recent trojan attack

Discussion in 'Malware Help (A Specialist Will Reply)' started by cenfin, Nov 28, 2013.

  1. cenfin

    cenfin Private E-2

    Hi all,

    I was recently hit by a nice little trojan that had my IP address blacklisted. I found the virus and cleaned the PC, well, I think I have. I also had the blacklist removed.

    The main problem I have now is that I have found that all PDF and Microsoft documents have been corrupted. Unfortunately I also had my backup hard drive connected to the system at the time, and all backups of my files have also been affected.

    I have been running "McAfee as a service" as protection.

    I am looking for some assistance on 2 points:
    1. to make sure my system is clean
    2. to try and recover document files if at all possible.

    I have run HijackThis and the results are below


    I hope someone can help on both the cleaning of the machine and the recovery of the data files.

    cheers
     
    Last edited by a moderator: Nov 28, 2013
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Welcome to Major Geeks!

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide

    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.
    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain (if any still do)!

    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual update for Malwarebytes (links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes, you could use a flash drive too, but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only RogueKiller and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run the rest of the READ & RUN ME FIRST instructions on the infected account.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. cenfin

    cenfin Private E-2

    Thanks, I am starting the process now.
     
  4. cenfin

    cenfin Private E-2

    I have followed the procedures as best as possible. I hope I have done it correctly as I have been working on this problem now for over 9 hours straight, and it is a lot of new information to absorb in a short period of time.
    My apologies if I have done something out of order.

    I have attached x2 log files, the RKreport and the Hitman report. Is there any other information you require?

    I look forward to your guidance.

    Dazza
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I still need to see logs from Malware Bytes and MGTools please. :)
     
  6. cenfin

    cenfin Private E-2

    Hi, I trust I have done the right thing. Please see the attached files. I assume the MGZip file has all the data you require, logs and other PC data.

    If not please let me know.

    Thanks again for your time, I do appreciate it.

    Dazza
     

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi Dazza,

    Please re-run Hitman and have it delete all of the Potentially Unwanted Programs.

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these 3 detections:

    • [V1][SUSP PATH] Dealply.job : C:\Users\Darren\AppData\Roaming\Dealply\UPDATE~1\UPDATE~1.EXE - /Check [x] -> FOUND
    • [V2][SUSP PATH] Dealply : C:\Users\Darren\AppData\Roaming\Dealply\UPDATE~1\UPDATE~1.EXE - /Check [x] -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.


    Delete the below:
    • C:\ProgramData\Babylon
    • C:\ProgramData\DSearchLink
    • C:\ProgramData\ErrorEND6
    • C:\Users\Darren\AppData\Roaming\Dealply

    Reboot the machine again, navigate back to where those folders were. Are they still gone?

    Explain how things are running.
     
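The post above asks for a manual check, after the second reboot, that the deleted folders have not come back. As an added example (not part of the thread or of MajorGeeks' procedure), the PowerShell script below performs that check for the four folders named in the post and for the Dealply.job scheduled task; the paths are taken from the post, while the C:\Windows\Tasks location for the legacy .job file is an assumption, since the post gives only the task name.

```powershell
# Added example, not from the thread: re-check after reboot that the items
# Kestrel13! asked to be removed are really gone. Folder paths come from the
# post; the %windir%\Tasks location for the legacy Dealply.job task is an assumption.
$items = @(
    'C:\ProgramData\Babylon',
    'C:\ProgramData\DSearchLink',
    'C:\ProgramData\ErrorEND6',
    'C:\Users\Darren\AppData\Roaming\Dealply',
    "$env:windir\Tasks\Dealply.job"
)

# -Force so hidden or system-attributed leftovers are not missed.
$leftovers = foreach ($item in $items) {
    if (Test-Path -LiteralPath $item) {
        Get-Item -LiteralPath $item -Force |
            Select-Object FullName, LastWriteTime,
                @{ n = 'Hidden'; e = { [bool]($_.Attributes -band [IO.FileAttributes]::Hidden) } }
    }
}

if ($leftovers) {
    Write-Output 'Still present after reboot:'
    $leftovers | Format-Table -AutoSize
} else {
    Write-Output 'None of the listed folders or the Dealply.job task remain.'
}
```

A folder that reappears after a reboot with a fresh LastWriteTime is the useful signal here: it means something still running is recreating it, which is exactly what the helper would want reported in the next post rather than silently deleted again.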
  8. cenfin

    cenfin Private E-2

    Hi Kestrel13!,

    Thanks again for your help. I do appreciate your effort and time involved with my case.

    Ran Hitman and followed its recommendations for deletion of programs, reg entries etc.
    I have attached multiple RK logs, as I have run the program as you instructed and then afterwards.

    I deleted the V1 and V2 lines in reg detection.

    I also checked for any traces of Babylon, DsearchLink and ErrorEND64. When found, they were deleted also. Oh, almost forgot, also Dealply.

    Machine is clean of them.

    Does this mean that the machine is fully clean of virus and malware?

    Do you know if there is any way of fixing/repairing damaged files from the trojan attack? Mainly the Microsoft Office files and PDF files?

    I believe I do have a backup which is 2 months old. But a lot has taken place in 2 months.

    Prior to this attack I would have all current working data on a secondary hard drive in the PC, then back up this data to a USB hard drive. Unfortunately I was hit with the trojan when all were connected to the system at the same time.

    After speaking to some of my clients (IT support/provider companies) they have suggested having data on a NAS (with backup app running) taking snapshots of info onto an attached USB hard drive. This is what and how they have recovered all their clients that have had similar attacks.

    As I have this company and another (running soft copies of all records) I really need to have a fail-proof engineered system for backups, for both machines but most importantly the data.

    I would be very interested in what you would recommend. Using a cloud provider is out of the question due to the amount of data, currently only 1tbit but due to expand to 4 tbit over the next 18 months.

    Your guidance and advice would be greatly appreciated.


    Sorry, machine performance... it has been fine, even with the virus infection... but it is a high spec machine. I do notice a lot of svchost.exe processes running (currently 11 without the PC doing anything except a browser connection), but then again I am still getting used to Win 7 and its requirements compared to XP. This seems high to me. What are your thoughts?

    On another subject I have a laptop that seems to have issues but will try some basic stuff first before wasting your time with it.

    Is there any other information that you require, or feedback?
    If there is a way of recovering Office and PDF files, I would very much appreciate knowing how, as it would save me a lot of work, in fact at least a week.


    Kind regards,



    Dazza
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there Dazza, only malware removal is dealt with in this forum. The questions you have about the corrupted PDFs etc. and the other things you are asking about can all be further discussed in the software forum, so feel free to post there! :)

    Here's an interesting article about svchost and multiple instances of it.




    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win7, or Win 8, right click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

    7. After doing the above, you should work through the below link:
     
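Dazza asked whether 11 svchost.exe processes on an idle Windows 7 machine is too many, and the reply points at an article on why multiple instances are normal. As an added example (not from the thread or the linked article), the PowerShell below answers the question the way a defender would: it lists each svchost.exe instance together with the services it hosts, and flags any process carrying that name that does not run from the real System32 or SysWOW64 binary or hosts no service at all. It assumes PowerShell 3.0 or later (Windows 7 needs the Windows Management Framework 3.0 update for that) and an elevated prompt, without which the executable path of processes in other sessions is not visible.

```powershell
# Added example, not from the thread: show what each svchost.exe instance is
# hosting so the count can be judged by content rather than by number.
# Assumes PowerShell 3.0+ (Get-CimInstance, [pscustomobject]) and an elevated prompt.
$expectedPaths = @(
    "$env:windir\System32\svchost.exe",
    "$env:windir\SysWOW64\svchost.exe"
)

$hosts    = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"
$services = Get-CimInstance Win32_Service -Filter "State = 'Running'"

$rows = foreach ($proc in ($hosts | Sort-Object ProcessId)) {
    $hosted = $services |
        Where-Object { $_.ProcessId -eq $proc.ProcessId } |
        ForEach-Object { $_.Name }
    $path = $proc.ExecutablePath

    # A genuine svchost.exe lives in System32/SysWOW64 and always hosts at
    # least one service; anything else with that name deserves a closer look.
    # (-notcontains compares case-insensitively, so System32 vs system32 is fine.)
    $note = ''
    if ($path -and ($expectedPaths -notcontains $path)) { $note = 'UNEXPECTED PATH' }
    elseif (-not $hosted)                                  { $note = 'NO SERVICES' }

    [pscustomobject]@{
        PID      = $proc.ProcessId
        Path     = $path
        Services = ($hosted -join ', ')
        Note     = $note
    }
}

$rows | Format-Table -AutoSize -Wrap
"svchost.exe instances: $($rows.Count); flagged: $(@($rows | Where-Object Note).Count)"
```

On a healthy Windows 7 system every row shows the System32 path and a non-empty Services column (netsvcs, RPCSS, DcomLaunch and so on), and a count around a dozen is ordinary; the rows worth attention are the flagged ones, not the total.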
