Malware/Trojan Help Please

Discussion in 'Malware Help (A Specialist Will Reply)' started by Coffee, May 15, 2008.

  1. Coffee

    Coffee Private E-2

    I am working on trying to fix a friend's computer. I have never seen such a horrible bunch of infections on one machine before. I ended up finding this forum while looking for help on trying to rid these problems that standard anti-virus programs aren't helping with.

    I went through the READ & RUN ME FIRST thread but encountered problems with Malwarebytes. I got to the point of installing it and running the scan. After the scan was finished I tried fixing the 60 infections it located. The first time it simply stopped responding. The second time I ran it and tried fixing, it terminated with no messages.

    I am hoping I can get some help as I am still encountering problems after finishing with the rest of the instructions to the best of my ability. A lot of this was quite new to me so please go easy on me if I've made any errors.

    My logs are below but I am missing Malwarebytes log file as I could not get it to finish.

    As a side note, one of the indicators I'm getting for this infection is a constant alert from AVG every time I open a browser window.

    File name: C:\WINDOWS\system32\dpwsoc.dll
    Threat name: Trojan horse Downloader.Delf.12.AN
    Detected on open.

    It says it removes it every time but it's still there.
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi Coffee,
    Welcome to Major Geeks!


    Please do the following and attach your results. If you aren't able to do this, please tell me what happens.



    Download FixIEDef by ShadowPuterDude to the Desktop.

    Disable real-time protection that can interfere with FixIEDef:

    Disable Windows Defender until the computer is clean


    • Open Windows Defender
    • Select Tools and then General Settings
    • Under Real Time Protection Options uncheck Turn on real-time protection
    • Select Save

    Don't forget to re-enable it, when your computer is clean.

    Disable SUPERAntiSpyware until the computer is clean


    • Right-click on the shortcut from the system tray
    • Choose View Control Center (preferences/options)
    • On the General and Startup tab, uncheck Start SUPERAntispyware when Windows starts.
    • Click Close to exit.

    Don't forget to re-enable it, when your computer is clean.

    Disable Teatimer
    First:


    • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    • Choose Exit Spybot S&D Resident


    Second:


    • Open Spybot S&D
    • Click Mode, check Advanced Mode
    • Go To Left Panel, Click Tools, then also in left panel, click Resident
    • If your firewall raises a question, say OK
    • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    • Use File, Exit to terminate Spybot
    • Reboot your machine for the changes to take effect.

    Don't forget to re-enable it, when your computer is clean.

    Run FixIEDef:

    Double-click FixIEDef


    Click 'OK'


    Click 'Scan'


    Click 'OK'. FixIEDef requires Administrator privileges to run correctly. This box tells you that FixIEDef successfully elevated its privileges to that of Administrator.


    Wait for the scan to finish. It won't take very long.


    WARNING: FixIEDef will kill all copies of Internet Explorer and Explorer that are running, during removal of malicious files. The icons and Start Menu on your Desktop will not be visible while FixIEDef is removing malicious files. This is necessary to remove parts of the infection that would otherwise not be removed.

    Everything will be restored to normal, once the malicious file is removed.

    Click 'Exit' once FixIEDef displays the All Finished message.


    Post the Results of the scan:

    Post the FixIEDef log file, located on the Desktop.
     
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Actually not in too bad a shape...so let's start with this:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\%username%\Local Settings\Temp

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Be sure to tell us how things are running.
     
  4. Coffee

    Coffee Private E-2

    abri - Did as you suggested but it came up negative. (log attached)

    TimW - Got closer with this one but still ran into problems. The Avenger program was unable to delete the first file. I was also unable to locate the second directory you gave me to manually delete. (logs attached) (I ran Avenger in safe mode. This wasn't the wrong thing to do was it?)

    Unfortunately I'm still getting the AVG trojan warnings when opening web pages.
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Reboot into safe mode.....then let's try it again:

    First tell me if you know what these are:
    Code:
    C:\Documents and Settings\Adam Riley\Application Data\
    internaldb41.dat"
    intern~2.dat  May 11 2008         554  "internaldb8467.dat"
    intern~3.dat  May 11 2008         372  "internaldb6334.dat
    
    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  6. Coffee

    Coffee Private E-2

    Hey TimW,

    I appreciate all the help so far but I'm still having trouble with this file. I ran the instructions below but still came up with the same error to delete the file in Avenger.

    While in explorer I was able to locate the directory ...user/local settings/temp this time though. (No idea why I was unable to see it before.) I attempted to manually delete all files in there but came up with an access denied for one. This prompted me to take a closer look at the HJT log to see if I could locate anything in reference to that directory, and found the following.


    O4 - HKLM\..\Run: [C:\DOCUME~1\ADAMRI~1\LOCALS~1\Temp\update.exe] C:\DOCUME~1\ADAMRI~1\LOCALS~1\Temp\update.exe

    I re-ran all the instructions below adding the above to be removed by HJT. I also added the file I could not delete into the Avenger script. Unfortunately I came up with the same error for trying to delete both files in Avenger.

    I have log files attached below from after the second attempt adding the additional items. I also have attached a jpg of a windows error message I am randomly getting every so often about a program trying to write to memory. I believe this may also be part of the infection problem. The source file referenced for the error is named wmiprvse.exe.

    Again, I appreciate all the help thus far. I have high hopes we will corner this wily thing soon. :)
     

    Attached Files:
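Added here as an illustration (not code from the thread, from HijackThis or from any tool named in it): a small Python triage over HijackThis O4 lines, run on constructed sample lines that copy the two quoted in this thread, flagging autoruns that launch from a Temp directory or whose value name is nothing but the file path.

```python
import re

# Constructed sample log: the two O4 lines quoted in this thread plus one ordinary entry.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis (constructed excerpt)
O4 - HKLM\..\Run: [C:\DOCUME~1\ADAMRI~1\LOCALS~1\Temp\update.exe] C:\DOCUME~1\ADAMRI~1\LOCALS~1\Temp\update.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
"""

# O4 lines look like:  O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Any path component named Temp (long or 8.3 short form both contain "\temp\").
TEMP_MARKER = "\\temp\\"


def parse_o4(line):
    """Return a dict with where/name/cmd for an O4 line, or None for other lines."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_entry(entry):
    """Reasons an autorun entry deserves a closer look; empty list means nothing notable."""
    reasons = []
    cmd = entry["cmd"].lower()
    if TEMP_MARKER in cmd:
        # Legitimate installers rarely persist from a Temp directory; updaters that
        # register themselves there are a classic downloader pattern.
        reasons.append("runs from a Temp directory")
    if entry["name"].strip().lower() == cmd.strip():
        # A value name that is just the executable path usually means a program
        # wrote the entry programmatically rather than through a normal installer.
        reasons.append("value name is the bare file path")
    return reasons


def triage(log_text):
    """Return [(value name, command, [reasons])] for every O4 entry that raises a flag."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = flag_entry(entry)
        if reasons:
            findings.append((entry["name"], entry["cmd"], reasons))
    return findings


if __name__ == "__main__":
    for name, cmd, reasons in triage(SAMPLE_HJT_LOG):
        print(f"[{name}] {cmd}\n    -> {'; '.join(reasons)}")
```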

  7. Coffee

    Coffee Private E-2

    I apologize for this as it is not part of my actual virus/malware removal problem. This is a test post and inquiry into posting time/approval. I had submitted a response post to the actions taken many hours ago. I received notice that my post would be submitted after approval from an admin. I'm not sure that this post has gone through properly. I'm also not able to find instructions or information regarding such delays/inspections of posts by registered users.

    This is to 1) test and ensure that I am able to post, and did not lose my previous post... and 2) ask/inquire about this delay/approval procedure for new posts (any information regarding this process would be appreciated.)
     
  8. abri

    abri MajorGeek

    Hi Coffee,

    I'm sorry for the difficulty. Some of your posts are being suspended before they are posted. The approval message you got was valid, I'm just not sure what set it off. There have been a number of posts among different users that have been suspended that shouldn't have been and others which should have been picked up which weren't.

    For now, I just wanted to let you know your post is visible and that it would be to the people working on your thread in any case.

    abri
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Run Process Explorer 10.21

    Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    dpwsoc.dll

    After you have killed all instances of any of the above DLLs under winlogon click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    dpwsoc.dll

    After you have killed all instances of any of the above DLLs under Explorer click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    dpwsoc.dll.

    After you have killed all instances of any of the above DLLs under iexplore click ok.
    (If you do not find these DLLS, just continue on.)

    Now just exit Process Explorer.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix, exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    File::
    C:\WINDOWS\system32\dpwsoc.dll
    C:\Documents and Settings\Adam Riley\Local Settings\Temp\tovimqxu.dat
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Tell me if you had any error messages doing the above.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from ComboFix.
     
  10. Coffee

    Coffee Private E-2

    Think I boned it on this one. Got to the point after running combofix and realized I still had AVG running and that I should probably be doing this with that disabled. That would explain why I wasn't finding the dll file in any of the process threads when I ran ProcessExplorer.

    Both files are still there and were not successfully deleted. I will try to run this process again with AVG disabled. Interestingly though, I looked through the O4 startup entries again while I was running HJT. I noticed an entry in there for GoogleToolbarNotifier:

    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    As I had uninstalled it for my friend during initial cleanup (I personally detest the thing) I checked it to be removed while trying to remove the dll file entry again.

    After all was said and done running the process below (with AVG running :eek:) I went to locate the directory listed above (GoogleToolbarNotifier) to delete it. I found the Google folder but no sub folder existed with the name GoogleToolbarNotifier.

    Even though nothing else has seemed to change (those two persistent files are currently still there) I am no longer getting the AVG Trojan warnings for the dpwsoc.dll when opening IE or an Explorer window.

    For now I will attach the log files from below but I will rerun the process with AVG disabled and attach log files again.
     

    Attached Files:

  11. Coffee

    Coffee Private E-2

    Here are the log files after running the process again with AVG disabled.
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You also need to turn off your active anti-spyware programs, as they may block the fix....

    In normal mode, you ran process explorer and found no instance of the dpwsoc.dll running anywhere?

    I am going to suggest that you uninstall all poker programs for the time being and see if one of those is the cause.

    Then ...uninstall all IE toolbars......

    Reboot and with ALL protection programs disabled:

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now use windows explorer to see if the C:\WINDOWS\system32\dpwsoc.dll still exists......If it does, I want you to go to start / run / and type "sfc /scannow" without the quotes and be ready to put your xp cd in the drive. (Run it twice).

    Tell me what happens.
     
  13. Coffee

    Coffee Private E-2

    Well, went on a massive manual clean up after uninstalling any extra programs I thought could go from his computer. No more poker games on here. Went and manually deleted all left over application folders from previous installs he had.

    Unhooked from internet and all security/anti-virus/malware protection off I ran the process again. Still no love. :(

    Unfortunately I am dealing with a Dell laptop and they are notorious for not supplying Windows install disks or back up disks. I also don't have any of my own for Windows Media Center to use. I do have a Windows XP Professional install disk with SP 2, but I don't think that can be used instead? So the last part I am unable to perform unless I can find a WMC install disk. :(

    I'll see what I can do to try and locate one, but it won't be an easy task for me.
     
  14. Coffee

    Coffee Private E-2

    Scratching my head here. The windows sticker on bottom of his laptop says "Windows XP Media Center Edition 2005", yet when I look at system info it says it's installed with 2002.

    Having the key(serial) on the computer itself, is there any way I can get ahold of an iso for MCE 2005 somewhere reliable for download? (Do I need 2002 disk because of what's above? Really confused as to the difference in his system info compared to key sticker on back.) The key itself is what authenticates it anyway. I don't suppose MS offers anything like that? :(
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Look in the system32 folder.....do you have a dpwsock.dll? Note the K .....then right click the dpwsoc.dll and tell me the properties of that dll.
     
  16. Coffee

    Coffee Private E-2

    Yes there is a dpwsock.dll, a dpwsockx.dll, and a dpnwsock.dll along with a number of other dp items. Have printscreen snapshot of system32 section for dp*.* and snapshot of dpwsoc.dll properties attached. The Summary section was fully blank.

    The dpwsoc.dll is the only one of the above named dll files not showing a Version tab, and stating it's a Microsoft file under that tab.
     

    Attached Files:

  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Right click the dpwsoc.dll and see if you can rename it ...just dpwsoc.old.dll ....then reboot and see if it remains with that name.
     
  18. Coffee

    Coffee Private E-2

    That's a No-Go as well. The file is clearly in use, but running through Process Explorer again, doing a complete search, resulted in no finds. Even just a look at properties and changing the summary tab to advanced gave me a file in use error when trying to click ok. I was able to copy the file to desktop and rename it there. I changed it to dpwsoc.old.dll, then to just dpwsoc.old for safety.

    I opened it up in Notepad then WordPad to see if I could see anything in plain text that might give some clue. The only things I picked up from a quick visual scan of it were at the top stating "This program must be run under Win32" and a reference to "kernel32.dll".

    Is there a PE disassembler I can run that might give me more access to the workings of the file? I would upload a copy of the file but I'm afraid to post something that might be potentially dangerous in some way if used incorrectly.

    Edit: Went through the file in WordPad again and found a line with the following plain text information in it. Don't know if this will help any but trying hard to help give more info.

    Kernel32.dll advapi32.dll ole32.dll oleaut32.dll shell32.dll user32.dll wininet.dll LoadLibraryA GetProcAddress VirtualProtect VirtualAlloc VirtualFree RegCloseKey IsEqualGUID LoadTypeLib SHGetMalloc SetTimer InternetCrackUrlA bhra55.dll DllCanUnloadNow DllGetClassObject DllRegisterServer DllUnregisterServer InitEntry

    The above was all on one line with unreadable characters between them. Don't know if that was even worth posting but figured it can't hurt. I thought it might spark something for you if I was lucky.
     
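An added example, not from the poster or from any tool in the thread: a Python strings triage that does offline what the WordPad look above did by eye. It runs over a constructed byte blob containing the DOS stub text and import names quoted in the post (stand-in data, not the real dpwsoc.dll), and groups the hits into the behaviours a defender would note.

```python
import re

# Constructed stand-in for the file: the names the post quoted, separated by
# non-printable filler so each becomes its own ASCII run. Not the real dpwsoc.dll.
NAMES = [b"kernel32.dll", b"advapi32.dll", b"ole32.dll", b"oleaut32.dll", b"shell32.dll",
         b"user32.dll", b"wininet.dll", b"LoadLibraryA", b"GetProcAddress",
         b"VirtualProtect", b"VirtualAlloc", b"VirtualFree", b"RegCloseKey", b"SetTimer",
         b"InternetCrackUrlA", b"bhra55.dll", b"DllCanUnloadNow", b"DllGetClassObject",
         b"DllRegisterServer", b"DllUnregisterServer", b"InitEntry"]
SAMPLE_DLL_BYTES = (
    b"MZ" + b"\x00" * 6
    + b"This program must be run under Win32\r\n$\x00"   # DOS stub message
    + b"PE\x00\x00"
    + b"\x00\x01".join(NAMES) + b"\x00"
)

# DLLs any ordinary Windows program imports; anything else referenced is worth a look.
COMMON_SYSTEM_DLLS = {"kernel32.dll", "advapi32.dll", "ole32.dll", "oleaut32.dll",
                      "shell32.dll", "user32.dll", "wininet.dll"}

# Groups of strings and what their presence suggests (labels are the author's wording).
INDICATORS = {
    "Borland/Delphi DOS stub text (consistent with the 'Delf' family name AVG reported)":
        ["This program must be run under Win32"],
    "resolves imports at run time (hides what it calls from a static import table)":
        ["LoadLibraryA", "GetProcAddress"],
    "allocates memory and changes its protection (unpacking or self-modifying code)":
        ["VirtualAlloc", "VirtualProtect"],
    "in-process COM server exports (what a BHO or ActiveX control needs to self-register)":
        ["DllRegisterServer", "DllGetClassObject", "DllCanUnloadNow"],
    "parses URLs via WinINet (fits a browser-hooking downloader)":
        ["wininet.dll", "InternetCrackUrlA"],
}


def extract_strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, like the strings(1) tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def unknown_dll_references(strings):
    """Module names mentioned in the file that are not standard system DLLs."""
    return sorted({s for s in strings
                   if s.lower().endswith(".dll") and s.lower() not in COMMON_SYSTEM_DLLS})


def triage(data):
    """Map each indicator label to the strings from that group actually present."""
    found = set(extract_strings(data))
    return {label: [n for n in needles if n in found]
            for label, needles in INDICATORS.items()
            if any(n in found for n in needles)}


if __name__ == "__main__":
    for label, hits in triage(SAMPLE_DLL_BYTES).items():
        print(f"{label}\n    {', '.join(hits)}")
    print("unknown DLL references:", unknown_dll_references(extract_strings(SAMPLE_DLL_BYTES)))
```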
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    OK...let's try a different cleaner:

    Please download and use: DeleteOnClick

    Just on that one file - > nothing else. Let me know if that works.
     
