HELP - Trojans/Backdoors, TCMicro 2007 and Read and Run Me First didn't help

Discussion in 'Malware Help (A Specialist Will Reply)' started by thevictim, Dec 30, 2006.

  1. thevictim

    thevictim Private E-2

    Hi,

    My Sony VAIO running Windows XP Service Pack 2 has been infested with Trojans. I learnt this, unfortunately not from my recently upgraded Trend Micro PC-cillin Internet Security 2007, but from the excellent Read and Run Me First on this malware removal forum.

    The symptoms
    1. The options "Save password" and "Connect automatically" on the DSL account dialer were permanently disabled and the username / password fields were empty (which they normally aren't, because I have saved these settings)

    2. Launching regedit in normal mode launches the window but closes it immediately thereafter (in a split second).



    Actions taken so far
    1. Ran the antivirus installed on my machine (Trend Micro PC-Cillin Internet Security 2007 /recently upgraded from version 2006). Found oreans32.sys and TSPY_HUPIGNON on my machine on the very first run soon after I had detected suspicious activity.
    2. Googled and immediately came upon your read and run me first.
    3. Followed the instructions to a T except the Panda ActiveScan, which I couldn't run because of problems I couldn't fix or didn't know how to fix.

    Possible causes stated on the Panda website said
    a. Insufficient privileges to ActiveX object
    b. Problems with Internet connection
    c. Insufficient disk space or errors

    None of these seemed to be the issue, so I didn't know what to do and skipped Panda.


    RESULTS
    Special removal procedures -> I chose Vundo -> detected nothing
    Add Remove programs -> didn't apply to me, as I didn't see anything suspicious at all in the list
    Spybot Search & Destroy -> detected nothing
    CounterSpy -> detected Trojan.Sheeta and removed it from the computer

    Bitdefender -> detected more problems (generic malware ,Backdoor.SDBot.CO)
    PandaActiveScan -> couldn't run because of the reasons explained earlier
    Alternative scans -> Ran Kaspersky online scan (I must say I was impressed... this one detected the most problems compared to all the above.)

    The online scans were performed in normal boot mode.


    The 2 Main culprits found by Kaspersky were
    1. Backdoor.Win32.Rbot.bsn
    2. Trojan-Downloader.Win32.Agent.bdr
    The Kaspersky online scanner, however, only detects problems but doesn't fix them. Kaspersky says that the tool must be installed on the local machine if cleaning is to be carried out. But it insists that I uninstall TMicro first (something which I would like to do as a last resort, because I fear I might run into other problems which might divert my attention from the main problem at hand).

    Haven't toggled System Restore yet, as the system isn't clean yet.


    I would really appreciate your help to remove this stubborn malware and guidance on how to move forward.
     

    Attached Files:

  2. thevictim

    thevictim Private E-2

    Next set of attachments
     

    Attached Files:

  3. thevictim

    thevictim Private E-2

    Adding the Kaspersky and HijackThis log
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Also uninstall the free CounterSpy trial now! We are finished with it and it may get in our way of doing the below cleanup.
    You need to download and from now on use the current versions of GetRunKey and ShowNew. The versions you have are out of date which means you are not working from the current version of the READ & RUN ME.

    Uninstall the below old versions of software:
    Java 2 Runtime Environment, SE v1.4.2_01

    Make sure you reboot after uninstalling the above!
    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\Program Files\Common Files\{D44DDBA9-0AE7-2057-0119-040401150001}\Update.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKLM\..\Run: [{D44DDBA9-0AE7-2057-0119-040401150001}] "C:\Program Files\Common Files\{D44DDBA9-0AE7-2057-0119-040401150001}\Update.exe" mc-110-12-0001299
    O4 - HKLM\..\Run: [run32] run32dll.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Microsoft Systems2] C:\WINDOWS\aps\spoolsv.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0001299 (file missing)

    After clicking Fix, exit HJT.


    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\Common Files\{D44DDBA9-0AE7-2057-0119-040401150001}\Update.exe
    C:\WINDOWS\clockupdate.exe
    C:\WINDOWS\update_today.exe
    C:\WINDOWS\windowsVISTAupdate.exe
    C:\WINDOWS\system32\run32dll.exe
    C:\WINDOWS\system32\svchosts.exe
    C:\WINDOWS\system32\RIFKRIFK.exe
    C:\WINDOWS\system32\systemhelper.exe
    C:\WINDOWS\system32\update_anti-virus.exe
    C:\WINDOWS\system32\windowsupdate.exe
    C:\WINDOWS\aps\svchost.exe
    C:\WINDOWS\aps\spoolsv.exe

    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete if found:
    C:\WINDOWS\aps
    C:\Program Files\Common Files\{344DDBA9-0AE7-2057-0119-040401150001}
    C:\Program Files\Common Files\{D44DDBA9-0AE7-2057-0119-040401150001}

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey - get the new version first
    2. ShowNew - get the new version first
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
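    The O4/O23 entries chaslang picks out above share a few patterns that a practitioner can check for mechanically before deciding what to kill. The script below is an added example, not part of the original thread and not a HijackThis feature: it parses HijackThis-style O4 (Run key) and O23 (service) lines and flags an image path that points at a missing file, a bare filename with no directory, a known Windows binary sitting outside its normal directory, a lookalike of a Windows binary name (one edit away, or the same letters rearranged), and an autorun named by a bare GUID. The list of system binaries and their expected directories, and the flagging rules themselves, are this example's assumptions, not a verdict on any file; the sample log lines are copied from the reply above. The QuickTime and Messenger entries produce no flags here; whether to keep such startup items is a separate question from malware triage.

```python
import re
from collections import Counter

# Windows binaries that malware commonly imitates, either by a lookalike
# spelling (svchosts.exe) or by dropping a same-named copy outside system32.
# The list and the expected directories are this example's assumptions.
SYSTEM_BINARIES = {
    "svchost.exe", "spoolsv.exe", "rundll32.exe", "lsass.exe",
    "csrss.exe", "winlogon.exe", "services.exe", "explorer.exe",
}
EXPECTED_DIR = {name: r"c:\windows\system32" for name in SYSTEM_BINARIES}
EXPECTED_DIR["explorer.exe"] = r"c:\windows"

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")

# Constructed sample: the O4/O23 lines quoted in the reply above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [{D44DDBA9-0AE7-2057-0119-040401150001}] "C:\Program Files\Common Files\{D44DDBA9-0AE7-2057-0119-040401150001}\Update.exe" mc-110-12-0001299
O4 - HKLM\..\Run: [run32] run32dll.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Systems2] C:\WINDOWS\aps\spoolsv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0001299 (file missing)
"""


def levenshtein(a, b):
    """Plain edit distance; inputs are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_path(cmd):
    """First token of a Run value or service ImagePath, lower-cased.

    Tolerates the stray closing quote HijackThis printed in the O23 line.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        token = cmd[1:end] if end > 0 else cmd[1:]
    else:
        token = cmd.split()[0] if cmd else ""
    return token.strip('"').lower()


def lookalike_of(exe):
    """Return the system binary `exe` resembles, or None.

    Two heuristics: one edit away (svchosts vs svchost) or the same letters
    rearranged (run32dll vs rundll32).
    """
    stem = exe.rsplit(".", 1)[0]
    for real in sorted(SYSTEM_BINARIES):
        real_stem = real.rsplit(".", 1)[0]
        if levenshtein(stem, real_stem) <= 1 or Counter(stem) == Counter(real_stem):
            return real
    return None


def triage(line):
    """Reasons an O4/O23 line deserves a closer look; empty list if nothing stood out."""
    m = O4_RE.match(line) or O23_RE.match(line)
    if not m:
        return []
    name, cmd = m.group("name"), m.group("cmd")
    reasons = []
    if "(file missing)" in cmd:
        reasons.append("points at a file that is no longer on disk")
    path = image_path(cmd)
    directory, _, exe = path.rpartition("\\")
    if not directory:
        reasons.append(f"bare filename {exe!r} is resolved through the search path, not a fixed location")
    elif exe in SYSTEM_BINARIES and directory != EXPECTED_DIR[exe]:
        reasons.append(f"{exe} is outside its normal directory ({directory})")
    if exe not in SYSTEM_BINARIES:
        real = lookalike_of(exe)
        if real:
            reasons.append(f"{exe} is a lookalike of the system binary {real}")
    if GUID_RE.match(name.strip()):
        reasons.append("autorun is named by a bare GUID")
    return reasons


def triage_log(text):
    """Map each flagged entry's Run-key name or service name to its reasons."""
    flagged = {}
    for line in text.splitlines():
        reasons = triage(line)
        if reasons:
            m = O4_RE.match(line) or O23_RE.match(line)
            flagged[m.group("name")] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LOG).items():
        print(f"[{name}]")
        for r in reasons:
            print(f"    - {r}")
```

    Run it against a saved HijackThis log by passing the file contents to triage_log(). A flag is a reason to look closer (check the file's publisher, size and creation date, and search the name), not proof of infection; equally, a clean result from these rules says nothing about entries they do not understand, such as R3 hooks or O17 DNS settings.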
     
  5. thevictim

    thevictim Private E-2

    Thanks a lot for your response, chaslang! And I wish you a very Happy 2007. Keep up the excellent work that you are doing.

    Before I received your response, I tried doing something myself to remove the trojans. I uninstalled Trend Micro PC-cillin Internet Security 2007 and installed Kaspersky Anti-Virus 6.0 to remove the trojans that this tool had detected. I installed its trial version and could successfully remove the following 3 infected files mentioned in my original post.
    1. C:\WINDOWS\system32\update_anti-virus.exe
    2. C:\WINDOWS\system32\windowsupdate.exe
    3. C:\WINDOWS\windowsVISTAupdate.exe

    Had toggled System Restore before this.

    After receiving your response, I followed the steps as mentioned by you.
    Symptom 2 (regedit window closing soon after launching) ceased right away. The HijackThis log also looks better.

    But I still feel that there is something suspicious happening on my machine. Kaspersky's Proactive Defense feature warns me of riskware on my machine, especially about a keylogger redirecting keyboard input. It names the culprit as C:\WINDOWS\System32\drivers\sskbfd.sys. The alerts from Kaspersky normally come with 2 buttons asking for the user's decision to allow or terminate the process. For this keylogger, the Terminate button is not enabled and the only action I can take is "Allow". You will see this file in the newfiles.txt dated Dec 8, 2006.

    I am also suspicious of the Drag'n Drop CD+DVD file in C:\Documents and Settings\Rahul\Local Settings\Temp\ dated Jan 1, 2007 (today). This is CD/DVD burning software which came bundled with my laptop. Why does this show a new date?

    The .sqm files in C:\ also look suspicious, but I think they might be from Windows Live Messenger (I am not so sure). All files with a Nov and Dec timestamp need to be looked at again, but I am not sure which ones are OK and which ones are bad.

    The keylogger is my first worry right now.

    BTW, there was no prompt while using Pocket Killbox to delete the files.

    Over to you. Thanks again.
     
  6. thevictim

    thevictim Private E-2

    I forgot the attachments. Here they are.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This file is for Spy Sweeper. Ignore Kaspersky; the file is safe.

    The Temp folder was emptied during the previous cleanup, and since Drag'n Drop creates a folder there for temporary data, it just recreated it.

    Yes they are from Windows Live. Another one of Microsoft's blunders. They should know better than to put the files there.

    Manually delete the below left over folders from CounterSpy:
    C:\Documents and Settings\Rahul\Local Settings\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software


    Use Pocket Killbox to delete
    C:\WINDOWS\system32\run32.dll

    Now attach a hopefully final log from ShowNew.

    How is everything running?
     
  8. thevictim

    thevictim Private E-2

    Seems to me that the trojans have been removed from my machine, because none of the scans report anything suspicious. The HijackThis log, however, shows an O17 now and then. I have attached this log along with the runkeys and newfiles txts.

    I don't know these IPs. I had tried removing this entry using HijackThis but wasn't successful. It keeps coming back.

    Additionally , symptom 1 still persists.
     
  9. thevictim

    thevictim Private E-2

    Forgot the attachments once again. Here they are.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should know them! They belong to Tiscali, which I assume is your ISP!
    Code:
    IP Address   : 195.247.247.195 [ cache-d.nas.tiscali.de ]
    ISP          : Tiscali Business GmbH
    Organization : Tiscali - Online Services
    Location     : DE, Germany
    City         : Dreieich, 05 -

    IP Address   : 62.27.27.62 [ cache-f.nas.tiscali.de ]
    ISP          : Tiscali Business GmbH
    Organization : Tiscali - Online Services
    Location     : DE, Germany
    City         : Dreieich, 05 -
    
    
    This is not a malware problem! It is some kind of configuration issue with your software. You may need to reinstall something, or you may need to speak to your ISP about it. You could also try posting in the Software Forum. Either way, it is not an issue for the Malware Forum.
     
