Hourly URL:Mal to retufator.com/krjbjccop - cannot find trojan

Viruses and worms
1

Hi,

I installed Avast because I suspected a Trojan infection. The Avast scan found an infected wow.dll (Win32-malware-gen) in Temporary Internet Files, and cleaned it.

However I continue to see, every hour on the hour, a blocked access to one of a couple of URLs: retufator.com and krjbjccop.com. A web search turns up very little except a Sophos report that these are related to Troj-Agent/AEQA: https://secure2.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-AEQA/detailed-analysis.aspx (example 3).

I have since run full system scans using Avast, Norton AV, MalwareBytes, Windows Security Essentials but they report no infections.

Avast does find another wow.dll in AppData/Local/Temp/sbpxpoi/sefgcn but cannot scan it, because the file location cannot be accessed. This folder appears to have no permissions and I cannot change the permissions to be able to view it, even it as administrator. I am running aswMBR now, but it went past this location without finding anything.

In addition to the hourly alerts, I also received a Norton AV alert about a file being downloaded to c:\Program Files\Internet Explorer. This download seems related to the trojan.

How to get rid of this trojan? Also, do you have any more details on what this trojan is up to?

Thanks,
j082008

2

Please follow this guide and attach the logs: http://forum.avast.com/index.php?topic=53253.0

Maybe there is something on your system.

When done a malware expert will help you.

3

Hi Steven,

Here are logs from MBAM and OTI.

I am still running the aswMBR, it is likely to take a while.

Thanks,
j082008

4

No problem.

Are you running Norton alongside Avast?

In that case only one can stay behind. Otherwise it will end in problems.

5

Hi Steven,

Yes, I understand. I only installed NAV in case it might detect something. I intend to remove it.

Regards,
J082008

6

Please use this tool to remove Norton completely: https://support.norton.com/sp/de/de/home/current/solutions/kb20080828154508EN_EndUserProfile_de_de

When a malware expert arrives follow his instructions.

7

Hi I can see it :slight_smile:

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-1024164257-3580554965-1230104890-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
[2013/11/18 09:02:06 | 000,000,422 | ---- | M] () -- C:\Windows\tasks\SystemToolsDailyTest.job
[2013/11/18 09:01:01 | 000,000,564 | ---- | M] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job

:Files
C:\Users\Anne & Jonathan\AppData\Local\Temp\sbpxpoi

:Reg
[-HKCU\SOFTWARE\Wow6432Node\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKCU\SOFTWARE\Wow6432Node\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,\
  65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

8

Hi Essexboy,

Nice work… that appears to have gotten rid of it. Here are results of the quick scan. The registry key that refers to wow.dll is still there, but the folder itself is gone.

Have you encountered this Trojan before? I am wondering if any analysis has been done on it.

Thanks,
j082008

9

Yes this is one of my nemesis malwares as I have never yet been able to kill that registry key. I believe it can be done manually, but as the folder and file are gone it is now just words and quite harmless

How is the computer behaving now ?

10

Hi Essex,

PC is behaving well now, thanks so much.

Obviously I am concerned about what kind of information if any this Trojan was trying to obtain, if that is what its purpose is. Both of those domains are registered by bizcn.com to Ipanema, Rio according to whois information. they were created recently on 10/25 and they are clearly very much alive.

Is there a way to report this so that the sites are shut down and the perpetrators stopped?

Regards,
j082008

11

I believe the intention of this one was to register your computer and either use it as a spambot or download additional malware. However, Avast blocked that option

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Clear Restore Points

Go Start > All Programmes > Accessories > System tools
Right click Disc Cleanup and select run as administrator
When it pops up at the first prompt select OK after it has done some calculations the tabs will appear
Select More Options tab
Press Sytem Restore and Shadow Copies Cleanup button

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent install this programme to lock down and prevent crypto ransome ware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

If you use on-line banking then as an added layer of protection install Trusteer Rapport

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?Keep safe :wave: