I opened a DHL delivery failure email and now computer full of Trojans

[ethelr1]

On Tuesday of this week, I mindlessly opened an email from DHL with an attachment about a missed delivery. While I am normally very cautious about what I open, this particular morning I slipped! I knew as soon as I clicked the attachment that I had made a HUGE mistake. Well towards the end of the 1st day my IE stopped working and I had to switch over to my old Netscape browser. My computer also began to operate very slowly. Over the course of the next few days it became progressively slower. Finally on Friday, late in the afternoon, my Netscape browser stopped working as well. I was able to download all of the recommended programs in safe mode networking. I followed the steps you have listed in the run/read me to a tee. Two Trojans were found during the cleaning process, however, I am still unable to use IE (which makes me think I am still infected). Luckily, I am able to use Netscape again. I have attached all of the requested logs.

Thank you in advance for your help.

[chaslang]

Quote:

Originally Posted by ethelr1

however, I am still unable to use IE (which makes me think I am still infected).

Do you use a Proxy Server to connect to the internet? If not, then you need to change your browser settings so that it is not trying to use a proxy. If you do use a Proxy, then you need to make sure the proper values are entered.

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Uninstall the below software:
J2SE Runtime Environment 5.0 Update 2
Java(TM) 6 Update 11
Java(TM) 6 Update 7
Viewpoint Media Player <-- should have been uninstalled in step 1 of the READ ME

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -

After clicking Fix, exit HJT.

Now we need to use ComboFix to remove a bunch of malware files.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• Open Notepad and copy/paste the text in the below quote box into it:

Quote:

KILLALL::
File::
C:\WINDOWS\9g234sdfdfgjf23

Folder::
C:\32788R22FWJFW
C:\f2866eda0ef30b562942ec

FileLook::
c:\windows\system32\drivers\MDPMGRNT.SYS
c:\windows\system32\drivers\MDFSYSNT.SYS

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Now run Ccleaner to clean out only temp files and nothing else!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[ethelr1]

I must begin with a HUGE thank you!! Everything appears to be working fine. I have attached the logs that you have requested. I'm crossing my fingers that everything is clean.

thanks again!!!!

[chaslang]

You're welcome.

What happened to your AVG Identity Protection program since the previous posts? It now seems to still be install but is broken. Did you do something to it? Did you try to uninstall it?

[ethelr1]

Well I thought everything was working fine until the very next day (4/1/09), the computer was operating extremely slowly and when I would log onto the web it would take forever for a page to load. I ran a Panda online scan and it found (3) suspicious items….
1. C:\Program Files\SBC Support Tool\bin\closeAll.exe
2. C:\System Volume Information\_restore{F845E3D...A620-64F2CA1BFB5F}\RP9\A0000742.sys
3. C:\System Volume Information\_restore{F845E3D...A620-64F2CA1BFB5F}\RP2\A0000080.sys

I tried to run a number of removal tools and nothing was found until I ran Trojan Hunter. It found something; however, I am not sure what. On 4/2/09 the computer was still running slowly so I am pretty confident that I am still infected with something. I ran a Kaspersky online scan last night (4/2/09) and it found one item however the window would now allow me to expand the screen so that I can copy down exactly what it found. So today, I have rescanned with all of the removal tools that your site recommends and I am attaching new logs.

As far as the AVT being removed, I am not sure what happened. My primary anti spyware program is NOD32 which was active at the time of my first post. When I initially became infected almost two weeks ago, I did not have any type of protection on my computer. I cannot remember making any changes to AVT since I last posted. I could be wrong though. These past two days I have done many things out of sheer desperation to keep my computer running.

Thank you in advance for any help you can provide! You guys are amazing!!

[chaslang]

Quote:

Originally Posted by ethelr1

As far as the AVT being removed, I am not sure what happened.

Okay then let me ask a different question. Did you install AVG Identity Protection yourself or was it installed at some point along with AVG Antivirus and did you forget about it? Also do you want AVG Identity Protection installed? We will have to begin by removing the current broken application.


First answer a few questions:

1. Also did you purchase TrojanHunter 5.0 or are you just running a trial program?
2. If you boot in safe mode and connect to the internet, how do things work?
3. What browser are you using when things are slow.
4. Why are the below programs running at startup? Are the necessary?
   • O4 - HKLM\..\Run: [IndexTray] "C:\Program Files\Sharp\Sharpdesk\IndexTray.exe" /n
   • O4 - HKLM\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
   • O4 - HKLM\..\Run: [TypeRegChecker] "C:\Program Files\Sharp\Sharpdesk\TypeRegChecker.exe"
   • O4 - HKLM\..\Run: [FtpServer.exe] "C:\Program Files\Sharp\Sharpdesk\FtpServer.exe" -usedefault
5. Do you use a ProxyServer to connect to the internet? If you said no, I'm wondering why the below are configured?
   • R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
   • R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.10.10.*;127.0.0.*;192.168.1.*;<local>;*.local

Goto Add/Remove Programs and uninstall AVG Identity Protection

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O23 - Service: AVGIDSAgent - Unknown owner - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe (file missing)
O23 - Service: AVGIDSWatcher - Unknown owner - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe (file missing)

After clicking Fix, exit HJT.


Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• Open Notepad and copy/paste the text in the below quote box into it:

Quote:

KILLALL::

Driver::
AVGIDSErHr
AVGIDSAgent
AVGIDSWatcher
AVGIDSDriver
AVGIDSFilter
AVGIDSShim

File::
c:\windows\system32\drivers\AVGIDSErHr.sys

Folder::
C:\Program Files\AVG

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Now run Ccleaner to clean out only temp files and nothing else!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now! Also make sure you answered all of my questions.

[ethelr1]

Answers...

1. I did purchase TrojanHunter 5.0

2. When I booted in Safe Mode everything appeared to be working fine. I used IE and it wasn't running slowly like it has been doing these past few weeks. However, yesterday (4/6/09) it wasn't running near as slowly in normal mode as it was on Friday. I'm not sure if one of my many cleaners managed to clean up some things.

3. IE seems to be the slowest and most difficult browser for me since my computer has become infected. I have been using Netscape, which doesn't seem to be causing near as many problems as IE. Netscape was running slow as well, just not as bad as IE.

4. As far as the Sharp programs that are running at startup, I don't know why or if it is even necessary for them to be there. Sharp is the printer that I use on my computer. I am connected wirelessly to the printer. Not sure if that startup is necessary or not. Actually, now that I think about it, Sharpdesk is the program that I use to scan documents. My printer is a copy machine/printer/scanner. It is a full size office copy machine.

5. No I do not use a Proxy Server to connect to the internet. I know nothing about that configuration listed.

Last night (4/6/09) I ran another online Panda scan and it reported the same findings as I mentioned above. I'm not sure if this means anything at all.
1. C:\Program Files\SBC Self Support Tool\bin\closeAll.exe
2. C:\System Volume Information\_restore{F845E3D...A620-64F2CA1BFB5F}\RP9\A0000742.sys
3. C:\System Volume Information\_restore{F845E3D...A620-64F2CA1BFB5F}\RP2\A0000080.sys

I have followed all of your instructions and listed the requested logs.

Again, thank you so very much for all of your help!!!

[chaslang]

If surfing is faster is safe mode then it just may be due to things you are loading and attaching to your browser in normal boot mode. Try disabling all of the browser addons and see what happens.

Also when did you install IE8? Before or after things slowed down. Looks fairly recent.

Quote:

Originally Posted by ethelr1

Last night (4/6/09) I ran another online Panda scan and it reported the same findings as I mentioned above. I'm not sure if this means anything at all.
1. C:\Program Files\SBC Self Support Tool\bin\closeAll.exe
2. C:\System Volume Information\_restore{F845E3D...A620-64F2CA1BFB5F}\RP9\A0000742.sys
3. C:\System Volume Information\_restore{F845E3D...A620-64F2CA1BFB5F}\RP2\A0000080.sys

Not problems. You should not be running anything other than what we request as stated in the READ & RUN ME instructions. Running anything else only serves to confuse you and also us when we see additional files and folders showing up in logs that we had not seen before.


Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.10.10.*;127.0.0.*;192.168.1.*;*.local;<local>
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe

After clicking Fix, exit HJT.

You should also delete the below left over folders:
C:\$AVG8.VAULT$
C:\a95692780bc4337d8a66
c:\documents and settings\All Users\Application Data\avg8
c:\documents and settings\Owner\Application Data\Grisoft
c:\documents and settings\All Users\Application Data\Viewpoint