TechSpot

Antivirus 2009 Recurring Trojan Horses Problems

By faisalmajeed
Nov 16, 2008
  1. Problem: Got attacked with Antivirus 2009

    Attempts: Have followed the 8 steps

    Accomplished: Recovered Task Manager and regedit and deleted (I believe) brastek, antivirus 2009

    Issues Pending: Every time I rescan for malware I see trojan horses and sorts, can't get mbam to run with its current name, still have to change it to mwam or something. Computer restarts after scan and all Trojans are there. Some software is not working. Internet only works for website names that are typed and if I click on a Google searched website it takes me to some other links. Please HELP!!!! Log files are attached
     
  2. mflynn

    mflynn TS Rookie Posts: 2,655

    OK faisalmajeed

    Good start.

    So I understand you have run mbam more than once and this is the last log?

    If so switch to SAS and rename it and run post logs.

    Mike
     
  3. mflynn

    mflynn TS Rookie Posts: 2,655

    faisalmajeed

    Did you get the attachment to download, unzip and run?

    Mike
     
  4. faisalmajeed

    faisalmajeed TS Rookie Topic Starter Posts: 22

    No, it's still not working. I have used my laptop and other computer as well but it's still not unzipping. It says it's corrupted. And yes, I did save it on desktop..
    I am running SAS right now. Will post the log soon.
    Can you tell me what to remove from the HijackThis log

    Hello Mike,

    Attached is SAS Log file

    I am not certain if it detected all the things, as I ran it after I ran mwam.

    Do you guys see anything suspicious in HijackThis log?

    Thank you for all your help.
     
  5. mflynn

    mflynn TS Rookie Posts: 2,655

    OK faisalmajeed

    I was waiting to see what SAS cleared for us but.....

    Run HJT, Scan only, select and remove the below. Some of these are harmless and will return when needed but for clarity remove all.

    O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdliy.exe] C:\WINDOWS\system32\kdliy.exe
    O4 - HKLM\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\Friends\LOCALS~1\Temp\winlogin.exe
    O15 - Trusted Zone: http://www.facebook.com
    O15 - Trusted Zone: *.facebook.com
    O15 - Trusted Zone: http://www.freewebs.com
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: efcBsRih - efcBsRih.dll (file missing)
    O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
    O23 - Service: SIMUL8 Parallel Processor (SIMUL8Parallel) - Unknown owner - C:\Program Files\SIMUL8\SIMUL8_ParallelSVC.exe (file missing)
    O23 - Service: sugo3 Status Monitor Service (SM_sugo3_FUService) - Unknown owner - C:\Program.exe (file missing)

    Mike
     
  6. faisalmajeed

    faisalmajeed TS Rookie Topic Starter Posts: 22

    I have deleted the HijackThis entries you pointed out, still no luck, same issues. Did a quick mwam scan. Returned 4 Trojan agent viruses from memory and file.
    I am also attaching the HijackThis log.
    On another note I have run CCleaner multiple times and have fixed issues with it as well...
    Another thing, I don't think my Java is working, but I have followed the eight steps and downloaded new Java, but Java websites just don't seem to work.
    If I don't type the website address and click on a link it takes me to weird websites.

    This is a tough one, please help

    While cleaning up this stuff I had also seen SurfLite Toolbar related stuff, is there some of that virus left in here? I am not even sure if I have the original AV 2009 left in my system any more.... Please Help

    Please can anyone tell me what I am dealing with and how to go about fixing it. These trojans keep on reappearing in temp files and windows system32 drivers??
     

  7. mflynn

    mflynn TS Rookie Posts: 2,655

    HI faisalmajeed

    Been out to Dinner.

    OK you need to reboot for mbam to finish its cleanup, it should have prompted you to do so.

    I can tell you did not as the cleanup script is still in your HJT file. You must reboot, then you will see those gone. When you run again it may find different ones or be clean.

    I suggest that you reboot once and rerun again.

    Mike
     
  8. faisalmajeed

    faisalmajeed TS Rookie Topic Starter Posts: 22

    Hi Mike..
    I have rebooted multiple times but the problem persists..

    Don't know what else I can do..
     
  9. mflynn

    mflynn TS Rookie Posts: 2,655

  10. faisalmajeed

    faisalmajeed TS Rookie Topic Starter Posts: 22

    OK I have run ComboFix, which I have to say was really tricky but I think it was really worth it. It rebooted my comp and ran its test. I don't have any problems like visiting random websites or anything like that and MBAM and SAS work with their original names. Curious thing is that MBAM is still detecting malware, but I don't think it's affecting the system; every time I reboot I detect these malwares but they seem to have lost their potency of doing harm. I would still like to get rid of them though. Attached are the log files, I am really very appreciative of the help I have gotten so far. Mike you are great.

    Any suggestions? What else can I delete using HJT or do. I have updated to the latest virus/malware definitions both on mbam and sas, still nothing (BTW I was only 2 days behind on them). These things reappear on startup, they are not causing any known harm, but if I leave them be the number increases.
    Faisal
     


  11. mflynn

    mflynn TS Rookie Posts: 2,655

    Ok, the Combofix needs to be run again. Post log

    No HJT yet!

    The entries in SAS are only tracking cookies not really a danger but we will get them after we are clean of the really bad stuff.

    After combo fix is finished do below.

    Download SD Fix to Desktop; among other things it has Catchme to look for RootKits.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process, then say Finished.
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Copy and paste the Report.txt file to your next post.

    Mike
     
  12. faisalmajeed

    faisalmajeed TS Rookie Topic Starter Posts: 22

    I ran SDFix, with great difficulty, as my comp had stopped rebooting in safe mode. This was resolved by using SDFix in normal mode and entering "R" to initialize safe mode again.

    I think SDFix found some things and cleared them, restarted and printed a report which is attached. I ran HijackThis after that, the report for which is also attached. And then I ran MBAM full scan which detected 23 malware items; it could not remove all of them and requested a restart. The MBAM report is also attached. I don't understand what kind of malware/virus it is. Thankfully it is not affecting my system in an obvious manner any more but I still have to get rid of it. Thanks again Mike for all your help

    Faisal
     


  13. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi Faisal

    What is happening is you were so badly infested with multiple issues that a single scan cannot eradicate what it cannot even see, because a more powerful bad boy was in charge.

    Once he is cleaned that exposes the next bad boy who is now in charge. So we get him and finally this program MBAM in this case "looks" clean.

    But we ran other programs SAS ComboFix etc and they work differently, look at things differently and find even more that have been hiding. Now we have exposed more.

    So run each again and post logs.

    In this order post logs for each.
    1. SDFix
    2. ComboFix
    3. MBAM
    4. SAS

    If any one of these finds anything, run again till clean or it finds something it cannot clean.

    I know this takes time but is better than the alternative! Possibly reinstalling Windows!

    Once we get you clean I will advise you on how best to stay clean.

    Mike
     
  14. rf6647

    rf6647 TS Maniac Posts: 829

    Mike, here is a wild theory. The trojan renames the infecting files after launching itself as a process. I'd think that ComboFix would detect the renamed file (they leave it in the same directory (windows\temp)).

    I would look at the list following this key (captured in <<initial>> combofix log)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "c:\\WINDOWS\\TEMP\\winoihano.exe"=
    "c:\\WINDOWS\\TEMP\\xuncdn.exe"=
    "c:\\WINDOWS\\TEMP\\jsvffq.exe"=

    My theory is based on excerpts from MBAM logs

    Memory Processes Infected: <<second run>>
    C:\WINDOWS\Temp\winjjcffe.exe (Trojan.Agent) -> Failed to unload process.
    C:\WINDOWS\Temp\iowx.exe (Trojan.Agent) -> Failed to unload process.
    ^^^^^^^^^^^^^^^^^^^^^
    Memory Processes Infected: <<initial run>>
    C:\WINDOWS\Temp\winoihano.exe (Trojan.Agent) -> Failed to unload process.
    C:\WINDOWS\Temp\xuncdn.exe (Trojan.Agent) -> Failed to unload process.

    FileAssassin can't hit a target that's moved. That's my theory.

    Perhaps using FileAssassin to delete all files in windows\temp will work.

    Next find a tool to zap the 'other named process'. It is unknown if shutdown is another opportunity to rename itself.

    [extra]
    Instructions for FileAssassin
    Start MBAM - don't scan
    > Select tab > More Tools > click >Run Tool
    > “File Name” > Type or paste “ c:\windows\temp “ into the box > click open.
    > select file from the list > click open > confirm choice
    Repeat for other files (ignore *.TMP)
     
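    The by-hand comparison rf6647 makes above (same directory, different file names between the initial and second MBAM run) can be automated so that it works over any number of runs. This is an added example, not code from the thread or from any of the tools named in it; the two log excerpts are constructed in the MBAM format quoted above, and the function and file names are my own.

```python
import ntpath
import re
from typing import Dict, List, Set, Tuple

# Constructed sample data in the MBAM log format quoted in this thread,
# one string per scan run. Illustrative only, not the poster's actual logs.
RUNS = [
    "Memory Processes Infected:\n"
    "C:\\WINDOWS\\Temp\\winoihano.exe (Trojan.Agent) -> Failed to unload process.\n"
    "C:\\WINDOWS\\Temp\\xuncdn.exe (Trojan.Agent) -> Failed to unload process.\n"
    "\n"
    "Files Infected:\n"
    "C:\\WINDOWS\\Temp\\winoihano.exe (Trojan.Agent) -> Delete on reboot.\n",
    "Memory Processes Infected:\n"
    "C:\\WINDOWS\\Temp\\winjjcffe.exe (Trojan.Agent) -> Failed to unload process.\n"
    "C:\\WINDOWS\\Temp\\iowx.exe (Trojan.Agent) -> Failed to unload process.\n",
]

# One MBAM detection line: "<path> (<family>) -> <action>"
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")


def parse_section(log: str, section: str = "Memory Processes Infected") -> List[Tuple[str, str, str]]:
    """Return (path, family, action) for each entry under the given MBAM section header."""
    entries, current = [], None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            current = None  # sections are separated by blank lines
            continue
        if line.endswith(":") and " -> " not in line:
            current = line[:-1]  # a section header such as "Memory Processes Infected:"
            continue
        m = ENTRY_RE.match(line)
        if current == section and m:
            entries.append((m["path"], m["family"], m["action"]))
    return entries


def by_directory(entries: List[Tuple[str, str, str]]) -> Dict[str, Set[str]]:
    """Group detected paths by case-folded directory, keeping only the file names."""
    groups: Dict[str, Set[str]] = {}
    for path, _family, _action in entries:
        directory, name = ntpath.split(path)
        groups.setdefault(directory.lower(), set()).add(name.lower())
    return groups


def renamed_respawns(runs: List[str]) -> Dict[str, List[Tuple[Set[str], Set[str]]]]:
    """Directories hit in consecutive runs where none of the flagged names repeat.
    That is the self-renaming pattern described in the thread: deleting the files
    by name does not stick because the next run sees fresh names in the same place."""
    flagged: Dict[str, List[Tuple[Set[str], Set[str]]]] = {}
    prev = by_directory(parse_section(runs[0]))
    for log in runs[1:]:
        cur = by_directory(parse_section(log))
        for directory in prev.keys() & cur.keys():
            if prev[directory].isdisjoint(cur[directory]):
                flagged.setdefault(directory, []).append((prev[directory], cur[directory]))
        prev = cur
    return flagged


if __name__ == "__main__":
    for directory, changes in renamed_respawns(RUNS).items():
        for old, new in changes:
            print(f"{directory}: {sorted(old)} -> {sorted(new)}")
```

A directory that is flagged this way is a candidate for a persistence mechanism (a service, scheduled task or autorun entry recreating the file) rather than for yet another delete-by-name pass.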
  15. mflynn

    mflynn TS Rookie Posts: 2,655

    Hello faisal

    Since it has been a day or so, there have been important updates to MBAM and SAS.

    Please update these before running them.

    Also do not get complacent and let this get old because every thing looks and feels OK.

    You do have remaining issues that will turn around and bite you if not handled!

    And the steps in my last post #17 will very likely finish them off.

    Mike
     
  16. faisalmajeed

    faisalmajeed TS Rookie Topic Starter Posts: 22

    Sorry for the late reply, I did the scans as recommended, I still see files reappearing in my temp folder. I am attaching the log reports. This appears to be doing nothing.

    I tried File assassin as suggested. It does kill those files in the temp folder but only temporarily, they reappear after like 15-20 mins. The same file names also exist in the memory process as you can see in the mbam log.

    How do I find what creates these files in temp and how do I kill that. Thanks for all your help
     


  17. mflynn

    mflynn TS Rookie Posts: 2,655

    Hello faisal

    Go here and do this
    http://www.techspot.com/vb/post684649-3.html

    But in your case after you download and extract do not run Fixit.cmd until you reboot to safe mode, then run Fixit.cmd.

    When it reboots to normal mode open the folder and attach bfu.log.

    Then just run the fixit.cmd once from normal mode and send this new bfu.log.

    And Faisal, you are likely getting these infections from P2P like Kazaa. Don't run them or have them started while we are cleaning until clean.

    Then if you must have them I will advise on more protection for you.

    Mike
     
  18. faisalmajeed

    faisalmajeed TS Rookie Topic Starter Posts: 22

    Hi Mike and Everyone,
    Thanks for your continued support. I will perform these steps once I get home. I do not have Kazaa, I do have Azureus but only have it running when I use it. I also have Graboid. This may sound like a silly question but can viruses hide themselves in video files?

    Faisal
     
  19. mflynn

    mflynn TS Rookie Posts: 2,655

    From SDFix found on your HD!
    "C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp"="C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp:*:Enabled:KazaaLite"

    I can also see remnants of cleaned items in Combofix.

    You also need to uninstall the old HJT and go back to the

    TechSpot 8 steps: http://www.techspot.com/vb/topic58138.html

    and ccleaner and get the new HJT and post log.

    But most important now is post #17.

    Mike
     
  20. faisalmajeed

    faisalmajeed TS Rookie Topic Starter Posts: 22

    I have tried the suggested steps.
    Uninstalled and reinstalled HJT and CCleaner
    Installed fixit.exe
    Ran it in safe mode and then again in normal mode. The log from normal is attached; it could not do a log in safe mode.

    HJT log is there too.

    I have gone in my temp folder and the trojan exe files are still there under different names. The only thing that kills them momentarily is FileAssassin, but they keep coming back after 15-20 mins

    If you can see anything in the logs please suggest a course of action. This virus has exhausted me
     
  21. mflynn

    mflynn TS Rookie Posts: 2,655

    Yeah I see them now (new HJT)

    Are these the ones you see

    C:\WINDOWS\TEMP\kcstb.exe
    C:\WINDOWS\TEMP\xdnu.exe

    I am composing more.

    Answer above and wait 5 to 7 minutes.
    ------------------------------------------------------------ OK here you are!

    Get Kaspersky_AVP_Tool http://www.majorgeeks.com/Kaspersky_AVP_Tool_d4515.html
    IMHO the absolute best deepest most thorough virus cleaner on earth

    The price you pay is a long time running. You may want to do it when you go to bed or work!

    To make it even slower boot to safe mode and run it there.

    Mike
     
  22. faisalmajeed

    faisalmajeed TS Rookie Topic Starter Posts: 22

    The download link is not working... I have tried from my laptop which is not infected and still the link does not work... I will try from my work comp tomorrow.

    Please let me know if there is a different link that I can use
     
  23. momok

    momok TS Rookie Posts: 2,265

    Your Combofix log shows a lot of bad files.. Allow me to provide some advice with respect to combofix...

    1. Open notepad and copy/paste the text in the code box below into it:

      Code:
      File::
      C:\editreg.exe
      C:\rtsdnif.exe
      C:\attrib.exe
      C:\dnif.exe
      c:\documents and settings\Friends\editreg.exe
      c:\documents and settings\Friends\rtsdnif.exe
      c:\documents and settings\Friends\attrib.exe
      c:\documents and settings\Friends\dnif.exe
      c:\documents and settings\editreg.exe
      c:\documents and settings\rtsdnif.exe
      c:\documents and settings\attrib.exe
      c:\documents and settings\dnif.exe
      c:\windows\system32\rrt_is.wav
      c:\windows\system32\rrt_vf.wav
      c:\windows\system32\rrt_tv.wav
      c:\windows\system32\rrt_tn.wav
      C:\windows32.exe
      c:\documents and settings\All Users\Application Data\uhuvadisy.com
      c:\documents and settings\Friends\Application Data\abon.reg
      c:\documents and settings\Friends\Application Data\epybotabo.exe
      c:\documents and settings\Friends\Application Data\tiroquhij.dll
      c:\documents and settings\All Users\Application Data\seke.vbs
      c:\documents and settings\Friends\Application Data\olifolozi.bat
      c:\windows\mipa.exe
      c:\documents and settings\Friends\Application Data\mukiji.vbs
      c:\documents and settings\Friends\Application Data\yqubo.bat
      c:\documents and settings\All Users\Application Data\topyfyqyc.vbs
      c:\windows\Twunk001.MTX
      c:\windows\Twain001.Mtx
      c:\windows\Twunk002.MTX
      c:\program files\bhboiu.txt
      c:\program files\edjebfsi.txt
      c:\program files\ijrzc.txt
      c:\program files\acqpzkiu.txt
      c:\program files\empcglju.txt
      c:\program files\ifvf.txt
      c:\windows\Internet Logs\xDB26.tmp
      c:\windows\Internet Logs\xDB25.tmp
      c:\windows\Internet Logs\xDB24.tmp
      c:\windows\Internet Logs\xDB23.tmp
      c:\windows\Internet Logs\xDB22.tmp
      c:\windows\Internet Logs\xDB21.tmp
      c:\windows\Internet Logs\xDB20.tmp
      c:\windows\Internet Logs\xDB1F.tmp
      c:\windows\Internet Logs\xDB1E.tmp
      c:\windows\Internet Logs\xDB1D.tmp
      Folder::
      C:\backups
      C:\backupreg
      c:\documents and settings\Friends\backups
      c:\documents and settings\Friends\backupreg
      c:\documents and settings\backups
      c:\documents and settings\backupreg
      c:\documents and settings\Friends\.blurb
      Registry::
      [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{485d6226-86fb-11da-be8b-000c4165416e}]
    2. Save this as "CFScript.txt" on the desktop.
    3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    4. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
      Note: Do not mouse-click combofix's window while it is running. That may cause your system to hang.

    Thereafter, please post a fresh HJT log as well as the resultant ComboFix log from the above instructions as attachments into this thread.
     
  24. faisalmajeed

    faisalmajeed TS Rookie Topic Starter Posts: 22

    I have tried the CFScript method, I am attaching both logs from combofix and HJT. I still see the trojan files in my Temp folder

    And for Kaspersky, this is the weirdest thing. I cannot access any website on Google that has the Kaspersky download on it. The homepage of it does not even load, and the link from download.com does not work either and the link posted here is the same situation. This is also happening from my laptop.

    I checked this from my work computer this afternoon and all the links worked fine. I remotely logged on to my laptop and then desktop and both still were having the same problem of not loading the website.

    In any case I have downloaded Kaspersky from work, will install and run it tonight. I think I have got the worst trojans here

    I have installed the Kaspersky tool. But it's not running. I double click on it and nothing happens, just as mbam and sas were. I have tried renaming it but it doesn't let me... what do I do
     


  25. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi faisal

    Just arrived back and saw your post.

    Will have more in 6 - 8 minutes.

    Mike
     