Jump to content

Trojan and possible rootkit infection


Recommended Posts

My wife's notebook received a trojan warning through Avast. She removed it through Avast, and shortly thereafter encountered the wondrous BSOD. Computer would not boot at all (normal, last good config, or safe mode). I ended up doing a windows repair installation, at which point I did get the computer to boot. After scanning, (and following instructions for this forum), I received the following logs to post...

Thanks in advance for any help in removing these from the system.

Link to comment
Share on other sites

Download ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

Link 1

Link 2

Link 3

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.


1. Do not mouseclick combofix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.


Attach fresh logs for:

  • ComboFix (C:\combofix.txt)
  • a-squared Free/Anti-Malware
  • ISeeYouXP
  • HiJackFree

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

Link to comment
Share on other sites

Done. here are the new logs...

IE still isn't working properly. I get an error message "The requested lookup key was not found in any active activation context" when I try to type a website in the address bar. Further, since the repair installation of windows, an error message pops up every few minutes that says "Microsoft Feeds Synchronization has encountered a problem ad needs to close..." That's a new one for me. Furthermore, it appears that I still cannot browse to microsoft's update site (page displays blank in firefox).

Link to comment
Share on other sites

The installed version of Java on this computer is out-dated. Install Java Runtime Environment (JRE) 6u17 available from Sun Microsystems.


Using Add or Remove Programs in the Control Panel; uninstall the following:

J2SE Runtime Environment 5.0 Update 6

Java 6 Update 13

Java 6 Update 5

Java SE Runtime Environment 6 Update 1


Download Avenger from HERE and unzip to your desktop.

  • Run Avenger
  • Read the prompt that appears, and press OK
  • Copy & paste the following text in Input script Box:
    Registry keys to delete:
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{AE7CD045-E861-484f-8273-0445EE161910}
    Folders to delete:
    C:\Documents and Settings\Jen\Local Settings\Application Data\mbhuew

    Then click "Execute".

  • You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  • Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.


Attach fresh logs for:

  • Avenger (C:\avenger.txt)
  • ISeeYouXP

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

Link to comment
Share on other sites

You are still using IE6, upgrade to IE8.


Download -->> OTL <<-- to your desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
      Note: These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
    • Attach both logs with your next reply.

Link to comment
Share on other sites

Ok. upgrade to ie8 was easier said than done. still unable to do updates, so I downloaded the network admin version of sp3 update. once I installed that, ie8 was able to be installed. once ie8 was installed, the updates worked. browser issues are resolved, and the pop up error about Microsoft Feeds Sync is gone.

Nevertheless, I have attached the requested log files (I ran OTL after installing sp3 and the ie8 update).

Is there a scan I should run and log file I should post to confirm that the malware has been completely removed?

Link to comment
Share on other sites

Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation) 
    SRV - (winvnc) --  File not found
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    [start explorer]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new OTL log ( don't check the boxes beside LOP Check or Purity this time )

Link to comment
Share on other sites

Thread Closed

Reason: Lack of Response

PM either ShadowPuterDude or Lynx to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread

Link to comment
Share on other sites

This topic is now closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...