having trouble removing Trojan.Zefarch


8 replies to this topic

#1 alittlehelp

Posted 23 January 2011 - 11:14 AM

We recently encountered a virus on our Dell machine, Windows XP Pro, SP3.
A Symantec AV scan encountered a virus, Trojan.Zefarch, and made several attempts to clean it. Symantec's attempts to eliminate the threat appear a bit erratic according to its logs. Symantec's Threat History indicates that on the last scan the virus was deleted.
Going one step further, we ran multiple scans (in full scan mode) using SAS and Malwarebytes in both safe and normal startup mode. The initial scan results from both SAS & MBAM resulted in capture and removal of residual/additional threats, which eventually yielded subsequent scan logs indicating clean results (no virus found).
However, at startup the machine continuously receives a RUNDLL error: "Error Loading C:\windows\odejoyex.dll The specified module cannot be found".
I'm not sure if the threat has been removed entirely.
Google searches indicate that the RUNDLL errors are a residual effect of the Zefarch virus and that elements of the infection may still be hiding somewhere on the PC.

I am not currently on the PC in question since I'm not sure what kind of threat we are dealing with (password stealer etc...)

Any help from established members would be greatly appreciated.

Thanks in advance!


#2 cryptodan

Posted 23 January 2011 - 11:18 AM

Can you post the scan logs from MBAM and SAS?

#3 alittlehelp (Topic Starter)

Posted 23 January 2011 - 11:53 AM

Thanks crypto.
I have only the initial scans from normal startup mode.
The other scans were performed as administrator in safe mode. Unfortunately I don't see them in the logs.

SAS log 1
----------
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/21/2011 at 11:50 PM

Application Version : 4.27.1002

Core Rules Database Version : 6255
Trace Rules Database Version: 4067

Scan type : Complete Scan
Total Scan Time : 02:12:50

Memory items scanned : 552
Memory threats detected : 0
Registry items scanned : 6441
Registry threats detected : 7
File items scanned : 145312
File threats detected : 7

Adware.MyWebSearch/FunWebProducts
HKLM\SOFTWARE\FunWebProducts
HKLM\SOFTWARE\FunWebProducts\Installer
HKLM\SOFTWARE\FunWebProducts\Installer#Dir
HKLM\SOFTWARE\FunWebProducts\Installer#PluginPath
HKLM\SOFTWARE\FunWebProducts\Installer#CurInstall
HKLM\SOFTWARE\FunWebProducts\Installer#sr
HKLM\SOFTWARE\FunWebProducts\Installer#pl
C:\Program Files\FunWebProducts\Installr\2.bin\F3EZSETP.DLL
C:\Program Files\FunWebProducts\Installr\2.bin\F3PLUGIN.DLL
C:\Program Files\FunWebProducts\Installr\2.bin\NPFUNWEB.DLL
C:\Program Files\FunWebProducts\Installr\2.bin
C:\Program Files\FunWebProducts\Installr
C:\Program Files\FunWebProducts
C:\DOCUMENTS AND SETTINGS\user\MY DOCUMENTS\DOWNLOADS\IWON.EXE


SAS log 2
---------
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/22/2011 at 01:50 PM

Application Version : 4.27.1002

Core Rules Database Version : 6255
Trace Rules Database Version: 4067

Scan type : Quick Scan
Total Scan Time : 01:18:36

Memory items scanned : 560
Memory threats detected : 0
Registry items scanned : 526
Registry threats detected : 0
File items scanned : 82338
File threats detected : 0

-----
MBAM
-----
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5570

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

1/22/2011 9:15:25 AM
mbam-log-2011-01-22 (09-15-25).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 280097
Time elapsed: 1 hour(s), 40 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\rp1930\a0158205.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1931\A0158280.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.

#4 alittlehelp (Topic Starter)

Posted 23 January 2011 - 05:10 PM

New scan logs from this afternoon (SAS & MBAM, normal startup mode).
Before removal, Malwarebytes caught this under Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> No action taken.

----(see removal log below)

-------------
SAS-full scan:
-------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/23/2011 at 01:57 AM

Application Version : 4.27.1002

Core Rules Database Version : 4040
Trace Rules Database Version: 1980

Scan type : Complete Scan
Total Scan Time : 03:34:05

Memory items scanned : 209
Memory threats detected : 0
Registry items scanned : 5982
Registry threats detected : 0
File items scanned : 135678
File threats detected : 0

-----------------
MBAM - full scan
-----------------
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5580

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

1/23/2011 4:52:07 PM
mbam-log-2011-01-23 (16-52-07).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 271329
Time elapsed: 1 hour(s), 29 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-------------------

Anyone know what PUM.Bad.Proxy is?
According to Google searches this is pretty new; not much info is available as of yet.

#5 quietman7 (Global Moderator)

Posted 24 January 2011 - 01:58 PM

at startup the machine continuously receives a RUNDLL error: "Error Loading C:\windows\odejoyex.dll The specified module cannot be found".

It's not unusual to receive such errors when booting up after using anti-virus and other security scanning tools to remove a malware infection.

RunDLL32.exe is a legitimate Windows file that executes/loads .dll (Dynamic Link Library) modules, which themselves can be legitimate or sometimes malware related. A RunDLL "Error loading..." or "specified module could not be found" message usually occurs when a .dll file that was set to run at startup in the registry has been deleted. Windows is trying to load this file but cannot locate it, since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry still remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows displays an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there.
    Vista/Windows 7 users refer to these instructions.
  • Open the folder and double-click on autoruns.exe to launch it.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file(s) in the error message.
  • If found, right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.
If you're going to keep and use Autoruns, be sure to read:

before removal; Malwarebytes caught this: Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> No action taken...Anyone know what PUM.Bad.Proxy is?


See MalwareNET: PUM.Bad.Proxy. Your scan indicates no action was taken. Rerun and let MBAM fix it.
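The two findings in the post above (an orphaned startup entry pointing at a deleted DLL, and a ProxyServer value flagged as PUM.Bad.Proxy) can be checked from the command line as well. The script below is an added example written for this page; it is not code from the thread, from Autoruns or from Malwarebytes. It assumes Windows PowerShell 2.0 or later on the affected machine, run as Administrator so the HKLM keys are readable, and it only walks the common Run/RunOnce keys. Autoruns inspects many more locations (services, drivers, Winlogon, BHOs, scheduled tasks), so treat this as a spot check, not a replacement.

```powershell
# Added example, not from the thread. Run as Administrator (PowerShell 2.0+).

# Common autostart keys. Autoruns covers far more; these are the usual suspects.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Split the first token off a command line, honouring double quotes and
# expanding %SystemRoot%-style variables. Returns (token, remainder).
function Split-FirstToken {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($cmd -match '^"([^"]+)"\s*(.*)$') { return @($Matches[1], $Matches[2]) }
    if ($cmd -match '^(\S+)\s*(.*)$')     { return @($Matches[1], $Matches[2]) }
    return @($cmd, '')
}

# The file an autostart command really depends on. For rundll32 that is the
# DLL named in its arguments (e.g. C:\windows\odejoyex.dll), not rundll32.exe.
function Get-CommandTarget {
    param([string]$CommandLine)
    $exe, $rest = Split-FirstToken $CommandLine
    if ($exe -match '(?i)(^|\\)rundll32(\.exe)?$') {
        $dll, $null = Split-FirstToken $rest
        return ($dll -split ',')[0]      # strip the ",EntryPoint" suffix
    }
    return $exe
}

# Entries whose target file is gone: these produce the RunDLL
# "specified module could not be found" message at logon.
function Get-OrphanedRunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # provider metadata, not values
            $target = Get-CommandTarget ([string]$p.Value)
            if (-not $target -or $target -notmatch '\\') { continue }  # bare names resolve via PATH
            if (-not (Test-Path -LiteralPath $target)) {
                New-Object PSObject -Property @{
                    Key = $key; Value = $p.Name; Command = $p.Value; Missing = $target
                }
            }
        }
    }
}

# WinINet proxy settings for the current user. ProxyEnable=1 with a ProxyServer
# (or an AutoConfigURL) the user never configured is what MBAM reports as
# PUM.Bad.Proxy: browser traffic is silently routed through someone else's proxy.
function Get-ProxySettings {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $s = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        ProxyEnable   = $s.ProxyEnable
        ProxyServer   = $s.ProxyServer
        AutoConfigURL = $s.AutoConfigURL
    }
}

Get-OrphanedRunEntries | Format-Table Key, Value, Missing -AutoSize
Get-ProxySettings | Format-List

# Once an entry is confirmed orphaned, deleting it is the same as "delete" in
# Autoruns; clearing a proxy you did not set yourself looks like this:
#   Remove-ItemProperty -Path $entry.Key -Name $entry.Value
#   Set-ItemProperty    -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name ProxyEnable -Value 0
#   Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name ProxyServer
```

The report lists the key, the value name and the missing file rather than deleting anything, because a Run entry whose target is on a removable drive or a mapped share would also show up here; confirm the path is genuinely gone before removing the value, exactly as you would before clicking delete in Autoruns.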

#6 alittlehelp (Topic Starter)

Posted 24 January 2011 - 02:43 PM

Hello, and thanks Quietman!
Thank you for the clarification on the subject. It has helped tremendously in explaining what is causing the occurrences.
I will jump on the other PC and follow your instructions with Autoruns.

If I get stuck or have further questions - may I continue to post them on this thread?

Thanks again.

#7 boopme (Global Moderator)

Posted 24 January 2011 - 02:58 PM

Yes, you certainly may.

#8 alittlehelp (Topic Starter)

Posted 24 January 2011 - 06:31 PM

Thanks for everything folks!
AutoRuns did the trick. I was also able to clean up a few missing processes as well as stop many unnecessary programs from loading at startup.
There were as many as 57 at one time (now down to 43).

So far the PC seems to be running better already.

Hello boopme :thumbsup: nice of you to pop in!
I'll never forget the great help you provided me dealing with a similar problem back in '09.
Hope all is well.

#9 quietman7 (Global Moderator)

Posted 24 January 2011 - 06:53 PM

You're welcome on behalf of the Bleeping Computer community.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run... and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links:
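The "create a clean restore point, then confirm it is the newest one" step above can also be scripted, which makes it easier to record the sequence number the post tells you to keep a log of. This is an added example for this page, not part of the thread; it assumes Windows PowerShell 2.0 or later run as Administrator, and the description string is an arbitrary label chosen here. Removing the older points is still done through the Disk Cleanup dialog described above (on Vista/7, where restore points are VSS shadow copies, `vssadmin delete shadows /for=C: /oldest` drops them one at a time from the command line; on XP that command does not apply).

```powershell
# Added example, not from the thread. Run as Administrator (PowerShell 2.0+).

# Create a restore point after cleanup and verify it is now the newest one.
# Note: on Vista and later, Checkpoint-Computer silently refuses to create a
# second point within 24 hours of the previous one unless the registry
# frequency limit is changed, so check the result rather than assuming it.
function New-CleanRestorePoint {
    param([string]$Description = 'Clean after malware removal')   # arbitrary label
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS
    $newest = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
    if ($newest -eq $null -or $newest.Description -ne $Description) {
        throw "Restore point '$Description' was not created (newest is: $($newest.Description))"
    }
    return $newest
}

$rp = New-CleanRestorePoint
"Created restore point #{0} '{1}' - note this number in your log" -f $rp.SequenceNumber, $rp.Description

# Everything older than $rp.SequenceNumber is what Disk Cleanup's
# "all but the most recent restore point" option will remove.
Get-ComputerRestorePoint | Sort-Object SequenceNumber |
    Format-Table SequenceNumber, Description, CreationTime -AutoSize
```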