Malware, of course.

Discussion in 'Malware Help (A Specialist Will Reply)' started by BigShot, Dec 2, 2010.

  1. BigShot

    BigShot Private First Class

    Hey folks. Had a few oddities with the system this week.

    Up until running the scans there was an odd clicking/clunking noise coming from the tower. It seems to have stopped now but I'll update about that after I boot up again tomorrow morning.
    Possibly related, but for some reason the network/wireless router was also acting up. The logs showed a number of DoS attacks blocked (our outward IP was the "destination") and a new computer that came in (clean) couldn't find or connect to the network. I reset the router and changed the network key and admin password to new ones and it seems to be working fine now.

    McAfee notified me of a trojan it had removed and said "no further action needed" but I decided to pop on here and run the ReadMe process. A number of threats were found, but I'm sure that will become clear from the logs I'll be attaching now.

    I ran CCleaner on all user accounts (all set to Administrator accounts for the purpose of running CCleaner) and ran the rest of the process on the account I was using when the Trojan alert popped up. This is the stage I'm at the time of posting this thread.

    I'll check back first thing in the morning (UK time) for any replies.

    Thanks folks.
     

    Attached Files:

  2. BigShot

    BigShot Private First Class

    And the other log...
     

    Attached Files:

  3. BigShot

    BigShot Private First Class

    I know this bump is going to hurt my cry for help, but I can't see an "edit post" button from my Android phone. Dunno if there's usually one there... anyway:

    I forgot to mention that when I ran ComboFix, it produced the log (attached above) but didn't return my desktop. I left it for a long time but nothing changed. In the end I did ctrl+alt+del and used the "new process" (iirc) button to run "explorer". From then I ran MGTools and posted this thread. Shut down the computer and that was the end of my night's work.

    Anyway... bedtime. G'night folks.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there and welcome. I am currently reviewing your logs and will get back to you with a set of instructions in the next post I make to you.
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Do quite so many users of this machine NEED to have admin privileges? It makes it so much easier for malware to penetrate.

    Ad-Aware SE Personal <--- Outdated and ineffective, might as well uninstall it and use SUPERantispyware and Malware Bytes instead.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Driver::
    JZTEQESI
    Remote Packet Capture Protocol v.0
    File::
    C:\Documents and Settings\Anne\Start Menu\Programs\Startup\liaimbnt.exe
    C:\Documents and Settings\BACKUP\Start Menu\Programs\Startup\liaimbnt.exe
    C:\Documents and Settings\Jane\Start Menu\Programs\Startup\liaimbnt.exe
    C:\Documents and Settings\John\Start Menu\Programs\Startup\liaimbnt.exe
    C:\Documents and Settings\Seán\Start Menu\Programs\Startup\liaimbnt.exe
    C:\Documents and Settings\William\Start Menu\Programs\Startup\liaimbnt.exe
    C:\Program Files\njxJVwVv\liaimbnt.exe
    C:\WINDOWS\Qjanetedabexobe.dat
    C:\WINDOWS\Rmufo.bin
    c:\windows\system32\jzteqesi.tkq
    Folder::
    c:\program files\njxJVwVv
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\JZTEQESI]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Now run RootRepeal again and attach its log.

    Are all the other accounts okay? Perhaps you should run MBAM and SAS on each one and fix what it may find. Let me know.
     
  6. BigShot

    BigShot Private First Class

    Thanks Kestrel.
    I only set the other accounts to Admin for running the cleaning process (the XP cleaning procedure mentioned that some of the tools may not like limited user accounts so I changed them over up front for ease later on).

    At least one other account had a trojan notice pop up on it. I'm not sure if it's affected all of them but I will run SAS and MBAM on all anyway.

    Ad-Aware = gone. Thanks for the tip. It's been on there a long time now. I'm happy enough to remove it if it's a waste of space.

    C:\MGTools\analyse.exe run as requested and both lines selected and "fixed".

    When running ComboFix I got the following message:
    Rootkit!!
    ComboFix has detected the presence of rootkit activity and needs to restart the machine.
    Kindly note down on paper, the name of each file. We may need it later.
    C:\Documents and Settings\William\Application Data\Iwluu\asuky.exe


    After the reboot I clicked to log back in to the same account and ComboFix carried on from where it left off. One more reboot and it made the log file and exited.
    Maybe worth a note that though the CF window said not to open any applications, as it had restarted a load of things did try to start on their own, including SAS.

    Here are the logs from the steps you asked me to take. As mentioned I will run SAS and MBAM on other accounts too.
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Now double click the TDSSkiller.exe file to run it (if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrator).
    • Allow the application to run and a window will open showing that it is TDSSkiller from Kaspersky
    • Click Start scan
    • It will run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )
     
  8. BigShot

    BigShot Private First Class

    Done. No threats found.
    Log attached.

    Full disclosure:
    I don't know if it makes any difference, but I went out for a while after making my previous post and (as usual) I turned the machine off when I went. I wouldn't have thought it would make a difference, but thought I'd better mention it just in case the TDSSKiller step was meant to take place before a reboot.
     

    Attached Files:

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  10. BigShot

    BigShot Private First Class

    After running GMER for a rather long time, I got a BSOD. It's far too late to try again so I'm off to bed, but should I try again in the morning or not?
    I've recorded the BSOD if it makes any difference (the joys of digital photography). If so, let me know and I'll upload it.
    Cheers.
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Folder::
    C:\Documents and Settings\William\Application Data\Iwluu
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    How're things running now?
     
  12. BigShot

    BigShot Private First Class

    Combofix run as requested. Log attached.

    Things certainly seem better. The clunking noise I mentioned seems to have stopped (I'm not even sure it was related, but still).
    I've yet to dig into the other accounts as discussed earlier but that's next on the list.

    Other than that, I've not really used the computer other than following the cleanup process and your incredibly helpful assistance so I can't comment a great deal on how things are running.
    Maybe a tad smoother or quicker to boot up to a fully loaded desktop, but I've not timed it so that may be all in my head.

    So, how do we know when this is in the clear? Do we keep going until you no longer see anything in the logs or until I think it's OK?

    Also, when I start running MBAM and SAS on the other accounts, do you want me to post logs in here, start new threads or what?
     

    Attached Files:

  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Well let's get going on that then. May as well stay in this Thread. Run SUPERantispyware and Malware Bytes on each account you want to check over, and attach the logs, clearly indicating which is which so rename them to SAS xxx MBAM xxx. xxx being whoever's account it was run on.
     
  14. BigShot

    BigShot Private First Class

    I'll start the scans now (but will probably post the results tomorrow as it's late here) but before I do I was going to delete the "Backup" account. Is there any reason not to do that before we finish the whole process?
    It'll save a couple of scans and logs that way, but if that might mean malware staying on the system (if that account is even affected) I'd rather take the extra time to scan it.
    Suggestions?
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, scan it if you like, you seem to want to take the time to do that so you might as well. :) I will be here waiting.
     
