Malware - Adware.Borlan, Trojan.Peed.Gen, others, recurrent

Discussion in 'Malware Help (A Specialist Will Reply)' started by qweds, Feb 28, 2007.

  1. qweds

    qweds Private E-2

    Having trouble posting; apologies if duplicates turn up. vBulletin is telling me something about an invalid thread...?

    Hello,

    I have read the FAQs and am running through the generic clean process now (READ AND RUN FIRST); so far the results have been less than inspiring.

    I have been attempting to deal with a virulent and recurrent malware problem for the last week or so. At this point I'm pretty sure that the main, or at least initial, culprits are Adware.Borlan and Trackware.Alexa.

    Also a process by the name of EC36329D.exe is now present at every system load, and I was unable to find anything about this file in a Google search.

    I will try to explain as fully as possible the symptoms I am experiencing.

    I believe the infection began when I opened a TV ants stream. Immediately my browser closed and my mail client (Firefox) began spamming. I shut down my machine as quickly as possible, but too late.

    When I rebooted I was greeted with a DCOM Service Launcher Process error and the "NT Authority" was rebooting my computer; it gave me a minute and then reset. I have since worked around that issue with the 'shutdown -a' command.

    Because of the domain structure here (I think), only users that log on to the domain seem to be able to execute run commands with any effect. (I created an administrative user called 'Repair' off the domain, but with that user I could not circumvent the DCOM shutdown.) At any rate, what this means is that every time I reboot I have to log on to the net for a second while the user authenticates; I immediately unplug the cable thereafter.

    I work at a small firm and we have Symantec Client Security 3.0, though I can't currently update. The definition files are current as of 2/14 or so. Scans run through that appeared at first to be successful but always required a reboot to fully remove.

    Every time after a reboot the infection seems to have completely reinstated itself. I created a directory on my computer where I placed logs and such; it has since disappeared. I am using a second uninfected machine to write this. The infected machine is currently running BitDefender (another 4 hours!!!?).

    At one point I was able to access certain websites, e.g. www.merijn.org and www.yahoo.com, but not others (this one, google.com). Thought that was rather strange.

    I am able to monitor net traffic through a packet sniffing program and I have noticed that as soon as my machine logs on, the DNS traffic on the network spikes and remains elevated. I worry that this machine is thereby trying to infect other machines or pursuing other nefarious ends. Do I need to remain connected to the internet while BitDefender works, or can I unplug?

    After I have been in safe mode and attempt to reboot into normal mode I get a BSOD once and then it will reset and proceed to the login screen, where it will hang for a minute or so before completing login.

    I do not have any log files to post. After I ran CounterSpy and allowed it to quarantine all the files, my machine immediately reset itself before I could create a log file.

    I have attempted to manually log the infections as they have been listed:

    smitfraud -c
    smitfraud.toolbar
    sogou
    Nunech.A
    WinXPServicePackCrack
    AdRevolver
    Zedo
    Cure PC Solution
    StatCounter
    Infostealer.Eyoni
    Downloader
    Trojan.Dropper
    Trojan.Proxy.Agent.Df (I think this one is part of the DNS traffic I'm seeing)
    trojan.spambot.h
    trojan.NSAnti.B
    Trojan.Muldrop.M
    trojan.dropper.agent.ol / iu / dd
    Trojan.Proxy.Dlena.AB


    (and too many more to count)

    I will attempt to post the BitDefender log as soon as possible. In the meantime, can anyone tell me if I can unplug my machine while that scan runs, as I am rather apprehensive about the network traffic levels (we have already received one spam warning from our provider when the infection began).

    Any advice?

    many thanks,

    tim
     
    Last edited: Feb 28, 2007
  2. qweds

    qweds Private E-2

    I'm not trying to bump this, but after I edited my post once it won't let me again, so in order to attach the BitDefender log I'm forced to reply.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Are your log files missing, or are they saved under another user account name?

    Please try to do the below.

    First empty your Norton Quarantine which is full of malware.

    Also empty your Recycle Bin!

    Now try to run this: RogueRemover

    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.


    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\1010s.exe
    C:\WINDOWS\bar.exe
    C:\WINDOWS\system32\cryptig.dll
    C:\WINDOWS\system32\t21.exe
    C:\WINDOWS\system32\tubar1250.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now run Ccleaner!

    Now try to get us the below logs, which will better help us to remove your problems.

    1. GetRunKey
    2. ShowNew
    3. HJT
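    Added example, not part of the thread and not Pocket Killbox's own code: this PowerShell script queues the five files chaslang lists above for deletion at the next boot the same way Killbox's "Delete on Reboot" button does, by calling MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which appends the request to the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. It first reads any entries already queued there, which is the situation behind the "PendingFileRenameOperations prompt" chaslang asks to be told about. Run it from an elevated prompt; the paths are the ones from the post, everything else is assumed.

```powershell
# Added example (not from the thread, not Killbox's code). Queue files for
# deletion at next boot via MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT).
# Requires an elevated prompt: the request is written under HKLM.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
$sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

# The paths chaslang listed in the post above.
$targets = @(
    'C:\WINDOWS\system32\1010s.exe'
    'C:\WINDOWS\bar.exe'
    'C:\WINDOWS\system32\cryptig.dll'
    'C:\WINDOWS\system32\t21.exe'
    'C:\WINDOWS\system32\tubar1250.exe'
)

# Anything already queued is what the "PendingFileRenameOperations prompt"
# refers to. Read it before adding to it: a pending rename you did not
# request is worth knowing about on a machine that reinfects itself at boot.
$existing = (Get-ItemProperty -Path $sessionManager -ErrorAction SilentlyContinue).PendingFileRenameOperations
if ($existing) {
    Write-Warning 'Existing PendingFileRenameOperations entries:'
    $existing | Where-Object { $_ } | ForEach-Object { Write-Warning "  $_" }
}

foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) {
        # Killbox likewise skips files it cannot find.
        Write-Host "not present, skipping: $path"
        continue
    }
    # A NULL destination plus MOVEFILE_DELAY_UNTIL_REBOOT means "delete at boot".
    # This succeeds even if a running process holds the file locked right now.
    $queued = [Win32.Native]::MoveFileEx($path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if ($queued) {
        Write-Host "queued for deletion on reboot: $path"
    } else {
        $code = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        Write-Warning "MoveFileEx failed for $path (Win32 error $code)"
    }
}

# Show what the Session Manager will process at boot. Entries come in pairs:
# "\??\<source path>" followed by an empty string, which means delete.
(Get-ItemProperty -Path $sessionManager).PendingFileRenameOperations
```

    Reboot afterwards. The Session Manager (smss.exe) processes this value early in boot, before Run keys, RunOnce entries or services start, which is why it removes files that a running infection keeps locked. It does nothing against whatever re-drops those files, so if they are back after the reboot the dropper is still present somewhere, which is consistent with what qweds describes in the first post.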
     
  4. qweds

    qweds Private E-2

    chaslang:

    Thanks for your reply.

    Unfortunately I was unable to keep trying to run the online virus scans, as every time I did so my machine would become a DNS server of some type and take up ~200k of bandwidth doing so. As well, every reboot would see all of the problems begin anew. I imagine your fix would probably have worked, but my machine's downtime was becoming too costly to continue.

    As such I decided to do a format and reinstall. I'll be watching my box closely over the next while to make sure nothing crops up again.

    Thank you again for your responsiveness.
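    Added example, not part of the thread: a small PowerShell function that flags the DNS symptom qweds describes in the first post and again here, a host whose query volume jumps the moment it connects and stays high. A spambot or spam proxy resolves the MX record of every domain it wants to deliver to, so the signature is a sustained burst of queries that are mostly MX lookups for many distinct names. The log format (time, client IP, query type, name), the sample lines and the thresholds are all assumptions for the example; in practice you would export the same fields from the packet sniffer or the DNS server's query log.

```powershell
# Added example (not from the thread). Per client and per minute, count DNS
# queries and the share of them that are MX lookups; flag hosts over both
# thresholds. Input lines: "<ISO time> <client IP> <qtype> <qname>" (assumed format).

function Get-DnsSuspects {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [int]    $MinQueriesPerMinute = 30,   # assumed threshold, tune to your network
        [double] $MinMxShare          = 0.5   # assumed threshold
    )

    $records = foreach ($line in $Lines) {
        if ($line -match '^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$') {
            [pscustomobject]@{
                Minute = $Matches[1].Substring(0, 16)   # yyyy-MM-ddTHH:mm
                Client = $Matches[2]
                QType  = $Matches[3].ToUpper()
                QName  = $Matches[4].ToLower()
            }
        }
    }

    $records | Group-Object Client, Minute | ForEach-Object {
        $total = $_.Count
        $mx    = @($_.Group | Where-Object { $_.QType -eq 'MX' }).Count
        $names = @($_.Group | Select-Object -ExpandProperty QName -Unique).Count
        $share = if ($total -gt 0) { $mx / $total } else { 0 }
        [pscustomobject]@{
            Client      = $_.Group[0].Client
            Minute      = $_.Group[0].Minute
            Queries     = $total
            MxQueries   = $mx
            UniqueNames = $names
            MxShare     = [math]::Round($share, 2)
            Suspect     = ($total -ge $MinQueriesPerMinute) -and ($share -ge $MinMxShare)
        }
    }
}

# Constructed sample: one host browsing normally, one host spraying MX lookups
# for a different domain every second, the way a spambot does.
$sample = @(
    '2007-02-28T09:00:01 10.0.0.7 A www.merijn.org'
    '2007-02-28T09:00:09 10.0.0.7 A www.yahoo.com'
    '2007-02-28T09:00:40 10.0.0.7 A www.google.com'
)
foreach ($i in 0..59) {
    $sample += '2007-02-28T09:00:{0:D2} 10.0.0.12 MX mail{1}.example.net' -f $i, $i
}

Get-DnsSuspects -Lines $sample | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

    Exclude your own mail server or relay before trusting the result, since MX lookups are its normal job; an ordinary workstation has no reason to resolve mail exchangers at all, so even a lower MX share than the assumed 50% is worth a look for a desktop. Pulling the cable on a flagged host, as qweds did, stops the outbound spam immediately and does not interfere with an offline scan that is already running.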
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

