water Cooler, 1x140mm and 1x120mm stock fans
    Keyboard
    Microsoft Desktop 2000 Wireless Keyboard
    Mouse
    Microsoft Desktop 2000 Wireless Mouse
    Internet Speed
    95 Mb/s Download 70 Mb/s Upload
Download HijackThis™ here:
HijackThis - Trend Micro USA
Right click on it and choose "Run as Administrator". Click 'Do a System Scan and Save logfile'.
The HJT log will open in notepad. Copy and paste the log in your next reply.
 

Viruses and malware usually do their best to hide themselves behind innocent names. You would never find a virus with a name such as "virus.exe", for obvious reasons. It is therefore fairly safe to assume that "conhost" does not relate to a con-job. AFAIK, it gets invoked by the Command Processor and "con" relates to "Console".
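One mechanical check behind the point above, as an added example that is not part of this thread: compare each running process's image path against the folder Windows keeps that binary in, so that a file borrowing a system name such as conhost.exe or services.exe but living somewhere else stands out. The expected-location table and the sample process list are constructed for the example; on a real machine the (pid, path) pairs would come from the process list. Note that this check would not have flagged the file in the opening post, which sat in its normal System32 folder, so it complements rather than replaces an AV scan.

```python
"""Flag processes whose name matches a core Windows binary but whose image
path is not where Windows keeps that binary.

Added example, not from the thread. The expected-location table covers a
few well-known system binaries only; extend it for your own environment.
"""
import ntpath

# Directories from which each core binary legitimately runs (lower-cased).
# Constructed for this example; SysWOW64 is listed for svchost because the
# 32-bit host runs from there on 64-bit Windows.
EXPECTED_DIRS = {
    "services.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "conhost.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# Constructed sample: (pid, image path). The last two entries mimic the
# "innocent name, wrong folder" pattern the post above describes.
SAMPLE_PROCESSES = [
    (540, r"C:\Windows\System32\services.exe"),
    (612, r"C:\Windows\System32\lsass.exe"),
    (1344, r"C:\Windows\System32\conhost.exe"),
    (2012, r"C:\Windows\explorer.exe"),
    (3100, r"C:\Users\someone\AppData\Roaming\svchost.exe"),
    (3188, r"C:\Windows\Temp\services.exe"),
]


def check_image_path(path):
    """Return None if the path is consistent with the file name, else a reason.

    Uses ntpath so Windows paths are split correctly on any host OS.
    """
    directory, name = ntpath.split(path)
    name = name.lower()
    directory = directory.lower().rstrip("\\")
    expected = EXPECTED_DIRS.get(name)
    if expected is None:
        return None          # not a name we hold an expectation for
    if directory in expected:
        return None          # running from a legitimate location
    return (f"{name} running from {directory!r}, "
            f"expected one of {sorted(expected)}")


def find_lookalikes(processes):
    """Return [(pid, path, reason)] for every process that fails the check."""
    hits = []
    for pid, path in processes:
        reason = check_image_path(path)
        if reason:
            hits.append((pid, path, reason))
    return hits


if __name__ == "__main__":
    for pid, path, reason in find_lookalikes(SAMPLE_PROCESSES):
        print(f"PID {pid}: {reason}")
```

The comparison is on directory only, which keeps the table small and avoids false positives from case differences; a stricter version would also verify the file's digital signature, since a correctly placed file can still have been replaced.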
 


I believe that was an infected file that Malwarebytes deleted, Tom, and I don't know how it got there.

Here is my new HijackThis log, Jacee.
 

Attachments

  • hijackthis.log
    8 KB · Views: 43
