World first!! Truly unknown trojan assault or virus?? Please help

Dear Members,

I have been under attack for the past 2 weeks by an as yet completely unknown trojan or virus.

Usually I can type in the exe file names and come up with some information on the malicious files in question…not so with these pests.

Hoping somebody can assist.

My system:

Windows XP Professional - fully updated
Antivirus: Avast Free Anti Virus 7.0.1426 fully updated
Firewall: Zone Alarm ZoneAlarm Free Firewall version: 10.1.065.000
vsmon version: 10.1.065.000
Driver version: 10.1.065.000
ZoneAlarm Browser Security: 1.5.350.0
ZoneAlarm ForceField Spyware Scanner: 1.5.53.235
ZoneAlarm ForceField Anti-Phishing Database: 1.2.104.0
ZoneAlarm ForceField Spyware Sites Database: 04.155

Spybot: I have Ad-aware running, however as of yesterday I went back to Spybot S&D with the hopes it could be more successful.

The problem seems to work in the following order:

An Avast message will pop up with the indication that a trojan has been stopped; this will usually be something like D001.exe, H001.exe, c001.exe, A10.exe etc. Avast seems to be able to protect my system from the assault, fortunately.

I then notice that in Windows Task Manager either one or both of the following processes will open: ftp.exe and cmd.exe. If I don't shut these processes down, Avast will deliver popups at an unbelievable rate!!! It would not be unusual to get upwards of 40 popups within a few minutes, the popups indicating as mentioned above.

In the C:\windows\system32\ folder numerous folders will propagate with names like i7472, i6533, i4504 etc. (these numbers seem to be random); I will then also get exe files forming in the same folder with names like D001.exe, H001.exe etc.

Over the past few days, I have run full system scans with Avast, and bootscans, I have run housecall trend micro and spybot s&d as well as Ad-aware.

To resolve the situation I have attempted to stop the ftp.exe and the cmd.exe from actually opening in the first place, since this seems to be the way that the trojan attempts to download and install the virus or whatever is going on. However ZoneAlarm doesn't seem to be able to stop this process.

I have done extensive searches on the web for any information regarding the existence of any of these files but with absolutely no luck; I can therefore only assume this is a world first.

I have a HijackThis report if this might assist anyone; I have to attach it since it exceeds the 1000 word limit on postings.

Kind regards and thanks for any assistance you might be able to provide
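The behaviour described in the post above (cmd.exe spawning ftp.exe to pull payloads, then executables with names like D001.exe appearing under system32\i<digits>\) is a classic scripted-ftp downloader pattern, where a batch file writes an ftp command file and runs `ftp -s:<file>`. The following is an added example, not code from the original thread: it runs a detection for that pattern over a constructed list of process-creation records and parses a constructed ftp command file. The PIDs, the file names `C:\a.bat` and `C:\ftpcmds.txt`, the 192.0.2.10 address and the script contents are assumptions; the post does not show what a.bat or gz actually contain.

```python
"""Flag the cmd.exe -> ftp.exe downloader pattern (added example, not from the post).

Input is a constructed list of process-creation records (parent/child image and
command line) and a constructed ftp script; hosts, paths and PIDs are assumptions.
"""
import ntpath
import re

# Constructed process-creation records (Sysmon-style fields, written by hand).
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\WINDOWS\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\WINDOWS\system32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\a.bat"'},
    {"pid": 201, "ppid": 200, "image": r"C:\WINDOWS\system32\ftp.exe",
     "cmdline": r"ftp -s:C:\ftpcmds.txt"},
    {"pid": 202, "ppid": 200, "image": r"C:\WINDOWS\system32\i1893\D001.exe",
     "cmdline": "D001.exe"},
    # Interactive ftp started from Explorer: no -s: script, must not be flagged.
    {"pid": 300, "ppid": 100, "image": r"C:\WINDOWS\system32\ftp.exe",
     "cmdline": "ftp"},
]

# Constructed ftp command file of the kind a downloader batch file writes and
# then feeds to "ftp -s:<file>"; 192.0.2.10 is a documentation-range address.
FTP_SCRIPT = """open 192.0.2.10
user ftpuser ftppass
binary
get D001.exe
get H001.exe
bye
"""

# "-s:file" is ftp.exe's switch for running commands from a file.
FTP_SCRIPT_ARG = re.compile(r"(?i)(?:^|\s)-s:(\S+)")
# Names like D001.exe / H001.exe / A10.exe in the post: one letter, 2-3 digits.
DROPPED_NAME = re.compile(r"(?i)^[a-z]\d{2,3}\.exe$")
# Random-looking i<digits> directories directly under system32.
RANDOM_DIR = re.compile(r"(?i)\\system32\\i\d+\\")


def find_ftp_downloaders(events):
    """Return (pid, script_path) for ftp.exe children of cmd.exe run with -s:."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "ftp.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if not parent or ntpath.basename(parent["image"]).lower() != "cmd.exe":
            continue
        m = FTP_SCRIPT_ARG.search(e["cmdline"])
        if m:
            hits.append((e["pid"], m.group(1)))
    return hits


def find_dropped_executables(events):
    """Return pids whose image name or directory matches the dropper pattern."""
    return [e["pid"] for e in events
            if DROPPED_NAME.match(ntpath.basename(e["image"]))
            or RANDOM_DIR.search(e["image"])]


def parse_ftp_script(text):
    """Extract the server and the files a scripted ftp session fetches."""
    host, files = None, []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        verb = parts[0].lower()
        if verb == "open" and len(parts) > 1:
            host = parts[1]
        elif verb in ("get", "mget", "recv") and len(parts) > 1:
            files.extend(parts[1:])
    return host, files


if __name__ == "__main__":
    for pid, script in find_ftp_downloaders(EVENTS):
        print(f"pid {pid}: scripted ftp.exe spawned by cmd.exe, script {script}")
    print("dropper-like images:", find_dropped_executables(EVENTS))
    print("ftp script fetches:", parse_ftp_script(FTP_SCRIPT))
```

The parent-child check matters more than the image name alone: ftp.exe started interactively by a user is normal, ftp.exe started by cmd.exe with a `-s:` command file is the downloader signature. Where a command file is recovered from disk, the `open` host and the `get` targets tell you what to block and what to look for under system32.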

follow this guide and attach (not copy and paste) logs from Malwarebytes / OTL / aswMBR
http://forum.avast.com/index.php?topic=53253.0

Monitoring…

Hi guys, busy with the final scan and will post logs…thanks for the assistance

No hurry.

Logs as requested

I noticed some request for an alternate format for uploading the files in, however I found no way of doing this

Kind thanks

further attachments due to file size

Hi,

Do you recognize what this is? >>> C:\gz <---------

No idea Jeffce,

I see it has no file extension and was created this morning.

Hi,

Ok thanks.

Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember: if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.

Run OTL.exe

[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66019
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66019
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=66019
IE - HKCU\..\SearchScopes,DefaultScope = {38724ABE-6863-4493-808C-33DF1E2AD376}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKCU\..\SearchScopes\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}: "URL" = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw={searchTerms}&tbid=66019
IE - HKCU\..\SearchScopes\{38724ABE-6863-4493-808C-33DF1E2AD376}: "URL" = http://www.google.co.za/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GGLG_en
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2645238
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = ndf-cache1.saix.net:8080
[2012/01/29 15:36:35 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No CLSID value found.
O15 - HKCU\..Trusted Domains: internet ([]about in Internet)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O33 - MountPoints2\{1a291a8c-4ed7-11da-8481-0011098e0c0e}\Shell\AutoRun\command - "" = E:\
O33 - MountPoints2\{1a291a8c-4ed7-11da-8481-0011098e0c0e}\Shell\explore\Command - "" = RECYCLER\INFO.exe
O33 - MountPoints2\{1a291a8c-4ed7-11da-8481-0011098e0c0e}\Shell\open\Command - "" = RECYCLER\INFO.exe
O33 - MountPoints2\{3ac3aa11-c81b-11dc-a7bf-0011098e0c0f}\Shell\AutoRun\command - "" = E:\QUICKTIME\Q-43234FDHJ-0234567123-887321236-432\FEB2.exe
O33 - MountPoints2\{3ac3aa11-c81b-11dc-a7bf-0011098e0c0f}\Shell\open\command - "" = E:\QUICKTIME\Q-43234FDHJ-0234567123-887321236-432\FEB2.exe
O33 - MountPoints2\{44164cba-0f8c-11de-961e-0011098e0c0f}\Shell\AutoRun\command - "" = E:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorun.exe
O33 - MountPoints2\{44164cba-0f8c-11de-961e-0011098e0c0f}\Shell\open\command - "" = E:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorun.exe
O33 - MountPoints2\{6318e8f8-720c-11db-86ed-001060d01131}\Shell\Auto\command - "" = sal.xls.exe
O33 - MountPoints2\{6318e8f8-720c-11db-86ed-001060d01131}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6318e8f8-720c-11db-86ed-001060d01131}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe
O33 - MountPoints2\{922ac6be-f582-11dc-aef6-0011098e0c0f}\Shell\AutoRun\command - "" = E:\setupSNK.exe
O33 - MountPoints2\{935db3fa-0656-11df-80f6-0011098e0c0f}\Shell\AutoRun\command - "" = E:\Boha\Elsabah\boh.exe
O33 - MountPoints2\{935db3fa-0656-11df-80f6-0011098e0c0f}\Shell\open\command - "" = E:\Boha\Elsabah\boh.exe
O33 - MountPoints2\{9d5f271c-eb7d-11dc-bfee-0011098e0c0f}\Shell\Auto\command - "" = RavMonE.exe e
O33 - MountPoints2\{9d5f271c-eb7d-11dc-bfee-0011098e0c0f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9d5f271c-eb7d-11dc-bfee-0011098e0c0f}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e
O33 - MountPoints2\{bbff3f02-a1d3-11de-8057-0011098e0c0f}\Shell - "" = AutoRun
O33 - MountPoints2\{bbff3f02-a1d3-11de-8057-0011098e0c0f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{bbff3f02-a1d3-11de-8057-0011098e0c0f}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{d4301320-c615-11df-8218-0011098e0c0f}\Shell\AutoRun\command - "" = E:\NYzoPz.Exe
O33 - MountPoints2\{d4301320-c615-11df-8218-0011098e0c0f}\Shell\oPEn\ComManD - "" = E:\NYzOPz.eXe
O33 - MountPoints2\{f24287da-f794-11df-826e-0011098e0c0f}\Shell - "" = AutoRun
O33 - MountPoints2\{f24287da-f794-11df-826e-0011098e0c0f}\Shell\Auto\command - "" = sachost.exe
O33 - MountPoints2\{f24287da-f794-11df-826e-0011098e0c0f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f24287da-f794-11df-826e-0011098e0c0f}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sachost.exe
O33 - MountPoints2\{fb8726a6-a313-11dd-98c6-0011098e0c0f}\Shell\AutoRun\command - "" = RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe
O33 - MountPoints2\{fb8726a6-a313-11dd-98c6-0011098e0c0f}\Shell\open\command - "" = RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2012/05/09 11:41:42 | 000,144,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[createrestorepoint]
[start explorer]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered. There will be a log created when it completes that I will need in your next reply. Reboot when it is done.
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )
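The O33 MountPoints2 entries in the fix above are the Explorer autorun handlers left behind by every removable drive that was ever plugged into this machine; most of the targets there are the kind of thing autorun worms write into autorun.inf (executables under RECYCLER\, a double extension like sal.xls.exe, a RunDLL32 ShellExec_RunDLL wrapper, case-mangled key names like oPEn\ComManD). As an added example, not part of the original reply, the script below parses a handful of those O33 lines copied from the log and groups them per drive GUID with the heuristic indicators each one trips. The indicator names and the heuristics themselves are this example's own choices, not OTL's.

```python
"""Triage OTL O33 (MountPoints2) lines for autorun-abuse indicators.

Added example, not part of the thread. Sample lines are copied from the OTL
fix above; the indicators are heuristics chosen for this example.
"""
import re

O33_LINES = r"""
O33 - MountPoints2\{1a291a8c-4ed7-11da-8481-0011098e0c0e}\Shell\AutoRun\command - "" = E:\
O33 - MountPoints2\{1a291a8c-4ed7-11da-8481-0011098e0c0e}\Shell\open\Command - "" = RECYCLER\INFO.exe
O33 - MountPoints2\{6318e8f8-720c-11db-86ed-001060d01131}\Shell\Auto\command - "" = sal.xls.exe
O33 - MountPoints2\{6318e8f8-720c-11db-86ed-001060d01131}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe
O33 - MountPoints2\{bbff3f02-a1d3-11de-8057-0011098e0c0f}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{d4301320-c615-11df-8218-0011098e0c0f}\Shell\oPEn\ComManD - "" = E:\NYzOPz.eXe
O33 - MountPoints2\{fb8726a6-a313-11dd-98c6-0011098e0c0f}\Shell\AutoRun\command - "" = RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe
""".strip().splitlines()

# O33 - MountPoints2\{GUID}\<subkey> - "" = <target>
O33_RE = re.compile(
    r'^O33 - MountPoints2\\\{([0-9a-f-]{36})\}\\(\S+) - "" = (.*)$', re.I)

# Spellings Explorer itself uses for the shell verbs; anything else (oPEn,
# ComManD) is case-mangling, a common trick to dodge naive string matching.
NORMAL_COMPONENTS = {"Shell", "AutoRun", "Auto", "open", "Open",
                     "explore", "Explore", "command", "Command"}
DOUBLE_EXT = re.compile(r"\.(xls|doc|pdf|jpg|txt|mp3)\.exe\b", re.I)
EXE_TARGET = re.compile(r"\.exe\b", re.I)
ABSOLUTE = re.compile(r"^[A-Z]:\\", re.I)


def indicators_for(subkey, target):
    """Heuristic indicators for one MountPoints2 handler value."""
    found = set()
    if any(part not in NORMAL_COMPONENTS for part in subkey.split("\\")):
        found.add("mixed-case-subkey")
    if "recycler\\" in target.lower():          # payload hidden in RECYCLER\
        found.add("recycler")
    if DOUBLE_EXT.search(target):               # e.g. sal.xls.exe
        found.add("double-extension")
    if "shellexec_rundll" in target.lower():    # launched via rundll32 wrapper
        found.add("rundll32-wrapper")
    if EXE_TARGET.search(target) and not ABSOLUTE.match(target):
        found.add("relative-exe")               # runs whatever is on the drive
    return found


def analyze(lines):
    """Map drive GUID -> sorted indicator names; GUIDs with none are omitted."""
    result = {}
    for line in lines:
        m = O33_RE.match(line.strip())
        if not m:
            continue
        guid, subkey, target = m.group(1).lower(), m.group(2), m.group(3).strip()
        found = indicators_for(subkey, target)
        if found:
            result.setdefault(guid, set()).update(found)
    return {g: sorted(v) for g, v in result.items()}


if __name__ == "__main__":
    for guid, inds in analyze(O33_LINES).items():
        print(guid, ", ".join(inds))
```

The entry for `F:\LaunchU3.exe -a` trips nothing and is left out of the report, which is the point of grouping by GUID: the stale handlers that only point at the drive root are noise, the ones that chain an executable out of RECYCLER\ or through rundll32 are the ones worth the `:OTL` fix and a look at whatever USB stick they came from.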

Dear Jeffce,

Problems

I ran OTL as described, however when I select "Run Fix", the program indicates "don't interrupt: shutting down processes" or something to that effect, it then freezes on this, I tried twice giving it over 30 mins to shut down the programs and nothing happened.

It appears to have shutdown windows explorer, since the taskbar disappears, but then cannot get any further.

Hoping you can still assist

Kind regards

Hi,

Boot into Safe Mode and attempt to run the instructions I provided from there.

Dear Jeffce,

Many thanks for the advice, it worked 100%

Attached please find the two log reports:

The 05172012_072756.log is the log generated after the first run, the second one OTL.Txt is after running OTL again once rebooted.

Further my problem,

Avast again stopped a process this morning at 11:13am, exactly the same time as yesterday's one if I recall, the process was again via cmd.exe, which led to Avast deleting a file called ff.bat and run.vbs, with the creation of two files under the c: directory, namely a.bat file and a file called "gz", which you will recall you brought into question yesterday.

It is therefore evident from your detection of this "gz" file and the intrusion attempt at the same time as the creation, that they are linked in some way to my problem.

I am going to delete these files from the c: directory to avoid an entire day of attempted intrusions.

Hi,

Ok…

Let's get the big boy out.

Please read through these instructions to familiarize yourself with what to expect when this tool runs

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Dear Jeffce,

Would it be in order if I ran Combofix in safe mode?

Also the link provided namely:

How to Disable your Security Programs

Doesn’t seem to be active anymore

I have downloaded ComboFix and await your go ahead on running it in safe mode

Regards

Hi,

It would be best if you ran ComboFix in Normal Mode but if you are not able go ahead and run it in Safe Mode.

Hi Jeffce,

I have successfully run Combofix in normal mode and attach the combofix.txt

I note that in one line the following appears:

S4 ioTPnMFE;JDEaKF kTomiyAEL;c:\windows\system32\i1893\D001.exe → c:\windows\system32\i1893\D001.exe [?]

This is one of those files that keep activating, the D001.exe

Kind regards

[*]Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:


ClearJavaCache::

DDS::
uStart Page = hxxp://www.google.co.za/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = ndf-cache1.saix.net:8080

Firefox::
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\1xdchiaz.default\
FF - prefs.js: browser.startup.homepage - hxxps://secure.sarsefiling.co.za/DefaultLogin.asp
FF - prefs.js: network.proxy.ftp - ndf-cache1.saix.net
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.http - ndf-cache1.saix.net
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - ndf-cache1.saix.net
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - ndf-cache1.saix.net
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 1

File::
c:\windows\system32\i1893\D001.exe
c:\docume~1\user\LOCALS~1\Temp\MHMKILA.exe
c:\documents and settings\Administrator\Start Menu\Programs\Startup\7k7kÓÎÏ·ºÐ.exe

DirLook::
c:\windows\system32\i9849

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12670:TCP"=-
"12670:UDP"=-
"26675:TCP"=-
"9420:TCP"=-
"5000:UDP"=-

Driver::
ioTPnMFE
MHMKILA

[*]Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
[*]ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
[*]When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
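The `Registry::` section of the CFScript above deletes five entries from the XP firewall's GloballyOpenPorts list, i.e. inbound exceptions that something on the machine had added for itself. As an added example, not part of the reply, the script below parses a constructed .reg-style export of that key, flags entries that are enabled for any remote scope (`*`) and not on an allowlist, and emits a CFScript `Registry::` block in the same `"port:proto"=-` form used above. The port numbers are the ones from the fix; the descriptions, the LocalSubNet entries and the allowlist are assumptions. The value data format (port:proto:scope:Enabled|Disabled:description) is how XP SP2's firewall stores these exceptions.

```python
"""Triage XP firewall GloballyOpenPorts entries and emit a CFScript Registry:: block.

Added example, not from the thread. REG_EXPORT is a constructed .reg-style
export; descriptions and the allowlist are assumptions.
"""
import re

REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
"12670:TCP"="12670:TCP:*:Enabled:update"
"12670:UDP"="12670:UDP:*:Enabled:update"
"5000:UDP"="5000:UDP:*:Disabled:upnp"
"26675:TCP"="26675:TCP:*:Enabled:svc"
"""

# "port:proto"="port:proto:scope:Enabled|Disabled:description"
ENTRY_RE = re.compile(
    r'^"(\d+:(?:TCP|UDP))"="(\d+):(TCP|UDP):([^:]*):(Enabled|Disabled):(.*)"$', re.I)

# Same key, written the way CFScript spells it in the fix above.
CFSCRIPT_KEY = (r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy"
                r"\standardprofile\GloballyOpenPorts\List]")


def parse_open_ports(text):
    """Return one dict per exception value found in a .reg-style export."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        name, port, proto, scope, state, desc = m.groups()
        entries.append({"name": name.upper(), "port": int(port),
                        "proto": proto.upper(), "scope": scope,
                        "enabled": state.lower() == "enabled", "desc": desc})
    return entries


def suspicious_ports(entries, allow):
    """Names of enabled, any-scope exceptions that are not on the allowlist."""
    return [e["name"] for e in entries
            if e["enabled"] and e["scope"] == "*" and e["name"] not in allow]


def cfscript_registry_block(names):
    """Build the Registry:: section that deletes the given value names."""
    lines = ["Registry::", CFSCRIPT_KEY] + [f'"{n}"=-' for n in names]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Allowlist is an assumption: file-and-printer sharing on the local subnet.
    bad = suspicious_ports(parse_open_ports(REG_EXPORT), {"139:TCP", "445:TCP"})
    print(cfscript_registry_block(bad))
```

An `=-` line in a .reg-style script deletes the named value, which is exactly what the CFScript above does for each port; the allowlist keeps the File and Printer Sharing entries out of the deletion list so the script only touches exceptions nobody can account for. Disabled entries such as the 5000/UDP one are not flagged here, though removing them as the fix did is harmless.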

Dear Jeffce,

Everything went smoothly.

I attach the log sheet as requested.

Regards