
zero-access, back door trojan


This topic is locked.
6 replies to this topic

#1 PSUEDOPARIAH

PSUEDOPARIAH

  • Members
  • 5 posts
  • OFFLINE
  • Gender:Male
  • Location:GEORGIA
  • Local time:10:41 AM

Posted 15 May 2014 - 03:15 PM

Here are the requested DDS logs.

I ran the UVK repair program the same day as I first posted. This system is seemingly running OK, but I am still getting infections such as the Q-one hijacker showing up in my registry even after deleting it the day before. Every time I get one infection out of the way, within a couple of days symptoms return, or I end up with another infection.

Is my computer being left vulnerable because of the previous "BACK DOOR" Trojan?

Attached File: AttachDDS.zip (3.61KB)
Attached File: dds (2).zip (5.53KB)

Edited by PSUEDOPARIAH, 15 May 2014 - 03:22 PM.


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:41 PM

Posted 16 May 2014 - 04:45 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

HijackThis is not the preferred initial scanning tool in this forum. With today's malware, a more comprehensive set of logs is required to determine the presence of malware.

Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)
 
  • Run FRST.
  • Don't change any of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Post the FRST.txt and (after the first scan only!) the Addition.txt.

Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

Download TDSSKiller.zip and extract to your desktop
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan.
  • If Malicious objects are found, do NOT select Copy to quarantine. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt



Please attach this file to your next reply.


Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 PSUEDOPARIAH

PSUEDOPARIAH
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Gender:Male
  • Location:GEORGIA
  • Local time:10:41 AM

Posted 19 May 2014 - 07:28 AM

I would like to thank you in advance for reviewing this issue I'm having. I had a little trouble running the FRST program, as it did not allow me the option to run from the desktop, and I was somewhat confused about the instruction to NOT check any boxes; however, the Addition text box was not checked, therefore the first scan did not include that text. I ran a second with the Addition text box checked, and in the confusion I again failed to run it from the desktop.

Is this going to be OK? Or will I need to run it another time correctly? Sorry for the confusion. Hopefully no damage was done and you will still be willing and able to continue the process. Here are the logs for the programs you requested. Thanks again.

Attached File: FRST_19-05-2014_07-05-33.txt (92.67KB)
Attached File: Addition.txt (40KB)
Attached File: TDSSKiller.3.0.0.34_19.05.2014_07.47.48_log.txt (193.03KB)

#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:41 PM

Posted 20 May 2014 - 02:35 AM

Fix with FRST (normal mode)

WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • Download the attached fixlist.txt and save it to the location where FRST is saved to.
  • Run FRST.exe (on 64bit, run FRST64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

Full System Scan with Malwarebytes Antimalware

  • If not already installed, please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mb3-setup-1878.1878-3.3.1.2183.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:

    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.

  • Click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.


  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

Attached File: fixlist.txt


#5 PSUEDOPARIAH

PSUEDOPARIAH
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Gender:Male
  • Location:GEORGIA
  • Local time:10:41 AM

Posted 25 May 2014 - 08:29 PM

Here are the logs for the FIXLIST AND MBAM... NOTE HOW FAR APART THE DATES ARE FROM ONE TO THE OTHER.
Sorry that it has taken me so long to post this reply. Every time I log on to this computer it's all-out war to run any program or even just navigate from one place to another! I think I should post this while I can, and I will come back in another reply to try and give more details. Thank you... BRB

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 17-05-2014
Ran by GUNNER at 2014-05-21 14:16:30 Run:1
Running from C:\Users\GUNNER\Downloads
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - %SystemRoot%\system32\wpdshserviceobj.dll (Microsoft Corporation)
SSODL-x32: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - %SystemRoot%\system32\wpdshserviceobj.dll (Microsoft Corporation)
GroupPolicyUsers\S-1-5-21-1454728421-1440554680-1665500888-1004\User: Group Policy restriction detected <======= ATTENTION
URLSearchHook: HKLM-x32 - (No Name) - {7e8a1050-cf67-4575-92df-dcc60e7d952d} - No File
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKLM-x32 - {41BC63D8-E830-4D82-AB6A-4B32E983C996} URL = ${SEARCH_URL}{searchTerms}
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: No Name - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -  No File
BHO: No Name - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -  No File
BHO: No Name - {B4F3A835-0E21-4959-BA22-42B3008E02FF} -  No File
BHO: No Name - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -  No File
BHO: No Name - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -  No File
Toolbar: HKLM - No Name - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} -  No File
Toolbar: HKLM - No Name - {8dcb7100-df86-4384-8842-8fa844297b3f} -  No File
Toolbar: HKLM-x32 - No Name - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} -  No File
Toolbar: HKLM-x32 - No Name - {7e8a1050-cf67-4575-92df-dcc60e7d952d} -  No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
 
U2 TMAgent;
 
C:\Users\GUNNER\boot.1f727e29c1ebab324e2c57a9871f946c000c7da5.js
C:\Users\GUNNER\ga.js
C:\Users\GUNNER\init.3f4b47814ed98ff8034481c15ee07df165dc1c08.js
C:\Users\GUNNER\timeline.d82a4e1cba6bfcde8b82daef286f1a12ccf6fc1d.js
 
%SystemRoot%\system32\wpdshserviceobj.dll
*****************
 
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WPDShServiceObj => Unable to delete value
 
"HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
 
Listing permissions failed. Access Denied.
HKLM\Software\Classes\CLSID\{AAA288BA-9A4C-45B0-95D7-94D524869DB5} => Error deleting key
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WPDShServiceObj => Unable to delete value
 
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
 
Listing permissions failed. Access Denied.
HKLM\Software\Wow6432Node\Classes\CLSID\{AAA288BA-9A4C-45B0-95D7-94D524869DB5} => Error deleting key
C:\Windows\system32\GroupPolicyUsers\S-1-5-21-1454728421-1440554680-1665500888-1004\User => Moved successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\URLSearchHooks\\{7e8a1050-cf67-4575-92df-dcc60e7d952d} => Unable to delete value
 
"HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\URLSearchHooks"
 
Listing permissions failed. Access Denied.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Error setting value.
 
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes"
 
Listing permissions failed. Access Denied.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{41BC63D8-E830-4D82-AB6A-4B32E983C996} => Unable to delete key
HKCR\Wow6432Node\CLSID\{41BC63D8-E830-4D82-AB6A-4B32E983C996} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} => Unable to delete key
HKCR\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF} => Unable to delete key
HKCR\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} => Unable to delete key
HKCR\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} => Unable to delete key
HKCR\CLSID\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2ce3e00-f94a-4740-988e-03dc2f38c34f} => Unable to delete key
HKCR\CLSID\{d2ce3e00-f94a-4740-988e-03dc2f38c34f} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} => Unable to delete value
 
"HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar"
 
Listing permissions failed. Access Denied.
HKCR\CLSID\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{8dcb7100-df86-4384-8842-8fa844297b3f} => Unable to delete value
 
"HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar"
 
Listing permissions failed. Access Denied.
HKCR\CLSID\{8dcb7100-df86-4384-8842-8fa844297b3f} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} => Unable to delete value
 
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar"
 
Listing permissions failed. Access Denied.
HKCR\Wow6432Node\CLSID\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{7e8a1050-cf67-4575-92df-dcc60e7d952d} => Unable to delete value
 
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar"
 
Listing permissions failed. Access Denied.
HKCR\Wow6432Node\CLSID\{7e8a1050-cf67-4575-92df-dcc60e7d952d} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Value deleted successfully.
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Key not found.
TMAgent => Error deleting Service
C:\Users\GUNNER\boot.1f727e29c1ebab324e2c57a9871f946c000c7da5.js => Moved successfully.
C:\Users\GUNNER\ga.js => Moved successfully.
C:\Users\GUNNER\init.3f4b47814ed98ff8034481c15ee07df165dc1c08.js => Moved successfully.
C:\Users\GUNNER\timeline.d82a4e1cba6bfcde8b82daef286f1a12ccf6fc1d.js => Moved successfully.
 
 
The system needed a reboot. 
 

==== End of Fixlog ====

Malwarebytes Anti-Malware

www.malwarebytes.org
 
Scan Date: 5/24/2014
Scan Time: 7:27:57 PM
Logfile: 
Administrator: No
 
Version: 2.00.2.1012
Malware Database: v2014.05.24.05
Rootkit Database: v2014.05.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: GUNNER
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 316928
Time Elapsed: 20 min, 54 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 4
PUP.Optional.SweetPacks.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\{7e8a1050-cf67-4575-92df-dcc60e7d952d}, , [36ff01544d2e7eb837bbef3b6f93837d], 
PUP.Optional.SweetPacks.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\TOOLBAR|{7E8A1050-CF67-4575-92DF-DCC60E7D952D}, SweetPacks Toolbar, , [36ff01544d2e7eb837bbef3b6f93837d]
PUP.Optional.SweetPacks.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\URLSEARCHHOOKS|{7E8A1050-CF67-4575-92DF-DCC60E7D952D}, , [36ff01544d2e7eb837bbef3b6f93837d], 
PUP.Optional.SweetPacks.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\URLSEARCHHOOKS\{7e8a1050-cf67-4575-92df-dcc60e7d952d}, , [7abbff56700b013514de6fbb07fbd030], 
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 10
Trojan.Agent, c:\csrss.exe, Quarantined, [b77e78dd483335019fa72fb614ee46ba], 
Trojan.Agent, c:\ctfmon.exe, Quarantined, [f83ddd780e6d11254ff86085d9292cd4], 
Trojan.Agent, c:\lsass.exe, Quarantined, [1223fa5b95e6bb7bc2a16a7df012a759], 
Trojan.Agent, c:\msconfig.exe, Quarantined, [9e97d283314a5bdba01fdb0ce02251af], 
Trojan.Agent, c:\services.exe, Quarantined, [e055e96cff7c0e28f2fef1f74fb39b65], 
Trojan.Agent, c:\smss.exe, Quarantined, [21148ec7cead3105aa59c6233cc605fb], 
Trojan.Agent, c:\systeminfo.exe, Quarantined, [95a01a3b9cdf6ec896a37f6a47bb718f], 
Trojan.Agent, c:\usp10.dll, Quarantined, [cb6a58fd4239fd3991166287e71b14ec], 
Trojan.Agent, c:\winlogon.exe, Quarantined, [6dc8d3828bf061d558a1ce1b39c937c9], 
Trojan.Agent, c:\winrs.exe, Quarantined, [85b01441730857dfdb9819a2a65c9769], 
 
Physical Sectors: 0
(No malicious items detected)
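Read together, the two logs above explain why the machine keeps relapsing: nearly every registry entry the FRST fix targeted came back "Unable to delete" followed by "Listing permissions failed. Access Denied.", so the fix never took, and the second MBAM scan quarantined files carrying the names of core Windows binaries (csrss.exe, lsass.exe, winlogon.exe, ...) in the root of C:, where the genuine copies never live. The Python below is an added triage example, not part of this thread or of FRST/Malwarebytes: it parses both log formats and flags those two conditions, using sample lines constructed from the logs above (the last MBAM line is made up as a negative case) and a system-binary name list that is my own.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the FRST Fixlog and the Malwarebytes log posted in
# this thread (not the complete logs); the last MBAM line is made up as a negative case.
FIXLOG = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WPDShServiceObj => Unable to delete value
Listing permissions failed. Access Denied.
HKLM\Software\Classes\CLSID\{AAA288BA-9A4C-45B0-95D7-94D524869DB5} => Error deleting key
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
TMAgent => Error deleting Service
C:\Users\GUNNER\ga.js => Moved successfully.
"""
MBAM_LOG = r"""
PUP.Optional.SweetPacks.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\TOOLBAR|{7E8A1050-CF67-4575-92DF-DCC60E7D952D}, SweetPacks Toolbar, , [36ff01544d2e7eb837bbef3b6f93837d]
Trojan.Agent, c:\csrss.exe, Quarantined, [b77e78dd483335019fa72fb614ee46ba], 
Trojan.Agent, c:\lsass.exe, Quarantined, [1223fa5b95e6bb7bc2a16a7df012a759], 
Trojan.Agent, c:\windows\system32\smss.exe, Quarantined, [00000000000000000000000000000000], 
"""
# Core Windows binaries that belong under %SystemRoot%\System32 or SysWOW64 (my own list;
# usp10.dll is left out because applications legitimately ship private copies of it).
SYSTEM_BINARIES = {"csrss.exe", "lsass.exe", "smss.exe", "services.exe", "winlogon.exe",
                   "ctfmon.exe", "msconfig.exe", "winrs.exe", "systeminfo.exe"}
FAILURE_MARKERS = ("Unable to", "Error ", "failed")
MBAM_ID = re.compile(r"\[[0-9a-f]+\]")

def parse_fixlog(text):
    """Sort FRST 'target => result' lines into what the fix did and did not manage."""
    report = {"failed": [], "succeeded": [], "not_found": [], "access_denied": 0}
    for line in map(str.strip, text.splitlines()):
        if "=>" in line:
            target, result = (s.strip() for s in line.rsplit("=>", 1))
            if any(marker in result for marker in FAILURE_MARKERS):
                report["failed"].append(target)
            elif "not found" in result:
                report["not_found"].append(target)
            else:
                report["succeeded"].append(target)
        elif "Access Denied" in line:  # bare permission error printed after a failed delete
            report["access_denied"] += 1
    return report

def parse_mbam(text):
    """Pull name, path and action out of MBAM detection lines (bracketed hex is MBAM's id)."""
    hits = []
    for line in text.splitlines():
        m = MBAM_ID.search(line)
        if m:  # lines without an id are headers or summaries, not detections
            fields = [f.strip() for f in line[:m.start()].split(",")]
            # Layout seen in the log: category, path, [data,] action, [id]; the field just
            # before the id is the action, blank when MBAM only reported the item.
            hits.append({"name": fields[0], "path": fields[1], "action": fields[-2]})
    return hits

def masquerading_system_files(hits):
    """Flag detections named like a core system binary but located outside System32/SysWOW64."""
    return [h["path"] for h in hits
            if PureWindowsPath(h["path"]).name.lower() in SYSTEM_BINARIES
            and PureWindowsPath(h["path"]).parent.name.lower() not in ("system32", "syswow64")]
```

A fix report with several failed entries and access-denied errors means the targeted keys were never removed; the responder needs to address the key permissions before re-running the fix rather than repeating the scan.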
 
 
 

 



#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:41 PM

Posted 26 May 2014 - 08:05 AM

Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.



#7 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:41 PM

Posted 10 June 2014 - 06:36 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



