also @ TechSpot: iTunes 11.0.3 delivers revamped MiniPlayer, security fixes

Malware help needed (Trojan.bho detected)

Discussion in 'Virus and Malware Removal' started by sativen, Dec 16, 2012.

Post New Reply
Page 2 of 2

  1. Broni Malware Annihilator Posts: 39,288   +175

    Keep it going.
    Broni, Dec 18, 2012
    #21

  2. sativen Newcomer, in training Posts: 21

    You're the boss :)

    I am going to pass the hell out though, as it's been going for 2.5 hours. I'll let it run overnight.
    Thanks for the help tonight. Hopefully this crap gets solved soon......I hate my wife's computer.
    sativen, Dec 18, 2012
    #22

  3. sativen Newcomer, in training Posts: 21

    It froze up somewhere in the middle of the night (I forgot to check the ESET running time before I had to hard reboot).

    I am starting the ESET scan again. In the meantime, here are the logs from Security Check and FSS.


    Security Check:


    Results of screen317's Security Check version 0.99.56
    Windows 7 Service Pack 1 x64 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Microsoft Security Essentials
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.65.1.1000
    Java(TM) 6 Update 30
    Java version out of Date!
    Adobe Flash Player 11.5.502.135
    Mozilla Firefox (17.0.1)
    Google Chrome 21.0.1180.83
    Google Chrome 21.0.1180.89
    Google Chrome 22.0.1229.79
    Google Chrome 22.0.1229.92
    Google Chrome 22.0.1229.94
    Google Chrome 23.0.1271.64
    Google Chrome 23.0.1271.91
    Google Chrome 23.0.1271.95
    Google Chrome 23.0.1271.97
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 1%
    ````````````````````End of Log``````````````````````
    sativen, Dec 18, 2012
    #23

  4. sativen Newcomer, in training Posts: 21

    FSS log:


    Farbar Service Scanner Version: 10-12-2012
    Ran by King Kong (administrator) on 17-12-2012 at 21:36:05
    Running from "D:\Users\King Kong\Desktop"
    Windows 7 Ultimate Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.

    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================

    System Restore:
    ============
    System Restore Disabled Policy:
    ========================

    Action Center:
    ============
    Windows Update:
    ============
    Windows Autoupdate Disabled Policy:
    ============================

    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.

    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1

    Other Services:
    ==============

    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit

    **** End of log ****
    sativen, Dec 18, 2012
    #24

  5. sativen Newcomer, in training Posts: 21

    3.5 hours later, here are the ESET scan results:

    C:\Users\King Kong\AppData\Local\VirtualStore\Mozilla\papptw.dll a variant of Win32/Kryptik.AQRU trojan cleaned by deleting - quarantined
    D:\Carputer\RoadRunner v12-06-07.zip probably unknown NewHeur_PE virus deleted - quarantined

    RoadRunner is the application for my carputer. I remember reading when I messed around with it years ago that it would produce a false positive.... but, I'm not for sure.
    sativen, Dec 18, 2012
    #25

  6. Broni Malware Annihilator Posts: 39,288   +175

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it.
    • Run JavaRa.exe (Vista and 7 users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    =================================

    Your computer is clean [IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Check if your browser plugins are up to date.
    Firefox - https://www.mozilla.org/en-US/plugincheck/
    other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    8. Run Temporary File Cleaner (TFC) weekly.

    9. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    11. (Windows XP only) Run defrag at your convenience.

    12. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

    13. Read:
    How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
    Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

    14. Please, let me know, how your computer is doing.
    Broni, Dec 18, 2012
    #26
     

  7. sativen Newcomer, in training Posts: 21

    I'm late to respond, I've been traveling today.
    OTL log from step 1:


    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: King Kong
    ->Temp folder emptied: 110746 bytes
    ->Temporary Internet Files folder emptied: 14871836 bytes
    ->Java cache emptied: 3755 bytes
    ->FireFox cache emptied: 1746354 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 957 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 13830 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 16.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: King Kong
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Default

    User: Default User

    User: King Kong
    ->Java cache emptied: 0 bytes

    User: Public

    Total Java Files Cleaned = 0.00 mb

    Restore point Set: OTL Restore Point

    OTL by OldTimer - Version 3.2.69.0 log created on 12192012_001149
    Files\Folders moved on Reboot...
    C:\Users\King Kong\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    C:\Users\King Kong\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UBLOQ3DF\ads[2].htm moved successfully.
    C:\Users\King Kong\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UBLOQ3DF\zrt_lookup[1].htm moved successfully.
    C:\Users\King Kong\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7T34MMY0\page-2[1].htm moved successfully.
    C:\Users\King Kong\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
    PendingFileRenameOperations files...
    Registry entries deleted on Reboot...
    sativen, Dec 19, 2012
    #27

  8. sativen Newcomer, in training Posts: 21

    Thanks for all the help so far, but I have potentially bad news...

    I was working on step 5, and went to look for an update to Adobe Acrobat Pro, and started getting browser redirects in Firefox. It doesn't appear to be happening in IE though.
    sativen, Dec 19, 2012
    #28

  9. Broni Malware Annihilator Posts: 39,288   +175

    Broni, Dec 19, 2012
    #29

  10. sativen Newcomer, in training Posts: 21

    Firefox reinstalled.

    Should I re-run some scans? After this re-happened I am nervous to start popping in my password and checking my email again.

    Thanks for all the help.
    sativen, Dec 19, 2012
    #30

  11. Broni Malware Annihilator Posts: 39,288   +175

    You definitely have to change sensitive passwords because trojans were present.
    You can do this from this computer since it's clean.
    Is Firefox OK now?
    Any other issues?
    Broni, Dec 19, 2012
    #31

  12. sativen Newcomer, in training Posts: 21

    Everything appears to be ok. I'll keep an eye on it over the next few days.
    I changed a bunch of passwords the other day from my wife's clean computer, and haven't used this computer until I knew it was good to go.

    What, in you opinion, is the best program to use to rescan my external hard drive when I plug it back it to make sure my backed up files are clean too?

    Thanks a ton for your help. I just shot you some love on PayPal.
    sativen, Dec 19, 2012
    #32

  13. Broni Malware Annihilator Posts: 39,288   +175

    Thank you :)

    Install Panda USB Vaccine, or BitDefenderā€™s USB Immunizer on your computer to protect it from any infected USB device.
    Then plug any external device in and scan it with your updated AV program.

    Good luck and stay safe :)
    Broni, Dec 19, 2012
    #33
Page 2 of 2

Add New Comment

Social Login & Guest Posting

TechSpot Members
Login here or sign up for free,
it takes about a minute.
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.