Author Topic: [Resolved] Win32:Trojan-gen found  (Read 25180 times)


janeyb

  • Guest
[Resolved] Win32:Trojan-gen found
« on: November 24, 2010, 10:22:51 PM »
4 of these have shown up on my computer and I need help to remove them, if anyone can help me?

Warning - I am a complete simpleton on the computer, so patience needed!

The virus's original location is C:\Users\name\Downloads and AppData\Local\Temp

I have put them into the Avast chest, now what?

I have windows 7 (I think!)

Thank you :)
« Last Edit: December 08, 2010, 09:45:06 PM by janeyb »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89364
  • No support PMs thanks
Re: Win32:Trojan-gen found
« Reply #1 on: November 24, 2010, 11:24:55 PM »
You have done the right thing: 'first do no harm', don't delete, send the virus to the chest and investigate.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

janeyb

  • Guest
Re: Win32:Trojan-gen found
« Reply #2 on: November 25, 2010, 09:21:06 AM »
Ok thanks David. I re-scanned with Avast and nothing was found.

However, there was still stuff found by Malwarebytes! I know this is an Avast forum, but does anyone know what I should do with the ones in Malwarebytes?

Offline Pondus

  • Probably Bot
  • Posts: 37621
  • Not an avast user
Re: Win32:Trojan-gen found
« Reply #3 on: November 25, 2010, 09:22:45 AM »
Can you post the Malwarebytes scan log?

janeyb

  • Guest
Re: Win32:Trojan-gen found
« Reply #4 on: November 25, 2010, 09:36:03 AM »
I should be able to, it's on the other 'infected' laptop; it won't hurt to e-mail the log from that laptop to this one, will it?

Also, is that really it for the avast virus? It seems too easy just to put it in the chest?

janeyb

  • Guest
Re: Win32:Trojan-gen found
« Reply #5 on: November 25, 2010, 09:53:30 AM »
The other thing I should add about Malwarebytes (MWB) is that when I go to open the programme I get a User Account Control message which says "Do you want to allow the following program to make changes to this computer?"

Then it says program name, verified publisher, file origin etc.

MWB never used to do this and I notice from the scanned log that some of the viruses have the words 'security hijack' in the information, so I'm not sure whether by clicking yes to the above question I'm allowing the virus in?

Offline Pondus

  • Probably Bot
  • Posts: 37621
  • Not an avast user
Re: Win32:Trojan-gen found
« Reply #6 on: November 25, 2010, 10:00:25 AM »
Quote
Also, is that really it for the avast virus? It seems too easy just to put it in the chest?
Depends on the virus...


Quote
MWB never used to do this and I notice from the scanned log that some of the viruses have the words 'security hijack'
Maybe you had an infection that turned off User Account Control?

janeyb

  • Guest
Re: Win32:Trojan-gen found
« Reply #7 on: November 25, 2010, 10:33:38 AM »
Here's the log from MWB.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5184

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

24/11/2010 22:47:00
mbam-log-2010-11-24 (22-47-00).txt

Scan type: Quick scan
Objects scanned: 143183
Time elapsed: 23 minute(s), 55 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 17
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
C:\ProgramData\67fac4\IS67f_2121.exe (Trojan.InternetSecuritySuite) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet security suite (Trojan.InternetSecuritySuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\0 (Security.Hijack) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=2121&q={searchTerms}) Good: (http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\ProgramData\67fac4\IS67f_2121.exe (Trojan.InternetSecuritySuite) -> Delete on reboot.
C:\Users\Watts\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internet Security Suite.lnk (Rogue.InternetSecuritySuite) -> Quarantined and deleted successfully.
C:\Users\Watts\AppData\Roaming\Microsoft\Windows\Start Menu\Internet Security Suite.lnk (Rogue.InternetSecuritySuite) -> Quarantined and deleted successfully.
C:\Users\Watts\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Security Suite.lnk (Rogue.InternetSecuritySuite) -> Quarantined and deleted successfully.
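
The MBAM log above is worth parsing rather than reading by eye: the Run value, the DisallowRun policy entries and the SearchScopes change are what explain the symptoms described in this thread (security tools not starting, UAC prompts, redirected searches). Here is an added Python example, not code from the thread or from Malwarebytes, that parses a constructed excerpt in the same line format as the posted log, tags the registry locations, and lists the items MBAM could not remove in-session (the constructed sample and the tag names are my own):

```python
import re
from collections import Counter

# Constructed excerpt in the line format of the MBAM 1.46 log posted in this thread.
SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet security suite (Trojan.InternetSecuritySuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 (Security.Hijack) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=2121&q={searchTerms}) Good: (http://www.google.com/search?q={searchTerms}) -> Quarantined and deleted successfully.

Files Infected:
C:\ProgramData\67fac4\IS67f_2121.exe (Trojan.InternetSecuritySuite) -> Delete on reboot.
C:\Users\Watts\AppData\Roaming\Microsoft\Windows\Start Menu\Internet Security Suite.lnk (Rogue.InternetSecuritySuite) -> Quarantined and deleted successfully.
"""

# One detection line is "<item> (<family>) -> <action>"; the first "(...) ->" ends the item,
# so the "Bad: (...) Good: (...)" part of a data-item line stays inside the action.
LINE_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

# Registry locations that explain the symptoms in the thread (tag names are mine).
TAGS = (
    ("\\CurrentVersion\\Run\\", "autostart persistence"),
    ("\\Policies\\Explorer\\DisallowRun\\", "DisallowRun policy (blocks named programs)"),
    ("\\SearchScopes\\", "browser search hijack"),
)

def parse_mbam_log(text):
    """Return a list of {'section', 'item', 'family', 'action', 'tags'} dicts."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):
            section = line[:-1]          # e.g. "Registry Values Infected"
            continue
        m = LINE_RE.match(line)
        if not m or section is None:
            continue                     # blank lines and "(No malicious items detected)"
        tags = [tag for needle, tag in TAGS if needle.lower() in m["item"].lower()]
        entries.append({"section": section, "tags": tags, **m.groupdict()})
    return entries

def unresolved(entries):
    """Items MBAM could not remove in-session: rescan after a reboot before trusting the machine."""
    pending = ("Delete on reboot", "Failed to unload")
    return [e["item"] for e in entries if e["action"].startswith(pending)]

def count_tags(entries):
    """Number of detections per persistence/hijack tag."""
    return Counter(t for e in entries for t in e["tags"])
```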

SafeSurf

  • Guest
Re: Win32:Trojan-gen found
« Reply #8 on: November 25, 2010, 10:42:48 AM »
Thank you for your MBAM log.

Check the information in the first post of this thread under Virus/Worms to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0

Follow the directions for obtaining the OTL logs. Post two (2) OTL logs as an attachment (Additional Options > Attach > Browse (the logs will be on your desktop) > Post).

I am going to refer you to our Certified Malware expert, named Essexboy.  He will also review your logs and give you further instructions, however he comes on the forum late UK time.  He will respond to you in this thread, so remember to check this thread daily.  I will continue to provide assistance in the meantime, then remain in the background while he works with you.

Please do not make any further changes to your machine after you have provided the logs.

Use your uninfected machine to check the forum and try to not use your infected machine except for the malware removal process.

Let me know if you have any questions.  Thank you.

Offline Pondus

  • Probably Bot
  • Posts: 37621
  • Not an avast user
Re: Win32:Trojan-gen found
« Reply #9 on: November 25, 2010, 10:51:31 AM »
Quote
Memory Processes Infected:
C:\ProgramData\67fac4\IS67f_2121.exe (Trojan.InternetSecuritySuite) -> Failed to unload process.
If you update Malwarebytes and scan again, is this detection back or gone ?

You can post that log when you post the OTL log, as SafeSurf suggested.

janeyb

  • Guest
Re: Win32:Trojan-gen found
« Reply #10 on: November 25, 2010, 11:20:34 AM »
Thanks SafeSurf, will take a look a bit later and try and follow the instructions!

Quote
If you update Malwarebytes and scan again, is this detection back or gone ?

I don't know, as when I try to open MWB I get the message which I posted earlier, which asks me if I want to allow a programme to make changes, which I've never had before, and wondered if by clicking yes I'm continuing to allow the virus access, if that makes sense!

Anyway, will follow the instructions above and post later :)

SafeSurf

  • Guest
Re: Win32:Trojan-gen found
« Reply #11 on: November 25, 2010, 11:29:14 AM »
The virus will continue to infect until we remove it, but we need more information from you from diagnostic tools. MBAM and OTL are just the start of the tools; there will be several more of them.

Please update MBAM, and run it again allowing it to quarantine anything it finds.  You can attach the MBAM log to your post.  You can then do your OTL log as soon as possible because I already notified Essexboy to assist you.  Thank you.

janeyb

  • Guest
Re: Win32:Trojan-gen found
« Reply #12 on: November 25, 2010, 02:28:17 PM »
Hi, have got as far as downloading the OTL, copying & pasting the text and running a quick scan. However, when I click on the quick scan button nothing seems to happen. Have tried again and re-downloaded it and left it, but it just sits there. Any ideas?

janeyb

  • Guest
Re: Win32:Trojan-gen found
« Reply #13 on: November 25, 2010, 02:53:29 PM »
Ignore me, first log done. It's taken about half an hour, not sure if that's a good thing; anyway, watch this space!

janeyb

  • Guest
Re: Win32:Trojan-gen found
« Reply #14 on: November 25, 2010, 03:00:23 PM »
Two OTL logs attached.

I've also run and updated MWB, and no infected files have been found.