Author Topic: Major Virus Problem  (Read 17576 times)


bluecountry

    Topic Starter


    Apprentice

    Thanked: 1
    Major Virus Problem
    « on: April 16, 2011, 03:16:58 PM »
    I was watching a hockey game on my PC, when my anti-virus (Symantec) alerted me to a trojan!

    I have run several scans, tried to delete, but it still seems to be stuck in quarantine.

    I have gone through and run Spyware scan/MBAM/HiJack this and posted those logs.

    I cannot post my Symantec logs because they are .csv files....let me know if you need them PM/emailed.
    Please, please let me know what is wrong, and what I can do to be cured.
    Thanks!

    [recovering disk space - old attachment deleted by admin]

    bluecountry

      Re: Major Virus Problem
      « Reply #1 on: April 17, 2011, 09:44:52 AM »
      Anybody?

      SuperDave

      • Malware Removal Specialist


      • Genius
      • Thanked: 1020
      • Certifications: List
      • Experience: Expert
      • OS: Windows 10
      Re: Major Virus Problem
      « Reply #2 on: April 17, 2011, 12:36:23 PM »
      Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

      1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
      2. The fixes are specific to your problem and should only be used for this issue on this machine.
      3. If you don't know or understand something, please don't hesitate to ask.
      4. Please DO NOT run any other tools or scans while I am helping you.
      5. It is important that you reply to this thread. Do not start a new topic.
      6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
      7. Absence of symptoms does not mean that everything is clear.

      If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
      *************************************************
      One or more of the identified infections is a backdoor trojan.

      This allows hackers to remotely control your computer, steal critical system information and download and execute files.

      Read this article: Danger: Remote Access Trojans.

      If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one! If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

      I would counsel you to disconnect this PC from the Internet immediately.

      Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

      How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

      When Should I Format, How Should I Reinstall?

      We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

      Should you have any questions, please feel free to ask.

      Please let us know what you have decided to do in your next post.
      Windows 8 and Windows 10 dual boot with two SSD's

      bluecountry

        Re: Major Virus Problem
        « Reply #3 on: April 18, 2011, 06:32:05 PM »
        Geez!   All I did was go to myP2P.com and click to watch a hockey game from one of the feeds, then this happens moments after!

        Look, is my PC really infected and at severe risk?  I do not want to reformat unless it absolutely has to be done, I do not know how to and it would just be a major, major hassle, but if it is what has to be done, I will.
        My preference is simply to clean up the PC and use it as I always did.
        Are we even sure I have a RAT?

        Thanks for your post, please let me know the next step.
        Again, I want to fix the PC and not reformat unless it absolutely must be done.

        Is there any way I can tell if my ID has been/will be compromised and/or if a RAT is currently on my PC, so I can rest easy?

        bluecountry

          Re: Major Virus Problem
          « Reply #4 on: April 18, 2011, 07:01:40 PM »
          Read the articles you linked, reformatting would be a royal pain which I do not want to do unless I have to.
          So, how high a risk is it should I decide I do not reformat?
          How likely is it that I have ID theft?

          I mean, can we just fix this and get on, or just how at risk am I with no reformat and how likely is it I have ID theft/what should I do in that regard?
          I think my PC alerted and stopped the RAT within minutes.

          SuperDave

          Re: Major Virus Problem
          « Reply #5 on: April 19, 2011, 01:30:31 PM »
          I am required to inform the user any time I see evidence that your computer is/was infected by a backdoor trojan. If you use your computer for financial transactions, it can never be trusted again. The only way to restore it to where it can be safe again is a complete re-format and re-install. The choice is yours to make. Please let me know what course of action you want to take.

          bluecountry

            Re: Major Virus Problem
            « Reply #6 on: April 20, 2011, 09:38:43 PM »
            I want to go ahead and fix the PC.
            I don't want to go through the hassle of backing up all my files, my music, then having to re-install everything.
            Sounds like a pain in the *censored*.
            I used my PC today to look at my bank statement, and it was fine.
            I don't see why it can't be trusted, everything was quarantined, this just seems to be being overprotective.

            I would like to go ahead and clean this PC up forget this ever happened.  What next?
            Thanks!

            SuperDave

            Re: Major Virus Problem
            « Reply #7 on: April 21, 2011, 12:48:48 PM »
            Quote
            I don't see why it can't be trusted, everything was quarantined, this just seems to be being overprotective.
            As I stated before, I'm required to inform you. Now that you have made a decision, let's continue.

            Download Security Check by screen317 from one of the following links and save it to your desktop.

            Link 1
            Link 2

            * Unzip SecurityCheck.zip and a folder named Security Check should appear.
            * Open the Security Check folder and double-click Security Check.bat
            * Follow the on-screen instructions inside of the black box.
            * A Notepad document should open automatically called checkup.txt
            * Post the contents of that document in your next reply.

            Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
            *******************************************************
            • Download TDSSKiller and save it to your Desktop.
            • Extract its contents to your desktop.
            • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
            • If an infected file is detected, the default action will be Cure, click on Continue.
            • If a suspicious file is detected, the default action will be Skip, click on Continue.
            • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
            • Click the Report button and copy/paste the contents of it into your next reply
            Note: It will also create a log in the C:\ directory.

            bluecountry

              Re: Major Virus Problem
              « Reply #8 on: April 21, 2011, 11:10:24 PM »
              I have attached screen317

              I ran TDSSKiller, did a scan.
              It said:
              " duration: 00:01:33
              Processed: 270 objects.
              Infections: not found"

              I do not have a log from it.
              Thanks for the advice man, what now?

              [recovering disk space - old attachment deleted by admin]
              « Last Edit: April 21, 2011, 11:25:14 PM by bluecountry »

              SuperDave

              Re: Major Virus Problem
              « Reply #9 on: April 22, 2011, 10:39:12 AM »
              Please do not attach your logs unless absolutely necessary. Copy and paste them in your reply(ies)

              Update Your Java (JRE)

              Old versions of Java have vulnerabilities that malware can use to infect your system.


              First Verify your Java Version

              If there are any other version(s) installed then update now.

              Get the new version (if needed)

              If your version is out of date install the newest version of the Sun Java Runtime Environment.

              Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

              Be sure to close ALL open web browsers before starting the installation.

              Remove any old versions

              1. Download JavaRa and unzip the file to your Desktop.
              2. Open JavaRa.exe and choose Remove Older Versions
              3. Once complete exit JavaRA.
              4. Run CCleaner.

              Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
              *******************************************
              Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

              link # 1
              Link # 2
              If you are using Firefox, make sure that your download settings are as follows:

              * Tools->Options->Main tab
              * Set to "Always ask me where to Save the files".

              Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

              Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

              Right-click combofix.exe and select Run as Administrator and follow the prompts.
              When finished, ComboFix will produce a log for you.
              Post the ComboFix log and a new HijackThis log in your next reply.

              NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

              Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.

              bluecountry

                Re: Major Virus Problem
                « Reply #10 on: April 22, 2011, 10:55:16 AM »
                Thought I would update you as well on this.

                About 3-4 times a day I get a pop up message from my anti-virus, Symantec.
                It says:

                Quote
                Updated virus protection files have been delivered and installed on your computer.

                Symantec Endpoint Protection may now be able to repair the infected files in quarantine. 
                The easiest way to check and eliminate viruses is to let Symantec Endpoint Protection do it automatically.

                You can process the Quarantine items now, or scan them at a later time.  Do you want to continue?

                Yes (recommended)
                No

                I click yes and next.

                Then it says:
                Quote
                The following viral threats are quarantined

                Name                                                    Virus Name
                C:\Users\Trent\Appdata\Local\Temp\aesxrwnmoc.exe        Trojan.Gen2
                C:\Users\Trent\Appdata\Local\Temp\setup631134912.exe    Trojan.Gen2
                C:\Users\Trent\Appdata\Local\Temp\setup22562224256.exe  Trojan.Gen2
                C:\Users\Trent\Appdata\Local\Temp\setup2172912384.exe   Trojan.Gen2
                C:\Users\Trent\Appdata\Local\Temp\wmoearcsxn.exe        Trojan.Gen2
                C:\Users\Trent\Appdata\Local\Temp\SETUP2001202560.EXE   Trojan.Gen2
                C:\Users\Trent\Appdata\Local\Temp\OERWNMCASX.EXE        Trojan.Gen2
                C:\Users\Trent\Appdata\Local\Temp\SETUP2891177728.EXE   Trojan.Gen2
                C:\Users\Trent\Appdata\Local\Temp\SETUP1660496000.EXE   Trojan.Gen2
                C:\Users\Trent\Appdata\Local\Temp\SETUP2307131200.EXE   Trojan.Gen2
                C:\Users\Trent\Appdata\Local\Temp\SETUP2602375296.EXE   Trojan.Gen2
                C:\Users\Trent\Appdata\Local\Temp\SETUP3432212800.EXE   Trojan.Gen2
                C:\Users\Trent\Appdata\Local\Temp\SETUP3826254848.EXE   Trojan.Gen2
                C:\Users\Trent\Appdata\Local\Temp\SETUP4007217856.EXE   Trojan.Gen2
                C:\Users\Trent\Appdata\Local\Temp\SETUP4093952512.EXE   Trojan.Gen2
                C:\Users\Trent\Appdata\Local\Temp\SETUP4109405312.EXE   Trojan.Gen2
                C:\Users\Trent\Appdata\Local\Temp\SETUP609629184.EXE    Trojan.Gen2
                C:\Users\Trent\Appdata\Local\Temp\SETUP73829120.EXE     Trojan.Gen2
                C:\Users\Trent\Appdata\Local\Temp\SETUP806497344.EXE    Trojan.Gen2
                C:\Users\Trent\Appdata\Local\uniyovuzi.dll              Trojan.Zefarch

                Click next to see if items can be repaired

                I click next and a few minutes later I get this read:

                Quote
                Items in quarantine can not be repaired using the Virus Definition files that have just been delivered.

                Leave the infected files in quarantine.  They are isolated from the rest of your system and can do no further damage.

                As a safety precaution, scan all the disks you use, including floppies, to make sure you have found the source of the infection.

                Then it offers me the choice of

                Finish or Close.


                This happens to me at least 3-4 times, everyday, and it is getting very annoying.
                1)  Am I going to have to deal with this now through forever on my PC?
                2)  Anyway I can clear all of these files?
                3)  Are the files listed benign for the moment?
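An added example, not part of any post in this thread: a PowerShell snippet that parses a quarantine listing of the shape shown above ("<path>  <detection name>") and groups the entries by the folder the file sat in and by the shape of its filename, so the pattern in the list is visible at a glance rather than buried in twenty near-identical lines. The sample text is the listing posted above, reproduced here as constructed input; the function name, the two location buckets and the filename heuristics (a "setup" prefix followed only by digits, or eight to twelve letters with no digits) are choices made for this example, not anything Symantec reports.

```powershell
# Added example, not from the original thread. Parses a Symantec quarantine
# listing ("<path>  <detection>") and classifies each entry by folder and by
# filename shape. Windows PowerShell 3.0 or later; nothing on disk is touched.

# Constructed input: a subset of the listing posted in this thread, one entry per line.
$listing = @'
C:\Users\Trent\Appdata\Local\Temp\aesxrwnmoc.exe        Trojan.Gen2
C:\Users\Trent\Appdata\Local\Temp\setup631134912.exe    Trojan.Gen2
C:\Users\Trent\Appdata\Local\Temp\setup22562224256.exe  Trojan.Gen2
C:\Users\Trent\Appdata\Local\Temp\wmoearcsxn.exe        Trojan.Gen2
C:\Users\Trent\Appdata\Local\Temp\SETUP2001202560.EXE   Trojan.Gen2
C:\Users\Trent\Appdata\Local\Temp\OERWNMCASX.EXE        Trojan.Gen2
C:\Users\Trent\Appdata\Local\uniyovuzi.dll              Trojan.Zefarch
'@

function ConvertFrom-QuarantineLine {
    param([Parameter(Mandatory)][string]$Line)

    # The path and the detection name are separated by two or more spaces.
    $parts = $Line.Trim() -split '\s{2,}', 2
    if ($parts.Count -ne 2) { return }
    $path, $detection = $parts

    $name = [System.IO.Path]::GetFileName($path)
    $dir  = [System.IO.Path]::GetDirectoryName($path)

    # Where the file sat. -match is case-insensitive, which suits Windows paths.
    $location = if ($dir -match '\\AppData\\Local\\Temp$') { 'user Temp' }
                elseif ($dir -match '\\AppData\\Local$')   { 'LocalAppData root' }
                else                                       { 'other' }

    # Filename shape: sequential "setupNNN.exe" names versus letter-only names
    # (exe or dll). Thresholds are a heuristic chosen for this example.
    $pattern = if ($name -match '^setup\d+\.exe$')              { 'setup<digits>.exe' }
               elseif ($name -match '^[a-z]{8,12}\.(exe|dll)$') { 'letters only' }
               else                                             { 'other' }

    [pscustomobject]@{
        File        = $name
        Location    = $location
        NamePattern = $pattern
        Detection   = $detection
    }
}

$entries = $listing -split "`r?`n" |
    Where-Object { $_.Trim() } |
    ForEach-Object { ConvertFrom-QuarantineLine $_ }

$entries | Format-Table -AutoSize

'Count by location, filename pattern and detection name:'
$entries |
    Group-Object Location, NamePattern, Detection |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Run against the full list, every entry except uniyovuzi.dll groups under the user's Temp folder, which is exactly the directory a temp-file cleaner empties; the single DLL outside Temp is the one worth looking for in the startup entries of the HijackThis and ComboFix logs Dave asked for. To use real data, export the quarantine view from the Symantec client and assign the text to $listing instead of the constructed sample.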

                bluecountry

                  Re: Major Virus Problem
                  « Reply #11 on: April 22, 2011, 11:09:34 AM »
                  OK...I went and updated to Java update 24.

                  Problem?

                  I downloaded as told JavaRa 1.16.
                  I then went to remove older versions.
                  This is what I am told:

                  Quote
                  Finished searching for older versions of the JRE that were found on this system.
                  A logfile has been created on your system.
                  It is called JavaRa.log, and can be found on the main hard drive folder (C: for example).

                  JavaRa will now open its logfile.

                  I click ok, nothing happens.

                  I search c drive, find nothing.

                  I rerun this 3 times, same thing.

                  So, uh, are the old Javas gone and can I delete JavaRa?

                  SuperDave

                  Re: Major Virus Problem
                  « Reply #12 on: April 22, 2011, 06:17:05 PM »
                  Quote
                  Anyway I can clear all of these files?
                  You should be able to go into Symantec and empty the quarantined folder
                  Quote
                  Are the files listed benign for the moment?
                  Yes. As long as they remain in the quarantined folder. You should contact Symantec for more help on this.
                  Quote
                  So uh are the old javas gone and can I delete javara?
                  Go ahead and go into Control Panel, Programs and Features and see if there are any old version below 24 there. If there are, uninstall them.
                  Don't forget to download and run ComboFix and post the log.
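Dave's Java steps (update, remove older versions with JavaRa, then check Programs and Features for anything below Update 24) can be cross-checked from the registry rather than by eye. The following is an added example and is not part of the original thread, of JavaRa or of any Symantec tool: it reads the same uninstall entries that Programs and Features displays and lists every Java Runtime entry older than the newest one found. The regular expression on DisplayName, the function name and the "older than newest" comparison are assumptions made for this example; the script removes nothing.

```powershell
# Added example, not from the original thread. Lists Java Runtime entries from
# the uninstall registry keys that Programs and Features reads, and flags any
# older than the newest one installed. Read-only; run from an elevated prompt
# so both the native and the WOW6432Node (32-bit) uninstall keys are readable.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledJavaRuntime {
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $p = Get-ItemProperty $sub.PSPath
            # Display names look like "Java(TM) 6 Update 24" or "Java 8 Update 291".
            # The pattern is an assumption of this example; a null DisplayName simply fails to match.
            if ($p.DisplayName -match '^Java(\(TM\))?\s+(\d+)\s+Update\s+(\d+)') {
                [pscustomobject]@{
                    DisplayName     = $p.DisplayName
                    Major           = [int]$Matches[2]
                    Update          = [int]$Matches[3]
                    DisplayVersion  = $p.DisplayVersion
                    UninstallString = $p.UninstallString
                    RegistryKey     = $sub.PSChildName
                }
            }
        }
    }
}

$java = @(Get-InstalledJavaRuntime)
if ($java.Count -eq 0) {
    'No Java Runtime uninstall entries found.'
    return
}

$newest = $java | Sort-Object Major, Update -Descending | Select-Object -First 1
"Newest installed: $($newest.DisplayName)"

# Anything with a lower major version, or the same major and a lower update number, is stale.
$older = $java | Where-Object {
    $_.Major -lt $newest.Major -or
    ($_.Major -eq $newest.Major -and $_.Update -lt $newest.Update)
}

if ($older) {
    'Older versions still installed; remove them via Programs and Features or the UninstallString shown:'
    $older | Format-Table DisplayName, DisplayVersion, UninstallString, RegistryKey -AutoSize
} else {
    'No older Java Runtime versions remain.'
}
```

An empty "older" list means the manual Programs and Features check Dave asked for is satisfied, regardless of whether JavaRa's log ever appeared. The uninstall keys only show what is registered as installed; to see which runtime the system actually launches, also read the CurrentVersion value under HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment.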

                  bluecountry

                    Re: Major Virus Problem
                    « Reply #13 on: April 23, 2011, 12:04:47 PM »
                    1) You should be able to go into Symantec and empty the quarantined folder
                    ->So what should I do?  When I go into the quarantine log, it lists all these files.  All of them read "infected" as a status.
                    Should I just do nothing, and continue to receive this pop up daily?
                    OR should I restore/delete/rescan/export/add/submit/purge options (these are all my options)?

                    2) Go ahead and go into Control Panel, Programs and Features and see if there are any old version below 24 there. If there are, uninstall them.
                    Don't forget to download and run ComboFix and post the log.

                    Done. The old Javas, if they are here, I cannot see or find them in Control Panel/Programs/Features.

                    HOWEVER, I cannot disable symantec.
                    I clicked the link you said.
                    When I right click on the symantec icon...I only have three options:
                    "open symantec endpoint protection, update policy, enable symantec endpoint protection (and that last option is shaded gray)"

                    There is NO option when right clicking to disable.

                    I went a step further, I went to "Status".
                    Here it has antivirus and antispyware protection AND proactive threat protection.
                    Both had green lights.
                    I clicked options for both, there it had a "Disable anti-virus and anti-spyware protection" choice but again it was shaded gray and I could not click.
                    It also had a "Disable threat protection" also in gray and unable to be clicked.

                    Why?
                    What now?

                    SuperDave

                    Re: Major Virus Problem
                    « Reply #14 on: April 23, 2011, 01:03:06 PM »
                    Quote
                    So what should I do?  When I go into the quarantine log, it lists all these files.  All of them read "infected" as a status.
                    Should I just do nothing, and continue to receive this pop up daily?
                    OR should I restore/delete/rescan/export/add/submit/purge options (these are all my options)?
                    I would say delete or purge.
                    Please run ComboFix even if you can't disable the AV.
