Difficulty cleaning multiple trojan infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by jcompton, Feb 3, 2009.

  1. jcompton

    jcompton Private E-2

    OS: Windows XP Pro SP2

    I am having difficulty cleaning out a trojan problem. Using Spybot, AVG, MBAM, ComboFix and SDFix I have been able to get my system to a status where it appears to be clean and I reconnect it to the outside world, only to have problems show up again.

    The first time I performed the cleanup, it appeared that I was getting rid of Agent.pz and Banker.xe. I first noticed the system running more slowly and oddities like usernames not being displayed in task manager. I finally knew what was up when my attempts to browse to antivirus sites were being either blocked or redirected. I ran through the litany of tools and things looked clean. None of my recent downloads appeared to be infected, however.

    This afternoon, after being reconnected for a few hours, I ran Spybot out of paranoia and the problems started anew while Spybot was running (the AVG Resident Shield alert popped up during the Spybot scan, not before!)

    When the problems started anew, there was a much wider range of trojan activity, including MSAntiSpyware 2009 windows.

    At this point I ran through the MajorGeeks protocol described at http://forums.majorgeeks.com/showthread.php?t=139313 . I am somewhat discouraged by the fact that MBAM gave me a clean bill, but Combofix found more problems. I was able to keep this computer offline during the process, except during the Combofix install when I let it install Recovery Console. (I had previously tried the trick of dragging the files on top of the Combofix icon but got no joy.) I used manual profile updates to ensure that the other tools were at their most recent.

    I should add that at some point during the excitement, my computer started booting with an Application Error in spoolsv.exe . This has happened during every reboot since it began. I did not recently touch the printer driver, nor did I touch it during the attempts at cleaning the infections. So I do not know if it is a sign of additional virus activity or damage done by a cleaning tool.

    I am afraid to reattach the affected system to the network until getting further guidance, which I hope will either confirm that I now have a clean system, or give me new instructions to follow.

    Three logs attached here, MG logs to follow in reply. Thank you for your consideration.
     

    Attached Files:

  2. jcompton

    jcompton Private E-2

    MGlogs attached.
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    These system files are infected:
    First I want you to tell me what this is:
    C:\spywaredls ?

    Then use windows explorer to find and delete:
    c:\windows\system32\6.tmp

    Now open your C drive and find each of these and copy them to the above folders:
    C:\i386\userinit.exe --> copy to c:\windows\system32
    C:\i386\spoolsv.exe --> copy to c:\windose\system32
    C:\i386\EXPLORER.EX_ --> copy to c:\windows

    Tell me what problems you have doing this.
     
  4. jcompton

    jcompton Private E-2

    Thank you for starting on my inquiry.

    The directory I was trying to keep the infection-fighting downloads (SAS, CCleaner, etc.) and logs organized in--separate from my generic downloads directory.

    Done, no problems.

    Done, no problems, datestamp and file size appeared to be identical and Windows allowed me to replace it.

    (I presume you meant "windows")

    Code:
    Error Copying File or Folder
    Cannot copy spoolsv: It is being used by another person or program.
    Close any programs that might be using the file and try again.
    
    (filesize/date appeared to be identical.)

    Also, I did not receive the spoolsv.exe crash message upon boot when firing up the machine to make these changes.

    Copy was successful. EXPLORER.EX_ was not already present in C:\windows.

    Ready for more instructions. I have not at this point shut down or restarted the machine since making these changes, please let me know if I should do that before proceeding with any next steps.
     
  5. jcompton

    jcompton Private E-2

    Additional info:

    I just checked on the machine (after leaving it running but untouched) and AVG Resident Shield popped up three Win32/Heur hits: one on c:\sdfix\catchme.exe and two on what looked like System Restore-related files. I decided not to touch the alert (did not ask that they be removed/cleaned) but I did shut down. Please advise.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The first ( C:\sdfix ) is not malware. The other two are files in the system restore folder which we will now fix.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between the combofix" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work thru the below link:

     
  7. jcompton

    jcompton Private E-2

    I don't think we're settled yet.

    When I started up, the spoolsv crash was back, and so was the plain-text "Log On to Windows" dialog (under normal circumstances my machine boots straight to the desktop.)

    I decided to forge ahead anyway and entered the Combofix uninstall command, but got two windows:
    Code:
    prep.com has encountered a problem and needs to close.
    The other was AVG Resident Shield.

    Code:
    Accessed File is infected
    
    threat detected!
    
    File name: C:\Documents and Settings\Jason\Local Settings\temp\1.tmp\b2e.dll
    
    threat name: Trojan horse BackDoor.SmallX.VX
    Detected on open
    
    Process Name: C:\32788R22FWJFW\Prep.com
    Process ID: 2608
    
    I am shutting down. Please advise.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file ....as well as a new log from SAS and MBAM.

    Open task manager and stop the spoolsvr process, then see if you can replace it as previously instructed.
     
  9. jcompton

    jcompton Private E-2

    I received a ProcessDll.exe Application Error, which I did not get when previously running MGTools as I updated .Net as indicated when starting this cleanup process. What shall I do?

    Worked fine this time--spoolsv crashed on this particular startup so there was nothing to stop and the replacement went off fine. I replaced it before running SAS. However, it was back to crashing when I rebooted as SAS requested.

    During the SAS process, AVG Resident Shield complained of the System Restore files again, which I allowed it to quarantine. During the MBAM process, AVG Resident Shield complained of c:\windows\explorer.ex_ , which I allowed it to quarantine. I shut down after transferring the logs off the machine.

    New logs attached. Sorry this is turning out to be such a complex problem.
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Copy this:
    C:\WINDOWS\system32\dllcache\explorer.exe
    to c:\windows\

    Then re-run ( or download again if you have removed it ) Combofix and attach that log.
     
  12. jcompton

    jcompton Private E-2

    Cannot copy explorer: It is being used by another person or program.

    Close any programs that might be using the file and try again.

    (I also tried doing it from a command prompt with no Explorer windows open and got "The process cannot access the file because it is being used by another process.")
     
  13. jcompton

    jcompton Private E-2

    I went ahead and ran Combofix anyway. Log attached. The infected files list looks lamentably familiar...

    Do we need to do some of this copying from the recovery console, perhaps?
     

    Attached Files:

  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes....your system files are infected and if we run any more AV scans they are likely to remove those infections and leave your system unbootable. Sadly, the only way to deal with this is to save all your documents and data and do a clean installation. :(
     
  15. jcompton

    jcompton Private E-2

    I'm really reluctant to do that--I invariably end up losing files because something didn't copy over correctly or the new Thunderbird install doesn't want to recognize my inbox or some such.

    What about copying the three affected system files over from their backup locations while booted into Recovery Console or a Linux distro? Might that not help? Which of these copies would be most likely to be valid/correct?

     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You can do that using the recovery console if you have access to an xp cd of the same version as yours (home, pro, etc).

    These are the correct files that should be on your system....note the size and date for these files.
    Code:
    Win XP SP2 - Normal Filesizes and Modified Dates
    explorer.exe  1,033,216 bytes  Modified: 06/13/2007
    ctfmon.exe       15,360 bytes  Modified: 08/04/2004
    spoolsv.exe      57,856 bytes  Modified: 06/10/2005
    userinit.exe     24,576 bytes  Modified: 08/04/2004
     
    C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe 1,033,216  Modified 06/13/2007
    C:\WINDOWS\$NtUninstallKB938828$\explorer.exe    1,032,192  Modified 08/04/2004
    =================== 
     
    ===================
    Win XP SP3 - Normal Filesizes and Modified Dates
    explorer.exe  1,033,728 bytes  Modified: 04/14/2008
    ctfmon.exe       15,360 bytes  Modified: 04/14/2008
    spoolsv.exe      57,856 bytes  Modified: 04/14/2008
    userinit.exe     26,112 bytes  Modified: 04/14/2004
    
    You should note that the infected files are 16,896 bytes bigger.
     
    Last edited by a moderator: Feb 10, 2009
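As an added example (not from the thread or from MajorGeeks' tools), the size check TimW describes above can be scripted: compare each system file's size against the known-good SP2/SP3 values he posted and flag files that are exactly 16,896 bytes larger. The file paths and the `INFECTED_DELTA` constant are taken from the thread; the classification labels are my own.

```python
"""Check Windows XP system-file sizes against the known-good values posted in the thread."""
import os

# Known-good sizes in bytes, per service pack, as listed by TimW above.
KNOWN_GOOD = {
    "SP2": {"explorer.exe": 1_033_216, "ctfmon.exe": 15_360,
            "spoolsv.exe": 57_856, "userinit.exe": 24_576},
    "SP3": {"explorer.exe": 1_033_728, "ctfmon.exe": 15_360,
            "spoolsv.exe": 57_856, "userinit.exe": 26_112},
}
# Growth the thread attributes to the infection: each host file is 16,896 bytes bigger.
INFECTED_DELTA = 16_896


def classify_size(name: str, size: int, sp: str) -> str:
    """Return 'clean', 'infected-pattern' or 'unknown' for one observed file size."""
    expected = KNOWN_GOOD[sp].get(name.lower())
    if expected is None:
        return "unknown"            # not a file the table covers
    if size == expected:
        return "clean"
    if size == expected + INFECTED_DELTA:
        return "infected-pattern"   # exactly the growth described in the thread
    return "unknown"                # other size: different patch level or other tampering


def audit_sizes(observed: dict, sp: str = "SP2") -> dict:
    """Classify an already-collected {filename: size} mapping (e.g. copied from a log)."""
    return {name: classify_size(name, size, sp) for name, size in observed.items()}


def audit(paths, sp: str = "SP2") -> dict:
    """Stat each path on a live system and classify it; missing files are reported as such."""
    report = {}
    for path in paths:
        if not os.path.isfile(path):
            report[path] = "missing"
            continue
        report[path] = classify_size(os.path.basename(path), os.path.getsize(path), sp)
    return report


if __name__ == "__main__":
    # Constructed sample mirroring the thread: an SP2 box whose explorer, spoolsv and
    # userinit have each grown by 16,896 bytes while ctfmon is untouched.
    sample = {"explorer.exe": 1_033_216 + INFECTED_DELTA, "spoolsv.exe": 57_856 + INFECTED_DELTA,
              "userinit.exe": 24_576 + INFECTED_DELTA, "ctfmon.exe": 15_360}
    for name, verdict in audit_sizes(sample).items():
        print(f"{name:14} {verdict}")
```

On a real XP machine, `audit([r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\system32\spoolsv.exe", r"C:\WINDOWS\system32\userinit.exe"], "SP2")` runs the same check against the live files; a matching size is necessary but not sufficient proof that a file is clean.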
