bones1nz
asked on
Help with removal of a trojan malware
My computer has been hit by a trojan which I am having difficulty removing. The virus includes files such as c.exe msa.exe yaiexi.exe. It prevents me booting to safe mode, blocks my attempts to download and install some removers, circumvents AVG and spybot search and destroy and reinstalls itself in the startup menu when I use msconfig.
Attached is my HijackThis file.
hijackthis.log
ohh sorry...... wrong post.... just ignore it...
SOLUTION
ASKER CERTIFIED SOLUTION
ASKER
Thanks - will try these ideas out this evening and come back to you.
ASKER
Thank you both for your help.
splait - virus prevented the process being stopped. Had previously looked for the file but it was hidden. Removing O4 - HKCU\..\Run: [yaiexi] C:\Documents and Settings\Family\yaiexi.exe was of some help but I was certain the virus was still present. Accordingly proceeded along the lines proposed by optoma. I think the computer is clean now. I have attached the logs and would be grateful if these could be checked.
ComboFix-log.txt
hijackthis-Jan6.log
mbam-log-2010-01-06--23-32-23-.txt
It looks like you got it all! @optoma is more practiced at reading ComboFix logs than I am, but I think you're clean.
Thanks for logfiles
Upload these to online scanner http://www.virustotal.com/ :
c:\windows\BHvxfq.bat
c:\windows\CwhCEa.bat
Run Nod online scan http://www.eset.com/onlinescan/
Make note of detections, if any :)
Good catch! I missed them totally!
You should write an article about reading ComboFix reports!
ASKER
Thank you for your help. AVG has indicated a persistent threat (see attached jpg) - I am not sure if this is just a virus signature in a restore file. The first batch file was clean on all scans. The second had one positive result by Fortinet, with the comment BAT/Vobfus. The ESET scanner found and removed several trojans see text file.
When running ComboFix it detected Rootkit activity and then rebooted the computer. Is this a concern?
I will re run all my scanners and post a further HijackThis file.
Many thanks again.
AVG-warning.jpg
ESETscanner.txt
Run Combofix again after reboot and attach new logfile.
AVG scanner detected System Restore infections - ok for now - dormant
ESET detected already caught viruses
ASKER
SuperAntiSpyWare detected a Trojan - see log. Spybot was negative as was Malwarebytes. Ran Combofix and Hijack this. Logs attached.
SUPERAntiSpyware-Scan-Log---01-0.log
Combofix-Jan7.txt
hijackthis-Jan7.log
SAS detected more restore point infections + Hijackthis is ok.
.......................... .......... .......... ......
Those two .bat files. Unsure of them but will get back to them.
.......................... .......... .......... .......... .
Combofix detecting a rootkit is a sign that the system is not fully clean, unless it's a false positive on something like CD emulation software.
1-You could run a boot scanner CD to scan the system "outside" of Windows, but the consequence can be that a Windows repair is required afterwards if system files are infected and deleted, which results in Windows not starting up correctly.
Would you have your Windows XP Professional installation CD?
2-Another option would be to try and get another Expert in on this thread who could advise you on running rootkit detection scanners within Windows.
Let us know and can go further then.
ASKER
Thank you optoma. The Combofix detected root activity only with the first scan and then rebooted and continued scanning. The second time there was no detection of root activity. I do run CD emulation software (VirtualCD). I have upgraded AVG to 9.0 and rescanned and it reports no rootkits. All other scans seem to be clear.
I do have the Windows XP installation cd and my ultimate solution would be to reinstall the operating system.
In view of the above I thought a reasonable approach might be to use the computer for 48 hours watching for suspicious activity and then run all the scans again and only proceed as you suggest above if further infestation. What do you think?
You can try a live cd scanner but they can take hours to run(downside to them)
Kaspersky live cd http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/
--It is in iso/image format so you will have to burn it to a cd.
--Once the cd is created, boot the infected machine to that cd and scan your system
NB-Update the virus database in live cd before scanning.
Since you have your installation media:
You may have to do a repair installation afterwards, depending on what infected files the Kaspersky live CD removes, i.e. if system files are infected and removed, the operating system will not start, thus resulting in a repair installation
http://michaelstevenstech.com/XPrepairinstall.htm
Attach its logfile after
ASKER
optoma
I did as you suggested above. Updated virus database successfully. But the scanning only took 22 seconds and reports nothing. Tried several times and checked all the settings. Saved a log but can't find it under Windows.
Does this sound right?
My other scans on the machine remain clean.
No, should take longer.
In the boot cd interface, did you check the boxes to scan boot sector and all other folders?
When it completes, hit the Reports tab to save the logfile. Note where it's being saved to.
Have a look at this link
http://www.techmixer.com/kaspersky-rescue-disk-load-kaspersky-antivirus-2009-using-dos/
ASKER
Hi optoma
I didn't pick up that I had a partition on the hard disk, with my main drive confusingly labelled D:
Scanned okay, log file attached. Other scans remain clean.
Kapersky.txt
Good that all came back clear!
Last few steps:
1-get latest flash player (uncheck free toolbar/security scan addon)
http://get.adobe.com/flashplayer/
2-get latest Java
http://www.java.com/en/
3-Turn off System Restore + Turn Back on
4-get latest Microsoft updates
http://windowsupdate.microsoft.com/
ASKER
optoma
All done. You made an earlier comment about two bat files which I uploaded to be examined. Any further thoughts? Accept as solution now?
Both .bat files are most likely malware related. Right click on them and go to Edit. Copy & paste the contents of those files here so we can take a look at them.
I recommend upgrading your AVG to version 9 also when you get a chance.
Yes, both batch files look dodgy with the naming of them. Make sure you don't double click or run them. Post them as suggested.
ASKER
Have upgraded to AVG version 9. Batch files contents posted below:
BHvxfq.exe :
:1
Erase "C:\WINDOWS\BHvxfq.exe"
If exist "C:\WINDOWS\BHvxfq.exe" Goto 1
Erase "C:\WINDOWS\BHvxfq.bat"
CwhCEa.bat :
:A
del C:\DOCUME~1\Family\iexplore.exe
If Exist C:\DOCUME~1\Family\iexplore.exe Goto A
:1
del yyWWMj.exe
If Exist yyWWMj.exe Goto 1
:3
del BHvxfq.exe
If Exist BHvxfq.exe Goto 3
del CwhCEa.bat
Should I delete them?
Thanks
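As an added example (not code from the thread or from any of the scanners mentioned), a small Python triage script that flags the traits seen in the two posted batch files: a label plus "If Exist ... Goto" delete-retry loop, which spins until the dropped executable stops running and can be deleted, and a final delete of the batch file itself. The sample inputs are the two files as posted; `analyse_bat` and `Verdict` are names chosen here.

```python
"""Static triage of a suspicious .bat file (added example, not from the thread)."""
import re
from dataclasses import dataclass, field

# Sample inputs: the two batch files posted in the thread, embedded here.
CWHCEA_BAT = r""":A
del C:\DOCUME~1\Family\iexplore.exe
If Exist C:\DOCUME~1\Family\iexplore.exe Goto A
:1
del yyWWMj.exe
If Exist yyWWMj.exe Goto 1
:3
del BHvxfq.exe
If Exist BHvxfq.exe Goto 3
del CwhCEa.bat
"""
BHVXFQ_BAT = r""":1
Erase "C:\WINDOWS\BHvxfq.exe"
If exist "C:\WINDOWS\BHvxfq.exe" Goto 1
Erase "C:\WINDOWS\BHvxfq.bat"
"""

LABEL_RE = re.compile(r"^\s*:(\S+)")
DEL_RE = re.compile(r'^\s*(?:del|erase)\s+"?([^"\s]+)"?', re.I)
RETRY_RE = re.compile(r'^\s*if\s+exist\s+"?([^"\s]+)"?\s+goto\s+(\S+)', re.I)


@dataclass
class Verdict:
    deleted: list = field(default_factory=list)      # every path the script deletes
    retry_loops: list = field(default_factory=list)  # paths deleted in a label/goto spin loop
    self_deleting: bool = False                      # script removes its own file

    def suspicious(self) -> bool:
        return bool(self.retry_loops) or self.self_deleting


def analyse_bat(text: str, own_name: str) -> Verdict:
    """Walk the batch file line by line and collect the dropper-cleanup traits."""
    v, labels = Verdict(), set()
    for line in text.splitlines():
        if m := LABEL_RE.match(line):
            labels.add(m.group(1).lower())
        elif m := DEL_RE.match(line):
            v.deleted.append(m.group(1))
            if m.group(1).rsplit("\\", 1)[-1].lower() == own_name.lower():
                v.self_deleting = True
        elif (m := RETRY_RE.match(line)) and m.group(2).lower() in labels:
            v.retry_loops.append(m.group(1))  # "If Exist X Goto <earlier label>"
    return v
```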
They don't look right.
Wait for Greyknight to give an opinion :)
SOLUTION
ASKER
I am very happy with the outcome. Shall I accept a solution and close this off?
You can. Those *.bat files were indeed pending!! :)
ASKER
optoma - I would like to thank you for your very patient and thorough help with this problem. Thank you also greyknight and splait for your input.
ASKER
Very thorough approach to successfully remove a tenacious trojan. Thanks to all.
You're welcome.
http://www.identitytheftblog.info/identity-theft/conficker-eye-chart-test-conficker-malware/1356/