b-mic80

PC infected by Trojans

Hi,

An initial scan detected Trojan.Agent-UM!E2 and Trojan.Agent-UN!E2 however these were not removed.

I have not attached the requested logs as I cannot complete a scan in normal mode using either EEK or OTL (or with any other program I have tried). My PC freezes during any scan and I have to hard boot, although I can complete scans in safe mode.

Any help would be much appreciated thanks.

OK, let's try ComboFix, and see if it will complete its scan.

Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

Link 1

Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouseclick combofix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

  • ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

Ok, ran ComboFix and have attached log. Also managed to complete a scan with OTL afterwards so hope that helps.

Am now getting error messages from various programs though, including my antivirus. PC still froze and also blue screened once after the ComboFix scan.

I have written a cleanup script for OTL (if you need to, you may download OTL from this link).

  1. Please copy the contents of the following CODE box, and in OTL under the Custom Scans/Fixes box at the bottom, paste in what you just copied from the following CODE box:
    :OTL
    FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
    O18:64bit: - Protocol\Handler\livecall - No CLSID value found
    O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
    O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
    O18:64bit: - Protocol\Handler\msnim - No CLSID value found
    O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
    O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
    O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
    O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
    
    :Commands
    [EMPTYTEMP]


  2. Then click the Run Fix button at the top.
  3. Let the program run unhindered, restart your computer when it is done (it may automatically restart your computer on its own).
  4. After your computer has restarted, please open OTL again and click the Quick Scan button. Attach the log it produces in your next reply (just the OTL log, as I don't need to see the Extras log again). You will need to click the button that says More Reply Options to the lower-right of where you type your reply to be presented with the attachment controls.

Please run an online virus scan through ESET by following the steps below:

  1. Turn off your anti-virus software.
  2. Click on this link.
  3. Click on the ESET Online Scanner button.
  4. Put a check in the box that says YES, I accept the Terms of Use.
  5. Click the 'Start' button just to the right of the checkbox.
  6. Uncheck the box that says Remove found threats (this is very important).
  7. Click on Advanced settings.
  8. Put a check in the box that says Scan for potentially unsafe applications.
  9. Verify that Scan for potentially unwanted applications is also checked.
  10. Verify that Enable Anti-Stealth technology is also checked.
  11. Click the Start button in the lower-right corner of the page, and it will begin downloading its database, and then it will start scanning.
  12. When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found).
  13. Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me.
  14. Close the ESET online scan.

I will take a look at the log, and let you know if anything needs to be removed.

Tried several scans but my PC froze each time when scanning the same file:

C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll

Are you able to move that file out of the folder it's in, and then move it back where it was? Try just moving it to your desktop and back again.

When you turn your computer on, do you get an option to load the Windows XP Recovery Console?

I assume that the System Recovery Options screen looks like this (if the picture is tiny, then you can click on it to make it bigger):

66b9e3c2-bb67-47bf-802c-b753b54bcc19_48.jpg

If so, then select the Command Prompt option. This will load a black window with white text. Click in the empty black space, and type in the command that is in the following box:

chkdsk /F C:

This will start an error check on your hard drive, and it should repair any errors in the filesystem automatically. Hopefully this will resolve the issue.

Once it is done, you can simply close the command prompt, and click the Restart button.

Ran the error check and windows found no problems in the file system, however it's still not fixed. What should I try next?

Thanks

Hi,

Pasted the above box exactly as it is but when I click on execute I get the error message - Syntax error in line 1, Invalid file path

Doesn't look to be anything wrong though?

That's a bit odd. Let's try using ComboFix to move it.

I have written a script that will tell ComboFix how to move that file. Here are instructions on what to do with the script:

  1. Download an updated version of ComboFix from one of the following links:
     • BleepingComputer
     • InfoSpyware
  2. Turn off your Anti-Virus software.
  3. Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad.
  4. Please copy and paste the contents of the box below into Notepad (here is a link to instructions if you do not know how to copy and paste):

http://support.emsisoft.com/topic/7453-pc-infected-by-trojans/

KillAll::

FileLook::
C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll

FCopy::
C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll | C:\lpsPlugin.dll

File::
C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll

  5. Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop).
  6. Close Notepad and verify that the CFScript file is saved on your desktop.
  7. Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then holding the mouse button down drag the CFScript icon on your desktop onto the ComboFix icon, and then drop it (let go of the mouse button) on top of the ComboFix icon:

CFScriptB-4.gif

When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find.

Realised what the problem was, it's IPS with an i rather than L.

Amended and ran BlitzBlank but it didn't restart properly and after about 5 mins of waiting I got the message - Windows failed to start.

Will give ComboFix a try now.

Sorry, just realised that despite my PC not restarting properly, IpsPlugin.dll appears to have been successfully moved and I've attached the BlitzBlank log. I've therefore not run ComboFix for now, do you still want me to?

Thanks

No, if the file was moved then go ahead and run the ESET scan and attach the log for me when it is done. Here are the instructions again:

  1. Turn off your anti-virus software.
  2. Click on this link.
  3. Click on the ESET Online Scanner button.
  4. Put a check in the box that says YES, I accept the Terms of Use.
  5. Click the 'Start' button just to the right of the checkbox.
  6. Uncheck the box that says Remove found threats (this is very important).
  7. Click on Advanced settings.
  8. Put a check in the box that says Scan for potentially unsafe applications.
  9. Verify that Scan for potentially unwanted applications is also checked.
  10. Verify that Enable Anti-Stealth technology is also checked.
  11. Click the Start button in the lower-right corner of the page, and it will begin downloading its database, and then it will start scanning.
  12. When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found).
  13. Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me.
  14. Close the ESET online scan.

I will take a look at the log, and let you know if anything needs to be removed.

Tried to run ESET scan twice and both times it got 93% through before freezing on the following file:

C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-ipsplugin_31bf38...\IpsPlugin.dll

Can't seem to find this file though.

Please follow the instructions at this link to start your computer in Safe Mode With Networking and then try the ESET online scan again.

OK, things are looking pretty good. Is your computer still displaying any symptoms of an infection?

Tried running scans in normal mode with Emsisoft Anti-Malware and Malwarebytes Anti-Malware; both completed and found nothing suspicious. This is an improvement, as I've not been able to scan in normal mode without the PC crashing up to now.

Haven't noticed any other problems tonight.

OK, from your logs it looks like your system is clean now. Here are some final instructions for you:

1. Make Sure Java is Updated:

  1. Click on the Start button.
  2. Click on Control Panel.
  3. Click Uninstall a program.
  4. Look for Java in the list (should be alphabetical), and uninstall all versions of Java that you find listed.
  5. Click on this link and download and install the latest Java (the Windows Online download will be faster).

2. Make Sure Adobe Flash is Updated:

  1. Click on this link and download the latest version of Adobe Flash Player for your web browser.
  2. You will need to close your web browser when installing Flash.

3. Make Sure Adobe Acrobat Reader is Updated:

  1. Click on the Start button.
  2. Click on Control Panel.
  3. Click Uninstall a program.
  4. Look for any versions of Adobe Reader or Adobe Acrobat Reader in the list (should be alphabetical), and uninstall all of them (if you have Adobe Acrobat, which is the premium software from Adobe, then you do not need to uninstall it).
  5. Click on this link to go to the Adobe Reader download page, make sure to unselect any offers for toolbars or other free software, and download and install the latest version of Adobe Reader.

(please note that some people do prefer to use third-party PDF viewers such as PDF X-Change Viewer and Foxit Reader, which are not as commonly exploited as Adobe Reader, so if you would prefer to use one of those then you do not need to download and install Adobe Reader)

4. Make Sure Your Computer Has The Latest Windows Updates:

  1. Click on the Start button.
  2. Go to All Programs.
  3. Click on Windows Update.
  4. Click Check for updates in the menu on the left (should be near the top).
  5. Once it is done checking for updates, click the Install updates button on the right.
  6. Make sure that if your computer wants to restart after the updates are done, that you allow it to do so.

5. Web Of Trust Extension:

While this is not a requirement, I highly recommend that you click this link and check out the Web Of Trust extension for your web browser. It will add an extra layer of protection to your web browsing for free, and it is especially helpful when doing searches on Google, Yahoo!, Bing, etc. as it will point out what sites are considered trustworthy and what sites are not by drawing a colored circle to the right of each search result. Green means trusted, red means not trusted, yellow is in between, and white means it is not in Web Of Trust's database.

6. Empty The System Restore:

  1. Click on the Start button.
  2. Right-click on Computer.
  3. Select Properties from the list.
  4. In the window that pops up, click on the System protection link in the menu on the left.
  5. The buttons may not be clickable for a few moments, but once you can click on them select the drive in the list near the bottom that shows protection is on (this will usually be your C: drive) and click the Configure... button.
  6. Click the button near the bottom-right that says Delete to clear all System Restore data.
  7. Once finished, click OK to close that window.
  8. Now you will want to make sure that the correct drive is selected again (usually your C: drive) and click on the Create button to create a new restore point.
  9. Fill in a name for the restore point, and click the Create button.
  10. Once it is done, you can close the windows that were opened to get to the System Restore settings.

One thing that might be worth mentioning, I've now downloaded avast! Internet Security and the full scan found no threats, however it could not scan one file:

C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll

Came up as status 'Error: Incorrect function'. Do you think this is something to be concerned about since it's the same file that was crashing the scans with other programs?

Thanks

... Do you think this is something to be concerned about since it's the same file that was crashing the scans with other programs?

Well, let's try deleting it, and see if anything complains. Here's another ComboFix script with instructions:

  1. Download an updated version of ComboFix from one of the following links:
     • BleepingComputer
     • InfoSpyware
  2. Turn off your Anti-Virus software.
  3. Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad.
  4. Please copy and paste the contents of the box below into Notepad (here is a link to instructions if you do not know how to copy and paste):

KillAll::

FileLook::
C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll

File::
C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll

  5. Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop).
  6. Close Notepad and verify that the CFScript file is saved on your desktop.
  7. Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then holding the mouse button down drag the CFScript icon on your desktop onto the ComboFix icon, and then drop it (let go of the mouse button) on top of the ComboFix icon:

CFScriptB-4.gif

When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find.

Tried that and have attached log. File still seems to be there though.

ComboFix also told me that the avast! real-time scanner was still active, however I checked this and all the components were definitely disabled, so I don't know if that affected anything.

According to that log, your avast! Internet Security was still enabled while ComboFix was running. avast! would have prevented ComboFix from running properly.

OK, let's try using OTL to delete it. I have written a script for OTL (if you need to, you may download OTL from this link).

  1. Please copy the contents of the following CODE box, and in OTL under the Custom Scans/Fixes box at the bottom, paste in what you just copied from the following CODE box:
    :Files
    C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll
    
    :Commands
    [EMPTYTEMP]


  2. Then click the Run Fix button at the top.
  3. Let the program run unhindered, restart your computer when it is done (it may automatically restart your computer on its own).
  4. After your computer has restarted, please open OTL again and click the Quick Scan button. Attach the log it produces in your next reply (just the OTL log, as I don't need to see the Extras log again). You will need to click the button that says More Reply Options to the lower-right of where you type your reply to be presented with the attachment controls.

Notepad came up with this message after restart. I've attached the OTL log as requested.

All processes killed

Error: Unable to interpret <:FilesC:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll:Commands[EMPTYTEMP]> in the current context!

OTL by OldTimer - Version 3.2.33.2 log created on 03242012_163324

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

When you copied and pasted that script into OTL, did everything appear on the same line, or did it look exactly like it does in the little box in my post?

OK, that would explain the error message.

Try copying and pasting the script into OTL again, and make the necessary modifications so that it looks just like it does on the forums (it should be 4 lines with a blank line in the middle). Let me know if the script runs properly like that.

OK. If your topic gets closed then just send me a private message asking me to reopen it. ;)

Ok, this time it crashed on the first scan, second time I managed to run the antivirus to completion but again it couldn't scan the same file:

C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll

Looks like it's still causing problems.

I've been talking to one of our researchers, and that file is a Windows System File. The reason scans are failing on that file could be due to filesystem damage and it could be due to physical damage to your hard drive.

Follow the instructions at this link, and instead of loading Safe Mode load the Recovery Environment. Once you get into the Recovery Environment, you should see a screen like this:

66b9e3c2-bb67-47bf-802c-b753b54bcc19_48.jpg

You'll want to click the link to load the Command Prompt. At the Command Prompt, type out chkdsk /R C: and it will check the filesystem for errors and check every sector on the hard drive for damage. Any repairs to the filesystem will be made automatically, and any bad sectors on your hard drive will be marked so that Windows won't try to write data in them.
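Before (or alongside) a full-disk chkdsk, a defender would also want to confirm what that one stubborn file actually is. The PowerShell below is an added example written for this page; it is not from the thread, from Emsisoft, or from any of the tools named above. It checks the file's Authenticode signature, attempts to read and hash it (so a disk-level read error such as the avast! "Incorrect function" result shows up outside any scanner), and compares the hash with the copy Windows keeps in its component store. Assumptions: the file name is spelled IpsPlugin.dll as the poster corrected (Windows paths are case-insensitive, so the lowercase-L spelling resolves to the same file), the WinSxS folder name is matched by the prefix quoted in the thread plus a wildcard because the full version-specific name is not on the page, and the script is run from an elevated PowerShell 5.1 or later prompt.

```powershell
# Added example (not part of the original thread or of Emsisoft's tooling).
# Integrity check for the file that kept stalling the scanners: confirm it is a
# signed Windows component, see whether it can be read at all, and compare its
# hash with the copy the component store (WinSxS) holds for the same component.

$Target = 'C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll'

# 1. Authenticode signature: a genuine Windows system file should report
#    Status 'Valid' with a Microsoft signer. 'NotSigned' or 'HashMismatch'
#    on a file in this location is a reason to keep digging.
$sig = Get-AuthenticodeSignature -FilePath $Target
"{0}: signature {1} ({2})" -f $Target, $sig.Status, $sig.SignerCertificate.Subject

# 2. Read test: 'Error: Incorrect function' is the text of Win32 error 1
#    (ERROR_INVALID_FUNCTION), which is what a scanner sees when the disk or
#    filesystem cannot deliver the file's contents. Hashing reads every byte,
#    so it reproduces that failure without any third-party scanner involved.
try {
    $hash = (Get-FileHash -Path $Target -Algorithm SHA256).Hash
    "SHA256: $hash"
} catch {
    "Read failed: $($_.Exception.Message)  <- consistent with filesystem/disk damage rather than the file's content"
    $hash = $null
}

# 3. Compare with the component-store copy. Assumption: only the directory
#    prefix 'amd64_microsoft-windows-tabletpc-ipsplugin_' is known from the
#    thread, so the rest of the (version-specific) name is matched with '*'.
$storeCopies = Get-ChildItem -Path 'C:\Windows\winsxs' -Directory `
        -Filter 'amd64_microsoft-windows-tabletpc-ipsplugin_*' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ChildItem -Path $_.FullName -Filter 'IpsPlugin.dll' -File -ErrorAction SilentlyContinue }

if (-not $storeCopies) {
    "No component-store copy found under C:\Windows\winsxs for that prefix."
}
foreach ($copy in $storeCopies) {
    try {
        $copyHash = (Get-FileHash -Path $copy.FullName -Algorithm SHA256).Hash
        $verdict  = if ($hash -and $hash -eq $copyHash) { 'MATCH' } else { 'DIFFERS or unreadable' }
        "{0}: {1} ({2})" -f $copy.FullName, $copyHash, $verdict
    } catch {
        # The ESET scan in the thread stalled on the WinSxS copy as well; a read
        # error here too points at the disk rather than at this one path.
        "{0}: read failed: {1}" -f $copy.FullName, $_.Exception.Message
    }
}

# 4. Interpretation: on Windows Vista/7 the installed copy is typically a hard
#    link to the WinSxS copy, so identical hashes are expected when the file is
#    intact. A read error or a hash mismatch is the case for chkdsk /R (as advised
#    above) followed by 'sfc /scannow' to restore the file from the component store.
```

Nothing here deletes or moves the file; it only reads it and reports. If step 2 fails with the same "Incorrect function" text the scanners reported, the problem is below the file system's contents and no amount of re-scanning or deleting will fix it, which is exactly the conclusion the post above reaches.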

This topic is now closed to further replies.