Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected Trojan.downloader and other stuff


  • This topic is locked This topic is locked
6 replies to this topic

#1 pfeathers

pfeathers

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:59 PM

Posted 04 June 2010 - 10:24 PM

I got infected with the typical webpage that says, you are infected with a virus, run this to disinfect. I disabled my NIC so I would not keep getting infected and tried to shut things down. After a reboot, I ran malware and it found 50 some items. Open NIC up and I would get infected all over again. I spent quite a bit of time trying to get rid of the stuff. I ran Kaspersky and it found a couple items (deleted: Trojan program Trojan.Win32.Clicker.hd File: f:\documents and settings\all users\application data\update\seupd.exe//data0004
.) & deleted: Trojan program Exploit.Java.ByteVerify File: C:\Documents and Settings\Owen Huffaker\Application Data\Sun\Java\Deployment\cache\6.0\54\46a4d9b6-268c9c4a
)

Now when I run the malware program it runs clean. I have run a complete Kaspersky scan it finds nothing.

I am still having some problems. 1) I get a phishing page identified by Kaspersky loading "http://cdn.mfdclk001.org/QAg4Flfe7s6j4TC688b767f6bcd96fd31d7f554888f0847315A". Kaspersky says that it has something to do with credit card number theft. 2) In 0utlook, a message pops up saying the my email address cannot be found, and when I send a message it bounces with - No transport provider was available for delivery to this recipient. 3) Can't seem to boot in safe mode. I don't remember how long I have tested this so I am not sure it is connected to all this but I get the BSOD with stop: 0x0000007B (0xF8B4E528, 0xc0000034, 0x00000000, 0x00000000).


I need some help on where to go from here, I think I still have some lingering issues/files on my system.

I have included the proper logs files below.

This is what the malware program intially found after the infection:

The following is the malware log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/3/2010 3:29:12 PM
mbam-log-2010-06-03 (15-29-12).txt

Scan type: Quick scan
Objects scanned: 156709
Time elapsed: 17 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 18
Registry Values Infected: 11
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\notepad.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{35af0447-15c8-4edd-8fb1-0f50f44cdab8} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{35af0447-15c8-4edd-8fb1-0f50f44cdab8} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6db55326-6f4a-426c-a598-8a8384910bee} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{6db55326-6f4a-426c-a598-8a8384910bee} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mcexecwin (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yidxpslq (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yidxpslq (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notepad (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xwzxfqwazmshrx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notepad (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsfg9w8gujsokgahi8gysgnsdgefshyjy (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.164,93.188.166.195 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{960ec3a0-dc7b-4693-b096-e5a52b3f648d}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.164,93.188.166.195 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\konqjafw.dll (Adware.EZlife) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Drivers\gjzoyrl.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owen Huffaker\Local Settings\Temp\ocnwxsmera.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owen Huffaker\Local Settings\Temporary Internet Files\Content.IE5\191ALG4M\hypwhc[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owen Huffaker\Local Settings\Temporary Internet Files\Content.IE5\9WP2BDZP\rvqxfn[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owen Huffaker\Local Settings\Temp\m053cuor.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Owen Huffaker\Local Settings\Application Data\xiayfemax\ivhqnjotssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owen Huffaker\Start Menu\Programs\Startup\scandisk.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owen Huffaker\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\notepad.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Owen Huffaker\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Owen Huffaker\Local Settings\Temp\taskmgr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ltuwoffkuktk.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Owen Huffaker\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owen Huffaker\ntload.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owen Huffaker\Local Settings\Temp\iexplarer.exe (Trojan.Agent) -> Delete on reboot.


***********************************DDS.TXT*********************************************
Attached File  DDS.txt   8KB   12 downloads

***********************************ATTACH.TXT*******************************************

Attached File  Attach.txt   10.87KB   8 downloads

***********************************ARK.TXT**********************************************

Attached File  ark.txt   32.6KB   13 downloads






BC AdBot (Login to Remove)

 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:59 PM

Posted 04 June 2010 - 11:32 PM

Hello pfeathers,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1.
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. "If you would like to continue, then follow the steps below, otherwise please let me know"

2.
Download and Run RKill
    Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

3.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

Things to include in your next reply::
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 pfeathers

pfeathers
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:59 PM

Posted 06 June 2010 - 12:27 AM

I ran the rkill, it did not find anything.

Ran combofix, it created a restore point, and then installed recovery console. Then continued to run. Message popped up saying that is found rootkit activitiy and needed to reboot.

During the reboot, I did not see any recovery console as it combofix said. Don't know what that means.

Also, after the boot, the blue screen came up to resume the combofix. Just a FYI, the desktop never got completed during the startup, so I don't have a task bar, icons etc.

It has been running for several hours and I don't hear any disk activity so I suspect it has hung.

I am going to bed and will check in the morning.

Need to know how to proceed?

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:59 PM

Posted 06 June 2010 - 09:42 AM

Hello,

If It don't reboot then go ahead and reboot it manually if you have to. There should be a log at the following location:
C:\Combofix.txt. Please post that log along with any remaining problems.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 pfeathers

pfeathers
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:59 PM

Posted 06 June 2010 - 11:10 AM

Got up this morning and the combofix blue screen had three entires. Had indicated that it had completed 3 passes. I waited for an hour or so then tried to cancel combofix. The blue cmd box did not respond. Remember there is no task bar or icons. I tried alt-ctrl-delete and then shutdown and nothing happened. Waited 30 minutes, then pushed the power button.

Searched for combofix.txt and did not find anything on system.

Here is the rkill log:
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Owen Huffaker on 06/05/2010 at 20:50:03.


Processes terminated by Rkill or while it was running:




Rkill completed on 06/05/2010 at 20:50:12.

Here is Kaspersky entires that popped up after reboot. When it tried to neutrilize the rootkit, it could not find it.
detected: Trojan program Rootkit.Win32.TDSS.ap File: C:\QooBox\32788R22FWJFW\disk.sys
detected: virus EICAR-Test-File File: C:\DOCUME~1\OWENHU~1\LOCALS~1\Temp\Av-test.txt

How's computer running:
Kaspersky has not detected any phishing issues.
Email still goofed up, no transport carrier.
Can't boot safe mode.

On Reboot, box pops up, error loading flctphoe.dll, access denied.

Then Kaspersky goes crazy with: deleted: adware not-a-virus:AdWare.Win32.BHO.mgs File: C:\WINDOWS\system32\flctphoe.dll

Edited by pfeathers, 06 June 2010 - 11:19 AM.


#6 pfeathers

pfeathers
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:59 PM

Posted 06 June 2010 - 03:00 PM

I have come to the conclusion that I am going to format and reinstall.

Thanks for the help, I am sure we could have fixed it but I do use the computer for financial stuff and I want to be sure I am clean.



#7 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:59 PM

Posted 06 June 2010 - 03:57 PM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send a Private Message to any one of the moderating team member or myself. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users