Startup Issues: Suspected Trojan & Help Required

Greetings everybody; please read my account, as I think all the details I can give will be useful.

I’m an average computer user who, like many, despises malware, viruses, trojans, and infections of any kind. When I browse the internet, I typically use Mozilla Firefox, but last night Internet Explorer launched by accident. (It was still pinned on the start menu when I wanted Word.) Almost immediately, a trojan was detected by avast! Not too concerned, I allowed avast! to perform a boot scan, but my battery died.

Upon resuming on startup, Windows 7 declared the system needed repair - and I knew exactly why the system was rendered unstable. After a system restore, as the computer did not know what was wrong, everything booted up and seemed to work fine. However, I noticed I could not freely access the internet and the system wasn’t performing well. Opening avast!, I saw it said the service had been stopped or was in an inconsistent state. Re-installation has the scanners working, but that won’t go away.

If I can count my blessings, if anything in this situation, it is the fact that I am able to operate through Safe Mode w/ Networking at the moment and inform you of my problem. I have full access to the internet now, along with the command prompt, regedit, and potentially any other tools that can help me. Please help! I’m not sure what has infected me, but it occurred at around 11:40 P.M. last night (July 31st, 2011) GMT -5.

Thanks in advance for your help. I’m performing a scan and so far I see nothing. ???

Hi all, hate to double post, but avast! managed to complete a scan. As much as I do believe I’m decent with computers, I’d like guidance on my next course of action. Sometimes deleting viruses/trojans isn’t always the best move, as you may not be able to repair the damage it has caused. Here is what it found:

C:\ProgramData\api-ms-win-core-misc-l1-1-032.exe. Win32 Downloader-IQO
C:\Users\Wing Ho\AppData\Local\Temp\jucheck.exe. Win32 Downloader-IQO

EDIT:

Upon navigating to these locations on My Computer, both were installed simultaneously at the time I specified - I guess it was 10:20, not 11:40. I guess I have a poor sense of time. :slight_smile:

Are you able to download, install and update Malwarebytes? http://filehippo.com/download_malwarebytes_anti_malware/

If so, run a quick scan, in normal mode if possible.
Click the Remove Selected button to quarantine anything found.

Hi Pondus, thanks for the response!

I do have Malwarebytes already installed, but I receive an error when trying to update it. My version is out of date - and I encounter error 732 when updating. I’d do it in normal mode, but I think it will not run. Should I go for a reinstall?

I think I can quarantine it with avast! though, right now, running in safe mode. Any pointers?

Have you tried to update it in safe mode?
You may also run it with no update; if lucky, it may remove something.

Thanks for your continued support,

I have tried updating it in safe mode, and I receive the error I mentioned in my previous post. Performing a quick scan yielded nothing, along with the full scan which took about one hour to complete. avast! detected 2 files, however, during its scan.

Awaiting orders!

The removal expert essexboy will enter the forum in 2-3 hours, so have a Budweiser, relax and wait :wink:

That can be managed, my friend. Glad to have received your replies - I haven’t been in this situation since 2009.

Superantispyware has a portable version you may try while waiting: http://superantispyware.com/portablescanner.html?tag=SAS_HOMEPAGE

Thank you - it is scanning as we speak. Any other recommendations? Do you have any suggestions as to what might be ailing my machine?

Well, there are always a bunch of scanners you can try, but I think the best is to wait for essexboy.
You may post an OTS log if able to; essexboy will then see what and where, and choose the right tool for it.

See how to here: http://forum.avast.com/index.php?topic=53253.0

lower left corner > Additional Options > Attach (OTS log)

Here it is as requested, divided into two parts:

On completion of this run, could you restart in normal mode and let me know what the current problems are.

Start OTS. Copy/paste the information in the quote box below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> 
YN -> HKEY_CURRENT_USER\: Main\\"XMLHTTP_UUID_Default" -> A7 C7 AC 01 6D 06 23 4B 9D C2 38 F6 0F B2 D6 40  [binary data]
< FireFox Extensions [User Folders] > -> 
YY -> XUL Cache   -> C:\Users\Wing Ho\AppData\Roaming\Mozilla\Firefox\Profiles\c46r8c3x.default\extensions\{199541eb-0fa6-4a0d-a475-00f7a3097e0d}
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {01ACC7A7-066D-4B23-9DC2-38F60FB2D640} [HKLM] -> C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-032.dll [Reg Error: Value error.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY ->  api-ms-win-core-misc-l1-1-032.dll -> C:\Windows\SysWow64\api-ms-win-core-misc-l1-1-032.dll
[Files/Folders - Modified Within 30 Days]
NY ->  2027058438 -> C:\Windows\SysWow64\2027058438
NY ->  api-ms-win-core-misc-l1-1-032.dll -> C:\Windows\SysWow64\api-ms-win-core-misc-l1-1-032.dll
NY ->  api-ms-win-core-misc-l1-1-032.exe -> C:\ProgramData\api-ms-win-core-misc-l1-1-032.exe
[Files - No Company Name]
NY ->  api-ms-win-core-misc-l1-1-032.exe -> C:\ProgramData\api-ms-win-core-misc-l1-1-032.exe
NY ->  2027058438 -> C:\Windows\SysWow64\2027058438
NY ->  tmpAVATAR.0 -> C:\Users\Wing Ho\AppData\Local\tmpAVATAR.0
NY ->  tmpAVATAR.JPG -> C:\Users\Wing Ho\AppData\Local\tmpAVATAR.JPG
NY ->  tmpSEXY.3 -> C:\Users\Wing Ho\AppData\Local\tmpSEXY.3
NY ->  tmpSEXY.2 -> C:\Users\Wing Ho\AppData\Local\tmpSEXY.2
NY ->  tmpSEXY.1 -> C:\Users\Wing Ho\AppData\Local\tmpSEXY.1
NY ->  tmpSEXY.0 -> C:\Users\Wing Ho\AppData\Local\tmpSEXY.0
NY ->  tmpSEXY.JPG -> C:\Users\Wing Ho\AppData\Local\tmpSEXY.JPG
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[ZipFiles]


The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
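As an added example (not part of this thread, and not code from OTS or avast!), here is a small Python triage that parses entries in the "flag -> name -> path" style of the OTS fix above and flags the naming tricks this infection relied on: an API-set lookalike name, that name living outside System32/SysWOW64 or carrying an .exe extension, and a digit-only file dropped into SysWOW64. The sample entries are constructed from the paths in the fix; the pattern checks are heuristics assumed for illustration, not a signature.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample entries in the "flag -> name -> path" style of the OTS fix above.
OTS_LINES = [
    r"NY ->  api-ms-win-core-misc-l1-1-032.dll -> C:\Windows\SysWow64\api-ms-win-core-misc-l1-1-032.dll",
    r"NY ->  api-ms-win-core-misc-l1-1-032.exe -> C:\ProgramData\api-ms-win-core-misc-l1-1-032.exe",
    r"NY ->  2027058438 -> C:\Windows\SysWow64\2027058438",
    r"NY ->  api-ms-win-core-file-l1-1-0.dll -> C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll",
    r"NY ->  tmpAVATAR.JPG -> C:\Users\Wing Ho\AppData\Local\tmpAVATAR.JPG",
]

ENTRY_RE = re.compile(r"^([YN]{2})\s*->\s*(\S+)\s*->\s*(.+?)\s*$")
# Genuine API-set stubs look like api-ms-win-<namespace>-<component>-l<major>-<minor>-<build>.dll
APISET_RE = re.compile(r"^api-ms-win-[a-z0-9-]+-l\d+-\d+-(\d+)\.([a-z0-9]+)$", re.I)
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def assess(path):
    """Return the reasons a single path looks suspicious (empty list = nothing flagged)."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    reasons = []
    if name.startswith("api-ms-win-"):
        m = APISET_RE.match(name)
        if not m:
            reasons.append("api-ms-win prefix without the lN-N-N version triple")
        else:
            build, ext = m.groups()
            if ext != "dll":
                reasons.append(f"API-set stubs are DLLs, this is a .{ext}")
            if len(build) > 1:
                # Heuristic (assumption): shipped stubs use a short triple such as l1-1-0.
                reasons.append(f"unusual multi-digit build field '{build}'")
        if parent not in SYSTEM_DIRS:
            reasons.append("API-set-like name outside System32/SysWOW64")
    elif parent in SYSTEM_DIRS and name.isdigit():
        reasons.append("extensionless all-digit file name in a system directory")
    return reasons


def triage(lines):
    """Parse OTS-style entries and map each flagged path to its reasons."""
    flagged = {}
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if m:
            path = m.group(3)
            reasons = assess(path)
            if reasons:
                flagged[path] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(OTS_LINES).items():
        print(path, "->", "; ".join(reasons))
```

The genuine-looking api-ms-win-core-file-l1-1-0.dll in SysWOW64 passes, while the two lookalikes and the digit-only file are reported with the specific reason each tripped.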

All seems well; the fix was indeed quick! Programs and files that I recognize are intact as well. I don’t know what exactly was done, but I am now on the internet under normal circumstances and the speed seems fine. Anything else I should do? I’m always a little suspicious.

Also, here is the file it produced upon logging in:


All Processes Killed
[Registry - Safe List]
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Main not found.
File C:\Users\Wing Ho\AppData\Roaming\Mozilla\Firefox\Profiles\c46r8c3x.default\extensions\{199541eb-0fa6-4a0d-a475-00f7a3097e0d} not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01ACC7A7-066D-4B23-9DC2-38F60FB2D640}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01ACC7A7-066D-4B23-9DC2-38F60FB2D640}\ not found.
File C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-032.dll not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}\ not found.
[Files/Folders - Created Within 30 Days]
File C:\Windows\SysWow64\api-ms-win-core-misc-l1-1-032.dll not found!
[Files/Folders - Modified Within 30 Days]
File C:\Windows\SysWow64\2027058438 not found!
File C:\Windows\SysWow64\api-ms-win-core-misc-l1-1-032.dll not found!
File C:\ProgramData\api-ms-win-core-misc-l1-1-032.exe not found!
[Files - No Company Name]
File C:\ProgramData\api-ms-win-core-misc-l1-1-032.exe not found!
File C:\Windows\SysWow64\2027058438 not found!
File C:\Users\Wing Ho\AppData\Local\tmpAVATAR.0 not found!
File C:\Users\Wing Ho\AppData\Local\tmpAVATAR.JPG not found!
File C:\Users\Wing Ho\AppData\Local\tmpSEXY.3 not found!
File C:\Users\Wing Ho\AppData\Local\tmpSEXY.2 not found!
File C:\Users\Wing Ho\AppData\Local\tmpSEXY.1 not found!
File C:\Users\Wing Ho\AppData\Local\tmpSEXY.0 not found!
File C:\Users\Wing Ho\AppData\Local\tmpSEXY.JPG not found!
[Custom Items]
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Wing Ho\Downloads\cmd.bat deleted successfully.
C:\Users\Wing Ho\Downloads\cmd.txt deleted successfully.
[Empty Temp Folders]

User: All Users

User: Anne

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

User: Visitor
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Wing Ho
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 46422657 bytes
->Java cache emptied: 58488592 bytes
->FireFox cache emptied: 43856816 bytes
->Google Chrome cache emptied: 8561745 bytes
->Flash cache emptied: 376843 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 2967040 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 38730514 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50400 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 190.00 mb

[EMPTYFLASH]

User: All Users

User: Anne

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Guest

User: Public

User: Visitor
->Flash cache emptied: 0 bytes

User: Wing Ho
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Error creating restore point.
< End of fix log >
OTS by OldTimer - Version 3.1.44.0 fix logfile created on 08012011_132504

Files\Folders moved on Reboot…
File\Folder C:\Users\Wing Ho\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!

Registry entries deleted on Reboot…


Could you run a fresh Malwarebytes scan please and confirm that there are no further problems.

I can perform a scan, but before I do, I must state again that I am having trouble updating the database. I allowed it to pass through my firewall but still no luck.

In the meanwhile, I’m having avast! perform a scan.

What error does MBAM give?

Download the mbam-clean.exe tool HERE: http://www.malwarebytes.org/mbam-clean.exe
Then run it.
It will ask to restart your computer (please allow it to).
Then download and install a fresh copy.

Error 732; the same I specified in an earlier post I believe.

avast! quickscan only detected the trojan at the following path; the second problem was gone:

C:\_OTS\MovedFiles.…\api-ms-win-core-l1-1-032.exe ; Win32:Downloader-IQO - [Trj]

Is it safe to quarantine, or does that make a conflict of interest of sorts?

No, it is quite safe there.

Did you uninstall/reinstall MBAM ?

Yes, I have. Installation successful; it is now fully up to date. Quick or Full Scan?