System restore trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by LtLaForge, Nov 11, 2011.

  1. LtLaForge

    LtLaForge Private E-2

    From what I could find, my symptoms best match the System Restore trojan. I have gone through all the steps in your clean XP FAQ. I also ran the unhide.exe program.

    Unfortunately I was not able to completely run ComboFix. I installed and updated and made it all the way to the autoscan window and the program made it to the "scan times can double" line and would sit there. The cursor would blink for over an hour but it would go no further.

    Oh, and when using Google my links are being redirected, and until just a bit ago I had a dial-up connection for MSN that my computer kept trying to use. Enclosed are all the logs I have.

    TIA
     

    Attached Files:

    Last edited: Nov 11, 2011
  2. LtLaForge

    LtLaForge Private E-2

    For some reason I can't seem to upload the mglogs.zip. I have tried renaming and re-zipping to no avail, so I will have to upload each file separately.
     

    Attached Files:

  3. LtLaForge

    LtLaForge Private E-2

    part 3
     

    Attached Files:

  4. LtLaForge

    LtLaForge Private E-2

    Part 4
     

    Attached Files:

  5. LtLaForge

    LtLaForge Private E-2

    Part 5.

    It seems I can't upload files larger than ~100kb. I don't know if that is another symptom, but it is definitely another problem. :cry I even tried uploading to MediaFire and FileDropper with no luck.

    BTW, sysrest.txt was empty. Please let me know if I missed anything.
     

    Attached Files:

    Last edited: Nov 11, 2011
  6. thisisu

    thisisu Malware Consultant

    Hi LtLaForge :)

    http://img853.imageshack.us/img853/6741/addremovexp.gif From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 21
    • LiveUpdate Notice (Symantec Corporation)

    http://img685.imageshack.us/img685/3557/tdsskiller.gif Now we need to run TDSSKiller by Kaspersky
    Follow the instructions here except use the Change Parameters feature and select "Detect TDLFS File system" before scanning. Leave the other option uNchecked.
    Attach your log when you are finished. (How to attach items to your post)


    Please download MBRCheck by GeeksToGo to your desktop.
    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (How to attach items to your post)

    http://dus.x10.mx/canned/otlicon.gif Please download OTL by Old Timer to your desktop.
    • See the download links under this icon: http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
    • When OTL opens, copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
      Code:
      :processes
      killallprocesses
      :otl
      :services
      LiveUpdate
      LiveUpdate Notice Ex
      LiveUpdate Notice Service
      :files
      dir "C:\Documents and Settings\Tower\Desktop\smtmp\" /c
      dir "C:\Documents and Settings\Tower\Local Settings\Temp\smtmp\" /c
      xcopy %temp%\smtmp\1 "%allusersprofile%\start menu" /s /i /h /y /c
      xcopy %temp%\smtmp\2 "%userprofile%\application data\microsoft\internet explorer\quick launch" /s /i /h /y /c
      xcopy %temp%\smtmp\3 "%appdata%\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar" /s /i /h /y /c
      xcopy %temp%\smtmp\4 "%allusersprofile%\desktop" /s /i /h /y /c
      C:\Documents and Settings\Tower\Start Menu\Programs\System Restore
      C:\Documents and Settings\Tower\Desktop\Norton Installation Files.lnk
      :reg
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
      "Symantec PIF AlertEng"=-
      :commands
      [purity]
      [emptyjava]
      [emptyflash]
      [resethosts]
      
    • Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • When complete, Notepad will open.
    • Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)

    http://img51.imageshack.us/img51/6489/javaicon.gif Now install the current version of Sun Java from: Sun Java Runtime Environment

    http://img822.imageshack.us/img822/6835/baticon.gif Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Note: This will automatically update all the logs inside MGlogs.zip

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
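The four xcopy lines in the OTL :files section above undo what this rogue does to the Start Menu, Quick Launch and Desktop: it moves the shortcuts into %TEMP%\smtmp\1 to \4 and hides what it leaves behind. The script below is an added example, not part of the thread or of OTL, that performs the same restoration with a dry-run option; it assumes PowerShell 2.0 or later, the XP folder layout used in the OTL script, and that the smtmp subfolder-to-location mapping is the one shown there.

```powershell
# Added example (not from the thread or from OTL): restore the Start Menu, Quick Launch
# and Desktop shortcuts that the "System Restore" rogue moved into %TEMP%\smtmp.
# Mirrors the four xcopy lines of the OTL :files section; paths follow the XP layout
# used there. Run as the affected user; -WhatIf reports what would change without copying.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Staging = (Join-Path $env:TEMP 'smtmp')   # where the rogue parks the shortcuts
)

# smtmp subfolder -> original location (mapping taken from the OTL script in the thread)
$map = @{
    '1' = Join-Path $env:ALLUSERSPROFILE 'Start Menu'
    '2' = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'
    '3' = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar'
    '4' = Join-Path $env:ALLUSERSPROFILE 'Desktop'
}

if (-not (Test-Path -LiteralPath $Staging)) {
    Write-Output "No $Staging folder found; nothing to restore."
    return
}

$restored = 0
foreach ($sub in ($map.Keys | Sort-Object)) {
    $src = Join-Path $Staging $sub
    $dst = $map[$sub]
    if (-not (Test-Path -LiteralPath $src)) { continue }
    $count = @(Get-ChildItem -LiteralPath $src -Recurse -Force).Count
    if (-not $PSCmdlet.ShouldProcess($dst, "Restore $count item(s) from $src")) { continue }

    # Copy rather than move, so the staging folder survives as evidence of what was taken
    if (-not (Test-Path -LiteralPath $dst)) { New-Item -ItemType Directory -Path $dst -Force | Out-Null }
    Copy-Item -Path (Join-Path $src '*') -Destination $dst -Recurse -Force

    # The rogue marks what it hides with the Hidden attribute; clear it on folders and
    # shortcuts in the restored location (desktop.ini and other system files are left alone)
    Get-ChildItem -LiteralPath $dst -Recurse -Force |
        Where-Object { ($_.PSIsContainer -or $_.Extension -eq '.lnk') -and
                       (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) } |
        ForEach-Object { $_.Attributes = $_.Attributes -bxor [IO.FileAttributes]::Hidden }

    $restored += $count
    Write-Output "Restored $count item(s) from $src to $dst"
}
Write-Output "Done: $restored item(s) restored. Re-run unhide.exe if other files are still hidden."
```

Run it first with -WhatIf to see which folders would be touched; on Vista and later the All Users Start Menu lives under %ProgramData%\Microsoft\Windows, so adjust the '1' entry before using it there.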
     
  7. LtLaForge

    LtLaForge Private E-2

    Thank you for your help. I have enclosed all of the log files.

    It looks like my desktop and icons are more or less back. :-D I was also able to upload the complete mglogs file without a problem this time. At a quick glance it looks like the redirecting is gone as well.

    Is this trojan becoming more common? Does anyone know where it is from or what it exploits in order to spread? How can I prevent a future infection?
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    That's good news :)

    Run another scan with TDSSKiller the same way as before but this time select to Delete the TDSS File System instead of Skip.

    Attach this new TDSSKiller log when finished.

    Now let's run another OTL fix to tidy things up a bit.

    http://dus.x10.mx/canned/otlicon.gif Now we need to make use of OTL by Old Timer.
    • Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
    • When OTL opens, copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
      Code:
      :commands
      [clearallrestorepoints]
      [emptytemp]
      
    • Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • When complete, Notepad will open.
    • Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)

    Yes it's very common nowadays. When we get to our final steps I will provide a link on how to protect yourself from malware.
     
  9. LtLaForge

    LtLaForge Private E-2

    I ran the TDSS again with the same options and it did not find the item that was skipped last time. I'm surprised that Old Timer trashed about 2.5 gigs of crap; I didn't know I had that much lying around ;)

    Enclosed are the logs.
     

    Attached Files:

  10. thisisu

    thisisu Malware Consultant

    Your logs are clean. Are you having any other malware issues?

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  11. LtLaForge

    LtLaForge Private E-2

    Thank you again for the help.

    I have had to work out a problem with Windows Update telling me to log in as an administrator, but other than that the only other problem I have run into is when I log into a user account the desktop is inaccessible and there are no icons displayed. Do you know how I can retrieve the desktop functionality?
     
  12. thisisu

    thisisu Malware Consultant

    Which user account are you referring to? Can you go into more detail?
     
  13. LtLaForge

    LtLaForge Private E-2

    The profile's nick is "Rene", and during my repair of the Windows Update problem I found that the profile was joined to both the admin and user groups (also was not pw protected :banghead ) and looking back may have been the source of the infection.

    I don't know if the rights were incidental to the infection or a result of it; either way that seems to be the only profile with the blank/inaccessible desktop. Of course the profile has since been removed from the admin group. All of the repair work we have been performing has been from what I thought to be the only admin (besides the hidden built-in) profile.

    If I give the rights back to the profile and run the unhide program from that profile would that do the trick?
     
    Last edited: Nov 13, 2011
  14. thisisu

    thisisu Malware Consultant

    According to your logs, Rene was/is admin.

    You can try it. I'm not sure if it's your icons that are actually hidden or if you just have "Show Desktop Icons" turned off.

    What happens if you right mouse click on the desktop on the affected user > View > Show desktop icons
     
  15. LtLaForge

    LtLaForge Private E-2

    Rene was, but should never have been, an admin. Is the assigning of admin rights to a profile part of the damage this trojan does? If not, it may have been an unfortunate oversight on my part.

    I was able to fix the desktop problem, here is where it was:

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "NoDesktop"=dword:00000001

    Other than that it seems to be back in order, I'll let you know if I run across anything else.

    Thanks again! :wave
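The NoDesktop policy the poster found is per-user, so a blank desktop on one profile says nothing about the others. The script below is an added example, not part of the thread, that checks the machine-wide key and every user hive currently loaded under HKEY_USERS for that value and optionally removes it; it assumes PowerShell 2.0 or later and an elevated prompt so other users' hives are readable.

```powershell
# Added example (not from the thread): report which profiles have the Explorer
# NoDesktop policy set, the value the poster found under HKCU for the "Rene" profile.
# Only hives loaded into HKEY_USERS (logged-on users) are checked; -Fix deletes the value.
param([switch]$Fix)

$relPath = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$hits = @()

# HKLM applies the policy to every user; each S-1-5-21-* subkey of HKU is one user's hive
$keys = @('HKLM:\' + $relPath)
$keys += Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { 'Registry::HKEY_USERS\' + $_.PSChildName + '\' + $relPath }

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $val = (Get-ItemProperty -Path $key -Name NoDesktop -ErrorAction SilentlyContinue).NoDesktop
    if ($val -eq 1) {
        $hits += $key
        Write-Warning "NoDesktop=1 at $key"
        if ($Fix) {
            Remove-ItemProperty -Path $key -Name NoDesktop
            Write-Output "Removed NoDesktop from $key (log off and on again for Explorer to notice)"
        }
    }
}
if ($hits.Count -eq 0) { Write-Output 'NoDesktop is not set in HKLM or in any loaded user hive.' }
```

Profiles that are not logged on are not loaded into HKEY_USERS, so log on as each affected user (or load the hive) before relying on a clean result.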
     
  16. thisisu

    thisisu Malware Consultant

    It's not something the trojan has been known to do.

    I'm glad you figured it out ;)

    Surf safely!
     
