Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

sneaky trojan will not allow access to antivirus/security software websites


  • Please log in to reply
20 replies to this topic

#1 lilkel35

lilkel35

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 30 March 2010 - 10:22 AM

I am new to this forum and have read the pinned items, but still apologize if I am posting in the wrong place. I believe my computer is infected with a trojan and am trying to sort out which one and the specific method for removing it. Any help will be much appreciated. The computer is a desktop running Windows XP, SP3 with all of the current updates. The computer has Norton Internet Security 2010, with liveupdates recent as of yesterday around 1pm before I became infected. How I realized I was infected is that suddenly Norton began popping up saying that SONAR or Auto-protect detected (about 5 different items) and removed or quarantined and that my system was protected. It is obviously not as these warnings keep popping up every few minutes. Also, I cannot access any antivirus or security software websites. Norton LiveUpdate cannot run and any security sites, like Malwarebytes, etc. are blocked. I was able to download Malwarebytes Anti-Malware from filehippo.com as apparently this trojan does not suspect filehippo as a security website. I was also able to manually update the program after it was installed by downloading the update file from Malwarebytes' site on my "clean" laptop and installing it on the infected computer via jumpdrive. The scan found 5 infections and I saved the log file and had it remove the infections. Two had to be removed via reboot, so I did that--the pop-up warning from Norton came right back after reboot and I am still unable to connect to LiveUpdate or security software websites (although I can surf the web on other sites.) I disabled System Restore in control panel/services (I cannot turn it off for some reason, even though I am the system administrator on the computer, the system restore tab does not show up under my computer/properties.) I downloaded (from filehippo) and installed Super AntiSpyware (again, installing the definitions file manually via the same method as with Malwarebytes.) I ran a scan with Super AntiSpyware that found 3 trojans and I went through the process to remove them, again with a reboot at the end. The computer boots up more slowly after this one runs and again, the telltale popup warnings from Norton and still unable to download definition updates or access security sites. Here is a list from Norton of the viruses it has detected in certain files:
suspicious.cloud
suspicious.mh690.a
infostealer.wowcraft
trojan.gen
trojan.mebroot
In my running processes in task manager, I have at times had the following: vrt5.tmp, 405163.exe, 8063318.exe, VRTA.tmp, VRT370.tmp and a couple other number ones that I didn't write down. Each time I see them in running processes, I end them, but ending them does not magically allow the security software and spyware programs to download and update their definitions or access their websites. Also, while they stay gone, they come back upon reboot, or as soon as I connect my LAN cable (tried disconnecting it to run scans at one point.) Also, when I reboot my computer I get the following error "rundll--error loading C:\windows\system32\msbyylfy.dll. The specified module could not be found."
Second run of Malwarebytes found 4 items:
memory process-trojan.dropper c:\windows\system32\8063318.exe
file-trojan.dropper c:\windows\system32\8063318.exe
file-trojan.agent c:\windows\system32\ms.bin
registry value-trojan.agent HKLM\system\currentcontrolset\control\session manager\appcertdlls\appcertdll
I had it fix these items and I even went into registry editor and deleted the string in the last one myself manually. When it rebooted, same attacks as above noted via Norton. Ran a Norton full system scan, even though the definitions hadn't been updated since early afternoon yesterday and it found nothing and said the system was secure. Second run of SuperAntiSpyware finds nothing as well, but still unable to update definitions of any of the security software or access antivirus websites. Norton intrusion detection says it's blocked an intrusion by pozeml.com and also an intrusion by 60.190.222.131, but then it says it also blocked an intrusion by my own "desktop" IP addess. Tried rebooting in safe mode--can open IE, but after it opens it locks the computer, can't type in the URL line or search and lose all keyboard and mouse function.

And there's more--after second run of SuperAntiSpyware ran, I rebooted. Now I'm getting a ton of Norton "email error" messages with the "from" section as different names (not mine) and the "to" an address with mega in it (different variations.) Auto-Protect is now saying it's detected Backdoor.IRC.bot and my computer is secure and it has detected Trojan Horse (bn1.tmp) and the computer is secure. The computer is not secure, there is something in it still.

Any help in finding and removing whatever virus or trojan is causing all of this would be greatly appreciated. I apologize for the lengthy post, I wanted to make sure I was specific as possible with all of the solutions I have already tried so as to not waste my time rerunning unnecessary scans (each scan of these software takes approximately 2 hours.)

BC AdBot (Login to Remove)

 


#2 lilkel35

lilkel35
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 30 March 2010 - 12:40 PM

Any ideas? Sorry, I'm trying to be patient, but it just seems to be getting worse. The new "email error" pop-ups are every second or so and I have them stopped for the moment, but...

Also, the 3rd time I ran Malwarebytes---it found 5 infections, but never got to complete and remove them, it froze up before it could finish. When shutting down the computer I got the error AXWIN Frame Window:svchost.exe Application Error--The instruction at "0x0040177c" referenced memory at "0x00000000". The memory could not be "read."
I had to shut the system down manually with the power button. Reboot was VERY slow again and more tmp files and number based exe files on the task manager after reboot. I am currently in the process of copying my files to my external hard drive in the event that if I don't receive help soon I will reformat the hard drive and reinstall windows. I just hope that I am copying mere document files and not copying the virus onto my external hard drive.

#3 Torvald

Torvald

  • Members
  • 364 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:San Antonio, TX USA
  • Local time:09:59 AM

Posted 30 March 2010 - 01:00 PM

lilkel35,

Based on what you've posted so far, it looks like your machine is badly infected, but one of the expert advisors here at bleepingcomputer should be along soon to help you out. Please be patient, as there are lots more folks asking for help than there are expert helpers, but it will definitely be worth the wait.

In the meantime, if you have not already done so, try updating SuperAntiSpyware and then running it under Windows Safe mode.

Then, come back here and post a copy of your MBAM and SAS logs so the experts can take a look at them.

Good Luck.

Edited by Torvald, 30 March 2010 - 01:01 PM.

Google is my friend. Make Google your friend too.


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:59 AM

Posted 30 March 2010 - 03:27 PM

Hello and welcome.. If possible
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


Next let's look for an MBR rootkit.
Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  • press Enter.
  • The process is automatic...a black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 lilkel35

lilkel35
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 30 March 2010 - 03:46 PM

Thank you for helping---
I will tell you though that I cannot update Malwarebytes. Whatever sneaky thing this is, it will not allow the software to connect to its site on the internet or download updates. I have tried twice to run Malwarebytes today in normal mode and it hangs now. I ran it twice yesterday and could post those older logs, but not sure how to get it to run again today--it gets about 1 hour and 40 minutes into the scan. I can try running it and aborting the scan early, as the items it finds have typically been early on in the scan--would this help? I am currently running SuperAntiSpyware in safe mode. It has detected 6 items--4 registry and 2 file items--3 Trojan.Agent/Gen-Reader_S, 1 tracking cookie, and 2 Trojan.Agent/Gen. I am not sure I will be able to post the log when this scan finishes because after the scan started I lost all functionality of my mouse and keyboard. (This happened before in safe mode when I tried to come in.) After this scan is done, I will try to download the other program you suggested. Does it have a definition file that needs updated and can it be done manually? I am sure I won't be able to access the link on my infected computer, but I do have a "clean" laptop that I can download the file with and transfer to the infected system via thumb drive. I will report back soon with the rest of the SAS log if possible and the other scans too.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:59 AM

Posted 30 March 2010 - 05:39 PM

Hello. Try to run what you can if you can stop it and produce a log do so. if we can get things off even without the updates it will help. Mbr does not have an update.

perhaps doing thes 3 will stop the blockers.
Try this--from your browser open Tools, Internet Options, Connections tab, Lan settings, uncheck the box next to "use proxy...."

Next Run FixExe.reg

FixExe.reg
....click Run when the box opens


Now RKill....

Please download Rkill by Grinler and save it to your desktop.Link 2
Link 3
Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
If the computer is rebooted or a reboot occurs along the way you will need to run the application again as the malware programs will start again.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 lilkel35

lilkel35
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 30 March 2010 - 06:25 PM

Okay, I ran mbr and here are the details of the mbr.log file it created.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

In IE, the use proxy...box is already unchecked. I will next try to run the two other fixes from that post. I have also uninstalled Malwarebytes and SAS and am going to attempt to reinstall each and see if the new installs of each will run properly.

As an aside, I think I mentioned a running process called reader_s.exe. If I didn't, I noticed on one of my more recent reboots that I now have reader_s.exe as a running process. I kill the process in task manager and for fun went into CCleaner startup items and it was there also with the file path C:\documents and settings\username\reader_s.exe. I went looking for it in documents and settings in my user folder and there is nothing there--I deleted it using CCleaner and it just reappears when I reboot. Anyway...wanted to get you one thing...back to run more scans!

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:59 AM

Posted 30 March 2010 - 06:37 PM

Ugggh!! Some bad news. Readers S is possibly a Virut infection. Can you Confirm it?
see ThreatExpert


EDIT:
Lets' upload this file for a second opinion on what it actually is.. C:\documents and settings\username\reader_s.exe <<-- This file

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
<filepath>suspect.file

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/





Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer.

With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of virut can even penetrate and infect .exe files within compressed files (.zip, .cab, rar). The Virux and Win32/Virut.17408 variants are an even more complex file infectors which can embed an iframe into the body of web-related files and infect script files (.php, .asp, .htm, .html, .xml). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer virut remains on a computer, the more critical system files will become infected and corrupt so the degree of infection can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus...Due to the damaged caused to files by virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. undetected, corrupted files (possibly still containing part of the viral code) can also be found. this is caused by incorrectly written and non-function viral code present in these files.

AVG Overview of W32/VirutVirut is commonly spread via a flash drive (usb, pen, thumb, jump) infection using RUNDLL32.EXE and other malicious files. It is often contracted and spread by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

However, the CA Security Advisor Research Blog have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:Since virut is not effectively disinfectable, your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

Edited by boopme, 30 March 2010 - 06:41 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 lilkel35

lilkel35
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 30 March 2010 - 06:48 PM

I ran the fixexe.reg and a box popped up that said "are you sure you want to add the information in C:\documents and settings\username\local settings\temporary internet files\content.IE5\GKHUIW68\fixexe[1}.reg to the registry?" I clicked yes and another box popped up that said information successfully added.

I then tried to run the rkill things. The first link didn't look like it did anything, so I clicked it again, but then I went and looked and it is in task manager running processes and can't be ended. I tried to delete it and download each of the others, but the same happened, so at the moment they are all stuck in my running processes. I guess I will have to reboot and try again...but think I will try to reinstall the scan software again and run it first. I would like to get an actual log up here for you guys to look at.

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:59 AM

Posted 30 March 2010 - 06:53 PM

Did you see my Edit to upload the file?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 lilkel35

lilkel35
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 30 March 2010 - 06:56 PM

I should say "YIKES!" but I was pretty much afraid of that. I am not at all opposed to reformatting my hard drive and reinstalling windows from scratch--I've done it for way less viral reasons on this system before.

As I said, I did go to docs and settings in my user folder and cannot see the reader_s.exe file. I have it set to show hidden files and folders already.

So, do you think I should even bother trying to reinstall the two scanners (Malwarebytes and SAS) and try to get another scan or just reformat? Other question, does this infect "normal" files? (word, excel, jpeg, music, etc.) Expecting to reinstall the operating system, I copied all of my documents, outlook.pst, quicken, office, jpeg, etc to my external hard drive that was connected to the computer (have since disconnected it.) Should I be concerned with those files being infected? Is there a program that finds this virus so I can scan my external hard drive with my "clean" laptop to make sure the files are okay?

#12 lilkel35

lilkel35
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 30 March 2010 - 07:00 PM

I did see your edit to upload the file, but I cannot see a file to upload. Is there a way I should be able to see it? As I said, I already have "show hidden files and folders" marked in options.

Also, I cannot get to any of the links you posted in the upper part of your post--they all go to antivirus or security type sites I'm guessing--and I cannot get to any.

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:59 AM

Posted 30 March 2010 - 07:06 PM

Maybe we can run DDS. Iwould also think it time to consider backing up important docs.
Is this XP?
please go here....
Preparation Guide ,do steps 6 - 9.

Create a DDS log and post it in the new topic from step 9.
If Gmer won't run,skip it and move on.
Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:59 AM

Posted 30 March 2010 - 07:07 PM

I missed you other post...

Not an unwise decision to make. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive,

reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to backup

any autorun.ini or .exe files because they may be infected. Some types of malware may disguise itself by adding and hiding its extension to the existing extension of files so be

sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard

drive.

The best proceedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.

==============================

2 guidelines/rules when backing up

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not backup any executables files or any window files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files as they may contain traces of malware. Also, .html or .htm

files that are webpages should also be avoided.

Download Belarc Advisor - builds a detailed profile of your installed software and hardware, including Microsoft

Hotfixes, and displays the results in your Web browser.
Run it and then print out the results, they may be handy.

Since we don't know exactly which infections we're dealing with here, we should take some precautions before we attempt to move files from the infected machine. Run the

following on your clean computer, and make sure you insert your flash drives at the prompt.
Download and Run FlashDisinfector

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and

every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from

being installed on the root drive and running other malicious files.



Reinstall

Windows Vista


Note: Windows 7 Professional instructions recommend you DO NOT use a third-party software to format the drive.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#15 lilkel35

lilkel35
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 30 March 2010 - 07:32 PM

I have already copied my files onto an external hard drive, before I saw your post about that program to run.

So, I rebooted my computer to try to get the dds.scr file to run. Here's the attempted intrusion that Norton claims to have "blocked" (the same one that pops up each time I reboot.) Risk name HTTP GoldInstall Downloader Activity
attacking computer: pozeml.com (91.206.201.40, 80)
attacker url: pozeml.com/oc/box.txt
destination address: desktop (with my IP address, 3919)
source address: 91.206.201.40
The attack was resulted from \device\harddiskvolume1\windows\system32\winlogon.exe




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users