So is my system clean now?

Discussion in 'Malware Help (A Specialist Will Reply)' started by On edge, Jan 3, 2008.

  1. On edge

    On edge Corporal

    Below is my Virus story, please tell me if this sounds like it's over or whether there was (is) some big bad that caused this in my system still alive, and waiting to attack again:

    About 3 days ago my firewall (Sygate) went down, my Symantec Anti-virus was disabled (update option failed and main app file disappeared), and almost all my other anti-malware programs stopped working. Attempts to install new ones failed. My internet still functioned for browsing and HJT worked too. I found a few things (not sure what anymore), even got Symantec to run for a round afterwards. It found a puny

    mitglieder.exe virus,

    and after that Symantec stopped working (main exe-file disappeared). I'm not sure if it had come back temporarily, or whether I had missed it earlier - none of the shortcuts worked, you see, and I'm not sure I checked the program file folder itself initially.

    Afterwards I cut my internet connection, downloaded a bunch of anti-malware software onto my laptop (other computer), and after a long battle was able to use some of it to beat the Trojans back on my desktop. First I found some minor spyware, which might have been there already (cookie-types, etc.), after running Norman Anti-Malware (it's a 5MB ready-to-go anti-virus program) from an external hard drive I got rid of 3 infected files:

    2 W32/Spybot.dam and 3 SDBot.gen8. The Spybots were in zip/rar-files, while the first SDBot was in temp internet files and others in windows\system32\drivers\down

    I think killing those SDBots made a big difference. I also enabled alg.exe (Application Layer Gateway Service), and maybe something else from administrative tools/services (something had turned them off) and did general cleaning. Afterwards I was able to install ZoneAlarm, which blocked a bunch of access attempts from outside.

    After that I was able to get Windows Defender working again - I think it found a bagle-virus or maybe it was one of the other programs I ran. I then left vcleaner on overnight, but it didn't find anything and ran for 10+ hours, so I decided to try installing AVG while vcleaner was still running. That was fine, and AVG detected (?) another Trojan

    1 IRC/BackDoor.SDBot3.XUJ in windows/system32, and
    4 'Virus Identified Exploits,'

    but maybe it was the vcleaner that actually found them since the two programs are very much related, and vcleaner was the one scanning (AVG was still waiting for its turn). When I scanned with AVG I found more 'Exploits,' this time in temp internet files, and 3 Trojan horses;

    1 Dropper.Agent.FYQ, 1 Generic5.ILD and 1 Proxy.XCJ,

    the first two were in my emule folder (emule was the first thing I turned off when this started, so they had been there a while), and the Proxy was in the NProtect\Recycler, which I haven't seen on that hard drive and therefore had not emptied.

    So that's where I'm at. Is this over, or should I expect more of these Trojan bastards to pop up?

    By the way, one change I had made recently was to make hidden files/folders invisible because my parents were visiting for New Year's and there were some things on my computer I wanted to keep private. They are, of course, visible again now (though renamed and locked for the most part). Also, I had scanned my emule downloads multiple times with (up-to-date) Symantec Anti-Virus, but it never detected the Trojans, even though I assume they were there all along. Not sure if I used Norman to scan the hard drive (or partition to be accurate) emule was on (it's separate from the C: partition with windows).
     
  2. abri

    abri MajorGeek

    Hi On edge!

    The only thing we can do is to look at the logs we request and tell you if there are any signs of malware left over. If you've had a bad infection or multiple infections, it would be good to run through the instructions in the READ & RUN ME FIRST and attach the logs so we can look at them.

    abri
     
  3. On edge

    On edge Corporal

    Here, but only had time for a fast AVG scan, which is yet to finish - will follow up:
     

    Attached Files:

  4. abri

    abri MajorGeek

    Hi OnEdge,
    Your computer looks pretty clean, but it has an overdose of protection programs. After you finish with our final cleaning instructions, it's useful to check what we recommend in the How to protect yourself from malware thread. But first please do the following:

    1) What's in this folder?

    C:\WINDOWS\SYSTEM32\drivers\down

    2) Go to add/remove programs and uninstall the below:


    - J2SE Runtime Environment 5.0 Update 10
    - J2SE Runtime Environment 5.0 Update 11
    - J2SE Runtime Environment 5.0 Update 4
    - J2SE Runtime Environment 5.0 Update 6
    - J2SE Runtime Environment 5.0 Update 9
    - Java(TM) 6 Update 2


    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    O8 - Extra context menu item: Inbox Search - tbr:iemenu

    The following two are considered adware. Recommended taking them out.

    O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Inbox\ctbr.dll
    O3 - Toolbar: &Inbox.com Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Inbox\ctbr.dll

    Do the following belong to programs you know or want to keep? If not, please fix them as well.

    O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
    O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Inbox\ctbr.dll


    After you click fix, just close HijackThis.

    4) Run CCleaner in the default setting with the Windows tab on top.

    abri
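
A worked example, added here and not part of the thread, of HijackThis or of MGtools: a small Python script that parses the lines abri listed and groups them by the file they load. It shows why those entries belong together: the O2, O3 and O18 lines all load the same ctbr.dll, and the O8 context-menu item uses the tbr: scheme that the O18 line registers, so fixing one and leaving the rest would not remove the toolbar. The path and scheme regexes are heuristics of this example, not HijackThis's own parsing.

```python
"""Group HijackThis (HJT) log lines by the binary they load.

Added example, not part of the thread and not HijackThis's or MajorGeeks'
own code. The sample is the five lines quoted in the post; the path regex
and the custom-scheme heuristic are assumptions of this example.
"""
from __future__ import annotations

import re
from collections import defaultdict

# The lines quoted in the post, verbatim.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Inbox\ctbr.dll
O3 - Toolbar: &Inbox.com Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Inbox\ctbr.dll
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O8 - Extra context menu item: Inbox Search - tbr:iemenu
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Inbox\ctbr.dll
"""

_LINE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
_CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First Windows path ending in a loadable extension (handles spaces in paths).
_PATH = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|sys|ocx)\b", re.I)
_PROTOCOL = re.compile(r"^Protocol:\s*(\S+)\s+-")
# "tbr:iemenu" counts as a scheme use; "C:\..." (drive letter) and "BHO: x" do not.
_SCHEME_USE = re.compile(r"\b([A-Za-z][A-Za-z0-9+.-]*):(?=[^\s\\])")


def parse_hjt(text: str) -> list[dict]:
    """Split each 'Onn - body' line into section, body, CLSID and file path."""
    entries = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        clsid = _CLSID.search(body)
        path = _PATH.search(body)
        entries.append({
            "section": section,
            "body": body,
            "clsid": clsid.group(0).upper() if clsid else None,
            "path": path.group(0) if path else None,
        })
    return entries


def group_by_file(entries: list[dict]) -> dict[str, list[str]]:
    """Map each loaded file (lower-cased) to the HJT sections that load it."""
    groups: dict[str, list[str]] = defaultdict(list)
    for e in entries:
        if e["path"]:
            groups[e["path"].lower()].append(e["section"])
    return dict(groups)


def protocol_handlers(entries: list[dict]) -> dict[str, str]:
    """O18 lines register URL schemes; return scheme -> handler DLL path."""
    handlers = {}
    for e in entries:
        if e["section"] == "O18" and e["path"]:
            m = _PROTOCOL.match(e["body"])
            if m:
                handlers[m.group(1).lower()] = e["path"]
    return handlers


def custom_scheme_uses(entries: list[dict]) -> list[tuple[str, str, str]]:
    """Entries that use a scheme registered by an O18 handler (e.g. tbr:iemenu)."""
    handlers = protocol_handlers(entries)
    uses = []
    for e in entries:
        if e["section"] == "O18":
            continue
        for scheme in _SCHEME_USE.findall(e["body"]):
            if scheme.lower() in handlers:
                uses.append((e["section"], scheme.lower(), handlers[scheme.lower()]))
    return uses


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT)
    for path, sections in group_by_file(parsed).items():
        print(f"{path} is loaded by {', '.join(sections)}")
    for section, scheme, handler in custom_scheme_uses(parsed):
        print(f"{section} uses scheme {scheme}: handled by {handler}")
```

Run against a full HJT log, any file that shows up under several sections is worth a second look even if no single line looks alarming on its own.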
     
  5. On edge

    On edge Corporal

    Thanks for the feedback. drivers\down\ folder has 34 exe-files of the form 123456.exe, except with different 6 or 8 digit combinations, all created 12/30/2007 between 10:11 and 10:22 AM. I just scanned them with a-squared, AVG and trojan remover; no threats reported.

    I've attached two of these files (a small and large one), except I renamed them to .txt files.
     

    Attached Files:

  6. On edge

    On edge Corporal

    I left AVG anti-spyware 7.5 (free or trial edition) on for the day. When I came home there was no log-file available, even though it was set to generate a report after each scan even if no threats were found.

    It only found 2 tracking cookies according to the scan screen. However, when I later opened AVG Control Center, I found an event history log for the day that included 11 Trojans, which as best I can tell are in various recycle bins or system restore files. I assumed this is where the AVG anti-spyware log had gone.

    I exported the log file (attached), but it came out in a weird .log format that's messed up - wordpad works better than notepad for it. I also used printscr to capture pics of the screen for easier viewing.
     

    Attached Files:

  7. abri

    abri MajorGeek

    Hi On Edge!

    Sorry things have taken longer than I wanted them to. The drivers in the down folder look like things you don't want on your computer but I would like for you to rename them before I ask you to delete them. I will ask you to do that further down.

    We keep even infected restore points until we're finished, because it is better to have the possibility to go back to an infected restore point and re-clean things than to have no place to go back to.

    Combofix shows that you may have multiple antivirus programs: AVG, Avast and Symantec. I believe the Avast is a remnant. If you've already properly removed this using add/remove programs, please go ahead and delete the remaining folder C:\Program Files\Alwil Software

    Also, in your uninstalls list, you have the following listed:

    Norton CleanSweep
    Norton PartitionMagic 8.0
    Norton PartitionMagic
    Norton SystemWorks 2005 Premier (Symantec Corporation)
    Norton SystemWorks 2005 Premier
    Norton SystemWorks
    NSW_DRM_COLLECTION

    and here in Program Files:

    C:\Program Files\Symantec_Client_Security
    C:\Program Files\Symantec
    C:\Program Files\Common Files\Symantec Shared
    C:\Program Files\Norton SystemWorks

    Norton SystemWorks has great tools with it. If you are using any aspect of their antivirus it will conflict with your AVG. It's not enough to simply disable one or the other antivirus software, you have to actually remove it.

    My recommendation is that you run the System Works from the CD when you need it and remove the Symantec files from your computer if you've decided to use AVG as your primary resident antivirus. If you decide to do this, there's a tool called the Norton Removal Tool (SymNRT)

    In the logs you first posted, I noticed you are not running your computer in normal system startup. Please go to Start / Run and type in msconfig and make sure normal system startup mode is checked. Click on accept and okay.

    After you do the above, I would like for you to produce another set of MG logs, but first do the following:

    Go to the drivers folder C:\WINDOWS\SYSTEM32\drivers\down and open it. Rename the drivers inside to names ending with zzz so what was 4609281.sys would become 4609281.sys.zzz

    I think they are not good drivers, but I would like to see if there is any effect on your computer by renaming them before we simply remove them all.

    And now, please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates.

    Let me know how the above goes.

    abri
     
  8. On edge

    On edge Corporal

    When Symantec AV was disabled by the Trojan Blitzkrieg, I tried to install AVG, but the setup file wouldn't even launch. I got a little further with Avast, maybe it even was fully functional for a few seconds before the Trojans made its main application files disappear. I tried others too, but anything requiring an install was useless. Anyway, I removed the remnants, and deleted the leftover directory yesterday. I still have some others on my computer (but inactive), that I found useful. For example, Norman Malw. Cleaner was pretty cool as a 5 MB, one-file AV program that I could run off an external hard drive...

    OK, just ran it. Seems to have worked. No trace of Symantec, except for Partition Magic, and IE tried to make contact to 'reinstall it,' but I put the internet lock down on it.

    It's in normal enough mode. I have many start-up processes and services disabled - some of them don't even exist anymore, just remnants of uninstalled programs. If I check the normal box on msconfig, then it will enable every option, which would be bad...

    Renaming done; by the way, I don't recognize those Russian(??) websites inside the 'drivers.'

    As an aside: Do you happen to know a decent freeware program to rename/edit multiple files or folders at the same time, say for adding .zzz to 34 files in one go, or editing mp3 lists?

    I'm leaving for the office, but I'll leave MGtools to. Will post logs when I get home. Thanks for the help.
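
A worked example, added here and not from the thread or MajorGeeks' tooling, that does by script what abri asked for by hand and answers the bulk-rename question: it lists what is in a folder of unknown executables, records a SHA-256 of each file before anything gets deleted, pulls out any host names or URLs embedded in the binaries (the kind of .ru addresses On edge noticed), and appends .zzz to every file so none of them can run. The sample files are constructed in a temporary directory; the file names, the MZ stub and the embedded update.example.ru address are assumptions of this example, not data from the real machine.

```python
"""Triage and neutralise a folder of unknown executables.

Added example, not from the thread and not MajorGeeks' tooling. The
sample files are constructed in a temporary directory; their names and
the embedded .ru address are assumptions, not recovered artifacts.
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Host names / URLs inside printable data: a first look at where a binary
# phones home, the same thing the `strings` tool would surface.
_URL = re.compile(
    rb"(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:ru|com|net|org|info|biz)"
    rb"(?:/[\x21-\x7e]*)?",
    re.I,
)


def triage_file(path: Path) -> dict:
    """Hash, size, PE check, name pattern and embedded URLs for one file."""
    data = path.read_bytes()
    return {
        "name": path.name,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),   # record before deleting
        "is_pe": data.startswith(b"MZ"),              # DOS stub magic of a PE file
        "numeric_name": path.stem.isdigit(),          # the 123456.exe pattern
        "urls": sorted({m.group(0).decode("ascii", "replace").lower()
                        for m in _URL.finditer(data)}),
    }


def triage_folder(folder: Path) -> list[dict]:
    return [triage_file(p) for p in sorted(folder.iterdir()) if p.is_file()]


def neutralise_folder(folder: Path, suffix: str = ".zzz") -> list[tuple[str, str]]:
    """Append `suffix` to every file not already carrying it; return (old, new) pairs.

    4609281.sys becomes 4609281.sys.zzz, as in abri's instructions; Windows no
    longer treats the renamed files as executables or drivers."""
    renamed = []
    for p in sorted(folder.iterdir()):
        if p.is_file() and not p.name.endswith(suffix):
            target = p.with_name(p.name + suffix)
            p.rename(target)
            renamed.append((p.name, target.name))
    return renamed


def build_demo_folder() -> Path:
    """Constructed stand-in for C:\\WINDOWS\\system32\\drivers\\down (assumed content)."""
    folder = Path(tempfile.mkdtemp(prefix="drivers_down_"))
    fake_pe = (b"MZ" + b"\x00" * 62
               + b"http://update.example.ru/get.php\x00" + b"\x00" * 32)
    (folder / "4609281.exe").write_bytes(fake_pe)
    (folder / "12345678.exe").write_bytes(b"MZ" + b"\x00" * 128)
    (folder / "readme.txt").write_bytes(b"Just notes, no code.\n")
    return folder


if __name__ == "__main__":
    folder = build_demo_folder()
    for r in triage_folder(folder):
        flag = "PE " if r["is_pe"] else "   "
        print(f"{flag}{r['name']:<16}{r['size']:>6} {r['sha256'][:16]}... {r['urls']}")
    for old, new in neutralise_folder(folder):
        print(f"renamed {old} -> {new}")
```

Keep the hash list with the thread logs: if a file later turns out to be known malware, the hash is what lets you tie it to a vendor write-up after the file itself is gone.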
     
  9. On edge

    On edge Corporal

    I ran it anyway since it was the quick one; actually I ran it twice because I got the 16-bit error the first time. Also, both times I got an error message at the end(?) of the scan (see attached jpg), but the zip file was created anyway.

    P.S. The warning about inbox is still there - HJT doesn't fix it, and I can't be bothered to follow it up further since a) I don't use IE, and b) I like Inbox, which is a well rated free email provider.
     

    Attached Files:

  10. abri

    abri MajorGeek

    Msconfig is a diagnostic tool to help you identify startup items that are causing problems. Many people use it as the lazy man's solution rather than removing items from the startup. When you put msconfig into normal system start, the startup items will appear in HijackThis where many of them can be removed safely, because in the default installation, HijackThis creates a backup before it removes them.

    I'm not sure if you use add/remove programs whenever possible to uninstall things, but it's a good idea.

    ... yes, my eyes zoomed in on those. I wanted to ask if you would put the whole lot of them into a zip folder and attach it to your next post.

    No. But I think if you ask in the Software Forum you might get some suggestions there. And ... sorry. I knew that was going to be a pain.

    After you attach the zip file with the "down" driver entries, please do the following:

    1) Download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    2) Now run CCleaner in the default setting with the Windows tab as the active one. Do not check anything which is not already checked. After you hit the Run Cleaner button, there will be a warning that all the files will be permanently deleted. Click on ok and allow it to run. When it's finished, just close it.

    3) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
  11. On edge

    On edge Corporal

    Here are the zzz-files. I have to run, but will run Avenger when I get back.

    P.S. I permanently(?) changed some of the 123456.exe file names in a failed attempt to append .zzz to all of them at once, but I doubt it matters to you. Didn't see anything private when I skimmed two of them earlier, but please let me know if they were able to grab anything personal from my drive, and please disable the file attachment until you've had a chance to check it out - I mean, if they were part of some trojan hacker files trying to grab personal info and send it to some Russian site, or some such, then I probably shouldn't be posting them publicly...

    thanks again.
     
  12. On edge

    On edge Corporal

    New logs attached. I'll update more later once I've had a chance to use the computer properly again (been working on the laptop now for a while, so my work is there...) - and, what should I do about the restore and nprotected files? (Or did the Symantec take care of the latter?) By the way, if you check the AVG log I posted earlier, one of those 123456.exe files was infected with a generic trojan and in the nrecycler (AVG said it was cleaned).
     
  13. On edge

    On edge Corporal

    Sorry, thought I had attached them earlier. Did I leave the drivers_down.rar out as well, or was it disabled post download per request? (I can post it or send it again if necessary.)
     

    Attached Files:

  14. abri

    abri MajorGeek

    Good point. I didn't think about that. As soon as I saw the .ru I ran away. :D

    Wait to reset system restore until your logs are clean and you don't have any further symptoms. I'll give you those instructions, hopefully soon.

    As for the nprotected, if you have the Norton Protected Recycle Bin still, then right click on it and click on empty. If you only have the remnant folders left, dump the entire contents and the folder in the trash and run CCleaner at the default setting. You may find multiple instances of nprotect folders. Try and get rid of them all.

    abri
     
  15. abri

    abri MajorGeek

    Hi On Edge!

    Be sure to look at post #14 before you continue here. I don't see anything further in your logs except you still have several instances of Avast! If you could get those out, it would be good. If Avast is no longer in add/remove programs, you should be able to locate them with just a search for avast or ash as part of the file name. Do this after you set a new restore point. Before you set a new restore point, a few questions and instructions:

    Is anything better? Are the problems you came in with gone now? I'll post you the final cleaning instructions which will remove the logs and tools we put on your computer. If you have other issues or if the ones you came in with aren't resolved, ask before going ahead with these instructions.
    abri
     
  16. On edge

    On edge Corporal

    warning: OLD THREAD

    I just wanted to update since I think I said I would at some point earlier in this thread:

    my system has been clean since this whole thing happened, except for the occasional Trojan that tries to enter my system through files I download with emule - but AVG is pretty good about picking them out.

    My rule of thumb is to scan all emule downloads with AVG anti-virus, AVG anti-spyware, and a^2 before opening or executing, and if zipped, I scan the files again right after unzipping, plus I run full AVG autoscans several times a week. Only one time has it found something, but that got nipped in the bud (internet temp files and/or some emule download). I also run ccleaner frequently, and AVG anti-spyware, AVG rootkit and a2 every now and then, but they only find cookies.

    That said I don't use the desktop much these days. I do 99% of my work/web surfing on the laptop, although the desktop is on at home for emuling, and I use it for burning DVDs, watching movies, listening to web-radio, and things like that when at home.
     
  17. abri

    abri MajorGeek

    Hi On edge!

    It sounds like things are working as they should. I hope you will continue having good experiences with your computer.

    abri
     
  18. On edge

    On edge Corporal

    I just got booted off while typing my message and lost it (clicked back didn't help restore it either). Here's a second version:

    1. Felt vindicated by AVG when it instantly detected a trojan on tech help person's USB zip drive. I was using their free Symantec AV when my system crashed.

    2. BOC425.EXE sometimes hogs CPU and/or memory. For some reason it jumped to 30-50% CPU and Firefox went to 100,000KB mem usage even though I only have two tabs open on this site + I got booted out. AVG was running a weekly automated scan in the background, but finished as I was typing the first message.

    3. AVG reports a change in windows/system32/drivers/etc/hosts file. Before it just had "127.0.0.1 localhost" written in it. But apparently 3 months ago Spybot S&D added a huge list of sites to it. Stuff like:

    100sexlinks.com
    123topsearch.com
    ...

    A backup was made before the change. Does that sound right? Did Spybot really do that? Should it have done that?
     
  19. abri

    abri MajorGeek

    Hi OnEdge,

    The hosts files are put in by Spybot to protect you from those kinds of sites you listed as examples. It can occur that their hosts files get corrupted and in those cases we have you run a procedure which cleans these, however, it sounds like they are okay. If you look at the list, it should sound like sites you never want to visit, and that is what the list is for, so you get bounced away from those sites.

    Did you install Spyware Blaster and update it? Did you click on the immunize button of Spybot? Are you keeping your antivirus/antispyware and Windows updates up to date?
    I'm glad that AVG got the tech guy's flash drive. There ought to be some kind of disinfectant you can dip the flash drive into before putting it into someone else's computer. lol

    You lost your first message while AVG was doing its background scan. I think there are two settings for AVG, one which uses more resources while it scans and takes less time and one which uses less resources but takes more time to scan. You might try these out. Also, it doesn't hurt to go to the Alternate Scans page sometimes and run one or the other of the online scans. The antivirus programs don't seem to pick up the same things, so it pays to run different ones as you go.

    Good luck with your computer. Try visiting our other forums.
    abri
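
A worked example, added here and not from the thread, from Spybot or from AVG, of the check a practitioner would run when an antivirus reports a changed hosts file. Lines of the shape "127.0.0.1 badsite" (what Spybot's immunization adds) only make those names unreachable and are benign. Two other patterns are what an infection looks like: a security vendor's update host pinned to 127.0.0.1, which makes updates silently fail, and any name pointed at a non-loopback address, which redirects traffic to a third party. The sample hosts text, the vendor list and the 203.0.113.7 address (a documentation range) are constructed for this example; the two Spybot marker comments are illustrative.

```python
"""Audit a Windows hosts file: sinkhole entries vs. hijacks.

Added example, not from the thread and not Spybot's or AVG's code. The
sample text, the vendor list and the 203.0.113.7 address are constructed.
"""
from __future__ import annotations

import ipaddress
import sys

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Illustrative, not exhaustive: names whose blocking or redirection is a red flag.
SENSITIVE_DOMAINS = ("windowsupdate.com", "microsoft.com", "symantec.com",
                     "avg.com", "grisoft.com", "majorgeeks.com")

# Constructed sample; the first two mappings mirror the sites quoted in the post.
SAMPLE_HOSTS = """\
# constructed sample hosts file, not the poster's real one
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 100sexlinks.com
127.0.0.1 123topsearch.com
# End of entries inserted by Spybot - Search & Destroy
127.0.0.1 liveupdate.symantec.com
203.0.113.7 update.microsoft.com
"""


def is_sensitive(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in SENSITIVE_DOMAINS)


def parse_hosts(text: str) -> list[tuple[str, str, int]]:
    """Return (ip, hostname, line_no) for each mapping; comments are dropped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])      # skip lines that are not IP mappings
        except ValueError:
            continue
        for host in parts[1:]:                  # one IP may carry several names
            entries.append((parts[0], host.lower(), n))
    return entries


def audit_hosts(text: str) -> dict:
    report: dict = {"localhost": [], "sinkholed": [], "update_blocked": [], "redirected": []}
    for ip, host, n in parse_hosts(text):
        entry = (ip, host, n)
        if ip in LOOPBACK:
            if host == "localhost":
                report["localhost"].append(entry)
            elif is_sensitive(host):
                report["update_blocked"].append(entry)   # AV/updates cut off: malware pattern
            else:
                report["sinkholed"].append(entry)        # Spybot-style blocking, benign
        else:
            report["redirected"].append(entry)           # traffic sent to a third party
    report["verdict"] = ("suspicious" if report["update_blocked"] or report["redirected"]
                         else "clean")
    return report


if __name__ == "__main__":
    # Pass the real file as argv[1], e.g. C:\WINDOWS\system32\drivers\etc\hosts;
    # with no argument the constructed sample is audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    r = audit_hosts(text)
    print(f"{len(r['sinkholed'])} sinkholed names (blocklist), verdict: {r['verdict']}")
    for label in ("update_blocked", "redirected"):
        for ip, host, n in r[label]:
            print(f"line {n}: {label}: {host} -> {ip}")
```

A Spybot-sized list will report thousands of sinkholed names and a clean verdict; anything under update_blocked or redirected is what to chase, because those are the entries that explain a failing antivirus update or a browser that lands on the wrong site.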
     
