
Trojan Heads Up



linw
06-12-2012, 01:08 PM
Just dealt with two machines where Malwarebytes had signalled a Trojan presence. MBAM removed the executable but on a rerun still reported the Trojan.

In both cases the executable was in the user's AppData\Local\Temp folder. The file name was random letters.

The Trojan installer had entered a Load entry into the Registry and it had changed the Permissions so that the entry couldn't be deleted. This is what MBAM was responding to on subsequent runs.

The registry entry was at HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows. Under the Windows entry was the Load exe entry. The permissions for 'Windows' only had Everyone with no rights. I ticked Full Control and was then able to delete the Load line.

MBAM ran clean after this.

That registry entry needs to be checked, it seems, as a 'Load' entry is executed at boot time.
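An added example, not from the thread, that checks the key described above in PowerShell: it reports the 'Load' value (and the 'Run' value that lives in the same key), whether the target exists under Local\Temp, and the key's permissions, so a locked-down ACL like the one in the post is visible before rerunning the scanner. The key path is the one quoted above; the optional repair step assumes the current user can still change the key's permissions, as was the case in the post.

```powershell
# Added example (not the original poster's code): inspect the per-user
# ...\Windows NT\CurrentVersion\Windows key for logon-time 'Load'/'Run' values
# and show the key's ACL, which is what blocked deletion in the post.
$WindowsKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'

function Get-WindowsLoadEntry {
    param([string]$Path = $WindowsKey)
    if (-not (Test-Path -Path $Path)) { Write-Output "Key not present: $Path"; return }
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in 'Load', 'Run') {
        $value = $props.$name
        if ([string]::IsNullOrEmpty($value)) { Write-Output "${name}: (not set)"; continue }
        # Both values are started for this user at logon; a random file name
        # under Local\Temp matches the pattern in the post.
        $expanded = [Environment]::ExpandEnvironmentVariables($value)
        $inTemp   = $expanded -like "$env:LOCALAPPDATA\Temp\*"
        Write-Output ("{0}: {1}  (file exists: {2}, in Local\Temp: {3})" -f `
            $name, $value, (Test-Path -LiteralPath $expanded), $inTemp)
    }
    # 'Everyone' with no rights, or Deny entries, explains a value that cannot
    # be removed until Full Control is restored.
    $acl = Get-Acl -Path $Path
    Write-Output "Owner: $($acl.Owner)"
    foreach ($ace in $acl.Access) {
        Write-Output ("  {0,-5} {1,-35} {2}" -f `
            $ace.AccessControlType, $ace.IdentityReference, $ace.RegistryRights)
    }
}

function Repair-WindowsLoadEntry {
    # Grants the current user Full Control on the key and removes 'Load',
    # mirroring the manual fix described in the post.
    param([string]$Path = $WindowsKey)
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $me, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    Remove-ItemProperty -Path $Path -Name 'Load' -ErrorAction Stop
    Write-Output "Removed 'Load' from $Path"
}

Get-WindowsLoadEntry
# Run Repair-WindowsLoadEntry only after confirming the reported value is unwanted.
```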

Speedy Gonzales
06-12-2012, 01:53 PM
Use CCleaner and it should delete what's in the temp folders. Use TDSSKiller, and scan it for rootkits. Use something like Trojan Remover, and scan it as well after you update it.

wainuitech
06-12-2012, 03:56 PM
Actually Ccleaner doesn't get all the temp files.

Try running TFC, that really cleans out the lot.

http://www.bleepingcomputer.com/download/tfc/