Trojan.Gen.2 will not go away

[TriBeCa99]

Hi there,

My Symantec Endpoint Protection finds Trojan.Gen.2 in a .tmp file (most recently DWHCC2C.tmp) on a more or less daily basis. I'm having this issue on both a Win 7 desktop and a Win 7 laptop, but let's just deal with the desktop for now. The problem started approximately 6 months ago, and I've been ignoring it because it was not causing any noticeable performance degradation and I haven't been able to afford any downtown for serious removal efforts.

The original infection came through a USB drive at some point, and likely was reinfected several times before autorun was disabled on these machines. All USB drives *should* be clean at this point, unless malware can survive a quick format.

At any rate, I ran your READ & RUN ME FIRST on the PC yesterday. Logs are attached--I apologize I did not save the HitmanPro log as it came up with no hits at all. I am happy to run it again, however your instructions also indicated not to repeat any steps unless specifically instructed to do so, so I haven't re-run HitmanPro at this point.

At any rate, after completing the R&RM steps I began a full data backup to an external 1TB drive. Autorun was off on the PC and the only visible file on the TB drive was a hidden System Volume Information folder (it had been quick-formatted by a clean Win XP laptop immediately prior). This morning when I arrived at work SEP auto-protect had logged Trojan.Gen.2 in the .tmp file I mentioned above--something I see basically every morning, as I said.

Many thanks in advance for any help you can provide,
~TBC

[chaslang]

Welcome to Major Geeks!

Run RogueKiller and run a scan. After it finishes the scan, select the Registry tab and then select any of the below that exist and then click the Delete button.

Quote:

[SUSP PATH] HKCU\[...]\Run : Adobe Reader Speed Launcher (C:\Users\Jared\AppData\Roaming\service1043.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-1277685125-4187367947-72843683-1000[...]\Run : Adobe Reader Speed Launcher (C:\Users\Jared\AppData\Roaming\service1043.exe) -> FOUND

Then immediately reboot your PC.

After reboot, run a new scan with RogueKiller and save a log as in original instructions and attach the new log.

How are things working now?

[TriBeCa99]

Deleted the indicated registry entries, rescanned and attached log as indicated. It wasn't until after the first couple of tries that I realized which entries you were referring to, as the naming in RogueKiller wasn't obvious to me at first.

I'll keep my eye out for any further AV hits and will post back if they occur. Unless I get one before I leave work today it will most likely not be until Monday--but hopefully it'll be all clean.

[chaslang]

Looks good now.



If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
2. Go back to step 6 oof the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
5. Go to add/remove programs and uninstall HijackThis.
6. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
7. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
8. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!

[TriBeCa99]

Unfortunately the infection is not gone.

When I arrived at work today I had the same Trojan.Gen.2 notification from SAV. I reran RogueKiller just now (redownloaded it via the link on MajorGeeks because it alerted me to a new version). The same Adobe Speed Launcher entries I deleted previously were back, so I marked them for deletion.

I am attaching logs from both before and after deletion of those entries.

[chaslang]

Are the below still showing up on new scans?
C:\Users\Jared\AppData\Roaming\service1043.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-1277685125-4187367947-72843683-1000[...]\Run : Adobe Reader Speed Launcher (C:\Users\Jared\AppData\Roaming\service1043.exe)

If yes, please do the below.

Please do the below so that we can boot to System Recovery Options to run a scan.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

On the System Recovery Options menu you will get the following options:

Quote:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

• Select Command Prompt
• In the command window type in notepad and press Enter.
• The notepad opens. Under File menu select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)

[TriBeCa99]

Yes, those two entries are still appearing on new scans--see the RK log attached.

Followed your instructions, see attached FRST log.

[chaslang]

Download this >> fixlist.txt


Save fixlist.txt to your flash drive.

• You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now reboot back into the System Recovery Options as you did previously.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (See how to attach)

Now boot into normal Windows can continue with the below.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• Fixlog.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[TriBeCa99]

Requested logs are attached. As always, I will have to wait to see if SEP reports anything over the next couples of days before I know whether I'm clean or not. I will report back on Monday.

[chaslang]

Your logs are clean again. If the infection comes back again, you are going to have figure out what you are running or which website you are accessing that is bringing it back as it has been removed twice now.

[TriBeCa99]

Hi again,


Thanks so much for your help with this so far. I appreciate your concern that my logs have come back clean twice now, and yet the infection keeps returning.

However, the very last thing I did before leaving work on Friday was to run the Farbar fix and MGTools scan and post them here. I then left the computer on over the weekend, and when I returned what I saw is shown in the attached screen shot.

I visited literally no websites at all, and did nothing at all, with the computer between posting those logs and getting the AV result you see in the screen shot. The computer is in a locked office, so unless someone in housekeeping or engineering or one of my colleagues is manually reinfecting it (enormously unlikely), I'm either being reinfected over the network or the infection was not removed in the first place.

Please don't give up on me here....

[chaslang]

Quote:

Originally Posted by TriBeCa99

However, the very last thing I did before leaving work on Friday was to run the Farbar fix and MGTools scan and post them here. I then left the computer on over the weekend, and when I returned what I saw is shown in the attached screen shot.

Okay. Sometimes computers can be infected just by being connected to the internet even with no one using it; however, I don't think that is the case with these infections you had. What about someone plugging in a USB drive? Are any folders shared over a network?

Quote:

Originally Posted by TriBeCa99

with the computer between posting those logs and getting the AV result you see in the screen shot.

Not really helpful as we need to see the details of exactly what and where. Infection names are rarely of much use because AV companies invent there own names and they do not mean anything most of the time. That is just a generic detection name which provides us with zero info and many times these are false detections. So if you can select the items and click the Details buitton to provide more information, I may be able to comment more.

Are you currently having any malware problems?

[TriBeCa99]

The only USB drive was the one used to run FRST, I did leave it in over the weekend and it's still in there now. There are two network drives normally mounted, both from the same server which is an Ubuntu box I maintain. However, I've been replacing the RAID array in that box with larger drives, and the server was off the entire weekend so nothing could have spread over those drives.

See attached for the details screen of the trojan.gen.2 auto-protect result that was waiting for me this morning.

And no, I'm not experiencing any malware problems, but that doesn't mean there's not something here.... This rig is running a quad core CPU at 4.7 GHZ and has 16 GB of RAM, so it's unlikely I would experience a noticeable slowdown.

[chaslang]

Quote:

Originally Posted by TriBeCa99

See attached for the details screen of the trojan.gen.2 auto-protect result that was waiting for me this morning.

Just a temp file and most likely just related to some program being used.

Quote:

Originally Posted by TriBeCa99

And no, I'm not experiencing any malware problems, but that doesn't mean there's not something here

Based on your logs, you are clean.

You should complete the final instructions I gave in message # 4.

[TriBeCa99]

Are you sure I'm clean? The logs may have looked that way immediately after cleaning, but see the attached RK log I ran just now.... This is hardly my specialty but it seems to me I'm being reinfected somehow.

[chaslang]

Well your other logs were coming up clean. Let's try a few things including a few more scans to dig deeper.

Re-run RogueKiller and run a scan. After it finishes the scan, select the Registry tab and then select any of the below that exist and then click the Delete button.

Quote:

[SUSP PATH] HKCU\[...]\Run : Adobe Reader Speed Launcher (C:\Users\Jared\AppData\Roaming\service1043.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-1277685125-4187367947-72843683-1000[...]\Run : Adobe Reader Speed Launcher (C:\Users\Jared\AppData\Roaming\service1043.exe) -> FOUND

Then immediately reboot your PC.


Now goto the below link and follow the instructions for running TDSSKiller from Kaspersky

• TDSSkiller - How to run

• Be sure to attach your log from TDSSKiller later where requested

Now also run another new scan with RogueKiller and save a log as in original instructions and attach the new log.

And we will add one more new scan to help us determine if anything else is hiding.


Please download OTL by OldTimer.

• Save it to your desktop.
• Right mouse click on the OTL icon on your desktop and select Run as Administrator
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the text-field.
  
  Code:

  activex
  netsvcs

• Now click the button.
• One report will be created:
  • OTL.txt <-- Will be opened
• Attach OTL.txt to your next message. (How to attach)

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• the TDSSKiller log
• the new RogueKiller log
• OTL.txt log
• C:\MGlogs.zip

[TriBeCa99]

All requested logs are attached.

My apologies for the delay, please do not mistake it for disinterest or any lack of appreciation for your help. I had some serious issues with my RAID array after your last post that had to be dealt with, and required multiple (very time consuming) rebuilds and back-up of several terabytes of data, so I was unable to reboot the machine for quite some time. By the time I had all that done there was also a substantial backlog of (also time-consuming) analyses that had to be carried out, again preventing a reboot.

Thanks so much again, hopefully we can nail it this time!

[chaslang]

You're welcome.

Quote:

Originally Posted by TriBeCa99

My apologies for the delay, please do not mistake it for disinterest or any lack of appreciation for your help.

No problem. I have not been able to be here too much either due to real work of late.

Okay this last RogueKiller log was clean. I just see some minor tweaks to finish off.



Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts.

• Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
• Copy the text in the code box below and paste it into the text-field.

Code:

:OTL
[2011/05/25 17:54:13 | 000,000,120 | ---- | C] () -- C:\Users\Jared\AppData\Local\Ugiburaranaw.dat
[2011/05/25 17:54:13 | 000,000,000 | ---- | C] () -- C:\Users\Jared\AppData\Local\Vxiweduvakadevip.bin
[2012/08/25 13:56:34 | 000,000,000 | ---D | M](C:\Windows\SysNative\???????????????????????????????) -- C:\Windows\SysNative\巯﹛矷孿￝￯翿﹛ﵿ뤿￝폕��￟痿翟￟翟罿翟￝ퟓ
[2012/08/25 13:56:34 | 000,000,000 | ---D | C](C:\Windows\SysNative\???????????????????????????????) -- C:\Windows\SysNative\巯﹛矷孿￝￯翿﹛ﵿ뤿￝폕��￟痿翟￟翟罿翟￝ퟓ
[2012/08/25 10:16:33 | 000,000,000 | ---- | M] ()(C:\Windows\SysWow64\??????????????)?????????????????????????????????????????????????????????????????????????) -- C:\Windows\SysWow64\ﵿﵿﵿ矍뤿翷뽷痝뭽꿿ᶿ�）繿﷿뭽꿿ᶿ￭￭ᶿ緿뭽꿿ᶿᶿ뽷ﵾ�痿�￭ᶿﵾ痿ᶿᶿᶿᶿᶿ뽷�￭痿�ﵾ痿폕��睽�￭睽�睽�痿罿睽ᶿᶿᶿᶿ폕痿ᶿ�痿￟￭
[2012/08/25 10:16:33 | 000,000,000 | ---- | C] ()(C:\Windows\SysWow64\??????????????)?????????????????????????????????????????????????????????????????????????) -- C:\Windows\SysWow64\ﵿﵿﵿ矍뤿翷뽷痝뭽꿿ᶿ�）繿﷿뭽꿿ᶿ￭￭ᶿ緿뭽꿿ᶿᶿ뽷ﵾ�痿�￭ᶿﵾ痿ᶿᶿᶿᶿᶿ뽷�￭痿�ﵾ痿폕��睽�￭睽�睽�痿罿睽ᶿᶿᶿᶿ폕痿ᶿ�痿￟￭
@Alternate Data Stream - 168 bytes -> C:\Users\Jared\Desktop\jared notes.jpeg:3or4kl4x13tuuug3Byamue2s4
:Files
C:\Users\Jared\AppData\Local\Ugiburaranaw.dat
C:\Users\Jared\AppData\Local\Vxiweduvakadevip.bin
:Commands
[PURITY]
[EMPTYTEMP] 
[EMPTYFLASH]

[REBOOT]

• Now click the button.
• If the fix needed a reboot please do it.
• Click the OK button (upon reboot).
• When OTL is finished, Notepad will open. Close Notepad.
• A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
• Attach this log to your next message. (See: How to attach)

Now run one more RogueKiller scan to make sure it still comes up clean.


Then attach the below logs:

• the log from OTL
• the new RogueKiller log

Make sure you tell me how things are working now!

[TriBeCa99]

I had two trojan.gen.2 warnings from my AV when I came in, so I reran RogueKiller before following these instructions to remove the two service1043.exe hits we've been seeing every time. Then I followed the rest of your instructions, and logs are attached.

[chaslang]

Quote:

Originally Posted by TriBeCa99

I had two trojan.gen.2 warnings from my AV when I came in, so I reran RogueKiller before following these instructions to remove the two service1043.exe hits we've been seeing every time. Then I followed the rest of your instructions, and logs are attached.

Okay but this log does not show it. Are you saying it comes back again after the next reboot?