PC infected by Trojans

[b-mic80 0]

Hi,

An initial scan detected Trojan.Agent-UM!E2 and Trojan.Agent-UN!E2 however these were not removed.

I have not attached the requested logs as I cannot complete a scan in normal mode using either EEK or OTL (or with any other program I have tried). My PC freezes during any scan and I have to hard boot, although I can complete scans in safe mode.

Any help would be much appreciated thanks.

[GT500 853]

OK, lets try ComboFix, and see if it will complete its scan.

Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

Link 1

Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  See HERE for help
  
• Double click on ComboFix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouseclick combofix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

• ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

[b-mic80 0]

Ok, ran ComboFix and have attached log. Also managed to complete a scan with OTL afterwards so hope that helps.

Am now getting error messages from various programs though, including my antivirus. PC still froze and also blue screened once after the ComboFix scan.

[GT500 853]

I have written a cleanup script for OTL (if you need to, you may download OTL from this link).

1. Please copy the contents of the following CODE box, and in OTL under the Custom Scans/Fixes box at the bottom, paste in what you just copied from the following CODE box:
   

   :OTL
   FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
   FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
   FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
   O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
   O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
   O18:[b]64bit:[/b] - Protocol\Handler\livecall - No CLSID value found
   O18:[b]64bit:[/b] - Protocol\Handler\ms-help - No CLSID value found
   O18:[b]64bit:[/b] - Protocol\Handler\ms-itss - No CLSID value found
   O18:[b]64bit:[/b] - Protocol\Handler\msnim - No CLSID value found
   O18:[b]64bit:[/b] - Protocol\Handler\wlmailhtml - No CLSID value found
   O18:[b]64bit:[/b] - Protocol\Handler\wlpg - No CLSID value found
   O20:[b]64bit:[/b] - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
   O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
   
   :Commands
   [EMPTYTEMP]

   
   

2. Then click the Run Fix button at the top.
   
3. Let the program run unhindered, restart your computer when it is done (it may automatically restart your computer on its own).
   
4. After your computer has restarted, please open OTL again and click the Quick Scan button. Attach the log it produces in your next reply (just the OTL log, as I don't need to see the Extras log again). You will need to click the button that says More Reply Options to the lower-right of where you type your reply to be presented with the attachment controls.
   

[b-mic80 0]

Thanks for that, here's the log from the latest OTL scan.

[GT500 853]

Please run an online virus scan through ESET by following the steps below:

1. Turn off your anti-virus software.
   
2. Click on this link.
   
3. Click on the ESET Online Scanner button.
   
4. Put a check in the box that says YES, I accept the Terms of Use.
   
5. Click the 'Start' button just to the right of the checkbox.
   
6. Uncheck the box that says Remove found threats (this is very important).
   
7. Click on Advanced settings.
   
8. Put a check in the box that says Scan for potentially unsafe applications.
   
9. Verify that Scan for potentially unwanted applications is also checked.
   
10. Verify that Enable Anti-Stealth technology is also checked.
    
11. Click the Start button in the lower-right corner of the page, and it will begin downloading it's database, and then it will start scanning.
    
12. When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found).
    
13. Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me.
    
14. Close the ESET online scan.
    

I will take a look at the log, and let you know if anything needs removed.

[b-mic80 0]

Tried several scans but my PC froze each time when scanning the same file:

C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll

[GT500 853]

Are you able to move that file out of the folder it's in, and then move it back where it was? Try just moving it to your desktop and back again.

[b-mic80 0]

Not able to move the file, my pc just keeps crashing every time I try.

[GT500 853]

Do you have a Windows XP CD?

[b-mic80 0]

No, I didn't get a Windows cd with my laptop.

[GT500 853]

When you turn your computer on, do you get an option to load the Windows XP Recovery Console?

[b-mic80 0]

I'm running windows 7, get the option to repair computer on startup which takes me to a system recovery options screen

[GT500 853]

I assume that System Recover Options screen looks like this (if the picture is tiny, then you can click on it to make it bigger):

Is so, then select the Command Prompt option. This will load a black window with white text. Click in the empty black space, and type in the command that is in the following box:

chkdsk /F C:

This will start an error check on your hard drive, and it should repair any errors in the filesystem automatically. Hopefully this will resolve the issue.

Once it is done, you can simply close the command prompt, and click the Restart button.

[b-mic80 0]

Ran the error check and windows found no problems in the file system, however it's still not fixed. What should I try next?

Thanks

[GT500 853]

We can try using BlitzBlank to move the file to your C: drive (note that whatever program uses this file may start displaying an error message after it is moved):

1. Please download BlitzBlank from , and save it on your desktop.
   
2. Run BlitzBlank from the icon on your desktop.
   
3. It will display a warning. Click OK to continue.
   
4. Switch to the Script tab.
   
5. Copy and paste the contents of the following box into the big white box on the Script tab:
   

   MoveFile: 
   "C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll" C:\lpsPlugin.dll

   
   

6. After pasting the script in the box above into the white box in BlitzBlank, please click the Execute button in the lower-right corner.
   
7. A message will appear warning you that BlitzBlank is going to restart your computer. Make sure that anything you were working on is saved, and click OK to allow it to restart your computer.
   
8. When your computer is starting up you should see an odd black screen with some white text on it. This is normal, and your computer will continue with its normal startup after a minute or two.
   
9. Once your computer is finished starting up, there should be a log file saved as a Text Document named blitzblank in the root of your C: drive. Please attach that file to a reply by using the More Reply Options button to the lower-right of where you type in your reply.
   

[b-mic80 0]

Hi,

Pasted the above box exactly as it is but when I click on execute I get the error message - Syntax error in line 1, Invalid file path

Doesn't look to be anything wrong though?

[GT500 853]

That's a bit odd. Lets try using ComboFix to move it.

I have written a script that will tell ComboFix how to move that file. Here are instructions on what to do with the script:

1. Download an updated version of ComboFix from one of the following links:
   [list=]
   
2. BleepingComputer
   
3. InfoSpyware
   

[*] Turn off your Anti-Virus software.

[*] Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad.

[*] Please copy and paste the contents of the box below into Notepad (here is a link to instructions if you do not know how to copy and paste):

http://support.emsisoft.com/topic/7453-pc-infected-by-trojans/

KillAll::

FileLook::
C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll

FCopy::
C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll | C:\lpsPlugin.dll

File::
C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll

[*] Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop).

[*] Close Notepad and verify that the CFScript file is saved on your desktop.

[*] Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then holding the mouse button down drag the CFScript icon on your desktop onto the ComboFix icon, and then drop it (let go of the mouse button) on top of the ComboFix icon:

When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find.

[b-mic80 0]

Realised what the problem was, it's IPS with an i rather than L.

Amended and ran BlitzBlank but it didn't restart properly and after about 5 mins of waiting I got the message - Windows failed to start.

Will give ComboFix a try now.

[b-mic80 0]

Sorry, just realised that depsite my PC not restarting properly, IpsPlugin.dll appears to have been successfully moved and I've attached the BlitzBlank log. I've therefore not ran ComboFix for now, do you still want me to?

Thanks

[GT500 853]

No, if the file was moved then go ahead and run the ESET scan and attach the log for me when it is done. Here are the instructions again:

1. Turn off your anti-virus software.
   
2. Click on this link.
   
3. Click on the ESET Online Scanner button.
   
4. Put a check in the box that says YES, I accept the Terms of Use.
   
5. Click the 'Start' button just to the right of the checkbox.
   
6. Uncheck the box that says Remove found threats (this is very important).
   
7. Click on Advanced settings.
   
8. Put a check in the box that says Scan for potentially unsafe applications.
   
9. Verify that Scan for potentially unwanted applications is also checked.
   
10. Verify that Enable Anti-Stealth technology is also checked.
    
11. Click the Start button in the lower-right corner of the page, and it will begin downloading it's database, and then it will start scanning.
    
12. When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found).
    
13. Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me.
    
14. Close the ESET online scan.
    

I will take a look at the log, and let you know if anything needs removed.

[b-mic80 0]

Tried to run ESET scan twice and both times it got 93% through before freezing on the following file:

C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-ipsplugin_31bf38...\IpsPlugin.dll

Can't seem to find this file though.

[GT500 853]

Please follow the instructions at this link to start your computer in Safe Mode With Networking and then try the ESET online scan again.

[b-mic80 0]

Completed ESET scan in safe mode and no threats were found.

[GT500 853]

OK, lets move that file back before we proceed:

1. Please download BlitzBlank from , and save it on your desktop.
   
2. Run BlitzBlank from the icon on your desktop.
   
3. It will display a warning. Click OK to continue.
   
4. Switch to the Script tab.
   
5. Copy and paste the contents of the following box into the big white box on the Script tab:
   

   MoveFile: 
   C:\IpsPlugin.dll "C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll"

   
   

6. After pasting the script in the box above into the white box in BlitzBlank, please click the Execute button in the lower-right corner.
   
7. A message will appear warning you that BlitzBlank is going to restart your computer. Make sure that anything you were working on is saved, and click OK to allow it to restart your computer.
   
8. When your computer is starting up you should see an odd black screen with some white text on it. This is normal, and your computer will continue with its normal startup after a minute or two.
   
9. Once your computer is finished starting up, there should be a log file saved as a Text Document named blitzblank in the root of your C: drive. Please attach that file to a reply by using the More Reply Options button to the lower-right of where you type in your reply.
   

[b-mic80 0]

Ok, I've done that. Please see attached log.

[GT500 853]

OK, things are looking pretty good. Is your computer still displaying any symptoms of an infection?

[b-mic80 0]

Tried running scans in normal mode with emsisoft anti-malware and malwarebytes anti-malware, both completed and found nothing suspicious. This is an improvement as I've not been able to scan in normal mode without pc crashing up to now.

Haven't noticed any other problems tonight.

[GT500 853]

OK, from your logs it looks like your system is clean now. Here's some final instructions for you:

1. Make Sure Java is Updated:

1. Click on the
   Start
   button.
   
   
2. Click on
   Control Panel
   .
   
   
3. Click
   Uninstall a program
   .
   
   
4. Look for Java in the list (should be alphabetical), and uninstall all versions of Java that you find listed.
   
   
5. Click on
   this link
   and download and install the latest Java (the
   Windows Online
   download will be faster).
   
   

2. Make Sure Adobe Flash is Updated:

1. Click on
   this link
   and download the latest version of Adobe Flash Player for your web browser.
   
   
2. You will need to close your web browser when installing Flash.
   
   

3. Make Sure Adobe Acrobat Reader is Updated:

1. Click on the
   Start
   button.
   
   
2. Click on
   Control Panel
   .
   
   
3. Click
   Uninstall a program
   .
   
   
4. Look for any versions of Adobe Reader or Adobe Acrobat Reader in the list (should be alphabetical), and uninstall all of them (if you have Adobe Acrobat, which is the premium software from Adobe, then you
   do not
   need to uninstall it).
   
   
5. Click on
   this link
   to go to the Adobe Reader download page, make sure to unselect any offers for toolbars or other free software, and download and install the latest version of Adobe Reader.
   
   

(please note that some people do prefer to use third-party PDF viewers such as

PDF X-Change Viewer

and

Foxit Reader

which are not as commonly exploited as Adobe Reader, so if you would prefer to use one of those then you do not need to download and install Adobe Reader)

4. Make Sure Your Computer Has The Latest Windows Updates:

1. Click on the
   Start
   button.
   
   
2. Go to
   All Programs
   .
   
   
3. Click on
   Windows Update
   .
   
   
4. Click
   Check for updates
   in the menu on the left (should be near the top).
   
   
5. Once it is done checking for updates, click the
   Install updates
   button on the right.
   
   
6. Make sure that if your computer wants to restart after the updates are done, that you allow it so.
   
   

5. Web Of Trust Extension:

While this is not a requirement, I highly recommend that you click

this link

and check out the Web Of Trust extension for your web browser. It will add an extra layer of protection to your web browsing for free, and it is especially helpful when doing searches on Google, Yahoo!, Bing, etc. as it will point out what sites are considered trustworthy and what sites are not by drawing a colored circle to the right of each search result. Green means trusted, red means not trusted, yellow is in between, and white means it is not in Web Of Trust's database.

6. Empty The System Restore:

1. Click on the
   Start
   button.
   
   
2. Right-click on
   Computer
   
   
3. Select
   Properties
   from the list.
   
   
4. In the window that pops up, click on the
   System protection
   link in the menu on the left.
   
   
5. The buttons may not be clickable for a few moments, but once you can click on them select the drive in the list near the bottom that shows protection is on (this will usually be you
   C:
   drive) and click the
   Configure...
   button.
   
   
6. Click the button near the bottom-right that says
   Delete
   to clear all System Restore data.
   
   
7. Once finished, click
   OK
   to close that window.
   
   
8. Now you will want to make sure that the correct drive is selected again (usually your
   C:
   drive) and click on the
   Create
   button to create a new restore point.
   
   
9. Fill in a name for the restore point, and click the
   Create
   button.
   
   
10. Once it is done, you can close the windows that were opened to get to the System Restore settings.
    
    

[b-mic80 0]

Ok I've now done all that thanks.

[b-mic80 0]

One thing that might be worth mentioning, I've now downloaded avast! Internet Security and the full scan found no threats, however it could not scan one file:

C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll

Came up as status 'Error: Incorrect function' Do you think this is something to be concerned about since it's the same file that was crashing the scans with other programs?

Thanks

[GT500 853]

... Do you think this is something to be concerned about since it's the same file that was crashing the scans with other programs?

Well, lets try deleting it, and see if anything complains. Here's another ComboFix script with instructions:

1. Download an updated version of ComboFix from one of the following links:
   [list=]
   
2. BleepingComputer
   
3. InfoSpyware
   

[*] Turn off your Anti-Virus software.

[*] Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad.

[*] Please copy and paste the contents of the box below into Notepad (here is a link to instructions if you do not know how to copy and paste):

http://support.emsisoft.com/topic/7453-pc-infected-by-trojans/

KillAll::

FileLook::
C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll

File::
C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll

[*] Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop).

[*] Close Notepad and verify that the CFScript file is saved on your desktop.

[*] Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then holding the mouse button down drag the CFScript icon on your desktop onto the ComboFix icon, and then drop it (let go of the mouse button) on top of the ComboFix icon:

When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find.

[b-mic80 0]

Tried that and have attached log. File still seems to be there though.

ComboFix also told me that avast! real-toemscanner was still active, however I checked this and all the components were definitely disabled so don't know if that affected anything.

[GT500 853]

According to that log, your avast! Internet Security was still enabled while ComboFix was running. avast! would have prevented ComboFix from running properly.

[b-mic80 0]

Ok this log should be what you're looking for. File's still not moved though.

[GT500 853]

OK, lets try using OTL to delete it. I have written a script for OTL (if you need to, you may download OTL from this link).

1. Please copy the contents of the following CODE box, and in OTL under the Custom Scans/Fixes box at the bottom, paste in what you just copied from the following CODE box:
   

   :Files
   C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll
   
   :Commands
   [EMPTYTEMP]

   
   

2. Then click the Run Fix button at the top.
   
3. Let the program run unhindered, restart your computer when it is done (it may automatically restart your computer on its own).
   
4. After your computer has restarted, please open OTL again and click the Quick Scan button. Attach the log it produces in your next reply (just the OTL log, as I don't need to see the Extras log again). You will need to click the button that says More Reply Options to the lower-right of where you type your reply to be presented with the attachment controls.
   

[b-mic80 0]

Notepad came up with this message after restart. I've attached the OTL log as requested.

All processes killed

Error: Unable to interpret <:FilesC:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll:Commands[EMPTYTEMP]> in the current context!

OTL by OldTimer - Version 3.2.33.2 log created on 03242012_163324

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

[GT500 853]

When you copy and pasted that script into OTL, did everything appear on the same line, or did it look exactly like it does in little box in my post?

[b-mic80 0]

I think it pasted it all on one line

[GT500 853]

OK, that would explain the error message.

Try copying and pasting the script into OTL again, and make the necessary modifications so that it looks just like it does on the forums (it should be 4 lines with a blank line in the middle). Let me know if the script runs properly like that.

[b-mic80 0]

The script ran properly this time and I have attached the OTL log.

[GT500 853]

OK, are you able to complete anti-virus scans now?

[b-mic80 0]

Tried twice today, first time I got the blue screen, second time it froze and I had to hard boot.

[GT500 853]

Do you remember what file it froze on?

[b-mic80 0]

Sorry I should have checked, am not home until Thursday but will try again then and let you know.

Thanks

[GT500 853]

OK. If your topic gets closed then just send me a private message asking me to reopen it.

[b-mic80 0]

Ok, this time it crashed on the first scan, second time I managed to run the antivirus to completion but again it couldn't scan the same file:

C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll

Looks like it's still causing problems.

[GT500 853]

I've been talking to one of our researchers, and that file is a Windows System File. The reason scans are failing on that file could be due to filesystem damage and it could be due to physical damage to your hard drive.

Follow the instructions at this link, and instead of loading Safe Mode load the Recovery Environment. Once you get into the Recovery Environment, you should see a screen like this:

You'll want to click the link to load the Command Prompt. At the Command Prompt, type out chkdsk /R C: and it will check the filesystem for errors and check every sector on the hard drive for damage. Any repairs to the filesystem will be made automatically, and any bad sectors on your hard drive will be marked so that Windows won't try to write data in them.

[b-mic80 0]

Tried that, Windows found no bad sectors and no problems in the file system.

[GT500 853]

Are scans still freezing on that file?