koos.exe

Status
Not open for further replies.

xphy

Posts: 6   +0
Hi, i've managed to get myself some trojan or bot that i'm having difficulty getting rid of.

i've attached logs from HJT, my sygate traffic log and a filemon log.

sygate recently started informing me that explorer was trying to access a remote address so i blocked it and started hunting down the source, neither AntiVir or AVG could find anything on a full system scan. Spybot couldnt either and neither did hijack this show up anything unusual but my sygate and router traffic logs(when sygate was disabled) showed something port cycling and sending packets to halligan.mediafire.org.

i ran filemon for a bit and noticed sygate inspecting koos.exe in the system32 folder yet its not visible if i browse to it, but the poof driver file is. i installed security task manager which showed koos.exe as a hidden process.

Sygate successfully blocked the outbound traffic to start with while i tried to track down the problem but now sygate is still blocking the original outbound tcp but my router's showing new activity that i'm unable to trace the source of at all.

Any help at all would be a godsend.

EDIT: avg anti-rootkit produced no results at all btw.
 
Hello and welcome to Techspot.

Your system has been hijacked.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Then, go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above. Also, please attach the C:\fixwareout\report.txt.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of xphy only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Heres the new logs from fixwareout and HJT, still got outbound traffic from explorer to gl.secdep.info though.
 
You haven`t posted all the logfiles I requested. Please do so in your next reply and let me know the results of the AVG Antirootkit scan.

Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

Fix all 017 entries.

Click on the fix checked button.

Close HJT and reboot your system.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :)

This thread is for the use of xphy only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Here's the new logfiles for HJT, avg AS and combofix.

AVG Antirootkit found nothing.

Combofix appears to have found koos.exe but my other problem still remains with heavy outbound traffic from explorer.exe to besotrix.net, gl.secdep.info and checkip.dyndns.org
 
1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply and let me know if you`re still having problems.

Regards Howard :)

This thread is for the use of xphy only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Still have the outbound traffic but not long after booting back into windows avg anti spyware detected cp1041.nls again and now my antivir has found totour.exe (TR/Agent.8798.A) located in c:\windows\system32\totour.exe
 
Oh no, not the totour.exe infection. I`ve only come across this infection once before and couldn`t find a way to get rid of it. The instructions below were something I came across, but unfortunately, I never received any feeback as to whether they worked or not.

Go and follow the instructions in this post HERE and let me know how you get on.

Regards Howard :)

This thread is for the use of xphy only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
i followed the instructions from the link you gave me and so far everything seems normal apart from one thing during the process

killbox wouldnt work, after asking it to delete on reboot and it verifying registry entries it gave this error:
"PendingFileRenameOperations registry data has been removed by an external process"

But havent had any alerts about totours presence from antivir yet and the rogue traffic has disappeared from sygates logs.
 
That`s excellent news. Don`t worry about the Killbox message, that just means the file has gone.

Please post a fresh HJT log.

Regards Howard :)

This thread is for the use of xphy only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Here's the new HJT log.

Thx for the help btw, i was tearing my hair out before registering here :D
 
Your HJT log is clean.

Turn off system restore.(XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of xphy only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Status
Not open for further replies.
Back