
Trojan removal


6 replies to this topic

#1 Topper54

Topper54

  • Members
  • 4 posts
  • OFFLINE
  • Local time:04:33 PM

Posted 13 July 2012 - 09:18 PM

Virus infected my PC. A rogue trojan started with "File Recovery" popping up to say it detected hard drive errors. I clicked to close it, but that launched the virus, which ran a bogus scan and simulated hard drive problems. Then it told me I had a trial version of their software and prompted me to purchase the software to fix the hard drive.

Ran a scan with Security Essentials; it showed no virus but detected an unknown file that I reported to MS.
Downloaded Malwarebytes and it is now blocking a potentially malicious website 94.102.51.237, type: outgoing, port 49755, process: efcl9uzijdvqkw.exe.
Multiple system error messages pop up. Cannot launch Task Manager to shut down the program. Rebooting does not help. All files are now hidden and inaccessible.

Any help appreciated.


#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:05:33 PM

Posted 13 July 2012 - 09:51 PM

Boot into Safe Mode with Networking

Download

TDSSkiller

Launch it. Click on Change parameters and select TDLFS file system.

Click on "Scan". Please post the LOG report (the log file should be in your C drive).



Download

aswMBR

Launch it and allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on Save log.

Post the log results here

Download

ESET online scanner


Install it

Click on START; it should download the virus definitions.
When the scan gets completed, click on LIST of found threats.

Export the list to desktop and copy the contents of the text file in your reply.

#3 Topper54

Topper54
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:04:33 PM

Posted 14 July 2012 - 12:11 AM

New information: Security Essentials and Malwarebytes missed it. Then I ran a TDSSKiller scan and it came back clean; then I ran Avast and it picked up the Win32:FakeSysdef-NT [Trj] file in 3 different program locations. Now how do I safely remove it and restore all my desktop and file access? I ran an Unhide program that got me half the way there, but a lot of functionality is still hidden. I can find the programs and files through the Search function.

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-13 22:00:07
-----------------------------
22:00:07.193 OS Version: Windows x64 6.1.7601 Service Pack 1
22:00:07.193 Number of processors: 2 586 0x603
22:00:07.193 ComputerName: TOPPERHOMEOFFIC UserName:
22:00:08.566 Initialize success
22:02:28.286 AVAST engine defs: 12071301
22:02:43.574 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000058
22:02:43.574 Disk 0 Vendor: Hitachi_ JP2O Size: 476940MB BusType: 3
22:02:43.605 Disk 0 MBR read successfully
22:02:43.605 Disk 0 MBR scan
22:02:43.621 Disk 0 Windows 7 default MBR code
22:02:43.637 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 12288 MB offset 2048
22:02:43.683 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 25167872
22:02:43.746 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 464550 MB offset 25372672
22:02:43.824 Disk 0 scanning C:\Windows\system32\drivers
22:03:00.736 Service scanning
22:03:50.080 Modules scanning
22:03:50.096 Disk 0 trace - called modules:
22:03:50.127 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor64.sys
22:03:50.142 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80045e7660]
22:03:50.470 3 CLASSPNP.SYS[fffff88001bca43f] -> nt!IofCallDriver -> [0xfffffa800426cb50]
22:03:50.486 5 ACPI.sys[fffff88000f3b7a1] -> nt!IofCallDriver -> \Device\00000058[0xfffffa8004266510]
22:03:51.812 AVAST engine scan C:\Windows
22:03:57.474 AVAST engine scan C:\Windows\system32
22:09:36.527 AVAST engine scan C:\Windows\system32\drivers
22:09:56.408 AVAST engine scan C:\Users\Topper Home Office
22:15:10.873 Disk 0 MBR has been saved successfully to "C:\Users\Topper Home Office\Documents\Computer Virus Scan Logs\MBR.dat"
22:15:10.951 The log file has been saved successfully to "C:\Users\Topper Home Office\Documents\Computer Virus Scan Logs\aswMBR.txt"
22:16:08.332 File: C:\Users\Topper Home Office\AppData\Local\Temp\c2YGg4OY0PEFNd.exe.tmp **INFECTED** Win32:FakeSysdef-NT [Trj]
22:28:47.282 Disk 0 MBR has been saved successfully to "C:\Users\Topper Home Office\Documents\Computer Virus Scan Logs\MBR.dat"
22:28:47.360 The log file has been saved successfully to "C:\Users\Topper Home Office\Documents\Computer Virus Scan Logs\aswMBR.txt"
22:45:28.573 AVAST engine scan C:\ProgramData
22:45:33.508 File: C:\ProgramData\EFCl9UZIjdvQkw.exe **INFECTED** Win32:FakeSysdef-NT [Trj]
22:48:19.293 File: C:\ProgramData\rblHWXUPUUNqIJn.exe **INFECTED** Win32:FakeSysdef-NT [Trj]
22:53:34.311 Scan finished successfully
22:57:40.549 Disk 0 MBR has been saved successfully to "C:\Users\Topper Home Office\Documents\Computer Virus Scan Logs\MBR.dat"
22:57:40.627 The log file has been saved successfully to "C:\Users\Topper Home Office\Documents\Computer Virus Scan Logs\aswMBR.txt"
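For anyone reading this thread later, the aswMBR log above carries the facts a responder wants (boot-sector status, partition layout, flagged files, whether the scan completed) but scattered across timestamped lines. The parser below, an added example that is not from this thread and not code from AVAST or aswMBR, pulls those out of a log in the posted format and groups the detections by directory; the helper names and the constructed sample log are my own.

```python
"""Triage helper for aswMBR scan logs in the format pasted in this thread.

Added example: not part of the thread and not AVAST/aswMBR code. The sample
log is constructed to mirror the posted log's line shapes; function and
class names are my own."""

import ntpath
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample log (same line shapes as the log posted above).
SAMPLE_LOG = r"""aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-13 22:00:07
-----------------------------
22:00:07.193 OS Version: Windows x64 6.1.7601 Service Pack 1
22:02:43.605 Disk 0 MBR read successfully
22:02:43.621 Disk 0 Windows 7 default MBR code
22:02:43.637 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 12288 MB offset 2048
22:02:43.683 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 25167872
22:02:43.746 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 464550 MB offset 25372672
22:03:51.812 AVAST engine scan C:\Windows
22:16:08.332 File: C:\Users\Example\AppData\Local\Temp\c2YGg4OY0PEFNd.exe.tmp **INFECTED** Win32:FakeSysdef-NT [Trj]
22:45:33.508 File: C:\ProgramData\EFCl9UZIjdvQkw.exe **INFECTED** Win32:FakeSysdef-NT [Trj]
22:48:19.293 File: C:\ProgramData\rblHWXUPUUNqIJn.exe **INFECTED** Win32:FakeSysdef-NT [Trj]
22:53:34.311 Scan finished successfully
"""


@dataclass
class Partition:
    number: int
    boot_flag: str      # "80" = bootable in the MBR table, "00" = not
    active: bool        # aswMBR marks the active partition with "(A)"
    type_id: str        # MBR partition type byte, e.g. "07" = NTFS
    description: str
    size_mb: int
    offset: int         # starting sector


@dataclass
class AswMbrReport:
    run_date: Optional[str] = None
    os_version: Optional[str] = None
    mbr_code: Optional[str] = None
    partitions: List[Partition] = field(default_factory=list)
    infected: List[Tuple[str, str]] = field(default_factory=list)  # (path, detection)
    scan_finished: bool = False


_TS = re.compile(r"^\d\d:\d\d:\d\d\.\d+ (.*)$")
_PART = re.compile(r"^Disk \d+ Partition (\d+) ([0-9A-Fa-f]{2}) (\(A\) )?([0-9A-Fa-f]{2}) (.+?) (\d+) MB offset (\d+)$")
_MBR = re.compile(r"^Disk \d+ (.* MBR code)$")
_INFECTED = re.compile(r"^File: (.+?) \*\*INFECTED\*\* (.+)$")


def parse_aswmbr_log(text: str) -> AswMbrReport:
    """Walk the log line by line; lines that match nothing are ignored."""
    rep = AswMbrReport()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Run date: "):
            rep.run_date = line[len("Run date: "):]
            continue
        ts = _TS.match(line)
        if not ts:
            continue  # banner, separator or blank line
        body = ts.group(1)
        if body.startswith("OS Version: "):
            rep.os_version = body[len("OS Version: "):]
            continue
        m = _PART.match(body)
        if m:
            rep.partitions.append(Partition(
                number=int(m.group(1)), boot_flag=m.group(2),
                active=m.group(3) is not None, type_id=m.group(4),
                description=m.group(5), size_mb=int(m.group(6)),
                offset=int(m.group(7))))
            continue
        m = _MBR.match(body)
        if m:
            rep.mbr_code = m.group(1)
            continue
        m = _INFECTED.match(body)
        if m:
            rep.infected.append((m.group(1), m.group(2)))
            continue
        if body == "Scan finished successfully":
            rep.scan_finished = True
    return rep


def mbr_needs_review(rep: AswMbrReport) -> bool:
    """aswMBR reports 'default MBR code' for a standard Windows boot sector.
    Anything else, or no MBR line at all, deserves a closer look before any
    FIXMBR-style repair is considered."""
    return rep.mbr_code is None or "default MBR code" not in rep.mbr_code


def infected_by_directory(rep: AswMbrReport) -> Dict[str, int]:
    """Count flagged files per directory; clusters in ProgramData or Temp are
    the usual drop locations for this kind of rogue and worth re-checking."""
    return dict(Counter(ntpath.dirname(path) for path, _ in rep.infected))


def summary(rep: AswMbrReport) -> List[str]:
    lines = [f"run: {rep.run_date} on {rep.os_version}",
             f"MBR: {rep.mbr_code or 'not reported'}"
             + (" (REVIEW)" if mbr_needs_review(rep) else ""),
             f"partitions: {len(rep.partitions)}, active: "
             + ", ".join(str(p.number) for p in rep.partitions if p.active),
             f"flagged files: {len(rep.infected)}",
             "scan completed" if rep.scan_finished else "scan did NOT finish"]
    lines += [f"  {d}: {n}" for d, n in infected_by_directory(rep).items()]
    return lines


if __name__ == "__main__":
    print("\n".join(summary(parse_aswmbr_log(SAMPLE_LOG))))
```

On the posted log this reports a standard Windows 7 MBR, one active partition and three detections (one in the user's Temp folder, two in ProgramData), with the scan completed; the "REVIEW" flag only appears when the MBR line is missing or reports something other than the default boot code.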

#4 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:05:33 PM

Posted 14 July 2012 - 04:57 AM

ESET log?

I ran an Unhide program that got me half the way there but still a lot of functionality is still hidden. I can find the programs and files through the Search function.


Please explain

#5 Topper54

Topper54
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:04:33 PM

Posted 14 July 2012 - 06:30 AM

I was able to run a system restore to an earlier point to get most programs back on my desktop and some files visible. I am still unable to find or view all movies, pictures and most of my document files, and I am now going to rerun all the system scans you recommended. aswMBR is what found the Win32:FakeSysdef-NT trojan. The other scans (Security Essentials, Malwarebytes, TDSSKiller, ESET) did not.

After running aswMBR it has two boxes: FIXMBR (ACTIVE) and FIX (GREYED OUT, NOT ACTIVE). When I clicked on FIXMBR it gave a warning. Is it safe to run the FIXMBR?

ESET was the last scan I ran, and it picked up 4 versions of the Win32/Toolbar.Zugo application that the other scans missed and deleted the files. Since I did a system restore I will rerun ESET.


System Restore seems to have gotten rid of the Win32:FakeSysdef-NT trojan, as it no longer appears in the aswMBR scan and there are no more incidents, but now I have lost access to all my media files (pictures and videos) as well as most of my document files.

I could go back and undo the system restore and start over. Suggestions?


I LOVE BLEEPING COMPUTERS - I found the Unhide program on Bleeping Computers and it restored access to all my files (at least as far as I can tell for now). Thanks for all your help!!!!

Last aswMBR scan report

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-14 08:04:57
-----------------------------
08:04:57.898 OS Version: Windows x64 6.1.7601 Service Pack 1
08:04:57.898 Number of processors: 2 586 0x603
08:04:57.898 ComputerName: TOPPERHOMEOFFIC UserName:
08:04:59.708 Initialize success
08:05:07.321 AVAST engine defs: 12071301
08:10:13.687 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000059
08:10:13.702 Disk 0 Vendor: Hitachi_ JP2O Size: 476940MB BusType: 3
08:10:13.718 Disk 0 MBR read successfully
08:10:13.718 Disk 0 MBR scan
08:10:13.827 Disk 0 Windows 7 default MBR code
08:10:13.827 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 12288 MB offset 2048
08:10:13.858 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 25167872
08:10:13.889 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 464550 MB offset 25372672
08:10:13.952 Disk 0 scanning C:\Windows\system32\drivers
08:10:27.900 Service scanning
08:11:09.587 Modules scanning
08:11:09.587 Disk 0 trace - called modules:
08:11:09.603 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor64.sys
08:11:09.603 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80045e8060]
08:11:09.946 3 CLASSPNP.SYS[fffff88001bb643f] -> nt!IofCallDriver -> [0xfffffa8004265500]
08:11:09.946 5 ACPI.sys[fffff88000f2f7a1] -> nt!IofCallDriver -> \Device\00000059[0xfffffa8004269060]
08:11:11.022 AVAST engine scan C:\Windows
08:11:15.312 AVAST engine scan C:\Windows\system32
08:16:09.042 AVAST engine scan C:\Windows\system32\drivers
08:16:37.296 AVAST engine scan C:\Users\Topper Home Office
08:46:31.015 AVAST engine scan C:\ProgramData
08:52:31.445 Scan finished successfully
09:00:46.739 The log file has been saved successfully to "C:\Users\Topper Home Office\Documents\Computer Virus Scan Logs\aswMBR.txt"
09:02:23.959 Disk 0 MBR has been saved successfully to "C:\Users\Topper Home Office\Desktop\MBR.dat"
09:02:23.990 The log file has been saved successfully to "C:\Users\Topper Home Office\Desktop\aswMBR.txt"

Edited by Topper54, 14 July 2012 - 10:23 AM.


#6 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:05:33 PM

Posted 14 July 2012 - 01:15 PM

You did not explain any of your issues to me.

I ran an Unhide program that got me half the way there but still a lot of functionality is still hidden. I can find the programs and files through the Search function.


This is your first one

I LOVE BLEEPING COMPUTERS - I found the Unhide program on Bleeping Computers and it restored access to all my files (at least as far as I can tell for now). Thanks for all your help!!!!


You said you ran UNHIDE already??

What are your current issues? Do you still need my help?

Edited by narenxp, 14 July 2012 - 01:30 PM.


#7 Topper54

Topper54
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:04:33 PM

Posted 14 July 2012 - 03:09 PM

No. With your suggestions I was able to find the trojans and delete them. Then, after a system restore and running the Unhide program, everything is now working.

Thank you for your help



