# assistance needed for trojan cleanup

Started getting McAfee alerts about files that were detected but deleted. Then I started getting IE popups (never use IE) for antivirus software. System slowed to the point that I couldn't log on. Booted to safe mode and ran SpyHunter, HijackThis, OTListIt2 and Malwarebytes, but I don't know enough to finish the cleanup. Please help with instructions or suggestions on what I need to do to clean up this mess
thanks
Hmm... good, the ComboFix log appears clean to me. I would still suggest doing a scan with the antivirus you have - McAfee - and also with Malwarebytes, if possible in safe mode, just to make sure that there is absolutely nothing left. Is your computer working normally for now? I mean without any popups from McAfee?
Hi,

1) What's the name of the threat detected by McAfee?

2) Can you attach a snapshot of the popup window?

3) When you open Internet Explorer, do you notice any warning like "...your system is infected" or "...download this xyz antivirus"...? If yes, please mention what you see.

4) Please attach HijackThis's log file.

1. From the logs -  2009-03-28      10:01      Moved (Clean failed because the file isn't cleanable)       NT AUTHORITY\SYSTEM      AAWService.exe      C:\QUARANTINE\Av-test.txt.Vir      EICAR test file (Test). But I also recall seeing trojan.tibs detected by McAfee and the Zlob trojan detected by SpyHunter

2. I closed the McAfee window with the warning message and can't get it to pop up again

3. I have seen warnings across the top of some of the popups.. Not currently being shown

4. HijackThis plus OTListIt and Malwarebytes logs attached

thanks

hijackthis.log
OTListIt.Txt
mbam-log-2009-03-27--17-42-37-.txt
The EICAR test virus is harmless, probably dropped by OTScanIt or ComboFix.
The only inconsistency I can see in the HJT log is the BITS service; this needs to be repaired.
You may want to reinstall this update to repair it: http://support.microsoft.com/kb/923845
Also, I would suggest you run ComboFix.
Please do share the logs.

Hmm.. your PC will slow down a lot if you use SpyHunter; I've had bad experiences with that program. It's a resource-hungry application, although effective.

You might want to use CCleaner (http://www.ccleaner.com/) to clear all your temporary internet files and clutter on your PC. That might also help followed by defragmentation, which will make your PC faster again.

Hope it helps.
The following are listed as unknown from your HiJackThis log file. If you do not know their origin you can remove them.

c:\program files\common files\aol\1135203421\ee\aolssc.exe

O15 - Trusted Zone: *.intuit.com

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

Your Malwarebytes log shows one infected Registry entry that was successfully quarantined.

It is important that you follow the directions for this utility.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

VM

Combofix log file attached
combo-fix-log.txt
Hmmm... your ComboFix log is quite interesting. You have quite a few things that you need to get rid of here; you have Rootkit.Trace, which is protecting other malware on your PC from scanners. It's a good thing that ComboFix has revealed them:

2009-03-23 15:07      90,112      ------w      c:\windows\genahemo.dll
2009-03-23 14:40      90,112      ------w      c:\windows\yegegeyo.dll
2009-03-23 14:15      90,112      ------w      c:\windows\kepebugu.dll
2009-03-23 13:49      89,600      ------w      c:\windows\gikatuma.dll
2009-03-23 13:24      89,600      ------w      c:\windows\tahemena.dll
2009-03-23 12:42      89,600      ------w      c:\windows\vojiyiye.dll
2009-03-23 12:19      89,600      ------w      c:\windows\suvatonu.dll
2009-03-23 11:56      89,600      ------w      c:\windows\raheleyu.dll
2009-02-25 23:13      26,272      ----a-w      c:\documents and settings\krb\Application Data\GDIPFONTCACHEV1.DAT
2009-02-04 14:45      6      ----a-w      c:\windows\Fonts\wfonts.key
2007-12-27 02:10      23,728      ----a-w      c:\documents and settings\jcb\Application Data\GDIPFONTCACHEV1.DAT
2007-08-14 14:58      23,728      ----a-w      c:\documents and settings\sjb\Application Data\GDIPFONTCACHEV1.DAT
2007-07-30 23:39      23,728      ----a-w      c:\documents and settings\kmb\Application Data\GDIPFONTCACHEV1.DAT
2007-07-30 22:11      23,728      ----a-w      c:\documents and settings\AIM\Application Data\GDIPFONTCACHEV1.DAT
2007-04-05 17:30      23,728      ----a-w      c:\documents and settings\crb\Application Data\GDIPFONTCACHEV1.DAT
2009-03-26 16:36 . 2009-03-29 16:43      54,156      --ah-----      c:\windows\QTFont.qfn
2009-03-26 16:36 . 2009-03-26 16:36      1,409      --a------      c:\windows\QTFont.for
2009-03-25 18:19 . 2009-03-25 18:19      123,904      --a------      C:\pvnncaoo.exe
2009-03-25 18:18 . 2009-03-25 18:18      10,240      --a------      c:\windows\instsp2.exe

and a few more. Did you run ComboFix in safe mode? I hope that I haven't missed anything else from the list. I will compile a ComboFix script to finish all these entries, unless someone else has already done it and posts within seconds of my posting.
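The pattern warturtle is pointing at in the listing above (same-size DLLs with eight-letter random names written into c:\windows every twenty-odd minutes) is the kind of thing that is worth automating when reading logs like this. The following is an added Python example, not code from the thread or from ComboFix: a parser for listing lines in the shape quoted above, plus a heuristic that groups random-named executables dropped straight into c:\ or c:\windows into bursts by creation time. The sample listing is constructed from the lines in the post; the naming heuristic and the 60-minute gap are assumptions for illustration, not how ComboFix or any scanner classifies files.

```python
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: lines copied in shape from the ComboFix listing quoted
# above ("created [. modified]   size   attributes   path").
SAMPLE_LISTING = r"""
2009-03-23 15:07      90,112      ------w      c:\windows\genahemo.dll
2009-03-23 14:40      90,112      ------w      c:\windows\yegegeyo.dll
2009-03-23 14:15      90,112      ------w      c:\windows\kepebugu.dll
2009-03-23 13:49      89,600      ------w      c:\windows\gikatuma.dll
2009-03-23 13:24      89,600      ------w      c:\windows\tahemena.dll
2009-03-23 12:42      89,600      ------w      c:\windows\vojiyiye.dll
2009-03-23 12:19      89,600      ------w      c:\windows\suvatonu.dll
2009-03-23 11:56      89,600      ------w      c:\windows\raheleyu.dll
2009-02-25 23:13      26,272      ----a-w      c:\documents and settings\krb\Application Data\GDIPFONTCACHEV1.DAT
2009-02-04 14:45      6      ----a-w      c:\windows\Fonts\wfonts.key
2009-03-26 16:36 . 2009-03-29 16:43      54,156      --ah-----      c:\windows\QTFont.qfn
2009-03-26 16:36 . 2009-03-26 16:36      1,409      --a------      c:\windows\QTFont.for
2009-03-25 18:19 . 2009-03-25 18:19      123,904      --a------      C:\pvnncaoo.exe
2009-03-25 18:18 . 2009-03-25 18:18      10,240      --a------      c:\windows\instsp2.exe
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?: \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r"\s+(?P<size>[\d,]+)\s+(?P<attrs>[-a-z]+)\s+(?P<path>.+?)\s*$")


@dataclass
class Entry:
    created: datetime
    size: int
    attrs: str
    path: str


def parse_listing(text):
    """Parse ComboFix-style listing lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(
                created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
                size=int(m["size"].replace(",", "")),
                attrs=m["attrs"],
                path=m["path"]))
    return entries


# Heuristic (an assumption for illustration, not a scanner rule): an executable
# whose name is eight lowercase letters, dropped straight into c:\ or c:\windows
# rather than into an application folder.
RANDOM_STEM = re.compile(r"^[a-z]{8}$")
SHALLOW_DIRS = {"c:", r"c:\windows"}


def is_random_named(entry):
    directory, filename = ntpath.split(entry.path)
    stem, ext = ntpath.splitext(filename)
    return (directory.lower().rstrip("\\") in SHALLOW_DIRS
            and ext.lower() in {".dll", ".exe", ".sys"}
            and RANDOM_STEM.match(stem) is not None)


def burst_groups(entries, max_gap=timedelta(minutes=60)):
    """Per directory, split entries into runs whose consecutive creation times
    are at most max_gap apart; a dropper writing a new DLL every few minutes
    shows up as one long run."""
    by_dir = defaultdict(list)
    for e in entries:
        by_dir[ntpath.split(e.path)[0].lower()].append(e)
    groups = []
    for items in by_dir.values():
        items.sort(key=lambda e: e.created)
        run = [items[0]]
        for prev, cur in zip(items, items[1:]):
            if cur.created - prev.created <= max_gap:
                run.append(cur)
            else:
                groups.append(run)
                run = [cur]
        groups.append(run)
    return groups


def suspicious_runs(text):
    """Summarise each burst of random-named files found in a listing."""
    flagged = [e for e in parse_listing(text) if is_random_named(e)]
    return [{
        "directory": ntpath.split(run[0].path)[0].lower(),
        "count": len(run),
        "first": run[0].created,
        "last": run[-1].created,
        "sizes": sorted({e.size for e in run}),
        "files": [ntpath.split(e.path)[1] for e in run],
    } for run in burst_groups(flagged)]


if __name__ == "__main__":
    for run in suspicious_runs(SAMPLE_LISTING):
        print(f"{run['directory']}: {run['count']} file(s) between "
              f"{run['first']} and {run['last']}, sizes {run['sizes']}")
        print("    " + ", ".join(run["files"]))
```

On the sample this reports one run of eight DLLs in c:\windows created between 11:56 and 15:07 on 2009-03-23 (sizes 89,600 and 90,112) and a single file, pvnncaoo.exe, in the root of C:. The font caches, wfonts.key, the QTFont files and instsp2.exe are not flagged, which matches the later discussion in the thread that not everything in such a listing is malicious; the output is a list of things to look at, not a removal list.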
As promised, here is the ComboFix script. Reboot your PC in safe mode and carry out the instructions. Open a Notepad window, paste everything that is bold and save it as CFScript.txt, then drag and drop this file on top of the ComboFix.exe file. It will again produce a log; please send that log to us for further analysis:

KILLALL::
File::
c:\windows\genahemo.dll
c:\windows\yegegeyo.dll
c:\windows\kepebugu.dll
c:\windows\gikatuma.dll
c:\windows\tahemena.dll
c:\windows\vojiyiye.dll
c:\windows\suvatonu.dll
c:\windows\raheleyu.dll
c:\documents and settings\krb\Application Data\GDIPFONTCACHEV1.DAT
c:\windows\Fonts\wfonts.key
c:\documents and settings\jcb\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\sjb\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\kmb\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\AIM\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\crb\Application Data\GDIPFONTCACHEV1.DAT
c:\windows\QTFont.qfn
c:\windows\QTFont.for
C:\pvnncaoo.exe
c:\windows\instsp2.exe

I didn't run ComboFix in safe mode originally.. After I saw the last post, I booted into safe mode and dropped CFScript.txt onto ComboFix on the desktop.. I walked away from the PC and when I came back it had done a normal boot into XP.. Once I logged on, ComboFix completed and generated the attached log file..
log.txt
c:\windows\QTFont.qfn
c:\windows\QTFont.for

warturtle, the above files have never been classified as bad before, they're legit.

Run combofix again using this script.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\system32\drivers\bbcdcb25.sys
c:\windows\system32\driver.sys

DirLook::
C:\2081773250

Driver::
bbcdcb25
botdrv
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

You might also submit the file below for an online virus scan at http://virusscan.jotti.org/ since it failed the sigcheck; it could be patched.
c:\windows\system32\drivers\ndis.sys

Also go to Start > Run > type in:

services.msc

press Enter and double-click on this service -->  Background Intelligent Transfer Service
and check to make sure that the path to executable is the same as below:
C:\WINDOWS\system32\svchost.exe -k netsvcs
I am back.

Those 2 files are classified as Trojans by AVG/Ewido - Have a look at this webpage for more details:

http://www.bleepingcomputer.com/forums/lofiversion/index.php/t30003.html

If you open it and search for 'QTFont.for', you will find them both listed as Trojans. Do you still get popups from McAfee?
Just ran the latest CFScript file in safe mode. Log is attached

log.txt
went to http://virusscan.jotti.org/ and this query has been running for over 10 minutes.. Will post results if/when it finishes.

ran services.msc and the path for BITS is %fystemRoot%\system32\svchost.exe -k netsvcs   This is close but shouldn't %fystemRoot% be %SystemRoot% ?

No longer getting AV popups but I'd like to be sure that this machine is really clean.. I haven't used it in over a week and I need to finish my taxes soon.
thanks
Hmm... there is another website www.virustotal.com which can also scan files for malicious content. You might want to check there as well.

Secondly, I would suggest only keeping 1 antivirus and 1 antispyware product on your PC, as they might interfere with each other's workings as well as with ComboFix and other anti-malware software. Currently, you have SpyBot S&D, SpyHunter and Ad-Aware. Select one of them to keep on your PC and remove others.

Thirdly, I would also install a firewall first of all, one which scans both inbound and outbound traffic. My suggestion is ZoneAlarm free firewall or PC Tools free firewall. I've used ZoneAlarm more and think it's a great firewall and quite effective at stopping viruses from accessing the internet. Install it and set the security slider for the internet zone to highest (stealth mode) and medium level for the trusted zone. Note any strange processes asking for internet access, deny them internet access and let us know what your observations are.

Lastly but not finally, you might want to use CCleaner (http://www.ccleaner.com/) to clear all your temporary internet files and clutter on your PC. That might eliminate the strange trojan processes such as BN1.tmp which are currently running from temporary internet files. Do all the above steps in safe mode preferably, except for removal and installation of products.
Those 2 files are classified as Trojans by AVG/Ewido - Have a look at this webpage for more details:<<<<

The above QTFont.for and QTFont.qfn were flagged as infected because of the infected ADS attached to them.
The ADS which attached themselves to QTFont.for and QTFont.qfn are the ones that are bad, not the files themselves.

Whereas in this thread, the files below that we are talking about don't have ADS; see the difference? I hope you understand what I mean.

C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
Any comment on the path for BITS being off?
@jbeazell:
Yes, %SystemRoot%  is the correct one to use.

@rpggamergirl:
Thanks for sending that comment. Yes, I agree that ADS *MIGHT* not be present, but it was an avenue for a virus to attach itself to and, because I found out that this file belongs to QuickTime and can be reinstated by merely reinstalling QuickTime, I wasn't worried about killing this file to prevent any possibility of ADS. I hope that I am clear enough here; my intention was not to remove any system files, but I was thinking that we need to eliminate all possibilities to find out exactly what is left on the system and finish it off.
So do I change that entry manually or is there another way to fix it? Is the BITS service required or can I turn this off?
thanks
I just rebooted the machine and logged in normally.. Got a McAfee popup that it deleted restore.sys, detected as Generix.dx, a trojan. I also got a popup that Bifrost was blocked.. Another popup bubble says that Automatic Updates is disabled. I launch Security Center and it shows Auto updates is disabled. If I go into System in Control Panel, it shows that Auto updates is enabled?
BITS is required for Windows Update, so it's a necessary component and should be ON.

For Automatic Updates, you can type sysdm.cpl on Start->Run. Then click on the 'Automatic Updates' tab and see what it says there. You've probably been there already, but it's worth checking again to make sure. What does it say for Firewall? Automatic Updates? And Virus Protection?
Hello

McAfee still seems to be able to get updates. I just did a manual update and it worked fine..

Did start-run sysdm.cpl and it shows that it is set to Automatic (recommended) however Automatic Updates is showing as disabled in Security Center.  It looks like the invalid path for BITS %fystemRoot%\system32\svchost.exe -k netsvcs is causing this service to NOT start.. If I go to the general tab of the BITS service properties, I cannot change the path to the service executable.. How can I correct the path statement, so that I can get Automatic Updates working again..
Also found that the Automatic Update service is disabled and there is no way to change it through the services window
Figured out how to change permissions in order to modify the Image Path.. Started both services and then received a message that updates are available..

Started to install Updates and got an error

Service Pack 3 Setup Error
The file c:\windows\system32\drivers\ndis.sys is open or in use by another application
Close all other applications then click Retry

All other applications are closed.. Ideas?
thanks
The path to BITS has to be fixed or you won't be able to do Windows Update.
Are you familiar with the registry?

Edit the registry to fix the path there.
Start > Run > type in

regedit

Enter and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS

In the right window pane look for "ImagePath".
Then in the data column it should have the %fystemRoot%\system32\svchost.exe -k netsvcs
doubleclick on Imagepath and change it to %SystemRoot%\system32\svchost.exe -k netsvcs

Just change the F to an S (the only difference there is the F)
and OK.

If regedit won't let you edit the registry, download this regtools.vbs first.
http://www.dougknox.com/security/scripts_desc/regtools.htm

----------
You can also backup that key before editing if you want:
Export the BITS subkey to your desktop as backup.reg:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS
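The same check that the posts above do by hand (services.msc, then regedit) can be done against the backup.reg export rpggamergirl suggests taking, which also gives you a record of what the key looked like before the fix. The following is an added Python example, not code from the thread: it parses a regedit 5.00 export, decodes the REG_EXPAND_SZ ImagePath (stored as UTF-16LE hex bytes wrapped over several lines) and reports exactly where it differs from the expected svchost path, and it also reports a Start value of 4 (Disabled) for the Automatic Updates service. The sample export is constructed; wuauserv is the real service name of Automatic Updates, which the thread refers to only by its display name, and the BITS ImagePath in the sample carries the %fystemRoot% typo from the thread.

```python
import re

# Constructed sample in the shape of a regedit 5.00 export of the two services
# Windows Update depends on. BITS has the %fystemRoot% typo from the thread and
# wuauserv (Automatic Updates) is set to Start=4, i.e. Disabled.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"DisplayName"="Background Intelligent Transfer Service"
"ImagePath"=hex(2):25,00,66,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,\
  76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,\
  20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"DisplayName"="Automatic Updates"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,\
  76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,\
  20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Start"=dword:00000004
"""

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
EXPECTED_IMAGEPATH = r"%SystemRoot%\system32\svchost.exe -k netsvcs"
START_NAMES = {2: "Automatic", 3: "Manual", 4: "Disabled"}


def _hex_bytes(csv):
    return bytes(int(b, 16) for b in csv.split(",") if b.strip())


def decode_value(raw):
    """Decode one regedit value literal into (type, value)."""
    if raw.startswith('"'):                       # REG_SZ, with \\ and \" escapes
        return ("REG_SZ", raw[1:-1].replace("\\\\", "\\").replace('\\"', '"'))
    if raw.startswith("dword:"):
        return ("REG_DWORD", int(raw[len("dword:"):], 16))
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
    if m:
        kind = int(m.group(1) or 3)               # bare "hex:" is REG_BINARY (3)
        data = _hex_bytes(m.group(2))
        if kind in (1, 2):                        # REG_SZ / REG_EXPAND_SZ as UTF-16LE
            text = data.decode("utf-16-le").rstrip("\x00")
            return ("REG_EXPAND_SZ" if kind == 2 else "REG_SZ", text)
        return (f"hex({kind})", data)
    return ("UNKNOWN", raw)


def parse_reg_export(text):
    """Parse a regedit export into {key: {value_name: (type, value)}}.
    A real export file is UTF-16LE with a BOM; open it with encoding='utf-16'."""
    joined, buf = [], ""
    for line in text.splitlines():                # re-join hex values wrapped with '\'
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        joined.append(buf + line)
        buf = ""
    keys, current = {}, None
    for line in joined:
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        name, _, raw = line.partition("=")
        keys[current][name.strip('"')] = decode_value(raw)
    return keys


def first_difference(actual, expected):
    """(index, got, wanted) of the first mismatch, or None when the strings are equal."""
    for i, (a, b) in enumerate(zip(actual, expected)):
        if a != b:
            return (i, a, b)
    if len(actual) != len(expected):
        n = min(len(actual), len(expected))
        return (n, actual[n:n + 1], expected[n:n + 1])
    return None


def check_update_services(reg_text, services=("BITS", "wuauserv")):
    """Report ImagePath and Start problems for the services Windows Update needs."""
    keys = parse_reg_export(reg_text)
    findings = []
    for svc in services:
        values = keys.get(f"{SERVICES}\\{svc}")
        if values is None:
            findings.append(f"{svc}: key not present in export")
            continue
        image = values.get("ImagePath", ("", ""))[1]
        # Registry paths are case-insensitive, so compare lower-cased, but report
        # the mismatch using the original characters (the thread's 'f' vs 'S').
        if first_difference(image.lower(), EXPECTED_IMAGEPATH.lower()) is not None:
            i, got, want = first_difference(image, EXPECTED_IMAGEPATH)
            findings.append(f"{svc}: ImagePath {image!r} differs at offset {i} "
                            f"({got!r} should be {want!r})")
        start = values.get("Start", ("", None))[1]
        if start == 4:
            findings.append(f"{svc}: Start=4 ({START_NAMES[4]}); "
                            "Windows Update needs this service enabled")
    return findings


if __name__ == "__main__":
    for finding in check_update_services(SAMPLE_REG) or ["no findings"]:
        print(finding)
```

Run against the sample it prints that the BITS ImagePath differs at offset 1 ('f' should be 'S') and that wuauserv is Disabled; after the two values are corrected the function returns an empty list. Doing the comparison on the exported text rather than by eye is the point: a one-character change in a service path is easy to miss in regedit but trivial to diff.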
>>> Yes, I agree that ADS *MIGHT* not be present, but it was an avenue for a virus to attach itself to and because<<<

ADS is NOT present in this case....you misunderstood the info from your source.
This is not the first time that you suggested deletion of legit files ... so I'm sending you an MC... we can't just go around deleting legit files.
Thanks for the detailed instructions but I got the ImagePath problem fixed as stated in my post at 9:29.. .. Now I'm having a problem installing XP SP3, with the error shown above in the same referenced post..
thanks
I just downloaded SP3 and tried to run it in safe mode.. Got the same error message pointing to ndis.sys as before
@rpg:
Yes, I'll remember that in future. Thanks for reminding.

@jbeazell:
Did you scan the ndis.sys file on the online virus scanner? And what did you get?
I did scan this file 2 days ago and the scanner found nothing.. Just re-ran it again and the scanner found nothing.. Results below:

Scan taken on 01 Apr 2009 20:18:46 (GMT)
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Quick Heal: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing
I would suggest booting your PC in 'safe mode with networking' and doing an online scan with Kaspersky Scanner based at:

http://www.kaspersky.co.uk/virusscanner

It has the highest rates of detection and might help. Please note that it wouldn't remove any infections; it will only produce a report containing the possible infections within your machine.
I ran the FULL SERVICE SCAN on windows live.. I thought this system would have been pretty clean with all the scans and removals I've done already.. I'd list the results, but I can't copy and paste.. Looks like about 11 Trojans and just a few performance items. I will run kaspersky after I finish the windows scan/cleanup
kaspersky report attached
kaspersky.txt
Trojan
C:\WINDOWS\system32\wazuloro.exe      Infected: Trojan.Win32.AntiAV.aug      1
C:\WINDOWS\temp\BN1.tmp      Infected: Trojan.Win32.Agent.bxrf      1
Some viruses can only be removed by restarting the computer and booting in safe mode.
If your antivirus software won't clean it, see:
http://www.kaspersky.com/removaltools

This will guide you:
http://www.mydigitallife.info/2008/02/16/how-to-clean-and-remove-trojanwin32obfuscatedgx-trojanwin32agentakk-trojanzlob-and-etc/
or
http://www.kaspersky.com/removaltools?vtopen=146410248

Also try these free programs to rid your system of spyware , trojans, and other malware:
Make sure to download the most up-to-date data before you run the Antivirus:
Spybot - Search & Destroy
Hmm.. good, good! So,we have found out what is still lurking within your machine, I've made a list of everything that was detected from the log (apologies if I am duplicating some information here):

4. EICAR-Test-File  - This has already been quarantined
5. Rootkit.Win32.Agent.iou - present in windows\system32\dllcache\ndis.sys
6. Trojan.Win32.AntiAV.aug - C:\WINDOWS\system32\wazuloro.exe
7. Trojan.Win32.Agent.bxrf - C:\WINDOWS\temp\BN1.tmp

I suggest that since Kaspersky has pointed out that items 5,6 and 7 are malicious, please try to delete them manually in safe mode or if not possible then open AVG/Ewido online scanner based at http://www.ewido.net/en/onlinescan/ and do a scan of c:\windows folder only for the antivirus to detect the above threats and remove them.

Another option is also possible, which is going to be a bit painstaking though, you can download and install Kaspersky Internet Security Suite trial version from http://www.kaspersky.co.uk/trials. Please note that it wouldn't install if there is another antivirus on the machine. You would have to uninstall every antivirus and antispyware software from your machine to install it (excluding MBAM and HijackThis).
Have you checked the c:\windows\system32\drivers\ndis.sys  if that one is infected?

C:\WINDOWS\system32\dllcache\ndis.sys
C:\WINDOWS\system32\wazuloro.exe
C:\WINDOWS\temp\BN1.tmp

As already suggested, delete the files that Kaspersky flagged as infected (the others are okay; the one in the Java cache can also be removed by clearing the cache, while the others are already in quarantine and pose no risks).
You can delete them manually or use combofix script function; make a new CFScript.txt with below text.

File::
C:\WINDOWS\system32\dllcache\ndis.sys
C:\WINDOWS\system32\wazuloro.exe
C:\WINDOWS\temp\BN1.tmp

Folder::
c:\2081773250
Ran the CFScript and when it completed, I checked the temp directory and there are two files there now:
WFV2.tmp and ZLT07fa4.TMP..Both of these files are being used by other programs and cannot be deleted.. I am to the point now, where I think I'm just going to copy important files off and just format the c drive and reinstall XP
thanks
@jbeazell:
I am not convinced that all these files are created only by viruses, such filenames can also be created by McAfee Antivirus engine, please have a look at (the below link only talks about WFV2.tmp though):

It is advisable to upload these 2 files for viruscheck on www.virustotal.com .
I'm sure that not all of the files tagged are problems, but some of the tagged files are not able to be removed by any of the removal tools I've tried.. I was able to complete my taxes by re-downloading turbotax on a 'clean' laptop, so that worry is over.. Now I just want to get the desktop PC back to normal and I think the best thing to do, at this point, is to reinstall XP on a formatted C drive.. I was going to copy important files to a spare drive, run the scans (to insure that these files are clean) then format and reinstall. Thoughts?
@jbeazell:
Taking a backup of your important items is always a good idea, regardless of if you have a virus or not. I guess re-install is also an option for sure, that is likely to result in a normal PC again. Make sure to install an antivirus and firewall as soon as you install Windows and its latest updates though to prevent getting any viruses into your PC in the future though. Maybe, you can download the Kaspersky Internet Security suite and install it after the Windows install.

Hope it helps.
thanks to all for all assistance provided.. If anyone else has any thoughts, please reply
>>>I checked the temp directory and there are two files there now:<<<
The temp folder can be safely emptied ... but a reformat is a good idea as it's possible that a file infector is at work there - based on the CF log where 3 locations of ndis.sys failed the sigcheck (which can be a sign of a file infector).

Later on if you have spare time you might like to check out these links:

1.  TonyKlein's article "So how did I get infected in the first place?"
http://www.spywareinfoforum.com/index.php?showtopic=60955

2.  miekiemoes' "How to prevent Malware"
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

3.  Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/tutorial82.html

I have been able to delete all but one file in that directory.. ZLT03482.TMP is the one that is giving me a problem now as I have been unable to delete. ZLT07fa4.TMP was there before, but I used KillBox to delete it after a reboot, but files keep showing up to replace the ones I kill..

As for the ndis files.. How can I know which ones are safe to delete, or attempt to delete?
thanks
