Help removing lingering effects of manual trojan removal


  • This topic is locked
3 replies to this topic

#1 edinspace

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:13 PM

Posted 28 December 2009 - 09:36 PM

Hi,

I have an HP1100tc TabletPC with Windows XP Tablet Edition SP3 running on it (this means you may see some odd processes in the logs for ink input, etc.). About a month ago, when my cable internet connection was down, I plugged in my wireless Sprint card to surf the web. I wasn't thinking clearly, and forgot that this put me directly connected to the net, and no longer behind the NAT in my router. I was using the Opera browser and unfortunately had Java enabled, an old Java. Well, I got some weird flashing popup with "Danger Computer Infected" etc. and Windows Installer started up and tried to install something. I quickly killed the msi process and spent some time searching for the newly created files, and moved them to a different directory and renamed them. I ran SpybotSD and MalwareBytes and found that the Trojan.FakeAlert.N and Rootkit.TDSS had been partially installed (and corrupted a couple of registry entries), but I seemed to have killed the process before the executables could be decompressed.

Yesterday, I took my tablet to Starbucks (remind me to never leave the house again), and when I connected to the wifi there, I got a bunch of popup boxes trying to start a session of VS7jit.exe. I killed all the boxes and considered this weirdness. I believe that a remote debug session is trying to be started with a malicious debugger that was supposed to be part of the trojan payload, but because I interrupted the install, the malicious debugger is not getting pointed to by some registry entry. I have since had occasional javascript debugger session request popups randomly, not just when browsing the net. Most disturbingly, I've had this debug session request popup over the login screen. I believe that I have crippled the trojan and the remote sessions are not getting initiated, but these popups are disturbing, and I'd like to root out the offending source.

I have completed the preparation guide's steps and stand (sit) ready for your merciful help.

Logs requested.

Merged posts. ~ OB

Edited by Orange Blossom, 28 December 2009 - 10:17 PM.
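The Just-In-Time debugger prompts described in the post above (VS7jit.exe and the script-debugger requests) are driven by a handful of registry values, so the first thing a responder would want is a read-only dump of exactly which binary Windows has been told to launch as the debugger, and whether that binary still exists. The following PowerShell is an added example for that check and is not part of the thread or of any tool the Malware Response Team recommends. The AeDebug and Image File Execution Options paths are the documented locations; the list of "expected" debugger file names and the inclusion of the Windows Script `JITDebug` flag are assumptions made for illustration, not findings from the poster's machine.

```powershell
# Added example (not from the thread): enumerate the registry values that decide
# which debugger Windows launches on a crash, an unhandled exception, or a
# script error, and flag values that look tampered with or that point at a
# file that no longer exists (a dangling reference is what a half-removed
# payload would leave behind). Read-only: nothing here changes the registry.

# Assumption for illustration: debuggers a clean developer box might register.
$expectedDebuggers = @('vs7jit.exe', 'vsjitdebugger.exe', 'drwtsn32.exe',
                       'windbg.exe', 'ntsd.exe', 'cdb.exe')

function Test-DebuggerValue {
    param([string]$Source, [string]$Value)
    if (-not $Value) { return }
    # The value is a command line; the first token (possibly quoted) is the image.
    $exe = if ($Value.StartsWith('"')) { $Value.Split('"')[1] } else { $Value.Split(' ')[0] }
    $name = [IO.Path]::GetFileName($exe).ToLower()
    $status = 'OK'
    if ($expectedDebuggers -notcontains $name) {
        $status = 'UNEXPECTED debugger name'
    } elseif (-not (Test-Path -LiteralPath $exe)) {
        $status = 'MISSING file (dangling reference)'
    }
    "{0,-55} {1,-60} {2}" -f $Source, $Value, $status
}

# 1. Post-mortem / JIT debugger. On x64 the 32-bit view lives under Wow6432Node.
$aeDebugKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug'
)
foreach ($k in $aeDebugKeys) {
    if (Test-Path $k) {
        $p = Get-ItemProperty -Path $k
        Test-DebuggerValue "$k\Debugger" $p.Debugger
        # Auto = 1 means the debugger starts without asking; worth knowing either way.
        "{0,-55} Auto = {1}" -f $k, $p.Auto
    }
}

# 2. Per-executable Debugger values under Image File Execution Options. Any
#    Debugger value here makes Windows run that program in place of the named
#    executable, which is a well-known hijack location, so every hit is listed.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
if (Test-Path $ifeo) {
    Get-ChildItem -Path $ifeo | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath).Debugger
        if ($dbg) { Test-DebuggerValue "IFEO\$($_.PSChildName)" $dbg }
    }
}

# 3. Script-engine JIT debugging flag (assumption: this is the switch behind
#    "do you want to debug" prompts raised by script errors). 0 = disabled.
$jitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Script\Settings',
    'HKCU:\SOFTWARE\Microsoft\Windows Script\Settings'
)
foreach ($k in $jitKeys) {
    if (Test-Path $k) {
        "{0,-55} JITDebug = {1}" -f $k, (Get-ItemProperty -Path $k).JITDebug
    }
}
```

Run it from an elevated PowerShell prompt and read the rightmost column: an AeDebug or IFEO entry pointing at an unfamiliar name, or at a path that no longer exists, is the sort of thing to paste into the thread alongside the requested logs rather than edit by hand, since the helper will want to see it before anything is changed.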



#2 syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:13 AM

Posted 07 January 2010 - 06:43 PM

Hello,

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window; if you do, click No.
  • Untick the following boxes on the right side of the Gmer screen.
    Sections
    IAT/EAT
    Files
    Show All
  • Click on the Scan button and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push the Save button and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.



Then please post back here with the following:
  • log.txt
  • info.txt
  • Gmer log
Thanks



#3 edinspace

  • Topic Starter
  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:13 PM

Posted 07 January 2010 - 09:10 PM

Thanks for your response,

I believe I have fixed this pc. After much reading of other posts, I ran combofix on it (even though there are warnings about not doing this w/o adult supervision.) I realize you guys are volunteers, and I would be happy to put some time in myself, but there don't seem to be any training spots available. I do some low-level programming (e.g. data acquisition, and control stuff) professionally, and have an MS in EE (Intelligent Systems, Robotics and Control), but no security specialization per se. I might be a quick study for the Anti-Malware training, and could contribute in tool development too. So, if you guys open up a new slot, let me know.

If you want the results of the ComboFix scan for reference, let me know. You can go ahead and delete my post.

#4 syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:13 AM

Posted 07 January 2010 - 09:27 PM

Thanks for letting us know :(

Unfortunately the only way to get an elusive slot is to keep checking back as regularly as possible; there are other schools out there but as far as I'm aware it is the same situation with them.

http://www.uniteagainstmalware.com/schools.php

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
