Inactive Need help with removing trojan horse

[Timberstone]

Hello,
I suspect (quite sure) that I have a trojan horse in my system. It is currently residing in my system restore folder... I can only find it (but not remove it) with SUPERAntiSpyware but avast! and Malwarebytes' Anti-Malware fail to find it, but I am quite sure it is not a false positive. It keeps returning... Because of this trojan I got a problem that my system randomly freezes, mostly while playing games/watching videos. I did the 8 steps listed in that forum thread, if you want, I'll post the logs. My malwarebytes log is probably useless though, because it doesn't find any anything harmless and it is written in dutch :s .
If there is no way that it can be removed or it is too hard or anything like that, I'll do a complete back-up of my hard drive with a ghost, before there were any viruses on it. I'd prefer not to do that except if I really have to.

Thanks in advance!

 

[Broni]

Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

 

[Timberstone]

I already had completed the steps, I just asked if you really needed them and I couldn't click the attachment button in IE but it works in Firefox . The trojan is called: trojan.agent/gen-PennyStockChaser. Can you help me now please?
Thanks

 

[Broni]

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
   NOTE1. If Combofix asks you to install Recovery Console, please allow it.
   NOTE 2. If Combofix asks you to update the program, always do so.
   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt"

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

 

[Timberstone]

Here is the log (btw, after doing this, all my favourites in IE are broken and I can't seem to access them anymore, if I click them nothing happens and their icon has changed to unknown, weird lol but Mozilla Firefox seems to be working fine, oh and sorry but I couldn't help it but the log is in dutch :s .Thanks

NOTE: I resetted my web settings and my favorites are working again.

 

[Broni]

If you look at Combofix log, it actually didn't perform a single action, so your IE issue must be caused by something else. Let's see, how it'll work, when we're done with cleaning.

==================================================================

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Vista users:: Right click on SystemLook.exe, click Run As Administrator
• Copy the content of the following box into the main textfield:
  

  :filefind
  qmgr.dll

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

 

[Timberstone]

Here is the log.

 

[Broni]

OK. Combofix reports C:\WINDOWS\system32\qmgr.dll file being infected.
SystemLook found another copy of qmgr.dll in C:\WINDOWS\ERDNT\cache folder.

We'll try replace one file with another and we'll see if it'll work. If not, we'll find another way to do it.

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

FCopy::
C:\WINDOWS\ERDNT\cache\qmgr.dll | C:\WINDOWS\system32\qmgr.dll

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt

 

[Timberstone]

Ok, I made the CFScript and dragged it on combofix. It booted up and the first time after 15 seconds my system froze (random freeze, just bad luck). The second time I did the same and it booted up, then it performed another complete scan. While it was scanning, several error messages popped up saying that C:\Windows\(Some file name, like sed.exe and like 5 others) was not a valid win32 application. Also Windows popped up from the task bar like ALOT of files were damaged and unreadable and said I needed to run chkdsk... Then after quite some time the program told that qmgr.dll was infected and it was trying to restore it. At the same time, error messages popped up again this time invalid win32 files from combofix map itself :s . System rebooted. Then... Windows ran... Combofix started up and... Shutted down after 2 seconds. No log!. CFScript dissappeared too (but I think that's normal). Do I need to run it again? Do I need to run chkdsk too? Thanks.

 

[Broni]

Let's try something else first.

Note: If you have a previous version of TDSSKiller downloaded please delete it now and download a fresh copy using the links provided below

Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
When it is done, a log file should be created on your C: drive called TDSSKiller.txt please copy and paste the contents of that file here.

 

[Timberstone]

Okay, first it didn't work, I had to translate desktop to dutch for it to work :s . Well here is the log but it didn't find anything I think...

 

[Broni]

OK, nothing there.

Restart in safe mode and try Combofix script again.

 

[Timberstone]

I can't start in safe mode atm because my socket for my keyboard is half broken atm and it's really hard to fit the wire (or however it's called) from my keyboard in to press f8 to access the BIOS and then select safe mode (that's how u reach it right?). So I use some kind of usb mouse and keyboard in one device where I put the wires from both my keyboard and mouse in it and then the usb in the computer, but my computer will only read usb ports when booted up. Tomorrow when there's light (because it's night now) I will try to fit the wires from the keyboard in the socket (which will take a lot of effort and time) and boot windows up in safe mode. If I can't get it to work I will post it and await your orders. If all fails, I will use a ghost as a last effort. Thank you really much for your help so far!

 

[Broni]

You can try normal mode first.
If it gives you same problem as before, then try to reach safe mode.
You don't have to access BIOS.
When your computer starts, keep tapping F8 key until menu appears.

 

[Timberstone]

It's not the same problem as before, now in normal mode ComboFix won't run anymore. Tried reinstalling it but it still doesn't work. Maybe it will in safe mode, but i'm not sure. I'll try.

 

[Broni]

Delete your Combofix file, download fresh copy, but rename combofix.exe to broni.com BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.pif
* Rkill.exe

• 
  * Double-click on the Rkill desktop icon to run the tool.
  * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  * If not, delete the file, then download and use the one provided in Link 2.
  * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  * Do not reboot until instructed.
  * If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run then try to immediately run broni.com

 

[Timberstone]

I ran a ghost over my C drive. My C drive is completely clean now, I'm 99% sure of that. So far I had 1 freeze (this time after 30-40 mins instead of 20). This computer used to freeze every now and then (every 4-5 months), but almost every computer does that at least once (is what I think...). So there is a chance that my computer is now desinfected but I think it's still not fixed. I will report back when I get another freeze, and then I will do all your steps. If after running my pc succesfully without any freezes for atleast 3-4 hours, I will notify you. I really hope this is over now. Thank you really much for your help (Btw, safe mode is really hard to reach with that broken socket.)

 

[Broni]

Sounds like a plan

 

[Timberstone]

It keeps freezing! I'll do what u say. The trojan is in the D drive, in the system restore map thing like I found out a week ago using SuperAntiSpyware. (btw, because of the ghost I don't have any virus scanners/realtime shields anymore). I'll try to run combofix now...

 

[Broni]

OK.........

 

[Timberstone]

Weird... Everytime I run combofix, (this time and the 2/3 previous times) windows always shows up that some temp internet files are damaged and unreadable, I don't really remember any names but it has extentions like .cfxxe and .exe . Anyway, nothing really new here I suppose. Here are the logs.

 

[Broni]

Those errors are, most likely caused by an infection.

Re-run SystemLook script from my reply #6

 

[Timberstone]

Ok. It's exactly the same as the first time. Anyway, here is the log.

 

[Broni]

OK. Re-run Combofix script from my reply #8.

 

[Timberstone]

Ok. I read the log too and I see that FCopy has replaced one file with the other. I'm going to watch tv now and then go to bed. Post any further instructions please (if there are any left...) Thanks for your help