
Trojan horse


This topic is locked
17 replies to this topic

#1 Varmint

Posted 20 October 2012 - 11:00 PM

Well I have got something here that I can't seem to get rid of. Note that I have seen it under some different names: trojan horse.genaricXX.aaym

The XX are numerical and seem to change, and the suffix also seems to change at times. AVG Free seems to catch it but later on it resurfaces. I have used Malwarebytes, AVG, SuperAntiSpyware, TDSSKiller.

This is a drive from a laptop that's infected and had killed the internet connection. When you boot the machine in safe mode it goes to the problem connection screen, like for an internet connection it is looking to make. Of course I pulled the RJ45 cord out and turned off wifi to not allow it to connect. Also when you allow it to boot normally it goes to an FBI screen looking for cash to fix, ya! I'll let it do that, not! I also noticed it seems to have done something to not allow restoring of previous volumes; restore is not listed in the recovery console.


So I am using this universal hard drive controller that connects to machines via USB to look at the drive and try to clean it. I have gotten many things off of it but it seems to resurface. So I was going to start looking at the regedit files and see if there are strange things in there.

Oh one other thing it gives a location of the file e:\system volume information\_restore{8A37A6DC-F617-4F3E-B9EF-5F92F891F47F}\rp121\A0028253.exe

I am guessing that the restore thing means that it's residing in one of the restore point images of the computer, and also that long # I am guessing is the serial # of the copy of Windows XP Pro that I have, and lastly the A00282253.exe is the main culprit.

So that is about it. I'm giving some thought to blasting the drive and starting all over if this cannot be fixed. Sure wish there was a program that would address this. I don't run any virus software on my machine actively; maybe I should use this AVG on mine when planning on venturing out into untrusted sites.

My machine: Gigabyte MB, Windows XP Pro SP2, .....

Thanks for any pointers fellas

Paul aka varmint


#2 thisisu

Posted 20 October 2012 - 11:34 PM

Hello Paul :)

  • I will be helping with your computer problems.
  • From this point on, it is very important that you refrain from doing anything else to your computer other than what I have requested of you.
  • I do not mind if you browse the web, do basic tasks, or even test to see if the problem(s) you are experiencing are still occurring with the computer while we are working together, but do not run any tools/fixes unless I or another helper from this thread has asked you to do so.
  • Remember that you came here for help, so allow us to help you :)
  • If something does not run, make a detailed note of what problems you encountered along the way (exact error messages are preferred), but continue onto the next steps until you reach the end of my post.
  • Always do the steps in the order they are listed in (left to right, top to bottom).
  • I prefer that you complete all the steps while you are in Normal Mode. However, I understand that sometimes this is not possible. If you are unsuccessful in getting a tool/fix to run from Normal Mode, but Safe Mode works, then use Safe Mode.
  • If you have a question about something, do not hesitate to ask.

Let's begin:

Please perform the following scan:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 Varmint (Topic Starter)

Posted 21 October 2012 - 02:27 PM

hmmm I thought you guys were ignoring me. Glad you're not.

I'll get the program as you requested and try to run it. Just a reminder, the laptop boots only to the error screen, so I am using a hard drive controller with a USB hookup to run things on the laptop's HD. I don't know if that affects how the program runs; I guess I'll find out in a minute.

PS: is there something I should check in my settings for mbc/forms that will notify me that someone has replied to my post(s)??

Oh and the most important thing: thanks! It's awesome to have a place to turn when things go awry.

#4 Varmint (Topic Starter)

Posted 21 October 2012 - 03:29 PM

Just to clarify this:

"Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. "

I am using a clean computer to connect to the hard drive that has an issue. I get unplugging from the internet. I worry about infecting this machine if I turn off AVG on her system. Remember, I am using another computer to run the infected drive via USB hookup. Or I guess another question is: have I already infected her machine? AVG does seem to catch things from time to time; that is how I got the name of the trojan.

#5 thisisu

Posted 21 October 2012 - 03:40 PM

"hmmm I thought you guys were ignoring me. Glad you're not."

I responded to your previous thread some time ago so we were not ignoring you ;) : http://www.bleepingcomputer.com/forums/topic470470.html/page__pid__2874438#entry2874438

"I'll get the program as you requested and try run it. Just a reminder, the laptop boots only to the error screen so I am using a hard drive controller with a usb hookup to run thing on the latop's hd. I don't know if that effects how the program runs, I guess I'll find out in a minute."

Acknowledged.

Before we continue, what is the current state of the hard drive in question? Can you reinsert it back into its original computer casing and attempt to boot? Let me know what error messages / screens appear.

#6 Varmint (Topic Starter)

Posted 22 October 2012 - 12:52 AM

OK.

In the meantime I believe I have located the culprit's main file and associated folder of GIF and PNG files. Note that the PNGs and GIFs are pics of the FBI warning message, MoneyPak, all the different parts of the MoneyPak warning message, etc.

The files are located in c:\doc and set\all users\app data and also in the same for \paul etc.

The main file is beviypclqozmcfo and the associated folder located just above this file with the GIF and PNG files is ymrlryegudaftug - maybe this will mean something to you, maybe not.


Just for kicks I tried to shred beviypclqozmcfo with Data Nuker's Zilla Shred and it would not allow me access. It stated that Windows is currently using this file.

There are also several other files that were created at the same time or within a minute that reside in different sections of xx:\doc & set\ (either all users or paul \ app data) that are part of this problem as well:


asl.033908_17Oct12
asl.033655_17Oct12
com.jeroenwijering.sol
avgwd.log.3

I was looking into the beviypclqozmcfo file's properties. I noticed an area that seems to allow for changing what not only users can do but also files. I did see that there was a selection to check to not allow the files to execute, write to, etc. Maybe that is what these different virus tools do, then wipe them out. I'm thinking I might be able to disrupt the trojan's file or program enough to allow me to boot the machine and load virus-attacking software. I suppose that is what these different anti-virus programs do, just automatically.

I guess the other thing is that this seems to be a Windows 7 feature as I don't ever remember seeing it in XP, so I'm not so sure that XP Pro would recognize that function. Here again I think you'd know more about that as well.

OK, well, enough of that. I'll place the HD into the laptop in the morning and let you know what I get. Since cut and paste or email will not be an option I was thinking of taking a pic with my Galaxy SII so you can see for yourself what I am seeing.

thanks again

Edited by Varmint, 22 October 2012 - 12:57 AM.


#7 Varmint (Topic Starter)

Posted 23 October 2012 - 05:10 PM

OK, well this is new. Inserted the drive and booted.

It went to the main screen then just hung there with my background pic but no icons. After several minutes I powered down.

In safe mode it did the same thing.

Logon screen, then loaded drivers, then went to a black screen with large type top and bottom and just hung there, no icons.

So I powered down and typed this out.

V

#8 thisisu

Posted 23 October 2012 - 05:27 PM

There are probably some registry hijacks that we need to correct first.

Follow these instructions for creating and using a bootable CD with Kaspersky WindowsUnlocker: http://support.kaspersky.com/faq/?qid=208285998

#9 Varmint (Topic Starter)

Posted 23 October 2012 - 05:45 PM

OK, I'm on it right now - will post when I'm ready.

#10 Varmint (Topic Starter)

Posted 23 October 2012 - 07:49 PM

OK, downloaded the program and burned it to CD using Windows.

I reinstalled the HD into the laptop.
BIOS was already set to load CD-ROM 1st.

Turned on the machine; it looked to the CD and started running, then switched to the HD.

So in effect it will not run.

It loads to the Windows XP recovery console and the other option.

I thought I messed up the recording of the CD so I did it in Windows and in Power2Go CD burning software; no difference.

I also made a bootable CD which loaded but then could not execute the program.

Update: by turning off the HD it forced it to look at the CD. Still cannot get the program to load.

Edited by Varmint, 23 October 2012 - 08:13 PM.


#11 thisisu

Posted 24 October 2012 - 02:21 AM

It is hard to understand your posts but I think I got the gist of it. Please try to go into more detail next time :)

"update by turning off hd it forced it to look at cd. still cannot get program to load"

Trying to understand this correctly... You were able to boot from CD? But then couldn't get the WindowsUnlocker part to work? Is that correct? Please rephrase.

Do you know which speed you burned the CD at? examples: 4x, 8x, 16x
I recommend burning at the slowest speed available.

#12 Varmint (Topic Starter)

Posted 25 October 2012 - 07:39 PM

The CD was burned quickly; I thought I saw 48x - whatever the program defaulted to.

1. I just burned the CD, then put it into the laptop and turned on the laptop. My CMOS is already set to load from CD 1st. The CD drive light came on and you could hear the head moving like it was reading. Meantime the screen was black except for 1 underline character in the top left flashing. It just continued this for several minutes, so after 3-4 minutes I thought it was not going to load. I stopped the machine and tried again, same issue.

2. I then thought that maybe I need to make a bootable CD and then try to manually run the program. That was not successful. The machine booted to the prompt, allowed me to change drives to the CD, but I could not get the Kaspry program to execute by typing in the file name.

So that is where I am. I don't know how long it takes for the program to load. Should it take over 3 mins before you'd see the green screen like at their web site? Should I have waited longer? The drive head of the CD drive was moving. I just figured I'd have seen something before 3-4 minutes.

3. I will try again to boot directly from CD and just let it go for 5-10 minutes if it wants to and see what happens.

4. I will re-burn the CD at the slowest speed available and repeat my actions above.

5. I did have virus software running when I downloaded and burned the CD; should I have turned it off 1st? I will burn a CD like that as well, slowest speed, no active virus software, then see if it works in the laptop.


thanks,

#13 Varmint (Topic Starter)

Posted 26 October 2012 - 07:42 PM

OK, I took your advice and re-downloaded Kaspry and burned it at the slowest speed, 4x. I loaded it into the laptop and it works. I ran it through and it found 6 items, so when it finished I decided to run it again. It's still in the process of running the second go-around.

I will advise when done.

#14 Varmint (Topic Starter)

Posted 26 October 2012 - 10:12 PM

The K program found several instances of the HEUR virus exploit script G, which it was able to quarantine.

I loaded the program and rebooted the laptop. It loads to the users screen; I signed in. It then continues to load and then gets to the point where the icons should be showing up on the screen and it just sits there with the background pic on screen. Essentially the same thing that was there before running the K program.

#15 thisisu

Posted 26 October 2012 - 10:15 PM

Let me know what happens when you try the below:

Press and hold CTRL, then press and hold SHIFT, and then press Esc. Now let go of CTRL and SHIFT.
This should launch Task Manager (let me know if it did not, otherwise, continue below)
From the top menu, select File => New Task (Run...)
In the Create New Task window, type in explorer and press OK
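Added example, not part of this thread: thisisu mentions registry hijacks and has the OP start explorer by hand, which is the symptom of the Winlogon Shell or Userinit value no longer pointing at the real desktop shell. The PowerShell below runs from an elevated prompt on the clean machine with the infected XP drive attached over the USB adapter as E: (both the drive letter and the XP system root are assumptions), loads the offline SOFTWARE hive, compares those two values against the XP defaults, and lists HKLM Run entries that launch from an Application Data folder like the one where the OP found beviypclqozmcfo.

```powershell
# Added example (not from the thread). Assumptions: infected XP drive is E:,
# Windows is in E:\WINDOWS, and this runs from an elevated prompt on the clean PC.
$OfflineWindows = 'E:\WINDOWS'
$HiveFile       = Join-Path $OfflineWindows 'system32\config\software'
$RegMount       = 'HKLM\OfflineSoftware'                         # name used by reg.exe
$PsMount        = 'Registry::HKEY_LOCAL_MACHINE\OfflineSoftware' # same key via the PS provider

# XP defaults. Userinit legitimately ends with a comma; the hive records the
# path as the infected OS sees itself (C:\), not as the clean PC mounts it (E:\).
$Expected = @{
    Shell    = 'Explorer.exe'
    Userinit = 'C:\WINDOWS\system32\userinit.exe,'
}

function Test-OfflineWinlogon {
    param([string]$HivePath, [string]$RegName, [string]$PsPath, [hashtable]$Defaults)

    reg.exe load $RegName $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load hive $HivePath (is the prompt elevated?)" }
    try {
        $winlogon = Get-ItemProperty -Path "$PsPath\Microsoft\Windows NT\CurrentVersion\Winlogon"
        foreach ($name in $Defaults.Keys) {
            $actual = $winlogon.$name
            # -eq is case-insensitive in PowerShell, so casing differences are not flagged
            [pscustomobject]@{
                Check  = "Winlogon\$name"
                Value  = $actual
                Status = if ($actual -eq $Defaults[$name]) { 'ok' } else { 'SUSPICIOUS: not the XP default' }
            }
        }

        # Run entries that start a program out of a user profile's Application Data
        # folder are worth a look; legitimate XP software rarely autostarts from there.
        $runKey = Get-Item -Path "$PsPath\Microsoft\Windows\CurrentVersion\Run"
        foreach ($entry in $runKey.GetValueNames()) {
            $cmd = $runKey.GetValue($entry)
            [pscustomobject]@{
                Check  = "Run\$entry"
                Value  = $cmd
                Status = if ($cmd -match 'Application Data') { 'REVIEW: autostart from profile folder' } else { 'ok' }
            }
        }
    }
    finally {
        reg.exe unload $RegName | Out-Null   # always release the hive, even on error
    }
}

Test-OfflineWinlogon -HivePath $HiveFile -RegName $RegMount -PsPath $PsMount -Defaults $Expected |
    Format-Table -AutoSize -Wrap
```

The per-user hive (E:\Documents and Settings\<user>\NTUSER.DAT) has its own Winlogon and Run keys and can be loaded the same way; a flagged value is something to record and report in the thread, not to edit by hand while a helper is walking through fixes.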



