TechSpot - PC Technology News and Analysis

Swanny00 · #1 11-30-2008

When my computer boots up a window labeled Common opens containing the three files in the title. After following the 8-step Viruses/Spyware/Malware Preliminary Removal Instructions I found several trojans on my computer including (but not limited to) Monder, Dropper.Gen, Spy.Agent and Dlkroha.

I followed all of the 8 steps but still have the same problem (along with slowed performance). I've attached the requested logs.

Thanks in advance for any help.

rf6647 · #2 12-01-2008

Welcome to TS. Your description is helpful. Your logs show found and removed items. For your case, we will supplement our guide with a special scan / tool.

Overview -

ComboFix is a very effective tool that scans / fixes hard to clean infections. Additionally, it includes diagnostic information.
Uninstall old copy of ComboFix

Supplement to guide. Successive scans used to uncover additional infections.

Update both MBAM & SAS. Rerun them both.
This effort is complete when logs report NO infections/threats, or reporting something it can not clean.
Follow ComboFix instructions referenced below.
Scan with HJT. (part of instructions for ComboFix)
Posts logs. Report progress & what changes are observed. Include logs that found infections.

Quote:

Originally Posted by Blind Dragon

Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter.

*The above procedure will:
* Delete the following: ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

Quote:

Originally Posted by Blind Dragon

Disable all realtime protection before running combofix by right clicking it in the system tray and unchecking the real time monitoring

Combofix

Download Combofix to your desktop.
Double click combofix.exe & follow the prompts.
A window will open with a warning.
When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
How-to-use instructions

Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt
Also attach a fresh hijackthis scan ran afterwards

Swanny00 · #3 12-01-2008

Thank you for the response. I'll follow your suggestions when I get home this evening and respond with the requested logs.

Just to be clear, when you suggest:

Quote:

Originally Posted by rf6647

[*]Update both MBAM & SAS. Rerun them both.

[*]This effort is complete when logs report NO infections/threats, or reporting something it can not clean.

Are you implying I should continue to rerun the two in succession until they report all clear or unfixable? If so, should I expect to have to run these programs more than twice?

Thank you again.

rf6647 · #4 12-01-2008

One re-run is the norm. SAS is the "canary" here. It reported a 'trojan.trace'. The scanners after applying fixes, then uncover additional infections. As I said, one run is the norm since MBAB is good at what it finds. ComboFix will be examined for confirmation that the trace referred to by SAS, is residue and not an active infection.

Swanny00 · #5 12-01-2008

Hello again.

I've follwed your instructions and attached the following logs:
*2 MWBM logs (first one found 6 instances of the Vundo trojan and the second all clear)
*2 SASW logs (first one only found tracking cookies...second all clear)
*Combofix log
*HJT log

I am still getting a window titled 'Common' upon restart that contains now 2 files (_helper.dll and _helper.sig). Previously it contained a file titled helper.sig but I believe Combofix deleted that file.

Please advise on next suggestions.

Thank you again.

Swanny00 · #6 12-01-2008

Here is the HJT log (exceeded 5 attachments on previous post).

Swanny00 · #7 12-02-2008

Okay, so I'm a tiny bit impatient so I've tried a few more things.

Based on another thread on this site, I installed and ran BFU to try to get rid of the _helper.dll and helper.sig files and I think it worked as the files no longer show up when I reboot. I also re-ran MBAM, SASW and HJT and have attached logs. WIll someone be so kind as to check and make sure I look all clear.

The only (new) thing I'm noticing now is that the icon next to this website (in the IE address bar and tab) is actually the logo for my bank. I'm not sure if that's an indication of something odd going on but it's got me a tad nervous.

Thanks in advance.

rf6647 · #8 12-03-2008

Swanny00, your findings are surprising. At the end of this reply, I will use a quote box to highlight findings in the logs. I will ask the tool developer to review the results.

The ‘fixit’ tool cleaned the folder ‘Common’. ‘SecTaskMan’ folder is now being discussed in other forums. ComboFix scan did not discriminate against these folders.

As a next step, I suggest updating the tools & repeat scans: MBAM, SAS, ComboFix. HJT. These tools are updated quite frequently.

ComboFix log shows the suspect folder modified after the create date. Will look for similar pattern.

Quote:

C:\Documents and Settings\All Users\Application Data\SecTaskMan\jebazuko.dll.q_804F200_q (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecTaskMan\rivikela.dll.q_804F200_q (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecTaskMan\savidise.dll.q_804F200_q (Trojan.Vundo) -> Quarantined and deleted successfully.

(( Other Deletions ))
c:\program files\Common\helper.sig
c:\windows\system32\inoyofay.ini

- - - - ORPHANS REMOVED - - - -
BHO-{555a06d8-e996-46d0-8872-f994d154ddef} - c:\windows\system32\rivikela.dll
MSConfigStartUp-CPM23d7b02f - c:\windows\system32\zupekudo.dll
MSConfigStartUp-velewisayo - c:\windows\system32\savidise.dll

BFU
Success: FileDelete C:\Program Files\Common\_helper.dll
Success: FolderDelete C:\Program Files\Common

HJT >> C:\WINDOWS\Explorer.EXE << legal folder; does spelling count?
Combofix
2008-12-02 03:08 --------- d-----w c:\program files\Common
2008-11-30 11:54 . 2008-12-01 19:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan

mflynn · #9 12-03-2008

I looked thu all an it looks clean Rich did you a good job.

The spelling is OK!

The Icon was likely off the screen before. Malware would not put it there to draw your attention.

You sound a little paranoid so if you wish run the 2 procedures below and take a look with other eyes.
--------------------------------------------------------------------------------------------------------------------------------------
Download SD Fix to Desktop among other things Catchme to look for RootKits.

http://downloads.andymanchesta.com/R...ools/SDFix.exe

On Desktop run SDdFix It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click thu all the prompts to get to desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click to RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process then say Finished,
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.
----------------------------------------------------------------------------------------------------------------------------------
Then....

Download OTScanIt: http://download.bleepingcomputer.com...r/OTScanIt.exe
Close all Apps and Browsers

Download and save to Desktop and Dbl Click extract the files to an OTScanIt Folder.

If Firewall or other Security or Malware protections pop you should allow them to let OTScanit to run.

Enter the OTScanit folder and run OTScanit.exe.

In Additional Scans select BotCheck, Disabled MS Config Items and Eventviewer Errors/Warnings

Top Left click Run Scan.

The scan can take some time so allow it time.

Then finished a log will open, save log, copy post as an Attachment.

Mike

Swanny00 · #10 12-04-2008

Thanks for the responses and the help Rich and Mike. I ran mbam and sas again along with OTScanIt and SDFix and have attached the logs/reports. Everything seems to be clean and working smoothly. Thanks again for the help.

Should I do any final cleanup? I now have a ton of anti-malware software (and logs) that I presume I don't need anymore. Should I worry about setting a new restore point? Anything else I may be missing?

rf6647 · #11 12-04-2008

Quote:

Originally Posted by mflynn

Some text deleted - applies to original posted problem. Use

for full text.

you are clean!

The following is some cleanup and tweaking to finish up.
----------------------------------------------------------------------------------------------------------------------------------
The Malware is saved in your System Restore so we need to clean that

Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and the OK to Run.

As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs. Note: if you minimize now go to My Computer and note the free space and check this again after the run you will be able to see the likely large difference.

This is if you have the Volume Shadow Copy running which is the default.

Next:
Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

Once the new Restore point is made run the Disk Cleanup again and it will then only leave the clean "After cleanup at TechSpot" point!

----------------------------------------------------------------------------------------------------------------------------------
Run CCleaner again, twice then on left click Registry then Scan for issues backup save and clean. Repeat until no more found.

----------------------------------------------------------------------------------------------------------------------------------
edit ; java & erunt
----------------------------------------------------------------------------------------------------------------------------------

D/L install and run ATF-Cleaner clear all except passwords in all browsers you have. Run repeatedly until no more found.

http://www.majorgeeks.com/ATF_Cleaner_d4949.html
----------------------------------------------------------------------------------------------------------------------------------

Run OTScanit and chose Cleanup.
This will remove it and some other repair tools (those that we used that need to be updated before running again later) from your HD

To Remove SDFix boot to Safe Mode and delete the SDFix folder.
---------------------------------------------------------------------------------------------------------------------------------
edit ThreatFire 4.0
----------------------------------------------------------------------------------------------------------------------------------
After all this disk cleanup a Defrag is in order.

Glad we could help give us some feed back in a day or so of computer use.

You did a fantasic job.

Thank you

Mike

Edited for content.......Rich

mflynn · #12 12-04-2008

Correction for above cleanup.

Not OTScanit but OTCleanit as below.

Please download OTCleanIt http://download.bleepingcomputer.com.../OTCleanIt.exe

Save to desktop.

This will remove all the tools we used to clean your computer.
These tools update so often they require downloading again later if needed.

Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

Approve all if prompted by Firewall, Widows Defender or other guards or security programs about OTCleanIt attempting access to the Internet, allow all.

If prompted to Reboot click Yes.
OTCleanit will delete itself when finished, if not delete it by yourself.

Mike

Similar Topics
Topic	Category	Replies	Last Post
Trojans/helper.dll/helper.sig	Virus & Malware removal	40	12-12-2008 03:30 PM
Helper.dll virus, not sure if it's completely gone	Virus & Malware removal	6	10-27-2008 02:24 PM
A BHO ( Browser helper object)	Virus & Malware removal	2	10-23-2006 07:48 AM

TechSpot - PC Technology News and Analysis

Help: _helper.dll, _helper.sig and helper.sig