malware, possible backdoor...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by giorgiobusoni, Aug 30, 2011.

  1. giorgiobusoni

    giorgiobusoni Private E-2

    Hi all
    I have had trouble for some time. It all started when I had the intelligent thought to go on an untrustworthy website when I had just installed Windows 7, and not the antivirus yet, in the last days of April.
    From then on I got every 1-2 weeks the antivirus message that some virus in the appdata/temp folder named something.tmp was deleted. Messages appeared casually, even when I was doing nothing.
    The last month it became worse. One day I found the PC screen full of popups, the desktop icons and all the document folders had been set to hidden and "display hidden files" had been changed to no, so that I couldn't see them anymore; also the system icons on the desktop had been removed and replaced with a fake antivirus-program icon. I closed every process with Task Manager and performed many virus scans. I deleted many viruses but many programs didn't work correctly anymore. Even Outlook 2010 wasn't working properly, it crashed every 5 minutes, and at some point it started crashing on startup.
    Doing virus scans with some other programs, I found a .dll file in my profile folder root that was recognised as a backdoor. It was run at startup using a registry key (I saw it in msconfig). To delete it I had to boot in safe mode, delete the file and then disable the autorun from msconfig.
    After deleting that, many programs started working normally, but some others like Catalyst Control Center still don't behave normally.
    I have followed the procedure suggested in this forum: SuperAntiSpyware found only 4 risks and deleted them, MBAM found nothing, ComboFix and MGtools I don't know. The fifth program I didn't run because it was said not to run it on 64-bit systems.
    I attach the logs.
    Unfortunately, after doing that procedure last night, this morning my antivirus found many viruses, and many UAC windows popped up asking me to run with admin privileges programs like setupxxxxx.exe

    Actually my SEP lists these viruses in the infections (the list was cleaned some days ago, so there are only the latest)
    Troyan.Gen.2 dfa43eb-4787b1b6
    Suspicious.MH690 P1kAlMiG2Kb7Fz.exe
    Troyan.Gen smrxanwoce.exe
    Troyan.Adclicker mxoenrcasw.exe

    I also add the log of a previous scan with some other software

    Attached Files:

  2. giorgiobusoni

    giorgiobusoni Private E-2

    here is the log of previous scan
  3. giorgiobusoni

    giorgiobusoni Private E-2

    sorry for the double post but it didn't attach the log

    Attached Files:

    • log.zip (105.6 KB)
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Uninstall the below software.

    Java(TM) 6 Update 14 <--- Outdated.
    Messenger Plus! 5 <--- This is just garbage.

    If you did not deliberately set this proxy yourself then please include it in the HJT fix below:
    Code:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 151.8.65.5:80
    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    • R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 151.8.65.5:80

    After clicking Fix exit HJT.


    Now we need to use ComboFix sUBs

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    c:\programdata\PLAV
    c:\programdata\MessengerDiscovery
    
    Folder::
    c:\programdata\ParetoLogic Anti-Virus PLUS
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "disablecad"=-
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.


    Could you please get these files: PE_File.dll and PE_Rom.dll into a zipped file and attach it for me in your next post? To do this, see the below:

    On your keyboard, press the Windows key + R at the same time and paste in the following:
    This brings up the Run dialog box for windows 7
    Now paste in the following:
    Press ENTER
    log retrievable @ C:\collect.zip
    Attach collect.zip to your next message. (How to attach items to your post)

    Please go to virustotal and upload the following files for analysis, and let me know the results.
    • c:\windows\PE_File.dll
    • c:\windows\PE_Rom.dll

    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    • cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    • nwktst <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    • GetRunKey <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    • ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.
    • analyse <-- this attempts to run HijackThis. Be sure to click the Accept button twice in the license agreement popup or it will just sit there and wait.
    Now look for the C:\MGlogs.zip file and attach it no matter what happened while doing the above.


    Are you STILL experiencing redirects? If so...

    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run

    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
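    A short read-only triage script, added here as an example (it is not part of the thread and not one of the MGtools, HijackThis or ComboFix tools the post refers to), that reports the same settings the post above asks about: the HKCU ProxyServer value that HijackThis shows as the R1 line, the DisableCAD policy value the CFScript deletes with "disablecad"=-, the SHA-256 of the two DLLs the helper wants checked on VirusTotal (a hash lookup there avoids uploading the file itself), and the per-user and machine Run keys of the kind the original poster found in msconfig. It assumes PowerShell 4 or later (for Get-FileHash) and a 64-bit console; the two DLL paths come from the post, everything else is read from the live system and only printed, nothing is changed.

```powershell
# Added example, not from the MajorGeeks thread: report settings for review.
# Assumes PowerShell 4+ (Get-FileHash). Nothing below writes to the registry.

# 1. Proxy setting HijackThis reports as line R1
$inet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($proxy -and $proxy.ProxyServer) {
    Write-Output ("ProxyServer = {0}  (ProxyEnable = {1})" -f $proxy.ProxyServer, $proxy.ProxyEnable)
} else {
    Write-Output 'No ProxyServer value set under HKCU Internet Settings'
}

# 2. DisableCAD policy value (the CFScript line "disablecad"=- removes it)
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$cad = Get-ItemProperty -Path $pol -Name DisableCAD -ErrorAction SilentlyContinue
if ($cad) {
    Write-Output ("DisableCAD = {0}" -f $cad.DisableCAD)
} else {
    Write-Output 'DisableCAD not present'
}

# 3. SHA-256 of the two DLLs named in the post, for a VirusTotal hash lookup
foreach ($f in 'C:\Windows\PE_File.dll', 'C:\Windows\PE_Rom.dll') {
    if (Test-Path -Path $f) {
        $h = Get-FileHash -Path $f -Algorithm SHA256
        Write-Output ("{0}  {1}" -f $h.Hash, $f)
    } else {
        Write-Output ("{0} not found" -f $f)
    }
}

# 4. Run keys: every value name and the command it launches at logon/boot
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    $item = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    # Skip the PS* metadata properties PowerShell adds to every registry item
    $item.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object { Write-Output ("{0}\{1} = {2}" -f $k, $_.Name, $_.Value) }
}
```

    Run it from an elevated PowerShell window and compare the output with what the helper asked for: an unexpected ProxyServer, a DisableCAD value you did not set, or a Run entry pointing into a profile or temp folder is what to mention in the next post, rather than acting on it before the logs have been reviewed.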
  5. giorgiobusoni

    giorgiobusoni Private E-2

    Thanks for the reply. The proxy is OK, I set it some time ago, and it is now disabled. I'll do the procedure and let you know. For now I can tell you that the online scan of those 2 files found nothing.
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK, post back once you have all of the requested logs! :)
  7. giorgiobusoni

    giorgiobusoni Private E-2

    May I update Java instead of uninstalling it completely? Some programs won't work without it.
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    It's best to do it with the method I gave. Once you have new Java installed... You'll be fine!