
Major Problems With Unrecognised Trojan



I posted this in one of the other forums yesterday and was directed to report it here. I have since followed the instructions regarding analysing the data:-

I have spent the better part of the last 24 hours [it's now over 60 hours] attempting to clear out a Trojan of some type that has appeared on my machine after attempting to watch a streaming video.

The trojan in question hijacks the Windows Automatic Updates alerts and sends constant messages that the firewall and update alerts are off. It also has rooted itself somewhere so that it can still activate when the computer is in safe mode. It is not possible to remove it with System Restore as no matter how far back one takes it, it insists that no changes are made to the system. It also refuses to allow a browser to open and rewrites the registry so that the computer will no longer recognise the file associations when you double click on them. The File Manager showed that a program known as owu.exe was in operation during the worst of these.

I have run every virus scan under the sun from Malwarebytes, Adaware, AVG, Iobit and SuperAntiSpyware. Some of these have picked up problems and removed them. The owu.exe has been removed, the web is accessible, the file associations are restored and the worst of the numerous pop-ups about Windows alerts are gone. However, there is still a persistent taskbar icon that says that Windows alerts are turned off and I cannot use System Restore.

I am at my wits' end trying to get rid of this. Can someone out there please help with some suggestions as to what else I might be able to do?

To this I would add a couple of things. People have suggested that the little red shield pop-up that keeps appearing at the bottom of the taskbar is simply Windows wanting me to turn back on the firewall and automatic updates. This is not the case as:-

1) this is the exact same error message that first appeared when the trojan did

2) no matter how many times I click on them via Security Center under Control Panel, the firewall will not turn up, while the System under Control Panel insists that Automatic Updates are already turned on

3) It is still not possible to conduct a System Restore

I have followed the instructions given and the log is posted. HOWEVER, after conducting a GMER rootkit search, at the point when the scan was completed the program informed me that it was unable to complete the scan, all data had been lost and the computer then froze up.

Other logs are as follows:-

mbam-log-2011-08-01 (09-00-53).txt

Attach.txt

DDS.txt


  • Staff

Hi and welcome to Malwarebytes,

Is the only issue you are experiencing the security center messages?

In the future, please post all logs directly into your reply instead of attaching them. With that said, please update MBAM, run a Quick Scan, and post its log.

Next, run DDS again and post DDS.txt in your reply.


Apologies. Here are requested logs.

I should add there was some difficulty during the DDS scan. About two dozen times during the three minutes of the scan an error message saying "The NTVDM CPU has encountered an illegal instruction. CS:06e IP:0147 OP:63 68 61 72 73" appeared.

Logs are as follows:-

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7373

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

04/08/2011 3:30:12 AM

mbam-log-2011-08-04 (03-30-12).txt

Scan type: Quick scan

Objects scanned: 206971

Time elapsed: 26 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21

Run by Everyone Else at 3:40:24 on 2011-08-04

Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.502.88 [GMT -7:00]

.

AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe

C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\AVG\AVG9\avgfws9.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\system32\wscntfy.exe

svchost.exe

C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe

C:\Documents and Settings\All Users\Application Data\Mozilla Firefox\firefox.exe

C:\Program Files\IObit\IObit Malware Fighter\IMF.exe

C:\Documents and Settings\All Users\Application Data\Mozilla Firefox\plugin-container.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

.

============== Pseudo HJT Report ===============

.

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [Advanced SystemCare 4] "c:\program files\iobit\advanced systemcare 4\ASCTray.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [AVG9_TRAY] Disable_By_c:\progra~1\avg\avg9\avgtray.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [dellsupportcenter] Disable_By_"c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter

mRun: [iObit Malware Fighter] "c:\program files\iobit\iobit malware fighter\IMF.exe" /autostart

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab

DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175715926328

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab

DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

TCP: DhcpNameServer = 192.168.1.254 192.168.1.254

TCP: Interfaces\{CDE026FF-8337-41F3-A59A-1E5CDFE7AAE8} : DhcpNameServer = 192.168.1.254 192.168.1.254

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\everyone else\application data\mozilla\firefox\profiles\se7t3lqv.default\

FF - prefs.js: browser.startup.homepage - www.google.com

.

============= SERVICES / DRIVERS ===============

.

.

=============== File Associations ===============

.

.

=============== Created Last 30 ================

.

.

==================== Find3M ====================

.

.

============= FINISH: 3:43:50.10 ===============
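The DDS "Pseudo HJT Report" section above is what a helper reads first: BHO entries, Run (autostart) entries, DPF (ActiveX download) entries and the DHCP-assigned DNS servers. The following is an added example, not code from the thread, from DDS or from Malwarebytes, showing how those lines can be parsed and triaged automatically. It flags the same things a helper would note by eye here: a BHO CLSID registered with "No File" (the DLL is gone but the registration remains), autorun entries that DDS prints with a "Disable_By_" marker, the hosts that ActiveX controls were downloaded from, and any DNS server outside private address ranges. The sample input is a subset of the log lines quoted above; the interpretation of "uRun" as the user hive and "mRun" as the machine hive is the DDS convention as I understand it and is labelled as an assumption in the code.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example; not part of the forum thread, DDS, or Malwarebytes.
"""
import ipaddress
import re

# Line patterns for the DDS "Pseudo HJT Report" section (format as printed by DDS).
BHO_RE = re.compile(r"^BHO: (?:(?P<name>.*?): )?(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<url>hxxps?://\S+)$")
DNS_RE = re.compile(r"DhcpNameServer = (?P<servers>[\d. ]+)$")

# Constructed sample: a subset of the DDS lines quoted in the thread above.
SAMPLE_DDS = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVG9_TRAY] Disable_By_c:\progra~1\avg\avg9\avgtray.exe
mRun: [dellsupportcenter] Disable_By_"c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
"""


def parse_dds(text):
    """Return a triage summary for the Pseudo HJT lines found in *text*."""
    report = {
        "orphan_bhos": [],    # BHO CLSIDs whose DLL DDS reports as "No File"
        "disabled_runs": [],  # (hive, name) of autoruns carrying a Disable_By_ marker
        "dpf_hosts": {},      # host -> number of ActiveX download (DPF) entries
        "dns_servers": [],    # DHCP-assigned DNS servers, deduplicated, in order seen
        "public_dns": [],     # DNS servers outside private ranges (worth a second look)
    }
    for raw in text.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            if m["path"].strip() == "No File":
                report["orphan_bhos"].append(m["clsid"])
        elif m := RUN_RE.match(line):
            if m["cmd"].startswith("Disable_By_"):
                # Assumption (DDS convention): uRun = current-user hive, mRun = machine hive.
                hive = "HKCU" if m["hive"] == "u" else "HKLM"
                report["disabled_runs"].append((hive, m["name"]))
        elif m := DPF_RE.match(line):
            # DDS defangs URLs as hxxp://; only the host is needed for triage.
            host = re.match(r"hxxps?://([^/]+)", m["url"]).group(1)
            report["dpf_hosts"][host] = report["dpf_hosts"].get(host, 0) + 1
        elif m := DNS_RE.search(line):
            for server in m["servers"].split():
                if server not in report["dns_servers"]:
                    report["dns_servers"].append(server)
    report["public_dns"] = [
        s for s in report["dns_servers"] if not ipaddress.ip_address(s).is_private
    ]
    return report


if __name__ == "__main__":
    for key, value in parse_dds(SAMPLE_DDS).items():
        print(f"{key}: {value}")
```

Run on the sample, the only orphaned BHO is the nameless {5C255C8A-...} entry, the two disabled autoruns are the AVG tray and Dell Support Center entries, and the DNS server is the router's private address, so nothing in that last check stands out. The script works on any DDS.txt pasted in whole, since lines outside the patterns are simply skipped.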


  • Staff

Hi,

Download OTL.exe by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe.
  • Click Run Scan and let the program run uninterrupted.
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.

Click Start --> Run, enter cmd.exe, and press Enter

In the black box that appears, enter this command exactly as shown:

chkdsk>"%userprofile%\desktop\chkdsk.txt"

Press Enter.

When it finishes, open chkdsk.txt on your Desktop and post its contents here.

-screen317


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
