Eric Posted November 15, 2009

My wife's notebook received a trojan warning through Avast. She removed it through Avast, and shortly thereafter encountered the wondrous BSOD. Computer would not boot at all (normal, last good config, or safe mode). I ended up doing a Windows repair installation, at which point I did get the computer to boot. After scanning (and following instructions for this forum), I received the following logs to post... Thanks in advance for any help in removing these from the system.
Eric Posted November 15, 2009

ISeeYouXP & HiJackFree logs...
ShadowPuterDude Posted November 15, 2009

Download ComboFix from one of these locations: Link 1 Link 2 Link 3
Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop.

* IMPORTANT !!! Save Combo-Fix to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See HERE for help.

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:
1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

-----------------------------------------------------------
Attach fresh logs for:
ComboFix (C:\combofix.txt)
a-squared Free/Anti-Malware
ISeeYouXP
HiJackFree

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
Eric Posted November 16, 2009

Done. Here are the new logs... IE still isn't working properly. I get an error message "The requested lookup key was not found in any active activation context" when I try to type a website in the address bar. Further, since the repair installation of Windows, an error message pops up every few minutes that says "Microsoft Feeds Synchronization has encountered a problem and needs to close..." That's a new one for me. Furthermore, it appears that I still cannot browse to Microsoft's update site (page displays blank in Firefox).
ShadowPuterDude Posted November 17, 2009

The installed version of Java on this computer is outdated. Install Java Runtime Environment (JRE) 6u17 available from Sun Microsystems.

-----------------------------------------------------------
Using Add or Remove Programs in the Control Panel, uninstall the following:
J2SE Runtime Environment 5.0 Update 6
Java 6 Update 13
Java 6 Update 5
Java SE Runtime Environment 6 Update 1

-----------------------------------------------------------
Download Avenger from HERE and unzip to your desktop.
Run Avenger.
Read the prompt that appears, and press OK.
Copy & paste the following text in the Input script box:

Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{AE7CD045-E861-484f-8273-0445EE161910}

Folders to delete:
C:\Documents and Settings\Jen\Local Settings\Application Data\mbhuew

Then click "Execute". You will be presented with 2 confirmation prompts. Select Yes on each. Your system will reboot.
Note: It is possible that Avenger will reboot your system TWICE.

Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

-----------------------------------------------------------
Attach fresh logs for:
Avenger (C:\avenger.txt)
ISeeYouXP

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
Eric Posted November 17, 2009

No change in the above mentioned problems.
ShadowPuterDude Posted November 18, 2009

You are still using IE6; upgrade to IE8.

-----------------------------------------------------------
Download -->> OTL <<-- to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Attach both logs with your next reply.
Eric Posted November 19, 2009

OK. Upgrade to IE8 was easier said than done. Still unable to do updates, so I downloaded the network admin version of the SP3 update. Once I installed that, IE8 was able to be installed. Once IE8 was installed, the updates worked. Browser issues are resolved, and the pop-up error about Microsoft Feeds Sync is gone. Nevertheless, I have attached the requested log files (I ran OTL after installing SP3 and the IE8 update). Is there a scan I should run and log file I should post to confirm that the malware has been completely removed?
ShadowPuterDude Posted November 19, 2009

Run OTL.exe
Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL:

:OTL
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
SRV - (winvnc) -- File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
:Files
C:\WINDOWS\*.tmp
C:\WINDOWS\System32\*.tmp
C:\WINDOWS\System32\drivers\*.tmp
:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]

Then click the Run Fix button at the top.
Let the program run unhindered, reboot when it is done.
Attach the new OTL log (don't check the boxes beside LOP Check or Purity this time).
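The fix above works by pasting OTL log lines verbatim under an :OTL header, so the useful skill for a reader is telling which lines in a log are candidates. The following is an added example written for this page; it is not code from the thread, from either poster, or from OTL's author. It assumes only the line shapes visible in the thread (PRC, SRV and O3 entries) and that OTL marks a dangling registration with the literal phrases "File not found" or "No CLSID value found"; those assumptions are not a full OTL log grammar. The sample log inside it is constructed: the explorer.exe, winvnc and O3 lines are the ones quoted above, the rest are made up to show entries that should not be touched. The draft it produces only carries orphaned entries, so the explorer.exe line the specialist added by hand above would still have to be added by a reviewer.

```python
"""Triage OTL-style log lines and draft the :OTL/:Files/:Commands sections of a fix script.

Added example for this thread, not the forum's or OTL's own code. The entry
shapes and the two "missing" marker phrases are assumptions taken from the
lines quoted in the thread; SAMPLE_LOG below is constructed, not a real log.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Registry-style CLSID, e.g. {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# A log line counts as an entry when it starts with a section tag and " - ".
ENTRY_RE = re.compile(r"^(PRC|SRV|DRV|O\d+)\s+-\s+(.+)$")

# Phrases OTL appends when the registered file or CLSID no longer exists (assumed).
ORPHAN_MARKERS = ("File not found", "No CLSID value found")

# Temp-file globs and commands, copied from the fix posted above.
DEFAULT_FILES = [
    r"C:\WINDOWS\*.tmp",
    r"C:\WINDOWS\System32\*.tmp",
    r"C:\WINDOWS\System32\drivers\*.tmp",
]
DEFAULT_COMMANDS = ["[purity]", "[emptytemp]", "[resethosts]", "[start explorer]", "[Reboot]"]


@dataclass
class Entry:
    kind: str            # PRC, SRV, DRV, O2, O3, ...
    line: str            # the log line verbatim; OTL fix scripts take it as-is
    guid: Optional[str]  # CLSID if the line carries one
    orphan: bool         # True when the backing file/CLSID is reported missing


def parse_line(raw: str) -> Optional[Entry]:
    """Return an Entry for a log line, or None for section headers and blank lines."""
    line = raw.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    guid = GUID_RE.search(line)
    orphan = any(marker in line for marker in ORPHAN_MARKERS)
    return Entry(m.group(1), line, guid.group(0) if guid else None, orphan)


def triage(log_text: str) -> List[Entry]:
    """Parse a whole log, keeping only entry lines."""
    return [e for e in map(parse_line, log_text.splitlines()) if e is not None]


def orphans(entries: List[Entry]) -> List[Entry]:
    """Entries whose registration points at nothing: the usual fix-script candidates."""
    return [e for e in entries if e.orphan]


def build_fix_script(entries: List[Entry],
                     files: List[str] = DEFAULT_FILES,
                     commands: List[str] = DEFAULT_COMMANDS) -> str:
    """Draft a fix script: orphaned lines under :OTL, then :Files and :Commands.

    Entries with a live file are deliberately left out; a reviewer adds those
    by hand, as the specialist did with explorer.exe above.
    """
    lines = [":OTL"] + [e.line for e in orphans(entries)]
    lines += [":Files"] + list(files)
    lines += [":Commands"] + list(commands)
    return "\n".join(lines) + "\n"


# Constructed sample log: three lines quoted from the thread plus two made-up
# healthy entries and the kind of section headers OTL prints between them.
SAMPLE_LOG = r"""
========== Processes (SafeList) ==========
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
========== Win32 Services (SafeList) ==========
SRV - (winvnc) -- File not found
SRV - (Browser) -- C:\WINDOWS\system32\browser.dll (Microsoft Corporation)
========== Internet Explorer ==========
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for e in found:
        print(("ORPHAN " if e.orphan else "       ") + e.line)
    print()
    print(build_fix_script(found))
```

Run it as a plain script to see each entry flagged and the drafted script printed. The draft is a starting point for whoever is supervising the cleanup, not something to paste into OTL unreviewed: a missing file can be a leftover from a legitimate uninstall as easily as from malware, and the closing post in this thread is explicit that these fixes are written for one machine at a time.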
ShadowPuterDude Posted November 22, 2009

Thread Closed
Reason: Lack of Response
PM either ShadowPuterDude or Lynx to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.