Mod.exe Trojan... Fixed but question

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Zaratoughda, Jan 11, 2012.

  1. Zaratoughda

    Zaratoughda Private E-2

    I managed to get a trojan on my computer and I fixed it, but wanted to post here FYI and also I have a question.

    The trojan ran an apparently fake version of Windows Security Manager with a fake scan and wanted you to download something to fix it, and my guess is they were trying to steal your cc info.

    If I ran MSIE, it would not connect saying there was a virus problem.

    If I tried running Malwarebytes, nothing happened.

    There was a process running under Task Manager, Mod.exe, that I did not recognize and ending it ended the fake WSM from running.

    I tracked this program down, to...

    Doc & Set\Owner\Local Settings\Application Data\Mod.exe

    using a standard Windows Search.

    If I renamed it, then the fake WSM did not run, and MSIE worked, but if I tried to run anything I got prompted with 'what do you want to run this with'.

    I fixed the problem (hopefully completely) by writing a program, I have this capability, that invoked Malwarebytes through the API. With this, Malwarebytes ran and it found like 6 problems in the registry, fixed those, and rebooted and, so far so good, not seeing the problems I was seeing before.

    But, Malwarebytes did NOT remove Mod.exe from that folder. So, I went into DOS and renamed it to Mod.exeCRAP.

    My question is, is Mod.exe a program that has some importance to Windows or, is it just what was left over from the trojan, in which case renaming it to non-exe or just deleting it was appropriate on my part?

    Thanks in advance for any help!!

    P.S. I have the Malwarebytes log if you are interested but, I would imagine you have seen this all before.

    P.S.2. A second way to fix this problem that might work: copying mbam.exe to, say, zzzz.exe and running that in the Malwarebytes folder, but I did not try that myself.
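    The 'what do you want to run this with' prompt that appeared once Mod.exe was renamed is consistent with a hijacked .exe file association, a common fake-AV trick; that is an inference, the thread itself never establishes the cause on this machine. The script below is an added example, not from the post above and not one of the tools used in this thread, that checks the three registry values involved. The assessment function works on plain strings so it can be exercised anywhere; the live read uses winreg and therefore only runs on Windows, from the affected account, since the per-user override lives under HKCU.

```python
"""Check the .exe file association that fake-AV infections commonly hijack.

Added illustration for the "what do you want to open this with" symptom.
A modified .exe association is assumed to be the cause; the thread never
confirms it. assess_exe_association() works on strings so it runs offline;
read_live_values() reads the registry and therefore runs on Windows only.
"""
import re
import sys

# Defaults on an unmodified Windows install (assumption used by the check).
DEFAULT_DOT_EXE_PROGID = "exefile"
DEFAULT_OPEN_COMMAND = '"%1" %*'


def normalize_command(cmd):
    """Collapse runs of whitespace so cosmetic spacing does not trip the check."""
    return re.sub(r"\s+", " ", cmd or "").strip()


def assess_exe_association(hkcr_dot_exe, hkcu_dot_exe, open_command):
    """Return a list of findings; an empty list means the association looks normal.

    hkcr_dot_exe : default value of HKCR\\.exe (the ProgID), normally "exefile"
    hkcu_dot_exe : default value of HKCU\\Software\\Classes\\.exe, or None when
                   that key does not exist (absent is the normal state)
    open_command : default value of HKCR\\exefile\\shell\\open\\command
    """
    findings = []
    if (hkcr_dot_exe or "") != DEFAULT_DOT_EXE_PROGID:
        findings.append("HKCR\\.exe maps to %r instead of %r"
                        % (hkcr_dot_exe, DEFAULT_DOT_EXE_PROGID))
    if hkcu_dot_exe is not None:
        # A per-user .exe class shadows the machine-wide one for this account.
        findings.append("per-user override HKCU\\Software\\Classes\\.exe exists "
                        "(ProgID %r)" % hkcu_dot_exe)
    if normalize_command(open_command) != DEFAULT_OPEN_COMMAND:
        # Anything else here is executed in place of, or before, every program.
        findings.append("exefile open command is %r, expected %r"
                        % (open_command, DEFAULT_OPEN_COMMAND))
    return findings


def read_live_values():
    """Read the three registry values (Windows only; winreg is imported lazily)."""
    import winreg

    def default_value(root, path):
        # None: key absent.  "": key present but no default value set.
        try:
            key = winreg.OpenKey(root, path)
        except FileNotFoundError:
            return None
        with key:
            try:
                return winreg.QueryValueEx(key, "")[0]
            except FileNotFoundError:
                return ""

    return (
        default_value(winreg.HKEY_CLASSES_ROOT, ".exe"),
        default_value(winreg.HKEY_CURRENT_USER, r"Software\Classes\.exe"),
        default_value(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command"),
    )


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("the live registry check only runs on Windows")
    for line in assess_exe_association(*read_live_values()) or ["no findings"]:
        print(line)
```

    A finding that quotes a path in the open command means that file is started whenever any .exe is launched, which is also why scanners can appear to do nothing when double-clicked while a renamed copy still runs.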
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I do not think it had any importance to Windows, and as you say, is more than likely a remnant left over. :)
     
  3. Zaratoughda

    Zaratoughda Private E-2

    OK, thanks for replying! In a subsequent running of MalwareBytes it found mod.exeCRAP and deleted it.

    BUT (!), turns out what I had before was just the tip of the iceberg as far as having problems. To make a long story short, after running MWB and SAS many times I ran ComboFix and ComboFix found 'rootkit.zeroaccess' in the TCP/IP stack and said it was a very difficult trojan to remove. Ended up running ComboFix three times (lost keyboard access after the second time but running it the third time fixed that) and, so far the problems I was having seem to be fixed (so far so good). These included...

    - Windows Security Manager was not available and the service wasn't even listed in the services.
    - When I came back from hibernating, my computer hung. Had to pull power cord.
    - If I disabled my Internet connection and then re-enabled it, it would go into an endless loop 'acquiring network address'. It worked but was filling up the error log, etc.
    - Would see lots of traffic on my network icon in the tray, which was bad news as something was getting adware cookies and what not off the internet.
    - Redirection in MSIE, was getting hideous.

    The first 4 are fixed and the last one apparently so but need more testing.

    The only concern, last time I ran ComboFix it still said it had found rootkit.zeroaccess but, in the log it didn't seem like it did anything about it. Were no deleted files and the like. So, apparently there is still some trace of it on my system but, it is not active or affecting anything anymore (apparently).

    Again, thanks for getting back to me and if you have any other comments they will be appreciated.

    Z

    P.S. Yeah, the big thing for me is to NOT go to unsavory sites, particularly those like 'check out wet T-shirt broad' posted in free boards, as well as other unsavory sites (unauthorized TV streaming and the like).
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi again. It would be a wise idea if you were to follow these procedures, obviously skipping the tools you have already run, such as Combofix.

    READ & RUN ME FIRST. Malware Removal Guide

    I also want you to run the below. Attach everything once you have all the logs ready.

    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run


    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
     
  5. Zaratoughda

    Zaratoughda Private E-2

    I was actually following the procedure, have the web page saved on my computer, as well as all the related web pages. Once I ran ComboFix it seemed to fix the problem and had suggested I run it again if necessary so I did that to check. What I should have done is save the ComboFix log before I did that because it overlaid the original one.

    When I ran CF the first time, it displayed a pop-up saying I had rootkit.zeroaccess in my TCP/IP stack, and then a short time later, it displayed another similar but different pop-up saying essentially the same thing. It then displayed each of these pop-ups a second time. When CF was done I looked at the log and it had deleted a number of files starting with #uninstall but at the last one, said it could not delete the file.

    This is when I ran ComboFix the second time, again just to check. This time, it displayed the two pop-ups again but, only once for each. Same thing the 3rd time around (which I did to restore keyboard access) and the logs for these two are identical and, they do not seem to show any problems.

    So, what I did now was to finish up the procedure, as you requested, and then I ran the additional two programs you suggested. Attached are the log files (the last log file for ComboFix is included in MGLogs.zip). TDSSKiller did not find any problems, but MBRCheck found a nonstandard MBR.

    Yes, I would have been better off running the procedure exactly as mentioned and saving the logs before doing anything else. But, I might not know there might still be a problem if I hadn't run CF the second time.

    Thanks again for your help!

    Z
     

    Attached Files:

  6. Zaratoughda

    Zaratoughda Private E-2

    Oh, I should mention here that, on the MBR, when I had a trojan problem maybe 16 months ago, and used ComboFix for the first time, it wanted a recovery console which I did not have and I had to get a logical boot record which it used to create the recovery console.

    Possibly this made the MBR non-standard but, I am not an expert on these things.
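    What MBRCheck (post 4) is judging when it reports a "non-standard or infected MBR" is the 446 bytes of boot code at the start of the disk, compared against a list of known loaders; the partition table behind it is usually left intact by bootkits. The script below is an added example, not MBRCheck and not part of this thread, that parses an MBR image and applies the same kind of checks. It does not carry MBRCheck's reference hashes: the caller supplies the known-good set, and the demo builds one from a constructed image, so every byte of sample data here is made up. To look at a real disk, pass a raw device path (\\.\PhysicalDrive0 on Windows from an elevated prompt, /dev/sda on Linux as root); only the first 512 bytes are read.

```python
"""Parse a 512-byte MBR and apply the kind of checks an MBR checker reports on.

Added example; not MBRCheck, and without its reference list of boot-code
hashes. "non-standard" below means only "boot code hash not in the set the
caller passed". Sample data is constructed, not read from any disk.
"""
import hashlib
import struct
import sys

BOOT_CODE_LEN = 446            # bytes 0..445 hold the boot loader
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries follow
PARTITION_ENTRY = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA, sectors
SIGNATURE = b"\x55\xAA"        # bytes 510..511


def boot_code_hash(mbr):
    """SHA-256 of the boot code region, the value compared against known MBRs."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_partition_table(mbr):
    """Decode the four primary partition entries (empty slots included)."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PARTITION_ENTRY, mbr, PARTITION_TABLE_OFFSET + i * 16)
        entries.append({"index": i, "status": status, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr, known_boot_hashes=None):
    """Return a list of findings; empty means nothing unusual was seen."""
    findings = []
    if len(mbr) != 512:
        return ["expected 512 bytes, got %d" % len(mbr)]
    if mbr[510:] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    digest = boot_code_hash(mbr)
    if known_boot_hashes is not None and digest not in known_boot_hashes:
        findings.append("non-standard boot code (sha256 %s...)" % digest[:16])
    parts = parse_partition_table(mbr)
    if sum(p["bootable"] for p in parts) > 1:
        findings.append("more than one partition flagged bootable")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append("entry %d has invalid status byte 0x%02X" % (p["index"], p["status"]))
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append("entry %d has type 0x%02X but zero length" % (p["index"], p["type"]))
    return findings


def build_sample_mbr(boot_code, partitions):
    """Assemble a constructed MBR image (test data, not read from any disk)."""
    assert len(boot_code) <= BOOT_CODE_LEN
    mbr = bytearray(512)
    mbr[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, sectors) in enumerate(partitions):
        struct.pack_into(PARTITION_ENTRY, mbr, PARTITION_TABLE_OFFSET + i * 16,
                         status, ptype, lba, sectors)
    mbr[510:] = SIGNATURE
    return bytes(mbr)


# Constructed stand-in for boot code; it is not real loader code.
SAMPLE_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 100
SAMPLE_PARTITIONS = [(0x80, 0x07, 63, 1_000_000)]  # one bootable NTFS-type partition


def demo():
    """The clean image passes; the same image with altered boot code is flagged."""
    clean = build_sample_mbr(SAMPLE_BOOT_CODE, SAMPLE_PARTITIONS)
    known = {boot_code_hash(clean)}
    tampered = build_sample_mbr(SAMPLE_BOOT_CODE[:-16] + b"\xEB\xFE" * 8, SAMPLE_PARTITIONS)
    return {"clean": check_mbr(clean, known), "tampered": check_mbr(tampered, known)}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as disk:
            image = disk.read(512)
        print("boot code sha256:", boot_code_hash(image))
        for p in parse_partition_table(image):
            if p["type"]:
                print("partition %d: type 0x%02X lba %d sectors %d%s" % (
                    p["index"], p["type"], p["lba_start"], p["sectors"],
                    " (active)" if p["bootable"] else ""))
        for f in check_mbr(image):
            print("finding:", f)
    else:
        print(demo())
```

    Without a known-good set the script only prints the hash and the partition layout; comparing that hash against a second, known-clean machine of the same Windows version is the manual equivalent of what MBRCheck automates. OEM boot managers and disk-encryption loaders also produce a non-standard result, so "non-standard" alone is not proof of infection.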
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Java(TM) 6 Update 25 <--- uninstall outdated Java.


    Now we need to use ComboFix by sUBs

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    C:\Documents and Settings\Owner\Local Settings\Application Data\658q05w858807wc7kb777nl
    C:\Documents and Settings\All Users\Application Data\658q05w858807wc7kb777nl
    C:\Documents and Settings\Owner\Templates\658q05w858807wc7kb777nl
    
    Registry::
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{90222CBD-9088-4EE7-9FF2-6D7F00423F3E}]
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.


    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  8. Zaratoughda

    Zaratoughda Private E-2

    I have run the procedure as directed.

    When ComboFix was running, the two pop-ups on the rootkit problem were displayed, and then a 3rd saying it needed to reboot the machine.

    Otherwise nothing unusual occurred. ComboFix rebooted the machine once.

    MGLogs.zip is attached.

    Thank you,

    Z
     

    Attached Files:

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Those logs look good. Just run Combofix for me once more and attach the log. Let me know if it reports anything about rootkit activity.
     
  10. Zaratoughda

    Zaratoughda Private E-2

    Ran ComboFix again as directed and, same results as previous. Two pop-ups stating rootkit activity and then a third saying the same and rebooting the machine.

    Log attached.

    Thanks,

    Z

    P.S. Oh, I saw some reports of SAS (SUPERAntiSpyware) in the logs and so I went to add/remove programs and had it removed. But, this did not remove the service listing (disabled that) and did not remove SAS related entries in the boot record. So, I get an error message on that in the system log whenever I boot my machine. Guess this is not really a problem.
     

    Attached Files:

  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Basically you are saying you uninstalled SAS but there are remnants that still exist? Why did you even uninstall it? :confused

    Download OTL to your desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Vista and Windows 7 users Right-click OTL and choose Run as Administrator)
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.
     
  12. Zaratoughda

    Zaratoughda Private E-2

    I basically do not like programs that run without my permission.

    Malwarebytes is one I really like because it doesn't do anything, has nothing running, unless I tell it to. SAS was fine also but the latest version changed all that. Was a process that if I killed it just came back, and then in some of the logs it was showing up with question marks in front of it, and SAS tends to find a lot of adware.tracking cookies that are not really problems.

    So, I went to add/remove programs and removed it but, this didn't remove it completely.

    I ran OTL and the logs are attached.

    Z
     

    Attached Files:

  13. thisisu

    thisisu Malware Consultant

    Code:
    "C:\Documents and Settings\Owner\My Documents\"
    xxxx.txt      Jan 10 2012       45062  "xxxx.txt"
    If you do not know what this text file is for, please delete it.

    Code:
    "C:\Documents and Settings\Owner\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\"
    mb2b4e~1.txt  Jan 11 2012        1858  "mbam-log-2012-01-11 (22-05-29).txt"
    http://img850.imageshack.us/img850/4124/mbam.gif Please attach the text file listed above (mbam-log-2012-01-11 (22-05-29).txt).

    http://img7.imageshack.us/img7/2461/sase.gif You shouldn't have uninstalled SAS, we want to review these logs but now they aren't any.

    http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
    Code:
    :otl
    [2008/04/11 13:34:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}
    [2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    :services
    !SASCORE
    :files
    C:\WINDOWS\$NtUninstallKB57661$
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\BNDHRGIM\*.xml
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\MGSA6DL7\*.xml
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\YBRQKN2O\*.xml
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\YM9WECHB\*.xml
    xcopy %temp%\smtmp\1 "%allusersprofile%\start menu" /s /i /h /y /c
    xcopy %temp%\smtmp\2 "%userprofile%\application data\microsoft\internet explorer\quick launch" /s /i /h /y /c
    xcopy %temp%\smtmp\3 "%appdata%\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar" /s /i /h /y /c
    xcopy %temp%\smtmp\4 "%allusersprofile%\desktop" /s /i /h /y /c
    dir /s C:\WINDOWS\$NtUninstallKB57661$ /c
    :commands
    [purity]
    [emptytemp]
    [resethosts]

    Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)
     
  14. Zaratoughda

    Zaratoughda Private E-2

    * xxxx.txt was an old RootRepeal log which I renamed. Deleted.

    * Thinking about it, if I didn't want that SAS process running all the time all I needed to do was disable the service.

    * Ran the procedure as directed. Logs attached. The event log still shows the error with the SAS core service.

    Thanks,

    Z
     

    Attached Files:

  15. thisisu

    thisisu Malware Consultant

    Make sure you have flushed the Event Logs so you are not seeing the old ones. According to OTL that service was removed successfully so you should not be receiving any errors about that anymore.

    http://img194.imageshack.us/img194/4930/combofix.gif Also download a new copy of ComboFix and tell me if it still reports ZeroAccess.

    http://img254.imageshack.us/img254/945/baticonxp.gif Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  16. Zaratoughda

    Zaratoughda Private E-2

    I flushed the event logs and rebooted the machine and still got the error message in the event log. It is:

    The following boot-start or system-start driver(s) failed to load:
    SASKUTIL

    Right after I removed SAS and checked the event logs there were TWO error messages coming up. The above and another one on the SAS service. Once I disabled the SAS service the other error message stopped.

    I ran ComboFix and the ZeroAccess warning pop-ups did not appear, and there was no reboot. So, looks like any remaining traces of ZeroAccess have been removed.

    The logs from MGTools are attached.

    Thanks again!

    Z
     

    Attached Files:

  17. thisisu

    thisisu Malware Consultant

    http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
    Code:
    :services
    SASKUTIL
    SASDIFSV

    Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Let Kestrel13! know what remaining malware problems you are having, if any.
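    The event quoted in post 16 ("The following boot-start or system-start driver(s) failed to load", Service Control Manager event ID 7026) is raised when a service entry with Start=0 or Start=1 still exists under HKLM\SYSTEM\CurrentControlSet\Services but its driver file is gone, which is exactly what the :services fix above deletes. The script below is an added example, not one of this thread's tools, that finds such orphaned entries so you can list them before removing anything. It assumes the usual values (Start: 0 boot, 1 system, 2 auto, 3 demand, 4 disabled; Type: 1 kernel driver, 2 file-system driver, 0x10/0x20 Win32 service; ImagePath), and its sample registry data, including the SAS paths, is constructed. find_orphaned_drivers() takes a plain dict and runs anywhere; enumerate_services() reads the live registry on Windows.

```python
"""List boot-start/system-start drivers whose image file no longer exists.

Added example for SCM event 7026 and the OTL :services cleanup; not one of
the thread's tools. Registry layout assumed: Services\<name> with Start,
Type and ImagePath. Sample data below is constructed, paths included.
"""
import os
import re
import sys

START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
DRIVER_TYPES = {0x1, 0x2}  # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER


def resolve_image_path(image_path, system_root=r"C:\WINDOWS"):
    """Turn the forms ImagePath takes into one absolute path (simplified rules).

    Handles 'system32\\DRIVERS\\x.sys' (relative to the Windows directory),
    '\\SystemRoot\\...', '%SystemRoot%\\...', '\\??\\C:\\...', and quoted or
    argument-carrying service command lines.
    """
    p = (image_path or "").strip()
    if not p:
        return ""
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]
    else:
        m = re.match(r"(\S+\.(?:sys|exe|dll))", p, re.IGNORECASE)
        if m:
            p = m.group(1)  # drop service arguments such as '-k netsvcs'
    if p.startswith("\\??\\"):
        p = p[4:]
    for prefix in ("\\systemroot\\", "%systemroot%\\"):
        if p.lower().startswith(prefix):
            p = system_root + "\\" + p[len(prefix):]
            break
    if not re.match(r"^[A-Za-z]:\\", p):
        p = system_root + "\\" + p
    return p


def find_orphaned_drivers(services, exists=os.path.exists, system_root=r"C:\WINDOWS"):
    """Return [(name, start, resolved_path)] for boot/system-start drivers with no image.

    services maps service name -> {"Start": int, "Type": int, "ImagePath": str};
    missing keys are tolerated. A driver without ImagePath is assumed to load
    from system32\\drivers\\<name>.sys, the loader's default location.
    """
    orphans = []
    for name, v in sorted(services.items()):
        if v.get("Type", 0) not in DRIVER_TYPES or v.get("Start", 3) not in (0, 1):
            continue  # Win32 services and demand/disabled drivers never raise 7026
        image = v.get("ImagePath") or "system32\\drivers\\%s.sys" % name
        path = resolve_image_path(image, system_root)
        if not exists(path):
            orphans.append((name, START_NAMES[v["Start"]], path))
    return orphans


def enumerate_services():
    """Read Start/Type/ImagePath for every service key (Windows only)."""
    import winreg
    services = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            entry = {}
            try:
                with winreg.OpenKey(root, name) as key:
                    for value in ("Start", "Type", "ImagePath"):
                        try:
                            entry[value] = winreg.QueryValueEx(key, value)[0]
                        except FileNotFoundError:
                            pass
            except OSError:
                continue  # key not readable from this account
            services[name] = entry
    return services


# Constructed sample modelled on the thread's symptom; the paths are invented.
SAMPLE_SERVICES = {
    "SASKUTIL": {"Start": 1, "Type": 1, "ImagePath": r"\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS"},
    "SASDIFSV": {"Start": 1, "Type": 1, "ImagePath": r"\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS"},
    "ExampleFs": {"Start": 0, "Type": 2, "ImagePath": r"system32\drivers\examplefs.sys"},
    "NoPathDrv": {"Start": 1, "Type": 1},  # relies on the default location
    "OldDrv": {"Start": 4, "Type": 1, "ImagePath": r"system32\drivers\olddrv.sys"},  # disabled: ignored
    "Browser": {"Start": 2, "Type": 0x20, "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs"},
}
SAMPLE_FILES_PRESENT = {  # constructed stand-in for the file system
    r"C:\WINDOWS\system32\drivers\examplefs.sys",
    r"C:\WINDOWS\system32\drivers\NoPathDrv.sys",
}


if __name__ == "__main__":
    if sys.platform == "win32":
        found = find_orphaned_drivers(enumerate_services(),
                                      system_root=os.environ.get("SystemRoot", r"C:\WINDOWS"))
    else:
        found = find_orphaned_drivers(SAMPLE_SERVICES, exists=SAMPLE_FILES_PRESENT.__contains__)
    for name, start, path in found:
        print("%-12s %-7s %s" % (name, start, path))
```

    Run on the sample, it lists SASDIFSV and SASKUTIL and nothing else: the disabled driver and the Win32 service are skipped because neither produces a 7026. Disabling an orphaned entry (Start=4) silences the event just as deleting the key does, which is the less destructive option when you are not yet sure what the entry belonged to.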
     
  18. Zaratoughda

    Zaratoughda Private E-2

    I ran OTL with the fix text as directed. The log is attached.

    Then, I flushed the event log and rebooted my machine and the error message on the SAS driver was not there.

    So, apparently the problem is fixed.

    If I have another problem like this one and need to run the 'read and run me first' again I will run SAS but then if I have a problem with the service always running I will just disable the service from Control Panel.

    Many thanks for your help!!

    Z
     

    Attached Files:

  19. thisisu

    thisisu Malware Consultant

    You're welcome. I am glad we were able to resolve your malware issues.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Take care and be safe! :)
     
