Persistent Trojan Horse Agent_r.XJ..HELP

Discussion in 'Malware Help (A Specialist Will Reply)' started by sdellis93, Apr 26, 2011.

  1. sdellis93

    sdellis93 Private E-2

    Malwarebytes found the trojan, but could not remove it. Ran Combofix, Spybot, SuperAntiSpyware, and none of these could remove the trojan.

    Symptoms: unwanted tabs get initiated in Firefox, an 'extra' svchost that takes the CPU to 100%, and the internet connection gets shut down... this is so irritating..

    Have attempted to run TDSSKiller and it initiates to 80%, then crashes, in either normal mode, and safe mode.

    Avast intercepts and removes various files sporadically.

    THANKS IN ADVANCE TO ANYONE WHO CAN HELP ME WITH THIS
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Do you have your Windows boot CD? What operating system are you running there?
     
  3. sdellis93

    sdellis93 Private E-2

    Running XP, SP3

    PC is a netbook, no internal CD drive, have USB disc drive.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Do you have your Windows boot CD?
     
  5. sdellis93

    sdellis93 Private E-2

    Yes I do
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I want you to download Combofix to your desktop

    Now follow the information in this link to install the Recovery console if you do not already have it.

    Installing Windows Recovery Console Using ComboFix


    Once done...

    Reboot your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console"
    (you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the windows XP bootup)

    http://i1111.photobucket.com/albums/h479/MysticalMagpie/1.gif?t=1303862256


    http://i1111.photobucket.com/albums/h479/MysticalMagpie/2.png?t=1303862286

    When you get to the above screen, take note of the number that references your operating system.

    If it's '1' like the picture above, type 1 and press Enter

    http://i1111.photobucket.com/albums/h479/MysticalMagpie/3.png?t=1303862308

    Next type FIXMBR

    If it asks if you're sure you want to write a new MBR, answer 'Y'

    Then type EXIT to reboot the machine.

    With that done, please post back and let me know how things are now. Then there will be other scans to work on afterwards as part of the Read and Run Me First procedures. :)
     
  7. sdellis93

    sdellis93 Private E-2

    I have downloaded combofix before, and have entered into the recovery console to 'see' what it is. As I recall, when I have seen the fixmbr utility used, it gives a warning that some partitions (?) of the disk may be damaged..?

    You are saying it is ok to run fixmbr?

    The discs I thought were 'recovery' disks are not that.. they are 'utilities' only.. I cannot locate any recovery discs at this time.
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  9. sdellis93

    sdellis93 Private E-2

    This was run in safe mode
     

    Attached Files:

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now run what you can of the below.

    READ & RUN ME FIRST. Malware Removal Guide

    Please also download MBRCheck to your desktop

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some data on it
    • Right click on the screen and select > Select All
    • Press Control+C
    • Open a notepad and press Control+V
    • now please ATTACH that report to this thread as well as the other requested logs.
     
  11. sdellis93

    sdellis93 Private E-2

    The lan connection quit working, I rebooted and I could not boot in Safe Mode. This was run in Normal Mode.

    I cannot paste from the MBR check screen.. Cntl+V kills the Firefox application.
    Here is the output, transcribed from the screen:

    MBR Check, Version 1.2.3
    (c) 2010, AD

    Command Line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drive Mask: 0x00000000c

    \\.\C:-->\\.\PhysicalDrive) at offset 0x00000000 `fa08fc00 (NTFS)
    \\.\D:-->\\.\PhysicalDrive) at offset 0x0000000a `be62d400 (NTFS)

    Size Device Name MBR Status
    ------------------------------------------------------------
    111GB \\.\PhysicalDrive0 Unknown MBR Code

    Found non-standard or infected MBR
    Enter 'Y' and hit Enter for more options....
     
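The "Unknown MBR Code" verdict in the MBRCheck output above comes from comparing the boot-code bytes of sector 0 against a list of known-good loaders. The following is an added example, not MBRCheck's code and not anything posted in this thread: it builds constructed 512-byte MBR sectors, parses the partition table, and hashes the boot-code region against a constructed baseline, which is the defender-side check behind a verdict like the one the poster saw. The sample boot code, partition layout and baseline hash are all assumptions made up for the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # boot code occupies bytes 0..439
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the disk signature
BOOT_SIG = b"\x55\xaa"   # last two bytes of a valid MBR

def build_mbr(boot_code: bytes, partitions, disk_sig=0x1234ABCD) -> bytes:
    """Assemble a 512-byte MBR from boot code and (status, type, lba_start, sectors) tuples."""
    assert len(boot_code) <= BOOT_CODE_LEN and len(partitions) <= 4
    sector = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00"))
    sector += struct.pack("<IH", disk_sig, 0)            # disk signature + reserved word
    for status, ptype, start, count in partitions:
        # CHS fields are zeroed; loaders on LBA disks use the two 32-bit LBA fields
        sector += struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    sector = sector.ljust(SECTOR_SIZE - 2, b"\x00") + BOOT_SIG
    return bytes(sector)

def parse_mbr(sector: bytes) -> dict:
    """Split a sector into boot code, disk signature, partition entries and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype:                                        # type 0x00 means an unused slot
            parts.append({"active": status == 0x80, "type": ptype,
                          "lba_start": start, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "disk_signature": struct.unpack_from("<I", sector, BOOT_CODE_LEN)[0],
            "partitions": parts,
            "signature_ok": sector[-2:] == BOOT_SIG}

def classify_mbr(sector: bytes, known: dict) -> str:
    """Return a verdict in the style of MBRCheck's MBR Status column."""
    mbr = parse_mbr(sector)
    if not mbr["signature_ok"]:
        return "Invalid boot signature"
    digest = hashlib.sha256(mbr["boot_code"]).hexdigest()
    if digest in known:
        return f"Known MBR Code ({known[digest]})"
    return "Unknown MBR Code"   # boot code does not match any baseline: investigate

# Constructed samples: a stand-in for a clean loader and a copy whose first
# instruction has been redirected, the way a bootkit hooks the boot path.
CLEAN_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 40
TAMPERED_CODE = b"\xe9\x00\x01" + CLEAN_CODE[3:]
PARTS = [(0x80, 0x07, 63, 220_000_000), (0x00, 0x07, 220_000_063, 12_000_000)]  # C: and D:, NTFS
KNOWN_GOOD = {hashlib.sha256(CLEAN_CODE.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest():
              "Windows XP (constructed baseline)"}

if __name__ == "__main__":
    for name, code in (("clean", CLEAN_CODE), ("tampered", TAMPERED_CODE)):
        print(name, "->", classify_mbr(build_mbr(code, PARTS), KNOWN_GOOD))
```

On a real system the sector would be read from the raw disk device and the baseline list would hold hashes of the vendor's shipped loaders; a hash miss is a reason to compare the sector against a known-good copy, not proof of infection by itself.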
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  13. sdellis93

    sdellis93 Private E-2

    PC too unstable in NORMAL mode.. all items done in SAFE mode:

    1. Could not uninstall MS Security Essentials. PC goes off into la-la land forever; AVAST also running
    2. Only Windows Firewall used.
    3. No MyWay or Viewpoint ever installed
    4. Cannot uninstall java(s); see #1 above
    5. Ran CCleaner successfully
    6. All hidden files can be viewed
    7. No unused or 'bad' software installed
    8. No disk emulation ever installed
    9. TeaTimer not running in SAFE mode
    10. SuperAntiSpyware, MalwareBytes, and Combofix are loaded on PC
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    So after running the below I need to see logs from each:

    • SUPerantispyware
    • Malware Bytes
    • Combofix (Download the current version from the link just to be sure you have the latest)
    • MGTools

    Also TDSSKiller (Only run that after running the rest) - try that again and attach the log if successful.
     
    Last edited: Apr 27, 2011
  15. sdellis93

    sdellis93 Private E-2

    Tool log files are attached. Disabled all virus/malware software.

    SuperAntiSpyWare
    MalwareBytes
    ComboFix
    MGTools

    Could NOT run MGTools. In NORMAL mode, PC would not complete re-boot (got wallpaper, no icons..hangs up and won't finish boot). MGTools will not run in SafeMode.
     

    Attached Files:

  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    The MBAM log shows "Not selected for removal." Did you indeed fix everything it found?

    I see a bit of malware to remove in your Combofix log, but let's try and get a full set of logs from MGTools. But first check to see if TDSSKIller will now run for you! Let me know.

    Please do this, click Start, Run and enter cmd and click OK. This will open a command prompt window. In the command prompt window, enter the below commands each followed by the enter key. Note there is a space after the cd

    cd \MGtools
    GetLogs.bat

    Do you now have a C:\MGLogs.zip?
     
  17. sdellis93

    sdellis93 Private E-2

    MBAM was re-run and all items removed.

    TDSSKiller will (still) not run.. 80% initialization, then dies.

    Input 'GetLogs.bat' in the MGTools subdir, and get 'not a valid command'.. the bat file does not exist in this subdir
     
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    First off, if you have both Avast and Microsoft Security Essentials installed then you need to uninstall one of them immediately before we continue.

    Please disable Spybot's TeaTimer.

    How to disable Spybot's TeaTimer

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Folder::
    c:\windows\system32\config\systemprofile\Application Data\whitesmoketoolbar
    File::
    c:\program files\051120109444040.bat
    c:\windows\TEMP\Yh1.exe
    c:\windows\TEMP\Yh0.exe
    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "GHWAUC6NNZ"=-
    "PT25DHYRAW"=-
    "SvrWsc"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.


    Download OTL to your desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Vista and Windows 7 users Right-click OTL and choose Run as Administrator)
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.

    Rename C:\MGTools.exe to 123.com and see if it will now run for us.

    Tell me how things are running. Of course I think the infection is still in place, and it is an MBR infection, so we may have to start thinking about other ways to repair it if you cannot locate your boot CD or borrow one. Perhaps we could use Hiren's CD to fix the MBR. See what was posted in message # 12 of the below thread and see if you can get this CD to run. If you still need special drivers to access your drive, you will need to post in the Software Forum on how to do this.

    whistler/black internet@mbr again!


    What's inside of this folder?
    c:\program files\Tdds
     
  19. sdellis93

    sdellis93 Private E-2

    MS Essentials was uninstalled; ComboFix gave warnings that it was running, but it was not installed on the PC.

    1. Uninstalled SpyBot; no teatimer to disable

    2. Ran COMBOFIX (it did update, with CFscript) successfully; log attached [Note: this would not run in NORMAL mode, got a 'corrupted file' message; rebooted to SAFE mode and it ran flawlessly]

    3. Ran OTL successfully; log attached

    4. Renamed MGTools.exe to 123.com; ran successfully (!); logs attached

    5. C:\TDDS; there are two files in this directory; eula.txt, TDDSKiller.exe

    6. I cannot find the MSI Windows XP Home discs, but I do have reinstall discs from another computer (Gateway) XP Professional

    7. PC still shows symptoms of infection, after all the above, and several reboots.
     

    Attached Files:

  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Then let's do this.

    You need to use your Windows XP CD to boot to the Recovery Console and run the fixmbr to clear a Master Boot Record infection that you have.

    You can read the below to help you do this:

    http://support.microsoft.com/kb/307654


    After running the fixmbr command then boot back to normal mode Windows and try running TDSSkiller now. Then attach the log. Also explain if you are still having any malware problems.
     
  21. sdellis93

    sdellis93 Private E-2

    To be crystal clear on this procedure:

    1. Should NOT use the Recovery Console that ComboFix installed on my PC?

    2. The infected PC should boot (change boot priority in bios) on the recovery disc? Ok if boot disc is Windows XP Professional, and not Windows XP Home?

    3. Run recovery console to run fixmbr? Answer Yes to all procedures?

    4. Will this procedure be destructive - wipe out data?
     
  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I'll get back to you on that. I think we will be okay but hang in there and I will reply after asking colleagues.
     
  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    c:\windows\system32\3.tmp
    c:\windows\system32\2.tmp
    C:\Documents and Settings\Steve\Local Settings\Application Data\203296782
    C:\Documents and Settings\Steve\Local Settings\Application Data\623261843
    C:\Documents and Settings\Steve\Local Settings\Application Data\y24qcl280mo26hc4l3k2x887b4ekht2wptb23ff5
    C:\Documents and Settings\All Users\Application Data\203296782
    C:\Documents and Settings\All Users\Application Data\623261843
    C:\Documents and Settings\All Users\Application Data\y24qcl280mo26hc4l3k2x887b4ekht2wptb23ff5
    C:\Documents and Settings\Steve\Templates\203296782
    C:\Documents and Settings\Steve\Templates\623261843
    C:\Documents and Settings\Steve\Templates\y24qcl280mo26hc4l3k2x887b4ekht2wptb23ff5
    
    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "GHWAUC6NNZ"=-
    "PT25DHYRAW"=-
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept (yes, twice).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  24. sdellis93

    sdellis93 Private E-2

    The following steps were initiated in SAFE mode:

    1. MGTools analyse.exe was successfully run, and the two lines noted checked to 'fix'

    2. ComboFix was run successfully with the noted script; log attached.

    3. MGTools getlogs.bat file did NOT successfully run; when 'analyse.exe' was executed from the batch file, the PC abruptly re-booted into NORMAL mode, then crashed. Attempted to run this again, and got the same result. No log files were created.
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to boot from a Windows Boot CD and run fixmbr. To answer your questions. See inline replies in bold brown.

     
    Last edited: Apr 29, 2011
  26. sdellis93

    sdellis93 Private E-2

    1. Used Windows XP Professional Install from CD drive.
    2. PC began booting from CD..loading drivers
    3. Got following message (blue screen):

    A problem has been detected and Windows has shutdown to prevent damage to your computer.

    Check for viruses on your computer. Remove all newly installed hard drive controllers. Check your hard drive to make sure it is properly configured and terminated. Run CHKDSK/F to check for hard drive corruption, and then restart your computer.

    Technical Information:
    *** STOP: 0x0000007B (0xF7A9463C, 0xc0000034, 0x00000000, 0x00000000)
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then the options that remain are:

    1. Slave this infected hard disk to another Windows XP computer and use this second/clean computer to repair the MBR of the infected drive. You will need to use the specific commands given in the Microsoft link to repair the second hard disk rather than the first.
    2. Backup your important data, delete partitions, repartition, format and reinstall.
     
  28. sdellis93

    sdellis93 Private E-2

    I have already backed up data.. the PC is unstable, but data was backed up, with AVAST running. Data is un-infected?

    Slaving the drive to repair the MBR won't fix permanently?
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The MBR infection has not impacted your data. However you had many other infections too. They probably have not infected personal data/files. You just need to be very careful about what you backup and only backup necessary personal files and not just everything you have downloaded/installed since there is always a risk that the executables carry infections.

    As long as you get the correct MBR fixed, it should be okay.
     
