Malware keeps connecting to lloydstsb.co.uk

Discussion in 'Malware Help (A Specialist Will Reply)' started by zapnsr, Sep 10, 2006.

  1. zapnsr

    zapnsr Private E-2

    Whenever I start my browser I notice the following connections being established

    Active Connections

    Proto Local Address Foreign Address State PID
    TCP ASADMAHVEEN:1086 lloydstsb.co.uk:1087 ESTABLISHED 3004
    TCP ASADMAHVEEN:1087 lloydstsb.co.uk:1086 ESTABLISHED 3004
    TCP ASADMAHVEEN:1089 216.239.53.104:http ESTABLISHED 3004
    TCP ASADMAHVEEN:1090 static-fxfeeds.nslb.sj.mozilla.com:http ESTABLISHED 3004
    TCP ASADMAHVEEN:1091 newslb11.thdo.bbc.co.uk:http CLOSE_WAIT 3004

    The PID above refers to Mozilla firefox.


    I have followed the instructions mentioned in your post for removal of malware

    1. Microsoft Windows Malware remover : Nothing detected
    2. Microsoft Windows Defender: Nothing
    ( last week when I ran this it detected Virtumonde.D)
    3. Bitdefender : Attached log
    4. Panda : Nothing
    5. HijackThis : Attached log.

    Please let me know what's happening!!

    Thanks
    Surya
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please attach the other two logs that were requested (GetRunKey and ShowNew)
     
  3. zapnsr

    zapnsr Private E-2

    Attaching the log files runkeys.txt, newfiles.txt

    I had also run VundoFix before I ran the above tools. Vundo was detected and removed by this tool.
    The log is being attached.


    Thanks
    Surya
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have signs of Vundo (don't run the tool again as it will not remove this newer form of Vundo). However, besides Vundo you have a ton of other trojan files showing in your logs. I want to simplify the removal and also make sure we get everything. Along those lines, I want you to run an Ewido scan. Follow the directions in the below link and then attach the requested log from Ewido.

    Running Ewido Anti-Malware


    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox

    Then goto Add/Remove programs and uninstall the below software:
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 7
    Java 2 Runtime Environment, SE v1.4.2
    Java 2 SDK, SE v1.4.2
    Viewpoint Media Player


    Now click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to User Initialization ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    usrinit32

    If you receive any error messages just ignore them and continue.

    Now exit HJT and reboot when it tells you it needs to.

    After reboot, look for the below file and delete it if found:
    C:\WINDOWS\userinit.exe <--- only delete this one!!!! Do not delete C:\WINDOWS\System32\userinit.exe

    After reboot, download the current version of ShowNew (yours is now outdated) and then attach a new log from ShowNew.

    Now also attach a new HJT log so we can continue with your cleanup!
     
    Last edited: Sep 11, 2006
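The fix above turns on one tell: a file carrying the name of a genuine logon component (userinit.exe) sitting outside the directory where that component belongs, plus a service (usrinit32) whose name is a near-miss of the real one. The following is an added example, not code from the thread or from any of the tools it names. It takes a constructed list of file paths and a constructed service table that mirror this post (the rogue C:\WINDOWS\userinit.exe beside the real System32 copy, the usrinit32 service) and flags the masquerades; the expected-directory table and the sample inputs are assumptions for illustration, not the poster's logs.

```python
"""Flag files and services masquerading as Windows logon components.

Added example, not part of the original thread. The file list and service
table below are constructed to mirror the situation in this post; they are
not taken from the poster's logs.
"""
import ntpath

# Where the genuine copies of these binaries live. Assumption: a default
# %SystemRoot% of C:\WINDOWS and the XP-era Program Files layout, matching
# the paths the poster shows.
SYSTEM_ROOT = r"C:\WINDOWS"
EXPECTED_DIR = {
    "userinit.exe": ntpath.join(SYSTEM_ROOT, "system32"),
    "winlogon.exe": ntpath.join(SYSTEM_ROOT, "system32"),
    "explorer.exe": SYSTEM_ROOT,
    "iexplore.exe": r"C:\Program Files\Internet Explorer",
}

# Constructed inputs (assumptions, not the poster's data).
SAMPLE_FILES = [
    r"C:\WINDOWS\System32\userinit.exe",   # genuine
    r"C:\WINDOWS\userinit.exe",            # rogue copy named in this post
    r"C:\WINDOWS\explorer.exe",            # genuine
    r"C:\WINDOWS\System32\iexplore.exe",   # wrong directory for IE
]
SAMPLE_SERVICES = {
    # service name -> ImagePath as the SCM would store it
    "usrinit32": r"C:\WINDOWS\userinit.exe",
    "Dnscache": r"C:\WINDOWS\system32\svchost.exe -k NetworkService",
}


def misplaced_copies(paths):
    """Return (path, expected_dir) for files whose name matches a known
    Windows binary but whose directory is not where that binary belongs."""
    out = []
    for p in paths:
        expected = EXPECTED_DIR.get(ntpath.basename(p).lower())
        if expected and ntpath.normcase(ntpath.dirname(p)) != ntpath.normcase(expected):
            out.append((p, expected))
    return out


def _edit_distance(a, b):
    """Plain Levenshtein distance, used to catch names like usrinit32."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _image_exe(image):
    """Extract the executable from an ImagePath, honouring quoted paths."""
    if image.startswith('"'):
        return image[1:image.find('"', 1)]
    return image.split()[0]


def lookalike_services(services, known=("userinit", "winlogon", "csrss",
                                        "lsass", "svchost", "services"),
                       max_dist=2):
    """Services whose name is a near-miss of a core component name (trailing
    digits stripped first), or whose image is itself a misplaced copy."""
    out = []
    for svc, image in services.items():
        reasons = []
        stem = svc.lower().rstrip("0123456789")
        for k in known:
            if stem != k and _edit_distance(stem, k) <= max_dist:
                reasons.append(f"name resembles {k}")
        if misplaced_copies([_image_exe(image)]):
            reasons.append("image is a misplaced copy of a system binary")
        if reasons:
            out.append((svc, image, reasons))
    return out


if __name__ == "__main__":
    for path, expected in misplaced_copies(SAMPLE_FILES):
        print(f"MISPLACED {path} (genuine copy belongs in {expected})")
    for svc, image, reasons in lookalike_services(SAMPLE_SERVICES):
        print(f"SUSPECT service {svc} -> {image}: {'; '.join(reasons)}")
```

On a live system the file list would come from a directory walk of %SystemRoot% and the service table from the SCM (services.msc or the Services registry hive); the checks themselves do not change. The distance threshold is deliberately small so that a legitimately named service is not reported, but it will not catch names that share nothing with the component they imitate.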
  5. zapnsr

    zapnsr Private E-2

    Thanks Chaslang, for helping me out...

    I did all the steps indicated by you.

    Ewido detected one more trojan. The NT Service file userinit.exe was already deleted.

    I have attached the logs.
     


  6. zapnsr

    zapnsr Private E-2

    Forgot to add, the connection to "lloydstsb.co.uk" still happens so that malware program is still present.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As you will see from the below fix, you still have a ton of malware!


    Start by downloading - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
    O15 - Trusted Zone: http://locator.cdn.imageservr.com
    O20 - Winlogon Notify: qopmj - qopmj.dll (file missing)


    After clicking Fix, exit HJT.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\Documents and Settings\ASAD\Desktop\oaj2se.exe
    C:\WINDOWS\system32\byotqdwi.exe
    C:\WINDOWS\system32\dsfvcbmh.exe
    C:\WINDOWS\system32\eevkfutv.exe
    C:\WINDOWS\system32\hdcybtls.exe
    C:\WINDOWS\system32\hqblqvhk.exe
    C:\WINDOWS\system32\hxbvmouc.exe
    C:\WINDOWS\system32\jkyjdhom.exe
    C:\WINDOWS\system32\mxldpliv.exe
    C:\WINDOWS\system32\ovgtdido.exe
    C:\WINDOWS\system32\vqqhqohh.exe
    C:\WINDOWS\system32\wbukyqww.exe
    C:\WINDOWS\system32\yhnqnsdd.exe
    C:\WINDOWS\system32\ykhjjowv.exe
    C:\WINDOWS\system32\ymxdjmvt.exe
    C:\WINDOWS\system32\bcrfetuf.dll
    C:\WINDOWS\system32\bdnkmwpr.dll
    C:\WINDOWS\system32\bpgyfmnf.dll
    C:\WINDOWS\system32\bupoumji.dll
    C:\WINDOWS\system32\cgbotpim.dll
    C:\WINDOWS\system32\cvtmxqxq.dll
    C:\WINDOWS\system32\cwttnaoi.dll
    C:\WINDOWS\system32\danteunv.dll
    C:\WINDOWS\system32\dgfwtyoe.dll
    C:\WINDOWS\system32\fcmxhadg.dll
    C:\WINDOWS\system32\feqviudd.dll
    C:\WINDOWS\system32\fouggbjj.dll
    C:\WINDOWS\system32\fqflylvv.dll
    C:\WINDOWS\system32\fuxnfnbj.dll
    C:\WINDOWS\system32\gehippub.dll
    C:\WINDOWS\system32\gnuigtuq.dll
    C:\WINDOWS\system32\gphqcpqj.dll
    C:\WINDOWS\system32\gtltndnl.dll
    C:\WINDOWS\system32\hanfheuy.dll
    C:\WINDOWS\system32\haqkjecb.dll
    C:\WINDOWS\system32\hshyrvcr.dll
    C:\WINDOWS\system32\iclrxdtc.dll
    C:\WINDOWS\system32\iiltulfq.dll
    C:\WINDOWS\system32\ioosvdnj.dll
    C:\WINDOWS\system32\iyrdorej.dll
    C:\WINDOWS\system32\jbhqvvfx.dll
    C:\WINDOWS\system32\jbirnblb.dll
    C:\WINDOWS\system32\jgastiod.dll
    C:\WINDOWS\system32\jjwvrgck.dll
    C:\WINDOWS\system32\jonepmle.dll
    C:\WINDOWS\system32\jrluubtq.dll
    C:\WINDOWS\system32\kkykaetn.dll
    C:\WINDOWS\system32\kmaqxgsm.dll
    C:\WINDOWS\system32\kujpceoe.dll
    C:\WINDOWS\system32\kvgxbkur.dll
    C:\WINDOWS\system32\lfcokqsv.dll
    C:\WINDOWS\system32\lfotbdqd.dll
    C:\WINDOWS\system32\lmjqhsxv.dll
    C:\WINDOWS\system32\lukfckkt.dll
    C:\WINDOWS\system32\mkprbfmf.dll
    C:\WINDOWS\system32\mkqghwnj.dll
    C:\WINDOWS\system32\ndkocnsg.dll
    C:\WINDOWS\system32\njbihbje.dll
    C:\WINDOWS\system32\npoeivik.dll
    C:\WINDOWS\system32\ntsdjrhl.dll
    C:\WINDOWS\system32\nuvpnbpb.dll
    C:\WINDOWS\system32\olritryi.dll
    C:\WINDOWS\system32\oucmrtrw.dll
    C:\WINDOWS\system32\qckvkolm.dll
    C:\WINDOWS\system32\qvopcdub.dll
    C:\WINDOWS\system32\rpknrwjc.dll
    C:\WINDOWS\system32\semjngaj.dll
    C:\WINDOWS\system32\shnsdnmk.dll
    C:\WINDOWS\system32\tdkjxdgx.dll
    C:\WINDOWS\system32\usyrtlau.dll
    C:\WINDOWS\system32\uywwdskg.dll
    C:\WINDOWS\system32\vbrtijcq.dll
    C:\WINDOWS\system32\vrxgshhc.dll
    C:\WINDOWS\system32\wywkiika.dll
    C:\WINDOWS\system32\xntiogei.dll
    C:\WINDOWS\system32\xvewxuqo.dll
    C:\WINDOWS\system32\xvndvvdp.dll
    C:\WINDOWS\system32\qqsru.ini2
    C:\WINDOWS\System32\taskdir.exe
    C:\WINDOWS\System32\taskdir.dll

    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\ASAD\Local Settings\Temp\

    Now attach a new logs from HJT, GetRunKey and ShowNew.

    Tell me how these steps went and make sure you tell me how things are working now!
     
  8. zapnsr

    zapnsr Private E-2

    I did all the steps you mentioned.

    The bank connecting malware is still present :(

    One more thing which I had noticed earlier. "iexplore.exe" used to start off by itself (no browser UI, just in Task Manager). I had tried deleting the file (iexplore.exe);
    it used to get recreated within 1 min with the same size and timestamp.

    The behaviour is also still present.


    I have attached the logs. Please take a look.

    P.S.: I deleted the !killBox -> backup -> *.dll
     


  9. zapnsr

    zapnsr Private E-2

    One more thing, not sure if the tools you had given already have checked this, but my hosts.txt is filled with major bank addresses. :(
     


    Last edited: Sep 14, 2006
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You CANNOT and must not delete iexplore.exe. This is Internet Explorer (your browser) and is a necessary component of the Windows OS.

    Is IE still starting on its own?


    What is the below file?
    C:\av tools\
    javunj~1.exe Sep 9 2006 86016 "javunjadojafijax.exe"


    Now download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Reboot your PC! How are things running now?
     
  11. zapnsr

    zapnsr Private E-2

    Thanks Chaslang.
    The connection to lloydstsb.co.uk is no longer seen.

    I guess the issue which I reported was not malware at all. But my system is clean of a lot of other issues [like Internet Explorer suddenly appearing in Task Manager] and a huge pile of malware .dll files.

    Hosts.txt now contains a single entry for localhost.
    Now I see two connections established to "localhost". Earlier the first entry in hosts.txt was 127.0.0.1 lloydstsb.co.uk, hence "netstat" reported the connection was established to "lloydstsb.co.uk".

    Checked on lots of systems, Firefox and Thunderbird establish two connections to "localhost".

    Thanks for all your help, now I am familiar with lots of stuff: "BHO", trojans with funny names etc. and the common paths they take to attack the system.
     
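The post above resolves the original question: the "connection to lloydstsb.co.uk" was Firefox talking to itself on 127.0.0.1, and netstat, which reverse-resolves addresses unless run with -n, labelled loopback with the first name the hijacked HOSTS file gave for 127.0.0.1. The real finding was the HOSTS file full of bank domains pinned to loopback. The following is an added example, not code from the thread or from Hoster; it parses a constructed HOSTS file that mirrors what the poster described (not the poster's actual file), flags every non-loopback name the file pins, and models the first-entry-wins reverse lookup to show how the misleading netstat label arises. The resolver behaviour is stated as an assumption consistent with the poster's observation.

```python
"""Audit a Windows HOSTS file for hijacked entries and show why netstat
labelled a loopback connection with a bank's name.

Added example, not from the original thread. SAMPLE_HOSTS is constructed to
mirror what the poster described (127.0.0.1 mapped to bank names); it is not
the poster's real file.
"""
import ipaddress

# Names that legitimately map to a loopback address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain",
                  "ip6-localhost", "ip6-loopback"}

# Constructed sample resembling a pharming-style HOSTS file (assumption).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1   lloydstsb.co.uk
127.0.0.1   www.lloydstsb.co.uk
127.0.0.1   online.bankofamerica.com   # trailing comment
127.0.0.1   localhost
::1         localhost
"""


def parse_hosts(text):
    """Return a list of (ip, [names...]) in file order, skipping comments,
    blank lines and lines whose first field is not a valid IP address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line: ignore rather than abort the audit
        if names:
            entries.append((ip, names))
    return entries


def suspicious_entries(entries):
    """Every non-loopback hostname the file pins, with the effect it has.
    A loopback target silently blocks the site (the case in this thread);
    any other target redirects the victim to a host of the attacker's
    choosing, which is the classic HOSTS-file pharming pattern."""
    flagged = []
    for ip, names in entries:
        addr = ipaddress.ip_address(ip)
        for name in names:
            if name.lower() in LOOPBACK_NAMES:
                continue
            effect = "blocked (loopback)" if addr.is_loopback else f"redirected to {ip}"
            flagged.append((name, ip, effect))
    return flagged


def reverse_lookup_table(entries):
    """Model the reverse lookup netstat performs without -n: the first HOSTS
    line that names an address supplies the label. Assumption about resolver
    behaviour, matching what the poster observed."""
    table = {}
    for ip, names in entries:
        table.setdefault(ip, names[0])
    return table


def label_connection(table, foreign_ip):
    """What netstat would print for a foreign address given that table."""
    return table.get(foreign_ip, foreign_ip)


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    for name, ip, effect in suspicious_entries(entries):
        print(f"HIJACKED {name:30} -> {ip:12} {effect}")
    table = reverse_lookup_table(entries)
    print("netstat would show 127.0.0.1 as:", label_connection(table, "127.0.0.1"))
```

The practical lesson is to run netstat -an (numeric) before trusting any hostname it prints, and to read %SystemRoot%\system32\drivers\etc\hosts directly whenever a connection is labelled with a name the machine has no reason to contact. After a clean HOSTS file is restored, the same model labels 127.0.0.1 as localhost, which is what the poster saw.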
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
