baldeguy56

Removal of malware embedded in system memory

Removal of TrojanDownloader:JS/Whirl.A, VirusTool:Win32/VBInject.gen!DG, Virus:Win32/Alureon.H is continuing to fool SuperAntiSpyware, and it rewrites itself after every reboot. I'm not sure which .exe began the rewriting of other malware processes (possibly TrojanDropper), but I can't seem to kill the malware completely. The computer has been running infected for over seven months.

Is it possible to run SuperAntiSpyware in Safe Mode to remove the infection? Very frustrated with this mess! Any suggestions are welcome. Thank you...baldeguy56

Welcome to the SAS forum Baldeguy.

From Normal Mode, right click on the SAS icon in the tray or notification area, and choose Check For Updates. Once the update is complete, run a complete scan with SAS from Safe Mode. If the infection re-appears following that, then I suggest running a full scan with MalwareBytes, as well as an online scan with Eset:

http://www.malwarebytes.org/

http://www.eset.com/online-scanner

Thank you for your replies. I will try all your suggestions as this bugger really has me stumped. I'll return with any results. Again, thank-you...Garry

Edit: Advanced Member, I have already tried MBAM to no avail.

Quote: I have already tried MBAM to no avail.

Then it's probably best to proceed right to the support ticket. That way, SAS can analyze the infection and make the appropriate additions to the definition files.

Quote: Then it's probably best to proceed right to the support ticket. That way, SAS can analyze the infection and make the appropriate additions to the definition files.

I followed the first suggestion to run SAS in Safe Mode after updating it. SAS detected Trojan.SystemDriver, which had four entries located in the registry. After a reboot, Microsoft Security Essentials detected TrojanDownloader:JS/Whirl.A and was able to disinfect it (MSE failed at disinfecting and came back with an error in the first few attempts; SAS succeeded at disinfecting). All seems well so far, but I am not totally convinced, though I ran another deep scan and SAS reported no malware detected. Thank you for the continued help...Garry

That's good to hear Garry.

Go ahead and run MalwareBytes and the online scan with Eset.

Hello.

I ran Malwarebytes with no malware detected. Rebooted, and Microsoft Security Essentials detected TrojanDownloader:JS/Whirl.A but again failed to clean. Sometimes MSE cleans it (until the next reboot), though only temporarily. Now running ESET from the link provided above...thanks. Okay, SAS and MBAM have always done a great job at disinfecting my and others' systems. Why are they having difficulty with this Win32 Trojan variant? While anti-virus applications are not doing right by their customers, increasing costs each year but not doing their part in fighting this social malware epidemic, SAS and MBAM are becoming the standard in this fight. I belong to many tech help sites and this seems to be the ongoing conclusion. Very thankful for these programs.

I will reply back as to my progress (ESET scanning at 40% complete with 4 nasties detected; I disabled MSE).

Thanks...Garry

When any antimalware program detects an infection, it doesn't necessarily mean that the infection will be removed successfully.

Let's see how the Eset scan goes...

ESET detected 3 variants of the Win32 trojan, but only removed 2. I have temporarily disabled System Restore to delete all restore points, used CCleaner to delete all Temporary Files, and will reboot to give the malware a chance to rewrite itself.

Downloaded and installed ESET NOD32 Antivirus 4 trial. Ran a complete scan. Here is the log...

C:\Program Files\NOS\bin\getPlusPlus_Adobe.exe - probably a variant of Win32/Genetik trojan - cleaned by deleting - quarantined [1]

C:\WINDOWS\Downloaded Program Files\unagiuninst.exe » NSIS - bad archive

Number of scanned objects: 266472

Number of threats found: 1

Number of cleaned objects: 1

Time of completion: 11:29:57 AM Total scanning time: 7716 sec (02:08:36)

Notes:

[1] Object has been deleted as it only contained the virus body.

[4] Object cannot be opened. It may be in use by another application or operating system.

Ran a Custom scan excluding known clean locations to shorten the four hr. scan. Came back clean. I think I may have found the issue logged as [4] in Notes. Hidden was a program called FolderLockIt. I was able to uninstall this, though it was password protected, which uncovered the folders it was hiding. I deleted all. Further ESET scans come back negative as to infections. I'm fairly sure that this computer is fixed, but given the malware's persistence in remaining active, I have some reservations.

Thank you both for your help...Garry

Edit:

Still not completely convinced of disinfection, I started poking around some and came across three processes in Task Manager named dl1.exe. Being something I've never seen before, I put a search on it and found it to be the executable for the Win32 trojan and its variants. I couldn't find the correct syntax to use with CMD, so I stopped the processes in Task Manager, then using the Search feature in XP searched for dl1.exe. Three files of the same name were found, but in different locations, and are as follows...

DL1.EXE locations:

1. C:\WINDOWS\Prefetch

2. C:\WINDOWS\Temp

3. C:\Documents and Settings\rose\Local Settings\Temp

I deleted each one, rebooted and ran a complete scan using ESET. No infections detected and the Task Manager showed no unknown processes.

I am mostly convinced that this computer's issue is resolved, though I'll keep just a small doubt to myself due to the adaptability of this type of worm.

Many thanks, as I couldn't have gotten this far, and possibly nowhere at all, without the help...Garry

Edited by baldeguy56
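The manual check in the post above (note which dl1.exe processes are running, find the copies in Prefetch and the Temp folders, stop and delete them, reboot and rescan) as an added PowerShell example; this is not code from the thread or from SAS/ESET. It assumes Windows PowerShell 4 or later with the modern folder layout (not the XP paths in the post), and the -Remove switch is my own addition: without it the script only records the evidence, so a sample can still be submitted to the vendor as the last reply recommends.

```powershell
# Added example, not from the thread: record evidence about a suspicious image
# name, then (only with -Remove) stop it and delete its copies, the way the poster
# did by hand for dl1.exe. Assumes Windows PowerShell 4+ (Get-FileHash) and the
# modern Users\<name>\AppData folder layout, not the XP paths in the thread.
param(
    [string]$ImageName = 'dl1.exe',   # name reported in the thread
    [switch]$Remove                    # hypothetical switch; default is report-only
)
$baseName = [IO.Path]::GetFileNameWithoutExtension($ImageName)

# 1. Running instances: capture PID, on-disk path and SHA-256 *before* stopping
#    anything, so a sample can go to the vendor (the thread's closing advice).
$procs = @(Get-Process -Name $baseName -ErrorAction SilentlyContinue)
foreach ($p in $procs) {
    $path = $p.Path
    $hash = if ($path -and (Test-Path -LiteralPath $path)) {
        (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    } else { 'n/a' }
    [pscustomobject]@{ Kind = 'process'; Id = $p.Id; Path = $path; SHA256 = $hash }
}

# 2. The three locations from the thread: Prefetch, the system Temp folder and
#    each user's Temp folder. The Prefetch entry is a record that the program ran
#    (DL1.EXE-<hash>.pf), not the executable itself, so match on the base name.
$dirs = @(
    (Join-Path $env:SystemRoot 'Prefetch'),
    (Join-Path $env:SystemRoot 'Temp')
)
$dirs += Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' }

$files = @(foreach ($d in $dirs) {
    if (Test-Path -LiteralPath $d) {
        Get-ChildItem -LiteralPath $d -Filter "$baseName*" -File -Force -ErrorAction SilentlyContinue
    }
})
foreach ($f in $files) {
    [pscustomobject]@{ Kind = 'file'; Id = $null; Path = $f.FullName
                       SHA256 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash }
}

# 3. Only after the evidence above is printed: kill, then delete, then reboot and
#    rescan. A copy that reappears after reboot means the dropper is still present.
if ($Remove) {
    $procs | Stop-Process -Force -ErrorAction SilentlyContinue
    $files | Remove-Item -Force -ErrorAction SilentlyContinue
}
```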

So submit a diagnostic report to support instead of using all sorts of scanners not fully detecting it. It will also give SAS the chance to add the malware to its bases for the good of all instead of removing it with other products. :)
