TechSpot

Trojan problem.

By jmjsquared
Oct 7, 2007
  1. I thought I was a pretty savvy computer user but I managed to really foul my system with a "friends" copy of ChessMaster 10th Edition. It's installer was loaded with trojans, the like of which I've never encountered before.

    Thank goodness for TechSpot and, especially, Howard Hopkinso, TS Special Forces!

    May avoid a complete rebuild of a terabyte system.

    Will keep you posted!

    --Humbled JMJ
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the Panda Antirootkit scan.

    Regards Howard :)

    This thread is for the use of jmjsquared only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. jmjsquared

    jmjsquared TS Booster Topic Starter Posts: 144

    Thanks for un-retiring, Howard!

    Am in the "Preliminary removal instructions" phase of your thorough protocol.

    Will post logs, exactly as instructed, a.s.a.p.

    Thanks again!

    ---JMJ
     
  4. jmjsquared

    jmjsquared TS Booster Topic Starter Posts: 144

    Howard's "Preliminary Removal Instructions" work!

    In Brief: Followed all applicable instructions PRECISELY; except,that is, since ZoneAlarm Security Suite (firewall/anti-virus/spyware), eTrust PestPatrol, RegProtect were already running on my system at time of infection, I downloaded all the Apps and skipped to Step 4: HijackThis. It found nothing.

    Being familiar with the Apps in Steps 6 through 9 and deciding that it was unlikely that they would detect what similar tools had not, I chose to re-order Howard's excellent protocol and skipped to Step 10: Tool 1, Tool 2 and Tool 3 -- which was not available as of this writing.

    Also, being fearful of giving internet access to whatever hijacked my system, I engaged ZoneAlarm's "internet lock" and physically disconnected my five networked machines from the net. I did reconnect long enough to try MicroTrend's "housecall", but its kernels (java and browser-based) would not load. So, I had to skip that Step, also.

    The good news: HijackThis (a.k.a. 'Crusty') found a hidden BHO that pointed me in the right direction. See attached log.

    Then, Step 10: Tool-1 (SmitFraudFix) did the trick! It found and removed all the offenders. But, I may have made a mistake because I do not have a log of its actions to share. Tool-2 generated a zero-length file, VBG.TXT which I, of course, will not post.

    I then ran all other Apps prescribed by Howard and each did some additional good. However, it was SmitFraudFix that did the "heavy lifting".

    Final note before expressing sincerest thanks to H_H & Company: Use ComboFix with caution. Although I followed its instructions EXACTLY, just before it re-booted my system to finish its work, it 'disappeared' my Desktop, which did NOT reappear upon reboot. It continued to run endlessly on a blank, bitmapped 'desktop' until I did a hard re-start and things have been okay since. (I believe ZoneAlarm's 'true vector' service interfered with it upon shutdown and re-start.)

    That's it for me.

    Thanks again!

    -- JMJsquared
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your system is still infected with malware.

    I really need to see Combofix and AVG Antispyware logs. I also need the results of the Panda antirootkit scan.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Debug Diagnostic Service (DbgSvc)

    Close the services window.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2

    O2 - BHO: MSVPS System - {3ADCBC16-19FA-4C59-9C22-E17C71B5FD7A} - F:\WINDOWS\bndsrdkq.dll

    O3 - Toolbar: The netadv - {ABF529BE-6245-465A-BBD4-238C4EAB0F0A} - F:\WINDOWS\netadv.dll

    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -

    O16 - DPF: {7A7BA269-2D21-4B33-B60A-8510A1865D5F} (IWS Photo Upload Tool) - http://public2.uploader.officelive.com/_layouts/1033/wh/ActiveX/MsnPUpld.cab

    O21 - SSODL: msvb - {8EC78D12-4251-4DD4-B8B2-BE253BA1E61C} - F:\WINDOWS\msvb.dll

    O21 - SSODL: sysdx - {F45012D9-3EF6-48A3-9245-88519E2BF7E9} - F:\WINDOWS\sysdx.dll

    O23 - Service: Debug Diagnostic Service (DbgSvc) - Creative Technology Ltd. - (no file)

    Click on the fix checked button.

    Close HJT and reboot your system.

    Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT, Combofix and AVG Antispyware log. Let me know the results of the Panda Antirootkit scan.

    Regards Howard :)

    This thread is for the use of jmjsquared only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     

    Attached Files:

  6. jmjsquared

    jmjsquared TS Booster Topic Starter Posts: 144

    H_H you really are dedicated... and right!

    There were two lingering registry entries found by HijackThis running in safe mode.

    Panda found no rootkits.

    Requested logs attached.

    I guess I was a bit too smug in editing your "Preliminary" Protocol. But, in my defense : ComboFix twice caused runtime errors, would not generate logs and scared me when my desktop disappered.

    NOTE: My boot volume is "F:" ; malware found on "G:" resided on a backup volume I maintain for friends whose computers died. Also, please explain why HijackThis deletes values in safe mode but does not delete the keys ((O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -)) and ((O16 - DPF: {7A7BA269-2D21-4B33-B60A-8510A1865D5F} - )), specifically.

    Thanks again, especially for ignoring my complacency! :eek:

    -- JMJsquared
     
  7. jmjsquared

    jmjsquared TS Booster Topic Starter Posts: 144

    P.S.: Howard, should I re-enable Debug Diagnostic Service?

    ---JMJsquared
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That all looks fine now.

    Have HJT fix these two entries from normal mode, unless you know what they are.

    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -

    O16 - DPF: {7A7BA269-2D21-4B33-B60A-8510A1865D5F} -

    You can now get rid of all the tools we used.

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of jmjsquared only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  9. jmjsquared

    jmjsquared TS Booster Topic Starter Posts: 144

    Great!

    Best regards.

    -- JMJsquared
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...