Trojan present on system

Status
Not open for further replies.

Manjit

Posts: 82   +0
Earlier my laptop froze up and appeared to be taken over by someone else, i.e. it was doing strange things to Explorer. I've followed the steps and run the various scans and it found a 'Trojan.FakeAlert' in the Registry Key.

Any help would be appreciated. I've attached the various logs.

Also, I'm running Avast; should I be running an additional Firewall with this? Or would the Windows Firewall and Avast be sufficient? Because a few times a message has popped up saying I'm not running a Firewall.

Thanks
 

Attachments

  • hijackthis.log
    8.5 KB · Views: 7
I followed all those instructions before I posted my original thread.

I just wanted someone to check my HJT log and Mbam log.

Thanks.
 
Are you clean? I just do not know.

Zone Alarm firewall - is it installed? The o23 service is not running. There is a O4 entry for startup.

Svchost - 3 copies running? I am a little suspicious.

O4 starting ctfmon.exe. Ordinarily it is not done. However, I have responded to others expressing the same concern. No conclusion just now.

Perhaps running Panda AntiRoot Kit obtained here will look a little deeper. Post log if it detects a problem.

If that comes back clean, use HJT Fix Checked for the following
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O20 - Winlogon Notify: fin42u - C:\WINDOWS\
O20 - Winlogon Notify: tuvVPfeE - C:\WINDOWS\

Note: using a help link, Motive SmartBridge is not associated with blueyonder-istnotifier.exe

Then run MBAM & SAS again. Post the 3 logs again.

All this extra work may just prove you're clean afterall.
 
I don't have Zone Alarm running; as I said in my 1st post I just have Avast and the standard Windows firewall. I was asking whether it was worth downloading an additional firewall even though I had Avast?

I'll do the rootkit scan with Panda and the other scans and post the results shortly.
 
I did a scan with Panda AntiRootKit and it said I was all clear. I have attached the three logs I did with Malwarebytes, SuperAntiSpyware and HJT. Malwarebytes found a 'Trojan.FakeAlert' again.
 
Call for an expert

Thanks for your patience & persistence.

I recommend running Combofix. Caution - expert is needed for the final steps for clearing the Qoobox.

combofix – posted by momok

Finding:
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tuvVPfeE.dll.vir Infected: Trojan.Win32.Monder.gen 1


The finding above led me to conclude that these are suspect:
O20 - Winlogon Notify: fin42u - C:\WINDOWS\
O20 - Winlogon Notify: tuvVPfeE - C:\WINDOWS\

MBAM recurring infection has strong linkages to video codecs.
Objects\{f742e03d-8892-42ae-8049-cb5a51be5b14} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Object Name = GNX Bingo ; Filename = svpekgonqba.dll ;
GNX - Bingo

Additionally, unless you can personally vouch for these - fix/check these
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
 
@Manjit: To add on, after you are done with rf6647's advice, I will help you to check your Combofix log and provide you some instructions thereafter.
 
I'm not really sure what I should have been doing from rf6647's advice. I've removed:
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
They don't really make sense to me at all, so I assume they should not be there.

I've run ComboFix and attached the log.

Should I be deleting more files such as:
O20 - Winlogon Notify: fin42u - C:\WINDOWS\
O20 - Winlogon Notify: tuvVPfeE - C:\WINDOWS\

Thanks for your help.

Sorry forgot to attach the log to my last reply.
 

Attachments

  • log.txt
    7.7 KB · Views: 7
For future reference: you really should disable real-time protection before suggesting a user run ComboFix. Most antivirus programs can be disabled by right-clicking them in the system tray, then checking or unchecking the real-time protection.

For other real time protection programs - here is a decent list from castlecops
http://wiki.castlecops.com/Malware_Removal:_Temporarily_Disable_Real_Time_Monitoring_Programs

Manjit, can you also attach a fresh HijackThis log?
 
Please boot into safe mode and unhide your files and folders. Navigate to the following folder and delete it manually.
C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

Also, use hijackthis to fix the following:
O2 - BHO: (no name) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F742E03D-8892-42AE-8049-CB5A51BE5B14} - (no file)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} -
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} -
O20 - Winlogon Notify: fin42u - C:\WINDOWS\
O20 - Winlogon Notify: tuvVPfeE - C:\WINDOWS\

Rehide your files and boot into normal mode and post a fresh HJT log, thanks.
 
Hang on. Now that you're good to go, just do the following:
  1. Please download and run CCleaner via step 3 of the instructions HERE.

  2. Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

  3. After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

  4. Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend you to read this article.
    This can help to prevent future infections.
 
I'm afraid I still seem to be having some problems. I ran a scan with Malwarebytes this morning and it found a 'Trojan.FakeAlert in the Registry Key'. Also, when I ran HJT it showed some of the files I thought I had previously removed, such as:

O2 - BHO: (no name) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F742E03D-8892-42AE-8049-CB5A51BE5B14} - (no file)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} -
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} -
O20 - Winlogon Notify: fin42u - C:\WINDOWS\
O20 - Winlogon Notify: tuvVPfeE - C:\WINDOWS\

I've attached the logs. Any advice would be greatly appreciated.
Thanks
 

Attachments

  • hijackthis.log
    7.5 KB · Views: 5
Hi sorry for the delay! Been swamped with school projects..

Regarding the detection, your log shows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f742e03d-8892-42ae-8049-cb5a51be5b14} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

I believe it is left over from the previous cleaning.

Could you run Combofix again? Please switch off your 'SpyBot tea-timer' before running combofix.

After that, fix these entries in HijackThis:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: (no name) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} -
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} -
O20 - Winlogon Notify: fin42u - C:\WINDOWS\
O20 - Winlogon Notify: tuvVPfeE - C:\WINDOWS\

Post your combofix and fresh hijackthis log after you have fixed those. Thanks.
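As an added illustration that is not part of this thread and not code from HijackThis, ComboFix or Malwarebytes, here is a small Python triage script that applies the same heuristics the helpers used above to HijackThis-style log lines: O2 BHO entries whose DLL is gone ("(no file)"), O16 DPF entries with no source URL, O20 Winlogon Notify packages that point at a bare directory instead of a DLL, O4 Run entries that use a bare filename with no path (flagged only for verification, as the ATI entries turned out to be legitimate), and the R1 ProxyOverride line. The sample log is constructed: the suspicious lines are the ones quoted in this thread, and the benign lines use made-up placeholder CLSIDs and paths.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: suspicious entries copied from the thread,
# benign entries invented with placeholder CLSIDs/paths for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: (no name) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-0000000000A1} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} -
O16 - DPF: {00000000-0000-0000-0000-0000000000B2} (Example Plug-in) - http://example.invalid/plugin.cab
O20 - Winlogon Notify: fin42u - C:\WINDOWS\
O20 - Winlogon Notify: tuvVPfeE - C:\WINDOWS\
O20 - Winlogon Notify: ExampleNotify - C:\WINDOWS\system32\example.dll
"""

# HijackThis lines look like "<section> - <body>", e.g. "O20 - Winlogon Notify: ...".
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    severity: str   # "high", "review" or "info"
    reason: str
    line: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for an entry that deserves a second look, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")

    # O2: a BHO CLSID still registered although its DLL is missing.
    if section == "O2" and body.rstrip().endswith("(no file)"):
        return Finding(section, "review",
                       "BHO registration whose DLL is gone (orphaned key)", line)

    # O16: Downloaded Program File with no source URL after the dash.
    if section == "O16":
        target = body.split(" - ", 1)[1].strip() if " - " in body else ""
        if not target:
            return Finding(section, "review",
                           "DPF entry with no source URL", line)

    # O20: Winlogon Notify must name a DLL; a bare directory is a red flag.
    if section == "O20" and body.startswith("Winlogon Notify:"):
        path = body.split(" - ", 1)[1].strip() if " - " in body else ""
        if path.endswith("\\") or not path.lower().endswith(".dll"):
            return Finding(section, "high",
                           "Winlogon Notify package points at a directory, not a DLL", line)

    # O4: a Run value with a bare filename relies on PATH lookup; verify it.
    if section == "O4":
        cmd = body.split("] ", 1)[1].strip() if "] " in body else ""
        if "\\" not in cmd:
            return Finding(section, "info",
                           "Run entry uses a bare filename; confirm which file actually runs", line)

    # R1: a proxy override is worth confirming was set on purpose.
    if section == "R1" and "ProxyOverride" in body:
        return Finding(section, "info",
                       "Proxy override present; confirm it was set deliberately", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run classify() over every line and keep only the flagged entries."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


def count_by_severity(findings: List[Finding], severity: str) -> int:
    return sum(1 for f in findings if f.severity == severity)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line.strip()}")
```

Run it against a saved hijackthis.log by reading the file into `triage()` instead of `SAMPLE_LOG`; the script only reads text and never touches the registry, so it is safe to run on a copy of a log from any machine.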
 
Attached are the logs you requested. Thanks for all your help.
 

Attachments

  • log.txt
    8.6 KB · Views: 5
  • hijackthis.log
    6.7 KB · Views: 5
These are the following Combofix/CFScript instructions.

  1. Open notepad and copy/paste the text in the quote box below into it:

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fin42u]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvVPfeE]
  2. Save this as "CFScript.txt" on the desktop.
  3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    CFScript.gif

  4. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

Thereafter, please post a fresh HJT log as well as the resultant ComboFix log from the above instructions as attachments into this thread.
 
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

These are valid files for the ATI sound/video card; I have them on my computer.
 
@ Auguss: Um.. yea.. but no worries; my instructions did not include those as they are legit files.
 
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

These are valid files for the ATI sound/video card; I have them on my computer.

It's just the control panel for ATI; fixing the entries should be optional as they are not required to run at startup. Fixing the O4 entries only deletes the registry key that tells them to auto-start with Windows boot. Not a big deal to stop the control panel from running every time you boot up; you can still launch the control panel through the start menu. ;)
 