Help please, trojan issue

Hi guys, first post

I'd like some help with a malware problem I'm having.

A couple of days ago my NOD32 reported that I'd packed up a trojan which it deleted. Since then I've had the ESET send suspicious file request. NOD finds nothing on a full scan now.

When I do a Google search or visit certain sites (like this one) I get an "address has been blocked" flag from NOD32 IP 213.163.89.106:80 or 78.47.248.117:80. I've only been using NOD V4 for a week or so so (used to use NOD 2.7) I'm not too sure what normal behaviour is, apparently it does some ad blocking.

I completed the Malware removal instructions.

Malware bytes found and deleted a rogue installer, log attached,

GMER reports Suspicious modification to a couple of sys files

C:\WINDOWS\system32\drivers\atapi.sys

C:\WINDOWS\system32 \DRIVERS\epfwtdir.sys

I'm not using the PC for critical internet stuff now for obvious reasons.

Thanks in advance.

MOG

I've run Superantispyware, removed 3 trojans....

NOD still isn't happy :suspiciou flagging blocked IP's when I use Google.

SAS log file attached

I see multiple antivirus programs:
AV: Norton AntiVirus
AV: ESET NOD32 Antivirus 4.2
FW: Norton Internet Worm Protection *enabled

Please remove one of these. Multiple AV programs can makes the system more vulnerable as well as slow it down.
Reboot the computer after you have removed a program.
=================================================
The Attach.txt part of DDS is missing information:
==== System Restore Points ===================
No restore point in system.
==== Installed Programs ======================
==== Event Viewer Messages From Past Week ========
==== End Of File ===========================
No restore points, no installed programs, no Error Events?

Part of the DDS log is missing:
============= SERVICES / DRIVERS ===============
??????
=============== Created Last 30 ================
?????
No Services or drivers? No files, folders, update etc. created in last 30 days?
I need the full logs please.


IP 213.163.89.106 is a site in the Netherlands. And IP 78.47.248.117 is a site in Germany. Something is in your system trying to access it and hijacking your searches. Nod32 is doing it's job. We just have to find what it is.
======================================
Please download ComboFix from Here and save to your Desktop.

• 
  [1]. Do NOT rename Combofix unless instructed.
  [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3].Close any open browsers.
  [4]. Double click combofix.exe & follow the prompts to run.
• NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If Combofix asks you to install Recovery Console, please allow it.
  [6]. If Combofix asks you to update the program, always allow.
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..
Re-enable your Antivirus software.
=====================================
Run Eset NOD32 Online AntiVirus scan HERE

1. Tick the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the Active X control to install
4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
5. Click Start
6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
7. Click Scan
8. Wait for the scan to finish
9. Re-enable your Antivirus software.
10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

GMER indicates a Rootkit.
When you run the Eset scan, please note the line instructing you not to check the entries for removal.

Edit: Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

Thanks for the reply Bobbye. I'll try and work through your post

I thought I'd got rid of Norton a while ago, obviously not....

In trying to sort this myself I have run CC cleaner, could that be causing the lack of DDS data? Sorry if I've caused more problems by doing this.

Edit

I have the CC registry backup to go back to, I could install it if it would help. Its from before I started the 8 step though .

OK, so I could move on I've run the Norton deleter, I didn't realise there were any bits of it left running.

Combofix ran OK after that, it reported rootkit. Log attached

ESET's online scanner didn't detect anything, it didn't seem to produce an obvious log.

Edit

New repeat more complete DDS files attached. I think Norton's entrails were blocking DDS.

Edit

Found the ESET log, attached

Edit

Just found that my system restore isn't working, I don't think its connected but you never know. It wont open from My Computer.

Regards

MOG

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  
  Code:

  
  :filefind
   epfwtdir.*
  
  

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

I have a question: Combofix remove dozens of files for Application Data\Storm followed by '\update appended by QuickTime, Real plugins, codecs, storm.zip2.07.08.27, StormII. I found only one other incidence of this on a French site, which also had the same deletions in Combofix.

What is this app?

I noticed Combofix removing the storm entries, I've no idea what it is..... :suspiciou

Edit........................

I remember now, its some sort of sound codec pack. I think I downloaded it as a fix for sound issues on some game or other. From the link it appears to be legit.

http://www.softpedia.com/get/Multimedia/Video/Codec-Packs-Video-Codecs/Storm-Codec.shtml

I'll follow your instructions and get back.

Systemlook finds nothing.

NOD 32 still flags attempted re-directs, 213.163.89.166:80. 78.47.248.117:80. are blocked etc.

What's next?

The file I had you looking for is ESET filter driver system driver file. The GMER log indicates is is 'suspicious.' But I note it in the current log and it's fine. As for the Storm program, since no script was written to remove those entries, it appears that Combofix found the entire program infected so did a complete deletion. Keep in mind that you not only have to consider the program itself, but also the download site. For instance, you run Azureus and LimeWire. Maybe you got the program using file sharing. That's a good way to get malware.

Please do not use CCleaner at this time and do not attempt a System Restore. You can undo all the work we're doing.

Custom Script

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:

Code:

File::
c:\windows\cnerolf.bin
c:\windows\system32\eed4_g.dll

DDS::
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
Folder::

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

RegNull::
[HKEY_USERS\S-1-5-21-57989841-790525478-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
[HKEY_USERS\S-1-5-21-57989841-790525478-725345543-1003\Software\SecuROM\License information*]

Driver::

FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys

Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
I recommend that you uninstall the Iobit Advanced SystemCare 3 Neither the program nor the site itself are good for the system.

Are you currently using the Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter? Have you checked recently for a firmware upate? If not, please do so.

I've run Combofix with the script, log attached.

I've unloaded ASC3, I never use it, but anyway, now its gone.

I don't use the Realtek wireless connection, its on my board, this system is wired internet only.

I don't file share much, because of the virus issue. I haven't opened Azerus for months but did attempt to download something around the time the hijacks started so mabe that's where I picked this up.

I'm still getting the attempted re-directs btw.

It looks like you included one line too many in the code box, so I'm going to have you run it again: That is a major move so doing it correctly might solve the problem. I also want you to temporarily disable the 2 Real Time scanners you have going:

• Right click on the Ad-Aware icon in the system tray.
• Click on Disable Ad-Watch Live!
• (Once you are clean, you can re-enable Ad-Watch Live! by clicking on Enable Ad-Watch Live!.)

• Right click the TeaTimer icon in the system Tray
• Then click Exit Spybot-S&D Resident
• (One you are clean you can restart TeaTimer by going to C:\Program Files\Spybot - Search & Destroy, and double clicking on TeaTimer.exe

===============================================
Custom CFScript

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:

Code:

File::
c:\windows\system32\drivers\atapi.sysSave this as CFScript.txt, in the same location as ComboFix.exe
c:\windows\system32\perfc009.dat
c:\windows\system32\perfh009.dat
.
FCopy::
c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\System32\drivers\atapi.sys

Don't include the lines below in the code box but leave the entry I have setup to remove the file that you did include the line previously..
Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================

If you have any question about the code box, please ask me before running it. I have to remove the wrong entry, then set it up again.

"Don't include the lines below in the code box but leave the entry I have setup to remove the file that you did include the line previously"

I'm not sure what you mean by this? Did I fail to highlight everything last time?

You mean just copy the text that's in the text box, carefully without adding an extra line from the page below?

Just to be clear.

I didn't realise that Adaware and SB were running, these programs wont lie down and die will they.

Edit..........

I see I highlighted a line from the page below, sorry that was clumsy.

No problem- maybe I should add a space. Problem is that the code won't work unless it's exactly right. The rerun should handle it fine. I though it might be confusing to you because I had to put the bad entry in the code box to remove it, then rewrite the move. But I wanted to be sure you didn't copy down too far this time.

We use to have everyone disable the RealTime scanners at the beginning of cleaning. But we later thought it might be a waste of time. But when we need to be absolutely sure the scans are 100% accurate and a pesky problem isn't resolving, we have them disabled.

Gah, still getting the attempted re-directs.

I hope I haven't messed this up again, I thought I had it right. Sorry if this is my fault.

I've started the PC and NOD started deleting files, I've included the Log. Maybe a NOD update?

Please help if you can, otherwise its looking like a clean install, unfortunately, I'd rather not do that.

Edit........

Interestingly since running the script yesterday I no longer get attempted re-directs when I come here to techspot. Maybe some of the garbage has been taken out?

Edit........

Yes definitely better, I only get attempted re-directs to 213.163.89.106:80 now, the same each time and only on Google searches.

I can't make much out of this Nod32 log. IT is for the full AV program, not the online scanner. I don't need all that 'extra' information> it will confuse you also.

The NOD32v4.txt (1.5 KB) log in your first post is for the antivirus which runs all the time on the system. It will include documentation that is not useful to us. (By the way, if you open this log in Notepad and go to Format> uncheck 'Word Wrap', it will be easier for you to read the log. You will need to navigate across the screen to see a full line, but you should be able to learn what's is there much easier)

The 240710_1 ESET log.txt (781 Bytes) in Post #5 is for the online Eset scanner. That's all I want. Let's not get sidetracked.

Back to this:

I said this before, but I don't think you grasped it: If this is a scan from the site on the internet attempting to access your computer and Nod32 is blocking it, this is normal traffic. It's how a firewall blocks an attempt to access. On the other hand, if these is spyware or adware on your computer and it is attempting to 'call home' and Nod32 is blocking it, it means there is an undesirable process on your system that we need to find and remove.

You are getting malware from the following:
hxxp://www.asiawholesalers.net/my_facebook.exe
hxxp://flowload.in/070700Setup.exe
hxxp://www1.realysafe14.co.c

I don't see any notations in the Nod32 log of blocking particular IPs. This makes me thing that it's normal internet traffic looking for an unprotected system. You should be able to disable the alert popping up. Please open the Nod32 program and familiarize yourself with the configuration and options you have.

IF you are accessing these site, you need to stop.

You have both Azureus and LimeWire running on the system. You will need to consider the working of file sharing in your security.

So far as I can see, your Nod 32 is doing it's job.

You can check this again and see if there is anything new:
Run Eset NOD32 Online AntiVirus scan HERE

1. Tick the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the Active X control to install
4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
5. Click Start
6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
7. Click Scan
8. Wait for the scan to finish
9. Re-enable your Antivirus software.
10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please note the line instructing to not to check for removal. Post that log and I'll move whatever is necessary.

But I would like you to better description the 'redirect' you're getting.

I only have NOD32 AV installed not the firewall, I don't have a software firewall running just the harware firewall with my router. The hardware firewall should deal with unwanted incomings, but doesn't stop outgoings as I understand it, no?

I used to have software firewalls but found them a pain in the ****, when I got my router it was suggested to me that the hardware firewall was enough plus decent AV software. I'm not sure if you agree with this.

Does the NOD32v4 AV package have similar activity to a software firewall? If so with my hardware firewall how am I getting "hits" from searches recorded in NOD32? Is there a problem with my router firewall setup maybe?.

I've attached an image of the alert, as you say its not logged by NOD32.

I'll get back with the scan in a while.

It looks like it is a bug: http://www.wilderssecurity.com/showpost.php?p=1147062&postcount=7

But that's an old thread- are you using the most current version?

I've uploaded the ESET scan result, it found nothing.

If you believe that my system's clean I'm quite happy to accept that and move on. I can start a new thread f i see further dodgy behavior.

I think evidence points to NOD V4 being a bit over verbose and me having some undetected root kit on my system that you have removed. I've changed my NOD settings very slightly to warnings only popups from advisory, so the pop ups are gone, as you say the pop up's aren't recorded as threats or blocks by NOD, so are most likely a response to outside scans. How NOD is detecting these through my hardware firewall I'm unsure though

I haven't got a clue what this site is that uploaded some crap yesterday. I can only think that its somehow attached to advertising on a local news paper site I visit, I'll have to investigate.

Ihxxp://www.asiawholesalers.net/my_facebook_exe

The online scan is clean. These 'blocked site' warnings are confusing a lot of people. Several security programs are doing it but don't give enough information for the user to determine whether it's incoming or outgoing. My Firefox will give me an alert if I select a site that is questionable and doesn't load the page. This is adequate without the confusion! If they are going to display a specific IP, then it should be clear which way it's going- in or out. Normally it would be the job of a software firewall to give:

1. The originating IP and the port the scan was sent from
2. The destination IP and the port it was sent to.
So you could tell if it was an attempt from withing your system (your IP) to contact a site on the internet and what kind of traffic it was. But enough- I tend to get carried away with this!

You can now remove all of the tools we used and the files and folders they created

• Uninstall ComboFix and all Backups of the files it deleted
• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  

• Download OTCleanIt by OldTimer and save it to your Desktop.
• Double click OTCleanIt.exe.
• Click the CleanUp! button.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

• You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
• Go to Start > All Programs > Accessories > System Tools
• Click "System Restore".
• Choose "Create a Restore Point" on the first screen then click "Next".
• Give the Restore Point a name> click "Create".
  
• Go back and follow the path to > System Tools.
  [*]Choose Disc Cleanup
  [*]Click "OK" to select the partition or drive you want.
  [*]Click the "More Options" Tab.
  [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin
Let me know if you have any more questions.