Old 04-13-2009, 01:09 PM   #1 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 12
OS: XP sp3


Trojan.trace, trojan.bot am i clean?

Some time ago I had a problem with a trojan on my laptop. With the help of this forum I was able to remove it and upgraded my security measures. I have been ensuring all software was patched and up to date. I had employed SpywareBlaster and the immunize feature of Spybot Search and Destroy. I use McAfee antivirus enterprise, Comodo firewall (includes defence+) and also Comodo BOClean. Windows XP is kept up to date. I do not use P2P software nor have I downloaded any cracked programs.

Yesterday I received a message from Windows stating McAfee was out of date, unusual as it never had been before. The DAT file was dated 2nd of April - so it was indeed out of date, but using the autoupdate did not fix it. I fixed it manually with dat update and patch. As a precaution I ran Malwarebytes Anti-Malware in both normal and safe mode and this detected a trojan.trace and a trojan.bot which it cleaned. I have since run Malwarebytes and McAfee scans and both come up clean. I have no idea how these trojans came to be as since my first problem I have been very security conscious and consider myself reasonably computer literate. Perhaps they were old remnants not totally cleared? It is very frustrating to have something again when I had been using many precautions.

I am hopeful they have been successfully removed but I was wondering if a volunteer would be able to spare the time to check my logs and confirm for me. Many thanks - Boffinboy

DDS log:-


DDS (Ver_09-03-16.01) - NTFSx86
Run by Boffinboy at 14:54:17.23 on 13/04/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1012 [GMT 1:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)
FW: COMODO Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\ASUS\Wireless Console 2\wcourier.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
C:\Program Files\Comodo\COMODO Internet Security\cfp.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Boffinboy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbc.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://uk.mcafee.com/apps/vsh10/en-gb/redir.asp?affid=0-84&installtype=force&langid=40&systempopup=true
uInternet Settings,ProxyServer = poseidon.jesus.cam.ac.uk:2080
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\Scriptcl.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Syncplicity] c:\program files\syncplicity\Syncplicity.exe
mRun: [HControl] c:\windows\atk0100\HControl.exe
mRun: [Wireless Console 2] c:\program files\asus\wireless console 2\wcourier.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\asustek\asusdvd\PDVDServ.exe"
mRun: [Power_Gear] c:\program files\asus\power4 gear\BatteryLife.exe 1
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [BOC-427] c:\progra~1\comodo\cboclean\BOC427.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\boffin~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174649055890
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\boffin~1\applic~1\mozilla\firefox\profiles\p3iuxwf6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - plugin: c:\documents and settings\boffinboy\application data\mozilla\firefox\profiles\p3iuxwf6.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npff_gdm.dll

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-12-27 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-12-27 24336]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2009-1-27 31848]
R2 BOCore;BOCore;c:\program files\comodo\cboclean\BOCore.exe [2008-12-27 73464]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2008-12-27 700152]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-1-16 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2009-1-27 144704]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2009-1-27 54608]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-12-23 73512]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-12-23 34408]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-12-23 177864]
S3 BT4501G;SpeedTouch 121g Wireless USB Adapter Driver;c:\windows\system32\drivers\bt4501g.sys --> c:\windows\system32\drivers\BT4501G.sys [?]

=============== Created Last 30 ================

2009-04-12 23:02 3,012,768 a------- c:\temp\spywareblastersetup42.exe
2009-04-12 22:46 <DIR> --d----- c:\temp\mcafee patch
2009-04-12 22:46 10,441,995 a------- c:\temp\VSE85P8.Zip
2009-04-12 22:46 13,766,656 a------- c:\temp\McAfeeAgent4.exe
2009-04-12 22:35 <DIR> --d----- c:\docume~1\boffin~1\applic~1\McAfee
2009-04-12 22:35 306,864 a------- c:\temp\mvtapp.exe
2009-04-12 15:18 <DIR> --d----- c:\documents and settings\boffinboy\Tracing
2009-04-12 15:11 <DIR> --d----- c:\program files\Microsoft
2009-04-12 15:10 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-04-12 15:06 <DIR> --d----- c:\program files\common files\Windows Live
2009-04-11 17:12 254,237,272 a------- c:\temp\mow-singleplayer-demo.exe
2009-04-10 01:22 784 a------- c:\docume~1\boffin~1\applic~1\mpauth.dat
2009-04-09 13:25 823,152 a------- c:\temp\WindowsXP-KB938759-x86-ENU.exe
2009-04-04 11:53 16,742,799 a------- c:\temp\vlc-0.9.9-win32.exe
2009-04-03 14:25 <DIR> --d----- c:\docume~1\boffin~1\applic~1\QuosaDDM
2009-04-03 14:04 <DIR> --d----- c:\program files\LyX 1.6.2
2009-04-03 14:03 7,631,129 a------- c:\temp\LyX-162-4-18-AltInstaller-Update.exe
2009-03-31 11:38 3,542,456 -------- c:\temp\HSS-1.13-install-anchorfree-76-conduit.exe
2009-03-31 11:37 3,506,721 a------- c:\temp\HSS-1.13-install-anchorfree-76-conduit.zip
2009-03-27 23:21 <DIR> --d----- c:\program files\Remotepad server
2009-03-27 23:21 39,716 a------- c:\temp\RemotePadServer-2.0-Windows.zip
2009-03-26 18:37 1,536 a------- c:\windows\system32\bcevent.dll
2009-03-26 18:37 <DIR> --d----- c:\program files\Traffic Shaper XP Server
2009-03-26 18:34 4,476,928 a------- c:\temp\TrafficShaperXpSetup.exe
2009-03-21 23:59 <DIR> --d----- c:\program files\VLC
2009-03-21 23:57 16,320,472 a------- c:\temp\vlc-0.9.8a-win32.exe
2009-03-20 23:27 27,136 a------- c:\windows\system32\drivers\tapvpn.sys
2009-03-19 13:07 5,632 a------- c:\windows\system32\ptpusb.dll
2009-03-19 13:07 159,232 a------- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 00:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-06 00:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-02-26 19:42 155,384 a------- c:\windows\system32\guard32.dll
2009-02-26 19:42 110,992 a------- c:\windows\system32\drivers\cmdguard.sys
2009-02-20 16:52 24,336 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 12:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-01-16 22:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2007-12-14 15:33 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-09-12 17:44 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091220080913\index.dat

============= FINISH: 14:57:17.95 ===============
Attached Files
File Type: zip Attach.zip (6.4 KB, 3 views)
Boffinboy is offline  

Old 04-16-2009, 04:03 PM   #2 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 12
OS: XP sp3


Re: Trojan.trace, trojan.bot am i clean?

BUMP, please
Boffinboy is offline  
Old 04-16-2009, 05:03 PM   #3 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista


Re: Trojan.trace, trojan.bot am i clean?

Hello Boffinboy,

I'm not seeing any malware in your logs. Oftentimes these anti-malware programs will find orphaned entries and remove them. Did you happen to save the Malwarebytes scan report? It would be most helpful to see the full entry that was detected and removed.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 04-16-2009, 05:21 PM   #4 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 12
OS: XP sp3


Re: Trojan.trace, trojan.bot am i clean?

Hi Ried thanks for your help, I performed a quick scan which cleared a couple of registry entries. The log for that is below. I then performed another quick scan which came up all clear. I then performed a full scan in safe mode which detected another file classed as trojan.bot but unfortunately MBAM didn't save a log for this scan. If I remember correctly the file it detected and cleared was a dll file located in my mIRC folder. I am hoping they are just leftovers from the old infection that have been picked up by newer MBAM updates! Here is the log for the initial quick scan:-

Malwarebytes' Anti-Malware 1.36
Database version: 1971
Windows 5.1.2600 Service Pack 3

12/04/2009 23:17:58
mbam-log-2009-04-12 (23-17-58).txt

Scan type: Quick Scan
Objects scanned: 84892
Time elapsed: 7 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Radeon Omega Drivers v3.8.231 Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
Boffinboy is offline  
Old 04-16-2009, 06:23 PM   #5 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 12
OS: XP sp3


Re: Trojan.trace, trojan.bot am i clean?

It's just occurred to me that the dll may have been malware.bot rather than trojan.bot, but without the log I can't say for certain!
Boffinboy is offline  
Old 04-16-2009, 09:52 PM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista


Re: Trojan.trace, trojan.bot am i clean?

Quote:
am hoping they are just leftovers from the old infection that have been picked up by newer MBAM updates!
I'm inclined to believe that is the case here. It's also possible that you happened across a legit site that has weak security and had some code parked on it.

I'd feel better if we performed an online scan to search for any remnants that may be lurking about. It can take some time, so please be patient and allow it to run its full course:


**Vista users - right click on the IE icon and run as administrator


Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
Ried is offline
Old 04-17-2009, 06:16 AM   #7 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 12
OS: XP sp3


Re: Trojan.trace, trojan.bot am i clean?

Hi Ried, looks like the scan didn't detect anything.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, April 17, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, April 17, 2009 10:10:12
Records in database: 2053377
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 135752
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:52:24


File name / Threat name / Threats count
C:\Temp\Laptop software\mirc617.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1

The selected area was scanned.
Boffinboy is offline  
Old 04-17-2009, 07:15 AM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista


Re: Trojan.trace, trojan.bot am i clean?

Hi Boffinboy. Given the results of the online scan, I feel you've nothing to be concerned about. Continue to periodically scan your system with your anti-malware tools and let them do their job.
Ried is offline
Old 04-17-2009, 09:03 AM   #9 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 12
OS: XP sp3


Re: Trojan.trace, trojan.bot am i clean?

Thanks for your help Ried, your forum is a great resource and your time is much appreciated!
Boffinboy is offline  
Old 04-17-2009, 11:28 AM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista


Re: Trojan.trace, trojan.bot am i clean?

You're quite welcome.

Enjoy the weekend.
Ried is offline