Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

PCMaximixer?


  • This topic is locked This topic is locked
10 replies to this topic

#1 flyguy958

flyguy958

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:40 AM

Posted 02 January 2011 - 09:47 PM

I have a Trojan horse! I tried to go through the steps to make this first post. The DDS program would run until the computer locked up. I did get the GMER to run and attached the log(ark.txt) Below is the information from an AVG scan. It will not get rid of the problem. Thanks for any help you can supply.





AVG Scan Results
"";"C:\WINDOWS\explorer.exe (1964)";"Trojan horse Agent_r.XJ";""
"";"C:\WINDOWS\explorer.exe (1964):\memory_001a0000";"Trojan horse Agent_r.XJ";"Object is inaccessible."
"";"C:\WINDOWS\system32\svchost.exe (3500)";"Trojan horse Agent_r.XJ";""
"";"C:\WINDOWS\system32\svchost.exe (3500):\memory_001a0000";"Trojan horse Agent_r.XJ";"Object is inaccessible."

Attached Files

  • Attached File  ark.txt   8.81KB   3 downloads


BC AdBot (Login to Remove)

 


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:40 AM

Posted 08 January 2011 - 01:20 PM

Hello and welcome to Bleeping Computer :welcome:

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



IMPORTANT NOTE: :exclame:

If the system has been used after topic creation time we need to take a look at fresh logs. So, please post fresh copies of dds.




Regards,
Georgi :hello:

cXfZ4wS.png


#3 flyguy958

flyguy958
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:40 AM

Posted 09 January 2011 - 10:17 PM

Thanks for you help. I hope I can provide enough information to solve this.

POP ups:
Threat Detected
Filename:c:\windows\temp\oufj\setup.exe
Threat Nane: Trojan Horse downloader.genericlo.bpcj.dropper
Detechted on open
......
......

DDS log not available, this program runs a while then locks computer.

GMER Log


---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1240] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\svchost.exe[1240] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009C000A
.text C:\WINDOWS\System32\svchost.exe[1240] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 009A000C
.text C:\WINDOWS\System32\svchost.exe[1240] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00B1000A
.text C:\WINDOWS\Explorer.EXE[2328] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C6000A
.text C:\WINDOWS\Explorer.EXE[2328] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C7000A
.text C:\WINDOWS\Explorer.EXE[2328] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C5000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device \FileSystem\Udfs \UdfsCdRom tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 89B7339B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 89B7339B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 89B7339B

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskFUJITSU_MHT2060AT_______________________0022____#5&1c50b25f&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----

This is the scan results from AVG

"";"C:\WINDOWS\Temp\tihw\setup.exe";"Trojan horse Downloader.Generic10.BPCJ.dropper";"Moved to Virus Vault"
"";"C:\WINDOWS\Temp\oufj\setup.exe";"Trojan horse Downloader.Generic10.BPCJ.dropper";"Moved to Virus Vault"
"";"C:\WINDOWS\system32\svchost.exe (1240):\memory_001a0000";"Trojan horse Agent_r.XJ";"Object is inaccessible."
"";"C:\WINDOWS\system32\svchost.exe (1240)";"Trojan horse Agent_r.XJ";""
"";"C:\WINDOWS\system32\csrss.exe (656):\memory_00270000";"Trojan horse Agent_r.XJ";"Object is inaccessible."
"";"C:\WINDOWS\system32\csrss.exe (656)";"Trojan horse Agent_r.XJ";""
"";"C:\WINDOWS\explorer.exe (2328):\memory_001a0000";"Trojan horse Agent_r.XJ";"Object is inaccessible."
"";"C:\WINDOWS\explorer.exe (2328)";"Trojan horse Agent_r.XJ";""

Attached Files

  • Attached File  ark.txt   7.06KB   4 downloads


#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,801 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:40 AM

Posted 12 January 2011 - 07:43 PM

Hello flyguy958 ,

I have merged your 2nd topic to your original topic where it belongs. I am also going to delete the third topic you created on this issue. I realize that you were instructed to create that topic in a response to the second topic. Please keep all posts to this topic by using the Add Reply button found near the bottom of the topic. Starting new topics confuses things for everyone and delays the assistance you receive.

Back to you B-boy/StyLe/ and coach,

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#5 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:40 AM

Posted 12 January 2011 - 08:05 PM

Thank you Orange Blossom. :)


Hi flyguy958 and :welcome:

I will be handling your log to help you get cleaned up.
Please give me some time to look it over and I will get back to you as soon as possible.
Here it is 03.02 am so I'll get some sleep. Posted Image
See ya later as I'm very tired and I might just fall asleep during typing..stay tuned. :wink:


Regards,
Georgi :hello:

cXfZ4wS.png


#6 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:40 AM

Posted 14 January 2011 - 06:41 PM

Hello flyguy958, ! Welcome to BleepingComputer Forums! :welcome:


Sorry for the delay. I was swamped with work today.


My name is Georgi and and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.





IMPORTANT NOTE: One or more of the identified infections is related to the rootkit TDL4 component. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used be the attacker for malicious purposes. Rootkits are used be Trojans to conceal its presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bepasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is send back to the hacker. To learn more about these types of infections, you can refer to:If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to continue please do this:





STEP 1



You will need to uninstall AVG before continuing with the below.
Due to recent changes in how AVG target the tool's internal files, AVG must be uninstalled before running ComboFix.



Click "start" on the taskbar and then click on the "Control Panel" icon.
Please doubleclick the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

AVG

Additional instructions can be found here if needed.



IMPORTANT NOTE !!!

Now please do this to clean all leftovers from AVG.

  • Download AppRemover by Opswat and save it to your desktop.
  • Double click on AppRemover.exe to run it.
  • Uncheck "Enable anonymous usage statistics. No personal data will be recorded."
  • Click on the Next button.
  • Click on "Remove Security Application" or "Clean Up a Failed Uninstall" depending on what you want to do. (you want the failed uninstall)
  • Click on the Next button.
  • A scan begins, please wait. Once done, click on the Next button.
  • Now you should have a list of your installed programs, choose the one you want to remove and click on the Next button.
  • Follow the last step and reboot if asked to do so.





STEP 2



Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.



C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\explorer.exe




Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/





STEP 3



Please download RKill by Grinler from one of the 4 links below and save it to your desktop.
  • Link 1
    Link 2
    Link 3
    Link 4
  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply





STEP 4



Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

    Posted Image
  • If an infected file is detected, the default action will be Cure, click on Continue.

    Posted Image
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • Select Skip to the sptd.sys

    Posted Image
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

    Posted Image
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.





STEP 5



Please download ComboFix from one of these locations:

Link 1
Link 2

Save it to your Desktop <-- Important!!!

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click it & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

:exclame: If you receive a message, saying that your system has been compromised by patching virus "virut" or something like that, please let me know. :exclame:



So in your next reply please include:
  • the RKill log
  • the jotti scan results
  • the Combofix log
  • the TDSSKiller log



Regards,
Georgi

cXfZ4wS.png


#7 flyguy958

flyguy958
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:40 AM

Posted 14 January 2011 - 09:28 PM

Thanks for the reply, I will start the process today. Again thanks and I will post the results.

#8 flyguy958

flyguy958
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:40 AM

Posted 15 January 2011 - 04:40 PM

OK Georgi, here is what I have done. Before your response was posted I had already found and run TDSSKiller. This seems to have solved the problem but I continued and followed all your instructions.

I have attached the logs you requested. Jotti found no issues. Combofix get to the scan and then locks the computer up, I have to turn the power off to reboot. The computer seems to be fine now but please look at the logs and see if I may have more issues.

Thanks Rick

Attached Files



#9 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:40 AM

Posted 15 January 2011 - 08:09 PM

Hi flyguy958, :)



It would be extremely helpful if you could please post the logs instead of attaching them. If I ask for a specific log to be attached then that's fine, but it's a lot easier to work with the logs when they are posted to this thread instead of being attached.


Also I think you posted the wrong log from TDSSKiller regarding the date of scan - Jan 12 2011 09:51:11
The report should be located in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt".
Could you please copy and paste the content of the most current log in your next reply.
Thank you.



Now please follow the following steps:



STEP 1



We need to repeat this step as I forgot to mention to click on the re-analyze button.
Ok here we go:


Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Virustotal

When the Virustotal page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\explorer.exe


note, if VT says these files have already been analysed, make sure you click re-analyse file now.

Please post back the results of the scan in your next post.

If Virustotal is busy, try the same at Virscan: http://virscan.org/





STEP 2



We need to run an OTL Custom Scan


  • Please download OTL from the link below:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • OTL should now start. Change the following settings:
    - Click on Scan All Users checkbox given at the top.Posted Image
    - Under File Scans, change File age to 60
  • Copy and Paste the following code into the Posted Image textbox.
    netsvcs
    /md5start
    svchost.exe
    csrss.exe
    explorer.exe
    /md5stop
    
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized



Regards,
Georgi

cXfZ4wS.png


#10 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:40 AM

Posted 19 January 2011 - 05:00 AM

Hi flyguy958,

It's been several days. Do you still need help on this?
This thread will be closed if you don't respond within 48 hours.


Regards,
Georgi

cXfZ4wS.png


#11 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:40 AM

Posted 23 January 2011 - 11:22 AM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users