Resolved: Trojans and Malware infestation

Status
Not open for further replies.
Hi,

AVG picked up:

Trojan Horse PSW Agent
Trojan Horse Backdoor Generic

I followed your 8 steps to malware removal. Also found:

Trojans Downloader, FakeAlert, Hiloti, Vundo
Rogue Errorkiller
Rogue Multiple
Adware minibug
Malware Trace
Malware Gen
Rootkit Gen

(Yikes)

I have replaced AVG with Avast, which together with Malwarebytes & Super Anti-spyware, is now not coming up with anything. However, I am still very anxious as I understand some of this stuff is very difficult to get rid of. I would appreciate a check of the various logs. The PC was running very slowly and there were fake error messages, but these (so far) appear to be remedied.

Many thanks for your help.
 

Attachments

  • hijackthis 20 Feb 2010.txt (9.4 KB)
  • mbam-log-2010-02-20 (14-52-22).txt (874 bytes)
  • SUPERAntiSpyware Scan Log - 02-20-2010 - 17-11-39.log (465 bytes)
Good job! But we have a bit of work to do:

You are running Symantec Internet Security. Maybe it was preloaded and you didn't use it, or maybe you changed. But it needs to be removed. Please use the Norton Removal Tool.

When you have finished, please reboot the computer.

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Double click on the setup file on the desktop to run
  • If prompted to download and install the Microsoft Windows Recovery Console; please allow.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • If prompted to update, please do so
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings.
  3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Then rescan with HijackThis.

Include the following with your next reply:
Combofix report
Eset log
New HJT log.
 
Thank you for your help, Bobbye.

Attached are the logs you requested.

ESET found one threat which it identified as a probable variant of Win32/Generik Trojan

Thanks again.
 

Attachments

  • ESET log 21.02.10.txt (1.8 KB)
  • Combofix log 21.02.10.txt (20.4 KB)
  • hijackthis 21.02.10.txt (7.6 KB)
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Code box below into it:
Code:
File::
C:\Program Files\Ubisoft\SCRABBLE® 2005 EDITION\Scrabble2005.exe
c:\windows\Qnotiru.bin
c:\windows\Wruqurayapeva.dat
c:\windows\system32\drivers\Msft_Kernel_androidusb_01005.Wdf
c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

Folder::

Registry::

Driver::
yqsqgav
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please include with next reply.

Please reopen HijackThis to 'do system scan only.' Check the following entries if present:

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)>> McAfee VirusScan
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aolsvc.co.uk/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab>> McAfee Security Installer
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aolsvc.co.uk/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab>> McAfee Security Download Control


Close all Windows except HijackThis and click on "Fix Checked."

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Open Internet Explorer> Tools> Manage Add-ons. You need to clean up the following Active X Objects by disabling it. Look for each process in both settings of the dialog box: add-ons currently on the system & add-ons previously on the system. Click on each> then click on Disable:

sscv6 (Symantec Virus scanner)
mcinsctl.dll (McAfee Security Installer)
/mcgdmgr (Mcafee Security Download)


When finished> click on Apply> OK> Exit

Reboot into Normal Mode.
Rescan with HJT, then attach the new log.
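Added example, not code from the thread and not part of HijackThis or ComboFix: the helper's by-hand reasoning about the O3/O16 entries quoted above (a toolbar whose registry entry points at "(no file)", and ActiveX download controls left behind by security products that are no longer installed) written as a small Python triage pass over HijackThis log lines. The set of trusted hosts, the Java plug-in line and the O2 BHO line are assumptions constructed for the example; the other five lines are the ones from the reply above, with the helper's ">> ..." notes left in so the parser has to strip them.

```python
"""Triage HijackThis O3 (toolbar) and O16 (ActiveX download) log entries.

Added example: not HijackThis code. It reproduces the manual reasoning in the
thread: orphaned "(no file)" toolbars and DPF controls from vendor hosts whose
software is no longer installed are candidates for "Fix checked".
"""
import re
from urllib.parse import urlparse

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
O3_RE = re.compile(rf"^O3 - Toolbar: (?P<name>.+?) - (?P<clsid>{CLSID}) - (?P<target>.*)$")
O16_RE = re.compile(rf"^O16 - DPF: (?P<clsid>{CLSID})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")

# Five entries quoted in the reply above (helper's '>> ...' notes included),
# plus two constructed benign lines that must NOT be flagged: a Java plug-in
# download control (illustrative CLSID/URL) and an O2 BHO, which this script
# deliberately ignores because it only handles O3 and O16.
SAMPLE_LOG = [
    "O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)>> McAfee VirusScan",
    "O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab",
    "O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aolsvc.co.uk/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab>> McAfee Security Installer",
    "O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab",
    "O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aolsvc.co.uk/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab>> McAfee Security Download Control",
    "O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_17) - http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab",
    "O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - c:\\program files\\example\\example.dll",
]

# Hosts whose controls belong to software that is still installed. Assumption
# for this example: only the Java plug-in. Symantec was uninstalled earlier in
# the thread and McAfee was never installed, so their hosts are left out.
TRUSTED_HOSTS = {"java.sun.com"}


def parse_hjt_line(line):
    """Return a dict for an O3/O16 line, or None for any other entry."""
    line = line.split(">>", 1)[0].strip()  # drop annotations such as '>> McAfee VirusScan'
    m = O3_RE.match(line)
    if m:
        return {"section": "O3", **m.groupdict()}
    m = O16_RE.match(line)
    if m:
        entry = {"section": "O16", **m.groupdict()}
        entry["host"] = (urlparse(entry["url"]).hostname or "").lower()
        return entry
    return None


def triage(lines, trusted_hosts):
    """Return (clsid, reason) pairs for entries worth ticking in 'Fix checked'."""
    findings = []
    for raw in lines:
        entry = parse_hjt_line(raw)
        if entry is None:
            continue
        if entry["section"] == "O3" and entry["target"].strip().lower() == "(no file)":
            findings.append((entry["clsid"], "orphaned toolbar: registry entry points at a file that no longer exists"))
        elif entry["section"] == "O16" and entry["host"] not in trusted_hosts:
            findings.append((entry["clsid"], f"ActiveX download control from {entry['host']}, which belongs to no installed product"))
    return findings


if __name__ == "__main__":
    for clsid, reason in triage(SAMPLE_LOG, TRUSTED_HOSTS):
        print(f"fix {clsid}: {reason}")
```

The trusted-host set is the judgement call the helper makes from the rest of the log: a DPF control is only "stale" relative to what is actually installed, so feed the script the hosts of products that are still present rather than a generic allowlist.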
 
I couldn't find the add-ons you listed in IE:

sscv6 (Symantec Virus scanner)
mcinsctl.dll (McAfee Security Installer)
/mcgdmgr (Mcafee Security Download)

The settings available were:

All add-ons
Currently loaded add-ons
Run without permission
Downloaded controls

There was no setting for add-ons previously on the system. Apologies if I'm being dense.

I've attached the Combo-Fix and HJT logs.

Thanks!
 

Attachments

  • CF Scan 22.02.10.txt (20.5 KB)
  • hijackthis 22.02.10.txt (7.3 KB)
Are you experiencing any of the previous malware problems? I notice you have some very old files on the system: They are legitimate, but unusual to see files that are 30 years old (1979). It looks like you may have used a German version of the OS for a reinstall about a year ago. Does that make any sense to you?

ProductName: Betriebssystem Microsoft® Windows® (German version of the OS) on:
2009-11-27 16:07 . 2002-08-29 04:00 11264 ----a-w- c:\windows\system32\msrle32.dll

One of these files is for Toshiba Video Codec:
2009-11-27 16:07 . 2002-08-29 04:00 8704 ----a-w- c:\windows\system32\tsbyuv.dll

So you might want to check the system out: Add/Remove Programs, All Programs and Documents & Settings to see what's there and delete or uninstall old programs or files you aren't using.

The 'add-on' files I wanted you to remove were handled when they were checked in HJT. No problem.

If the original problem has been resolved, you can remove all of the tools we used and the files and folders they created

  • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [image: CF_Uninstall-1.jpg, showing "Combofix /Uninstall" typed into the Run box]
  • Download OTCleanIt by OldTimer
  • Save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.


You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
  • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Let me know if I can be of further help.
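Added example, not from the thread and not part of ComboFix: a Python pass over ComboFix file-report lines in the layout quoted in the reply above (created timestamp, a dot, modified timestamp, size, attributes, path). It does in code the two things the helper does by eye: it flags timestamps that cannot be right (earlier than an assumed 1985 floor, or later than the scan date) and it groups files by creation time, because a reinstall, a service pack and a mass malware drop all show up as one large batch of files created in the same minute. The two 2009/2002 lines are the ones quoted above; the 1979-dated and future-dated lines, their paths, and the thresholds are constructed for the example.

```python
"""Timestamp triage over ComboFix file-report lines.

Added example, not ComboFix code. Line layout as quoted in the thread:
    <created> . <modified> <size> <attrs> <path>
"""
import re
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<attrs>[-a-z]+)\s+(?P<path>\S.*)$"
)
FMT = "%Y-%m-%d %H:%M"

# Assumed thresholds: no file on an XP box should predate 1985, and nothing
# should be newer than the day the log was taken (22 Feb 2010 in this thread).
DATE_FLOOR = datetime(1985, 1, 1)
SCAN_DATE = datetime(2010, 2, 22)

# Two lines quoted in the reply above, then two constructed lines (a 1979-dated
# file like the ones the helper mentions, and a future-dated one) with invented
# paths, and one non-entry line the parser must skip.
SAMPLE_REPORT = [
    "2009-11-27 16:07 . 2002-08-29 04:00 11264 ----a-w- c:\\windows\\system32\\msrle32.dll",
    "2009-11-27 16:07 . 2002-08-29 04:00 8704 ----a-w- c:\\windows\\system32\\tsbyuv.dll",
    "1979-12-31 23:00 . 1979-12-31 23:00 4096 ----a-w- c:\\windows\\system32\\example_old.dll",
    "2031-01-01 00:00 . 2010-02-20 12:00 2048 ----a-w- c:\\windows\\example_future.bin",
    "(((((((((((((((((((((((((((((  Files Created from 2010-01-22 to 2010-02-22  )))))))))))))))))))))))))))))))",
]


def parse_report(lines):
    """Parse report lines into dicts; lines that are not file entries are skipped."""
    entries = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["created"] = datetime.strptime(entry["created"], FMT)
        entry["modified"] = datetime.strptime(entry["modified"], FMT)
        entry["size"] = int(entry["size"])
        entries.append(entry)
    return entries


def implausible_dates(entries, floor=DATE_FLOOR, now=SCAN_DATE):
    """(path, reasons) for entries with a timestamp before `floor` or after `now`."""
    out = []
    for e in entries:
        reasons = []
        for field in ("created", "modified"):
            if e[field] < floor:
                reasons.append(f"{field} before {floor.date()}")
            if e[field] > now:
                reasons.append(f"{field} after scan date {now.date()}")
        if reasons:
            out.append((e["path"], reasons))
    return out


def creation_batches(entries, min_count=2):
    """Creation minutes shared by at least `min_count` files, as 'YYYY-MM-DD HH:MM' -> count.

    A reinstall, a service pack, or a malware dropper writing several files
    in one go all appear as a single batch here; the paths in the batch tell
    the analyst which one it was.
    """
    counts = Counter(e["created"].strftime(FMT) for e in entries)
    return {ts: n for ts, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for path, reasons in implausible_dates(found):
        print(f"{path}: {'; '.join(reasons)}")
    for ts, n in creation_batches(found).items():
        print(f"{n} files created at {ts}")
```

In this thread the batch at 2009-11-27 16:07 is the reinstall the helper infers, and the 1979 dates are odd but, as the helper says, not malicious on their own; the point of the script is to surface those facts from a 20 KB log so they can be judged, not to decide for you.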
 
I'd refine that Trojan Horse definition to something like "non-self-replicating malware that appears to perform a desirable function for the user but instead facilitates unauthorized access to the user's computer system."

nvctrl.exe is only one file from the Troj/Zlob-BC downloader Trojan. It will also install additional files. We are very cautious about sending someone into the Registry because of the potential for damage. There are cleaning programs that, when properly used, will remove malware entries from the Registry.
 
Hi Bobbye,

There are no fake alerts and the PC is running much better. There appears to be no sign of any problem.

I believe I did reinstall XP a while ago; the installation disk was from Dell, made in Germany, although it was certainly an English version. I bought the PC in 2006 from a friend, maybe they had strangely old files on there??

Anyway, I have cleaned up and set a system restore point.

The 8 steps were great and I really appreciate you taking time to help me out!

THANK YOU!
 
You're welcome! Glad to help. Just wanted to make you aware of those files. No problem with them.

Let us know if you need help in the future. I'll mark this thread Resolved.
 