Trojan TR/TDss.yux

[HughMcB]

Hey,

I`ve recently managed to pick up some form of trojan or something that`s dicking up my machine and causing lots of problems (sometimes I cant get it to start, skips to different websites etc.)

I ran the 8-steps outlined on this forum, attached are the logfiles.

Avira keeps detecting these same two files:

TR/TDss.yux
TR/Crypt.ZPACK.Gen

Thanks in advance.

View attachment 50507

View attachment 50508

View attachment 50509

Thank you in advance.

Edit:
By the way I can`t seem to attach my hijackthis logfile, even when I change the name the attachment manager keeps saying that I`ve already got this in another thread, I will just paste the text here instead, sorry.

xLogfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:17 PM, on 04/05/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\9491cfe0-14a2-4dae-b2a6-cf3b87e0b8d6.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: acaptuser32.dll,C:\Windows\system32\cssdll32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.ee

--
End of file - 7782 bytes

 

[Bobbye]

I don't see any Trojans in Avira. All the logs are clean. Let's run the following and check further:

Please download ComboFix HERE:

• With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  
• Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  
• Run Combo-Fix.exe and follow the prompts.
  (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
• Wait for the scan to be completed.
• If it requires a reboot, please do it.

Please attach the report on your next reply. It will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Eset NOD32 Online AntiVirus Scanner HERE:

Note: You will need to use Internet Explorer for this scan.

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the Active X control to install
• Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
• Click Scan
• Wait for the scan to finish
• Re-enable your Antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

There should be a paper click on the bar across the message box. That can be use for the attachment.

 

[HughMcB]

Hey, when I click the link to combofix you gave me I don't get an automatic download prompt, instead I just googled "bleepingcomputer" and "combofix" and I downloaded their version. Even then I was unable to change the file name until after downloaded it i.e. it just automatically saved to the downloads folder and I had no option to change that.

When I run combofix it just reads the error:

Incompatible with Windows 9X or Windows NT.

I am using Vista.

Note: Everytime I log into the internet Avira is still coming with the same pop-up displaying that trojan.

Thanks again in advance.

 

[Bobbye]

Everytime I log into the internet Avira is still coming with the same pop-up displaying that trojan.

Send me the scan log from Avira showing this.

Did you run the online Eset Nod32 AV scan? Log?

Uninstall Combofix:

• Click START> RUN
• Type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  
  
• When shown the disclaimer, Select "2"
  
  Now install Combofix from here:
  [1]. Go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  [2]. Scroll down to Using ComboFix
  [3]. Click on the BleepingComputer.com to download.
  [4]. When you get the " Download Security Warning" prompt click on the Save button
  
  
  
  [5].When it asks you where to save it, make sure you save it directly to your Windows Desktop.
  
  
  
  [6]. The file name should be Combofix.exe. The file location should be desktop
  
  Once that is done, follow with:
• Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
• Run Combo-Fix.exe and follow the prompts.
  [o] Double click on the saved setup on the desktop.
  [o] Security prompt: This time you click on Run. If you are using Windows Vista, and receive UAC prompt asking if you would like to continue running the program, you should press the Continue button.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.

(Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)

Screen shots credit to BleepingComputer.

Please attach Report to next reply.
Please attach Eset Nod32 log to next reply.

 

[HughMcB]

Ya all that worked, thanks , I've attached the logs for you...

View attachment 50629
View attachment 50630

Cheers! :wave:

 

[Bobbye]

1. Please delete this entry that was quarantined by the Eset online scan:
Win32/Kryptik.YL trojan

2.The run a full system scan with Avira- save log, attach to next reply.

3.Please try the Combofix scan again- with the original install removed as instructed and a new install. NOTE naming instruction. Attach report to next reply.

4.Rescan with HijackThis and attach new log with next reply.

Unfortunately, the Win32/Kryptik.YL Trojan is said to be polymorphic, meaning it will change into a variant every time removal is attempted. This is what the Virut malware does, making it nearly impossible to remove it.

 

[HughMcB]

Ok, I followed your steps, here are the logs....
View attachment 50741
View attachment 50742
Thanks.

 

[Bobbye]

Check what I asked again please:

1. Please delete this entry that was quarantined by the Eset online scan: Win32/Kryptik.YL Trojan

2.The run a full system scan with Avira- save log, attach to next reply.

4.Rescan with HijackThis and attach new log with next reply.

Eset shows the same Trojan. Did you delete it? Did you then run Eset again? Is this a new find or the same find?

I need a full system scan with Avira and the log please/. You have a Trojan that has characteristics like Virut in that it is polymorphic> it changes whenever you try to remove it. The 'best fix' for Virut is a reformat and reinstall.

Please download SmitfraudFix (by S!Ri)

• 
  [1]Extract the content (a folder named SmitfraudFix) to your Desktop.
  
  
  
  [2]Open the SmitfraudFix folder and double-click smitfraudfix.cmd
  [3]Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
  [4]Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm[/url

Run Temp File Cleaner:
TFC (Temp File Cleaner)

Download [url=http://oldtimer.geekstogo.com/TFC.exe]TFC to your desktop

• Open the file and close any other windows.
• It will close all programs itself when run, make sure to let it run uninterrupted.
• Click the Start button to begin the process. The program should not take long to finish its job
• Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.


Summary:
1. Delete Trojan from Eset
2. Full system scan with Avira. Save and Attach log in next reply
3 Run Smitfraud. Save log and attach to next reply
4. Run TFC
5. Scan with HijackThis and attach new log.