jbeazell asked:

assistance needed for trojan cleanup

Started getting McAfee alerts about files that were detected but deleted. Then I started getting IE popups (I never use IE) for antivirus software. The system slowed to the point that I couldn't log on. Booted to safe mode and ran SpyHunter, HijackThis, OTListIt2 and Malwarebytes, but I don't know enough to finish the cleanup. Please help with instructions or suggestions on what I need to do to clean up this mess.
thanks
xmachine

Hi,

1) What is the name of the threat detected by McAfee?

2) Can you attach a snapshot of the popup window?

3) When you open Internet Explorer, do you notice any warning like "...your system is infected" or "...download this xyz antivirus"? If yes, please describe what you see.

4) Please attach HijackThis's log file.

A Symantec Certified Specialist @ your service
jbeazell (asker)

1. From the logs: 2009-03-28 10:01 Moved (Clean failed because the file isn't cleanable) NT AUTHORITY\SYSTEM AAWService.exe C:\QUARANTINE\Av-test.txt.Vir EICAR test file (Test). But I also recall seeing trojan.tibs detected by McAfee and the Zlob trojan detected by SpyHunter.

2. I closed the Mcafee window with the warning message and can't get it to popup again

3. I have seen warnings across the top of some of the popups. Not currently being shown.

4. HijackThis plus OTListIt and Malwarebytes logs attached

thanks

hijackthis.log
OTListIt.Txt
mbam-log-2009-03-27--17-42-37-.txt
Mohamed Osama
The EICAR test virus is harmless, probably dropped by OTScanIt or ComboFix.
The only inconsistency I can see in the HJT log is the BITS service; this needs to be repaired.
You may want to reinstall this update to repair it: http://support.microsoft.com/kb/923845
Also I would suggest you run ComboFix.
Please do share the logs.

Hmm... your PC will slow down a lot if you use SpyHunter; I've had bad experiences with that program. It's a resource-hungry application, although effective.

You might want to use CCleaner (http://www.ccleaner.com/) to clear all your temporary internet files and clutter on your PC. That might also help followed by defragmentation, which will make your PC faster again.

Hope it helps.
The following are listed as unknown in your HijackThis log file. If you do not know their origin you can remove them.

c:\program files\common files\aol\1135203421\ee\aolssc.exe

O15 - Trusted Zone: *.intuit.com

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

Your Malwarebytes log shows one infected Registry entry that was successfully quarantined.

You might want to download and run combofix.
It is important that you follow the directions for this utility.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

VM


Combofix log file attached
combo-fix-log.txt
Hmmm... your ComboFix log is quite interesting; you have quite a few things that you need to get rid of here. You have Rootkit.Trace, which is protecting other malware on your PC from scanners. It's a good thing that ComboFix has revealed them:

2009-03-23 15:07      90,112      ------w      c:\windows\genahemo.dll
2009-03-23 14:40      90,112      ------w      c:\windows\yegegeyo.dll
2009-03-23 14:15      90,112      ------w      c:\windows\kepebugu.dll
2009-03-23 13:49      89,600      ------w      c:\windows\gikatuma.dll
2009-03-23 13:24      89,600      ------w      c:\windows\tahemena.dll
2009-03-23 12:42      89,600      ------w      c:\windows\vojiyiye.dll
2009-03-23 12:19      89,600      ------w      c:\windows\suvatonu.dll
2009-03-23 11:56      89,600      ------w      c:\windows\raheleyu.dll
2009-02-25 23:13      26,272      ----a-w      c:\documents and settings\krb\Application Data\GDIPFONTCACHEV1.DAT
2009-02-04 14:45      6      ----a-w      c:\windows\Fonts\wfonts.key
2007-12-27 02:10      23,728      ----a-w      c:\documents and settings\jcb\Application Data\GDIPFONTCACHEV1.DAT
2007-08-14 14:58      23,728      ----a-w      c:\documents and settings\sjb\Application Data\GDIPFONTCACHEV1.DAT
2007-07-30 23:39      23,728      ----a-w      c:\documents and settings\kmb\Application Data\GDIPFONTCACHEV1.DAT
2007-07-30 22:11      23,728      ----a-w      c:\documents and settings\AIM\Application Data\GDIPFONTCACHEV1.DAT
2007-04-05 17:30      23,728      ----a-w      c:\documents and settings\crb\Application Data\GDIPFONTCACHEV1.DAT
2009-03-26 16:36 . 2009-03-29 16:43      54,156      --ah-----      c:\windows\QTFont.qfn
2009-03-26 16:36 . 2009-03-26 16:36      1,409      --a------      c:\windows\QTFont.for
2009-03-25 18:19 . 2009-03-25 18:19      123,904      --a------      C:\pvnncaoo.exe
2009-03-25 18:18 . 2009-03-25 18:18      10,240      --a------      c:\windows\instsp2.exe

and a few more. Did you run ComboFix in safe mode? I hope that I haven't missed anything else from the list. I will compile a ComboFix script to finish all these entries, unless someone else has already done it and posts within seconds of my posting.
As promised, here is the ComboFix script. Reboot your PC in safe mode and carry out the instructions. Open a notepad window and paste everything that is bold and save it as CFScript.txt, then drag and drop this file on top of ComboFix exe file. It will again produce a log, please send that log to us for further analysis:

KILLALL::
File::
c:\windows\genahemo.dll
c:\windows\yegegeyo.dll
c:\windows\kepebugu.dll
c:\windows\gikatuma.dll
c:\windows\tahemena.dll
c:\windows\vojiyiye.dll
c:\windows\suvatonu.dll
c:\windows\raheleyu.dll
c:\documents and settings\krb\Application Data\GDIPFONTCACHEV1.DAT
c:\windows\Fonts\wfonts.key
c:\documents and settings\jcb\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\sjb\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\kmb\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\AIM\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\crb\Application Data\GDIPFONTCACHEV1.DAT
c:\windows\QTFont.qfn
c:\windows\QTFont.for
C:\pvnncaoo.exe
c:\windows\instsp2.exe


I didn't run ComboFix in safe mode originally. After I saw the last post, I booted into safe mode and dropped CFScript.txt onto ComboFix on the desktop. I walked away from the PC and when I came back it had done a normal boot into XP. Once I logged on, ComboFix completed and generated the attached log file.
log.txt
ASKER CERTIFIED SOLUTION
warturtle
[solution text not available on this page]
SOLUTION
[solution text not available on this page]
You might also check the below file for online virus scan at http://virusscan.jotti.org/ since it failed the sigcheck, it could be patched.
c:\windows\system32\drivers\ndis.sys
 

Also go to Start > Run > type in:

services.msc

press Enter and double-click on this service --> Background Intelligent Transfer Service
and check to make sure that the path to the executable is the same as below:
C:\WINDOWS\system32\svchost.exe -k netsvcs
I am back.

C:\WINDOWS\QTFont.for:bbtrf -> TrojanDownloader.Agent.bc
C:\WINDOWS\QTFont.qfn:blrvcx -> TrojanDownloader.Agent.bq

Those 2 files are classified as Trojans by AVG/Ewido - Have a look at this webpage for more details:

http://www.bleepingcomputer.com/forums/lofiversion/index.php/t30003.html

If you open it and search for 'QTFont.for', you will find them both listed as Trojans. Do you still get popups from McAfee?
Just ran the latest CFScript file in safe mode. Log is attached


log.txt
went to http://virusscan.jotti.org/ and this query has been running for over 10 minutes.. Will post results if/when it finishes.

ran services.msc and the path for BITS is %fystemRoot%\system32\svchost.exe -k netsvcs   This is close but shouldn't %fystemRoot% be %SystemRoot% ?

No longer getting AV popups but I'd like to be sure that this machine is really clean.. I haven't used it in over a week and I need to finish my taxes soon.
 thanks
Hmm... there is another website www.virustotal.com which can also scan files for malicious content. You might want to check there as well.

Secondly, I would suggest only keeping 1 antivirus and 1 antispyware product on your PC, as they might interfere with each other's workings as well as with ComboFix and other anti-malware software. Currently, you have SpyBot S&D, SpyHunter and Ad-Aware. Select one of them to keep on your PC and remove others.

Thirdly, I would also install a firewall first of all which scans both inbound and outbound traffic. My suggestion is ZoneAlarm free firewall or PC Tools free firewall. I've used ZoneAlarm more and think it's a great firewall and quite effective at stopping viruses from accessing the internet. Install it and set the security slider for the internet zone to highest (stealth mode) and medium for the trusted zone. Note any strange processes asking for internet access, deny them internet access, and let us know what your observations are.

Lastly but not finally, you might want to use CCleaner (http://www.ccleaner.com/) to clear all your temporary internet files and clutter on your PC. That might eliminate the strange trojan process such as BN1.tmp, which is currently running from temporary internet files. Do all the above steps in safe mode preferably, except for removal and installation of products.
>>> C:\WINDOWS\QTFont.for:bbtrf -> TrojanDownloader.Agent.bc
C:\WINDOWS\QTFont.qfn:blrvcx -> TrojanDownloader.Agent.bq

Those 2 files are classified as Trojans by AVG/Ewido - Have a look at this webpage for more details: <<<

warturtle, please do your research.
The QTFont.for and QTFont.qfn above were flagged as infected because of the infected ADS attached to them.
The ADS attached to QTFont.for and QTFont.qfn is what is bad, not the file itself.

Whereas in this thread, the files we are talking about (below) don't have an ADS. See the difference? I hope you understand what I mean.

C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
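To make the distinction drawn above concrete, here is an added PowerShell example; it is not code from this thread or from any of the tools mentioned in it. It assumes PowerShell 3.0 or later on an NTFS volume (the XP machine in this thread predates the -Stream parameters), works on a scratch file in %TEMP% rather than on C:\WINDOWS, and constructs its own inert alternate data stream. The point it shows is that a named stream such as QTFont.for:bbtrf can be listed and removed on its own while the host file and its normal data stay in place, so a detection that names a stream is not a reason to delete the file.

```powershell
# Added example: list and strip alternate data streams (ADS) from a file
# without deleting the file. Assumes PowerShell 3.0+ on an NTFS volume.

function Get-NamedStreams {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Every NTFS file has one unnamed data stream, reported as ':$DATA'.
    # Any stream with a different name is an ADS.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction Stop |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object -ExpandProperty Stream
}

function Remove-NamedStreams {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Removes only the named streams; the host file is never touched.
    foreach ($name in @(Get-NamedStreams -Path $Path)) {
        Write-Host "Removing ${Path}:${name}"
        Remove-Item -LiteralPath $Path -Stream $name -ErrorAction Stop
    }
}

function Show-Streams {
    param([string]$Label, [string]$Path)
    $names = @(Get-NamedStreams -Path $Path)
    if ($names.Count -eq 0) {
        Write-Host "$Label no ADS (only the unnamed :`$DATA stream)"
    } else {
        Write-Host "$Label ADS present: $($names -join ', ')"
    }
}

# Constructed demonstration in a scratch directory, not in C:\WINDOWS.
$dir = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $dir | Out-Null
# Same file name as in the thread, but this is a scratch copy with made-up content.
$file = Join-Path $dir 'QTFont.for'
Set-Content -LiteralPath $file -Value 'host file content (constructed stand-in for QuickTime font data)'
Show-Streams -Label 'Clean file:' -Path $file

# Attach a named stream, mirroring the 'QTFont.for:bbtrf' detection quoted above.
# The stream content here is plain text, not a real payload.
Set-Content -LiteralPath $file -Stream 'bbtrf' -Value 'payload stand-in (constructed, inert text)'
Show-Streams -Label 'After attaching a stream:' -Path $file

# Clean up the way the post above argues it should be done: drop the ADS, keep the file.
Remove-NamedStreams -Path $file
Show-Streams -Label 'After cleanup:' -Path $file
Write-Host "Host file still intact: $(Get-Content -LiteralPath $file)"

Remove-Item -LiteralPath $dir -Recurse -Force
```

Run this from any PowerShell 3.0+ prompt; it needs no elevation because it only writes under %TEMP%. To inspect a real suspect file, call Get-NamedStreams on its path first and only reach for Remove-NamedStreams once you have copied the stream out for analysis (Get-Content -Stream <name>), since deleting it destroys the evidence.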
Any comment on the path for BITS being off?
@jbeazell:
Yes, %SystemRoot%  is the correct one to use.

@rpggamergirl:
Thanks for sending that comment. Yes, I agree that ADS *MIGHT* not be present, but it was an avenue for a virus to attach itself to, and because I found out that this file belongs to QuickTime and can be reinstated merely by reinstalling QuickTime, I wasn't worried about killing this file to prevent any possibility of ADS. I hope that I am clear enough here: my intention was not to remove any system files, but I was thinking that we need to eliminate all possibilities to find out exactly what is left on the system and finish it off.
So do I change that entry manually or is there another way to fix it? Is the BITS service required or can I turn this off?
thanks
I just rebooted the machine and logged in normally. Got a McAfee popup that it deleted restore.sys, detected as Generix.dx, a trojan. I also got a popup that Bifrost was blocked. Another popup bubble says that Automatic Updates is disabled. I launch Security Center and it shows Auto Updates is disabled. If I go into System in Control Panel, it shows that Auto Updates is enabled?
BITS is required for Windows Update, so it's a necessary component and should be ON.

I am thinking about Generic.dx: have you got the latest definitions for McAfee VirusScan on your PC? Because Generic is not exactly the name of a specific virus; instead it's more like a file or program which has behaved like a trojan in this case. If the McAfee AntiVirus client is unable to update its definitions then I suggest that you manually update them by downloading them from the website (http://www.mcafee.com/apps/downloads/security_updates/dat.asp). I don't know exactly what version of McAfee you use, but the previous link should help you.

For Automatic Updates, you can type sysdm.cpl at Start->Run. Then click on the 'Automatic Updates' tab and see what it says there. You've probably been there already, but it's worth checking again to make sure. What does it say for Firewall? Automatic Updates? And Virus Protection?
Hello


McAfee still seems to be able to get updates. I just did a manual update and it worked fine..

Did Start-Run sysdm.cpl and it shows that it is set to Automatic (recommended); however Automatic Updates is showing as disabled in Security Center. It looks like the invalid path for BITS, %fystemRoot%\system32\svchost.exe -k netsvcs, is causing this service to NOT start. If I go to the General tab of the BITS service properties, I cannot change the path to the service executable. How can I correct the path statement so that I can get Automatic Updates working again?
Also found that the Automatic Update service is disabled and there is no way to change it through the services window
Figured out how to change permissions in order to modify the Image Path. Started both services and then received a message that updates are available.

Started to install Updates and got an error

Service Pack 3 Setup Error
The file c:\windows\system32\drivers\ndis.sys is open or in use by another application
Close all other applications then click Retry

All other applications are closed.. Ideas?
thanks
The path to the BITS has to be fixed or you won't be able to do windows update.
Are you familiar with the registry?

Edit the registry to fix the path there.
Start > Run > type in

regedit

Enter and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS

In the right window pane look for "ImagePath".
In the data column it should have %fystemRoot%\system32\svchost.exe -k netsvcs
Double-click on ImagePath and change it to %SystemRoot%\system32\svchost.exe -k netsvcs

Just change the F to an S (the only difference there is the F)
and OK.


If regedit won't let you edit the registry, download this regtools.vbs first.
http://www.dougknox.com/security/scripts_desc/regtools.htm

----------
You can also backup that key before editing if you want:
Export the BITS subkey to your desktop as backup.reg:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS
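The same repair as a script, added here as an example and not taken from the thread: it reads the BITS ImagePath, exports the key to the desktop as a backup, rewrites the value, and then makes sure BITS and the Automatic Updates service (wuauserv) are enabled and running. It assumes an elevated Windows PowerShell session (Get-WmiObject is used for the service start mode, so it targets Windows PowerShell rather than PowerShell 7) and that the key's permissions allow the write; as the asker found, a locked-down ACL has to be fixed first. One detail worth knowing: ImagePath is a REG_EXPAND_SZ value, and Get-ItemProperty returns it with %SystemRoot% already expanded, so a comparison against the literal expected string would never match. The script reads the raw value to avoid that.

```powershell
# Added example: check and repair the BITS ImagePath, then bring BITS and
# wuauserv up. Run from an elevated Windows PowerShell session.

$bitsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\BITS'
$bitsKeyReg = 'HKLM\SYSTEM\CurrentControlSet\Services\BITS'    # reg.exe syntax
$expected   = '%SystemRoot%\system32\svchost.exe -k netsvcs'

function Get-RawImagePath {
    param([string]$KeyPath)
    # Read the REG_EXPAND_SZ value without expanding %SystemRoot%, so the
    # comparison below is against what the registry actually stores.
    $key = Get-Item -LiteralPath $KeyPath
    $key.GetValue('ImagePath', $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
}

function Test-BitsImagePath {
    $actual = Get-RawImagePath -KeyPath $bitsKey
    [pscustomobject]@{
        Actual   = $actual
        Expected = $expected
        Ok       = ($actual -eq $expected)   # PowerShell string compare is case-insensitive
    }
}

$state = Test-BitsImagePath
if ($state.Ok) {
    Write-Host "BITS ImagePath is already correct: $($state.Actual)"
} else {
    Write-Host "BITS ImagePath is wrong: $($state.Actual)"

    # Back the key up to the desktop before touching it, as the post above advises.
    $desktop = [Environment]::GetFolderPath('Desktop')
    $backup  = Join-Path $desktop ('BITS-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export $bitsKeyReg $backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }
    Write-Host "Key exported to $backup"

    # Rewrite the value, keeping its REG_EXPAND_SZ type.
    Set-ItemProperty -LiteralPath $bitsKey -Name ImagePath -Value $expected -Type ExpandString
    Write-Host "BITS ImagePath now: $(Get-RawImagePath -KeyPath $bitsKey)"
}

# Automatic Updates was found disabled in this thread; both services must be
# enabled and running for Windows Update to work.
foreach ($svc in 'BITS', 'wuauserv') {
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$svc'"
    if ($wmi.StartMode -eq 'Disabled') {
        Set-Service -Name $svc -StartupType Automatic
    }
    if ((Get-Service -Name $svc).Status -ne 'Running') {
        Start-Service -Name $svc
    }
    $now = Get-Service -Name $svc
    Write-Host ("{0}: {1}, start mode {2}, path {3}" -f $svc, $now.Status, $wmi.StartMode, $wmi.PathName)
}
```

The final line prints Win32_Service.PathName, which is the same expanded command line that services.msc shows; after the fix it should read C:\WINDOWS\system32\svchost.exe -k netsvcs. If Set-ItemProperty fails with an access-denied error, the key's ACL has been altered (malware does this to keep BITS broken), and the permissions have to be restored before the write will succeed.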
>>> Yes, I agree that ADS *MIGHT* not be present, but it was an avenue for a virus to attach itself to and because<<<

ADS is NOT present in this case....you misunderstood the info from your source.
This is not the first time that you suggested deletion of legit files ... so I'm sending you an MC... we can't just go around deleting legit files.
Thanks for the detailed instructions but I got the ImagePath problem fixed as stated in my post at 9:29.. .. Now I'm having a problem installing XP SP3, with the error shown above in the same referenced post..
thanks
I just downloaded SP3 and tried to run it in safe mode.. Got the same error message pointing to ndis.sys as before
@rpg:
Yes, I'll remember that in future. Thanks for reminding.

@jbeazell:
Did you scan the ndis.sys file on an online virus scanner? And what did you get?
I did scan this file 2 days ago and the scanner found nothing.. Just re-ran it again and the scanner found nothing.. Results below:

Scan taken on 01 Apr 2009 20:18:46 (GMT)
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Quick Heal: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing
I would suggest booting your PC in 'safe mode with networking' and doing an online scan with Kaspersky Scanner based at:

http://www.kaspersky.co.uk/virusscanner

It has highest rates of detection and might help. Please note that it wouldn't remove any infections, it will only produce a report containing the possible infections within your machine.
I ran the FULL SERVICE SCAN on windows live.. I thought this system would have been pretty clean with all the scans and removals I've done already.. I'd list the results, but I can't copy and paste.. Looks like about 11 Trojans and just a few performance items. I will run kaspersky after I finish the windows scan/cleanup
kaspersky report attached
kaspersky.txt
Trojan
C:\WINDOWS\system32\wazuloro.exe      Infected: Trojan.Win32.AntiAV.aug      1
C:\WINDOWS\temp\BN1.tmp      Infected: Trojan.Win32.Agent.bxrf      1
SOLUTION
[solution text not available on this page]
Hmm.. good, good! So,we have found out what is still lurking within your machine, I've made a list of everything that was detected from the log (apologies if I am duplicating some information here):

1. Exploit.Java.Gimsh.b - If you upgrade your JRE to the latest version, this might be resolved.
2. not-a-virus:AdWare.Win32.HotBar.bq - This has already been quarantined
3. not-a-virus:AdWare.Win32.HotBar.be - This has already been quarantined
4. EICAR-Test-File - This has already been quarantined
5. Rootkit.Win32.Agent.iou - present in windows\system32\dllcache\ndis.sys
6. Trojan.Win32.AntiAV.aug - C:\WINDOWS\system32\wazuloro.exe
7. Trojan.Win32.Agent.bxrf - C:\WINDOWS\temp\BN1.tmp

I suggest that since Kaspersky has pointed out that items 5,6 and 7 are malicious, please try to delete them manually in safe mode or if not possible then open AVG/Ewido online scanner based at http://www.ewido.net/en/onlinescan/ and do a scan of c:\windows folder only for the antivirus to detect the above threats and remove them.

Another option is also possible, which is going to be a bit painstaking though, you can download and install Kaspersky Internet Security Suite trial version from http://www.kaspersky.co.uk/trials. Please note that it wouldn't install if there is another antivirus on the machine. You would have to uninstall every antivirus and antispyware software from your machine to install it (excluding MBAM and HijackThis).
Have you checked the c:\windows\system32\drivers\ndis.sys  if that one is infected?

C:\WINDOWS\system32\dllcache\ndis.sys
C:\WINDOWS\system32\wazuloro.exe
C:\WINDOWS\temp\BN1.tmp

As already suggested, delete the files that Kaspersky flagged as infected (the others are okay: the one in the Java cache can also be removed by clearing the cache, while the others are already in quarantine and pose no risk).
You can delete them manually or use combofix script function; make a new CFScript.txt with below text.

File::
C:\WINDOWS\system32\dllcache\ndis.sys
C:\WINDOWS\system32\wazuloro.exe
C:\WINDOWS\temp\BN1.tmp  

Folder::
c:\2081773250
Ran the CFScript and when it completed, I checked the temp directory and there are two files there now:
WFV2.tmp and ZLT07fa4.TMP. Both of these files are being used by other programs and cannot be deleted. I am to the point now where I think I'm just going to copy important files off and just format the C drive and reinstall XP.
thanks
@jbeazell:
I am not convinced that all these files are created only by viruses, such filenames can also be created by McAfee Antivirus engine, please have a look at (the below link only talks about WFV2.tmp though):

http://forums.mcafeehelp.com/showthread.php?p=542344

It is advisable to upload these 2 files for viruscheck on www.virustotal.com .
I'm sure that not all of the files tagged are problems, but some of the tagged files are not able to be removed by any of the removal tools I've tried.. I was able to complete my taxes by re-downloading turbotax on a 'clean' laptop, so that worry is over.. Now I just want to get the desktop PC back to normal and I think the best thing to do, at this point, is to reinstall XP on a formatted C drive.. I was going to copy important files to a spare drive, run the scans (to insure that these files are clean) then format and reinstall. Thoughts?
@jbeazell:
Taking a backup of your important items is always a good idea, regardless of if you have a virus or not. I guess re-install is also an option for sure, that is likely to result in a normal PC again. Make sure to install an antivirus and firewall as soon as you install Windows and its latest updates though to prevent getting any viruses into your PC in the future though. Maybe, you can download the Kaspersky Internet Security suite and install it after the Windows install.

Hope it helps.
thanks to all for all assistance provided.. If anyone else has any thoughts, please reply
>>>O checked the temp directory and there are two files there now:<<<
The temp folder can be safely emptied... but a reformat is a good idea, as it's possible that a file infector is at work there, based on the CF log where 3 locations of ndis.sys failed the sigcheck (which can be a sign of a file infector).
 
Later on, if you have spare time, you might like to check out these links:
1.  TonyKlein's article "So how did I get infected in the first place?"
http://www.spywareinfoforum.com/index.php?showtopic=60955

2.  miekiemoes' "How to prevent Malware"
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

3.  Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/tutorial82.html



I have been able to delete all but one file in that directory.. ZLT03482.TMP is the one that is giving me a problem now as I have been unable to delete. ZLT07fa4.TMP was there before, but I used KillBox to delete it after a reboot, but files keep showing up to replace the ones I kill..

As for the ndis files.. How can I know which ones are safe to delete, or attempt to delete?
thanks
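One way to put evidence behind that last question: the added PowerShell example below (not code from this thread) hashes every copy of ndis.sys it can find under %SystemRoot%, records each copy's size, timestamp and Authenticode status, and reports any copy whose hash disagrees with the others. It assumes PowerShell 4.0 or later for Get-FileHash. The thread names only system32\drivers and system32\dllcache; the ServicePackFiles\i386 directory is an assumption about where XP keeps its service-pack copy, and the script simply skips any directory that does not exist. Two caveats a practitioner should keep in mind: stock Windows drivers are usually catalog-signed rather than carrying an embedded signature, so Get-AuthenticodeSignature can report NotSigned for a perfectly legitimate driver (Sysinternals sigcheck, which is what ComboFix's "sigcheck" refers to, is catalog-aware); and with only two copies a bare majority vote cannot say which one is the odd one out, so in that case compare both hashes against a known-good copy from install media or from another machine at the same service-pack level.

```powershell
# Added example: compare every on-disk copy of a system driver (ndis.sys by
# default) by SHA-256, size, timestamp and Authenticode status.
# Assumes PowerShell 4.0+ (Get-FileHash). Read-only; it deletes nothing.
param([string]$FileName = 'ndis.sys')

$candidates = @(
    (Join-Path $env:SystemRoot 'system32\drivers'),
    (Join-Path $env:SystemRoot 'system32\dllcache'),      # hidden cache used by Windows File Protection
    (Join-Path $env:SystemRoot 'ServicePackFiles\i386')   # assumed: XP service-pack source copy
)

function Get-DriverCopies {
    param([string]$Name, [string[]]$Dirs)
    foreach ($d in $Dirs) {
        $p = Join-Path $d $Name
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $item = Get-Item -LiteralPath $p -Force            # -Force: dllcache contents are hidden
        $sig  = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            Path      = $p
            Size      = $item.Length
            Modified  = $item.LastWriteTime
            SHA256    = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            SigStatus = $sig.Status        # Valid, NotSigned, HashMismatch, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

$copies = @(Get-DriverCopies -Name $FileName -Dirs $candidates)
if ($copies.Count -eq 0) {
    Write-Host "No copies of $FileName found in the candidate directories."
    return
}
$copies | Format-Table Path, Size, Modified, SigStatus, SHA256 -AutoSize | Out-Host

# Majority vote on the hash. A copy that disagrees with the rest is the first
# thing to look at (a patched driver, or a file infector's handiwork).
$groups = @($copies | Group-Object SHA256 | Sort-Object Count -Descending)
if ($groups.Count -eq 1) {
    Write-Host "All $($copies.Count) copies have the same SHA-256."
} elseif ($copies.Count -eq 2) {
    Write-Host "The two copies differ; compare each hash against a known-good copy to decide which is bad."
} else {
    Write-Host "Copies that disagree with the majority hash:"
    $groups | Select-Object -Skip 1 | ForEach-Object {
        $_.Group | ForEach-Object { Write-Host "  $($_.Path)  (size $($_.Size), modified $($_.Modified))" }
    }
}
```

Save it as a .ps1 and run it from an elevated prompt so the hidden dllcache copy is readable; pass a different -FileName to check any other protected system file the same way. A copy whose hash matches the others but whose signature status is HashMismatch deserves attention too, since that means the embedded signature no longer covers the bytes on disk.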