Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

trojan after running several tools/ Moved


  • This topic is locked This topic is locked
10 replies to this topic

#1 linseed

linseed

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Mexico
  • Local time:03:40 PM

Posted 04 March 2009 - 10:47 PM

I started having a lot of messages on startup of (name) is not a valid windows image. So I ran Ccleaner, Superantispyware, spybot, malawarebytes, combofix and MGtools. They found a lot of problems, but after this, I started having a "just-in-time debugger" appearing every 10 seconds. Also a message appeared on my desktop with a red WARNING and the message "many viruses found in your computer such as trojan horse PassCapture, etc..." Also it seems NOD32 reactivated itself and now it constantly shows a message "http://lastcountb.com/cgi-bin/promo.pl?code=0000523" i click on abort, but it comes back again after a while. I ran Ccleaner, Superantispyware and spybot again and they found more stuff than they did the first time. I am not able to run malawarebytes, combofix nor MGtools again (I click on them and nothing happens) Please help!! I have been trying to get rid of these problems for two whole days now but it seems I am only doing more harm each time. Thanks!!

BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,805 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:05:40 PM

Posted 04 March 2009 - 11:20 PM

Hello linseed and welcome to BC :thumbsup:

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum. PLEASE DO NOT NOW POST LOGS unless someone requests one, and then post only the logs requested.

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Running ComboFix by yourself is like performing open heart surgery on yourself--the scalpel and other surgical tools that is ComboFix is meant to be wielded by a highly trained surgeon only in emergencies or dire circumstances. When the surgeon is thru s/he leaves the room. So combofix should be removed from a system once it has accomplished its job, unlike an AV that is there to protect you from future infections.

. . . CF does make some alterations to your system if you run it. Even if you had no malware removed and run the uninstall command, some things may be different now on your system. I can tell you that one thing is that all your restore points will be flushed out and a new one created. There is a good reason to do that when you have a severe infection--but if you aren't infected you might need those restore points.

Read and abide by the disclaimer people. It's there for a reason. Stick to running and protecting yourself with a good AV and firewall and an anti-malware scanner or two. If you feel you need a second opinion, try running online scans. If you feel you might need surgery, come here to BC and ask for help--that is what we're here for.


From: http://www.bleepingcomputer.com/forums/ind...t&p=1159014

That said, please tell us what your operating system is: Windows XP, Vista, etc.

Orange Blossom :flowers:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 linseed

linseed
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Mexico
  • Local time:03:40 PM

Posted 05 March 2009 - 01:42 PM

Thanks!! After rebooting with "desactivate system restore" I finally was able tu run for the second tipe all the tools mentiones on previous post. Every time I ran a tool I would desactivate system restore and reactivated again. It was slow but I think it helped. A lot of infections were found. It seems all problems are gone now except for NOD32's message "http://lastcountb.com/cgi-bin/promo.pl?code=0000523" What should I do now? I am running Windows XP Pro SP3.

#4 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:05:40 PM

Posted 06 March 2009 - 05:53 PM

Please update mbam and select FULL Scan
Run the scan, Remove selected and reboot
Post the log for review
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#5 linseed

linseed
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Mexico
  • Local time:03:40 PM

Posted 12 March 2009 - 09:00 AM

Thanks. Since I am new here I couldn't find my post. Here I am again. Still infected. Ran mbam as told. And here is what I have done since last post: ran NOD32, SUPER and ATF cleaner all in safe mode. NOD32 found a lot of trojans and were removed. After I boot again I get a lot of messages from NOD32 informing I have a trojan "TrojanClicker.Delf.AKM" It informs it is an event created when c:\WINDOWS\System32\ftp.exe was trying to create a file. In this report NOD32 informs the file has been moved to quarentine. If I go to my root folder I can see all these files NOD32 is reporting but with an extra "2", example ykr2.exe. The icon for all these files is a 7 with an apple, like a 7 from a slot machine (maybe it is not an apple but a cherry... not so lucky after all ha?) :thumbsup: Please help I cant remove this trojan. Here is my log
Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

12/03/2009 12:30:32 a.m.
mbam-log-2009-03-12 (00-30-32).txt

Scan type: Full Scan (C:\|)
Objects scanned: 138093
Time elapsed: 43 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:05:40 PM

Posted 12 March 2009 - 01:54 PM

Try this scan:
---------------------------------ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

------------------------------------

SAS,may take a long time to scan
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#7 linseed

linseed
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Mexico
  • Local time:03:40 PM

Posted 13 March 2009 - 08:18 AM

Thank you for your help. Did as told. Super did not find any harmful software. At the end of this post is super log. I am sure I am still infected even though super did not find anything. This is the fourth time I have ran super, the other times it would always find something. I know I am still infected because I have several exe files in c:\ and here are some of these files' names:
Dkd2.exe
g222.exe
KCPh2.exe
and a lot more. They all have the same strange icon (which is a seven and a world with a thunder striking the world). Eventually NOD32 will detect them and delete them, but a new one with a different number in the end will appear, example Dkd2.exe will become Dkd22.exe
Thanks!!
SUPER log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/13/2009 at 02:24 AM

Application Version : 4.25.1014

Core Rules Database Version : 3792
Trace Rules Database Version: 1748

Scan type : Complete Scan
Total Scan Time : 01:37:28

Memory items scanned : 212
Memory threats detected : 0
Registry items scanned : 5884
Registry threats detected : 0
File items scanned : 69181
File threats detected : 0

#8 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:05:40 PM

Posted 13 March 2009 - 04:31 PM

Full tutorial:
http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/


Please print out and follow these instructions: "How to use SDFix".
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • Please be patient as the scan may take up to 20 minutes to complete.
  • When the process is complete, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • The SDFix report log (Report.txt) will open in Notepad and automatically be saved in the SDFix folder.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable you anti-virus and and other security programs before connecting to the Internet.

Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#9 linseed

linseed
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Mexico
  • Local time:03:40 PM

Posted 16 March 2009 - 01:40 AM

Ran SDFix, here is my log: I still see suspicious files in my root folder. These files are the same as mentiones on my last post. They have strange names and their icon is the same as I mentiones (a seven with a world besides it and a lightning striking the world). These files have names like:
dCg1f2.exe
Dhd2.exe
DRY2.exe
and a lot more. I just noticed they all have the same size: 233KB. I also have a lot of other suspicious files like:
d5nWM".exe
DH25ECU2.exe
a lot more... all these are 150KB. I could upload a snapshot of my explorer window.

As I was writing this post a message from NOD32 appeared again. I will try to translate it because it is in spanish:
File:
c:\y1Dkvmw.exe
Malicious code:
Modified variant of Win32/TrojanClicker.Delf.AKM (Trojan)
Description: Success happened when a file tryed to be created by the application c:\WINDOWS\system32\ftp.exe. The file has been moved to quarintine.

I have a new file with the same name, but with an added "2" in the end: y1Dkvmw2.exe.

LOG:
Malicious code detected


SDFix: Version 1.240
Run by Administrator on 16/03/2009 at 12:15 a.m.

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\CKAPKWCY.EXE - Deleted
C:\CKAPKW~1.EXE - Deleted
C:\RTYAN2.EXE - Deleted
C:\SF9A.EXE - Deleted
C:\SF9A2.EXE - Deleted
C:\WAOY.EXE - Deleted
C:\WAOY2.EXE - Deleted
C:\WAOY21.EXE - Deleted
C:\WAOY22.EXE - Deleted
C:\YAJG.EXE - Deleted
C:\YAJG2.EXE - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-16 00:21:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 17 May 2004 8,007,680 ...H. --- "C:\Program Files\XSite Pro\Microsoft.mshtml.dll"
Mon 9 Jun 2008 35,328 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL1321.tmp"
Mon 9 Jun 2008 34,816 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL2579.tmp"

Finished!

#10 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:05:40 PM

Posted 16 March 2009 - 03:52 PM

I have a new file with the same name, but with an added "2" in the end: y1Dkvmw2.exe.


If the files are replicating themselves I believe it is time to prepare a HJT log
-----------------------------------------

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#11 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,805 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:05:40 PM

Posted 16 March 2009 - 08:49 PM

Hello linseed,

Now that you have a log posted here: http://www.bleepingcomputer.com/forums/t/211664/trojanclickerdelfakm/, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users