Stolen.Data and Malware.Tace Keep Coming Back After Removing Using Malwarebytes

[Resourceful]

Hello Essexboy i hope you can help me remove this 2 Malware . they will keep coming back to my computer after rebooting. I deleted them and restarted com and it didnt helps. Thanks

Here is My Logs For Malwarebytes


Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6954

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

27/6/2011 1:12:14 AM
mbam-log-2011-06-27 (01-12-14).txt

Scan type: Quick scan
Objects scanned: 174379
Time elapsed: 12 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Wen Jie\AppData\Roaming\data.dat (Stolen.Data) -> Quarantined and deleted successfully.

 OTS log for Essexboy

[essexboy]

On completion of the OTS fix then run Malwarebytes, fix all you find.  Reboot and then re-run Malwarebytes letting me know the result

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code: [Select]


[Unregister Dlls]
[Processes - Safe List]
YY -> i2coh.exe -> C:\Users\Wen Jie\AppData\Local\Temp\I2cOh.exe
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-538389176-1545575555-1437392800-1000\] > ->
YN -> HKEY_USERS\S-1-5-21-538389176-1545575555-1437392800-1000\: URLSearchHooks\\"{1392b8d2-5c05-419f-a8f6-b9f15a596612}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{4B3803EA-5230-4DC3-A7FC-33638F3D3542}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{4B3803EA-5230-4DC3-A7FC-33638F3D3542}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-538389176-1545575555-1437392800-1000\] > -> HKEY_USERS\S-1-5-21-538389176-1545575555-1437392800-1000\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{1392B8D2-5C05-419F-A8F6-B9F15A596612}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{472734EA-242A-422B-ADF8-83D1E48CC825}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{4B3803EA-5230-4DC3-A7FC-33638F3D3542}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{A057A204-BACC-4D26-9990-79A187E2698E}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_USERS\S-1-5-21-538389176-1545575555-1437392800-1000\] > -> HKEY_USERS\S-1-5-21-538389176-1545575555-1437392800-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "sICVFD9RHmawY" -> C:\Users\Wen Jie\AppData\Local\Temp\I2cOh.exe [C:\Users\WENJIE~1\AppData\Local\Temp\I2cOh.exe]
[Files/Folders - Created Within 30 Days]
NY ->  Dexpot -> C:\Users\Wen Jie\AppData\Roaming\Dexpot
[File - Lop Check]
NY ->  .# -> C:\Users\Wen Jie\AppData\Roaming\.#
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.  Post that information back here

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

[Resourceful]

All Processes Killed
[Processes - Safe List]
No active process named i2coh.exe was found!
C:\Users\Wen Jie\AppData\Local\Temp\I2cOh.exe moved successfully.
[Registry - Safe List]
Registry key HKEY_USERS\S-1-5-21-538389176-1545575555-1437392800-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\URLSearchHooks not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4B3803EA-5230-4DC3-A7FC-33638F3D3542} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4B3803EA-5230-4DC3-A7FC-33638F3D3542} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}\ not found.
Registry value HKEY_USERS\S-1-5-21-538389176-1545575555-1437392800-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{1392B8D2-5C05-419F-A8F6-B9F15A596612} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1392B8D2-5C05-419F-A8F6-B9F15A596612}\ not found.
Registry value HKEY_USERS\S-1-5-21-538389176-1545575555-1437392800-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{472734EA-242A-422B-ADF8-83D1E48CC825} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422B-ADF8-83D1E48CC825}\ not found.
Registry value HKEY_USERS\S-1-5-21-538389176-1545575555-1437392800-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4B3803EA-5230-4DC3-A7FC-33638F3D3542} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}\ not found.
Registry value HKEY_USERS\S-1-5-21-538389176-1545575555-1437392800-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A057A204-BACC-4D26-9990-79A187E2698E} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}\ not found.
Registry value HKEY_USERS\S-1-5-21-538389176-1545575555-1437392800-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_USERS\S-1-5-21-538389176-1545575555-1437392800-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
Registry value HKEY_USERS\S-1-5-21-538389176-1545575555-1437392800-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\sICVFD9RHmawY deleted successfully.
File C:\Users\Wen Jie\AppData\Local\Temp\I2cOh.exe not found.
[Files/Folders - Created Within 30 Days]
C:\Users\Wen Jie\AppData\Roaming\Dexpot\profile folder moved successfully.
C:\Users\Wen Jie\AppData\Roaming\Dexpot folder moved successfully.
[File - Lop Check]
C:\Users\Wen Jie\AppData\Roaming\.# folder moved successfully.
[Empty Temp Folders]
 
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Public
 
User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes
 
User: Wen Jie
->Temp folder emptied: 7477282 bytes
->Temporary Internet Files folder emptied: 2692462 bytes
->Java cache emptied: 994117 bytes
->FireFox cache emptied: 13364793 bytes
->Google Chrome cache emptied: 15724793 bytes
->Apple Safari cache emptied: 969728 bytes
->Flash cache emptied: 486 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 200704 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 49024 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 5367357 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 741 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 45.00 mb
 
 
[EMPTYFLASH]
 
User: All Users
 
User: Default
->Flash cache emptied: 0 bytes
 
User: Default User
->Flash cache emptied: 0 bytes
 
User: Public
 
User: UpdatusUser
->Flash cache emptied: 0 bytes
 
User: Wen Jie
->Flash cache emptied: 0 bytes
 
Total Flash Files Cleaned = 0.00 mb
 
Restore point Set: OTS Restore Point
< End of fix log >
OTS by OldTimer - Version 3.1.44.0 fix logfile created on 06272011_081651

Files\Folders moved on Reboot...
File\Folder C:\Users\Wen Jie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low(129)\Content.IE5\5E9XEEY1\Rr6oPtUlWGbS4FeunHZao0qux3tfHSGFH4AFEptanUHQ7XUb91bB90qqqSrJHWUQXWHQWnFJrPbBNYqFs4EZbf5Ev1oT7IXUY9UHj0nPvJnVfwW8mhwmqeucjswUeIQPiLwWqNvRuqMD3nMdbbVijfDj[1].gif not found!
File\Folder C:\Users\Wen Jie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low(129)\Content.IE5\5E9XEEY1\WWFjDWP7XPEjRPGrmStFM0drmT6Uu2GZbWYrFJV6im46M9QAbK2HZbs1HBKpdZav4PYY4GraTVMjWVMeSA3OTH3TWr7P2FPoWqMxWEYdQEJFspI6tBBmtVyaoDqQN6fqRsf1uAUQx8BZd3rftPlkZcNq[1].gif not found!
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

[Resourceful]

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6956

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

27/6/2011 10:12:07 AM
mbam-log-2011-06-27 (10-12-07).txt

Scan type: Quick scan
Objects scanned: 173951
Time elapsed: 4 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Wen Jie\AppData\Roaming\data.dat (Stolen.Data) -> Quarantined and deleted successfully.

[Resourceful]

may i ask is there a (Stolent.Data)keylogger in my computer 

[Resourceful]

after the Fix they were still this both malware been found (Quick Scan)<< i restarted the com . After that i go for my lunch i came back n do a (Full scan) MBM didnt detect anything now. i Am Still safe or possible the malware is hiding     

[Resourceful]

ignore this post

[Resourceful]

ignore this post

[Resourceful]

  Sorry the both malware still in Quarantine

[essexboy]

So this time Malwarebytes managed to permanently keep them in quarantine and the scans now come up clean

I saw no further indication of a keylogger apart from the trace MBAM found

[Resourceful]

So this time Malwarebytes managed to permanently keep them in quarantine and the scans now come up clean

I saw no further indication of a keylogger apart from the trace MBAM found

so how do i delete them ?

[Pondus]

so how do i delete them ?

you have...they are in malwarebytes quarantine


and always update malwarebytes before you scan  

[essexboy]

Do you mean they are still appearing on every scan - or if they are in the quarantine then just empty it

[Resourceful]

Do you mean they are still appearing on every scan - or if they are in the quarantine then just empty it

so how do i delete them ?

you have...they are in malwarebytes quarantine


and always update malwarebytes before you scan  

thanks both of you! i trying out a full scan now , hope it is clean now . Any safety precaution that i can take note to prevent getting malware or virus next time ?   

[essexboy]

Run OTS and hit the cleanup button


SPRING CLEAN

To manually create a new Restore Point

• Go to Control Panel and select System
  
• Select System
  
• On the left select System Protection and accept the warning if you get one
  
• Select System Protection Tab
  
• Select Create at the bottom
  
• Type in a name i.e. Clean
• Select Create

Now we can purge the infected ones

• GoStart > All programs > Accessories > system tools
  
• Right click Disc cleanup an select run as administrator
  
• Select Your main drive and accept the warning if you get one
  
• For a few moments the system will make some calculations
• Select the More Options tab
  
• In the System Restore and Shadow Backups select Clean up
  
• Select Delete on the pop up
  
• Select OK
• Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
 
Malwarebytes.  Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

• Microsoft Windows Update
  

To learn more about how to protect yourself while on the internet read our little guide  How did I get infected in the first place ?
Keep safe  :wave: