4 trojans detected. Startup problems and strange system file behaviors.


The free edition of Emsisoft Anti-Malware found four trojan files. I allowed it to quarantine the files before finding this forum. I've been having trouble for a week.

I'm running Windows 7 on a new Sony laptop (i5, 4GB RAM). Last week I let my firewall allow what looked like a Java update and got a blue screen of death (forgot to write down the codes), after which the PC would not boot. I attempted multiple system restores and startup repairs using the included utilities, and tried several fixes offered in forums like this. I believe the one that made the difference was a command-line boot sector restoration. I did not consider at first the possibility of malware, as I have not had any sort of infection in years on my previous computers, but once the computer started again I ran GMER and TDSSKiller and the Kaspersky 2011 Virus Removal Tool and Avast Antivirus (my standard protection). Nothing set off any alerts.

Several days passed in which all seemed fine. Yesterday I was having trouble connecting to a wireless network, when an instance of taskmgr.exe identified with the /User/ folder (not the Windows or System folders) asked for administrator authorization to change other files. Every time I denied, the request immediately came back up. With Ctrl-Alt-Del I was able to close my other programs and shut down the computer. In safe mode, I ran the Kaspersky 2011 Virus Removal Tool and Avast, GMER and TDSSKiller. In regular mode I ran HijackThis, RUBotted and Prevx (both of which seem to have installed themselves). I ran OTL and finally Emsisoft Anti-Malware (Free) as referenced above.

Per your instructions, I am attaching the EEK log and the OTL.txt file. I'm also attaching Extras.txt but OTL did not produce a new one today. This is from yesterday's scan.

Thank you!


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. NOT supported for use in 9x or ME

Upgrading Java:

  • Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 27.
  • Click the "Download JRE" button to the right.
  • Accept the license agreement.
  • Click on the download link for your system and save it to your desktop. Users of Windows Vista/7 64-bit can install both the 32-bit and 64-bit JRE without conflicts.
    Windows x86 Offline (jre-6u27-windows-i586.exe)
    Windows x64 (jre-6u27-windows-x64.exe)
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista/7 users, right click on the JRE download and select "Run as an Administrator.")


Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    O3 - HKLM\..\Toolbar: (Panda Security Toolbar) - {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - C:\Program Files (x86)\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll File not found
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    O18:[b]64bit:[/b] - Protocol\Handler\livecall - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\msnim - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\wlmailhtml - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\wlpg - No CLSID value found
    O20:[b]64bit:[/b] - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O21:[b]64bit:[/b] - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    [2011/09/02 10:40:02 | 000,000,000 | ---D | C] -- C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
    [2 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
    [2011/09/15 17:06:04 | 000,001,264 | -HS- | M] () -- C:\Users\Smash\AppData\Local\5b5s8f0nhi1
    [2011/09/15 17:06:04 | 000,001,264 | -HS- | M] () -- C:\ProgramData\5b5s8f0nhi1
    @Alternate Data Stream - 108 bytes -> C:\ProgramData\Temp:C31F31E6
    
    :Commands
    [Purity]
    [EmptyTemp]
    [EmptyFlash]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL).

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Thank you for this! I updated Java and ran the fix as instructed. The only unusual thing I'm noticing right now is the battery power is getting consumed incredibly fast--20% in 45 minutes, for a battery that normally lasts 6 hours. Also, I just got a pop-up warning that I've seen many times and always ignored, citing an "invalid security certificate" at updatecg.com:443.

I just allowed Java updater to access the internet and I'm wondering if that's a bad idea.

The OTL log is attached.

Thanks!


Download ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

Link 1

Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouseclick combofix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.


Attach logs for:

  • ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


It seems to be running well. After I ran ComboFix the browsers couldn't connect to the internet, but then I remembered to restart. It's running quietly and does not seem to be constantly accessing the hard drive.

I have a question. I use my computer for banking and credit card payments. Do I need to take measures to protect those accounts?


My computer is kind of wigging out today. I put it to sleep and the wireless indicator light stayed on. There are several running services I don't recognize or understand, including four instances of clr_optimization_xx (two versions in 32 bit, two in 64 bit); defragsvc (which I've neither scheduled nor initiated), something called dot3svc / Wired AutoConfig and a number of other oddities.


Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    O2 - BHO: (no name) - {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - No CLSID value found.
    O18:[b]64bit:[/b] - Protocol\Handler\livecall - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\msnim - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\wlmailhtml - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\wlpg - No CLSID value found
    O20:[b]64bit:[/b] - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
    [2011/09/01 01:40:33 | 000,000,000 | ---D | C] -- C:\ProgramData\{F77EE8EF-305B-4394-A018-C1A57D2D66B5}
    @Alternate Data Stream - 121 bytes -> C:\ProgramData\Temp:C31F31E6
    
    :Commands
    [Purity]
    [EmptyTemp]
    [EmptyFlash]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL).

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


OK, switching tools.

Download avz4.zip from here

  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the right of the Log window
  • Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again

  • After the update, from the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Investigation
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm, virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach the Compressed file, virusinfo_syscheck.zip, to your next reply.


AVZ really doesn't like a lot of stuff on your system.

Read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Save the log somewhere where you can find it.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.(Version)_(Date)_(Time)_log.txt".
  • Attach the TDSSKiller log.


There was an ADS that I had you remove earlier with OTL, that was very likely malicious. However, that is the only thing that looked malicious. We can dig a little deeper, if you like. You've already run most of the tools I normally use.
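The alternate data stream removed by the OTL fixes above (C:\ProgramData\Temp:C31F31E6) is the kind of thing that is easy to miss because Explorer does not show it. The following PowerShell script is an added example, not part of the thread or of OTL, that lists every non-default stream under a folder and shows the first bytes of each so it can be reviewed before anything is deleted; it assumes Windows PowerShell 3.0 or later (the `-Stream` parameter), and the folder path and byte count are placeholders.

```powershell
# Added example: enumerate alternate data streams (ADS) under a folder tree.
# Assumes Windows PowerShell 3.0+ (Get-Item/Get-Content -Stream). On PowerShell 7
# replace "-Encoding Byte" with "-AsByteStream". Run as Administrator so that
# protected folders such as C:\ProgramData can be read.
param(
    [string]$Root     = "$env:ProgramData",   # placeholder: folder to inspect
    [int]   $MaxBytes = 64                    # how many leading bytes to show
)

# Streams that are normal on ordinary files and are not worth listing:
# ':$DATA' is the file's own content; 'Zone.Identifier' is the
# "downloaded from the Internet" mark that browsers add.
$expectedStreams = @(':$DATA', 'Zone.Identifier')

# Directories can carry ADS too (the Temp folder above did), so -Directory
# entries are included and the root itself is checked first.
$targets = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $targets) {
    # Get-Item -Stream * returns one AlternateStreamData object per stream
    # with FileName, Stream and Length properties.
    $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
               Where-Object { $expectedStreams -notcontains $_.Stream }

    foreach ($s in $streams) {
        # Read only the head of the stream as raw bytes; a short look at the
        # bytes is enough to tell text/config data from executable or packed content.
        $head = Get-Content -LiteralPath $s.FileName -Stream $s.Stream `
                            -Encoding Byte -TotalCount $MaxBytes -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Path    = $s.FileName
            Stream  = $s.Stream
            Length  = $s.Length
            HeadHex = ($head | ForEach-Object { $_.ToString('x2') }) -join ' '
        }
    }
}

if ($findings) {
    $findings | Sort-Object Length -Descending | Format-Table -AutoSize -Wrap
} else {
    Write-Output "No non-default alternate data streams found under $Root"
}
```

A stream named with an apparently random hex string on a folder, as in this thread, warrants review; a stream can be inspected in full with `Get-Content -LiteralPath <path> -Stream <name>` before deciding whether to remove it.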
