Possible Trojan Virus??

This is a discussion on Possible Trojan Virus?? within the Resolved HJT Threads forums, part of the Tech Support Forum category.

Old 07-29-2015, 12:56 PM   #1
Registered Member
Join Date: Jul 2015
Posts: 31
OS: windows 7

Hi. A couple of weeks ago I ran a full scan on MSE; it told me I had a Trojan:Win32/Dynamer!ac. I tried to remove this but the computer froze. I went on a malware support site and ran Kaspersky TDSSKiller, which found nothing. Further support asked me to run Farbar Recovery Scan and Malwarebytes Anti-Malware; again neither found anything. Computer declared OK. Since then it has been running very slow and takes ages to start up. A few days ago it went into Startup Repair when I switched it on. I found a file on the C drive containing mpasbase and mpavbase.vdm._p, which I believe are something to do with Microsoft Antivirus definitions.

If I still have a virus, what do I do now? And how did I get it? I always have MSE and update it. Have no access to a clean computer at the moment to change passwords etc. Have not done a backup as there is nothing in the files that I really need. I don't have a Windows install disc or boot CD. I've run DDS and hopefully you will receive the 2 logs.
Thanks in anticipation of your help.

Jane
Attached files: dds.txt (26.4 KB), attach.txt (7.8 KB)
janeymac65 is offline  
Old 07-29-2015, 11:55 PM   #2
Security Team
Analyst
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)

Hello janeymac65,

My name is Tolga and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Please download all requested tools to your Desktop and run them from there.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My native language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Now, let's get started, shall we?

========================================================

Please download Farbar Recovery Scan Tool and save it to your desktop.

Double-click FRST64 to run it. When the tool opens click Yes to the disclaimer.
Make sure the Addition.txt button is ticked.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
tekir06 is offline  
Old 07-30-2015, 07:47 AM   #3

Hello Tolga

Thanks for replying, just got home from work.
I've run Farbar and attach the results as asked. Hope to hear from you soon.

Thanks again

Jane
Attached files: FRST.txt (43.4 KB), Addition.txt (29.3 KB)
janeymac65 is offline  
Old 07-30-2015, 11:25 PM   #4

Hello Jane,

Thanks for the logs. Let's move on. Please follow the instructions below.

Open Notepad (Start > All Programs > Accessories > Notepad).
Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
Save it as fixlist.txt next to FRST.exe

NOTE: Both FRST.exe and the fixlist.txt must be in the same location or the fix will not work.
Code:
start
CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
SearchScopes: HKLM -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = https://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKLM-x32 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = https://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKU\S-1-5-21-2047564065-642253817-3008372363-1000 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = https://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
EmptyTemp:
end
Double-click FRST to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
tekir06 is offline  
Old 08-01-2015, 03:03 AM   #5

Hi Tolga
Sorry, I'm being a bit stupid. Can't find FRST.exe; maybe I didn't save it? What do I do now?
Thanks

Jane

I've got FRST64 saved as application in downloads which will run and the 2 logs saved.
janeymac65 is offline  
Old 08-01-2015, 12:53 PM   #6

Hello Jane,

You're welcome, no problem. FRST.exe is at the file path below, but please move it to the desktop. After that, follow my instructions.
Quote:
C:\Users\jane\Downloads
tekir06 is offline  
Old 08-01-2015, 01:57 PM   #7

Hi Tolga

Think I did it all ok.

Thanks
Jane

Loaded Profiles: jane (Available Profiles: jane)
Boot Mode: Normal
==============================================
fixlist content:
*****************
start
CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
SearchScopes: HKLM -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = {searchterms} - Ask.com Search
SearchScopes: HKLM-x32 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = {searchterms} - Ask.com Search
SearchScopes: HKU\S-1-5-21-2047564065-642253817-3008372363-1000 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = {searchterms} - Ask.com Search
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
EmptyTemp:
end
*****************
Restore point was successfully created.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}" => key removed successfully
HKCR\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}" => key removed successfully
HKCR\Wow6432Node\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827} => key not found.
"HKU\S-1-5-21-2047564065-642253817-3008372363-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}" => key removed successfully
HKCR\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827} => key not found.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
EmptyTemp: => 1.4 GB temporary data Removed.

The system needed a reboot..
==== End of Fixlog 21:40:49 ====
janeymac65 is offline  
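An added example, not part of the thread and not FRST's own tooling: a small Python parser for a Fixlog like the one above. It separates the echoed fixlist directives from FRST's per-target results (removed, not found, or anything unexpected) so a helper can check at a glance that every step ran as intended. The sample log is a constructed, shortened copy of the one posted, and the function names are my own.

```python
import re
from typing import Any, Dict

# Constructed sample in the layout of the Fixlog posted above (fixlist shortened).
SAMPLE_FIXLOG = """\
fixlist content:
*****************
start
CreateRestorePoint:
HKLM-x32\\...\\Run: [] => [X]
SearchScopes: HKLM -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = {searchterms} - Ask.com Search
EmptyTemp:
end
*****************
Restore point was successfully created.
HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\\\ => value removed successfully
"HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\SearchScopes\\{2fa28606-de77-4029-af96-b231e3b8f827}" => key removed successfully
HKCR\\CLSID\\{2fa28606-de77-4029-af96-b231e3b8f827} => key not found.
EmptyTemp: => 1.4 GB temporary data Removed.

The system needed a reboot..
==== End of Fixlog 21:40:49 ====
"""

# A result line reads "<target> => <message>"; FRST wraps some targets in double quotes.
RESULT_RE = re.compile(r'^"?(?P<target>.+?)"?\s*=>\s*(?P<msg>.+)$')


def parse_fixlog(text: str) -> Dict[str, Any]:
    """Split a Fixlog into the echoed fixlist directives and the outcome FRST reported per target."""
    report: Dict[str, Any] = {
        "directives": [],      # lines between 'start' and 'end' in the echoed fixlist
        "removed": [],         # registry keys/values reported as removed
        "not_found": [],       # targets FRST looked for but did not find (e.g. the CLSID checked per SearchScope)
        "other": [],           # (target, message) for any result that is neither of the above
        "restore_point": False,
        "temp_removed": None,  # message from the EmptyTemp: step, if present
        "reboot": False,
    }
    in_fixlist = False
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("start", "end"):
            in_fixlist = line == "start"
        elif in_fixlist:
            if line:
                report["directives"].append(line)
        elif line.startswith("Restore point was successfully created"):
            report["restore_point"] = True
        elif line.startswith("The system needed a reboot"):
            report["reboot"] = True
        elif (m := RESULT_RE.match(line)):
            target, msg = m.group("target"), m.group("msg")
            if target == "EmptyTemp:":
                report["temp_removed"] = msg
            elif "removed successfully" in msg:
                report["removed"].append(target)
            elif "not found" in msg:
                report["not_found"].append(target)
            else:
                report["other"].append((target, msg))
    return report


def fix_looks_complete(report: Dict[str, Any]) -> bool:
    """A fix is acceptable when a restore point was created and no result line was unexpected."""
    return bool(report["restore_point"]) and not report["other"]
```

"key not found" for the HKCR\CLSID entry is normal here: FRST checks for a CLSID matching each removed SearchScope GUID, and none existed on this machine.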
Old 08-02-2015, 03:20 AM   #8

Hello Jane,

Thanks for the log. Please do the following.

STEP 1

Please download AdwCleaner on to your desktop.
Close all open programs and internet browsers.
Right-click on AdwCleaner.exe and select Run as administrator to run the tool.
Click on Scan.
After the scan is complete click on "Cleaning"
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
If need be, you can also find the logfile at C:\AdwCleaner\AdwCleaner[S0].txt as well.

=========================================================

STEP 2

Please download Malwarebytes Anti-Malware and save it to your desktop.

Double-click mbam-setup-2.1.8.1057.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
Click Finish.
At the end of the installation, a database update will be performed.
Click on Scan Now.
A Threat Scan will begin.
When the scan is complete, if there have been detections, click Remove Selected to allow MBAM to clean what was detected.
In most cases, a restart will be required and a prompt will be shown.
Wait for the prompt to restart the computer to appear, then click on Yes.

=====================================================

After the restart once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click Export.
Click Text file (*.txt)
In the Save File dialog box which appears, click on Desktop.
In the File name: box type a name for your scan log.
A message box named File Saved should appear stating "Your file has been successfully exported".
Click Ok
Attach that saved log to your next reply.
tekir06 is offline  
Old 08-02-2015, 03:50 AM   #9

Hi Tolga

Have to go to work soon, won't be back till very late. I will do all you've asked tomorrow morning and reply then.

Thanks
Jane
janeymac65 is offline  
Old 08-02-2015, 01:28 PM   #10

Hi Jane,

OK. I'll be waiting.
tekir06 is offline  
Old 08-02-2015, 04:48 PM   #11

Hi Tolga

Decided to try and get it all done tonight so you could look at it in the morning and I could stay in bed a bit longer.

Malwarebytes scan didn't find anything. AdwCleaner, not sure.
If I understood correctly, I am pasting the AdwCleaner log and attaching the Malwarebytes log.
Hope this is all ok.

Thanks

Jane
# AdwCleaner v4.208 - Logfile created 02/08/2015 at 23:22:01
# Updated 09/07/2015 by Xplode
# Database : 2015-08-01.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : jane - JANE-HP
# Running from : C:\Users\jane\Desktop\AdwCleaner.exe
# Option : Scan
***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****
Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
***** [ Web browsers ] *****
-\\ Internet Explorer v11.0.9600.17909

*************************
AdwCleaner[R0].txt - [1236 bytes] - [02/08/2015 23:22:01]
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [1295 bytes] ##########
janeymac65 is offline  
Old 08-02-2015, 04:55 PM   #12

Hi Tolga

Sending both adware logs, here's the second.

# AdwCleaner v4.208 - Logfile created 02/08/2015 at 23:24:39
# Updated 09/07/2015 by Xplode
# Database : 2015-08-01.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : jane - JANE-HP
# Running from : C:\Users\jane\Desktop\AdwCleaner.exe
# Option : Cleaning
***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
***** [ Web browsers ] *****
-\\ Internet Explorer v11.0.9600.17909

*************************
AdwCleaner[R0].txt - [1390 bytes] - [02/08/2015 23:22:01]
AdwCleaner[S0].txt - [1313 bytes] - [02/08/2015 23:24:39]
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1372 bytes] ##########
Attached files: malware scan.txt (1.0 KB)
janeymac65 is offline  
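An added example, not part of the thread and not part of AdwCleaner: a Python script that reconciles a scan log ([R0], "Found" entries) with the cleaning log ([S0], "Deleted" entries) and lists anything found that was not deleted, which is the check a helper does on a pair of logs like the two above. The sample logs are constructed excerpts of the ones posted, with one key deliberately left out of the cleaning log so the leftover report has something to show; the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpts in the layout of the two AdwCleaner logs posted above:
# [R0] is the scan ("Found" entries), [S0] the cleaning ("Deleted" entries).
# One key found by the scan is deliberately missing from the cleaning log.
SCAN_LOG = """\
# AdwCleaner v4.208 - Logfile created 02/08/2015 at 23:22:01
# Option : Scan
***** [ Services ] *****

***** [ Registry ] *****
Data Found : HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings [ProxyOverride] - *.local
Key Found : [x64] HKCU\\Software\\Microsoft\\Internet Explorer\\SearchScopes\\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : HKLM\\SOFTWARE\\Classes\\protector_dll.protectorbho
Key Found : [x64] HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\SearchScopes\\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
***** [ Web browsers ] *****
"""
CLEAN_LOG = """\
# Option : Cleaning
***** [ Registry ] *****
Key Deleted : HKLM\\SOFTWARE\\Classes\\protector_dll.protectorbho
Key Deleted : [x64] HKCU\\Software\\Microsoft\\Internet Explorer\\SearchScopes\\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Data Deleted : HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings [ProxyOverride] - *.local
***** [ Web browsers ] *****
"""

# Section headers look like "***** [ Registry ] *****"; entries like "Key Found : <item>".
SECTION_RE = re.compile(r"^\*{5} \[ (?P<name>.+?) \] \*{5}$")
ENTRY_RE = re.compile(r"^(?P<kind>\w+) (?P<verb>Found|Deleted) : (?P<item>.+)$")

Entry = Tuple[str, str, str]  # (section, kind, item), e.g. ("Registry", "Key", "[x64] HKLM\\...")


def parse_adwcleaner(text: str) -> Dict[str, List[Entry]]:
    """Return the entries of one AdwCleaner log grouped by verb ('Found' or 'Deleted')."""
    entries: Dict[str, List[Entry]] = {"Found": [], "Deleted": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if (s := SECTION_RE.match(line)):
            section = s.group("name")
        elif section and (m := ENTRY_RE.match(line)):
            entries[m.group("verb")].append((section, m.group("kind"), m.group("item")))
    return entries


def reconcile(scan_text: str, clean_text: str) -> Dict[str, List[Entry]]:
    """Compare what the scan found with what the cleaning run deleted."""
    found = parse_adwcleaner(scan_text)["Found"]
    deleted = parse_adwcleaner(clean_text)["Deleted"]
    return {
        "cleaned": [e for e in found if e in deleted],         # found and deleted
        "leftover": [e for e in found if e not in deleted],    # found but not deleted: rescan
        "unexpected": [e for e in deleted if e not in found],  # deleted without being in the scan
    }
```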
Old 08-02-2015, 11:17 PM   #13

Hello again,

Please do the following.

Your Java is out of date.

Please go to Start > Control Panel > Programs and Features and remove the above Java program(s) installed.
Next, download the latest Java, version 8 Update 51 from the following link
Download Free Java Software

==========================================================

Please go HERE then click on: Run Eset Online Scanner
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on the icon install.

All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.

Select the option YES, I accept the Terms of Use then click on Start button.
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:
  • Scan for potentially unwanted applications
  • Scan Archives
  • Enable Anti-Stealth Technology
Next to 'Current scan targets: Operating memory, Local drives', click the Change... button.
Tick all the boxes that correspond to your external/inserted drives.
Click Start. The virus signature database will begin to download. This may take some time.
Wait for the scan to finish.
When completed, click on Finish.
When the scan is done, if it shows a screen that says "Threats found!", click "List of found threats", and then click "Export to text file..."
Save that text file to your desktop, and then copy/paste the contents in your next reply.
tekir06 is offline  
Old 08-03-2015, 07:18 AM   #14

Hi Tolga

Have installed new java as instructed.
Ran eset scan exactly as you said to. It took just over 4 hours.
It scanned 203487 files but it didn't find any threats at all.
Does this mean my computer is clean?

Thanks

Jane
janeymac65 is offline  
Old 08-04-2015, 01:33 AM   #15

Hello again,

No. We're not done yet. Please send me the ESET Online Scanner report. Let's run different tools and see what we can see. Please follow the instructions below.

Please download TDSSKiller here or here to the desktop.
Right-click on TDSSKiller.exe and select Run as Administrator to start the program and follow the prompts.
Under Additional options, select both Verify driver digital signatures & Detect TDLFS File System >> OK
If a suspicious file is detected, the default action will be Skip, click on Continue.
Click on Report to open the log file. (It is also saved at C:\TDSSKiller.<version_date_time>_log.txt).
Copy and paste its contents in your next reply.
tekir06 is offline  
Old 08-04-2015, 02:22 AM   #16

Hi Tolga
Am at work till 3pm. Will do what you ask when I get home. Sorry, I didn't see how to save the ESET report if there was one. Do you want me to run the scan again first before I do anything else?

Thanks
Jane
janeymac65 is offline  
Old 08-04-2015, 03:36 AM   #17

Hello Jane,

No. You don't need to run ESET again. The report is at the following file path. I want to see this report.
Quote:
"C:\Program Files\ESET\ESET Online Scanner\log.txt"
Then, Please run the TDSSKiller and send me report.
tekir06 is offline  
Old 08-04-2015, 07:41 AM   #18

Hi Tolga

Sorry for being stupid. ESET does not exist in Program Files; I've checked and double-checked. Is this because I clicked the uninstall button option after it finished? As you only told me to send you the threat log if there was one.
Am running the scan again and now there is an ESET file in Program Files (x86). Hopefully the report you need will be in there when the scan is finished.

Sorry again

Jane
janeymac65 is offline  
Old 08-04-2015, 01:18 PM   #19

Hi Tolga

Have rerun the ESET scan; the only txt file in Program Files is below. There are no other logs contained here; no logs have been generated after I started the scan at 15.17. Everything else is:
File folders, applications, application extensions or ActiveX controls.
Have run TDSSkiller and the report is in next reply.

esetsmartinstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
Update Init
Update Download
Update Finalize
Updated modules version: 25115

This is all the log contained.
janeymac65 is offline  
Old 08-04-2015, 01:22 PM   #20

Hi Tolga

Here is the TDSS report.

Sorry having trouble with this, will try again.

Jane
janeymac65 is offline  
 
