TechSpot

Trojan present on system

By Manjit
Oct 18, 2008
  1. Earlier my laptop froze up and appeared to be taken over by someone else, i.e. it was doing strange things to Explorer. I've followed the steps and run the various scans and it found a 'Trojan.FakeAlert' in the Registry Key.

    Any help would be appreciated. I've attached the various logs.

    Also I'm running Avast; should I be running an additional firewall with this? Or would the Windows Firewall and Avast be sufficient? Because a few times a message has popped up saying I'm not running a firewall.

    Thanks

  2. Tedster

    Tedster Techspot old timer..... Posts: 6,000   +15

  3. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    I followed all those instructions before I posted my original thread.

    I just wanted someone to check my HJT log and Mbam log.

    Thanks.
     
  4. rf6647

    rf6647 TS Maniac Posts: 829

    Are you clean? I just do not know.

    Zone Alarm firewall - is it installed? The O23 service is not running. There is an O4 entry for startup.

    Svchost - 3 copies running? I am a little suspicious.

    O4 starting ctfmon.exe. Ordinarily it is not done. However, I have responded to others expressing the same concern. No conclusion just now.

    Perhaps running Panda AntiRoot Kit obtained here will look a little deeper. Post log if it detects a problem.

    If that comes back clean, use HJT Fix Checked for the following
    Note: using a help link, Motive SmartBridge is not associated with blueyonder-istnotifier.exe

    Then run MBAM & SAS again. Post the 3 logs again.

    All this extra work may just prove you're clean after all.
     
  5. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    I don't have Zone Alarm running; as I said in my 1st post I just have Avast and the standard Windows firewall. I was asking whether it was worth downloading an additional firewall even though I had Avast?

    I'll do the rootkit scan with Panda and the other scans and post the results shortly.
     
  6. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    I did a scan with Panda AntiRootKit and it said I was all clear. I have attached the three logs I did with Malwarebytes, SuperAntiSpyware and HJT. Malwarebytes found a 'Trojan.FakeAlert' again.
     
  7. rf6647

    rf6647 TS Maniac Posts: 829

    Call for an expert

    Thanks for your patience & persistence.

    I recommend running Combofix. Caution - expert is needed for the final steps for clearing the Qoobox.

    combofix – posted by momok

    Finding:
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tuvVPfeE.dll.vir Infected: Trojan.Win32.Monder.gen 1


    The finding above led me to conclude that these are suspect:
    O20 - Winlogon Notify: fin42u - C:\WINDOWS\
    O20 - Winlogon Notify: tuvVPfeE - C:\WINDOWS\

    MBAM recurring infection has strong linkages to video codecs.
    Object Name = GNX Bingo ; Filename = svpekgonqba.dll ;
    GNX - Bingo

    Additionally, unless you can personally vouch for these - fix/check these
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
     
  8. momok

    momok TS Rookie Posts: 2,265

    @Manjit: To add on, after you are done with rf6647's advice, I will help you to check your Combofix log and provide you some instructions thereafter.
     
  9. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    I'm not really sure what I should have been doing from rf6647's advice. I've removed:
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    As they don't really make sense to me at all, I assume they should not be there.

    I've run ComboFix and attached the log.

    Should I be deleting more files such as:
    O20 - Winlogon Notify: fin42u - C:\WINDOWS\
    O20 - Winlogon Notify: tuvVPfeE - C:\WINDOWS\

    Thanks for your help.

    Sorry, forgot to attach the log to my last reply.

    Attached Files:

    • log.txt
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    For future reference: you really should disable real-time protection before suggesting a user run ComboFix. Most antivirus programs can be disabled by right-clicking them in the system tray then checking or unchecking the real-time protection.

    For other real time protection programs - here is a decent list from castlecops
    http://wiki.castlecops.com/Malware_Removal:_Temporarily_Disable_Real_Time_Monitoring_Programs

    Manjit, can you also attach a fresh HijackThis log?
     
  11. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Here's the fresh HJT log.

  12. momok

    momok TS Rookie Posts: 2,265

    Please boot into safe mode and unhide your files and folders. Navigate to the following folder and delete it manually.
    C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

    Also, use hijackthis to fix the following:
    O2 - BHO: (no name) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {F742E03D-8892-42AE-8049-CB5A51BE5B14} - (no file)
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} -
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} -
    O20 - Winlogon Notify: fin42u - C:\WINDOWS\
    O20 - Winlogon Notify: tuvVPfeE - C:\WINDOWS\

    Rehide your files and boot into normal mode and post a fresh HJT log, thanks.
     
  13. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Fresh HJT log after following the above instructions.
     
  14. momok

    momok TS Rookie Posts: 2,265

    Well... looks a lot better now. Are you facing any problems?
     
  15. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    No problems as far as I can tell. Thanks very much for all your help.
     
  16. momok

    momok TS Rookie Posts: 2,265

    Hang on. Now that you're good to go, just do the following:
    1. Please download and run CCleaner via step 3 of the instructions HERE.

    2. Turn off system restore (XP/ME only). Learn how to do that HERE.
      This will remove all the remaining nasties from your old restore points.

    3. After that turn system restore back on.
      This would have created a new safe and clean restore point for your system.

    4. Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
      May I recommend that you read this article.
      This can help to prevent future infections.
     
  17. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    I'm afraid I still seem to be having some problems. I ran a scan with Malwarebytes this morning and it found a 'Trojan.FakeAlert' in the Registry Key. Also when I ran HJT it showed some of the files I thought I had previously removed, such as:

    O2 - BHO: (no name) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {F742E03D-8892-42AE-8049-CB5A51BE5B14} - (no file)
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} -
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} -
    O20 - Winlogon Notify: fin42u - C:\WINDOWS\
    O20 - Winlogon Notify: tuvVPfeE - C:\WINDOWS\

    I've attached the logs. Any advice would be greatly appreciated.
    Thanks

  18. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Any advice?
     
  19. momok

    momok TS Rookie Posts: 2,265

    Hi sorry for the delay! Been swamped with school projects..

    Regarding the detection, your log shows:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f742e03d-8892-42ae-8049-cb5a51be5b14} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    I believe it is left over from the previous cleaning.

    Could you run Combofix again? Please switch off your 'SpyBot tea-timer' before running combofix.

    After that, fix these entries in HijackThis:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
    O2 - BHO: (no name) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} -
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} -
    O20 - Winlogon Notify: fin42u - C:\WINDOWS\
    O20 - Winlogon Notify: tuvVPfeE - C:\WINDOWS\

    Post your combofix and fresh hijackthis log after you have fixed those. Thanks.
     
  20. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Attached are the logs you requested. Thanks for all your help.

  21. momok

    momok TS Rookie Posts: 2,265

    These are the following Combofix/CFScript instructions.

    1. Open notepad and copy/paste the text in the quote box below into it:

    2. Save this as "CFScript.txt" on the desktop.
    3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
      [image]
    4. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

    Thereafter, please post a fresh HJT log as well as the resultant ComboFix log from the above instructions as attachments into this thread.
     
  22. Auguss

    Auguss TS Rookie

    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

    These are valid files for the ATI sound/video card; I have them on my computer.
     
  23. momok

    momok TS Rookie Posts: 2,265

    @ Auguss: Um.. yea.. but no worries; my instructions did not include those as they are legit files.
     
  24. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    It's just the control panel for ATI; fixing the entries should be optional as they are not required to run at startup. Fixing the O4 entries only deletes the registry key that tells them to auto-start with Windows boot. Not a big deal to stop the control panel from running every time you boot up; you can still launch the control panel through the start menu. ;)
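The entries momok asked to have fixed (O2 BHOs marked "(no file)", O16 DPF entries with no source URL, O20 Winlogon Notify entries whose path is only C:\WINDOWS\) and the point above that fixing an O4 entry only removes the autostart value can be turned into a small triage script. The following is an added example, not code from this thread or from the HijackThis project: it parses a constructed HJT-style excerpt (the three suspect lines are the ones quoted in the thread; the other CLSIDs and paths are invented placeholders) and flags the same patterns the helpers acted on, listing O4 and R1 lines as informational context rather than as problems.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O2"
    severity: str  # "review" for the anomalies the thread fixed, "info" for context
    reason: str    # why the line deserves attention
    line: str      # the original log line


# Constructed sample in HijackThis log style. Three lines are the ones quoted in
# this thread; the rest are invented benign-looking lines (placeholder CLSIDs
# and paths, not real products).
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed banner line, skipped by the parser)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: (no name) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O2 - BHO: Example Helper - {00000000-1111-2222-3333-444444444444} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} -
O16 - DPF: {00000000-5555-6666-7777-888888888888} (Example Control) - http://example.invalid/control.cab
O20 - Winlogon Notify: tuvVPfeE - C:\WINDOWS\
O20 - Winlogon Notify: examplenotify - C:\WINDOWS\system32\examplenotify.dll
"""

# Every HJT entry starts with a section code (R1, O2, O16, O20, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse(log_text):
    """Yield (section, body, raw_line) for each entry line; banner/blank lines are skipped."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body"), raw.strip()


def check_bho(body):
    # "BHO: <name> - {CLSID} - <path>": an orphan registers a CLSID with no DLL behind it.
    parts = body[len("BHO: "):].split(" - ")
    if len(parts) >= 3 and parts[-1].strip() == "(no file)":
        return "BHO registered with no backing file (orphaned entry)"
    return None


def check_dpf(body):
    # "DPF: {CLSID} (name) - <url>": the thread's entries carry no download source at all.
    _, _, url = body[len("DPF: "):].partition(" - ")
    if not url.strip():
        return "Downloaded Program File with no source URL"
    return None


def check_winlogon_notify(body):
    # "Winlogon Notify: <name> - <path>": a path that is only a directory names no DLL.
    _, _, path = body[len("Winlogon Notify: "):].partition(" - ")
    path = path.strip()
    if not path or path.endswith("\\"):
        return "Winlogon Notify package points at a directory, not a DLL"
    return None


def triage(log_text):
    """Run the per-section checks and return the findings in log order."""
    findings = []
    for sec, body, raw in parse(log_text):
        severity, reason = "review", None
        if sec == "O2" and body.startswith("BHO: "):
            reason = check_bho(body)
        elif sec == "O16" and body.startswith("DPF: "):
            reason = check_dpf(body)
        elif sec == "O20" and body.startswith("Winlogon Notify: "):
            reason = check_winlogon_notify(body)
        elif sec == "O4":
            # Fixing an O4 entry only removes the Run value; the program itself stays on disk.
            severity, reason = "info", "autostart entry: fixing it removes only the Run value"
        elif sec == "R1" and "ProxyOverride" in body:
            severity, reason = "info", "proxy override setting: confirm it was set deliberately"
        if reason:
            findings.append(Finding(section=sec, severity=severity, reason=reason, line=raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
```

Running the script on the sample prints three "review" findings (the orphaned BHO, the sourceless DPF entry and the directory-only Winlogon Notify package) and two "info" lines; the O2/O16/O20 lines with a real path are left alone, which is the distinction the thread drew when it told the poster which entries to fix and which ATI entries to leave.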
     
  25. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Attached are the logs that were requested.

    Attached Files:

    • log.txt