TechSpot

Trojan Downloader Problems

By kittiwake30
Nov 25, 2008
  1. Hi all, I found this site when searching for issues with regard to a Trojan Horse Downloader.

    I have not seen many symptoms of a virus on my computer. My email does seem to retrieve the same messages over and over in my inbox.

    This is a work computer, I am trying at all costs to avoid a fresh reformat.

    I did my best to follow the steps and include the log files.
     
  2. rf6647

    rf6647 TS Maniac Posts: 931

    Welcome to TS. Please visit these forums frequently and participate in the knowledge exhange that takes place.

    We will procede along a typical path. Update MBAB & SAS scanning tools. Most often the next scans with each tool will report no infections and no threats. Remember that SAS should be optioned to delete cookies. Inspect logs for wording ‘delete on reboot’. When found, restart the computer.

    After completing scans with MBAM & SAS (achieving 0 results or no further reduction noted), restart the computer.

    Scan with HJT, tick & fix the following, if present. This is an UNKNOWN. It can be restored if this is a corporate policy or ignored if decided by the user.
    Restart the computer. Posts logs. Report progress & what changes are observed.

    Please make a specific remark about the pathname for the O4 entry cited above. I am trying to use 'dk xux mtg' pattern to guess at an application. Other specialists here may advise using another scan tool to obtain more diagnostic information.

    Your observation that retrieving email repeats messages is not familiar to me. My experiences with malware come mostly from this forum. The Grisoft mail scanner is installed on the computer. Some mail programs can be optioned to leave messages on the server. Once the infections are cleared, more details will be helpful.

    A couple of remarks for consideration after resolving this problem:
    Update your Internet Security. AVG 7 is no longer supported.
    Update Adobe to newest version. Your copy was cleared of a ‘keygen’ infection.
     
  3. kittiwake30

    kittiwake30 TS Rookie Topic Starter

    Thank you for taking the time to explore my problem. I did as instructed (I hope) and have included log files.

    The email issue is unlikely to be related and ceased a few days ago ... however, I do occassionally receive a pop-up window, supposedly from Windows Explorer, wanting to install VirusScan 2009 for a sweep. When I try and close that window, it takes me to Anti Virus 2009 website .. can I assume this is not credible, i.e. a real Microsoft issue?

    AVG is also detecting a threat: Virus Found Fake Alert that accompanies the pop-up. AVG cannot heal the file.

    When I restart the computer, I also get a notice from Spybot Search and Destroy indicating a key has been added to the system startup global registry, entry name is senugedada, new data: Runll32.exe "C://Windows/system32/jemal .. and it wants to know whether to allow or deny change.
     
  4. rf6647

    rf6647 TS Maniac Posts: 931

    This is a most unexpected result. Other specialists are invited to assist, especially with reviewing a ComboFix log to be requested.

    MAJOR CHANGE – HJT
    O20 - AppInit_DLLs: C:\WINDOWS\system32\kiyejebe.dll c:\windows\system32\podidede.dll
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\podidede.dll
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\podidede.dll

    Kittiwake30, if this computer is used in your home network, then we can exercise more control. It appears that no firewall application was added to the computer. It is likely that the infection has altered firewall policies, so adding one now will not be effective. This computer should be isolated from other computers on the local network (typically attached to a router).

    Protect from contamination of unknown origin - if isolation is not practical, then proceed with Combofix.
    Disconnect all computers from the router (local network). Power cycle the router (remove power, restore power). Connect only the infected computer to the router.

    Combofix will be used to gain additional diagostic data. Some cleaning does occur.
    Link to instructions developed by Blind Dragon

    Remember to conclude scanning with HJT. As expected, posts logs. Report progress & what changes are observed.
     
  5. kittiwake30

    kittiwake30 TS Rookie Topic Starter

    I did as instructed, and have attached the relevant logs.

    I do not want to count the proverbial chickens before they've hatched, but in the brief amount of time I've spent on the computer since undertaking these latest instructions, I have noticed a marked improvement in processing speed, no pop-ups or redirects. Fingers crossed.
     
  6. rf6647

    rf6647 TS Maniac Posts: 931

    I repeat the call for a “Combo-Talkers”. Other specialists are invited to assist, especially with reviewing a log from ComboFix.

    Kittiwake30, it is encouraging that you observe an improvement, and note the elimination of popups & redirects.

    ComboFix is quiet, but effective. I find a descrepancy in that one (1) suspect file: C:\WINDOWS\system32\kiyejebe.dll was not reported in the log. Perhaps it is whitelisted or was one of the orphans (file rename used to cloak trojan.agent). A trained specialist would have the correct understanding.

    If you agree, let’s give some time for other specialists to contribute.

    If you prefer to wrap this up, then update the scanning tools. Scan with MBAM and SAS. Clean scans indicate ComboFix uncovered no new infection or threat.

    Then proceed to follow cleanup instructions developed by Blind Dragon, beginning with the section titled “Uninstall ComboFix”
     
  7. kittiwake30

    kittiwake30 TS Rookie Topic Starter

    It's been a couple of days now and my system is operating like a charm, knock on wood. I undertook the same steps with my home computer and it yielded similar excellent results in performance.

    Anyway, this whole ordeal was really an eye opener and has profoundly changed the way I use the computer.

    I really wanted to extend my gratitude for the assistance. Thanks is a bit too small a word for this occassion. I'm frankly impressed that such a resource exists online, where techno*****s like myself can access personalized expertise. You've been unbelievably accommodating and patient.

    I don't want to close the door on needing help down the road, but I did want to express my thanks.
     
  8. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Would you unhide your system files and hidden files/folders, and then check this folder?

    C:\d907ef29a3f174dab7c6

    Let us know the contents.
     
  9. kittiwake30

    kittiwake30 TS Rookie Topic Starter

    Sorry, how to I go about unhiding contents?
     
  10. kittiwake30

    kittiwake30 TS Rookie Topic Starter

    Okay, figured it out. The folder contains two files:

    update.exe (Windows Service Pack Set Up Microsoft Corporation)
    updspapi.dll (6.3.3.0 Windows Servicing Setup API)

    The attached jpeg shows the screenshot.
     
  11. momok

    momok TS Rookie Posts: 2,272

    Then I guess you're clean. You may continue with the final cleaning instructions from rf's post.
     
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.