DallasRaines42
2006-12-05, 22:44
I am dealing with a serious trojan infection that I can't seem to shake. The symptoms include an increasingly slower system start time as well as active performance loss and frequently non-responsive programs. The following are my step by step attempts at resolution to this point (as close as I can recall, in this order).
01. I began with simple Avast and Spybot scans under the running environment to eliminate a minor threat. Spybot successfully removed several problems, as did Avast. However, Avast encountered several problems while trying to repair/delete/move to chest:
( Win32:Downloader-DS [Trj] )
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\OPQFGH6V\L2[1].exe
( Win32:Trojan-gen. {UPX!} )
C:\Program Files\Alwil Software\Avast4\Data\moved\A0608462.exe.vir
( Win32:Delf-BIP [Trj] )
C:\Program Files\Alwil Software\Avast4\Data\moved\admparsek.dll.vir
( Win32:Delf-CFA [Trj] )
C:\WINDOWS\g204200324.dll
( Win32:Agent-RY [Trj] )
C:\WINDOWS\system32\hfohwb.dll\[PECompact]
( Win32:Purityscan-Q [Trj] )
C:\WINDOWS\system32\?ssembly\dexplore.exe\[PECompact]
( Win32:Delf-BTD [Trj] )
C:\WINDOWS\system32\fontextd.dll\[PECompact]
( Win32:Delf-CFE [Trj] )
C:\WINDOWS\system32\sxserv101.exe\[UPX]
( Win32:Delf-BIP [Trj] )
C:\WINDOWS\system32\admparsek.dll
( Win32:Agent-AKV [Trj] )
C:\WINDOWS\system32\clc.exe
( Win32:Agent-AKV [Trj] )
C:\WINDOWS\system32\clc_my.exe\[UPX]
02. At this point I realized my infection was more serious than I had hoped, so I began by running add/remove programs, where I came across the "IpWins" file (after some forum reading I went ahead and deleted this).
03. In trying to empty my virus chest (Avast) I encountered errors:
"Initialization of Chest files: Action was completed with errors"
->Errors report
"Program cannot use Chest client: (null)--->Description: Virus chest server is not running. RPC communication failed"
->Detailed information
"Initialization of Chest files/Program will try to load all Chest files from the following server; (null)/Action was completed with errors!"
04. At this point I scheduled a boot-time scan for both Spybot and Avast, and restarted into safe mode.
05. Avast failed to open, citing "keyboard error", and went on to load Windows. (Could this be due to my wireless keyboard?)
06. Spybot found several new issues which it resolved, but cited errors with two programs: "Smitfraud_C.Toolbar888" and "Virtumonde", so I scheduled a further boot-time scan.
07. Finally Safe Mode loaded, but under both my administrator account and my normal user account (after a restart) I received nothing but a blank Safe Mode screen stating my version information: "Microsoft ® WindowsXP ® (Build2600.XPSP_SP2_GDR.050301-1519:serv.pack2)"
08. My only option at this point was to restore to my previous system.
09. At this point Windows started normally, until my desktop came up. All my desktop items failed to show up, and instead I was given an error message saying Windows was unable to find '(null)'.
10. Running the explorer through the start menu (still operative) resulted in the same error.
11. I then ran Ccleaner via the "run" prompt, and allowed it to fix all the errors found.
12. It was while I was waiting for Ccleaner to finish that my desktop finally loaded. Along with it came 2 pages of adware spam I've been experiencing far more frequently than desired (they always show up on MSIE as opposed to Firefox, my default browser). Along with the browsers came another prompt that is a recurring problem: "NOTICE: If your computer has errors in the registry database or file system, it could cause unpredictable or erratic behavior, freezes and crashes. Fixing these errors can increase your computer's performance and prevent data loss. Would you like to install SysProtect to check your computer for free? (Recommended)". There are several other versions of this message, all offering SysProtect or other virus programs.
13. At this point I ran Spybot again, including a fresh update and immunization. It was still unable to fix "Smitfraud_C.Toolbar888" and "Virtumonde" due to User Settings.
14. Next I ran CounterSpy (however, it was unable to update definitions). I accepted the default action for all 9 issues. [See counterspy.txt]
15. Around this point I noticed for the first time two "antivirus" programs in my toolbar which I did not install: both were for "virus-busters 6.3". Neither of these would close in the toolbar, and they continue to give system alerts for various spyware.
16. Then came the online scans, first BitDefender: after accepting the user agreement and clicking start scan, BitDefender became unresponsive even after several attempts. I gave up on this one for the time being and went on to the next scan.
17. Next was pandascan (for which I had to open MSIE). At this point I am waiting for pandascan to finish. I will only have internet access for the next 48 hours, so I am trying to resolve this issue before then, thus the incomplete post. Included with this post is a premature getrunkey and Shownew log. I will wait until the current scan is finished before trying to post an HJT log.
At this point I posted this thread on a similar support forum and it was suggested I run SmitfraudFix (by S!Ri) in the normal environment, and then under safe mode.
Attached is the first Smitfraudfix log, as well as the activescan log from pandascan. I then attempted to restart into safe mode, but as you can see from my first post, I was previously unable to run any programs of any sort, or input commands at all, from safe mode. Possibly this has something to do with why my normal desktop is taking so long to show up, so I gave it 30 minutes to attempt to load safe mode. And as I suspected, I was still unable to do anything under safe mode. This time, however, there was no system restore profile to revert to, so lacking other options I had to manually edit the boot.ini file to remove the /SAFEBOOT line and return to my "normal" OS. For the sake of completion I have left the process at that, but went ahead and created new logfiles which are included below. It should also be noted that I ran vundofix and removed several entries it found based on my forum research.
Note: I was unable to upload several of my log files: counterspy.txt, rapport.txt, newfiles.txt & hijackthis.log. Is there a way to do so on these forums?
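The Avast detection list pasted in the post above pairs a "( detection name )" line with the path of the affected file, and the paths mix files already moved into Avast's chest with files still sitting in C:\WINDOWS\system32. The Python script below is an added example, not part of the original post and not Avast's own tooling: it parses that layout into records, separates entries that are already quarantined (under the Avast4\Data\moved directory or with a .vir extension) from files still live on the system, records the packer Avast reported (the "[UPX]" / "[PECompact]" path suffix or "{UPX!}" in the name), and flags any path component containing a "?" placeholder or non-ASCII character, like the "?ssembly" folder above, as a lookalike name worth checking by hand. The sample input is the post's own list with the ":D" that the forum rendered as an emoticon restored; the record layout and the quarantine-directory check are assumptions made here, not an Avast API.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the detection list from the post above, in Avast 4's
# "( detection name )" / path layout (":D" restored where the forum ate it).
SAMPLE_DETECTIONS = r"""
( Win32:Downloader-DS [Trj] )
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\OPQFGH6V\L2[1].exe
( Win32:Trojan-gen. {UPX!} )
C:\Program Files\Alwil Software\Avast4\Data\moved\A0608462.exe.vir
( Win32:Delf-BIP [Trj] )
C:\Program Files\Alwil Software\Avast4\Data\moved\admparsek.dll.vir
( Win32:Delf-CFA [Trj] )
C:\WINDOWS\g204200324.dll
( Win32:Agent-RY [Trj] )
C:\WINDOWS\system32\hfohwb.dll\[PECompact]
( Win32:Purityscan-Q [Trj] )
C:\WINDOWS\system32\?ssembly\dexplore.exe\[PECompact]
( Win32:Delf-CFE [Trj] )
C:\WINDOWS\system32\sxserv101.exe\[UPX]
( Win32:Agent-AKV [Trj] )
C:\WINDOWS\system32\clc.exe
"""

DETECTION_LINE = re.compile(r"^\(\s*(?P<name>.+?)\s*\)$")
# Avast reports a packer as a pseudo-archive entry appended to the path: "...\file.exe\[UPX]"
PACKER_SUFFIX = re.compile(r"^(?P<path>.+)\\\[(?P<packer>[A-Za-z0-9]+)\]$")
# "Win32:Delf-BIP [Trj]" or "Win32:Trojan-gen. {UPX!}"
NAME_PARTS = re.compile(
    r"^(?P<platform>[A-Za-z0-9]+):(?P<family>[^\s\[{]+)"
    r"(?:\s*\[(?P<category>[A-Za-z]+)\])?(?:\s*\{(?P<packer>[A-Za-z0-9]+)!?\})?"
)
# Assumed chest location, taken from the paths in the post (not an Avast API).
QUARANTINE_MARKER = "\\alwil software\\avast4\\data\\moved\\"


@dataclass
class Detection:
    name: str                 # full detection name as Avast printed it
    family: str               # e.g. "Delf-BIP"
    category: Optional[str]   # e.g. "Trj"
    path: str                 # file path with any packer suffix removed
    packer: Optional[str]     # "UPX", "PECompact" or None
    quarantined: bool         # already moved into the Avast chest directory
    suspicious_path: bool     # contains a '?' placeholder or non-ASCII char


def _split_packer(raw_path: str):
    m = PACKER_SUFFIX.match(raw_path)
    return (m.group("path"), m.group("packer")) if m else (raw_path, None)


def _looks_spoofed(path: str) -> bool:
    # Folder names mimicking real ones with an unprintable or non-ASCII
    # character (rendered as '?' on the forum) are a classic hiding spot.
    return any(ch == "?" or ord(ch) > 127 for ch in path)


def parse_avast_detections(text: str) -> List[Detection]:
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records: List[Detection] = []
    i = 0
    while i + 1 < len(lines):
        m = DETECTION_LINE.match(lines[i])
        if not m:
            i += 1
            continue
        name = m.group("name")
        path, packer = _split_packer(lines[i + 1])
        parts = NAME_PARTS.match(name)
        family = parts.group("family") if parts else name
        category = parts.group("category") if parts else None
        if packer is None and parts:
            packer = parts.group("packer")
        lowered = path.lower()
        records.append(Detection(
            name=name, family=family, category=category, path=path, packer=packer,
            quarantined=QUARANTINE_MARKER in lowered or lowered.endswith(".vir"),
            suspicious_path=_looks_spoofed(path),
        ))
        i += 2
    return records


def summarize(records: List[Detection]) -> Dict[str, object]:
    return {
        "total": len(records),
        "quarantined": sum(1 for r in records if r.quarantined),
        "live": sum(1 for r in records if not r.quarantined),
        "packers": sorted({r.packer for r in records if r.packer}),
        "suspicious_paths": [r.path for r in records if r.suspicious_path],
    }


if __name__ == "__main__":
    recs = parse_avast_detections(SAMPLE_DETECTIONS)
    for r in recs:
        state = "chest" if r.quarantined else "LIVE "
        flag = "  <- lookalike folder, inspect by hand" if r.suspicious_path else ""
        print(f"{state} {r.family:<16} {r.packer or '-':<9} {r.path}{flag}")
    print(summarize(recs))
```

The point of the split is triage: anything marked "chest" is already out of play and only needs the chest emptied once the RPC error is sorted out, while the "LIVE" rows are the files a responder should account for in the HijackThis log, and the packed ones (UPX / PECompact) plus the lookalike "?ssembly" folder are the entries most likely to reappear after a reboot.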