Started getting warnings showing Boaxxe trojan.


9 replies to this topic

#1 magnetchief (Members, 6 posts)

Posted 06 May 2009 - 02:24 PM

Hi.
Looking for some advice.
I have Windows XP on a Dell workstation.
I have McAfee virus protection and have started to get this warning ref Boaxxe.
Carried out a manual scan of the system but nothing showed up.
My virus protection cannot seem to remove this. I assume because it's tied to a system file.

Could anyone assist me in removal? I would be most grateful.

I have attached a short few lines from the McAfee event log.




5/3/2009 7:01:15 PM Move failed (Clean failed) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\fwydivf.dll Boaxxe
5/3/2009 7:01:24 PM No Action Taken (Clean failed) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\fwydivf.dll Boaxxe
5/3/2009 7:01:32 PM No Action Taken (Clean failed) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\fwydivf.dll

Thanks
Steve

#2 xblindx (Banned, 1,923 posts)

Posted 06 May 2009 - 03:45 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here or here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Please include the following in your reply:
MBAM log

#3 magnetchief (Topic Starter; Members, 6 posts)

Posted 07 May 2009 - 07:36 AM

Hi
Thanks for the offer of help.
I did as instructed, found more than I expected.

Here is the copy of the log report.

Malwarebytes' Anti-Malware 1.36
Database version: 2085
Windows 5.1.2600 Service Pack 3

5/6/2009 4:23:50 PM
mbam-log-2009-05-06 (16-23-50).txt

Scan type: Quick Scan
Objects scanned: 112387
Time elapsed: 19 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 11
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\fwydivf.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{eb4e636f-ddfb-4cfb-933b-d54155ce3e24} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zsyygqdz (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{eb4e636f-ddfb-4cfb-933b-d54155ce3e24} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{abd42510-9b22-41cd-9dcd-8182a2d07c63} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ekrfpsjs (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ekrfpsjs (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ekrfpsjs (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ekrfpsjs (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{eb4e636f-ddfb-4cfb-933b-d54155ce3e24} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.Data) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\fwydivf.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\glbqunk.bak (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ktggyn.bak (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iehelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\explorer.ini (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACsbchohgw.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACusakmnaw.dat (Trojan.Agent) -> Quarantined and deleted successfully.


Thanks again for the help.

On a good note, no trojan warnings this morning.

Steve

#4 xblindx (Banned, 1,923 posts)

Posted 07 May 2009 - 07:18 PM

Let's see what may be left :thumbsup:

Please download ATF Cleaner by Atribune and save it to your desktop (alternate download link). DO NOT use it yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#5 magnetchief (Topic Starter; Members, 6 posts)

Posted 11 May 2009 - 08:05 AM

Hi
Things look pretty good.
Just the one tracking cookie.
Thanks for your help :thumbsup:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/11/2009 at 08:45 AM

Application Version : 4.26.1002

Core Rules Database Version : 3883
Trace Rules Database Version: 1831

Scan type : Quick Scan
Total Scan Time : 00:31:01

Memory items scanned : 761
Memory threats detected : 0
Registry items scanned : 563
Registry threats detected : 0
File items scanned : 29943
File threats detected : 1

Adware.Tracking Cookie
C:\Documents and Settings\ranner\Cookies\ranner@doubleclick[2].txt

#6 xblindx (Banned, 1,923 posts)

Posted 11 May 2009 - 03:16 PM

Let's try one last thing.

Update MBAM, and do a full scan and post the log report in your reply.

#7 extremeboy (Malware Response Team, 12,975 posts)

Posted 11 May 2009 - 03:31 PM

Hello.

You have/had two major infections that you need to be warned about right now.

One of them was a backdoor/rootkit. Doesn't appear active but... your computer was/may have been compromised.

The next infection is a nasty infection that steals information/data from the computer.

"This spyware attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data." Quote from Trend Micro.

This spyware then connects to an HTTP server where it can drop other things and the stolen information is connected to a URL HTTP post where the stolen information is collected.

I strongly suggest you act accordingly:

Backdoor/Stolen Information Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor/stealth trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

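The MBAM logs in this thread are read by eye, and the triage in reply #7 turns on which detection families appear (Stolen.Data, Rootkit.Trace) and whether anything is still "Delete on reboot". As an added example that is not code from the thread or from Malwarebytes, the script below parses the MBAM 1.36 log layout from reply #3 and applies that triage; the sample log is a constructed, abridged cut of the posted one, and the risk tags and wording are assumptions modelled on extremeboy's advice.

```python
import re
# Abridged, constructed cut-down of the MBAM 1.36 log posted in reply #3 of this thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.36
Memory Modules Infected: 1

Memory Modules Infected:
c:\WINDOWS\system32\fwydivf.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.Data) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\fwydivf.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""
# A section header ends in "Infected:"; the summary lines near the top carry a count after it.
SECTION_RE = re.compile(r"^(.+ Infected):$")
# "<item> (<detection family>) -> <action>."  (trailing period dropped)
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Detection-family prefix -> (tag, why it matters); tags are constructed here, the advice follows reply #7.
RISK_RULES = [
    ("Stolen.Data", "data_theft", "harvested credentials: change passwords from a known-clean machine and tell the bank"),
    ("Rootkit.Trace", "rootkit", "rootkit remnants: the host may have been remotely controlled; reformat is the safe call"),
    ("Backdoor", "backdoor", "backdoor: the host may have been remotely controlled; reformat is the safe call"),
]

def parse_mbam_log(text):
    """Return one {section, item, family, action} dict per detection line, in log order."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        head = SECTION_RE.match(line)
        if head:
            section = head.group(1)
            continue
        hit = DETECTION_RE.match(line)
        if hit and section:
            findings.append({"section": section, **hit.groupdict()})
    return findings

def triage(findings):
    """Group findings by follow-up tag; an item still 'Delete on reboot' is not gone yet."""
    flags = {}
    def add(tag, why, item):
        entry = flags.setdefault(tag, {"why": why, "items": []})
        if item not in entry["items"]: entry["items"].append(item)
    for f in findings:
        for prefix, tag, why in RISK_RULES:
            if f["family"].startswith(prefix):
                add(tag, why, f["item"])
        if f["action"].startswith("Delete on reboot"):
            add("pending_reboot", "not removed until the machine reboots; rescan afterwards", f["item"])
    return flags
```

Running `triage(parse_mbam_log(SAMPLE_LOG))` on the abridged log yields three tags (pending_reboot, rootkit, data_theft), which is the same conclusion extremeboy drew from the full one.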

#8 xblindx (Banned, 1,923 posts)

Posted 11 May 2009 - 05:22 PM

extremeboy, if in the MBAM log, the rootkit is listed as "rootkit.trace", does that mean that it is only a piece of the rootkit and part of it has already been removed?

#9 magnetchief (Topic Starter; Members, 6 posts)

Posted 13 May 2009 - 08:14 AM

Looks clean at the moment.
Thanks guys for the advice. Will take it into consideration ref backdoor Trojans etc.
Don't use the PC for banking, mostly web surfing and 3D modeling.

Malwarebytes' Anti-Malware 1.36
Database version: 2118
Windows 5.1.2600 Service Pack 3

5/13/2009 9:06:33 AM
mbam-log-2009-05-13 (09-06-33).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 225625
Time elapsed: 1 hour(s), 31 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by magnetchief, 13 May 2009 - 10:43 AM.


#10 extremeboy (Malware Response Team, 12,975 posts)

Posted 13 May 2009 - 07:17 PM

Hello.

extremeboy, if in the MBAM log, the rootkit is listed as "rootkit.trace", does that mean that it is only a piece of the rootkit and part of it has already been removed?

Yes. Those usually mean that whatever tool was used to remove this infection did not really do a very good job of cleaning "everything"; however, those files can't do anything without the loader of the infection if it is active.

...and that was why in my response I said may or was compromised.

One of them was a backdoor/rootkit. Doesn't appear active but... your computer was/may have been compromised.


However, for the "Stolen.Data" one you should act accordingly.

If you want to make sure your computer is okay and wish to have a second opinion I suggest you run an online scan such as ESET online scan.

Run ESET Online Scan
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use; tick the check-box in front of YES, I accept the Terms of Use.
  • Now click Start. If you see a "Security Warning" that asks if you want to install and run a file called "OnlineScanner.cab", click Yes.
  • Click Start. The online scanner will now prepare itself for running on your pc.
  • To do a full-scan, tick: Remove found threats and Scan potentially unwanted applications.
  • Press Scan. The Onlinescan will now start and scan your computer. Please be patient as this takes a while.
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window.
  • Click Start, then Run.... In the box that appears, type (with the quotes):
    "C:\Program Files\EsetOnlineScanner\log.txt"
  • The scan results will now open in Notepad
  • Click into the text area, right-click and choose Select All. Right-click again and choose Copy.
  • Post back with the log.txt in your next reply.
Note: For Vista users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

With Regards,
Extremeboy



