Trojan problems

Status
Not open for further replies.

Kavaril

Posts: 10   +0
Doing a follow up on a laptop which was suffering similar hacktool.rootkit and trojan problems as with https://www.techspot.com/vb/topic143504.html

Which was resolved, hopefully can solve the problems on this as well.

8 step fix guide has been followed as before :)

Combofix has been run on the laptop but only Norton Internet security is running, logs are enclosed! Have not had any problems recently on the laptop but I want to confirm if it is secure and virus free!

Thanks,
Nick
 

Attachments

  • mbam-log-2010-03-04 (15-16-32).txt
    868 bytes · Views: 1
  • hijackthis.log
    8.9 KB · Views: 1
  • SUPERAntiSpyware Scan Log - 03-04-2010 - 16-16-49.log
    1.1 KB · Views: 1
Nick, these logs look okay. There is one entry in the HJT logs that needs to be handled:

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/CATHER~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

To do this: Start> Control Panel> Display> Desktop> Customize Desktop> Web tab> uncheck and delete everything you find in there (except for "My current home page")> Also remove the check mark from the Lock Desktop Items box if it is checked> Apply> OK> Close.

I'd like to see the Combofix log if you still have it. If not, please run Combofix again:
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  • Double click on the setup file on the desktop to run
  • If prompted to download and install the Recovery Console, please do so.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • If prompted to update, please allow.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

Then Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Then one rescan with HJT. Attach Combofix report, Eset log and new HJT log.
Hopefully they will all be clean!
 
Fixed the first HJT problem, original combofix log enclosed. Installed Firefox today and since have not been able to get NOD32 scan working in either browser due to 'proxy' issue....? (tried disabling norton firewall) - Will try again tomorrow in case it is a site issue...

New HJT log enclosed also anyway.
 

Attachments

  • ComboFix.txt
    24.1 KB · Views: 1
  • hijackthis2.txt
    8.7 KB · Views: 1
To handle this from the Combofix report:
c:\recycler\NPROTECT . . . . failed to delete
c:\recycler\NPROTECT\NPROTECT.LOG . . . . failed to delete


NOTE: The Recycle Bin must be empty in order to delete files in the Recycler

Using Windows Explorer: Windows key + E to open:
  • Open My Computer.
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Show hidden files and folders.
  • Uncheck (untick) Hide extensions of known file types.
  • Uncheck (untick) Hide protected operating system files (Recommended).
  • Click Yes when prompted.
  • Click OK.
  • Close My Computer.


Look for the Recycler Folder and double click to open> Highlight all of the files on the right screen> Delete

Checking the HJT log: It looks like Internet Explorer has been launched 3 times. It is common to see multiple iexplore.exe processes running with IE8, but the entries indicate that the browser actually had been launched 3 times: C:\Program Files\internet explorer\iexplore.exe

You might check her out on using tabs instead of multiple launches.

I don't see any proxy settings or overrides in the HijackThis log. What version of Firefox did you get and what is the specific message?

I note the following in the Combofix report: This is from the Registry:
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CFSServ.exe]
CFSServ.exe -NoClient [X]


Filename: CFSServ.exe
Command: CFSServ.exe -NoClient
Description: CFSServ.exe is a Toshiba Laptop utility that allows you to easily change computer settings in a quick manner.
File Location: C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe


Try using Windows explorer to find this file and Disable it. That could be what's between FF and Nod32. And if you still can't run Nod, use this scan:

Open Kaspersky Online Scanner in Internet Explorer

  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
      • Scan Options: Scan Archives> Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      • Select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
The Combofix is 2 weeks old. I wouldn't mind seeing a more current scan. You can delete this report on the desktop first,
 
Emptied the NProtect recycler thingy and ESET worked after disabling the Toshiba quick launch software. Ran a scan with that while I was there. New Combofix log, HJT and ESET attached :)
 

Attachments

  • ComboFix.txt
    33.2 KB · Views: 1
  • log.txt
    3 KB · Views: 1
  • hijackthis3.log
    8.7 KB · Views: 2
You might want to disable NPROTECT: Norton Protected Recycle Bin from Norton Utilities. Adds an extra layer of safety before you remove deleted files from the Recycle Bin. If you look at the Combofix logs (both) you will see that Combofix deletes the files, but they are back in force the next time.
FYI:
About NPROTECT: If Nprotect is enabled on Norton Protect tab of Recycle Bin properties and the internet connection is established, the directory c:\recycler\nprotect will fill with files until all available free space is used. Approximately every 60 minutes a large batch of files (over 100) get written to that directory. It's an annoyance, uses system resources and doesn't need to run: It builds up a huge number of files in the Recycler Folder. There is a service that starts this and I recommend that you disable it:

You can use a Command Prompt to do it all- disable and remove:
Click on Start> Run> type in cmd> copy the following command and paste it into the prompt:

del /f/s/q/a:rsha c:\recycler\nprotect\*.*

(Note: space after 'del', colon between a and rsha, forward slashes. Then space before 'c' and slashes are reverse. Dot between the two asterisks.)
Press Enter.

After that is done:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:

Code:
KILLALL::

File::
c:\windows\system32\drivers\woxkrsui.sys
c:\progra~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
Folder::

Registry::

Driver::
woxkrsui
NProtectService
CFSvcs
Save this as CFScript.txt, in the same location as ComboFix.exe
(image: CFScriptB-4.gif)


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.

Run one more scan with HJT and include new log.
Are you having any malware related problems at this point?
 
Couldn't seem to get the cmd line to work (tried copy/paste and manual entry), ended up disabling Nprotect options in the norton recycle bin window instead.

Still followed the combofix routine, seemed to work!!

Enclosing the log for that and a new HJT. Had no virus/malware issues for days now...

Nick
 

Attachments

  • hijackthis4.log
    8.4 KB · Views: 1
  • CFlog.txt
    24.6 KB · Views: 1
That sure looks better- you should be noticing an improvement in the system.

I would encourage you to go through the entries on the Startup menu. All of those that are checked will start on boot and run in the background. Most of them do not need to start on boot and can be accessed whenever you need them. You can use the msconfig utility for this:

Click on Start> Run> type in msconfig> enter> Selective Startup> Startup tab> Uncheck anything you don't need to start on boot. This does not remove the process: if you uncheck something and later decide you need it, it can be rechecked.

When you have finished> click on Apply> OK> Reboot> NOTE: the first time you reboot after making changes, you get a nag message- this can be ignored and closed after checking 'don't show this message again'. Stay in Selective Startup!

Since the malware issues have been resolved, you can remove all of the tools we used and the files and folders they created.

Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    (image: CF_Uninstall-1.jpg)

  • Download OTCleanIt by OldTimer
  • Save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Please let me know if I can be of further help
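The msconfig review recommended above is a manual pass over the machine's autostart entries. As an added example (not part of this thread, and not a tool either poster used), the PowerShell script below lists the same entries for review without changing anything: the standard Run/RunOnce keys, plus the XP msconfig "startupreg" key that the ComboFix report earlier in the thread quotes for CFSServ.exe (where msconfig parks entries it has unchecked). The "item" and "command" value names under startupreg, and the heuristics for flagging an entry, are assumptions of this example. It is written for PowerShell 2.0, the version that ran on XP.

```powershell
# Added example, not from the thread: enumerate autostart entries for review
# before pruning them in msconfig. Nothing here modifies the registry or disk.
# Assumptions: XP msconfig stores disabled entries as subkeys of 'startupreg'
# with 'item' and 'command' values; the flagging heuristics are this example's own.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$msconfigDisabled = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
# Properties the registry provider adds to every Get-ItemProperty result; not real values.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExePath {
    # Pull the executable path out of a Run-value command line, e.g.
    #   "C:\Program Files\x\y.exe" -flag   ->  C:\Program Files\x\y.exe
    #   CFSServ.exe -NoClient              ->  CFSServ.exe
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+?\.exe)') { return $Matches[1] }
    return ($CommandLine.Trim() -split '\s+')[0]
}

function Test-Suspicious {
    # The checks a reviewer makes by hand: does the file exist at all, and is it
    # running from a temp or profile directory rather than Program Files/Windows?
    # A bare filename (no directory) cannot be verified and is reported as such.
    param([string]$ExePath)
    $expanded = [Environment]::ExpandEnvironmentVariables($ExePath)
    if (-not (Test-Path -LiteralPath $expanded)) { return 'file not found at stated path' }
    if ($expanded -match '\\(Temp|Local Settings|Application Data)\\') { return 'runs from user/temp directory' }
    return ''
}

function Get-AutorunEntries {
    $results = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($p in $values.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            $results += New-Object PSObject -Property @{
                State   = 'enabled'
                Source  = $key
                Name    = $p.Name
                Command = $p.Value
                Flag    = Test-Suspicious (Get-ExePath $p.Value)
            }
        }
    }
    # Entries msconfig has already unchecked are kept as subkeys under startupreg,
    # which is where the ComboFix report in this thread found CFSServ.exe.
    if (Test-Path $msconfigDisabled) {
        foreach ($sub in Get-ChildItem -Path $msconfigDisabled) {
            $v = Get-ItemProperty -Path $sub.PSPath
            $results += New-Object PSObject -Property @{
                State   = 'disabled by msconfig'
                Source  = $msconfigDisabled
                Name    = $v.item
                Command = $v.command
                Flag    = Test-Suspicious (Get-ExePath $v.command)
            }
        }
    }
    return $results
}

Get-AutorunEntries | Sort-Object State, Name | Format-Table State, Name, Command, Flag -AutoSize
```

Run it from a normal PowerShell prompt; HKLM keys are readable without elevation. The Flag column is only a prompt for a closer look: a vendor utility such as the Toshiba ConfigFree entry discussed above will show up as ordinary, while something like the O24 desktop component earlier in the thread, which pointed into a Temp directory, is exactly what the "user/temp directory" check is meant to surface.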
 