
multiple trojan infection preventing log tools from running


This topic is locked
2 replies to this topic

#1 zaneandre

  • Members
  • 1 posts

Posted 19 August 2009 - 05:29 PM

Hello,
I am writing for help on solving an issue on my friend's computer. He must have downloaded a single bug which hijacked his internet and began downloading multiple viruses/malware. I was able to remove a good number of them with the a-squared free scanner, but my problem is that when I read all the suggestion guides and forums, people were asking for HJT logs and HJF logs. I have had minor success with this and many 'cleaner' programs listed, because I am pretty sure the bug is preventing these tools from scanning and identifying all the appropriate files. I have downloaded almost every single tool onto the laptop I am typing from, renamed them, copied them to a flash drive and then copied them to the infected system, yet the infection still continues to identify these programs and kill them before I am able to see the GUI load up or the scan complete (or even get close; the bugs seem to squash these programs in their tracks as soon as an infected file is identified and an attempt is made to deep-scan it). I am trying normal scans right now, as was suggested in the 'read first' post.

I have tried deleting the offending reg keys and files with no real success. The programs tell me that the files and keys have been removed, yet the infected files are still hiding and are definitely still doing their dirty work.

Since I was unable to produce an HJT or HJF log, and your guide said not to until asked for one, I am just going to post the names and locations of identified files discovered by a-squared.

Trace.Directory.Protection System!A2
c:\prog files\protection system\
Trace.File.Protection System!A2
C:\prog files\protection system\coreext.dll
Trojan.TDss!IK
C:\WINDOWS\system32\UACoqhpafmdgs.dll
C:\WINDOWS\Temp\UAC3fbb.tmp
C:\WINDOWS\Temp\UACe320.tmp
Trojan.Win32.FakeCog!IK
C:\WINDOWS\system32\UACtwyhibutld.dll
C:\WINDOWS\Temp\uac94a9.tmp
C:\WINDOWS\Temp\uac98ef.tmp
Trojan.Win32.FakeSpyguard!IK
C:\WINDOWS\Temp\uac8e12.tmp


My friend uses the computer for business and needs it back ASAP. I came to you guys asking for help since you seem to have had such great success helping other individuals with similar/same situations.

Note: the programs that aren't killed outright upon launching are usually blocked by privileges ("you are not admin", etc.). I have had success unlocking the registry with the gpedit.msc tool but can never seem to find where the keys are hiding. It appears that I can get around this with regASSASSIN.

When the system starts up it gives a Disc I/O error. When I first saw this I thought, oh, fantastic, but it appears that the system still boots, which leads me to believe that the virus is causing this message and that upon fixing the bug the message will disappear too.

Thanks a ton,
-Zane


EDIT: here is the GMER log result; hopefully this helps. Also, I was able to rename and install/run Remove It Pro and it also listed:
Win32.Unknown.Random.X
Sys32.hidec
Sys32.pev
Sys32.avgtdix
Sys32.hpz3l0154
Sys32.test

=== Below is GMER's log file

GMER 1.0.15.15077 [xw1fngfk.exe] - http://www.gmer.net
Rootkit quick scan 2009-08-19 16:35:34
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\Tcp ABTDI.sys (ABTDI/ArcaBit)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys

---- Services - GMER 1.0.15 ----

Service system32\drivers\UACntsppfhxfj.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

Edited by zaneandre, 19 August 2009 - 06:55 PM.
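The a-squared paths and the GMER service line posted above, run through a small triage script. This is an added example, not code from the original post and not part of a-squared or GMER. It parses the GMER "Services" section for entries flagged hidden, flags file names that follow the same pattern as the posted ones (the "UAC" prefix followed by random characters, sitting in system32 or Temp; that pattern is a heuristic assumed here, not a general rule), and links the hidden driver to the files that share its prefix. The sample lists are transcribed from the post, so the script runs offline.

```python
import re

# Constructed sample input: the paths a-squared listed in the post above.
SCAN_PATHS = [
    "c:\\prog files\\protection system\\",
    "C:\\prog files\\protection system\\coreext.dll",
    "C:\\WINDOWS\\system32\\UACoqhpafmdgs.dll",
    "C:\\WINDOWS\\Temp\\UAC3fbb.tmp",
    "C:\\WINDOWS\\Temp\\UACe320.tmp",
    "C:\\WINDOWS\\system32\\UACtwyhibutld.dll",
    "C:\\WINDOWS\\Temp\\uac94a9.tmp",
    "C:\\WINDOWS\\Temp\\uac98ef.tmp",
    "C:\\WINDOWS\\Temp\\uac8e12.tmp",
]

# Constructed sample input: the GMER services section from the post above.
GMER_LOG = """---- Services - GMER 1.0.15 ----

Service system32\\drivers\\UACntsppfhxfj.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
"""

# GMER service line: "Service <image> (<flags>) [<start type>] <service name> ..."
SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>\S+)\s+\((?P<flags>[^)]*)\)\s+\[(?P<start>[^\]]+)\]\s+(?P<name>\S+)",
    re.M,
)

# Heuristic (assumption for this example): "uac" + random alphanumerics + dll/sys/tmp,
# which is the shape of every name a-squared flagged in the post.
RANDOM_UAC = re.compile(r"^uac[0-9a-z]{3,}\.(?:dll|sys|tmp)$", re.I)
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\temp\\")


def basename(path):
    """Last backslash-separated component ('' for a directory path)."""
    return path.rsplit("\\", 1)[-1]


def is_suspicious_file(path):
    """True when the file sits in a system/temp dir and its name matches the heuristic."""
    low = path.lower()
    in_system_dir = any(d in low for d in SYSTEM_DIRS)
    return in_system_dir and bool(RANDOM_UAC.match(basename(path)))


def parse_hidden_services(gmer_text):
    """Return the services GMER marked as hidden, with image path, name and start type."""
    found = []
    for m in SERVICE_RE.finditer(gmer_text):
        if "hidden" in m.group("flags").lower():
            found.append({"image": m.group("image"),
                          "name": m.group("name"),
                          "start": m.group("start")})
    return found


def triage(paths, gmer_text):
    """Combine both sources: hidden drivers first, then the files sharing their prefix."""
    hidden = parse_hidden_services(gmer_text)
    suspicious = [p for p in paths if is_suspicious_file(p)]
    linked = {}
    for svc in hidden:
        # Assumption: a driver and DLLs sharing the same random-name prefix belong
        # to one component set; the hidden, SYSTEM-start driver is what reloads them.
        prefix = basename(svc["image"])[:3].lower()
        linked[svc["image"]] = [p for p in paths
                                if basename(p).lower().startswith(prefix)]
    return {"hidden_services": hidden,
            "suspicious_files": suspicious,
            "linked_files": linked}


if __name__ == "__main__":
    result = triage(SCAN_PATHS, GMER_LOG)
    for svc in result["hidden_services"]:
        print("HIDDEN service %s -> %s [%s]" % (svc["name"], svc["image"], svc["start"]))
        for p in result["linked_files"][svc["image"]]:
            print("  shares prefix:", p)
    print("suspicious by name:", len(result["suspicious_files"]))
```

The output orders the hidden, SYSTEM-start driver above the DLL and .tmp files that share its prefix, which is the order a cleanup has to follow: the files a-squared removed are what the driver drops, and a scanner that only deletes them leaves the loader in place.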



#2 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 31 August 2009 - 01:55 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,962 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 05 September 2009 - 05:25 PM

Due to the lack of feedback, this Topic is now closed.

In case you still have problems, please send me a Private message to reopen this topic within the next 5 days. Beyond that point, please start a new topic.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



