Request for Help with Trojan Virus Removal

[abluewhale07]

Hi there an infuriating DOS window (DOS window flashed) keeps popping up but (99% of the time) it disappears. By some luck it froze and I was able to read it. The DOS window itself was empty but in the program title bar it read

C:\PROGRA~1\PDFCOM~1\pdfupd.exe

which Bill Richardson identified as a Trojan Virus.

However I'm running an up to date version of Norton Internet Security and Ad-aware (Lavasoft) as well as Malwarebyte's Anti-Malware.

I've run scans, quick and full, on all three programs to no avail. (I also used the microsoft online scan as Bill suggested, however the virus scanner would/could not download - possibly due to the virus?)

Bill proposed I take my issue up (DOS window flashed) with you to see if you could help me.

I would very much appreciate any help

[harry 48]

http://www.computerhope.com/forum/index.php/topic,46313.0.html

go to above and complete and post the 3 logs an expert will look at them

[abluewhale07]

Ok taken several hours but followed the steps given.

A more detailed account of my problem can be seen here

http://www.computerhope.com/forum/index.php/topic,98496.0.html

hope that helps.

Anyway the steps...

Step 1.

In the Add/Remove Programs directory I found a few that I don't recognise/didn't know were there:

ABBYY FineReader 6.0 Sprint
DNA (Bittorrent??)
GameSpyArcade

I'm guessing the following are updates to service pack 2 for vista
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)

PDF Complete

Sonic CinePlayer Decoder Pack

Thats that.

Step 2.

Done

Step 3.

Done.

Step 4.

Done.

Step 5.

Updated to latest version of Java and run the cleaner again

Step 6

Run HiJackThis

Really hope you can help me, this DOS window is infuriating and I have a feeling the virus is the cause of my computer slowing immensly over the last few months.

Logs attached

Many thanks :)


[Saving space, attachment deleted by admin]

[harry 48]

http://en.wikipedia.org/wiki/BitTorrent_DNA


 This section may contain original research. Please improve it by verifying the claims made and adding references. Statements consisting only of original research may be removed. More details may be available on the talk page. (March 2009)

WeFixedTheGlitch cited concerns shortly after the launch of BitTorrent DNA about possible exploits of the software, rating it as a "high" level risk and recommending the software to be avoided.[8]. BitTorrent replied that DNA only "accelerates" authorized URLs, but the possible exploit remains untested.

Other criticism includes the fact that DNA automatically starts with Windows and is installed with the official BitTorrent client, making it hard to be noticed by some users. BitTorrent claims that this will be fixed when DNA is fully integrated into their client. Also, DNA can only be temporarily disabled and has no other method to control bandwidth usage, relying entirely on autodetection of acceptable transfer speeds[9].

Like most peer-to-peer applications, DNA might cause poor performance when running alongside other peer-to-peer delivery systems; unfortunately, due to DNA's subtleness, often the user is unaware that their content is being delivered in a manner that requires both numerous connections and utilization of their upload bandwidth, and may be surprised at a sudden drop in performance of unrelated transfers.

----------------------------------------------------------------------------------------

http://en.wikipedia.org/wiki/GameSpy_Arcade

a lot of the sites have a warning as Dangerous Downloads

--------------------------------------------------------------------------------
Please use caution before downloading anything at this site. Downloads may contain a virus or other undesirable software.
More details
SearchScanBETA powered by McAfee
Site owner support

[harry 48]

You're not running the latest version of Trend Micro HijackThis (v2.0.2) and not all threats may be found. Latest version found here.http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

We did not detect any antivirus on this computer. We suggest installing a free Antivirus


the above is from your hjt log

up-date hjt and post a new log please

-----------------------------------------------------------------------
free a/v download and run 1 only

http://www.free-av.com/

http://www.avast.com/en-gb/index

[abluewhale07]

ok downloaded the latest version of HJT and avast. made sure avast was up to date and ran both full and quick system scans. no threats were found.

i've attached the log from HJT.

many thanks

[Saving space, attachment deleted by admin]

[lonar23]

try system restore, or if you want to make it all clean..then reformat your disk much better...

[abluewhale07]

system restore keeps generating an error and won't complete. i'm not sure i know how to do a disk format or what it involves?

[harry 48]

try system restore, or if you want to make it all clean..then reformat your disk much better...

please do not give advice you are not a malware expert

[harry 48]

http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039/

please go to above to remove any traces of norton , do it twice

[abluewhale07]

done it

[harry 48]

ok , run hjt and post a fresh log please

[abluewhale07]

log attached

[Saving space, attachment deleted by admin]

[harry 48]

ok , it is now a matter of waiting for a malware expert to help you , harry

[SuperDave]

Hello abluewhale07 and welcome to Computer Hope Forum. My name is Superdave but you can just call me SD. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialist of this forum so it may take a bit longer to process your logs.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

Looking over your log it seems you don't have any antivirus software.

Before we continue download and install a free antivirus.

Remember to only install one antivirus!
 
1) Avast! Home Edition
2) AVG Free Edition
3) Avira AntiVir Personal
4) Microsoft Security Essentials for Windows Vista\Windows 7 - 64 bit Download
4-a) Microsoft Security Essentials for Windows XP
5) Comodo Antivirus (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
6) PC Tools AntiVirus Free Edition

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

------------------------------------------------------------------------------------------

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=101760&l=dis
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] \"C:\Program Files\Common Files\Java\Java Update\jusched.exe\"
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
(Description: Intel hotkey applet. Unnecessary. Removing this will free up a small amount of system resources.)

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

---------------------------------------------------------------------------------------------

Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

link # 1
link #2

Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Vista users Right-click combofix.exe and select Run as Administrator and follow the prompts.
Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.

[abluewhale07]

Hi Super Dave, I've followed and completed the first two steps you wrote. ComboFix doesn't seem to be working though, I've downloaded it fine. But whether I run it as an administrator or not all that happens on opening it is a small box opens titled 'combofix' and the green (installation?) bar fills up and the program doesn't get any further...

[SuperDave]

Could you please delete ComboFix, download again and try running again. This is a very stable program and shouldn't be causing problems.

[abluewhale07]

ok sorry if i'm being insanely stupid here, but downloaded combofix fine. Opened it and it went straight into scan mode. No log was produced and several things (such as half my desktop shortcuts) were deleted by combofix at the end of it's scan... the system restore function being one of them...

i've attached a HJT log but cannot find a combofix log anywhere on my computer.



[Saving space, attachment deleted by admin]

[evilfantasy]

Hello abluewhale07.

Let's see what we can do here. Please bear with me. You are one of the few who ran ComboFix with this bug.

Please get the C:\QooBox\ComboFix-quarantined-files.txt and attach it here so we can attempt to work up a fix to restore everything.

[abluewhale07]

ah right. everything that got deleted has gone into Qoobox - there's a folder called 'C' with all my stuff in. I think I've got the log you need although it's not got the same title. It's the only log I can find in the folder.

Thanks

Lj

[Saving space, attachment deleted by admin]

[evilfantasy]

No that's not it.

Try this please.

Look for the quarantined files text file located in C:\QooBox\ComboFix-quarantined-files.txt <- There may be some numbers mixed in representing the date and other data.

[abluewhale07]

hmmm I honestly cannot find it. I've tried searching for just 'combofix' 'quarantined' 'files' and '.txt' as well as the whole thing in the QooBox folder.

The '.txt' came back with a list of '.txt.vir' files, but not a single '.txt' file. Interestingly I keep getting messages saying that my Recycling Bin is corrupt and would I like to empty it. I haven't emptied it yet but is it possible the combofix-quarantine file is on there?

I've tried changing my search settings to include hidden folders and those critical to windows running. But still no luck.

When I go into the QooBox folder I'm met with 5 folders: BackEnv, Last Run, Quarantine, Test & CTest.

Last Run, Test & CTest are all empty. Quarantine holds the lost folders and BackEnv holds '.dat' files. There is also a file called 'SetPath.bat'

No 'ComboFix-quarantined-files.txt' though...

No crucial files from my OS drive have been quarantined, just from my hard drive on C.

Is there anyway to manually restore the quarantined files??

Lj

[evilfantasy]

Work the instructions in this link. http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/455388-combofix-issue-resolution.html

[abluewhale07]

thanks evilfantasy, CFDQ-UsrPrf.exe seems to be working as desktop icons and folders are reappearing. It's got about 50gig to do so looks like it's gonna take a while. will let you know when it's done.

thanks for being so patient

[evilfantasy]

Sounds good. I'll be away for a while but will be back to continue later.

[abluewhale07]

ok restore worked great everything's back that went when combofix went crazy. The Qoobox folder still has the 50gigs in that was quarantined (even though this has all been restored) is it safe to delete this?? Also my recycling bin is still strangely corrupt...

[abluewhale07]

ok recycling bin is no longer being strange

[evilfantasy]

Did you download and run combofix as described in the instructions?

I need the new log.

[evilfantasy]

Sorry the instructions changed and they removed the ComboFix links.

Download DDS from |HERE| or |HERE| or |HERE| and save it to your desktop.

Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.

1) DDS.txt
2) Attach.txt

* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copy and pasting it into the reply.

[abluewhale07]

many thanks evilfantasy

Lj

[Saving space, attachment deleted by admin]

[evilfantasy]

Okay. Here we go.


Download JavaRa
* Unzip the file and open the JavaRa.exe
* Click Remove Older Versions
* JavaRa will search for and remove any outdated version of Java and remove any that are found.
* Click Additional Tasks
* Place a check next to Remove Useless JRE Files and click Go
* Exit JavaRa
* Delete the JavaRa files from the desktop

----------

Download The Avenger by Swandog46 and save it to your desktop.

* Extract avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Code box below, and paste it into the Input script here window:

Code: [Select]

Comment:

Files to delete:
C:\found.000

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.

* Add the Avenger log in your next post.

----------

Scan your computer with Panda ActiveScan

* Once you are on the Panda site click the Scan your PC now button.
* A new window will open...click the Scan Now button.
* If it wants to install an ActiveX component allow it.
* It will start downloading the files it requires for the scan. (Note: It may take a couple of minutes)
* You may get a warning from Internet Explorer that Panda is ready to install, please allow it.
* The scan will begin. Please be patient as it can take an hour or more to complete.
* When the scan completes, if anything malicious is detected, click the Export to: button (looks like a little Notepad).
* Save the ActiveScan.txt to a convenient location like your desktop.
* Note: You do not need to select any of the Disinfect options. We will remove any threats manually.

* Post the contents of the ActiveScan report in your next reply.

[abluewhale07]

ok am just on the panda scan, but it's gonna take a while.

Is there anyway a virus could get from my computer onto my reuter and slow down the internet speed in my house? only my housemates and me are all experiencing really slow internet. They say it's happened in the last few days since I've known there's been a problem... our area is well known for having slow internet though so it might not be connected.

thanks

Lj

will post the logs as soon as the scan completes

[abluewhale07]

here are the logs

[Saving space, attachment deleted by admin]

[evilfantasy]

* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Code box below, and paste it into the Input script here window:

Code: [Select]

Comment:

Files to delete:
c:\$recycle.bin\s-1-5-21-2848911874-2998251934-89243116-1006\$r9jybkn\catchme.cfxxe

Folders to delete:
C:\found.000

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.

* Add the Avenger log in your next post.


Also let me know how the computer is running now.

[abluewhale07]

Here's the avenger script

My computer's running a *censored* of a lot faster now. Start up times were getting ridiculously lengthy and now it's just a few seconds! Plus the DOS window's gone away! Thankyou very much

Lj

[Saving space, attachment deleted by admin]

[abluewhale07]

also my internet speed has gone back to normal! not sure if this was ever connected to the virus/malware issue but thank you once again!

[SuperDave]

Please hang around so Evilfantasy can do some clean-up. Thanks

[abluewhale07]

sure, no worries

[evilfantasy]

If there are no more malware issues we can finish up now.

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /Uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

----------

Download OTC by OldTimer and save it to your desktop.

1. Double-click OTC to run it.
2. Click the CleanUp! button.
3. Select Yes when the "Begin cleanup Process?" prompt appears.
4. If you are prompted to Reboot during the cleanup, select Yes
5. OTC should delete itself once it finishes, if not delete it yourself.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. 
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

Use the Secunia Software Inspector to check for out of date software.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

[abluewhale07]

thankyou very much for all your help EvilFantasy! My computer is running much faster now and i know now that the slow internet connection is nothing to do with it.

Anyway, thanks!

[evilfantasy]

Your welcome.

Safe surfing...