I got a trojan

Solved
Thread Status:
Not open for further replies.
  1. dave843

    Hi, I was surfing the web using Firefox in my Windows 7 x64 virtual machine, and I got a trojan. When I was surfing the web, I got a pop-up that looked like an anti-virus scanner program. It took me a minute to realize it wasn't Comodo, and when I realized it, I closed it, opened up Comodo, updated the anti-virus definitions, and ran a scan. It found something. It gives 0.0.0.0 as the location, and says the Malware Name is TrojWare.Win32.Qhost.~~14S9@116242354. I then ran updated Malwarebytes Anti-Malware and ran a scan. It found c:\Users\dave\AppData\Roaming\privacy.exe (Trojan.Agent.CoXGen) -> Quarantined and deleted successfully. I ran HijackThis, and everything looks good to me, but I came here for a professional opinion :)
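An added triage script, not part of the original post and not code from Comodo, Malwarebytes or HijackThis, covering the two things the post reports: a Qhost-family detection and a dropper at %APPDATA%\privacy.exe. It assumes that the Qhost name refers to hosts-file tampering (the posted logs do not show the hosts file), and the vendor-name pattern and Run keys it checks are an illustrative starting point rather than a complete indicator list. Written for Windows PowerShell 2.0 on the Windows 7 x64 machine described; run it elevated so HKLM is readable.

```powershell
# Added example, not from the thread. Assumptions: "Qhost" = hosts-file tampering
# (family name only; the logs do not show the hosts file); $vendorPattern is an
# illustrative list, not a complete set of indicators.

$hostsFile     = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$vendorPattern = 'comodo|malwarebytes|eset|microsoft|windowsupdate|symantec|kaspersky|avast'

# 1. Hosts file: anything that is not the stock localhost mapping is worth reading.
#    A security-vendor or update host pinned to a fixed address is the classic sign:
#    signature updates and cloud lookups fail quietly while everything else works.
function Get-SuspiciousHostsEntries {
  Get-Content -Path $hostsFile | ForEach-Object {
    $line = ($_ -replace '#.*$', '').Trim()      # strip comments, including trailing ones
    if (-not $line) { return }                    # 'return' here skips this pipeline item
    $parts = $line -split '\s+'
    if ($parts.Count -lt 2) { return }
    $ip = $parts[0]
    foreach ($name in $parts[1..($parts.Count - 1)]) {
      $stock = (@('127.0.0.1', '::1') -contains $ip) -and ($name -ieq 'localhost')
      if ($stock) { continue }
      $note = if ($name -imatch $vendorPattern) { 'SUSPECT: vendor/update host overridden' } else { 'review' }
      New-Object PSObject -Property @{ IP = $ip; Host = $name; Note = $note }
    }
  }
}

# 2. Autostart entries that launch something from a user-writable profile path,
#    which is where privacy.exe sat. Legitimate updaters live there too, so treat
#    hits as a reading list, not a verdict.
function Get-ProfilePathAutostarts {
  $runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
  )
  foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
      if ($p.Name -like 'PS*') { continue }       # PSPath, PSParentPath, ... are provider metadata
      if ("$($p.Value)" -imatch '\\AppData\\(Roaming|Local)\\|\\Temp\\') {
        New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = $p.Value }
      }
    }
  }
}

Get-SuspiciousHostsEntries | Format-Table IP, Host, Note -AutoSize
Get-ProfilePathAutostarts  | Format-List

# 3. Confirm the quarantined dropper really is gone from the path MBAM reported.
$dropper = Join-Path $env:APPDATA 'privacy.exe'
if (Test-Path $dropper) { "STILL PRESENT: $dropper" } else { "Not present: $dropper" }
```

A hosts entry such as `127.0.0.1 download.comodo.com` would show up as SUSPECT; an ad-blocking hosts list produces many `review` rows for 0.0.0.0 entries, which is why the script separates the two rather than flagging every non-localhost line.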
  2. dave843

    And here are the log files from OTL and aswMBR.

  3. Crush

    Hi,

    Can you post the MBAM log as well?
  4. dave843

    Here you are.

  5. Crush

    Hi,

    Download ComboFix from any of the links below, and save it to your desktop.

    Link 1
    Link 2
    Link 3

    When saving ComboFix rename it to PCHelpForum.exe to prevent it from being blocked by malware.


    To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.
    • Close any open windows and double click PCHelpForum.exe to run it.

    Click I Agree to start the program.

    ComboFix will then extract the necessary files.

    As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

    It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    If you did not have it installed, you will see the prompt below. Choose YES.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

    Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

    Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.
  6. dave843

    I ran combofix, and here is the log file.

  7. Crush

    How are things running now?
  8. dave843

    It's running fine. But then again, it was running fine even after I got the trojan.
  9. Crush

    Please run a free online scan with the ESET Online Scanner
    Note: You will need to use Internet Explorer for this scan
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and Scan unwanted applications are checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
  10. dave843

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner64.ocx - registred OK
    OnlineScanner.ocx - registred OK

    It did not find anything.
  11. Crush

    To uninstall ComboFix


    • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
    • In the field, type in ComboFix /uninstall

    (Note: Make sure there's a space between the word ComboFix and the forward-slash.)


    • Then, press Enter, or click OK.
    • This will uninstall ComboFix, delete its folders and files, hide system files and folders, and reset System Restore.
    =========



    Please run OTL.exe.

    • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      :Commands
      [emptytemp]
      [emptyflash]
      [clearallrestorepoints]
      [reboot]

      Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
    • Click the red Run Fix button.
    • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTL.exe

    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    ======

    Remove OTL:

    To remove all of the tools we used and the files and folders they created do the following:
    Double click OTL.exe.

    • Click the CleanUp button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    =======

    Download Security Check by screen317 and save it to your Desktop.
    • Double-click Security Check.exe to start the application
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
    Note: if a security program requests permission from dig.exe to access the Internet, allow it to do so.
    =======

    There are many things you can do to keep this from happening again. You can think of a computer like a car. It requires basic maintenance to keep in tip top shape and ready to go. Would you drive your car 100,000 miles without changing the oil? The same principle applies here.

    For some helpful tips regarding why you were infected in the first place, what you can do to keep this from happening again, and routine basic maintenance you should be performing on your PC to keep it running, you may wish to review the following threads:

    So, you want to keep this from happening again?
    How Did I Get Infected?

    In your next reply:

    Please confirm removal of the tools
    Post the SecurityCheck log
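The OTL fix script in the post above ([emptytemp], [emptyflash], [clearallrestorepoints], [reboot]) as an added PowerShell equivalent. This is not part of the original post and not OTL's own code; it shows what those four directives do so the effect is not a black box. Assumptions: the Flash Player and Firefox cache paths are the standard per-user ones, and on Windows 7 restore points live in the Volume Shadow Copy store, so deleting every shadow copy clears them. Run from an elevated prompt on the machine being cleaned; it is destructive by design.

```powershell
# Added example, not from the thread and not OTL's code. Equivalent of:
#   [emptytemp] [emptyflash] [clearallrestorepoints] [reboot]
# Assumptions: standard per-user Flash/Firefox cache paths; Windows 7 keeps
# restore points as VSS shadow copies. Requires an elevated PowerShell.

function Clear-Dir([string]$Path) {
  # Empty a directory (wildcards allowed) without failing on locked files;
  # anything still held open is released by the reboot at the end.
  if (Test-Path $Path) {
    Get-ChildItem -Path $Path -Force -ErrorAction SilentlyContinue |
      Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
  }
}

# [emptytemp]: user and system temp plus browser caches, the usual drop zones
# for a fake-AV download like the one described in the first post.
Clear-Dir $env:TEMP
Clear-Dir (Join-Path $env:SystemRoot 'Temp')
Clear-Dir (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files')
Clear-Dir (Join-Path $env:LOCALAPPDATA 'Mozilla\Firefox\Profiles\*\Cache')

# [emptyflash]: Flash shared objects ("Flash cookies") and per-site settings.
Clear-Dir (Join-Path $env:APPDATA 'Macromedia\Flash Player\#SharedObjects')
Clear-Dir (Join-Path $env:APPDATA 'Macromedia\Flash Player\macromedia.com\support\flashplayer\sys')

# [clearallrestorepoints]: an infected restore point would reintroduce the sample,
# so every existing one goes, then a clean baseline is taken (needs System Restore
# enabled on the system drive).
vssadmin delete shadows /all /quiet
Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType 'MODIFY_SETTINGS'

# [reboot]: files and registry keys held by running processes are only freed now.
Restart-Computer -Force
```

The ordering matters: clearing restore points before taking the fresh one means the new point captures the cleaned state, and rebooting last lets any delete that failed on an open handle complete on the way down.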
  12. dave843

    When I ran OTL, it was unable to create a log file for some reason. Here is the SecurityCheck log:

    Results of screen317's Security Check version 0.99.24
    Windows 7 x64 (UAC is enabled)
    Internet Explorer 9
    ``````````````````````````````
    Antivirus/Firewall Check:
    Windows Firewall Disabled!
    ESET Online Scanner v3
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:
    Malwarebytes' Anti-Malware
    Mozilla Firefox (x86 en-US..)
    ````````````````````````````````
    Process Check: objlist.exe by Laurent
    Malwarebytes' Anti-Malware mbamservice.exe
    Malwarebytes' Anti-Malware mbamgui.exe
    Comodo Firewall cmdagent.exe
    Comodo Firewall cfp.exe
    ``````````End of Log````````````
  13. Crush

    Looks good :). Any more questions?
  14. dave843

    Nope. Thanks for your help :)