Let the Trojans in

Ok. So I thought I knew enough to keep trojan horses at bay - however, 1 day after sending a mail about holiday apartments asking for availability and more information I got a mail with an attachment and text that looked almost exactly like a reply to the message that I sent. I didn’t look carefully or I’d have noticed that the e-mail address that it was sent to was incorrect.

So after double clicking on the attachment I heard Avast doing its job and spotting the infection. However, once cleaned, I have been infected many times since. The noticeable infection is that my Internet Explorer homepage keeps getting set to Google, and when I have been looking for web pages using Google I have selected a link and been sent to a similar site but not the site that I selected.

I tried a full virus scan several times but I did not seem to find the culprit so I searched for recently updated files and found one that looked suspicious. It was in program files / nxmcoqe and called ApiAppCfg.dll.

I’ve tried searching the web but not found any reference to it.

I searched the registry to remove any reference to the file…

It seems that during the clean-up something went wrong. For some reason MS Explorer (the directory browsing software) will not start. I get placed into XP without the explorer bar. The only way to start tasks is through the task manager. When I navigate to explorer.exe and try to start it, task manager reports that the file is not found. Changing the name allows explorer to start but not the associated task bar.

Does anyone have an idea of what I could do to restore normal service… The only advice I have so far is to “always back up the registry before you edit it”…

TIA

LS

Trojans installed : Win32:Bravix [Drp], Win32:Trojan-gen (other) and Win32:Adware-gen

Hi LostSheep,

You can first try the instructions here: http://forums.majorgeeks.com/showthread.php?t=139313
If after following the instructions there step by step not omitting a thing, and you still encounter problems, you can post the various logtxt.files with a fresh hjt logtxt.file with your next posting, download hjt here:
http://www.filehippo.com/download_hijackthis/download/58170ee6e58bba306c943f5b6d745c99/

polonus

It sounds like that trojan was like a suicide bomber: once inside and killed, before he died he let his bombs go off!
I'd say you have Explorer infected; some viruses can infect a whole computer in a matter of seconds!
I say reinstall Explorer!
or get a new browser like Firefox!

Rsdogy

I say reinstall explorer! or get a new browser like FireFox!
The OP is referring to [i]Windows[/i] explorer, not the browser of similar name.
It sounds like that trojan was like a suiside bomber once inside and killed before he died he let his b......
Rather melodramatic analogy, isn't it?

Sorry, don’t mean to be the “post police”, but this is a bit ott.

Hello Tarq57,

Yes first rule here is “Don’t panic!”. Let us wait for him to conclude the general malware routine, then let us see where we stand with the logs he provides,

polonus

Hi,

Thanks for all the replies.

I have run the list of tests over the last few days. Explorer is now working again but when I re-run Super AntiSpyware it seems as if Trojan.DNSChanger-Codec registry entry is either never deleted or it reinstalls on boot up. I also get occasional issues where Spybot S&D detects “Virtumonde” but this is not as regular - I’ve been trying to get to the bottom of these hence the delayed reply.

I’ve attached all the logs I could - I’m limited to 4 per message (please let me know if I missed an important one). I have not found a way to view a Spybot log but the recovery panel tells me that it has worked on delf.spool.cn, Virtumonde, Nebuler.BHO and Premium search

Explorer now seems to be working correctly.

Now that I am closer to a “working” system, I have a few more questions :

  1. Should I be worried about the trojans that are still being seen ?
  2. What should I do to avoid future infections (the sheet on MajorGeeks was not very helpful - I do all that already but still got infected)
  3. I had expected Avast to block an attempt by a trojan to install itself as deeply as this one has. Is there something else that I need to do ?

Hi LostSheep,

On your hijackthis log:
These are the process scan results (process - type - description):

smss.exe - System task - Session Manager Subsystem
winlogon.exe - System task - Microsoft Windows Logon Process
services.exe - Windows Service Controller
lsass.exe - System task - Local Security Authority Service
Ati2evxx.exe - Driver - ATI Display Adapter Assistant
svchost.exe - System task - Microsoft Service Host Process
MsMpEng.exe - Anti Add/Spyware software - Microsoft Windows Defender Antispyware
svchost.exe - System task - Microsoft Service Host Process
smc.exe - Firewall - Sygate Personal Firewall
aswUpdSv.exe - Virusscan - Avast Anti-Virus Component
ashServ.exe - Virusscan - Avast
Explorer.EXE - System task - Microsoft Windows Explorer
LEXBCES.EXE - Backgroundtask - LexBce Service
spoolsv.exe - System task - Microsoft Printer Spooler Service
LEXPPS.EXE - Backgroundtask - Lexmark Printer Sharing
lobktmfa.exe - Unknown task - Unknown task
issch.exe - Application - InstallShield Update Service
HPWuSchd2.exe - Backgroundtask - Hewlett Packard Software Update Scheduler
ashDisp.exe - Virusscan - Avast AntiVirus
GrooveMonitor.exe - Backgroundtask - GrooveMonitor Utility
DevDetect.exe - Backgroundtask - Watches for external digital imaging products being connected from ACD Systems
DSAgnt.exe - System task - Dell Support Agent offers additional support and update features for your Dell computer or laptop
msmsgs.exe - Application - MSN Messenger
ctfmon.exe - System task - Alternative User Input Services
HOMERunner.exe - Application - Part of TomTom route planner software - TML P
SUPERAntiSpyware.exe - Anti Add/Spyware software - SUPERAntiSpyware
hpqtra08.exe - Backgroundtask - Hewlett Packard Imaging
AppleMobileDeviceService.exe - Backgroundtask - Apple Mobile Device Service
mDNSResponder.exe - Backgroundtask - Bonjour for Windows Component
ehRecvr.exe - Backgroundtask - Media Center Receiver Service
ehSched.exe - Backgroundtask - Microsoft Media Center Scheduler Service
svchost.exe - System task - Microsoft Service Host Process
svchost.exe - System task - Microsoft Service Host Process
svchost.exe - System task - Microsoft Service Host Process
snmp.exe - System task - Microsoft SNMP Agent
svchost.exe - System task - Microsoft Service Host Process
iexplore.exe - Application - Microsoft Internet Explorer
iexplore.exe - Application - Microsoft Internet Explorer
ashMaiSv.exe - Virusscan - Avast Anti-Virus Component
dllhost.exe - System task - Microsoft DCOM DLL Host Process
hpqSTE08.exe - Driver - HP Imaging
svchost.exe - System task - Microsoft Service Host Process
wuauclt.exe - System task - AutoUpdate for WindowsME
HijackThis.exe - Application - Merijn Hijackthis
imapi.exe - System task - Microsoft IMAPI

/////////////////////////////////////////////////////////////////////////////////////////////////////////////

Now fix with hijackthis:

C:\Documents and Settings\All Users\Application Data\jefinqte\lobktmfa.exe

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O4 - HKLM..\Policies\Explorer\Run: [7JLvP50b85] C:\Documents and Settings\All Users\Application Data\jefinqte\lobktmfa.exe

O21 - SSODL: msgwinmnt - {6FA079C2-2699-051C-FAC2-0B80DB7B6981} - C:\Program Files\cehdwgf\msgwinmnt.dll

Also delete C:\Program Files\cehdwgf

This one did not transcribe properly but needs killing
C:\WINDOWS\000001_.tmp

Now give a new fresh HJT log txt as an attachment,

polonus

The O3 entry CLSID is associated with SiteAdvisor.

Hi DavidR,

It is empty and therefore should be fixed. Had a second opinion on my analysis, and according to this source also this entry had to go. Some entries are not malware per se, but the hjt manual advises us to fix empty, ergo nonfunctional, entries, period,

polonus

Hi,

You guys are really quick - Thanks

I have performed the tasks that you requested (paid period for McAfee had ended so I uninstalled it, so that’s where the empty registry entry came from).

Since last run I have updated Java so there are some differences there.

One more question - based on the infections that I have had, is there a risk that any passwords have been compromised ?

TIA
LS

Hi LostSheep,

OK, congratulations, this hijackthis log is as clean as a baby’s bum. Re: your question on log in information, passwords etc., you can change them; you should do that anyway every couple of months where they are critical. Using a browser like Firefox with NoScript and clicking “do not remember password” will let you surf a lot more securely in this respect. Hope your OS is running smoothly, I say welcome to the forums, and come to visit us here from time to time,

polonus (malware fighter)

Whilst it might appear empty, you may find it still works; this is the case with another CLSID, Windows Live Mail: even though there is supposedly no file, it works perfectly.

So if LostSheep used the SiteAdvisor toolbar then there were no problems, but he has already removed it so it is a moot point.

Hi DavidR,

Water under the bridge now. About the O3 entries in general: O3 has the information for the toolbars. In an entry, for example, you see the name &Google. Also in the path after it you can see that it comes from the Google directory, and that the file is even named googletoolbar1. This section is yet another example of if you don’t recognize, then remove. Toolbars are also another common thing for adware to add to your system in the faux of being helpful. Anything that looks randomly named 99.9% of the time is bad. If it feels funky, whack it,

polonus
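The two rules polonus gives above (fix empty "(no file)" entries; treat randomly named folders and files as malware) together with DavidR's caveat that an empty CLSID entry may still be legitimate, as an added Python triage script that is not from the thread or from HijackThis itself: it parses the O3/O4/O21 lines quoted earlier in the thread and flags what a reviewer should look at. The Google toolbar and HP lines are constructed controls (the Google CLSID is a placeholder), and the consonant-run test is an assumed heuristic, not anything the posters used.

```python
import re

# HJT entries quoted from the thread plus two constructed controls (Google CLSID is a placeholder).
HJT_LINES = [
    "O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)",
    r"O4 - HKLM\..\Policies\Explorer\Run: [7JLvP50b85] C:\Documents and Settings\All Users\Application Data\jefinqte\lobktmfa.exe",
    r"O21 - SSODL: msgwinmnt - {6FA079C2-2699-051C-FAC2-0B80DB7B6981} - C:\Program Files\cehdwgf\msgwinmnt.dll",
    r"O3 - Toolbar: &Google - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Google\Google Toolbar\GoogleToolbar1.dll",
    r"O4 - HKLM\..\Run: [HP Digital Imaging Monitor] C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe",
]

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", re.IGNORECASE)

def looks_random(name):
    """Assumed heuristic: a run of four or more consonants (digits/punctuation break a run) looks machine-generated."""
    letters = re.sub(r"[^a-z]", " ", name.lower())
    runs = re.findall(r"[b-df-hj-np-tv-z]+", letters)
    return max((len(r) for r in runs), default=0) >= 4

def parse_hjt_line(line):
    """Split one HijackThis 'Onn - ...' line into section, CLSID, path and the (no file) marker."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    clsid, path = CLSID_RE.search(rest), PATH_RE.search(rest)
    return {"section": section, "no_file": "(no file)" in rest,
            "clsid": clsid.group(0) if clsid else None, "path": path.group(0) if path else None}

def triage(line):
    """Apply the two forum rules and return the entry with the reasons a reviewer should look at it."""
    entry = parse_hjt_line(line)
    if entry is None:
        return None
    reasons = []
    if entry["no_file"]:  # polonus: empty entries are nonfunctional and get fixed; DavidR: check the CLSID first
        reasons.append("empty entry (no file); look the CLSID up before fixing")
    if entry["path"]:  # polonus: randomly named folders and files are almost always bad
        parts = entry["path"].split("\\")
        stem = parts[-1].rsplit(".", 1)[0]
        reasons += [f"random-looking name: {n}" for n in (parts[-2], stem) if looks_random(n)]
    entry["reasons"] = reasons
    return entry

if __name__ == "__main__":
    for line in HJT_LINES:
        e = triage(line)
        print(e["section"], "REVIEW" if e["reasons"] else "ok", "; ".join(e["reasons"]))
```

The HP control shows why the 99% rule still needs a lookup such as systemlookup.com: hpqtra08.exe is flagged by the heuristic but is the Hewlett Packard Imaging process from the scan results above.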

I tend to check it out here first, http://www.systemlookup.com/lists.php?list=1.

Hi DavidR,

Never said that I did not meticulously check out all the items. I repeat that where you find random names, and they are not always to be looked up, this concerns malware in 99% of the cases. I think we are going off-topic here, because the above malware routine is already successfully resolved; an additional PM is more appropriate I think,

polonus

OP asked what else he could do
first he has spybot
let’s do the drill
update every Wednesday and re-immunize
are you running sd-helper?
t-timer?

please confirm that you have gone through all of the geeks procedures including all the sub branches

I’d use that no-script
I’d add a Hosts file - if you do, update it every Wed right before updating Spybot

I’d like to see some real time anti spyware
are you running anything not mentioned?

what firewall?

Hi,

Thanks for all the input.

Having seen a thread elsewhere on the forums that suggested running a Kaspersky online scan where Virtumonde was found, a couple of infected files were highlighted (see attached)

How would I best clean these ?
Do I need to submit them to Avast ?

TIA
LS

Yes, but when we offer advice that could potentially break a function on a user's system, I tend to err on the side of caution rather than a random-naming guesstimate percentage. The fact is that this is ‘no’ randomly named function, it hasn’t been named at all, splitting hairs perhaps; but even the automatic analysis reports it as Very Safe, just that it might be deactivated.

I don’t think it is off-topic as the original poster gains information about actions which they have carried out.