Jump to content

Constant trojan attacks


Recommended Posts

Hello, I posted here a few days ago looking for help with a trojan infection, which turned out to be poweliks, which was completely successful in removal. Since then, i have been attacked by poweliks again as well as some chrome based trojan. I dont know how I am getting these, I dont even know where to begin. Each has been removed with relative ease, but it seems every day theres a new attack. I need help permanently blocking these, or at least identifying where they are coming from in the first place. Thank you for any help.

Link to post
Share on other sites

Welcome to the forum. (Do what you can)

General P2P/Piracy Warning:

 

1. If you're using Peer 2 Peer software such uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

2. If you have illegal/cracked software (MS Office, Adobe Products), cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

 

<====><====><====><====><====><====><====><====>

 

1. Please run a Threat Scan with Malwarebytes (if possible)

Start Malwarebytes 2.0.........

Click on Settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Quarantine all that's found

Post the log (save the log as a .txt file not .xml)

Then......

2. Please download Farbar Recovery Scan Tool (FRST) and save it to a folder.

(use correct version for your system.....Which system am I using?)

FRST <----for 32 bit systems

FRST64 <----for 64 bit systems

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button. (make sure the Addition box is checked)
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
If the logs are large, you can attach them:

To attach a log:

Bottom right corner of this page.

reply1.jpg

New window that comes up.

replyer1.jpg

Last................

3. Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Wait for the Prescan to finish

Click Scan to scan the system.

When the scan completes > Don't Fix anything! > Click on the Report Button > Copy and paste the Report back here.

Don't run any other options, they're not all bad!!!!!!!

RogueKiller logs will also be located here:

%programdata%/RogueKiller/Logs <-------W7

C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <-------XP

(please don't put logs in code or quotes and use the default font)

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running. Create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

If I don't respond within 24 hours, please send me a PM

Link to post
Share on other sites

I wasnt able to turn system restore on. In the first place I find it strange that it was off. "Could not apply the settings for the following reason: The filename, directory name, or volume label syntax is incorrect. (0x8007007b)" Additionally I dont use any P2P software, too scared of the malware. In fact if you find any evidence of it please let me know because its not supposed to be there.

 

MBAM log

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 12/27/2014
Scan Time: 11:05:08 AM
Logfile: MBAM log.txt
Administrator: Yes
 
Version: 2.00.4.1028
Malware Database: v2014.12.27.06
Rootkit Database: v2014.12.23.02
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Aaron
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 379306
Time Elapsed: 9 min, 31 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
 
RogueKiller'
 
RogueKiller V10.1.0.0 (x64) [Dec 11 2014] by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Aaron [Administrator]
Mode : Scan -- Date : 12/27/2014  11:28:53
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 0 ¤¤¤
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 35 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 media.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 api.opencandy.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.betterinstaller.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.filebulldog.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 inno.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 nsis.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.file2desktop.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.goateastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.guttastatdk.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.inskinmedia.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.oibundles2.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.playbryte.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.llogetfastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.montiera.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.msdwnld.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.mypcbackup.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.ppdownload.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.riceateastcach.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.shyapotato.us
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.solimba.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.tuto4pc.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.appround.biz
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bigspeedpro.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bispd.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bisrv.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.cdndp.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.download.sweetpacks.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.dpdownload.com
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.visualbee.net
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  WDC WD10JPVX-75 SCSI Disk Device +++++
--- User ---
[MBR] a856e6ca17efab1bcc91d1d77f8f3981
[bSP] 8d77050f4b41abe8ac791719f39290e6 : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 10942 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 22491136 | Size: 942882 MB
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )
 
+++++ PhysicalDrive1:  LITEONIT DMT-80 SCSI Disk Device +++++
--- User ---
[MBR] a119863d300306e89cff6b501d614b24
[bSP] 3c6283bf2791e32458320daba0f0e9f7 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 10781 MB
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )
 
 
============================================
RKreport_DEL_10162014_211538.log - RKreport_DEL_10182014_014012.log - RKreport_DEL_10182014_130624.log - RKreport_DEL_12202014_153859.log
RKreport_DEL_12202014_153907.log - RKreport_DEL_12202014_153913.log - RKreport_DEL_12202014_153923.log - RKreport_DEL_12272014_003047.log
RKreport_SCN_10162014_211128.log - RKreport_SCN_10162014_211718.log - RKreport_SCN_10182014_013950.log - RKreport_SCN_10182014_130530.log
RKreport_SCN_12202014_153811.log - RKreport_SCN_12272014_002806.log - RKreport_SCN_12272014_112638.log
 

Addition.txt

FRST.txt

Link to post
Share on other sites

Right now im perfectly fine. I have managed to get through each attack attempt without serious or long lasting issue. My concern is that I have some massive exploit, wildly outdated software, something that keeps letting these in. I dont do any risky web surfing, so the fact that I keep getting trojans is baffling to me and I have no idea where to begin. I dont know if its malware, or an exploit, or what and I need helping figuring out how these trojans keep getting in, even if they get shut down before anything happens.

Link to post
Share on other sites

OK..please run these scans:

Make sure you have created that system restore point before you continue!

Please read the directions carefully so you don't end up deleting something that is good!!

If in doubt about an entry....please ask or choose Skip!!!!

Don't Delete anything unless instructed to!

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If a suspicious object is detected, the default action will be Skip, click on Continue

Please note that TDSSKiller can be run in safe mode if needed.

Please download the latest version of TDSSKiller from HERE and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters. (Leave the KSN box checked)

    tds2.jpg

  • Put a checkmark beside loaded modules.

    13040712472913819.png

  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.

    clip.jpg

  • Click the Start Scan button.

    tds2.jpg

  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    tdsskiller_guide_5.gif

    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

    If in doubt about an entry....please ask or choose Skip

  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    tdsskiller_guide_3.gif

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If in doubt about an entry....please ask or choose Skip

Don't Delete anything unless instructed to!

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.

reply1.jpg

New window that comes up.

replyer1.jpg

Then...........

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

http://www.bleepingcomputer.com/download/combofix/dl/12/<---ComboFix direct download

Please make sure you click download buttons that look similar to this, not "sponsored ad links":

bleep-crop.jpg

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

Last:

Clean out temp files:

Download TFC from here and save it to your desktop.

http://oldtimer.geekstogo.com/TFC.exe

http://www.bleepingcomputer.com/download/tfc/dl/92/

Close any open programs and Internet browsers.

Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.

Please be patient as clearing out temp files may take a while.

Once it completes you may be prompted to restart your computer, please do so.

Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

MrC

Link to post
Share on other sites

I havent had any issues for a while now, and some other measure have been taken to clean the computer, I can create a system restore point after additional cleaning so whatever was causing that issue is done. Im going to operate for now under the belief that things are taken care of, You can close this now. Thanks for the help, and sorry I feel like I lead everyone on a bit of a goose chase.

Link to post
Share on other sites

Ok, finally finished. Heres the logs.

 

TDSSKiller

 

21:14:07.0161 0x0bf8  TDSS rootkit removing tool 3.0.0.42 Dec 12 2014 00:35:20
21:14:13.0147 0x0bf8  ============================================================
21:14:13.0147 0x0bf8  Current date / time: 2014/12/29 21:14:13.0147
21:14:13.0147 0x0bf8  SystemInfo:
21:14:13.0147 0x0bf8  
21:14:13.0147 0x0bf8  OS Version: 6.1.7601 ServicePack: 1.0
21:14:13.0147 0x0bf8  Product type: Workstation
21:14:13.0163 0x0bf8  ComputerName: AARON-PC
21:14:13.0163 0x0bf8  UserName: Aaron
21:14:13.0163 0x0bf8  Windows directory: C:\Windows
21:14:13.0163 0x0bf8  System windows directory: C:\Windows
21:14:13.0163 0x0bf8  Running under WOW64
21:14:13.0163 0x0bf8  Processor architecture: Intel x64
21:14:13.0163 0x0bf8  Number of processors: 8
21:14:13.0163 0x0bf8  Page size: 0x1000
21:14:13.0163 0x0bf8  Boot type: Normal boot
21:14:13.0163 0x0bf8  ============================================================
21:14:17.0927 0x0bf8  KLMD registered as C:\Windows\system32\drivers\44791621.sys
21:14:18.0317 0x0bf8  System UUID: {93923562-DC2C-0A35-2934-65ADB2EE7453}
21:14:19.0084 0x0bf8  Drive \Device\Harddisk0\DR0 - Size: 0xE8E0960E00 ( 931.51 Gb ), SectorSize: 0x200, Cylinders: 0x1DB00, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
21:14:19.0084 0x0bf8  Drive \Device\Harddisk1\DR1 - Size: 0x2A1F00000 ( 10.53 Gb ), SectorSize: 0x200, Cylinders: 0x55E, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
21:14:19.0100 0x0bf8  ============================================================
21:14:19.0100 0x0bf8  \Device\Harddisk0\DR0:
21:14:19.0100 0x0bf8  MBR partitions:
21:14:19.0100 0x0bf8  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x14000, BlocksNum 0x155F000
21:14:19.0100 0x0bf8  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1573000, BlocksNum 0x73191000
21:14:19.0100 0x0bf8  \Device\Harddisk1\DR1:
21:14:19.0100 0x0bf8  MBR partitions:
21:14:19.0100 0x0bf8  \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x150E800
21:14:19.0100 0x0bf8  ============================================================
21:14:19.0100 0x0bf8  C: <-> \Device\Harddisk0\DR0\Partition2
21:14:19.0100 0x0bf8  D: <-> \Device\Harddisk1\DR1\Partition1
21:14:19.0100 0x0bf8  ============================================================
21:14:19.0100 0x0bf8  Initialize success
21:14:19.0100 0x0bf8  ============================================================
21:15:10.0404 0x18c8  KLMD registered as C:\Windows\system32\drivers\87231070.sys
21:15:12.0902 0x18c8  Deinitialize success
 
There was a second log, it was immense. 
Combofix also seemed incredibly large.

TDSSKiller.3.0.0.42_29.12.2014_21.17.31_log.txt

ComboFix.txt

Link to post
Share on other sites

I have run all of these for all users yes. But ever say 12 hours I never the less explode with warnings from malwarebytes that the same programs that were being called in by poweliks when I had the first time are attempting to invade my computer again, and my computer slows down immensely and I begin to see dll.host.exe pop up as a running process. It doesnt happen constantly, only after a great many hours of run time. Also my computers visual settings get altered and start up times slow immensely until after extensive cleaning. Is there something else that could possibly be causing these symptoms? How should I proceed at this point?

Link to post
Share on other sites

Update and run a Threat scan with Malwarebytes

 

======================================

Then download and run Norton Power Eraser, let it do the rootkit scan also.
Be very careful with the program, it's very powerful and often comes up with false positives!
Carefully research what it finds and whats to delete
If there's any questions, ask me first before fixing anything.


Norton Power Eraser:
https://support.norton.com/sp/en/us/home/current/solutions/v69675421_EndUserProfile_en_us?OpenDocument&src=smr2011


MrC

Link to post
Share on other sites

So Ive run NPE. As far as I can tell, none of these are malicious. I recognize all these programs, either as rainmeter functions or modding tools. Also it hit up combofix. The only thing that worries me Is that it registered "Registry System Settings Bad". I looked around but there seems to be a lot of ambiguity over whether or not this is a false positive when it comes up. I included the logs In case you want to view them. It comes in xml, I also added a .txt buuut that might not be useful in its current form. How should I proceed?

Info20141231095112.xml

Info20141231095112.txt

Link to post
Share on other sites

Sorry, one last thing. I think the infection started when I plugged in an external drive used in cleaning the families public computer. Someone came in later and found that I missed a self replicating virus that was on that computer, hiding in the temp files. Is it possible that we already got it? If so, we could just try waiting a little, see if any symptoms reappear. Sorry if im not being helpful, just trying to provide any context I may have missed.

Link to post
Share on other sites

Im very sorry for all these posts, but just one more piece of information. After this last time, I noticed that internet explorer stopped working when the attack began, despite not being active. I uninstalled internet explorer and ran npe, restarting the computer (I didnt actually do anything with npe, just ran a scan). When the computer came back on, it was running fine, mbam wasnt freaking out and all other symptoms were absent.

Link to post
Share on other sites

I've been watching this topic here on a possible new rootkit:


 

=========================

 

Lets see if anything shows in a new scan:

 

Please re-scan with FRST and Make sure the Addition Box is checked.

Post or attach the 2 logs FRST(64).txt and Addition.txt

 

MrC
Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.