Antivirus 2009 Recurring Trojan Horses Problems

Status
Not open for further replies.
ok thanks,
BTW I have been reading up about Kaspersky... people complain that it's a pain to uninstall and almost behaves like malware itself??
 
You are about as stubborn as I am.:) Others would have given up and formatted by now.

I will not give up but please don't format until you check with me.

I think when we fix this one it will be of benefit to many.

OK disconnect any USB Flash drive and remove any CD that is in the drive and do not reconnect until fixed.

----------------------------------------------------------------------------------------------------------------------------------
Download OTScanIt: http://download.bleepingcomputer.com/oldtimer/OTScanIt.exe
Close all Apps and Browsers

Download and save it to the Desktop, then double-click it and extract the files to an OTScanIt folder.

If your firewall or other security/malware protection pops up, allow it so OTScanIt can run.

Enter the OTScanIt folder and run OTScanIt.exe.

In Additional Scans select BotCheck, Disabled MS Config Items and Eventviewer Errors/Warnings.

At the top left, click Run Scan.

The scan can take some time, so allow it time.

When it finishes a log will open; save the log and attach its contents back here.
----------------------------------------------------------------------------------------------------------------------------------

Download: http://www.mvps.org/winhelp2002/DelDomains.inf

Right-click and select: Save Target As

To use: right-click and select: Install (no need to restart - there is no on-screen action)

Note: This will remove all entries in the "Trusted Zone" and "Ranges" also. DelDomains was revised (01-16-05) to include the "Enhanced Security Configuration Zones" as some of these newer infections are targeting the "Enhanced" Zone.
----------------------------------------------------------------------------------------------------------------------------------

Select the lines below by dragging the mouse across them with the left button held down, then paste them into an open CMD prompt and hit Enter; ignore any errors for now.
Code:
@echo off
REM Save the current IP settings to the desktop
ipconfig /all >"%USERPROFILE%\Desktop\ipconfig.out"
REM Clear the ARP and DNS caches, renew the lease and re-register with DNS/NetBIOS
netsh interface ip delete arpcache
ipconfig /flushdns
ipconfig /release *
ipconfig /renew *
ipconfig /registerdns
nbtstat -RR
REM Save a log of the current Winsock catalog (LSPs) before the reset
netsh winsock show catalog >"%USERPROFILE%\Desktop\lsp.txt"
REM Reset Winsock to a clean catalog
netsh winsock reset catalog
REM Append the catalog after the reset so the two can be compared
netsh winsock show catalog >>"%USERPROFILE%\Desktop\lsp.txt"
REM Reset the TCP/IP stack; netsh writes its own log to the file named here
netsh int ip reset "%USERPROFILE%\Desktop\tcpreset.txt"
exit
Reboot, then look for the new files on the desktop and paste the contents of lsp.txt and tcpreset.txt back to the thread.
----------------------------------------------------------------------------------------------------------------------------------
D/L Xclean_Micro http://www.xblock.com/download/xclean_micro.exe
No install; just run it, delete everything it finds and decline the reboot on each item found until the program finishes, then reboot.

Xclean will run minimized and will pop up a window if it finds anything. If it finds nothing it will exit.

Please make a note of what it found, if anything, as it has no log.

----------------------------------------------------------------------------------------------------------------------------------
Get and run http://www.prevx.com/freescan.asp
----------------------------------------------------------------------------------------------------------------------------------
These next are preventatives that will both prevent it from entering from the outside and help us catch it in action.

I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

It was designed to co-exist with other Virus scanners.

Additionally it uses a totally different process to protect. While conventional virus scanners work from definitions, ThreatFire works by recognizing virus/malware activity. It's like looking at it with 2 sets of eyes and from a different angle.

http://www.threatfire.com/Download/
-------------------------------------------------------------------------------------
Get http://www.javacoolsoftware.com/spywareblaster.html

Run SpyBot Scan and use the Immunize function.
http://www.safer-networking.org/en/download/

Install HostsMan, allow it to disable the DNS Client service, and select all 4 hosts files and the update.
Hostman http://www.abelhadigital.com/2008/07...-released.html

Mike
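The script above saves the Winsock catalog before and after the reset so the two can be compared. As an added example (not from this thread, and not part of any tool mentioned in it), here is one way to read that lsp.txt: parse each "Winsock Catalog Provider Entry" block, list which entries the reset removed, and flag any provider DLL that is not one of XP's own providers under system32. The two dumps embedded below are constructed to mimic the field names netsh prints on Windows XP; the layered provider in them ("example_lsp.dll" under \WINDOWS\Temp) and the baseline DLL list are assumptions for illustration.

```python
"""Compare two `netsh winsock show catalog` dumps taken before and after `netsh winsock reset`.

Added example, not from the thread. The two dumps below are constructed to mimic
the field names netsh prints on Windows XP; the layered provider in them
("example_lsp.dll" under \WINDOWS\Temp) is made up for illustration.
"""

# Provider DLLs a stock XP catalog loads (assumption: baseline for an unmodified
# XP SP2/SP3 install; any other DLL in the catalog deserves a second look).
KNOWN_PROVIDER_DLLS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll"}
SYSTEM32_PREFIXES = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")
ENTRY_HEADER = "Winsock Catalog Provider Entry"

# Constructed "before reset" dump: two base providers plus one made-up LSP and its chain entry.
BEFORE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [UDP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1002
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example hijack LSP
Provider Path:                      C:\WINDOWS\Temp\example_lsp.dll
Catalog Entry ID:                   1025
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Example hijack LSP over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\WINDOWS\Temp\example_lsp.dll
Catalog Entry ID:                   1026
Protocol Chain Length:              2
"""

# Constructed "after reset" dump: only the two base providers survive.
AFTER_CATALOG = "\n\n".join(BEFORE_CATALOG.split("\n\n")[:2]) + "\n"


def parse_catalog(text):
    """Split a netsh catalog dump into one dict of 'Field: value' pairs per entry."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == ENTRY_HEADER:
            current = {}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return entries


def is_suspicious(entry):
    """True unless the provider DLL is a known XP provider living under system32."""
    path = entry.get("Provider Path", "").lower()
    dll = path.rsplit("\\", 1)[-1]
    return not path.startswith(SYSTEM32_PREFIXES) or dll not in KNOWN_PROVIDER_DLLS


def _identity(entry):
    # Catalog Entry IDs can be renumbered by a reset, so match on description + DLL instead.
    return (entry.get("Description", ""), entry.get("Provider Path", "").lower())


def diff_catalogs(before_text, after_text):
    """Report what the reset removed, which layered entries existed, and what still looks wrong."""
    before, after = parse_catalog(before_text), parse_catalog(after_text)
    after_ids = {_identity(e) for e in after}
    return {
        "removed": [e for e in before if _identity(e) not in after_ids],
        "layered": [e for e in before if e.get("Entry Type", "").startswith("Layered")],
        "flagged_before": [e for e in before if is_suspicious(e)],
        "flagged_after": [e for e in after if is_suspicious(e)],
    }


def report(before_text, after_text):
    """Human-readable summary, one line per finding."""
    r = diff_catalogs(before_text, after_text)
    lines = [f"Entries removed by reset: {len(r['removed'])}"]
    for e in r["removed"]:
        lines.append(f"  [{e.get('Catalog Entry ID')}] {e.get('Entry Type')}: {e.get('Provider Path')}")
    lines.append(f"Suspicious entries still present after reset: {len(r['flagged_after'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(BEFORE_CATALOG, AFTER_CATALOG)))
```

To use it on a real lsp.txt produced by the script, split the file at the point where the second `show catalog` output begins and pass the two halves to `report()`. A non-empty "still present after reset" count means the reset did not take, which on a live infection usually means something re-registered the provider and is worth chasing with the other tools in this post.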
 
No that is for running scripts that are pasted in.

If needed later I will post a script for you to paste and run.

For now all i need is the log.

Mike
 
I have done most of the steps except the last three, but I am sure they will not remove the trojan in the temp files. File Assassin kills them but they reappear. I wonder what file I have to delete to stop that.

I will post logs when I get home. I am thinking of finding a way to run Kaspersky AVP, even though there are horror stories of uninstall. Oh well, I have already installed it but the AVP does not work and I can't change its name to make it work. Why I believe this will work is that this is the only site that does not work in my IE, Chrome or Firefox. And I can't even get to it from different sites or download any of its software from anywhere unless I bring it on USB.

If only I can find what process creates the temp files
 
Hello Faisal

This is an unknown or perhaps new malware. It is not the 2 files that are the problem but the unidentified program that is spawning them.

The last three are the most important now as they all block things from the Internet and some from attempting to get out.

So you did get ThreatFire installed. ThreatFire learns from your approvals and disapprovals; watch closely what it prompts on. Good things like IE or OE you want to approve and remember so it will not ask you again.

In settings kick the sensitivity level to max. It will increase the prompts as it increases the security level; approve the obvious good ones like FF, Opera, Word, Excel and remember, and you will not see them again. You can Google from TF's prompt for something you do not recognize.

What we want is for TF to notify us of what is creating these files.

Also TF has a Scan, so do that also.

The very fact that the AVP tool will not run confirms we have something that is set to specifically prevent the AVP tool from running.

As for uninstalling it later, if it does its job it is better to leave it than the malware.

Besides I know exactly how to remove it!

Also the OTScanit log may help me identify it.

Mike
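The question in this exchange is which process is creating the files in \WINDOWS\Temp, since the files themselves are only the symptom. As an added example (not from the thread, and not ThreatFire's or any other tool's code), here is one way to answer it from a Process Monitor CSV export of file and process events: find every process that wrote an .exe into the Temp folder, find which process then launched it, and separate the root dropper from the executables it dropped. The CSV rows, process names, PIDs and file names below are constructed for illustration; the column layout is the one Process Monitor uses when saving as CSV.

```python
"""Find which process writes executables into \WINDOWS\Temp and which process launches them.

Added example, not from the thread. It reads a Process Monitor CSV export
(File > Save, CSV format). The sample rows below are constructed; the process
names, PIDs and file names in them are made up for illustration.
"""
import csv
import io
from collections import defaultdict

TEMP_DIR = "c:\\windows\\temp\\"

# Constructed sample: a hosted service writes and launches one exe, which drops a second one;
# explorer.exe only reads a file and notepad.exe writes outside Temp, so neither should be flagged.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000001 AM","svchost.exe","1044","CreateFile","C:\WINDOWS\Temp\winexample.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"10:01:02.0000002 AM","svchost.exe","1044","WriteFile","C:\WINDOWS\Temp\winexample.exe","SUCCESS","Offset: 0, Length: 24,576"
"10:01:02.0000003 AM","svchost.exe","1044","Process Create","C:\WINDOWS\Temp\winexample.exe","SUCCESS","PID: 2200, Command line: C:\WINDOWS\Temp\winexample.exe"
"10:01:03.0000004 AM","explorer.exe","1500","CreateFile","C:\WINDOWS\Temp\winexample.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, OpenResult: Opened"
"10:01:04.0000005 AM","winexample.exe","2200","CreateFile","C:\WINDOWS\Temp\zzexample.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create, OpenResult: Created"
"10:01:04.0000006 AM","winexample.exe","2200","WriteFile","C:\WINDOWS\Temp\zzexample.exe","SUCCESS","Offset: 0, Length: 24,576"
"10:01:05.0000007 AM","notepad.exe","1800","WriteFile","C:\Documents and Settings\user\notes.txt","SUCCESS","Offset: 0, Length: 12"
'''


def load_events(csv_text):
    """Parse the CSV export into one dict per event, keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def _is_temp_exe(path):
    p = path.lower()
    return p.startswith(TEMP_DIR) and p.endswith(".exe")


def find_droppers(events):
    """Map (process name, PID) -> sorted .exe paths it wrote under \WINDOWS\Temp."""
    written = defaultdict(set)
    for ev in events:
        if not _is_temp_exe(ev["Path"]):
            continue
        op = ev["Operation"]
        # WriteFile is unambiguous; a CreateFile counts only if it asked for write access.
        if op == "WriteFile" or (op == "CreateFile" and "Generic Write" in ev["Detail"]):
            written[(ev["Process Name"], ev["PID"])].add(ev["Path"].lower())
    return {k: sorted(v) for k, v in written.items()}


def find_launchers(events, dropped_paths):
    """Map (parent name, parent PID) -> dropped images it started (Process Create's Path is the child)."""
    launched = defaultdict(set)
    for ev in events:
        if ev["Operation"] == "Process Create" and ev["Path"].lower() in dropped_paths:
            launched[(ev["Process Name"], ev["PID"])].add(ev["Path"].lower())
    return {k: sorted(v) for k, v in launched.items()}


def analyse(csv_text):
    """Return droppers, launchers, and the root droppers (writers that were not themselves dropped)."""
    events = load_events(csv_text)
    droppers = find_droppers(events)
    dropped = {p for paths in droppers.values() for p in paths}
    dropped_names = {p.rsplit("\\", 1)[-1] for p in dropped}
    roots = sorted(k for k in droppers if k[0].lower() not in dropped_names)
    return {
        "droppers": droppers,
        "launchers": find_launchers(events, dropped),
        "root_droppers": roots,
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_CSV)
    for (name, pid), paths in result["droppers"].items():
        print(f"{name} (PID {pid}) wrote: {', '.join(paths)}")
    print("Root dropper(s):", result["root_droppers"])
```

The root dropper is the process to investigate: a dropped file that writes another dropped file is just the chain continuing, and killing it (as the poster found with Task Manager) only buys time until the root respawns it. When the root is a generic host like svchost.exe, the next step is to identify which service or loaded DLL inside it is doing the writing, which is exactly the kind of prompt the sensitivity setting above is meant to surface.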
 
This is the OTscanit log.
I am seeing in my temp files that there are about 15-20 trojan files. I am also having a hard time deleting them; File Assassin doesn't do much anymore.
I am not sure what HostsMan is or how to use it. ThreatFire sometimes detects the temp files, quarantines and deletes them, but even that has stopped doing it now. There is simply no detection.

One of the virus detection tools found a trojan file in the Adobe After Effects support files by the name adobefx.exe, which was a dummy file as it should not be in the support folder. I deleted it. The crazy trojans have started appearing after that.

Spyware blaster is not working

The temp/trojan files also appear in the processes when I press ctrl alt del, but ending these processes has no effect, and they keep running.

Sorry the OTscan txt file is over 200kb hence I had to zip it
 

Attachments: OTScanIt.zip (23.8 KB)
Good morning Faisil

Still going through the log; I may have found something, but in the meantime.

Do this..

Download RSIT
http://images.malwareremoval.com/random/RSIT.exe

Run it; when finished it will open a log maximized on the screen. Attach the contents of this log back here, then close that log.

Then the 2nd log is minimized, so maximize it and attach it also to a separate post.
These logs will contain an updated HijackThis log also.

Still reading OTScanit logs.

Mike
 
my comp at home has crashed so I cannot remote login to install the above tool, but will do once I go home.

I think i prob have more anti malware tools than virus on my machine now.

BTW, would installing any Norton virus tool or McAfee help?
 
OK, update MBAM and SAS, ComboFix and SDFix.

Then do this again; I have added to it since you last ran it. But download and extract only, because I want you to run it in Safe Mode.

https://www.techspot.com/vb/post684649-3.html

When it reboots, go back to Safe Mode (do not allow back to normal yet).

Use File Assassin copy/paste to remove the below. May report File does not exist on some or all.

c:\WINDOWS\TEMP\winkmpxqg.exe
c:\WINDOWS\TEMP\wintlkdeq.exe
c:\WINDOWS\TEMP\wintuaq.exe
c:\WINDOWS\TEMP\winoihano.exe
c:\WINDOWS\TEMP\xuncdn.exe
c:\WINDOWS\TEMP\jsvffq.exe
C:\WINDOWS\Temp\winjjcffe.exe
C:\WINDOWS\Temp\iowx.exe

The below line indicates MBAM needed a reboot to finish cleaning something and the file was missing.

Malwarebytes Anti-Malware (reboot) -> %ProgramFiles%\bam\mbam.exe ["C:\Program Files\bam\mbam.exe" /runcleanupscript] -> File not found

So run MBAM, SAS, ComboFix and SDFix now in Safe Mode. If reboots are needed, always boot back to Safe Mode.

After the above have all been run in Safe Mode, and still in Safe Mode, try the AVP tool once more.

Then back to normal to test and get me the logs.

Mike

Edit: No, no Norton please.
 
OK, now the desktop is really screwed..... here is what happened.
MBAM would not work; like it would run the scan but would not be reading any files.... My USB stick, from which I had been loading new files onto the desktop, is not accessible... like I can't open it, I can see it but that's it.
I could not log in to Safe Mode. Ran SDFix and tried to press R to enter Safe Mode, that didn't work,
so then I used msconfig and used boot.ini to set it up to start in Safe Mode.
I did start in Safe Mode then ran MBAM; it found two trojans, one in temp, the other in rootkit... Then I ran SAS, it found about 11 things. Then it crashed. I ran it again half way and then paused to delete what it found. SAS requested a restart, and it is that time and now the comp does not boot.

Safe Mode doesn't work, normal mode doesn't... every time it just goes up to the Windows logo and then crashes..... UGHHHH....

I am on my laptop now and guess what, my regedit and Task Manager are locked out. I am guessing from the USB stick I had been using to move programs....

I have tried the regtools.vbs to open permissions but that doesn't work anymore... gpedit.msc won't work as this is Home Edition.

Please help.... I don't know what to do with the desktop and now the laptop is going to give up too... BTW I checked the temp folder on the laptop, those weird files are not there yet.... Am I the first one in this world to be infected with this virus? trojan?

Seems like no one even knows about this one.

PS: Just checked, the trojans have appeared in my laptop temp as well..... I am done now...
 
Yeah it looks like you may be one of the first.

Lets try to nip this in the bud now!

On Laptop.

Get Flash Drive Disinfector from here http://experi3nc3.wordpress.com/2007/05/10/flash-disinfector-by-subs/ and run it; after cleaning, leave the drive in the computer so the tools below can check it also.

Then do post #17, followed by MBAM, reboot, SAS, reboot, ComboFix, reboot, SDFix.

Post all logs.

Now on the other computer see if in the Boot menu you can select "Last known good configuration".

If it does then boot to safe mode only on the way back up.

Let me know the results.

Mike
 
I am calling it quits, well not entirely... The desktop is not starting up in any form and the laptop is infected too. SAS and MBAM are useless at this point. The rescans are getting me nowhere.

I am thinking of getting a new comp this evening, installing VMware on it so next time I don't have to deal with this, accessing the hard drives of my desktop from the new comp to recover data and then formatting them.

I am thinking of setting up one VMware session just for internet browsing, as the viruses nowadays are infecting video codecs and what not. And the main system is where I will store my files.
 
Sorry to hear that Faisal. You sure tried your heart out.

I wish I could get my hands on your computer with my many special tools I know I could fix them for you.

But it is hard to do remotely. Especially if you get hit by a new one that nothing knows about yet or get a combo/mix of some really bad ones.

I know what you said about throwing in the towel but I will leave you with this.

Do a Repair/Overlay install. Keeps all programs and data just repairs Windows.

The repair may overwrite some malware but once up system needs checking again.

Boot from your Windows CD and proceed to install. You will get a prompt to hit R to use the Recovery Console. Do not choose that one; continue until Windows finds an existing installation and offers R to repair the existing installation. Choose this R, and from there it will look like a normal install.

The Repair of existing installation will fix only the Windows Folder and keep all your data. Everything should be normal when you get back up.

A link to follow: https://www.techspot.com/vb/topic8356.html

Another one for insight: http://pcsupport.about.com/od/operat...txprepair1.htm

The only issue is your HJT log shows you have SP2. You should use the same SP level you have on the HD or higher.

You can make an SP3 CD by slipstreaming or install SP3 from downloading the full SP3 or from Windows update.

I am going to assume you only have the SP1 or 2 disk.

So here are the steps to slipstream, from a working computer with a CD burner; this can be done from Vista.
Download Autostreamer http://majorgeeks.com/download4444.html
then
Download the full SP3 package: http://www.microsoft.com/downloads/d...displaylang=en

Once you have both of the above it is simple.

With your older XP CD in the CD drive run AutoStreamer and it will ask for the location of the original Windows install CD any version SP1 Sp2

It will ask for the location of the SP3 file and offer to burn to CD.

Doing the Repair install while upgrading to SP3 may make Malware easier to handle.

Thank you for allowing me to help you.

Mike
 
Yeah that may be it, as I saw you were a youtube user and had many videos.

My question is, were you accessing youtube and or playing youtube videos during the times we were fighting this battle?

If so, and you do the repair install on the one not working, get it back up, update all the tools, then unplug the network cable and do our cleaning, then we may be able to do it now.

Likely since it is getting some attention MalwareBytes and SAS are rushing to be the first to detect and clean. As well all AntiVirus vendors.

Mike
 
Well the desktop pc is mainly used for streaming videos to my big screen tv. The computer has been used to access a lot of video sites including youtube. I am thinking that even during this battle the site was visited along with others.

I have recently changed homes, and part of the problem is that I can't find windows cds or for that matter most of my software cds. I wonder if I can make a boot cd online for xp sp2
 
There should be another disclosure here: I just didn't change homes, I have moved to a different city, from the east coast all the way to the west coast, hence I couldn't carry CDs along with me and do not know many people in this new city. But I will find something for it.
 
OK if you can get your hands on a XP CD then look at http://ubcd4win.com.

Do you think you can build this PE Boot disk?

If so it will boot Windows PE directly from the CD and run from a RAM drive.

Once booted if you have a good restore point then we can do a system restore.

This disk is an invaluable resource that could come in handy also in the future.

Mike
 