Trojan Horse

[REDACTED]

Hi,

Since a couple of days Avast is giving me warnings that it has blocked malware, same as stated in previous topics. I managed to remove the malware but I'm left with a Trojan Horse that I can't remove. Everytime I start up Firefox the TH reinstalls itself in the cache. It's name is FBListener-A

Hope anyone can help me.

[Eddy]

https://forum.avast.com/index.php?topic=53253.0

[REDACTED]

MBAM log, aswMBR and Farbar scan log attached to this post.

[REDACTED]

bump

[Eddy]

It looks like you are using a illegal version of windows.
It looks like you have not attached the complete frst log.
Only 5 processes running?
What are you trying to hide?

[REDACTED]

It looks like you are using a illegal version of windows.
It looks like you have not attached the complete frst log.
Only 5 processes running?
What are you trying to hide?

No and nothing,

This is a legit UK Windows 7 version, and I usually stop most of the processes upon start up. I can redo the scan with all the start up processes and upload a second log.

[REDACTED]

After rebooting the laptop I ran the frst scan right away, here are the logs from that scan:

[REDACTED]

Hi ,<$1alt="" title="" onresizestart="return false;" id="smiley__$2" style="padding: 0 3px 0 3px;" />

Greetings!

My name is Valinorum and I will be the acolyte today. Before we proceed, please, acknowledge yourself the following(s):

• Please do not create any new threads on this while we are working on your system as it wastes another volunteer's time. If you are being helped/have solved the issue/no longer wish to continue, notify me in your reply and I will quickly close this thread. Failing to comply will result in denial of future assistance.
• Please do not install any new software while we are working on this system as it may hinder our process.
• Malware removal is a complicated process so don't stop following the steps even if the symptoms are not found. Keep up with me until I declare you clean.
• Please do not try to fix anything without being ask.
• Please do not attach your logs or put them inside code/quote tags. Do a Copy/Paste of the entire contents of the log file and submit it inside your post unless directed otherwise.
• Please print or save the instructions I give you for quick reference. We may be using Safe mode which will cut you off from internet and you will not always be able to access this thread.
• Back up your data. I will not knowingly suggest your any course that might damage your system but sometimes Malware infections are so severe that only option we have is to re-format and re-install the operating system.
• If you are confused about any instruction stop and ask. Do not keep on going.
• Do not repeat the steps if you face any problems.
• I am not an omniscient. There are things even I cannot foresee. But what I know took years to learn and perfect the skill. This site is run by volunteers who help people in need in their own free time. I would ask you to respect their time and be patient as sometimes real life demands our time and replies to you can be delayed.
• Private Message(PM) if and only if I have not responded to your thread within three days or your query is offtopic and personal. Do not PM me under any other circumstances. Your thread is the only medium of communication.
• The fixes are for your system only. Please refrain from using these fixes on other system as it may do serious damage.

• Step #1 Scan with CKScanner
  
  • Download CKScanner by askey127 to your Desktop from the link below.
    Download Link
  • Right-click on the program and choose Run as administrator;
  • Click Search for files;
  • After the scan is finished choose Save List to File;
  • You will get a notification that the file has been saved;
  • Attach the CKFiles.txt on your Desktop in your next reply.

• Step #2 Scan with RogueKiller
  
  • Download Rogue Killer from one of the suitable links below to your Desktop.
    
    • Download link for 32 bit system
    • Download link for 64 bit system
  • Click on Scan;
  • The scan won't take long;
  • Click on Report to open the log.
  • Attach the log in your next reply.

• Required Log(s):
  
  • CKScanner Log
  • RogueKiller Log

Regards,
Valinorum

[REDACTED]

Hello Valinorum,

Thank you for helping me. I have downloaded both scanners and ran the scans. The logs are attached to this post. The CKScan acted a bit odd though, the software froze from start to finish but did produce a log, hope nothing went wrong there.

When the RK scan stopped it opened this website for me: http://www.adlice.com/kernelmode-rootkits-part-3-kernel-filters/
Are there keyloggers in my system?

[REDACTED]

Hi VolleyballWilson,

• Step #3Fix with RogueKiller
  
  • Re-run RogueKiller.
  • Let the pre-scan finish. After that click on Scan and wait for the scan to finish;
  • Click on Delete;
  • Now again click on Scan and wait for the scan to finish;
  • Click on Report and a log file will open;
  • Attach the report in your next reply.

• Step #4 Run ComboFix
  Download ComboFix by sUBs from one of the suitable locations listed below and save it to your Desktop.
  Download Link #1
  Download Link #2
  Donwload Link #3
  
  Warning
  Please acknowledged yourself this warning beforehand. The tool, ComboFix, is an extremely powerful malware removal tool if not one of the most powerful tools ever created. In the hands of an inept person or a simple mistake can render your machine un-bootable. Peruse every step I listed below unless you want a dreadful occurrence.
  ***
  • Disable your security software. For more information, peruse this thread;
  • Right-click and choose Run as administrator to run the program.
  • As a buit-in process, ComboFix will check if you system has Microsoft Windows Recovery Console installed. Let Combofix download and install Microsoft Windows Recovery Console.
    
    • It requires an active internet connection.
    • If your system already has Microsoft Windows Recovery Console installed, this step will be skipped
  • ComboFix will now scan your system for malwares and will attempt to remove them.
  • • Note: ComboFix performs fifty steps during this fix. Please be patient.
  • After the scan your system will reboot and a log will be produced. The log is automatically saved in C:\ComboFix.txt.
  • Attach the log in your next reply.
  Crucial Notes:
  
  • Do not mouse-click when ComboFix is running as it may stall.
  • Do not re-run ComboFix if you face a problem. Ask for my instruction here.
  • ComboFix will make Internet Explorer your default browser and will change number of different Internet Explorer settings.
  • ComboFix prevents autorun functions of all CD and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell me.
  • It is possible that ComboFix, even on its first run, may have fixed the problems you are having. We strongly suggest that you still post your log into the topic that you are receiving help as you most likely will have infections left over that your helper will need to analyze further.
  • ComboFix will disconnect your system from internet for security measures. The connection is automatically restored after the scan but if it does not, it can be restored by rebooting the PC.

• Required Log(s):
  
  • RogueKiller Report
  • ComboFix Log

Regards,
Valinorum

[REDACTED]

Hi Valinorum,

The RogueKiller scan is running as we speak, I will post the delete log and the combofix log ASAP.

[REDACTED]

Here are the Rogue Killer log and the combofix log.

[REDACTED]

Hi,

Please delineate your PC's condition after applying the fix.

• Step #5  Run ComboFix Script
  Make sure that you still have Combofix on your Desktop. If not, download it from here.
  
  • Open Notepad.exe. Do not use any other text editor software;
  • Copy and Paste the contents inside the code-box to your Notepad --

Code: [Select]

KillAll::

File::
c:\windows\system32\drivers\TrueSight.sys

Driver::
TrueSight

DDS::
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm

Firefox::
FF - ExtSQL: 2014-08-24 14:46; magicplayer@acestream.org; c:\users\Asus\AppData\Roaming\Mozilla\Firefox\Profiles\8sch6l67.default\extensions\magicplayer@acestream.org

Reboot::


• • Click on File > Save as...
    
    • Inside the File Name box type CFScript.txt
    • From the Save as type drop down list, choose All Files
  • Save the file to your Desktop;
  • Make sure your security programs are disabled while performing the actions. If you have difficulties, peruse this thread;
  • Drag CFScript.txt into ComboFix.exe as shown in the screenshot below --
    
  • ComboFix will now run a scan on your system. After the scan finishes, it will execute the script and reboot your computer automatically. Don't reboot your computer manually, let ComboFix do it. Once your computer is rebooted, ComboFix will start preparing a log. Please let it do so unhindered. After a few minutes, it shall produce a log for you.
  • Please attach the C:\ComboFix.txt in your next reply.

• Required Log(s):
  
  • ComboFix Fix Log

Regards,
Valinorum

[REDACTED]

ComboFix log is in the attachements.

What exactly do you mean with delineate? Want me to run another scan with Avast or Farbar?

[REDACTED]

Is avast! still showing alerts?