Author Topic: [Resolved] Win32:Trojan-gen found  (Read 25178 times)


janeyb

  • Guest
Re: Win32:Trojan-gen found
« Reply #15 on: November 25, 2010, 03:02:20 PM »
Only seems to have attached one of the OTL logs, here's the other

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:Trojan-gen found
« Reply #16 on: November 25, 2010, 09:10:07 PM »
Hi, on completion of this run can you let me know what your problems are?

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :OTL
    IE - HKU\S-1-5-21-530884780-2559161900-1187449692-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT1269415
    IE - HKU\S-1-5-21-530884780-2559161900-1187449692-1000\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - Reg Error: Key error. File not found
    IE - HKU\S-1-5-21-530884780-2559161900-1187449692-1000\..\URLSearchHook: {ad708c09-d51b-45b3-9d28-4eba2681febf} - C:\Program Files\Download_Energy\tbDow0.dll (Conduit Ltd.)
    IE - HKU\S-1-5-21-530884780-2559161900-1187449692-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\S-1-5-21-530884780-2559161900-1187449692-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
    IE - HKU\S-1-5-21-530884780-2559161900-1187449692-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:25392
    IE - HKLM\..\URLSearchHook: {ad708c09-d51b-45b3-9d28-4eba2681febf} - C:\Program Files\Download_Energy\tbDow0.dll (Conduit Ltd.)
    FF - prefs.js..extensions.enabledItems: toolbar@alot.com:2.4.4000
    FF - prefs.js..extensions.enabledItems: {ad708c09-d51b-45b3-9d28-4eba2681febf}:2.7.1.3
    [2010/09/18 10:29:51 | 000,000,000 | ---D | M] (Download Energy Toolbar) -- C:\Users\Watts\AppData\Roaming\mozilla\Firefox\Profiles\qamr5a6w.default\extensions\{ad708c09-d51b-45b3-9d28-4eba2681febf}
    O2 - BHO: (PriceGongBHO Class) - {1631550F-191D-4826-B069-D9439253D926} - C:\Program Files\PriceGong\2.1.0\PriceGongIE.dll (PriceGong)
    O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
    O2 - BHO: (Download Energy Toolbar) - {ad708c09-d51b-45b3-9d28-4eba2681febf} - C:\Program Files\Download_Energy\tbDow0.dll (Conduit Ltd.)
    O3 - HKLM\..\Toolbar: (Download Energy Toolbar) - {ad708c09-d51b-45b3-9d28-4eba2681febf} - C:\Program Files\Download_Energy\tbDow0.dll (Conduit Ltd.)
    O3 - HKU\S-1-5-21-530884780-2559161900-1187449692-1000\..\Toolbar\WebBrowser: (Download Energy Toolbar) - {AD708C09-D51B-45B3-9D28-4EBA2681FEBF} - C:\Program Files\Download_Energy\tbDow0.dll (Conduit Ltd.)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 2
    O7 - HKU\S-1-5-21-530884780-2559161900-1187449692-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisallowRun = 1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 62.24.134.1 62.24.134.2
    [2010/11/24 07:19:30 | 000,000,000 | ---D | C] -- C:\Program Files\ConduitEngine
    [2010/11/23 23:52:10 | 000,000,000 | -HSD | C] -- C:\Users\Watts\AppData\Roaming\Internet Security Suite
    [2010/11/23 23:52:09 | 000,000,000 | -HSD | C] -- C:\ProgramData\ISRMRBS
    [2010/11/23 23:50:14 | 000,000,000 | -HSD | C] -- C:\ProgramData\67fac4
    [2010/06/06 16:01:54 | 000,000,000 | -HSD | M] -- C:\Users\Watts\AppData\Roaming\.#

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
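
As an added illustration (not part of essexboy's fix or of the OTL tool itself), the following Python snippet shows how a helper could pre-screen OTL log lines for the kinds of hijack entries the fix above removes: a proxy forced onto a local port, a dangling URLSearchHook, altered UAC and DisallowRun policies, and a fresh hidden+system directory under ProgramData. The sample log is constructed to mimic OTL's line format; the SIDs are shortened and the paths and values are modelled on the fix above.

```python
import re

# Constructed sample lines in OTL's log format, modelled on the fix above.
# A real scan log is much longer; these are the entry types the fix targets.
SAMPLE_LOG = """\
IE - HKU\\S-1-5-21-0-0-0-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings: "ProxyEnable" = 1
IE - HKU\\S-1-5-21-0-0-0-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings: "ProxyServer" = http=127.0.0.1:25392
IE - HKU\\S-1-5-21-0-0-0-1000\\..\\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - Reg Error: Key error. File not found
O6 - HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\System: ConsentPromptBehaviorUser = 2
O7 - HKU\\S-1-5-21-0-0-0-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer: DisallowRun = 1
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: DhcpNameServer = 62.24.134.1 62.24.134.2
[2010/11/23 23:52:09 | 000,000,000 | -HSD | C] -- C:\\ProgramData\\ISRMRBS
[2010/06/06 16:01:54 | 000,000,000 | ---D | M] -- C:\\Users\\Watts\\AppData\\Roaming\\mozilla
"""

# Each rule: (finding name, pattern, why a malware-removal helper cares).
RULES = [
    ("loopback-proxy", re.compile(r'"ProxyServer"\s*=\s*\S*127\.0\.0\.1:\d+'),
     "browser traffic routed through a local port, typical of rogue 'security suite' hijackers"),
    ("proxy-enabled", re.compile(r'"ProxyEnable"\s*=\s*1\b'),
     "proxy switched on; compare against the ProxyServer value"),
    ("uac-changed", re.compile(r'ConsentPromptBehaviorUser\s*=\s*2\b'),
     "non-default UAC prompt setting for standard users; the fix above resets it"),
    ("disallowrun-policy", re.compile(r'DisallowRun\s*=\s*1\b'),
     "Explorer policy that blocks named programs from running; the fix above removes it"),
    ("dangling-searchhook", re.compile(r'URLSearchHook:.*File not found'),
     "URLSearchHook points at a file that no longer exists, left over from a removed toolbar"),
    ("hidden-system-dir", re.compile(r'\| -HSD \| C\] -- (?P<path>C:\\ProgramData\\.+)$'),
     "newly created hidden+system directory under ProgramData, a common rogue-AV drop location"),
]


def triage(log_text):
    """Return a list of (finding name, log line, note) for every line matching a rule.

    Lines that match no rule (e.g. the DhcpNameServer entry) are ignored."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        for name, pattern, note in RULES:
            if pattern.search(line):
                findings.append((name, line, note))
    return findings


if __name__ == "__main__":
    for name, line, note in triage(SAMPLE_LOG):
        print(f"[{name}] {line}\n    -> {note}")
```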

janeyb

  • Guest
Re: Win32:Trojan-gen found
« Reply #17 on: November 25, 2010, 09:50:25 PM »
After re-booting a log appeared, which I've saved and attached here.

janeyb

  • Guest
Re: Win32:Trojan-gen found
« Reply #18 on: November 25, 2010, 09:51:51 PM »
I then re-scanned, although you didn't say whether to tick the Scan All Users box, so I didn't. Log attached.

Offline essexboy
Re: Win32:Trojan-gen found
« Reply #19 on: November 25, 2010, 09:54:44 PM »
What problems do you have now?

janeyb

  • Guest
Re: Win32:Trojan-gen found
« Reply #20 on: November 25, 2010, 09:59:50 PM »
How do I tell what problems I have?

I've re-scanned with avast and MBAM and both are negative, although the viruses are still in the chest in avast.

Offline essexboy
Re: Win32:Trojan-gen found
« Reply #21 on: November 25, 2010, 10:03:29 PM »
By problems - is the computer booting properly, is the speed of the system OK, do programmes start correctly etc.

As for the files in the chest, they can be safely deleted now.

janeyb

  • Guest
Re: Win32:Trojan-gen found
« Reply #22 on: November 25, 2010, 10:17:01 PM »
Just re-booted and the only differences I've noticed are that Firefox opens in 'safe mode' and there are two .ini notepad files on my desktop, which I can't attach as the system won't let me, so I have pasted the text below.

Quote
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21799
[LocalizedFileNames]
Microsoft Office - 60 Day Trial.lnk=@C:\PROGRA~1\MICROS~4\mui\oaa.dll,-103

Quote
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
IconResource=%SystemRoot%\system32\imageres.dll,-183


Offline essexboy
Re: Win32:Trojan-gen found
« Reply #23 on: November 25, 2010, 11:01:56 PM »
Those are system files which we will now return to their hidden status  ;D

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day: your log now appears clean  :thumbsup:

A good workman always cleans up after himself, so the following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Run OTL and hit the cleanup button. It will remove all the programmes we have used, plus itself. MBAM can be uninstalled via Control Panel Add/Remove, along with ERUNT, but they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.


SPRING CLEAN

To manually create a new Restore Point

  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create
Now we can purge the infected ones

  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive i.e. C
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete
You are now done

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit To learn more about how to protect yourself while on the internet read our little guide  How did I get infected in the first place ?
Keep safe  :wave:

janeyb

  • Guest
Re: Win32:Trojan-gen found
« Reply #24 on: November 25, 2010, 11:19:14 PM »
Ok will do all that tomorrow, thank you so much for your help.

Is MBAM Malwarebytes? (sorry  ???)

We currently use Avast and Malwarebytes (both free versions) in this house.  I've had no problems with infection on this computer (touch wood), but the other one seemed to pick the infection up.  It's as though Avast & Malwarebytes didn't update automatically and then the versions became out of date.

Are you suggesting below not to use Avast?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37621
  • Not a avast user
Re: Win32:Trojan-gen found
« Reply #25 on: November 25, 2010, 11:27:51 PM »
Quote
Is MBAM Malwarebytes? (sorry  )
Yes


Quote
Malwarebytes didn't update automatically
The free version does not have autoupdate, but the new 1.50 (in beta) does have a warning popup if the database is too old.

SafeSurf

  • Guest
Re: Win32:Trojan-gen found
« Reply #26 on: November 26, 2010, 09:50:24 AM »
Quote
Are you suggesting below not to use Avast?
No...you will be keeping Avast Free and MBAM. Essexboy needs to remove the tools he put on your machine that he used to remove the malware. Follow the directions in his last post. Then report back on how your machine is running. Keep your machine on for at least 24 - 48 hours for a good test. While your machine is running during this "test" period, I will give you some other tips as well, but I will wait for Essexboy to finish up his part.

Offline essexboy
Re: Win32:Trojan-gen found
« Reply #27 on: November 26, 2010, 08:45:26 PM »
Sounds to me like it is the other system that should be checked out  ;D

janeyb

  • Guest
Re: Win32:Trojan-gen found
« Reply #28 on: November 26, 2010, 08:49:48 PM »
Got to this bit

Quote
Now we can purge the infected ones

    * Go back to the System and Maintenance page
    * Select Performance Information and Tools
    * On the left select Open Disk Cleanup

But I can't find Performance Information and Tools?

janeyb

  • Guest
Re: Win32:Trojan-gen found
« Reply #29 on: November 26, 2010, 09:05:35 PM »
Sorry, found this, but can't find this

Quote
Select Files from all users  and accept the warning if you get one

When I click Open Disk Cleanup another box comes up with a few things ticked, but I can't see anything that says Select Files from all Users?