Jump to content

Trojan Dropper reloads on boot and authorises others


Recommended Posts

  • Replies 54
  • Created
  • Last Reply

Top Posters In This Topic

The TDSSKiller updated and was run fully this time and it found 1 

 

Malware Object High Risk 

Rootkit.Boot.Cidox.b

 

on the HDD Harddisk0\Partition1

 

 

I ran it with the default settings - Enabling the untick options required a reboot so I used the standard scan 

It just crsahed Explorer On though it never usually crashes after It boots using the Windows Memory Diagnostic.

 

Default action was Cure - Should I try again and click Continue (with Cure) or do you want me to follow some other instruction/s?

 

Attaching the log reported Upload Skipped (Error500) 

So I zipped it - Be careful :-) this log file even looks to be active/suspicious

 

 

TDSSKillerNew.zip

Link to post
Share on other sites

Results were GREAT - Cured !

 

I've rebooted and returned to work and I've not seen it crash once, not even in last 20 minutes while having my dinner. It seems to be done. Your Time, Effort, Knowledge and Patience is worth more than just gratitude - I hope I can help you out enough or some other time. 

 

Clifford

Freshcafe.

Link to post
Share on other sites

Thanks for the update, good to hear we finally make progress..... Continue as follows:

 


On the Dashboard, click the 'Update Now >>' link
After the update completes, click the 'Scan Now >>' button.
Or, on the Dashboard, click the Scan Now >> button.
If an update is available, click the Update Now button.
A Threat Scan will begin.
When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
In most cases, a restart will be required.
Wait for the prompt to restart the computer to appear, then click on Yes.

 

How to get logs:

(Export log to save as txt)

 


After the restart once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click 'Export'.
Click 'Text file (*.txt)'
In the Save File dialog box which appears, click on Desktop.
In the File name: box type a name for your scan log.
A message box named 'File Saved' should appear stating "Your file has been successfully exported".
Click Ok
Attach that saved log to your next reply.

 

Next,

 

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop. (If your security alerts either accept the alert, or turn the security off while Secuirity Check runs)

Double click SecurityCheck.exe (Vista or Windows 7/8 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

Let me see those two logs, also give an update on any remaining issues or concerns...

 

Kevin....

Link to post
Share on other sites

OK - 

 

I checked the other two user profiles and the User Profile with a password has issues.

 

I hope it's just on this profile - The McAfee found unwanted programs (non malware), I then ran MSERT (Microsoft.....)

 

The full scan found Virus DOS\Rovnix!A and "partially repaired it.

 

I came back here to tell you and saw your instructions -

 

I have now Run FRST and Malwarebytes but neither has found anything to report.

 

With no log to export, I am now about to continue with your "Next" sequence by downloading SecurityCheck

Link to post
Share on other sites

It did say partially fixed but I've not yet seen evidence of it affecting the usage. None of the programs seem to pick it up since the reboot directly afterwards. I've attached the Securitycheck - Checkup filie/log. 

 

I will boot again and keep running Anti-Malware used in last few days to make sure it is ok.

 

I will also check back here for your insight.

 

Thanks

checkup.txt

Link to post
Share on other sites

Your Java javaicon.gif is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version of Java components and upgrade the application.

 

Upgrading Java:

 

Go to http://java.com/en/ and click on "Do I have Java"

It will check your current version and then offer to update to the latest version

Watch for and make sure you untick the box next to whatever free program they prompt you to install during the installation, unless you want it.

 

***Note: Check in Programs and Features (or Add/Remove Programs if you are an XP user) to make certain there are no old versions of Java still installed, if so - remove them. <<-- Very Important

 

Next,

 

We need to run an online AV scan to ensure there are no remnants of any infection left on your system that may have been missed. This scan is very thorough and well worth running, it can take several hours please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet explorer for this scan - Vista and Windows 7/8 right click on IE shortcut and run as admin

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 


Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the add/on to be installed
Click Start
Make sure that the option "Remove found threats"  is ticked
Click on Advanced Settings, ensure the options
Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Select "Change" next to Current scan targets A new window will open, select any extra drives, Flash drives etc as required.
Click Scan
wait for the virus definitions to be downloaded
Wait for the scan to finish

 

When the scan is complete

 


If no threats were found
put a checkmark in "Uninstall application on close"
close program
report to me that nothing was found

 

If threats were found

 


click on "list of threats found"
click on "export to text file" and save it as ESET SCAN and save to the desktop
Click on back
put a checkmark in "Uninstall application on close"
click on finish

 

close program

 

Copy and paste the report in next reply.

 

Kevin....

Link to post
Share on other sites

I ask that you update Java and run ESET online AV in reply #35, leave those instructions for now. The FRST logs you attach in reply #36 still show reference to ZeroAccess infection.

 

Continue exactly as follows:

 

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

 

Next,

 

Read the following link before we continue and run Combofix:

 

ComboFix usage, Questions, Help? - Look here

 

Next,

 

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

 

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

http://www.infospyware.net/antimalware/combofix/

 

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
     
  • Disable all security programs as they will have a negative effect on Combofix, instructions available here  http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
     
  • Close any open browsers and any other programs you might have running
     
  • Double click the combofix.gif icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator)
     
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
     
  • If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
     
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

 

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

 

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here  http://thespykiller.co.uk/index.php?page=20 why  disabling autoruns is recommended.

 

*EXTRA NOTES*


    If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    If Combofix reboot's due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
    If after running Combofix you receive any type of warning message about registry key's being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

 

Post those logs in next reply please...

 

Kevin..

fixlist.txt

Link to post
Share on other sites

Going to bed now - Attached is the log from ComboFix 

 

Seem to have caught quite a few entries esp in registry - Will await further instruction.

 

I'm about ready to give up and call this one a loss. The original user wants it back and I said ok to be returned this weekend. Will hammer at it one more day and try returning it tomorrow night. You've been a great help. Thanks again. Let me know what you find and what's next, please.

ComboFix.txt

Link to post
Share on other sites

Good morning,

 

I looked up an entry (E_ITSLEE.EXE) in the Combofix.txt and was heartened to find not everything mentioned are illegitmate entries as suggested by the sub-heading notes - Reg Loading Points - empty entries and legit default entries are not shown.

 

It seems that its an Epson thing which was found to be clean, so I'll leave the log diag to you. I did however spot the quarntine file at the end, found it and attached it here for you. 

ComboFix-quarantined-files.txt

Link to post
Share on other sites

OK we continue,

 

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the c0debox below into it:

 

ClearJavaCache::

 

 

 

Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

CF3.jpg

CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next,

Run AdwCleaner:

Download AdwCleaner by Xplode onto your Desktop.
 

  • Double click on Adwcleaner.exe to run the tool.
  • Click on Scan
  • Once the scan is done, click on the Clean button.
  • You will get a prompt asking to close all programs. Click OK.
  • Click OK again to reboot your computer.
  • A text file will open after the restart. Please post the content of that logfile in your reply.
  • You can also find the logfile at C:\AdwCleaner[sn].txt.

 

Next,

 

 

thisisujrt.gif Please download Junkware Removal Tool to your desktop.


Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.


Next,

Download Security Check by screen317 from either of the following:
http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe
Save it to your Desktop. (If your security alerts either accept the alert, or turn the security off while Secuirity Check runs)
Double click SecurityCheck.exe (Vista or Windows 7/8 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

Next,

We need to run an online AV scan to ensure there are no remnants of any infection left on your system that may have been missed. This scan is very thorough and well worth running, it can take several hours please be patient and let it complete:

Run Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and Windows 7/8 right click on IE shortcut and run as admin

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.
 

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    Click Start
  • When asked, allow the add/on to be installed
    Click Start
  • Make sure that the option "Remove found threats"  is ticked
  • Click on Advanced Settings, ensure the options
  • Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Select "Change" next to Current scan targets A new window will open, select any extra drives, Flash drives etc as required.
    Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish


When the scan is complete



  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found


If threats were found



  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish


close program

Copy and paste the report in next reply.

 

Kevin...

Link to post
Share on other sites

I uninstalled Java - All thre old versions with the JavaRa and loaded the newest version.

 

I am currently running the CFScript in ComboFix 

 

(It looks like it is all gone - I ran the Microsoft scan and it did find 1 infection but looking at the details - it was already in the Quarantine of one of the scanners we have used above, FRST or TDSSKiller)

 

Adware and the JRT is on the desktop to be run next - out to work for awhile - will continue when i'm back home.

Link to post
Share on other sites

BACK -  AdwCleaner found dozens in different sections -

 

I recognise most as malware or adware - Under the Folder Tab I recognise ASK and AVG Secure Search so I'll untick them before clicking Clean.

 

100% of items found in File, Registry, Firefox and Chrome I believe should go. The others are already clean/empty. Log Attached 

 

SecurityCheck did not work - tried to run twice and reported Operating system not supported.

 

ESET sees Avast, ZoneAlarm and McAfee but I cannot find Avast, I've unistalled Zonealarm before running scan and McAfee is on but no active.

 

Eset log to follow. 

JRTLog.txt

AdwCleanerS0Log.txt

ComboFix.txt

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.