Re: How to remove Trojan: winrscmde (it is back!!!)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by KaisorSoze, Jul 30, 2012.

  1. KaisorSoze

    KaisorSoze Private E-2

    Hello. Thanks for the help last time. I have just been hit with the same trojan this morning while doing a search on Google, using Firefox's privacy setting. As soon as my search came up, my Comodo firewall warned me of a threat, all my programs closed and my computer rebooted by itself. I checked my task manager and there again was winrscmde running very high, causing my backup fan to kick on (which sounds like a loud lawnmower). The new logs are attached. Please help.
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Hello KaisorSoze,

    Please download and scan with TDSSKiller
    • Do not use the Change Parameters button
    • When the scan is finished, a log will be created in the root of your C: drive
    • Example: C:\TDSSKiller.2.7.47.0_25.07.2012_15.06.22_log.txt
    • Attach this to your next message. (How to attach)
     
  3. thisisu

    thisisu Malware Consultant

    After completing the above:

    Uninstall one of the following:
    • Avira Free Antivirus
    • COMODO Internet Security

    Uninstall these:
    • Coupon Printer for Windows
    • Java(TM) 6 Update 31 (outdated)
    • Spybot - Search & Destroy
    • SpywareBlaster 4.2 (outdated)
    • SUPERAntiSpyware

    __

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Right mouse click on the OTL icon on your desktop and select Run as Administrator
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      i8042prt.sys
      netbt.sys
      nsiproxy.sys
      svchost.exe
      tcpip.sys
      tdx.sys
      /md5stop
      %windir%\$ntuninstallkb*. /120
      %windir%\system32\drivers\*.sys /lockedfiles
      
    • Now click the scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
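The /md5start ... /md5stop section of the OTL script above makes OTL report the MD5 of a handful of core drivers so the helper can spot one that has been patched on disk. The block below is an added example, not part of the thread and not OTL's own code: it does the same fingerprinting locally and compares it against a baseline of known-good hashes that you supply. The baseline values and the "driver" files it creates are constructed for the demo; on a real system you would point it at %windir%\system32\drivers and at hashes taken from a clean machine of the same build.

```python
"""Hash a watch list of driver files and compare them to a known-good baseline.

Added example for the OTL /md5start section above; not part of OTL or the thread.
The sample files and baseline hashes are constructed inside demo().
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Same file names the OTL script above asks to hash; used here as the watch list.
WATCH_LIST = ["afd.sys", "i8042prt.sys", "netbt.sys", "nsiproxy.sys",
              "svchost.exe", "tcpip.sys", "tdx.sys"]


def md5_file(path: Path, chunk: int = 1 << 16) -> str:
    """MD5 of a file, read in chunks so a large driver is not loaded whole."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_against_baseline(directory: Path, baseline: Dict[str, str],
                           names: Iterable[str] = WATCH_LIST) -> Dict[str, List[str]]:
    """Classify each watched file as ok, modified, missing or unknown.

    'unknown' means there is no baseline hash for the file; reporting that is
    more honest than silently treating it as clean.
    """
    result: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": [], "unknown": []}
    for name in names:
        path = directory / name
        if not path.is_file():
            result["missing"].append(name)
            continue
        actual = md5_file(path)
        expected = baseline.get(name)
        if expected is None:
            result["unknown"].append(name)
        elif actual.lower() == expected.lower():
            result["ok"].append(name)
        else:
            result["modified"].append(name)
    return result


def demo() -> Dict[str, List[str]]:
    """Build a constructed driver directory in which one file has been patched."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        clean: Dict[str, str] = {}
        for name in WATCH_LIST:
            content = f"clean contents of {name}\n".encode()  # constructed stand-in for a driver
            (d / name).write_bytes(content)
            clean[name] = hashlib.md5(content).hexdigest()
        # Simulate a driver patched in place: same name, different bytes.
        (d / "tdx.sys").write_bytes(b"patched driver body\n")
        # Leave one file out of the baseline (-> unknown) and delete one (-> missing).
        baseline = {k: v for k, v in clean.items() if k != "nsiproxy.sys"}
        (d / "netbt.sys").unlink()
        return check_against_baseline(d, baseline)


if __name__ == "__main__":
    for verdict, files in demo().items():
        print(f"{verdict:9}: {', '.join(files) or '-'}")
```

A "modified" result is only meaningful against a baseline from the same Windows build and patch level; a legitimate Windows Update changes these hashes too, which is why the helper compares OTL's values by hand rather than trusting a fixed list.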
     
  4. KaisorSoze

    KaisorSoze Private E-2

    Hello.

    Thanks for the response. Attached is the log. In addition, I noticed an error in my scanning and saw the post on the removal of the Trojan:DOS/Alureon.A and followed that post prior to seeing this message. So, the results may seem different. (In short, I did the Trojan/Alureon post with TDSSKiller, the other program, and re-did the RogueKiller, Malwarebytes, HitmanPro, and MGTools scans.) If you need those new logs, I can post them.
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    Yes, I'd like to see the initial TDSSKiller log and any other logs you have from running the How to Remove Trojan:DOS/Alureon.A thread.

    And you can still follow the directions mentioned above.

    Also, did you cure anything with HitmanPro after you obtained the log?
     
  6. KaisorSoze

    KaisorSoze Private E-2

    Hello.

    No, I did not cure anything with HitmanPro.

    Attached are the logs. Next post will consist of the other logs.
     

    Attached Files:

  7. KaisorSoze

    KaisorSoze Private E-2

    Hello.

    Second logs. These are what I got when I followed the Trojan/DOS post. Also, the log from OTL.exe.
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    Ok that explains it.

    Re-scan with TDSSKiller with the "TDLFS File System" parameter enabled.
    This time if TDSS File System appears, delete it!
    Then attach the latest TDSSKiller log. (How to attach)

    __

    More instructions incoming..
     
  9. KaisorSoze

    KaisorSoze Private E-2

    Here is the log.
     

    Attached Files:

  10. thisisu

    thisisu Malware Consultant

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the text-field.
    Code:
    :otl
    IE - HKU\S-1-5-21-1539952246-2422038135-1643356441-1000\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No CLSID value found
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
    CHR - plugin: Coupons Inc., Coupon Printer Manager  (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
    CHR - plugin: Coupons Inc., Coupon Printer Manager  (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
    O3 - HKU\S-1-5-21-1539952246-2422038135-1643356441-1000\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
    O3 - HKU\S-1-5-21-1539952246-2422038135-1643356441-1000\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.
    [2012/01/04 23:20:08 | 000,001,266 | -HS- | C] () -- C:\Users\Dansey\AppData\Local\148wl81cw72u12151025pwdnof4e525rjf7uj88446x
    [2012/01/04 23:20:08 | 000,001,266 | -HS- | C] () -- C:\ProgramData\148wl81cw72u12151025pwdnof4e525rjf7uj88446x
    @Alternate Data Stream - 125 bytes -> C:\ProgramData\Temp:5C321E34
    :files
    c:\windows\svchost.exe /d
    C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll /d
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons /d
    C:\Program Files (x86)\Coupons /d
    C:\Windows\CouponPrinter.ocx /d
    C:\programdata\Microsoft\Windows\DRM\706F.tmp.dat
    C:\programdata\Microsoft\Windows\DRM\709F.tmp
    C:\Users\All Users\Microsoft\Windows\DRM\706F.tmp.dat
    C:\Users\All Users\Microsoft\Windows\DRM\709F.tmp
    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
    :commands
    [emptytemp]
    
    Now click the fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  11. KaisorSoze

    KaisorSoze Private E-2

    Here are the logs.
     

    Attached Files:

  12. thisisu

    thisisu Malware Consultant

    Memory and CPU usage looks normal now, what problems are you still having?
     
  13. KaisorSoze

    KaisorSoze Private E-2

    Memory and all looking good. I no longer see winrscmde in the task manager window. All seems well.
     
  14. thisisu

    thisisu Malware Consultant

    Excellent ;)

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
  15. KaisorSoze

    KaisorSoze Private E-2

    Not sure if this is malware related, but my icons disappear then reappear after startup. Should I be concerned?
     
  16. thisisu

    thisisu Malware Consultant

    That happens sometimes. I wouldn't worry about it.
     
  17. KaisorSoze

    KaisorSoze Private E-2

    Hello

    I am just confused. I have not used this computer since my last post. Turned it on, went on Google, did a search, and noticed I was redirected. Long story short, it seems like winrscmde is back for the third time (I have a desktop and I don't get this problem...). Logs are attached.

    Everything seems OK as of now. I don't see winrscmde in my processes list.
     

    Attached Files:

  18. thisisu

    thisisu Malware Consultant

    Hello again :)

    You need to practice safe surfing. Read this: http://forums.majorgeeks.com/showthread.php?t=44525

    You did get infected again and TDSSKiller removed the bulk of the infection.

    Code:
    21:35:43.0711 6104  TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
    21:35:44.0367 6104  ============================================================
    21:35:44.0367 6104  Current date / time: 2012/11/26 21:35:44.0367
    21:37:09.0182 0516  ============================================================
    21:37:09.0182 0516  Scan finished
    21:37:09.0182 0516  ============================================================
    21:37:09.0199 4060  Detected object count: 1
    21:37:09.0199 4060  Actual detected object count: 1
    21:37:44.0718 4060  \Device\Harddisk0\DR0\# - copied to quarantine
    21:37:44.0746 4060  \Device\Harddisk0\DR0 - copied to quarantine
    21:37:44.0839 4060  \Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine
    21:37:44.0863 4060  \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine
    21:37:44.0902 4060  \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
    21:37:44.0912 4060  \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
    21:37:44.0915 4060  \Device\Harddisk0\DR0\TDLFS\servers.dat - copied to quarantine
    21:37:44.0918 4060  \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
    21:37:44.0921 4060  \Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine
    21:37:44.0926 4060  \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
    21:37:44.0954 4060  \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
    21:37:44.0963 4060  \Device\Harddisk0\DR0\TDLFS\s - copied to quarantine
    21:37:44.0977 4060  \Device\Harddisk0\DR0\TDLFS\ldrm - copied to quarantine
    21:37:44.0997 4060  \Device\Harddisk0\DR0\TDLFS\u - copied to quarantine
    21:37:45.0193 4060  \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot
    21:37:45.0194 4060  \Device\Harddisk0\DR0 - ok
    21:37:45.0451 4060  \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Cure 
    21:37:48.0590 6096  Deinitialize success
    Just delete this file: C:\programdata\Microsoft\Windows\DRM\47B.tmp.dat

    Uninstall

    • Java(TM) 6 Update 32 (outdated!)
    • Coupon Printer for Windows

    Update Java: here
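The TDSSKiller log quoted above is what tells the helper the machine was reinfected: the "Detected object count", the objects copied out of the TDLFS hidden file system on \Device\Harddisk0\DR0, the Rootkit.Boot.Pihar.c verdict and the "will be cured on reboot" line. The block below is an added example, not part of TDSSKiller or of the thread, that parses a log in this format into a short summary so those facts can be checked mechanically. The line shape (time, thread id, message) and the message patterns are taken from the log above, which SAMPLE_LOG reproduces; other TDSSKiller versions may phrase messages differently, which is an assumption to verify before relying on the patterns.

```python
"""Summarise a TDSSKiller log: detections, quarantined objects, pending cure.

Added example for the log quoted above; not part of TDSSKiller or the thread.
The regular expressions are derived from that log's format only.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Every log line is "HH:MM:SS.ffff <thread-id> <message>".
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)\s+(\d+)\s+(.*)$")
# "<object> ( <detection name> ) - <action>"
VERDICT_RE = re.compile(r"^(?P<obj>.+?) \( (?P<name>[^)]+) \) - (?P<action>.+)$")
# "<object> - copied to quarantine"
QUARANTINE_RE = re.compile(r"^(?P<obj>.+?) - copied to quarantine$")
# "Detected object count: N" / "Actual detected object count: N"
COUNT_RE = re.compile(r"^(?P<actual>Actual )?[Dd]etected object count: (?P<n>\d+)$")

# The log posted in the thread, reproduced here as the sample input.
SAMPLE_LOG = r"""
21:35:43.0711 6104  TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
21:35:44.0367 6104  ============================================================
21:35:44.0367 6104  Current date / time: 2012/11/26 21:35:44.0367
21:37:09.0182 0516  ============================================================
21:37:09.0182 0516  Scan finished
21:37:09.0182 0516  ============================================================
21:37:09.0199 4060  Detected object count: 1
21:37:09.0199 4060  Actual detected object count: 1
21:37:44.0718 4060  \Device\Harddisk0\DR0\# - copied to quarantine
21:37:44.0746 4060  \Device\Harddisk0\DR0 - copied to quarantine
21:37:44.0839 4060  \Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine
21:37:44.0863 4060  \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine
21:37:44.0902 4060  \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
21:37:44.0912 4060  \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
21:37:44.0915 4060  \Device\Harddisk0\DR0\TDLFS\servers.dat - copied to quarantine
21:37:44.0918 4060  \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
21:37:44.0921 4060  \Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine
21:37:44.0926 4060  \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
21:37:44.0954 4060  \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
21:37:44.0963 4060  \Device\Harddisk0\DR0\TDLFS\s - copied to quarantine
21:37:44.0977 4060  \Device\Harddisk0\DR0\TDLFS\ldrm - copied to quarantine
21:37:44.0997 4060  \Device\Harddisk0\DR0\TDLFS\u - copied to quarantine
21:37:45.0193 4060  \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot
21:37:45.0194 4060  \Device\Harddisk0\DR0 - ok
21:37:45.0451 4060  \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Cure 
21:37:48.0590 6096  Deinitialize success
"""


@dataclass
class Summary:
    detected_count: Optional[int] = None
    actual_detected_count: Optional[int] = None
    verdicts: List[Tuple[str, str, str]] = field(default_factory=list)  # (object, detection, action)
    quarantined: List[str] = field(default_factory=list)
    tdlfs_files: List[str] = field(default_factory=list)  # names found inside the hidden TDLFS
    cure_pending: bool = False  # a cure was scheduled for the next reboot

    def detections(self) -> List[str]:
        return sorted({name for _, name, _ in self.verdicts})

    def report(self) -> str:
        return "\n".join([
            f"detections: {', '.join(self.detections()) or 'none'}",
            f"quarantined objects: {len(self.quarantined)} ({len(self.tdlfs_files)} inside TDLFS)",
            f"cure pending reboot: {self.cure_pending}",
        ])


def parse_tdsskiller_log(text: str) -> Summary:
    s = Summary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banners and anything not shaped "time thread message"
        msg = m.group(3).strip()

        c = COUNT_RE.match(msg)
        if c:
            n = int(c.group("n"))
            if c.group("actual"):
                s.actual_detected_count = n
            else:
                s.detected_count = n
            continue

        v = VERDICT_RE.match(msg)
        if v:
            s.verdicts.append((v.group("obj"), v.group("name"), v.group("action")))
            if "cured on reboot" in v.group("action"):
                s.cure_pending = True
            continue

        q = QUARANTINE_RE.match(msg)
        if q:
            obj = q.group("obj")
            s.quarantined.append(obj)
            if "\\TDLFS\\" in obj:
                s.tdlfs_files.append(obj.rsplit("\\", 1)[1])
    return s


if __name__ == "__main__":
    print(parse_tdsskiller_log(SAMPLE_LOG).report())
```

The useful signal for a helper is the combination: a verdict on the raw disk device rather than on a file, a populated TDLFS listing, and a cure that only takes effect after reboot, which is why the reply above asks whether the reboot happened and whether the "TDLFS File System" parameter was enabled.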
     
