I attached my sister-in-law's portable drive to my PC to transfer some files to my portable drive, and all the files on her drive were shown as shortcuts.
When I attempted to open a shortcut, AutoRun flashed on the screen.
I cancelled it as fast as I could; however, Malwarebytes Pro is now disabled, including protection mode, and my Control Panel has been disabled.
Running Malwarebytes in safemode detects a possible trojan horse (Trojan.Agent.Ck) as well as a number of malicious registry entries.
Avast now continually notifies me of two malicious URLs:
//nnh42.name/a/
//jsh37.net/a/
One of the malicious registry entries contains the phrase "don't steal our software".
All attempts to rectify the problem have failed.
My system is running Windows XP with Service Pack 3.
I have attached the RogueKiller logs.
Any help you can give me would be greatly appreciated.
"One of the malicious registry entries contains the phrase "don't steal our software""
So, you have a key generator for cracking the Malwarebytes license..... naughty boy
Attach the following logs: http://forum.avast.com/index.php?topic=53253.0
AdwCleaner
Malwarebytes (Malwarebytes should be run from normal mode unless it has a problem)
OTL
aswMBR
To be honest, the PC was part of an inheritance from a deceased estate with the software preloaded, and I never bothered to check if it was genuine.
Looks like an uninstall is warranted.
I have attempted to run the programs you have listed, but whatever has infected me is blocking them from running.
OK… the malware removers are notified; it may take hours before they arrive, so be patient.
You may try running from safe mode.
I managed to run AdwCleaner from safe mode; the log, if it is any use, is attached, together with the MBAM log.
Thanks for your assistance and patience; this is a whole new experience to me.
Kym
Hi, I will need the OTL log please.
Download OTL to your Desktop
Secondary link
[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif
[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
winsock.*
/md5stop
CREATERESTOREPOINT
[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs
Sorry for the late reply, the "bug" is now interfering with my internet access.
Logs attached as requested.
Kym
OK, I think I can see the problem.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following:
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:OTL
O4 - HKU\S-1-5-21-682003330-764733703-1177238915-1004..\Run: [7d7e7] C:\Documents and Settings\Bronwyn and Kym\Application Data\6b6\7d7e7.js ()
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\2a2a.js ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\2a2a.js ()
O4 - Startup: C:\Documents and Settings\Bronwyn and Kym\Start Menu\Programs\Startup\2a2a.js ()
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\2a2a.js ()
[2013/03/05 14:35:47 | 000,000,000 | -HSD | C] -- C:\Program Files\74607
[2013/03/05 14:35:47 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Bronwyn and Kym\Application Data\6b6
[2013/03/05 14:35:46 | 000,000,000 | -HSD | C] -- C:\6a4
[2013/03/06 07:00:03 | 000,047,405 | ---- | C] () -- C:\Documents and Settings\Bronwyn and Kym\Start Menu\Programs\Startup\2a2a.js
[2013/03/06 07:00:03 | 000,047,405 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\2a2a.js
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Please download MiniToolBox, save it to your desktop and run it.
https://dl.dropbox.com/u/73555776/minitoolbox.JPG
Checkmark the following checkboxes:
[]Flush DNS
[]Report IE Proxy Settings
[]Reset IE Proxy Settings
[]Report FF Proxy Settings
[]Reset FF Proxy Settings
[]List content of Hosts
[]List IP configuration
[]List Winsock Entries
[]List last 10 Event Viewer log
[]List Installed Programs
[]List Devices
[]List Users, Partitions and Memory size.
[]List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run from.
Note: When using “Reset FF Proxy Settings” option Firefox should be closed.
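As an added example (not part of this thread or of OTL itself), the small Python triage helper below parses lines in the two OTL formats quoted in the fix above, the O4 autostart entries and the dated file/folder listing, and flags the traits that made those entries stand out: script files set to run at logon, hidden+system directories, and short random-looking hex names. The regexes are inferred from the quoted lines and the heuristics are mine; the sample lines are constructed with the user name replaced.

```python
import re

# Autostart entries as OTL lists them (Run key or Startup folder), e.g.
#   O4 - HKU\S-1-5-21-...\Run: [7d7e7] C:\...\Application Data\6b6\7d7e7.js ()
O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<path>.+?) \((?P<company>[^)]*)\)$")
# Dated file/folder listing lines, e.g.
#   [2013/03/05 14:35:47 | 000,000,000 | -HSD | C] -- C:\Program Files\74607
LIST_RE = re.compile(r"^\[(?P<ts>[^|]+)\| (?P<size>[\d,]+) \| (?P<attr>[-A-Z]{4}) \| C\] (?:\(\) )?-- (?P<path>.+)$")
SCRIPT_EXT = (".js", ".vbs", ".vbe", ".jse", ".wsf")   # script hosts a legitimate autostart rarely needs
HEXNAME_RE = re.compile(r"^[0-9a-f]{2,8}$", re.I)      # heuristic: 6b6, 74607, 2a2a look machine-generated

def classify(line):
    """Reasons a single OTL line matches the persistence pattern from this thread ([] if none)."""
    m = O4_RE.match(line) or LIST_RE.match(line)
    if not m:
        return []
    low = m.group("path").lower()
    leaf = low.rstrip("\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]   # file/dir name without extension
    reasons = []
    if low.endswith(SCRIPT_EXT) and ("\\startup\\" in low or line.startswith("O4")):
        reasons.append("script file set to run at logon")
    if "\\application data\\" in low and line.startswith("O4"):
        reasons.append("autostart target under Application Data")
    if {"H", "S", "D"} <= set(m.groupdict().get("attr", "")):   # only listing lines carry attributes
        reasons.append("hidden+system directory created")
    if HEXNAME_RE.match(leaf):
        reasons.append("random-looking hex name")
    return reasons

def triage(lines):
    """(path, reasons) for every flagged line, in input order; clean lines are dropped."""
    hits = []
    for line in (l.strip() for l in lines):
        reasons = classify(line)
        if reasons:
            hits.append(((O4_RE.match(line) or LIST_RE.match(line)).group("path"), reasons))
    return hits

SAMPLE = [  # constructed lines modelled on the fix above; the real user name is replaced with "User"
    r"O4 - HKU\S-1-5-21-0-0-0-1004..\Run: [7d7e7] C:\Documents and Settings\User\Application Data\6b6\7d7e7.js ()",
    r"O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\2a2a.js ()",
    r"O4 - HKLM..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)",
    r"[2013/03/05 14:35:47 | 000,000,000 | -HSD | C] -- C:\6a4",
    r"[2013/03/06 07:00:03 | 000,047,405 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\2a2a.js",
    r"[2013/03/06 07:00:03 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files",
]

for path, reasons in triage(SAMPLE):
    print(path, "->", "; ".join(reasons))
```

The two benign sample lines (ctfmon.exe and Common Files) come back clean, so the output lists only the four entries a reviewer would want to look at.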
Hi, I am facing the same issue.
In addition, there are multiple Windows Update icons in the system tray, disappearing on mouse roll-over.
Please start your own topic and supply/attach the following logs:
http://forum.avast.com/index.php?topic=53253.0
AdwCleaner
Malwarebytes
OTL
aswMBR
Hi essexboy,
Thanks for that. I may have to run the fix in safe mode; will that still work?
Will try it in normal mode first.
Kym
If you need to run it in safe mode then so be it, but allow the reboot to normal mode so that we can determine the effectiveness, or whether I need to look deeper.
Will do.
Kym
Quick fix log and Mini Toolbox log attached as requested.
As a side note, the only way I could get OTL to run in normal mode was to rename the desktop icon as "safe file".
The system now runs better, but the malicious URL pop-ups are still appearing and Control Panel is disabled.
Regards,
Kym
OK, the JS files returned, so we will need to go deeper.
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
Between work and other things, I finally managed to run ComboFix; log attached as requested.
The Control Panel now appears to be accessible via the Start menu; I have not tried to open it as yet. The "malicious URL blocked" pop-ups appear to have ceased. Still unable to open Malwarebytes; got a pop-up stating "files waiting to be written to CD". Overall it seems to be running better.
Kym
One more run to finish it off, then try MBAM again.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\documents and settings\Administrator\Start Menu\Programs\Startup\21.js
c:\documents and settings\Bronwyn and Kym\Start Menu\Programs\Startup\21.js
c:\documents and settings\All Users\Start Menu\Programs\Startup\21.js
c:\documents and settings\Default User\Start Menu\Programs\Startup\21.js
Folder::
c:\documents and settings\Bronwyn and Kym\Application Data\6b6
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"7d7e7"=-
Save this as CFScript.txt, in the same location as ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Thanks essexboy, will do this as soon as I get home after work tonight.
Many thanks and kindest regards,
Kym
OK,
Turned on the PC to run the file as requested.
Control Panel had again been disabled; I opened an internet connection and immediately got the "malicious URL blocked" pop-up again, as well as the "files waiting to be written to CD" notification.
The ComboFix icon had gone from the desktop, as well as the log file from the C drive.
Ran the CFScript.txt as advised; log file attached.
After running the txt file, Control Panel has returned and Malwarebytes is now accessible.
I thank you for your time so far.
Regards,
Kym