53 replies to this topic

[Maurice Naggar]

Much better report. Very good result from TDSSKILLER --- nothing detected.

We 'may" have turned the corner on this long-lasting-hunt. But need a few more checks.

A Full scan with MBAM may take an hour or two, perhaps more, depending on yur system ---- but is well worth it.
Turn OFF your antivirus program, so that it does not interfere.

Save and close any work documents, close any apps that you started.
Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.
Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.
Do a FULL Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Post (Copy and Paste) the MBAM scan log.

NEXT:
A online scan at ESET Online may take several hours --- but once more, well worth it.

You will want to print out or copy these instructions to Notepad for offline reference!

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Do NOT turn off the firewall

Close all open browsers at this point.

Start Internet Explorer (fresh) by pressing Start >> Internet Explorer >> Right-Click and select Run As Administrator.
Using Internet Explorer browser only, go to ESET Online Scanner website:
http://www.eset.com/onlinescan/

• Accept the Terms of Use and press Start button;
  
• Approve the install of the required ActiveX Control, then follow on-screen instructions;
  
• Enable (check) the Remove found threats option, and run the scan.
  
• After the scan completes, the Details tab in the Results window will display what was found and removed.
  
  • A logfile is created and located at C:\Program Files (x86)\Eset\EsetOnlineScanner\log.txt.
  Look at contents of this file using Notepad.
  
  The Frequently Asked Questions for ESET Online Scanner can be viewed here
  http://go.eset.com/u...ine-scanner/faq
  
  
  • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
    (And the prompt re-enabling when finished.)
    
  • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.
    
  • Do not use the system while the scan is running. Once the full scan is underway, go take a long break

Re-enable the antivirus program.

Reply with copy of the Eset scan log for review, AND
tell me, How is the system (generally) now

[madara]

Bad news, I still can't run MBAM in normal mode so I'm currently running the scan in safe mode with networking. The same goes for the ESET Online Scanner; I can't access the website in normal mode of the infected computer. I will try ESET in safe mode once MBAM is finished.

Also, when I turned my computer on this morning (in normal mode), the Windows Command Processor popup appeared again.

[madara]

MBAM ran in safe mode with networking.


Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org
Database version: v2012.06.29.12
Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Patrick Fong :: PATRICKFONG-PC [administrator]
Protection: Disabled
30/06/2012 10:46:25 AM
mbam-log-2012-06-30 (10-46-25).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 420748
Time elapsed: 1 hour(s), 1 minute(s), 55 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)

[madara]

Also ran ESET online scanner in safe mode with networking. Here is the log.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=9fe70c67ed45ca4ea6b5006bb84e666c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-06-30 03:11:32
# local_time=2012-06-30 01:11:32 (+1000, AUS Eastern Standard Time)
# country="Australia"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 1608473 1608473 0 0
# compatibility_mode=5892 16776574 100 100 1652098 178551185 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=211431
# found=6
# cleaned=6
# scan_time=3961
C:\Qoobox\Quarantine\C\Users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe.vir a variant of Win32/Kryptik.AHES trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe a variant of Win32/Kryptik.AHES trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Patrick Fong\AppData\Local\temp\lhfujcbahkhdwheq.exe a variant of Win32/Kryptik.AHES trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Patrick Fong\Desktop\Programs\Startup\tchahayq.exe a variant of Win32/Kryptik.AHES trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Patrick Fong\Desktop\RK_Quarantine\lhfujcbahkhdwheq.exe.vir a variant of Win32/Kryptik.AHES trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Patrick Fong\Desktop\RK_Quarantine\tchahayq.exe.vir a variant of Win32/Kryptik.AHES trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

[Maurice Naggar]

This system has a very persistent and self-replicating trojan. We have been at it for two weeks. It is past time for a frank and very serious realization.

The ESET online scan shows that the Win32-kryptic.AHES trojan has re-appeared. And as you reported, the "Windows Command Processor" rogue has re-appeared (again).

Please answer each of the following questions in a correspondingly-numbered list in your very next reply (no need to quote this post):

1a. Does the computer-in-question belong to your company or does it belong to you, or a friend/relative?

1b. Did Vista come preinstalled on the computer when you bought it, did you do a clean install of Vista, or did you upgrade from XP to Vista?

2a. Was TrendMicro pre-installed on this system or did you intentionally choose to install it?

2b. In Windows Explorer [WinKey+E], navigate to &

• right-click on C:\Program Files\trend micro <<---this folder
  
• Select Properties: What is the Created date displayed on the resulting General tab?

2c. What anti-virus application was installed before you got TrendMicro, was your subscription still current, and did you uninstall it before you installed TrendMicro?

3. Has a Norton application or other antivirus application EVER been installed on the computer?

4. Did a Norton free-trial or a McAfee free-trial come preinstalled on the computer when you bought it? (Doesn't matter if you never used or Activated it.)

5. Has this system ever been without antivirus program installed & active ?

6. Do you have the Windows Vista operating system DVD?

7. Do you have a full image backup of this system from before the trojan infection getting in ?

Warning on trojans
This system has some serious backdoor trojans, spyware, and likely, a rookit.
This is a point where you need to decide about whether to make a clean start.
According to the information provided in logs, one or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files.
You are strongly advised to do the following immediately.
1. Call your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.
2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.
3. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer. (Remote access trojan) Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.
* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh. While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions. I would recommend that you do a full reformat and reinstall of Windows rather than clean the system.
I suggest that you backup important files and reinstall everything from scratch. There are so many changes that could have been done if that backdoor was used.
Here is some additional information: What Is A Backdoor Trojan? http://www.geekstogo...backdoor-trojan
Danger: Remote Access Trojans http://www.microsoft...o/virusrat.mspx
Consumers – Identity Theft http://www.ftc.gov/b...mers/index.html
When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451
Rootkits: The Obscure Hacker Attack http://www.microsoft...tip/st1005.mspx
Help: I Got Hacked. Now What Do I Do? http://www.microsoft...gmt/sm0504.mspx
Help: I Got Hacked. Now What Do I Do? Part II http://www.microsoft...gmt/sm0704.mspx
Microsoft Says Recovery from Malware Becoming Impossible http://www.eweek.com...,1945808,00.asp

Please answer my questions from above, and let me know what you decide.
A complete wipe (nuke) and pave followed by a clean re-install is the safest thing to do.

Should you still decide on trying to cure this infection, I must put a timecap of 2 days before calling a total halt.
We have already been at it for a week. It would have been faster to wipe & re-install earlier.

Only if you still want to keep trying with this saga:
Run the Microsoft Windows Defender Offline. This is an "offline" tool that you boot the pc with and scan your system for malware.
To get started, find a blank CD, DVD, or USB flash drive with at least 250 MB of free space and then download and run the tool—the tool will help you create the removable media.

The basic sequence of steps are
a) Download and SAVE the tool to a unique folder/location on your pc
b) Create the CD/DVD/USB-flash drive with tool
c) Set pc to boot from the offline media
d) Place media in & restart system
e) Run the tool. Have infinite patience & have it scan the entire system. Remove any malware that is found.

Download & info link http://windows.micro...efender-offline

The frequently asked questions for this tool
http://windows.micro...der-offline-faq

Another How-to article on WDO http://www.sevenforu...er-offline.html

[madara]

1a) The computer belongs to me.

1b) Vista came pre-installed on our computer.

2a) We chose to install it, in early-mid June after our Norton 360 subscription ran out.

2b) June 11, 2012

2c) Norton 360. No, Norton expired for ~3 days before TrendMicro was activated. Yes I uninstalled Norton before installing Trend.
3) Yes, we've only had Norton installed on this computer.

4) A Norton free-trial came pre-installed.

5) Yes, only the ~3 days between Norton expiring and Trend being activated in June, 2012.

6) No, I don't think so. I will have a look around but I don't remember ever seeing one.

7) We only ever backed up to a HP SimpleSave external hard drive. That was also a long time ago. We haven't used this computer for important things as much recently as we have two new computers for our work-related stuff.

We've decided to follow your advice and do a full reformat. If I can't find a disc with the Vista operating system, is there any other way to get it back? Or will I have to go and buy the disc? Also, in the past we did use this computer for internet banking, university sites, emails and entered other personal information. How far back can this virus go in terms of gathering personal information? I will still be changing all my passwords and alerting my bank.

Can you help us through the reformatting process, please?

Thank you for all your help.

Pat

[madara]

PS. When I turned the computer on to check the "created date" for Trend, I noticed that Windows Command Processor didn't pop up and we started the computer in normal mode.

[Maurice Naggar]

Sure, I can refer you to some reference article on clean install.
Have you changed your mind, now?

Only 'you' can judge how far back the trojan got onboard.
As I mentioned, it is safest to use a clean computer to change all your passwords.

[madara]

Nope, I'm still going with the clean install. I was just surprised when I turned the computer on today.

[Maurice Naggar]

OK. Tell me who is the manufacturer of this pc?

You indicated you did not have the Vista DVD. Let's take a peek to see if the OEM manufacturer has a recovery partition on the HDD.
Please download Listparts
Run the tool, click Scan and post the log (Result.txt) it makes.

[madara]

The manufacturer is Hewlett-Packard. Here is the log.

ListParts by Farbar Version: 23-06-2012
Ran by Patrick Fong (administrator) on 01-07-2012 at 02:14:57
Windows Vista (X86)
Running From: C:\Users\Patrick Fong\Desktop
Language: 0409
************************************************************
========================= Memory info ======================
Percentage of memory in use: 60%
Total physical RAM: 2046.57 MB
Available physical RAM: 802.93 MB
Total Pagefile: 4332.16 MB
Available Pagefile: 2870.92 MB
Total Virtual: 2047.88 MB
Available Virtual: 1964.57 MB
======================= Partitions =========================
1 Drive c: (HP) (Fixed) (Total:289.41 GB) (Free:74.19 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (Recovery) (Fixed) (Total:8.68 GB) (Free:1.01 GB) NTFS
Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 289 GB 32 KB
Partition 2 Primary 9 GB 289 GB
======================================================================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C HP NTFS Partition 289 GB Healthy System (partition with boot components)
======================================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D Recovery NTFS Partition 9 GB Healthy
======================================================================================================
Windows Boot Manager
--------------------
identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device partition=C:
description Windows Boot Manager
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
default {b646ad0b-2031-11dc-83db-001bfc5eda91}
resumeobject {b646ad0c-2031-11dc-83db-001bfc5eda91}
displayorder {b646ad0b-2031-11dc-83db-001bfc5eda91}
toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout 30
resume No
Windows Boot Loader
-------------------
identifier {572bcd55-ffa7-11d9-aae2-0007e994107d}
device ramdisk=[D:]\sources\boot.wim,{ae5534e0-a924-466c-b836-758539a3ee3a}
path \windows\system32\boot\winload.exe
description HP Recovery Manager
osdevice ramdisk=[D:]\sources\boot.wim,{ae5534e0-a924-466c-b836-758539a3ee3a}
systemroot \windows
nx OptIn
detecthal Yes
winpe Yes
Windows Boot Loader
-------------------
identifier {b646ad0b-2031-11dc-83db-001bfc5eda91}
device partition=C:
path \Windows\system32\winload.exe
description Microsoft Windows Vista
locale en-US
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoverysequence {572bcd55-ffa7-11d9-aae2-0007e994107d}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {b646ad0c-2031-11dc-83db-001bfc5eda91}
nx OptIn
Resume from Hibernate
---------------------
identifier {b646ad0c-2031-11dc-83db-001bfc5eda91}
device partition=C:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {1afa9c49-16ab-4a5c-901b-212802da9460}
filedevice partition=C:
filepath \hiberfil.sys
pae Yes
debugoptionenabled No
Windows Memory Tester
---------------------
identifier {b2721d73-1db4-4c62-bf78-c548a880142d}
device partition=C:
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
badmemoryaccess Yes
Windows Legacy OS Loader
------------------------
identifier {466f5a88-0af2-4f76-9038-095b170dc21c}
device partition=C:
path \ntldr
description Earlier Version of Windows
EMS Settings
------------
identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
bootems Yes
Debugger Settings
-----------------
identifier {4636856e-540f-4170-a130-a84776f4c654}
debugtype Serial
debugport 1
baudrate 115200
RAM Defects
-----------
identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}
Global Settings
---------------
identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
inherit {4636856e-540f-4170-a130-a84776f4c654}
{0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
{5189b25c-5558-4bf2-bca4-289b11bd29e2}
Boot Loader Settings
--------------------
identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
Resume Loader Settings
----------------------
identifier {1afa9c49-16ab-4a5c-901b-212802da9460}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
Device options
--------------
identifier {ad6c7bc8-fa0f-11da-8ddf-0013200354d8}
description Ramdisk Device Options
ramdisksdidevice partition=D:
ramdisksdipath \boot\boot.sdi
Setup Ramdisk Options
---------------------
identifier {ae5534e0-a924-466c-b836-758539a3ee3a}
description RAM Disk Settings
ramdisksdidevice partition=D:
ramdisksdipath \boot\boot.sdi

****** End Of Log ******

[Maurice Naggar]

You indicated that you do not have the Windows Vista CD/DVD for this HP system.
It looks like the HP factory restore patition is on the 2nd partition of your hard-disk-drive.

I would suggest you contact HP support, see http://www8.hp.com/u...hp/contact.html
Ask them if they can provide the Vista CD or if they can provide a recovery CD/DVD.
For sure, they can guide you to document/reference for putting back your system to "factory state" from the "factory restore partition".

Meantime, backup your personal files, documents, etc. to offline media (USB external drive, or USB-flash-thumb drive, oc CD/DVD).
A reset to factory state will result in your losing all personal files/documents, and any programs you added on after getting the new pc.
A rest to factory state (from the HP recovery partition) will put back the pc to the same state as when the pc shipped out from factory.

IF they included any antivirus package (from factory) you would need to de-install it.....before re-installing 'your' antivirus.
Note also, if Vista service pack 2 was not included when you got the pc, you will have to get & apply Service pack 2 from Microsoft (after the system restore). Plus all subsequent MS updates.

[madara]

If I transfer files to USBs/External harddrives, will I have a chance of transferring the virus to another PC? If there is a risk I'd prefer to lose the files than the other PC.

Also, in your personal opinion, which AV protection do you prefer? I'm not sure if we should stick with TrendMicro or change back to Norton

[Maurice Naggar]

As regards the saved personal files, The proviso is that you would scan them with antivirus app and MBAM before copying them back onto the system.
imho, my preferences are for MS Security Essentials or Avira. If cost is not an issue, then ESET antivirus.
I would discourage use of Norton/Symantec unless you refer to Symantec business-class antivirus.