Anyone up for the challenge? Dropper hiding very well!


1 reply to this topic

#1 d-One


Posted 24 February 2013 - 07:58 AM

Hi guys! I need help please!

 

XP SP3, running Avast (free) and MS Security Essentials


I have been working on a friend's computer for about two weeks now. Mostly on weekends and some evenings by remote.

 

I have thrown every scanner I can think of at this problem and this bugger is still hiding in the system.

The reason I know something is in there still is because MS Security Essentials is catching Medfos being saved to disk. When I first got involved, it was Sirefef. The user cleaned out the quarantine so I am just going by memory.

 

This all started with an email supposedly from "Fed Ex" with PostalReceipt.zip attachment with an EXE inside. The user runs a business and fell for it.

 

When I first started working on it, Malwarebytes, running in Safe Mode, found and removed a bunch of stuff. Yet the source of infection remained. I then ran the Avast Boot Time Scan and it found something too. Once removed, the system would no longer boot up.

I did a repair on Windows XP and reinstalled SP3 and updates.

 

Other tools I have used:

Bitdefender
ESET
Ad-Aware
Spybot S&D
OTL
Kaspersky
RootkitReveal
SuperAntiSpyware
SOPHOS
F-Secure
GMER
And many others ....

 

 

Malware that has been removed : (incomplete list from various logs)

- PriceGong and other toolbars were present

- c:\windows\temp\tmp00003c7f\tmp000747a1    Gen:Variant.Dropper.71

- Firefox - extensions\{d2778c92-4cf3-4be4-9766-af709012a2a5}.xpi

- Removed older version of Java and RealPlayer because of questionable files that were flagged.

- Registry Values Detected: 1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|orkwer (Trojan.Agent) -> Data: rundll32.exe "C:\Documents and Settings\USER\Application Data\orkwer.dll",GetDatabaseInfo -> Quarantined and deleted successfully.
- C:\Documents and Settings\All Users\Application Data\0054436FCA56E1D4000000544321E835\0054436FCA56E1D4000000544321E835.exe (Malware.Packer.SGX1) -> Quarantined and deleted successfully.
- C:\Documents and Settings\USER\Local Settings\Application Data\eusisrrx.exe (Trojan.Downloader.FW) -> Quarantined and deleted successfully.
- C:\System Volume Information\_restore{6A3A159F-3F76-4D10-B7CF-03634DE44509}\RP933\A1140939.exe (Malware.Packer.SGX1) -> Quarantined and deleted successfully.
- C:\Documents and Settings\USER\desktop\Disk Antivirus Professional.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
- Keep finding trojans in Temp folder and System Restore.

 

 

 

Did some research and found this article that seemed similar to what I was finding:

http://blog.mxlab.eu/2012/12/04/url-in-image-based-fedex-emails-downloads-postal-receipt-zip-trojan/

 

 

Appears to be a variant of Kuluoz Trojan. Avast reports it as Win32:Dropper-Gen

I can't find the article, but one anti-virus website mentioned that this trojan was hiding using a method I had never heard of before, and it was not a rootkit.

 

 

Any takers?
Where would you like me to start?

(I request patience because I may not have access to the computer for some days).

 

 

Peace and Blessings
d-One
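As an added triage example (not part of the original post or of any of the tools named in it), the Python below parses constructed log lines modelled on the Malwarebytes entries quoted above and tags what each artifact implies for cleanup: the Run-key value that uses rundll32 to load a DLL from a user-writable profile path, payloads in profile or temp folders, the restore-point copy that keeps reinfecting until System Restore is flushed, and the rogue-AV lure. The regexes, path markers and tag names are assumptions of this example.

```python
import re

# Constructed sample, modelled on the Malwarebytes lines quoted in the post above.
SAMPLE_LOG = r'''
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|orkwer (Trojan.Agent) -> Data: rundll32.exe "C:\Documents and Settings\USER\Application Data\orkwer.dll",GetDatabaseInfo -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Local Settings\Application Data\eusisrrx.exe (Trojan.Downloader.FW) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6A3A159F-3F76-4D10-B7CF-03634DE44509}\RP933\A1140939.exe (Malware.Packer.SGX1) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\desktop\Disk Antivirus Professional.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
'''

# One detection line: <target> (<detection>) [-> Data: <data>] -> <action>
ENTRY_RE = re.compile(r'^(?P<target>.+?) \((?P<detection>[^)]+)\)'
                      r'(?: -> Data: (?P<data>.+?))? -> (?P<action>.+)$')
# Loader shape seen in the Run value above: rundll32.exe "<dll>",<export>
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\w+)', re.I)
# Assumed markers for XP locations a limited user can write to without admin rights
USER_WRITABLE = ('documents and settings', 'application data', 'local settings', '\\temp\\')


def parse_log(text):
    """Parse detection lines into dicts; lines that do not match are skipped."""
    matches = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def in_user_writable(path):
    """True if the path sits in a profile or temp location writable without admin rights."""
    return any(marker in path.lower() for marker in USER_WRITABLE)


def triage(entry):
    """Return triage tags saying what this artifact implies for cleanup."""
    tags = []
    target, data = entry['target'], entry.get('data') or ''
    low = target.lower()
    if target.upper().startswith(('HKLM', 'HKCU')) and '\\run|' in low:
        tags.append('persistence:run-key')            # autostart value, survives reboot
        m = RUNDLL_RE.search(data)
        if m:
            tags.append('loader:rundll32 export=' + m.group('export'))
            if in_user_writable(m.group('dll')):
                tags.append('dll-in-user-writable-path')
    elif 'system volume information' in low:
        tags.append('restore-point-copy')             # reinfects until System Restore is flushed
    elif in_user_writable(target):
        tags.append('payload-in-user-writable-path')
    if 'fakeav' in entry['detection'].lower():
        tags.append('rogue-av')                       # the "Disk Antivirus Professional" lure
    return tags


def triage_log(text):
    return {e['target']: triage(e) for e in parse_log(text)}
```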




#2 Broni


Posted 24 February 2013 - 01:21 PM

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

