Malware and Trojan Infection

[HeyMoe]

Recently I was infected by the w32.myzor.fc@yf virus which hijacks your browser, and redirects you to an anti-virus software site, as well as several trojans (including bgates(1).exe and other .exe files in various locations in most instances with a subscript of (1) in the filename). After much research,
I managed to find generic instructions listed in several forums to fix these problems. At first all seemed clean but soon after the trojans reappeared, for the most part they are being detected, but can not always be cleaned with the tools I have installed (SAV9, Ewido, Prevx1). But just today, I started getting popups again and fake windows popups with redirects to scanner.sysprotect.com.
Without getting into details I will say that I followed the instructions to the letter but must have not gotten everything. I currently am running SAV9 (which caught nothing on the scan). The products that I used for the cleaning based upon instructions were SmitFraudFix and Ewido for cleaning and Prevx1 for additional scanning after I was done.

Attached are my HJT log and SmitFraudFix .txt file.
I appreciate any help you could provide.
Thanks.

 

[howard_hopkinso]

Hello and welcome to Techspot.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Run a full system scan with your antivirus programme and delete whatever it finds.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\ping.dll

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\system32\ping.dll

Reboot into normal mode and turn system restore back on.

Post a fresh HJT log and let me know hoe your system is running.

Regards Howard :wave: :wave:

 

[HeyMoe]

Thanks Howard for your quick Reply.
I followed all your steps and threw in deleting all tempory internet files/cookies and emptied my recycle bin while in safe mode.

After rebooting in normal mode Ewido quarantined what it identified as a Trojan.Dialer.qy . The same this morning. The files were:
C:\Windows\Temp\idd342.tmp.exe
C:\Windows\Temp\idd347.tmp.exe

Symantec AV9 is also continuing to identify Trojans. Some it can quarantine (c:\windows\temp\win388.tmp or some variation), and others that it can not (C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\4XYBCD27\srvexo[1].exe). These seem to continue throughout the session with file names slightly modified.

I am also still getting popups.
The latest are:
count.exitexchange.com
count2.exitexchange.com
pacificpoker.com
try.starware.com

The original fake Windows Warning to protect your machine which when OK is pressed redirects you to winantivirus.com is also back.

This thing seems to be getting worse.
I have posted my latest HJT log.
Thanks for the help.

 

[howard_hopkinso]

Download the poscket KIllbox programme from HERE. Extract it but don`t run it yet.

Download and run these four tools. Follow the instructions for using each tool.

Tool1 Tool2 Tool3 Tool4

Once you`ve finished with the tools above, follow the instructions below.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and check the delete file on reboot button. press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

These are the filepaths you need to enter into killbox.

C:\Windows\Temp\idd342.tmp.exe
C:\Windows\Temp\idd347.tmp.exe
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\4XYBCD27\srvexo[1].exe

Once your system has rebooted, turn system restore back on and let me know how your system is running.

Attach the logs from the four tools please, plus a fresh HJT log.

Regards Howard

This thread is for the use of HeyMoe only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[HeyMoe]

I followed all the steps you described above.
In Killbox, I deleted the files mentioned plus a good number of other files that were very similar that I had been keeping tracking of since this began.
When I logged back on last night, everything seemed to be back to normal. I received no popups or redirects and for the first time in a while the trojan dialer was not identified by my antivirus/spyware programs.

After about 10 minutes Symantec displayed a warning that it had identified 2 files.
C:\WINDOWS\TEMP\win32.tmp
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\DMZH9Y0M\srvweh[1].exe
The first file mesage was quarantined, the second gives a message "clean failed : quarantine failed"

This morning, I followed the last step you described (Killbox), again and deleted the 2 files mentioned.

As I type this note this morning symantec just identified the folllowing files
C:\WINDOWS\TEMP\win36D.tmp
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\DMZH9Y0M\srvgrq[1].exe
C:\WINDOWS\TEMP\win36F.tmp
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\4XYBCD27\bgates[1].exe
and
Ewido just informed me that it identified and quarantined another trojan dialer in C:\Windows\Temp\idd371.tmp.exe

So I guess that the problem still exists.
I will go back into Killbox and delete the files that I just mentioned.
I have attached all the logs and a fresh HJT log.

Thanks for your help.

 

[howard_hopkinso]

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O20 - Winlogon Notify: winmky32 - C:\WINDOWS\SYSTEM32\winmky32.dll

Click on the fix checked button.

Close HJT.

Run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and check the delete file on reboot button. press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

This is the filepath you need to enter into killbox.

C:\WINDOWS\SYSTEM32\winmky32.dll

Once your system has rebooted, turn system restore back on.

Post a fresh HJT log.

Regards Howard

This thread is for the use of HeyMoe only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[HeyMoe]

Hi Howard,
So far so good.
First I used Killbox to delete all the additional files identified by my anti-virus/spyware programs that I described in my last post. I then followed all your directions from your last post.
Normally I begin getting alerts about 10-15 minutes after booting up so I waited 30 minutes before generating the HJT log. No alerts so far.

I have attached my latest HJT log. I am hopeful but this was one (or more) nasty infection and has proven extremely resilient in the past. Please let me know my next steps (if any).

Thanks again,
Steve

 

[howard_hopkinso]

Have HJT fix this inactive entry.

O20 - Winlogon Notify: winmky32 - winmky32.dll (file missing)

Other than that, your HJT log is clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard

This thread is for the use of HeyMoe only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[HeyMoe]

Howard,
Thanks much for your assistance in cleaning up this nasty virus.
I got rid of the last bad entry in the HJT log (as you requested).
I am now running AdAware, SpyBotSE, and SpySweeper in addition to my normal antivirus program (SAV 9.0). I have also switched to the Opera Browser.
The system is really humming now and there has not been any warnings or virus detection by any of the products since Friday.
Thanks again.
Steve