  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2728

Help with removal of a trojan malware

My computer has been hit by a trojan which I am having difficulty removing. The virus includes files such as c.exe, msa.exe and yaiexi.exe. It prevents me from booting to safe mode, blocks my attempts to download and install some removers, circumvents AVG and Spybot Search & Destroy, and reinstalls itself in the startup menu when I use msconfig.
Attached is my HijackThis file.
hijackthis.log
Asked by: bones1nz
3 Solutions
 
xtreminatorCommented:
Oh sorry, wrong post. Just ignore it.
0
 
splaitCommented:
Open up Task Manager, select the Processes tab, right-click on yaiexi.exe and stop the process family or tree.

In HiJackThis, select O4 - HKCU\..\Run: [yaiexi] C:\Documents and Settings\Family\yaiexi.exe and remove it.

It is running out of your C:\Documents and Settings\Family directory. Try to navigate to that location and delete the application yaiexi.exe.

What happens now?
0
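The two checks splait applies above (where does the O4 Run entry point, and is that location a normal place for a startup program?) can be automated over a whole HijackThis log. The script below is an added example written for this page, not code from the thread or from HijackThis: it parses the `O4 - <hive>\..\Run: [name] command` lines and flags entries whose image lives directly in a user profile root (as `C:\Documents and Settings\Family\yaiexi.exe` does), in a Temp directory, or has no directory at all. The sample lines are constructed for the example; only the yaiexi entry is taken from the thread, and the msa.exe path is an assumed location, not one the poster reported.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample O4 lines (not the poster's actual hijackthis.log). The
# yaiexi line is the one quoted in the thread; the msa.exe path is assumed.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [yaiexi] C:\Documents and Settings\Family\yaiexi.exe
O4 - HKCU\..\Run: [msa] C:\Documents and Settings\Family\Local Settings\Temp\msa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# A HijackThis O4 line: "O4 - HKCU\..\Run: [name] command [args]"
O4_RE = re.compile(
    r"^O4 - (?P<hive>[^\\]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# The image is either a quoted path or an unquoted path ending in an executable
# extension; anything after it (e.g. "/run") is treated as arguments and dropped.
IMAGE_RE = re.compile(
    r'^"(?P<quoted>[^"]+)"|^(?P<bare>.+?\.(?:exe|com|scr|pif|bat|cmd|vbs|js))(?=\s|$)',
    re.IGNORECASE,
)
# Exactly one path component below the profile folder: <drive>:\Documents and Settings\<user>\<file>
PROFILE_ROOT_RE = re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\[^\\]+$")
TEMP_DIR_RE = re.compile(r"\\(?:local settings\\)?temp\\")


class AutorunEntry(NamedTuple):
    hive: str
    key: str
    name: str
    image: str
    reasons: Tuple[str, ...]  # empty when no heuristic fired


def parse_o4(line: str) -> Optional[AutorunEntry]:
    """Parse one O4 line; returns None for lines that are not O4 entries."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    im = IMAGE_RE.match(cmd)
    image = (im.group("quoted") or im.group("bare")) if im else cmd
    norm = image.lower().replace("/", "\\")
    reasons = []
    if "\\" not in norm:
        reasons.append("bare file name, resolved through PATH")
    if PROFILE_ROOT_RE.match(norm):
        reasons.append("executable sits directly in a user profile root")
    if TEMP_DIR_RE.search(norm):
        reasons.append("executable runs from a Temp directory")
    return AutorunEntry(m.group("hive"), m.group("key"), m.group("name"), image, tuple(reasons))


def suspicious_entries(log_text: str) -> List[AutorunEntry]:
    """All O4 entries in a HijackThis log whose image path trips a heuristic."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is not None and entry.reasons:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_O4_LINES):
        print(f"{e.hive}\\..\\{e.key} [{e.name}] {e.image}")
        for r in e.reasons:
            print(f"    - {r}")
```

Run against the constructed sample it reports only the yaiexi and msa entries; the AVG, Java and ctfmon lines, which run from Program Files or system32, are left alone. The heuristics are deliberately narrow: an entry in the profile root or Temp is not proof of malware, but it is the kind of entry worth checking for a hidden file, as happened with yaiexi.exe in this thread.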
 
optomaCommented:
If still unsuccessful:
Download ComboFix and Malwarebytes on another machine and rename them prior to saving to the desktop.
Transfer them to the infected machine using removable media; preferably, burn them to a CD.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix
http://www.malwarebytes.org/mbam-download.php

Attach both logfiles here afterwards.

Also get Process Explorer; it may be needed:
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
0
 
bones1nzAuthor Commented:
Thanks - will try these ideas out this evening and come back to you.
0
 
bones1nzAuthor Commented:
Thank you both for your help.
splait - virus prevented the process being stopped. Had previously looked for the file but it was hidden. Removing O4 - HKCU\..\Run: [yaiexi] C:\Documents and Settings\Family\yaiexi.exe was of some help but I was certain the virus was still present. Accordingly proceeded along the lines proposed by optoma. I think the computer is clean now. I have attached the logs and would be grateful if these could be checked.
ComboFix-log.txt
hijackthis-Jan6.log
mbam-log-2010-01-06--23-32-23-.txt
0
 
splaitCommented:
It looks like you got it all!  @optoma is more practiced at reading ComboFix logs than I am, but I think you're clean.
0
 
optomaCommented:
Thanks for logfiles

Upload these to online scanner  http://www.virustotal.com/ :
c:\windows\BHvxfq.bat
c:\windows\CwhCEa.bat

Run Nod online scan http://www.eset.com/onlinescan/

Make note of detections, if any :)
0
 
splaitCommented:
Good catch!  I missed them totally!

You should write an article about reading ComboFix reports!
0
 
bones1nzAuthor Commented:
Thank you for your help. AVG has indicated a persistent threat (see attached jpg) - I am not sure if this is just a virus signature in a restore file. The first batch file was clean on all scans. The second had one positive result by Fortinet, with the comment BAT/Vobfus. The ESET scanner found and removed several trojans see text file.

When running ComboFix it detected Rootkit activity and then rebooted the computer. Is this a concern?

I will re run all my scanners and post a further HijackThis file.

Many thanks again.
AVG-warning.jpg
ESETscanner.txt
0
 
optomaCommented:
Run Combofix again after reboot and attach new logfile.

AVG scanner detected System Restore infections; OK for now, dormant.
ESET detected already-caught viruses.
0
 
bones1nzAuthor Commented:
SuperAntiSpyWare detected a Trojan - see log. Spybot was negative as was Malwarebytes. Ran Combofix and Hijack this. Logs attached.
SUPERAntiSpyware-Scan-Log---01-0.log
Combofix-Jan7.txt
hijackthis-Jan7.log
0
 
optomaCommented:
SAS detected more restore point infections, and HijackThis is OK.
      ....................................................
Those two .bat files: unsure of them, but will get back to them.
.........................................................
ComboFix detecting a rootkit is a sign that the system is not fully clean, unless it's a false positive on something like CD emulation software.

1-You could run a boot scanner CD to scan the system "outside" of Windows, but the consequence can be that a Windows repair is required afterwards if system files are infected and deleted, which results in Windows not starting up correctly.

Would you have your Windows XP Professional installation cd?

2-Another option would be to try and get another Expert in on this thread who could advise you on running rootkit detection scanners within Windows.

Let us know and can go further then.
0
 
bones1nzAuthor Commented:
Thank you optoma. The Combofix detected root activity only with the first scan and then rebooted and continued scanning. The second time there was no detection of root activity. I do run CD emulation software (VirtualCD). I have upgraded AVG to 9.0 and rescanned and it reports no rootkits. All other scans seem to be clear.

I do have the Windows XP installation cd and my ultimate solution would be to reinstall the operating system.

In view of the above I thought a reasonable approach might be to use the computer for 48 hours watching for suspicious activity and then run all the scans again and only proceed as you suggest above if further infestation. What do you think?
0
 
optomaCommented:
You can try a live CD scanner, but they can take hours to run (a downside to them).

Kaspersky live CD http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/

--It is in ISO/image format so you will have to burn it to a CD.
--Once the CD is created, boot the infected machine to that CD and scan your system.
NB: Update the virus database in the live CD before scanning.

Since you have your installation media:
You may have to do a repair installation afterwards, depending on what infected files the Kaspersky live CD removes, i.e. if system files are infected and removed, the operating system will not start, thus resulting in a repair installation.
http://michaelstevenstech.com/XPrepairinstall.htm

Attach its logfile after.
0
 
bones1nzAuthor Commented:
optoma
I did as you suggested above. Updated virus database successfully. But the scanning only took 22 seconds and reports nothing. Tried several times and checked all the settings. Saved a log but can't find it under Windows.

Does this sound right?

My other scans on the machine remain clean.
0
 
optomaCommented:
No, it should take longer.
In the boot CD interface, did you check the boxes to scan the boot sector and all other folders?

When it completes, hit the Reports tab to save the logfile. Note where it's being saved to.

Have a look at this link
http://www.techmixer.com/kaspersky-rescue-disk-load-kaspersky-antivirus-2009-using-dos/
0
 
bones1nzAuthor Commented:
Hi optoma
I didn't pick up that I had a partition on the hard disk, with my main drive confusingly labelled D:
Scanned okay, log file attached. Other scans remain clean.
Kapersky.txt
0
 
optomaCommented:
Good that all came back clear!
Last few steps:
1-get latest flash player (uncheck free toolbar/security scan addon)
http://get.adobe.com/flashplayer/
2-get latest Java
http://www.java.com/en/
3-Turn off System Restore + Turn Back on
4-get latest Microsoft updates
http://windowsupdate.microsoft.com/
0
 
bones1nzAuthor Commented:
optoma
All done. You made an earlier comment about two bat files which I uploaded to be examined. Any further thoughts? Accept as solution now?
0
 
greyknight17Commented:
Both .bat files are most likely malware related. Right click on them and go to Edit. Copy & paste the contents of those files here so we can take a look at them.

I recommend upgrading your AVG to version 9 also when you get a chance.
0
 
optomaCommented:
Yes, both batch files look dodgy with the naming of them. Make sure you don't double-click or run them. Post them as suggested.
0
 
bones1nzAuthor Commented:
Have upgraded to AVG version 9. Batch files contents posted below:
BHvxfq.bat :
:1
Erase "C:\WINDOWS\BHvxfq.exe"
If exist "C:\WINDOWS\BHvxfq.exe" Goto 1
Erase "C:\WINDOWS\BHvxfq.bat"

CwhCEa.bat :
:A
del C:\DOCUME~1\Family\iexplore.exe
If Exist C:\DOCUME~1\Family\iexplore.exe Goto A
:1
del yyWWMj.exe
If Exist yyWWMj.exe Goto 1
:3
del BHvxfq.exe
If Exist BHvxfq.exe Goto 3
del CwhCEa.bat

Should I delete them?
Thanks
0
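The two batch files pasted above share one shape: a label, a `del`/`Erase` of a file, and an `If Exist ... Goto label` that spins until the delete succeeds (a running executable cannot be deleted until its process exits, so the loop waits it out), ending with the script deleting itself. That pattern is what tells an analyst which dropped files to go looking for. The script below is an added example for this page, not code from the thread or from any of the tools mentioned: it parses such a batch file, records every delete target, detects the delete-and-retry loops, and notes whether the script removes itself. The two inputs are the batch contents exactly as posted above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# The two batch files as posted in the thread (copied verbatim from the post above).
BHVXFQ_BAT = r"""
:1
Erase "C:\WINDOWS\BHvxfq.exe"
If exist "C:\WINDOWS\BHvxfq.exe" Goto 1
Erase "C:\WINDOWS\BHvxfq.bat"
"""

CWHCEA_BAT = r"""
:A
del C:\DOCUME~1\Family\iexplore.exe
If Exist C:\DOCUME~1\Family\iexplore.exe Goto A
:1
del yyWWMj.exe
If Exist yyWWMj.exe Goto 1
:3
del BHvxfq.exe
If Exist BHvxfq.exe Goto 3
del CwhCEa.bat
"""

# cmd.exe is case-insensitive and accepts both "del" and "erase"; quotes are optional.
DEL_RE = re.compile(r'^(?:del|erase)\s+"?(?P<target>[^"]+?)"?\s*$', re.IGNORECASE)
LABEL_RE = re.compile(r"^:(?P<label>\S+)$")
IF_EXIST_RE = re.compile(
    r'^if\s+exist\s+"?(?P<target>[^"]+?)"?\s+goto\s+(?P<label>\S+)\s*$', re.IGNORECASE
)


@dataclass
class BatchReport:
    name: str                                   # the script's own file name
    targets: List[str] = field(default_factory=list)            # every del/erase target, in order
    delete_loops: List[Tuple[str, str]] = field(default_factory=list)  # (label, file waited on)
    deletes_self: bool = False


def analyse_batch(name: str, text: str) -> BatchReport:
    """Static walk over a batch script looking for the delete-until-gone idiom."""
    report = BatchReport(name)
    current_label = None   # label most recently passed
    last_target = None     # target of the most recent del under that label
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LABEL_RE.match(line)
        if m:
            current_label, last_target = m.group("label"), None
            continue
        m = DEL_RE.match(line)
        if m:
            last_target = m.group("target")
            report.targets.append(last_target)
            continue
        m = IF_EXIST_RE.match(line)
        # A loop is "del X" followed by "if exist X goto <the label we are under>".
        if (m and current_label is not None and last_target is not None
                and m.group("label").lower() == current_label.lower()
                and m.group("target").lower() == last_target.lower()):
            report.delete_loops.append((current_label, last_target))
    report.deletes_self = any(
        t.replace("/", "\\").rsplit("\\", 1)[-1].lower() == name.lower() for t in report.targets
    )
    return report


def dropped_artifacts(*reports: BatchReport) -> Set[str]:
    """Targets that are not one of the scripts themselves: the files worth hunting for."""
    script_names = {r.name.lower() for r in reports}
    return {
        t for r in reports for t in r.targets
        if t.replace("/", "\\").rsplit("\\", 1)[-1].lower() not in script_names
    }


if __name__ == "__main__":
    reports = [analyse_batch("BHvxfq.bat", BHVXFQ_BAT), analyse_batch("CwhCEa.bat", CWHCEA_BAT)]
    for r in reports:
        print(r.name, "loops:", r.delete_loops, "self-deleting:", r.deletes_self)
    print("look for:", sorted(dropped_artifacts(*reports)))
```

For the two files as posted, the output names BHvxfq.exe in C:\WINDOWS, iexplore.exe in the Family profile (not the real Internet Explorer, which lives under Program Files) and a bare yyWWMj.exe as the files the scripts expected to clean up after; those are the names to check in the ComboFix and HijackThis logs, in the Run keys, and in the scanner quarantine. The bare names are resolved relative to the script's working directory, so their real location depends on where the dropper ran the batch.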
 
optomaCommented:
They don't look right.
Wait for Greyknight to give an opinion :)
0
 
greyknight17Commented:
The filenames themselves are suspicious as it is. The contents of those files, even though they don't look harmful, should be removed. You may delete both files without worrying about any ill effects afterward.

Sorry for jumping in on this late. Just thought I would answer the .bat file question as I saw that pending. If the issue is resolved, please award a majority of the points to those that helped out initially as they have spent more time (especially optoma) analyzing the log files.
0
 
bones1nzAuthor Commented:
I am very happy with the outcome. Shall I accept a solution and close this off?
0
 
optomaCommented:
You can. Those *.bat files were indeed pending!! :)
0
 
bones1nzAuthor Commented:
optoma - I would like to thank you for your very patient and thorough help with this problem. Thank you also greyknight and splait for your input.
0
 
bones1nzAuthor Commented:
Very thorough approach to successfully remove a tenacious trojan. Thanks to all.
0
 
optomaCommented:
You're welcome.
0
