Trojans and Keyloggers

Discussion in 'Malware Help (A Specialist Will Reply)' started by nerdygirl85, Aug 28, 2010.

  1. nerdygirl85

    nerdygirl85 Private E-2

    My husband's computer (specifically AVG Free and Malwarebytes) picked up a couple of trojans and a keylogger. I went through the steps in the Read Me First thread. His computer is the one we use for banking, etc., so I want to make sure it is completely clean before hooking it back up to the internet.

    I had trouble with ComboFix, RootRepeal, and MGTools, all three went to a blue screen either when I tried to run them or shortly thereafter. The other scans were run on a normal boot, the three problem scans were run in safe mode.

    If it's any help, the information from the blue screens was as follows:

    ComboFix
    DRIVER_IRQL_NOT_LESS_OR_EQUAL
    Technical Information:
    STOP: 0x000000D1 (0xE5EFF000, 0x000000FF, 0x00000000, 0XB84606BC)
    Mbr.sys – Address B84606BC base at B8460000, DateStamp 4add63e5
    Physical memory dump.


    RootRepeal
    IRQL_NOT_LESS_OR_EQUAL
    Technical Information:
    STOP: 0x0000000A (0x805AE19C, 0x000000FF, 0x00000008, 0x805AE19C)
    Physical memory dump.


    MGTools
    DRIVER_IRQL_NOT_LESS_OR_EQUAL
    Technical Information:
    STOP: 0x00000001 (0XE33B5000, 0x000000FF, 0x00000000, 0XB83A0000
    Mbr.sys – Address B83A06BC base at B83A0000
    Physical memory dump.

    I have attached the logs from the scans, any help would be greatly appreciated.
     

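The three blue screens above, decoded by a small parser added here as an example (it is not part of the thread or of any tool named in it). The parameter layout for bug checks 0xA and 0xD1 is taken from Microsoft's bug check reference; the module-offset arithmetic shows that both Mbr.sys crashes fault at the same offset (0x6BC) even though the driver loaded at a different base address each time.

```python
import re
from dataclasses import dataclass
# Parameter layout shared by bug checks 0xA and 0xD1 (Microsoft bug check reference):
# P1 = address referenced, P2 = IRQL at the time, P3 = access type, P4 = code address that did it.
BUGCHECK_NAMES = {0x0A: "IRQL_NOT_LESS_OR_EQUAL", 0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL"}
ACCESS_TYPES = {0: "read", 1: "write", 2: "execute", 8: "execute"}
HEX = r"0x([0-9a-f]+)"
STOP_RE = re.compile(r"STOP:\s*" + HEX + r"\s*\(\s*" + r"\s*,\s*".join([HEX] * 4), re.I)
# The "Mbr.sys – Address B84606BC base at B8460000" line; accepts a hyphen or an en dash.
MODULE_RE = re.compile(r"(\S+\.sys)\s*[-–]\s*Address\s+([0-9a-f]+)\s+base at\s+([0-9a-f]+)", re.I)

@dataclass
class Crash:
    code: int
    name: str
    referenced: int
    irql: int
    access: str
    faulting_addr: int
    module: str = ""          # driver named on the screen, if any
    module_offset: int = -1   # faulting address relative to the driver's load base

def parse_stop_screen(text: str) -> Crash:
    """Turn a hand-copied blue screen into structured fields; raises if no STOP line is found."""
    m = STOP_RE.search(text)
    if not m:
        raise ValueError("no STOP line found")
    code, p1, p2, p3, p4 = (int(x, 16) for x in m.groups())
    crash = Crash(code, BUGCHECK_NAMES.get(code, f"UNKNOWN_0x{code:X}"),
                  p1, p2, ACCESS_TYPES.get(p3, f"unknown({p3})"), p4)
    mm = MODULE_RE.search(text)
    if mm:
        crash.module = mm.group(1).lower()
        crash.module_offset = int(mm.group(2), 16) - int(mm.group(3), 16)
    return crash

def same_fault_site(a: Crash, b: Crash) -> bool:
    """True when both crashes name the same driver at the same offset: the same instruction
    faulted even though the driver was loaded at a different base address each boot."""
    return bool(a.module) and a.module == b.module and a.module_offset == b.module_offset

# Blue screens copied from the thread. The MGTools screen was typed with STOP code 0x00000001
# under a DRIVER_IRQL_NOT_LESS_OR_EQUAL title, so its code is reported as unknown; the Mbr.sys
# offset still ties it to the ComboFix crash.
COMBOFIX_BSOD = """STOP: 0x000000D1 (0xE5EFF000, 0x000000FF, 0x00000000, 0XB84606BC)
Mbr.sys – Address B84606BC base at B8460000, DateStamp 4add63e5"""
MGTOOLS_BSOD = """STOP: 0x00000001 (0XE33B5000, 0x000000FF, 0x00000000, 0XB83A0000
Mbr.sys – Address B83A06BC base at B83A0000"""
ROOTREPEAL_BSOD = "STOP: 0x0000000A (0x805AE19C, 0x000000FF, 0x00000008, 0x805AE19C)"
```

The RootRepeal screen decodes to an execute-type fault whose referenced address equals the faulting address, while the two Mbr.sys screens are read faults from the same instruction in that driver.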

  2. nerdygirl85

    nerdygirl85 Private E-2

    MGTools log file
     


  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Then you need to give me the file path of the threat AVG is finding and attach the MBAM log where it shows what it finds.

    Important Notice: A new version of SUPERAntiSpyware is available.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this log later.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    NetSvc::
    RPCQT
    Driver::
    uqbogrt
    File::
    c:\windows\system32\drivers\brtf.sys
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this, and also include the log from MBAM (showing what it found originally) and the new SAS.

    Is AVG still detecting the threat?

    Re-run MBAM now to test also.
     
  4. nerdygirl85

    nerdygirl85 Private E-2

    First of all, I'd like to apologize; reading back over my original post, I forgot to mention that the virus keeps reinstalling itself. After running a scan and removing an infection, another one generally shows up a day or two later (the computer has not been connected to the internet in over a week, except to download updates to the programs used in the Read Me thread).

    I am attaching the two logs from MBAM that show the infections that it found. I went into AVG to pull the scan logs and they have been deleted (I did not delete them, and my husband doesn't know how to access them). I do remember that the path was C:\Windows\temp and the file was a .txt file. One was Trojan.OnlineGames, if I remember correctly.

    As per your instructions, I updated ComboFix and copied/pasted the code into a notepad file, saved, and attempted to use it to run ComboFix, but again, it went to a blue screen. It created a restore point, and gave me the message that it was starting the scan process, then went to a blue screen before the first stage began. (Blue screen information in my original post.) MGtools was the same, I got the initial screen telling me that it was about to begin, then I got a blue screen.

    I ran both programs in safe mode again, and attached the logs, as well as the updated SAS log. I ran both MB and AVG again, each using a full scan, and they did not detect anything.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please boot your PC in normal boot mode and then locate and delete the below file:

    C:\WINDOWS\MBR.exe

    After deleting this file, please do the below.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Are you currently having any malware problems?
     
  6. nerdygirl85

    nerdygirl85 Private E-2

    At this moment in time, there is not a malware issue, at least not that AVG or MBAM are picking up. The main issue is that the machine continues to get infections, even though it is not connected either to the internet or to our LAN.

    The original problem was that my husband's online gaming account got hacked, so he changed the password and we added an authenticator to the account (with a unique serial code), one where the code changes every 30 seconds or so. After we added the authenticator, the account was hacked again. Plus trojans and keyloggers consistently show up every couple days, and I have been monitoring internet usage on the computer to make sure no questionable sites have been visited. My main concern is I want to make sure there is no malware that MBAM and AVG are missing that is continuing to allow someone access to the computer to continue to infect it.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    According to your logs, no new infections are occurring. I suggest that you do the below.

    • First run Spybot and make sure that you have updated it and that you have run the Immunization feature to immunize your PC.
    • Then download and install SpyWare Blaster , click Download Latest Protection Updates, Check for Updates, and then Enable All Protection, then exit. SpywareBlaster is not a malware scanner or removal tool and uses no system resources except a little disk space.
    • Download and install a real firewall like PC Tools Firewall Plus <-- make sure you uncheck the options to install Google Toolbar and ThreatFire free edition. There is no sense in installing excess baggage.
    • Now refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    • Now connect your PC to the internet and see how things are working.
    • Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    About 99% of all hacked gaming accounts/passwords occur due to poor security of the gaming site servers. They are always being hacked. If you need to play games online then you should use a special computer only for gaming as these sites are not safe. NEVER use a computer that you use for business or other financial purposes to access gaming sites.
     
