Trojan Infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by DallasRaines42, Dec 4, 2006.

  1. DallasRaines42

    DallasRaines42 Private First Class

    I am dealing with a serious trojan infection that I can't seem to shake. The symptoms include an increasingly slower system start time as well as active performance loss and frequently non-responsive programs. The following are my step by step attempts at resolution to this point (as close as I can recall in this order).

    01. I began with simple Avast and Spybot scans under the running environment to eliminate a minor threat. Spybot successfully removed several problems, as did Avast. However, Avast encountered several problems while trying to repair/delete/move to chest:

    ( Win32:Downloader-DS [Trj] )
    C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\OPQFGH6V\L2[1].exe

    ( Win32:Trojan-gen. {UPX!} )
    C:\Program Files\Alwil Software\Avast4\Data\moved\A0608462.exe.vir

    ( Win32:Delf-BIP [Trj] )
    C:\Program Files\Alwil Software\Avast4\Data\moved\admparsek.dll.vir

    ( Win32:Delf-CFA [Trj] )
    C:\WINDOWS\g204200324.dll

    ( Win32:Agent-RY [Trj] )
    C:\WINDOWS\system32\hfohwb.dll\[PECompact]

    ( Win32:purityscan-Q [Trj] )
    C:\WINDOWS\system32\?ssembly\dexplore.exe\[PECompact]

    ( Win32:Delf-BTD [Trj] )
    C:\WINDOWS\system32\fontextd.dll\[PECompact]

    ( Win32:Delf-CFE [Trj] )
    C:\WINDOWS\system32\sxserv101.exe\[UPX]

    ( Win32:DelfBIP [Trj] )
    C:\WINDOWS\system32\admparsek.dll

    ( Win32:Agent-AKV [Trj] )
    C:\WINDOWS\system32\clc.exe

    ( Win32:Agent-AKV [Trj] )
    C:\WINDOWS\system32\clc_my.exe\[UPX]

    02. At this point I realized my infection was more serious than I had hoped, so I began by running add/remove programs where I came across the "IpWins" file (after some forum reading I went ahead and deleted this).

    03. In trying to empty my virus chest (Avast) I encountered errors:
    "Initialization of Chest files: Action was completed with errors"

    ->Errors report
    "Program cannot use Chest client: (null)--->Description: Virus chest server is not running. RPC communication failed"

    ->Detailed information
    "Initialization of Chest files/Program will try to lead all Chest files from the following server; (null)/Action was complered with errors!"

    04. At this point I scheduled a boot-time scan for both Spybot and Avast. And restarted into safe mode.

    05. Avast failed to open, citing "keyboard error" and went on to load windows. (Could this be due to my wireless keyboard?)

    06. Spybot found several new issues which it resolved, but cited errors with two programs: "Smitfraud_C.Toolbar888" and "Virtumonde". To which I scheduled a further boot-time scan.

    07. Finally Safe Mode loaded, but under both my administrator account and my normal user account (after a restart) I received nothing but a blank Safe Mode screen stating my version information: "Microsoft (R) WindowsXP (R) (Build2600.XPSP_SP2_GDR.050301-1519:serv.pack2)"

    08. My only option at this point was to restore to my previous system.

    09. At this point Windows started normally, until my desktop came up. All my desktop items failed to show up, and instead I was given an error message saying Windows was unable to find '(null)'

    10. Running the explorer through the start menu (still operative) resulted in the same error.

    11. I then ran Ccleaner via the "run" prompt, and allowed it to fix all the errors found.

    12. It was while I was waiting for Ccleaner to finish that my desktop finally loaded. Along with it came 2 pages of adware spam I've been experiencing far more frequently than desired (they always show up on MSIE as opposed to Firefox, my default browser). Along with the browsers came another prompt that is a recurring problem: "NOTICE: If your computer has errors in the registry database or file system, it could cause unpredictable or erratic behavior, freezes and crashes. Fixing these errors can increase your computer's performance and prevent data loss. Would you like to install SysProtect to check your computer for free? (Recommended)". There are several other versions of this message, all offering SysProtect or other virus programs.

    13. At this point I ran Spybot again, including a fresh update and immunization. It was still unable to fix "Smitfraud_C.Toolbar888" and "Virtumonde" due to User Settings.

    14. Next I ran CounterSpy (However it was unable to update definitions) I accepted the default action for all 9 issues. [See counterspy.txt]

    15. Around this point I noticed for the first time two "antivirus" programs in my toolbar which I did not install: both were for "virus-busters 6.3"; neither of these would close in the toolbar, and they continue to give system alerts for various spyware.

    16. Then came the online scans, first BitDefender: after accepting the user agreement and clicking start scan, BitDefender became unresponsive even after several attempts. I gave up on this one for the time being and went on to the next scan.

    17. Next was pandascan (for which I had to open MSIE). At this point I am waiting for pandascan to finish.... I only will have internet access for the next 48 hours, so I am trying to resolve this issue before then, thus the incomplete post. Included with this post are a premature GetRunKey and ShowNew log. I will wait until the current scan is finished before trying to post a HJT log. Once I have done both those things I will post their respective logs as well. If you have any ideas or suggestions as to what else I should try at this point, any advice is greatly appreciated.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

    ATTACH THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!!! And then immediately continue on to the below steps.

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now make sure to attach all of the new logs from the below (this will take two messages):
    • both rapport.txt logs if not already attached
    • ComboFix
    • GetRunKey
    • ShowNew
    • HJT - follow the procedure in step 7 of the READ & RUN ME for installing, renaming, and running HijackThis. It is VERY IMPORTANT that this be done properly.
    How are things working now?
     
  3. DallasRaines42

    DallasRaines42 Private First Class

    Ok I am attaching the first Smitfraudfix log at this time, as well as the activescan log from last night's pandascan. I am now going to attempt to restart into safe mode, but as you can see from my first post, I was previously unable to run any programs of any sort, or input commands at all from safe mode. Possibly this has something to do with why my normal desktop is taking so long to show up, so I will give it 30 minutes after starting safe mode before I give up and come back here. Thank you for your assistance.
     
  4. DallasRaines42

    DallasRaines42 Private First Class

    Aaaand I forgot to attach the logs....
     


  5. DallasRaines42

    DallasRaines42 Private First Class

    Okay, as I suspected, I was still unable to do anything under safe mode. This time however, there was no system restore profile to revert to, so lacking other options I had to manually edit the boot.ini file to remove the /SAFEBOOT line and return to my "normal" OS. For the sake of completion I have left your process at that, but gone ahead and created new logfiles which are included below. I await your response, and let me thank you again for your patience and assistance; I would have been lost many times over were it not for this site.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach the second rapport.txt log that I requested. I need this before I can continue. It actually looks like you did not complete the second part of the procedure. Is this because of your problems in safe boot mode? Can't you open Task Manager in safe mode and run processes from it using File-->New Task (Run...)?

    Why are there no restore points?

    I did not need new logs until the other steps were completed! Can you run ComboFix?
     
  7. DallasRaines42

    DallasRaines42 Private First Class

    1. No, as I said I get nothing but a blank Start menu showing my Windows version when I start in safe mode. In my reply post I also mentioned that I gave the computer over 30 minutes of idling on the safe mode screen in hopes that the start menu or desktop would show up. As neither did, I could not run any programs. I could not even get the Task Manager to open, so I had to return to normal startup with system restore after a restart, as I mentioned.

    2. I thought I had already posted my ComboFix log. I ran it again and am including the latest logfile. I will now try safe mode again for lack of other options and see if I can't get that second log file.
     
  8. DallasRaines42

    DallasRaines42 Private First Class

    Who knew? I restarted in safe mode again and this time the start menu showed up. The only thing I have done differently is to run VundoFix, as I was sure I was infected with Vundo from reading other threads. Well, whatever the reason, I was now able to run the second SmitFraudFix log which (should) be included below. I will now close the browser, run HJT again and return to post the log when I'm done.
     


  9. DallasRaines42

    DallasRaines42 Private First Class

    and here it is:

    I appreciate your help... I'm hoping you are still around and reading these as I have to unplug my PC at about noon tomorrow (EST) and won't have internet access for several weeks. Well, let's hope these logs help you to help me diagnose my exact issue. Thanks again!
     
  10. DallasRaines42

    DallasRaines42 Private First Class

    It would probably be a good idea for me to actually attach the files, since simply thinking about it doesn't seem to work.
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That was the reason I had ComboFix in my instructions and wanted you to run it. It addresses some Vundo issues which you had, and it also fixes PurityScan issues which you had.

    Let's continue!
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Service: SX Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste SXServ into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Since you did not attach the log from VundoFix, and since so many things were run since you last attached the logs from GetRunKey and ShowNew, the below steps I'm giving may refer to many things that no longer exist. If not found, just continue on thru ALL steps.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 1
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 6
    MediaTickets by OIN <-- should have been uninstalled in step 0 of the READ ME
    Microsoft AntiSpyware <-- discontinued
    Mozilla Firefox (1.0.7)
    Safety Bar <-- should have been uninstalled in step 0 of the READ ME
    Spybot - Search & Destroy 1.3 <-- 2 years out of date. Follow directions in the READ ME

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {6F1DF4AE-1769-4AED-3808-4A31C6B3FBCB} - (no file)
    O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\cyqggosq.dll
    O2 - BHO: (no name) - {3F634120-467F-4D25-9775-EE7CCAD38E51} - C:\WINDOWS\system32\ddcaw.dll (file missing)
    O2 - BHO: (no name) - {6F1DF4AE-1769-4AED-3808-4A31C6B3FBCB} - (no file)
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
    O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
    O4 - HKCU\..\Run: [Apou] "C:\DOCUME~1\user\MYDOCU~1\CURITY~1\attrib.exe" -vt ndrv
    O20 - Winlogon Notify: winzue32 - winzue32.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\cyqggosq.dll
    C:\WINDOWS\system32\gidyppee.exe
    C:\WINDOWS\system32\ismini.exe
    C:\WINDOWS\system32\issearch.exe
    C:\WINDOWS\system32\vnlcjtda.exe
    C:\WINDOWS\system32\wapitr.exe
    C:\WINDOWS\system32\byuatfsx.dll
    C:\WINDOWS\system32\byvuv.dll
    C:\WINDOWS\system32\cyqggosq.dll
    C:\WINDOWS\system32\ddcaw.dll
    C:\WINDOWS\system32\deuyjtyo.dll
    C:\WINDOWS\system32\drvtiv.dll
    C:\WINDOWS\system32\ixt1.dll
    C:\WINDOWS\system32\kldibtna.dll
    C:\WINDOWS\system32\mlraakb.dll
    C:\WINDOWS\system32\qomkl.dll
    C:\WINDOWS\system32\raokutqi.dll
    C:\WINDOWS\system32\whqthoxi.dll
    C:\WINDOWS\system32\wvurqop.dll
    C:\WINDOWS\system32\wvutsrp.dll
    C:\WINDOWS\system32\ydcsrybe.dll
    C:\WINDOWS\system32\wacdd.tmp
    C:\WINDOWS\system32\wacdd.ini
    C:\WINDOWS\system32\wacdd.ini2
    C:\WINDOWS\system32\components\flx7.dll
    C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe


    Now run Ccleaner.

    Now reboot in normal mode
    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Now locate the below folders and delete them if found:
    C:\Program Files\Common Files\oowi
    C:\Program Files\Common Files\{3C4AD437-031B-1033-1102-990521040001}
    C:\Program Files\Common Files\{6C4AD437-031B-1033-1102-990521040001}

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\user\Local Settings\Temp

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: Dec 6, 2006
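    The HJT fix list above is the kind of output a responder has to triage by hand. The following is an added example, not code from this thread or from HijackThis: a small Python parser for HJT-style lines (the R0, R3, O2, O3, O4 and O20 types that appear above) that extracts the CLSID and referenced file from each entry and flags the two things worth noticing in this thread's list, namely entries whose file is already gone ("(no file)", "(file missing)") and autorun entries pointing into the user profile rather than Program Files or system32. The sample input is the fix list from this post; the user-profile prefixes and the "user_writable" heuristic are assumptions for illustration, not a verdict on any entry.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread, not code from the thread or from HijackThis.
It parses the entry types seen above (R0, R3, O2, O3, O4, O20), pulls out
the CLSID and the referenced file, and flags two things a responder looks
for: dangling entries whose file is already gone ("(no file)" /
"(file missing)"), and autorun entries that point into the user profile
(a simple heuristic, not a verdict).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the fix list posted in this thread, verbatim.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {6F1DF4AE-1769-4AED-3808-4A31C6B3FBCB} - (no file)
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\cyqggosq.dll
O2 - BHO: (no name) - {3F634120-467F-4D25-9775-EE7CCAD38E51} - C:\WINDOWS\system32\ddcaw.dll (file missing)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKCU\..\Run: [Apou] "C:\DOCUME~1\user\MYDOCU~1\CURITY~1\attrib.exe" -vt ndrv
O20 - Winlogon Notify: winzue32 - winzue32.dll (file missing)
"""

LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
# Either a quoted path or a bare token ending in a PE-style extension.
PATH_RE = re.compile(r'"([^"]+\.(?:dll|exe|sys|ocx))"|(\S+\.(?:dll|exe|sys|ocx))', re.I)
DANGLING_MARKERS = ("(no file)", "(file missing)")
# Assumed XP-era profile locations an autorun normally has no business pointing into.
USER_PROFILE_PREFIXES = ("C:\\DOCUME~1\\", "C:\\DOCUMENTS AND SETTINGS\\")


@dataclass
class HjtEntry:
    kind: str                 # R0, O2, O4, ...
    name: Optional[str]       # "(no name)", the [RunKeyName], the notify package, ...
    clsid: Optional[str]
    path: Optional[str]       # file the entry references, if any
    dangling: bool            # registry entry survives but its file is gone
    user_writable: bool       # referenced file lives under the user profile
    raw: str


def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one HJT line; returns None for lines that are not HJT entries."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    kind, rest = m.group(1), m.group(2)
    clsid_m = CLSID_RE.search(rest)
    path_m = PATH_RE.search(rest)
    path = (path_m.group(1) or path_m.group(2)) if path_m else None
    if kind == "O4":
        name_m = re.search(r"\[([^\]]+)\]", rest)
        name = name_m.group(1) if name_m else None
    elif ": " in rest:
        # "BHO: (no name) - {CLSID} - path" -> "(no name)"
        name = rest.split(": ", 1)[1].split(" - ", 1)[0].strip() or None
    else:
        name = None
    return HjtEntry(
        kind=kind,
        name=name,
        clsid=clsid_m.group(0) if clsid_m else None,
        path=path,
        dangling=any(marker in rest for marker in DANGLING_MARKERS),
        user_writable=bool(path) and path.upper().startswith(USER_PROFILE_PREFIXES),
        raw=line,
    )


def triage(log_text: str) -> List[HjtEntry]:
    """Parse every recognisable entry in a log dump, skipping other lines."""
    return [e for e in map(parse_line, log_text.splitlines()) if e is not None]


def summarize(entries: List[HjtEntry]) -> Dict[str, int]:
    """Counts a responder wants at a glance."""
    return {
        "total": len(entries),
        "dangling": sum(e.dangling for e in entries),
        "resident": sum(1 for e in entries if e.path and not e.dangling),
        "user_writable": sum(e.user_writable for e in entries),
    }


if __name__ == "__main__":
    entries = triage(SAMPLE_LOG)
    for e in entries:
        tag = "DANGLING" if e.dangling else ("USER-PROFILE" if e.user_writable else "")
        print(f"{e.kind:<4} {e.name or '-':<14} {e.path or '-'} {tag}")
    print(summarize(entries))
```

    Dangling entries are harmless leftovers on their own, but fixing them keeps later logs clean; the entries that still have a file on disk (here the O2 BHO and the O4 run key) are the ones that matter for the safe-mode deletion step that follows.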
  12. DallasRaines42

    DallasRaines42 Private First Class

    Ok I followed your directions and with the exception of a few things you told me to delete not being found, it looks like everything went right.

    I couldn't find any of the following files when in safe mode to delete, but deleted the rest:

    C:\WINDOWS\system32\cyqggosq.dll
    C:\WINDOWS\system32\ismini.exe
    C:\WINDOWS\system32\issearch.exe
    C:\WINDOWS\system32\cyqggosq.dll
    C:\WINDOWS\system32\ddcaw.dll
    C:\WINDOWS\system32\ixt1.dll
    C:\WINDOWS\system32\mlraakb.dll
    C:\WINDOWS\system32\wvurqop.dll
    C:\WINDOWS\system32\wvutsrp.dll
    C:\WINDOWS\system32\wacdd.tmp
    C:\WINDOWS\system32\wacdd.ini
    C:\WINDOWS\system32\wacdd.ini2
    C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe

    I also could not find the "components" folder at all

    C:\WINDOWS\system32\components\flx7.dll

    and back in normal conditions I could not locate:

    C:\Program Files\Common Files\{3C4AD437-031B-1033-1102-990521040001}
    C:\Program Files\Common Files\{6C4AD437-031B-1033-1102-990521040001}

    but deleted the other folder.

    When booting back to Windows this last time, it still took a ludicrously long time for my desktop to load (close to an hour), giving me the same "unable to find (null)" response when I tried to open explorer.exe via the run prompt. I wanted to go ahead and post these logfiles now while my PC seems happy before I try a restart and see if these latest changes have helped to resolve that issue. I will repost once my OS is back up...
     


  13. DallasRaines42

    DallasRaines42 Private First Class

    newfiles didn't attach for some reason
     


  14. DallasRaines42

    DallasRaines42 Private First Class

    Well, the explorer problem still seems to be an issue, but the MSIE popups are at least gone. At this point if I am just patient enough to give the PC a long time to boot it seems to be working normally. Unfortunately I am not going to have direct internet access for the next few weeks so I will likely have to make do with this for now. I will however find a way to check on your reply to this thread and will continue diagnostics as soon as I am able. And let me thank you again Chas, as I would be wholly lost without your assistance.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    A bunch of the files you said you could not find are still there and need to be deleted. Also because they all were not deleted, your Virtumonde infections multiplied. You now have at least 8 infections from Virtumonde.

    Let's first take some steps to speed up your boot up a little.

    -Uninstall CounterSpy

    Then run HijackThis and have it fix the below unnecessary startups:
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"


    Now back to the malware! Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\bbnatpvq.dll
    C:\WINDOWS\system32\khfed.dll
    C:\WINDOWS\system32\urqrp.dll
    C:\WINDOWS\system32\wvurqop.dll
    C:\WINDOWS\system32\wvutsrp.dll
    C:\WINDOWS\system32\yabab.dll
    C:\WINDOWS\system32\wacdd.tmp2
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: Dec 6, 2006
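    The exchange above (files reported "not found" in post 12 that the logs in post 15 show still present) illustrates why eyeballing Explorer is unreliable: Explorer hides files with the hidden or system attribute unless configured otherwise, and a loaded DLL cannot be deleted anyway, which is what Killbox's delete-on-reboot works around. The following is an added example, not a tool from this thread, for checking a removal list the way a responder would: it tests each path with os.stat (which sees hidden files), records size and SHA-256 so a surviving file can be recognised later, reports the Windows hidden/system attribute bits when running on Windows, and falls back to a case-insensitive name search under a directory for anything the literal path misses. The path list is the Killbox list from this post; the files created in the demo are constructed and contain nothing executable.

```python
"""Check which files from a removal list are really gone.

Added example, not a tool from this thread. Each listed path is checked
with os.stat (which ignores the hidden attribute), hashed with SHA-256 and
sized so a surviving sample can be matched later, tagged with the Windows
hidden/system attribute bits where available, and, if the literal path is
missing, searched for case-insensitively below a root directory.
"""
import hashlib
import os
import pathlib
import stat
import tempfile
from typing import Dict, List, Optional

# Windows attribute bits; the stat module exposes them on 3.5+, literals as fallback.
ATTR_HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)
ATTR_SYSTEM = getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0x4)

# The Killbox list from this thread: the shape of input this takes on the real machine.
THREAD_PATHS = [
    r"C:\WINDOWS\system32\bbnatpvq.dll",
    r"C:\WINDOWS\system32\khfed.dll",
    r"C:\WINDOWS\system32\urqrp.dll",
    r"C:\WINDOWS\system32\wvurqop.dll",
    r"C:\WINDOWS\system32\wvutsrp.dll",
    r"C:\WINDOWS\system32\yabab.dll",
    r"C:\WINDOWS\system32\wacdd.tmp2",
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_by_name(root: str, name: str) -> Optional[str]:
    """Case-insensitive search for a file name below root (Windows names are case-insensitive)."""
    want = name.casefold()
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.casefold() == want:
                return os.path.join(dirpath, f)
    return None


def check_remnants(paths: List[str], search_root: Optional[str] = None) -> Dict[str, dict]:
    """Return, per requested path, whether a file exists and its identifying details."""
    report: Dict[str, dict] = {}
    for p in paths:
        found = p if os.path.lexists(p) else None
        if found is None and search_root:
            found = find_by_name(search_root, os.path.basename(p))
        if found is None or not os.path.isfile(found):
            report[p] = {"status": "absent"}
            continue
        st = os.stat(found)
        attrs = getattr(st, "st_file_attributes", 0)  # only populated on Windows
        report[p] = {
            "status": "present",
            "found_at": found,
            "size": st.st_size,
            "sha256": file_digest(found),
            "hidden": bool(attrs & ATTR_HIDDEN),
            "system": bool(attrs & ATTR_SYSTEM),
        }
    return report


def demo() -> Dict[str, dict]:
    """Run the check against constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "wvurqop.dll").write_bytes(b"MZ constructed sample, not real malware\n")
        (root / "sub").mkdir()
        # Different case and a different folder than requested: only the name search finds it.
        (root / "sub" / "WACDD.tmp2").write_bytes(b"constructed leftover\n")
        targets = [str(root / "wvurqop.dll"), str(root / "wacdd.tmp2"), str(root / "khfed.dll")]
        report = check_remnants(targets, search_root=tmp)
    # Key by requested file name so the result is easy to read and compare.
    return {os.path.basename(p): r for p, r in report.items()}


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
    # On the affected machine this is the real run; elsewhere everything reports absent.
    print(check_remnants(THREAD_PATHS))
```

    Run it before and after a reboot: a file that is "present" both times despite a delete-on-reboot request means something re-creates it, which is exactly the Virtumonde multiplication described above, and the recorded hash tells you whether it is the same file or a fresh drop.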
  16. DallasRaines42

    DallasRaines42 Private First Class

    Well, I'm back on the web at long last. I printed out your instructions at the library about two weeks ago (I already had Pocket Killbox installed, thankfully) and everything went smoothly. The slow bootup issue seems to have been resolved and the past two weeks of non-net-connected PC usage has been without noticeable error (with the exception of the computer clock, which I can't seem to get off of military time). I am posting the logs you requested now, and I await your next directions in cleaning/protecting my PC. Thanks again for all your help.
     
  17. DallasRaines42

    DallasRaines42 Private First Class

    1. GetRunKey
    2. ShowNew
    3. HJT
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, things have changed a bunch since you were last here. Please download the current versions of GetRunKey and ShowNew and use them from now on! ........Well, let's see if there is any more to do first before bothering with downloading the new versions. I'll look thru your logs and post another message on what to do next.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay no need to post new logs! You are clean, but we have a couple minor things to finish!

    First delete the below left over folders from CounterSpy:
    C:\Documents and Settings\user\Local Settings\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 10

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  20. DallasRaines42

    DallasRaines42 Private First Class

    Thanks again Chas, you're a saint.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf Safely!
     
