Trojan keeps coming back

On a customer's machine the Trojan “Trojan.HTML.Exploit.Codebase.~Exec@226875254” keeps coming back after quarantine.

Then I suggest you manually delete it if you know its location. If that doesn’t help, add it in D+ to block it, and also in the firewall just to be sure.

When it would be so simple to get rid of that trojan by just deleting it manually, I guess the antivirus would have been able to quarantine it. And what about the damage already done?

To explain to someone how he can keep a trojan and move on is not what I expect when it’s about security.

Sometimes it’s better to bite into the bitter fresh apple and install the operating system anew than to close your eyes until this apple is rotten.
Better safe than sorry.

From what folder does it get continuously reported? If it is from the browser cache, let the customer clean the browser cache and restart the browser. Then let him or her see if going to specific websites infects the computer with the trojan.

It sits in the Internet Explorer temp folder.

Let him try cleaning the IE cache while IE is not running. That can be done in Control Panel → Internet Options → General. Now the trojan should be gone unless it has a self-protection mechanism.

Is the trojan active in memory, or is it just a file sitting on the HD?

Then let him see when the pop-up shows up, in particular with what web site. I am assuming the trojan, or maybe a false positive, gets caught on one or more web sites.

Malware that seems to survive deletion or quarantine is usually caused by a “master” malware file which the malware scanner is not catching; and which re-creates the deleted or quarantined file (usually giving it a whole new name) on reboot. It’s actually quite common.

The “master” file is often missed because of the clever way it’s hidden on the hard drive, in alternate NTFS streams, or as a rootkit, etc.

The solution, I’ve found, is to just give up on trying to fix it using something like Comodo Internet Security (CIS), or SuperAntiSpyware, or Malwarebytes, or any of the normal tools.

Instead, I go, once I realize what I’m up against, straight to ComboFix.

Granted, ComboFix can be a little rough on a system. I joke that it’s the computer system equivalent of (gently) using steel wool on Teflon. It “scrapes” the system just enough to remove pretty much any and all malware on it – even the seemingly impossible stuff – yet without really damaging the system very much… just a few light scratches here and there.

For example, on my machine, ComboFix resets certain Internet settings back to Microsoft defaults, necessitating that I go back in and loosen them up again to where I want them.

And ComboFix undoes my setting of Extensoft’s Free Extended Task Manager as the default task manager, and returns it to the regular Windows Task Manager (which, again, is no big deal… I just put it back to Extensoft after running ComboFix).

ComboFix also tends to undo a couple (actually, several) registry hacks I implemented in order to make Vista less insufferable, and make it stop hounding me so much with pop-ups and security warnings. Again, though, since I have those hacks documented, it’s no big deal to re-apply them after running ComboFix.

ComboFix also doesn’t seem to like certain software utilities that I have running on my machine… none of which are infected with malware, or adversely affect the computer in any way; so I don’t know why ComboFix automatically removes them whenever it runs, but it is what it is. They are, just for reference, the freeware HostsMan utility which I use to manage my HOSTS file; and the Advanced Launcher utility that I use to launch certain key apps; and the freeware version of Direct Folders, which I use to more easily access certain key folders; and, finally, a freeware RAM manager (which I’m not sure even really does much, in the master scheme of things) called RamRush. Again, I don’t know why ComboFix doesn’t like them, but it doesn’t; and so it removes them every time, for whatever reason. But, again, it’s no big deal to just reinstall them. And, upon reinstallation, they even “remember” how they were configured before ComboFix removed them, and so I don’t even have to do anything to make them work again other than just reinstall them. So it’s just not that big a deal.

Finally, if one is using illegal software using patches to end-run copy protection schemes, ComboFix will sometimes spot those and undo them (though not as often as one might expect). Be aware of that. That said, one could argue that one’s not supposed to be doing that in the first place, so one gets what one deserves… except that I actually have two apps on my machine, the makers of which went out of business, and for which I paid, fair and square, back when they were in business; but the only way I can now make them run is by means of what would normally be a completely illegal patch. So if ComboFix were to find those (which, gratefully, it does not), then I’d be hurting. Such patches usually generate a lot of false positives in the likes of CIS and SuperAntiSpyware, etc., so I don’t know why ComboFix ignores them. Perhaps it’s smart enough to know that they are, indeed, false positives. I’m grateful, in any case, that I don’t have to worry about it.

Anyway, my point is: Those are examples of how ComboFix, in the process of doing good, sometimes does just a little tiny bit of bad, too… hence the steel wool on Teflon analogy. So one should make sure that one’s eyes are wide open about all that before using it.

However, the good that ComboFix does is so good that it’s well worth the trouble of cleaning-up after it a little. ComboFix, for all its faults, will pretty much fix anything that’s wrong with a computer related to malware. It’s the tool of last resort which has never let me down. Ever. That said, like lightly using steel wool on Teflon, ComboFix should only be used when absolutely nothing else seems to work.

And ComboFix is free. Read more about it on the Bleeping Computer web site. Make sure to COMPLETELY read the guide/instructions so that you know what you’re doing (and getting into). A text file will be opened in Notepad in full-screen mode on the computer after ComboFix runs, telling you everything it found and did. Be sure to read that, too. And remember, then, to close the Notepad file and then reboot. ComboFix reboots as part of what it does; but I’m saying reboot even one more time after that so that you’ll be starting a bit more fresh.

Most of the time, once the machine has been scanned/repaired by ComboFix, one may reasonably assume that it’s clean; and can then use the CIS settings which can only be implemented if one is absolutely certain that there’s nothing bad on the machine.

To be clear: ComboFix comes about as close as anything out there to being a “miracle worker,” but it, too, sometimes fails. But if you read the guide/instructions, you’ll learn of its limitations so you’ll have your eyes wide open about all that, too. For the most part, ComboFix finds and fixes pretty much anything that most users would ever, in their lives, encounter. It’s sufficiently good at it that one can use it and then, afterwards, have a high degree of reasonable certainty that the machine’s clean… and that even malware which was, before running ComboFix, seemingly capable of surviving reboots, will finally be gone. Verifying by running a manual scan using CIS, SuperAntiSpyware and/or Malwarebytes couldn’t hurt.

Hope that helps!

  • HarpGuy
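A quick way to look for the “master” component HarpGuy describes (a file hidden in an alternate NTFS stream, or an autostart entry that re-creates the quarantined file on reboot) is to enumerate both from PowerShell. This is an added example, not code from any poster or from ComboFix/CIS; the folder in $ScanPath is an assumption and should be pointed at whatever folder the scanner keeps reporting.

```powershell
# Added example (not from this thread): list files under a folder that carry
# non-default NTFS alternate data streams, and dump the Run/RunOnce autostart
# entries, so a hidden component that re-creates a quarantined file at boot
# can be spotted. $ScanPath is an assumption; adjust it to the reported folder.
$ScanPath = "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files"

# ':$DATA' is the file's own content; Zone.Identifier is Windows' own
# "downloaded from the Internet" mark. Anything else deserves a closer look.
$defaultStreams = @(':$DATA', 'Zone.Identifier')

function Get-SuspiciousStreams {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $defaultStreams -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

function Get-AutostartEntries {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Skip the PS* metadata properties the provider adds to every item.
        foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

"== Files with extra NTFS streams under $ScanPath =="
Get-SuspiciousStreams -Path $ScanPath | Format-Table -AutoSize
"== Run/RunOnce entries (look for commands pointing into temp or cache folders) =="
Get-AutostartEntries | Format-Table -AutoSize
```

Run it from an elevated PowerShell so the HKLM keys and protected folders are readable; an entry whose Command points into a temp folder, or a cache file carrying an unexpected stream, is what to hand to the scanner or investigate further.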

WARNING - THE FOLLOWING ADVICE IS NOT FOR GENERAL CONSUMPTION

The malware that keeps reappearing is probably getting regenerated by another process altogether (the “master file” that the previous poster alluded to). If this is the case, until this other process is eliminated, it will keep happening.

Providing you are proficient, you could use something like Process Hacker or Comodo’s Cleaning Essentials KillSwitch to detect the processes running on your system and terminate them.

Please be aware that these utilities can, when used by inexperienced people or used inappropriately, cause your system to malfunction. When used correctly, they are an invaluable tool in clearing systems.

Cheers,
Ewen :)