
Thread: Trojan Detected - Unable to Remove

  1. #21 Dakeyras (Security Expert-Emeritus)

    Hi.

    Quote: The computer seems to be running fine. No signs of viral activity.
    Good.

    Quote: Tried to paste OTL.txt but it's too large. Please find it attached
    Not a problem.

    Next:

    Uninstall the following as they are leftovers from prior Symantec software...

    Now please go to Start(Windows 7 Orb) >> Control Panel >> Uninstall a program or Programs and Features and remove the following (if present):

    LiveReg
    LiveUpdate


    To do so click once on each of the above in turn to highlight, then click on Uninstall/Change and follow the prompts.

    Note: If any of the above will not uninstall, merely proceed to the below Custom OTL Script, as I have included them as an extra precaution in case such an event does occur.

    Custom OTL Script:

    • Right-click OTL.exe and select Run as Administrator to start the program.
    • Copy the lines from the code-box to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Commands
    [CreateRestorePoint]
    
    :Services
    awhost32
    LiveUpdate
    
    :OTL
    FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.25.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O15 - HKU\S-1-5-21-1206012796-1689309657-3446792677-1000\..Trusted Domains: airmilesshops.ca ([www] http in Trusted sites)
    O15 - HKU\S-1-5-21-1206012796-1689309657-3446792677-1000\..Trusted Domains: localhost ([]http in Local intranet)
    O15 - HKU\S-1-5-21-1206012796-1689309657-3446792677-1000\..Trusted Ranges: GD ([http] in Local intranet)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/...Control_32.CAB (Reg Error: Key error.)
    
    :Files
    ipconfig /flushdns /c
    C:\Program Files (x86)\Java
    C:\Program Files (x86)\Symantec
    C:\Users\Rick\AppData\Roaming\inst.exe
    C:\Windows\SysWOW64\npDeployJava1.dll
    netsh advfirewall reset /c 
    netsh advfirewall set allprofiles state on /c 
    
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveReg]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveUpdate]
    [HKEY_USERS\S-1-5-21-1206012796-1689309657-3446792677-1000\Software\Microsoft\Windows\CurrentVersion\Run\Software\Microsoft\Windows\CurrentVersion\Run]
    "Spybot-S&D Cleaning"=-
    
    :Commands
    [EmptyTemp]
    • Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
    • Then click the red Run Fix button.
    • Let the program run unhindered.
    • If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.

    Note: The log file can also be located at C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt (the file name denotes the date/time the log was created).

    Malwarebytes Anti-Malware:

    I deem it prudent to check for updates and run another scan to err on the side of caution, taking into account the malware we have been dealing with.

    Note: Remember to right click the executable for MBAM and select Run As Administrator.

    • Launch the application, Check for Updates >> Perform quick scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

    Next:

    When you have completed the above, please post back the following in the order asked for:

    • OTL Log from the Custom Script.
    • Malwarebytes Anti-Malware Log.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  2. #22 Member

    Hello,

    I removed LiveUpdate; however, when attempting to remove LiveReg, I received the error that it could not be removed because I still had active Symantec products (PCAW). I need to keep PCanywhere installed, as I use it as a last resource to connect to remote PCs, therefore I didn't remove it or LiveReg using your script, hence I didn't run OTL. Please advise if running the script will leave PCAW intact, then I'll proceed. Otherwise, everything looks fine, Avast scans are clean as is the MBAM scan.

    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org

    Database version: v2013.09.21.06

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 10.0.9200.16686
    Rick :: RICK-PC [administrator]

    21/09/2013 11:43:35 AM
    mbam-log-2013-09-21 (11-43-35).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 311926
    Time elapsed: 5 minute(s), 33 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)


  3. #23 Dakeyras (Security Expert-Emeritus)

    Hi.

    Not a problem regarding what you mentioned; merely run the modified custom script below, please:

    Code:
    :Commands
    [CreateRestorePoint]
    
    :OTL
    FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.25.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O15 - HKU\S-1-5-21-1206012796-1689309657-3446792677-1000\..Trusted Domains: airmilesshops.ca ([www] http in Trusted sites)
    O15 - HKU\S-1-5-21-1206012796-1689309657-3446792677-1000\..Trusted Domains: localhost ([]http in Local intranet)
    O15 - HKU\S-1-5-21-1206012796-1689309657-3446792677-1000\..Trusted Ranges: GD ([http] in Local intranet)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/...Control_32.CAB (Reg Error: Key error.)
    
    :Files
    ipconfig /flushdns /c
    C:\Program Files (x86)\Java
    C:\Users\Rick\AppData\Roaming\inst.exe
    C:\Windows\SysWOW64\npDeployJava1.dll
    netsh advfirewall reset /c 
    netsh advfirewall set allprofiles state on /c 
    
    :Reg
    [HKEY_USERS\S-1-5-21-1206012796-1689309657-3446792677-1000\Software\Microsoft\Windows\CurrentVersion\Run\Software\Microsoft\Windows\CurrentVersion\Run]
    "Spybot-S&D Cleaning"=-

    Next:

    Let's check/update some software as follows, shall we...

    • Download and install FileHippo Update Checker from here.
    • Once installed (during the installation process deselect the option: Run at Startup) >> Start(Windows 7 Orb) >> All Programs >> right-click on Update Checker and select Run as Administrator >> a browser window will open after the scan is complete.
    • Download any updates detected (apart from beta updates) to the desktop >> uninstall anything that requires updating via Uninstall a program or Programs and Features in the Control Panel.
    • Re-install the updated software, delete the installers and then empty the Recycle Bin.

    Note: When I give the all clear, my advice would be to consider keeping FileHippo Update Checker installed. Then periodically use it to check for any updates, as having certain software outdated gives malware a potential foothold to exploit a system etc.

    Next:

    Attach your external Hard-Drive >> right click on the drive's icon (found via Start(Windows 7 Orb) >> Computer) and select Scan with Malwarebytes Anti-Malware

    Perform the same again but this time scan with avast! Free Antivirus

    Note: Check for updates with both of the above security applications prior to scanning.

    Next:

    Let me know when you have completed the above, and post the OTL Log from the Custom Script. Also inform me if any further issues remain, thank you.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  4. #24 Member

    Hello,

    Everything seems to be running well except for a problem I have installing a new printer. I don't think this has anything to do with this computer, as I can't get it to work with any of my computers. Brother support was also unable to help me. At any rate, I believe the virus situation has been resolved (from what I can tell). Here is the OTL log, and once again

    ========== COMMANDS ==========
    Restore point Set: OTL Restore Point
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@java.com/DTPlugin,version=10.25.2\ deleted successfully.
    C:\Windows\SysWOW64\npDeployJava1.dll moved successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-1206012796-1689309657-3446792677-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\airmilesshops.ca\www\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-1206012796-1689309657-3446792677-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\localhost\ deleted successfully.
    Registry value HKEY_USERS\S-1-5-21-1206012796-1689309657-3446792677-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\GD\\http deleted successfully.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\Windows\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Starting removal of ActiveX control Garmin Communicator Plug-In
    Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Garmin Communicator Plug-In\DownloadInformation\\INF .
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Garmin Communicator Plug-In\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Garmin Communicator Plug-In\ not found.
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Users\Rick\Desktop\Virus Utils\cmd.bat deleted successfully.
    C:\Users\Rick\Desktop\Virus Utils\cmd.txt deleted successfully.
    C:\Program Files (x86)\Java\jre7\lib\ext folder moved successfully.
    C:\Program Files (x86)\Java\jre7\lib folder moved successfully.
    C:\Program Files (x86)\Java\jre7 folder moved successfully.
    C:\Program Files (x86)\Java folder moved successfully.
    C:\Users\Rick\AppData\Roaming\inst.exe moved successfully.
    File\Folder C:\Windows\SysWOW64\npDeployJava1.dll not found.
    < netsh advfirewall reset /c >
    Ok.
    C:\Users\Rick\Desktop\Virus Utils\cmd.bat deleted successfully.
    C:\Users\Rick\Desktop\Virus Utils\cmd.txt deleted successfully.
    < netsh advfirewall set allprofiles state on /c >
    Ok.
    C:\Users\Rick\Desktop\Virus Utils\cmd.bat deleted successfully.
    C:\Users\Rick\Desktop\Virus Utils\cmd.txt deleted successfully.
    ========== REGISTRY ==========
    Registry key HKEY_USERS\S-1-5-21-1206012796-1689309657-3446792677-1000\Software\Microsoft\Windows\CurrentVersion\Run\Software\Microsoft\Windows\CurrentVersion\Run not found.

    OTL by OldTimer - Version 3.2.69.0 log created on 09222013_172557

  5. #25 Dakeyras (Security Expert-Emeritus)

    Hi.

    Quote: a problem I have installing a new printer. I don't think this has anything to do with this computer, as I can't get it to work with any of my computers. Brother support was also unable to help me
    Hmmm, as a rule Windows 7 is quite good at installing Printers without any third party software, if all you wish to do is print off, say, documents and not use any of the printer's more advanced features like scanning for example. So you could try uninstalling any printer related software, then re-connect the printer; it should be auto-detected, and then check if a Test Page can be printed. If there are still problems, my best advice would be to seek further assistance in either of the below forums...

    Geeks to Go - Hardware, Components and Peripherals

    Or:

    What the tech - General Hardware

    I am a member of both of the above and they have excellent IT Tech Support staff.

    Next:

    Congratulations your computer appears to be malware free!

    Disclaimer: Given the nature of the infections that were present on the machine, I give no guarantees about the security of this computer and have to the best of my abilities tried to both identify and eradicate all malware.

    Now I have some tasks for your good self to carry out as part of a clean up process and some advice about online safety.

    Importance of Regular System Maintenance:

    I advise you read both of the below listed topics as this will go a long way to keeping your Computer performing well.

    Help! My computer is slow!

    Also this:

    What to do if your Computer is running slowly

    AdwCleaner Uninstall:

    • Right-click on AdwCleaner.exe and select Run as Administrator to start the program
    • Click on Uninstall >> Yes, this will remove the application and its log(s) etc.

    ComboFix Uninstall :

    • Click on Start(Windows 7 Orb) >> Run...(or depress both the Windows key and R together to launch the run box)
    • Now type ComboFix /Uninstall into the run box and click OK.
    • Note the space between the X and the /Uninstall, it needs to be there.

    Clean up with OTL:

    • Right-click OTL and select Run as Administrator to start the program.
    • Close all other programs apart from OTL as this step will require a reboot.
    • On the OTL main screen, depress the CleanUp button.
    • Say Yes to the prompt and then allow the program to reboot your computer.

    The above process should clean up and remove the vast majority of scanners used and logs created etc.

    Any leftovers, merely delete yourself and empty the Recycle Bin.

    Reset the System Restore points:

    Create a new, clean System Restore point:-

    • Right click on Computer and select Properties >> System protection >> Create....
    • Give this restore point a descriptive name and click Create.
    • When the new restore point is created click on OK >> close the System Properties window.

    Note: Do not clear infected/old System Restore points before creating a new System Restore point first!

    Flush Old System Restore points:-

    • Click on Start(Windows 7 Orb) >> All Programs >> Accessories >> System Tools >> right-click on Disk Cleanup and select Run as Administrator.
    • Select the system drive, C >> OK.
    • Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
    • Click on Clean up system files >> Select the system drive, C >> OK.
    • Now click on the More Options tab.
    • Under System Restore and Shadow Copies, click on Clean up... >> Delete >> OK >> Delete Files.

    Now some advice for on-line safety:

    The below are worth reading/bookmarking for future reference...

    So how did I get infected in the first place?

    Computer Security - a short guide to staying safer online

    Next:

    Any questions? Feel free to ask, if not stay safe!
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  6. #26 Member

    Hello,

    An interesting development. I tried printing from another PC and couldn't only to find that all the settings to allow access through Windows Firewall had been turned off (file and print sharing for one). I didn't do anything to cause this to happen. Any thoughts?

  7. #27 Dakeyras (Security Expert-Emeritus)

    Hi.

    Quote: An interesting development. I tried printing from another PC and couldn't only to find that all the settings to allow access through Windows Firewall had been turned off (file and print sharing for one). I didn't do anything to cause this to happen. Any thoughts?
    Do you mean the settings for this machine we have been working on?

    If so, part of the prior custom OTL fix reset the Windows 7 Firewall back to default to remove the P2P related entries etc. Anyway, to rectify what you mentioned, follow the advice in the below Microsoft article:-

    Enable file and printer sharing

    Any further questions?
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.
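A way to verify the firewall state after that reset, and to turn the File and Printer Sharing rule group back on for the Private profile only, as an added example that is not from this thread. It uses netsh (present on Windows 7) and assumes English-language netsh output and an elevated PowerShell prompt:

```powershell
# Added example (not from the thread): audit Windows Firewall after the
# "netsh advfirewall reset" step of the OTL fix, then re-enable only the
# File and Printer Sharing group on the Private profile.
# Assumes English netsh output and an elevated PowerShell prompt.

function Get-FirewallProfileState {
    # Returns a hashtable: profile name -> "ON" or "OFF"
    $state = @{}
    $current = $null
    foreach ($line in (netsh advfirewall show allprofiles)) {
        if ($line -match '^(Domain|Private|Public) Profile Settings:') {
            $current = $Matches[1]
        } elseif ($current -and $line -match '^State\s+(ON|OFF)') {
            $state[$current] = $Matches[1]
        }
    }
    return $state
}

function Get-RuleGroupStatus {
    param([string]$Group = "File and Printer Sharing")
    # Walks "show rule name=all" block by block (blocks end with a blank
    # line) and returns the rules of the requested group with Enabled/Profiles.
    $rules = @()
    $name = $null; $enabled = $null; $profiles = $null; $grouping = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all)) {
        if ($line -match '^Rule Name:\s+(.+)$')      { $name = $Matches[1].Trim() }
        elseif ($line -match '^Enabled:\s+(Yes|No)') { $enabled = $Matches[1] }
        elseif ($line -match '^Profiles:\s+(.+)$')   { $profiles = $Matches[1].Trim() }
        elseif ($line -match '^Grouping:\s+(.+)$')   { $grouping = $Matches[1].Trim() }
        elseif ($line.Trim() -eq '') {
            if ($name -and $grouping -eq $Group) {
                $rules += [pscustomobject]@{ Name = $name; Enabled = $enabled; Profiles = $profiles }
            }
            $name = $null; $enabled = $null; $profiles = $null; $grouping = $null
        }
    }
    return $rules
}

# 1. All three profiles should read ON (the OTL script also ran
#    "set allprofiles state on" right after the reset).
(Get-FirewallProfileState).GetEnumerator() | Format-Table Name, Value -AutoSize

# 2. Show how the sharing rules look now; a reset can leave them disabled.
Get-RuleGroupStatus | Format-Table Name, Enabled, Profiles -AutoSize

# 3. Re-enable the group on the Private (home/work) profile only, so the
#    SMB and spooler listeners stay closed on Public networks.
netsh advfirewall firewall set rule group="File and Printer Sharing" profile=private new enable=yes

# 4. Confirm which rules are enabled and on which profiles.
Get-RuleGroupStatus | Where-Object { $_.Enabled -eq "Yes" } | Format-Table Name, Profiles -AutoSize
```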

  8. #28 Member

    I also do not have any restore points before September 21 even when "show more restore points" is checked. Also, with the resetting of the firewall, won't all my programs that need to go through the firewall now not work?

  9. #29 Dakeyras (Security Expert-Emeritus)

    Quote: I also do not have any restore points before September 21 even when "show more restore points" is checked.
    That is because part of the clean up process in post #25 (Reset the System Restore points) will have purged the older (and infected) ones and created a new safe clean one. This is standard procedure upon completion of a malware removal process.

    Quote: Also, with the resetting of the firewall, won't all my programs that need to go through the firewall now not work?
    No, they will work/be granted the appropriate access.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  10. #30 Member

    Quote: That is because part of the clean up process in post #25 (Reset the System Restore points) will have purged the older (and infected) ones and created a new safe clean one. This is standard procedure upon completion of a malware removal process.
    I realize that, but I hadn't done that step yet. Would something else have gotten rid of them?
