Serious problems with a trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by Kinas, May 2, 2008.

  1. Kinas

    Kinas Private E-2

    Hello to all! I'm having some problems with a trojan that I can't get rid of.

    FYI, I'm using Kaspersky Internet Security 7.0.1.325 and Spyware Terminator 2.2.0.411. Both are regularly updated. And I'm running Windows XP SP2.

    I'm not sure how my computer was infected; just one day when I turned my computer on, I found that Kaspersky and ST were disabled completely (their services can't be started). When I checked the registry, under "Image File Execution Options", there were a lot of keys that, from my experience, I knew prevent anti-virus and anti-spyware programs from executing. I was able to delete them and start my programs again. This time, KIS detected many malware files and successfully deleted them, but only one remains: sperls.dll. This one can't be deleted by any means; KIS reports that it will be deleted when the computer is restarted, but when I log in, it keeps coming back. KIS detected the dll as "Trojan program Trojan-PSW.Win32.OnLineGames.abzd". There are a whole lot of dlls in Windows\System32\ that would be activated by the sperls.dll when Windows starts up, but luckily I prevented that. Now my only concern is how to remove this sperls.dll.

    It causes several problems, as follows:
    - The services.msc and search windows don't display anything. Later I found out that Yahoo Messenger is also having the same problem in its conversation windows (but I replaced YM with Trillian and at least I could use instant messaging)
    http://i296.photobucket.com/albums/mm199/royal_noble_capr/services.jpg

    http://i296.photobucket.com/albums/mm199/royal_noble_capr/search.jpg

    - Each time a program starts up, it displays a message that the sperls.dll could not be executed because it is not a valid Windows image

    Please help
     
  2. Kinas

    Kinas Private E-2

    Here is some more information:
    - Each time a program starts up, it displays an error message. The program runs successfully, but this is very annoying
    http://i296.photobucket.com/albums/mm199/royal_noble_capr/invalid.jpg

    - Windows Media Player can't be started and a message stated that "an internal application error has occurred"

    - In the registry, the "AppInit_DLLs" key has a bunch of values that I'm sure are malware-related dlls ready to be executed with the sperls.dll. I've tried to delete the values but they keep coming back (just like the sperls.dll); even the Registry Guard function of KIS is useless against this.

    Help me please. Thanks
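    The two persistence points named in these posts, Image File Execution Options (IFEO) keys and AppInit_DLLs, can be checked offline from a `reg export` taken on the infected machine, which is useful when something keeps re-creating the entries while you look at them live. The following Python script is an added example, not from the thread or from any tool mentioned in it. The sample export it parses is constructed here: the image names under IFEO, the `ntsd -d` debugger command and the `C:\Tools\windbg.exe` path are hypothetical, and `sperls.dll` is the only name taken from the thread.

```python
r"""Offline triage of a Windows .reg export for two persistence points:
Image File Execution Options (IFEO) 'Debugger' values and AppInit_DLLs.

Export the keys on the affected machine with reg.exe (present on XP), e.g.:
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" windows.reg
reg.exe writes UTF-16LE, so open those files with encoding="utf-16" before passing
their text to triage().
"""
import re
from typing import Dict, List, Optional, Tuple

RegTree = Dict[str, Dict[str, str]]  # key path -> {value name: value data}

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed sample export (hypothetical; not taken from the thread's logs).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\windbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableHeapLookaside"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="sperls.dll"
"""

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VAL_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s: str) -> str:
    # .reg string syntax escapes a quote as \" and a backslash as \\
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> RegTree:
    """Parse the subset of .reg syntax reg.exe emits: [key] headers and "name"=data lines."""
    tree: RegTree = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group("key")
            tree.setdefault(current, {})
            continue
        val_match = _VAL_RE.match(line)
        if val_match and current is not None:
            data = val_match.group("data")
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])  # REG_SZ; dword:/hex: data is kept verbatim
            tree[current][_unescape(val_match.group("name"))] = data
    return tree


def _lookup(values: Dict[str, str], name: str) -> Optional[str]:
    # Registry value names are case-insensitive.
    for k, v in values.items():
        if k.lower() == name.lower():
            return v
    return None


def find_ifeo_debuggers(tree: RegTree) -> List[Tuple[str, str]]:
    """(image name, debugger command) for each direct IFEO subkey carrying a Debugger value.

    Windows starts the Debugger command in place of the image, so a Debugger value under a
    security product's executable stops that product from ever running, which is the
    disablement described in the thread. Every entry returned here needs an explanation.
    """
    prefix = IFEO_KEY.lower() + "\\"
    hits = []
    for key, values in tree.items():
        if key.lower().startswith(prefix) and "\\" not in key[len(prefix):]:
            debugger = _lookup(values, "Debugger")
            if debugger is not None:
                hits.append((key[len(prefix):], debugger))
    return sorted(hits)


def find_appinit_dlls(tree: RegTree) -> List[str]:
    """DLLs listed in AppInit_DLLs; each is loaded into every process that links user32.dll."""
    for key, values in tree.items():
        if key.lower() == WINDOWS_KEY.lower():
            raw = _lookup(values, "AppInit_DLLs") or ""
            return [d for d in re.split(r"[ ,]+", raw.strip()) if d]
    return []


def triage(reg_text: str) -> Dict[str, list]:
    tree = parse_reg(reg_text)
    return {"ifeo_debuggers": find_ifeo_debuggers(tree),
            "appinit_dlls": find_appinit_dlls(tree)}


if __name__ == "__main__":
    report = triage(SAMPLE_REG)
    for image, command in report["ifeo_debuggers"]:
        print(f"IFEO Debugger on {image}: {command}")
    for dll in report["appinit_dlls"]:
        print(f"AppInit_DLLs entry: {dll}")
```

Run it against the two exports and treat every line it prints as something to account for: an IFEO Debugger value on a security product's binary, or any AppInit_DLLs entry you cannot tie to software you installed, is a finding. Because the thread reports the entries reappearing after deletion, re-export and re-run a few minutes later; a value that comes back points at a still-running process or service that restores it, which is the thing to remove first.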
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  4. Kinas

    Kinas Private E-2

    Here are the logs
     

    Attached Files:

  5. Kinas

    Kinas Private E-2

    And the last 2 of them

    Thank you for your help. I was able to fix all the problems and had unhooked the sperls.dll from my system.

    But I noticed that the dll still comes back to the windows/system32 folder periodically. I don't have any idea about its origin. At least for now my system is clean, and I only have to do virus scans to get rid of the dll each time it comes back.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you know what the below files are for
    Code:
    2008-04-30 17:06 . 2008-04-30 17:06  575,024  --a------  C:\WINDOWS\vsflex8l.ocx
    2008-04-30 17:06 . 2008-04-30 17:06  326,396  --a------  C:\WINDOWS\2.Z
    2008-04-30 17:06 . 2008-04-30 17:06  209,608  --a------  C:\WINDOWS\TABCTL32.OCX
    2008-04-30 17:06 . 2008-04-30 17:06  128,588  --a------  C:\WINDOWS\1.Z
    2008-04-30 17:06 . 2008-04-30 17:06   57,404  --a------  C:\WINDOWS\Vnarial.ttf
    2008-04-30 17:06 . 2008-04-30 17:06   31,260  --a------  C:\WINDOWS\3.Z
    Uninstall the below software:
    Authentium AntiVirus SDK - 2 <-- should have been uninstalled at the beginning of the READ ME. You must only have one antivirus installed.
    Bach Khoa Antivirus 2006 <-- should have been uninstalled at the beginning of the READ ME. You must only have one antivirus installed.
    Java(TM) 6 Update 5

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {7D5363BA-EA6A-4A20-8AAB-DA7A702F0159} - (no file)
    O18 - Protocol: tbr - (no CLSID) - (no file)
    O20 - Winlogon Notify: fsp_lmwl - C:\WINDOWS\
    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
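    The file listing quoted in this post is in the ComboFix "new files" layout: creation time, a dot, modification time, size, attributes and path. The usual way to decide which files to ask about is to group the listing by creation time, so everything written within the same few minutes (here, 2008-04-30 17:06) is looked at together, and then apply a few name heuristics. The script below is an added example, not from the thread or from ComboFix. It parses the six lines from the post plus two constructed entries with unrelated timestamps (the `example_a.dll` and `example_b.exe` paths are hypothetical); its all-digit-name heuristic is one prompt for a question, not a verdict on the files.

```python
"""Cluster a ComboFix-style 'new files' listing by creation time and flag odd names.
Listing format (one file per line): created . modified size attributes path
"""
import re
from datetime import datetime
from typing import List, NamedTuple

# Six lines quoted from the post, plus two constructed entries with other timestamps.
SAMPLE_LISTING = r"""
2008-04-30 17:06 . 2008-04-30 17:06  575,024  --a------  C:\WINDOWS\vsflex8l.ocx
2008-04-30 17:06 . 2008-04-30 17:06  326,396  --a------  C:\WINDOWS\2.Z
2008-04-30 17:06 . 2008-04-30 17:06  209,608  --a------  C:\WINDOWS\TABCTL32.OCX
2008-04-30 17:06 . 2008-04-30 17:06  128,588  --a------  C:\WINDOWS\1.Z
2008-04-30 17:06 . 2008-04-30 17:06   57,404  --a------  C:\WINDOWS\Vnarial.ttf
2008-04-30 17:06 . 2008-04-30 17:06   31,260  --a------  C:\WINDOWS\3.Z
2008-05-01 09:12 . 2008-05-01 09:12   12,288  --a------  C:\WINDOWS\system32\example_a.dll
2008-05-03 22:40 . 2008-05-03 22:41    4,096  --a------  C:\Documents and Settings\user\example_b.exe
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$"
)


class Entry(NamedTuple):
    created: datetime
    modified: datetime
    size: int
    attrs: str
    path: str


def parse_listing(text: str) -> List[Entry]:
    """Parse every line that matches the listing layout; headings and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(
            datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            int(m["size"].replace(",", "")),
            m["attrs"],
            m["path"],
        ))
    return entries


def cluster_by_creation(entries: List[Entry], window_minutes: int = 5) -> List[List[Entry]]:
    """Split entries into runs where each file was created within window_minutes of the previous one.
    Files dropped by one installer, or by one infection, land in the same run."""
    clusters: List[List[Entry]] = []
    for e in sorted(entries, key=lambda x: x.created):
        if clusters and (e.created - clusters[-1][-1].created).total_seconds() <= window_minutes * 60:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return clusters


def odd_windows_root_files(entries: List[Entry]) -> List[str]:
    """Heuristic: files placed directly in the Windows directory with an all-digit name
    (1.Z, 2.Z, ...) are rarely written by ordinary installers and are worth asking about
    first. This only selects what to ask about; it does not decide that a file is malicious."""
    flagged = []
    for e in entries:
        folder, _, name = e.path.rpartition("\\")
        stem = name.rpartition(".")[0] if "." in name else name
        if folder.lower() == "c:\\windows" and stem.isdigit():
            flagged.append(e.path)
    return sorted(flagged)


if __name__ == "__main__":
    items = parse_listing(SAMPLE_LISTING)
    for group in cluster_by_creation(items):
        print(f"{group[0].created:%Y-%m-%d %H:%M}: {len(group)} file(s)")
        for e in group:
            print(f"   {e.size:>9,}  {e.path}")
    print("ask about:", odd_windows_root_files(items))
```

On the six lines from the post the clustering puts all of them in one 17:06 group, which is why the three .Z files, the two .OCX controls and the font are best explained together rather than one at a time: if the owner can account for the OCX and TTF files as part of one install, the .Z files created in the same minute most likely belong to the same install, and if not, the whole group is suspect.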
     
  7. Kinas

    Kinas Private E-2

    - I'm not sure about the 3 *.z files, but they look pretty harmless. I'll keep an eye on them from now on
    - The *.ocx files are needed for my VC++ program, they are clean
    - The vnarial.ttf file is the font for my native keyboard typing program, it is also clean

    I've uninstalled Java 6 Update 5 and downloaded the newer version

    About Bach Khoa Antivirus 2006 (Bkav): This is my native country's antivirus program. I only use it to detect threats that KIS could not detect (threats in Asia). It is very useful. I'm certain that it doesn't interfere with KIS at all, and it is totally safe to keep it along with KIS

    About Authentium AntiVirus SDK - 2: I have never installed this into my system, maybe it is some rubbish leftover in the registry, or maybe a malware in disguise

    I've run HJT and fixed the 3 entries

    Before running ComboFix, I modified the script a little bit (removed the Bkav entries, because they're not malware)

    After finishing with CF, I moved on to installing Java Update 6, and successfully ran fixme.reg and CCleaner

    The full scan of KIS shows nothing to be considered a threat

    Here are the logs

    Thanks chaslang
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! You must not use multiple antivirus programs as stated in the READ ME. They will conflict and make each less effective. If KIS does not work properly for you then uninstall it and keep Bach Khoa if you think it is more effective, which I would doubt.

    No it is not malware. It was installed by you or software that you installed. Maybe from WinClamAVShield (which I see in your logs too) or also possibly software from an ISP. It is still in your uninstall list and needs to be uninstalled as already requested. It shows as: Authentium AntiVirus SDK - 2

    You still have a malware service that we were trying to remove with ComboFix and also one other item in HJT to fix.


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O18 - Protocol: tbr - (no CLSID) - (no file)

    After clicking Fix, exit HJT.

    Now we need to use ComboFix.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Double click on the same fixME.reg file you created last time and allow it to be added to the registry.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  9. Kinas

    Kinas Private E-2

    I've done all the steps you said, successfully.

    But there is still 1 problem left. This entry
    I've fixed it with HJT after closing my browser. Then I checked again and, to my surprise, it came back! I keep fixing it, and it keeps coming back.

    Apart from that entry, everything is ok. My system works very smoothly.

    Thanks for your help, chaslang
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not really! Authentium AV is still installed. Kaspersky and Bach Khoa are still installed. You need to resolve this.

    This is probably related to having the Crawler Toolbar installed with Spyware Terminator. If you don't use or don't like Crawler Toolbar, uninstall it. Some people don't like it.



    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Note: the space between cf" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    2. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    4. If we had you run Avenger, you can delete all files related to Avenger now.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  11. Kinas

    Kinas Private E-2

    I've uninstalled Bach Khoa and the Crawler toolbar.

    Actually, Authentium AV only has database files, these were installed along with Spyware Terminator when ST updated. I've removed them.

    Now my system is clean again. Thanks a lot, chaslang. Best wishes to you :)
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes Spyware Terminator does also have an antivirus option. I did not know they used Authentium. I thought they used Clam as advertised on their website
    You're welcome. Surf Safely.
     
