Computer Hope

Software => Computer viruses and spyware => Topic started by: katheryne on May 06, 2008, 11:26:00 AM

Title: Computer infected with Trojan.Win32.Blackbird (among others!) - logs attached
Post by: katheryne on May 06, 2008, 11:26:00 AM

Heavens know what my husband clicked on to get this on his computer, but now he has the much-feared "Trojan.Win32.Blackbird" icon on his desktop, as well as what seems to be a bunch of other Trojans on his computer. 

I followed Step 1 through 6 listed in this forum to try and fix the problem (don't think it is fixed yet), and have posted the requested log files from SuperAntispyware, Malwarebytes and Hijackthis to this message.

Any help would be appreciated.  I've kicked my hubby's computer off the internet until this is resolved.

Thanks!

- katheryne


[recovering space - attachment deleted by admin]

Title: Re: Computer infected with Trojan.Win32.Blackbird (among others!) - logs attache
Post by: evilfantasy on May 06, 2008, 11:40:45 AM

Welcome to CH.

Please download Combofix by sUBs from one of the below links.
(Try all three if necessary)

• Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
  
• Link #2 (http://subs.geekstogo.com/ComboFix.exe)
  
• Link #3 (http://www.forospyware.com/sUBs/ComboFix.exe)

Important! Combofix.exe MUST be saved to and ran from the Desktop.

• Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
• Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
  • Click  this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
    
  • If yours is not listed and you don't know how to disable it, please ask.
• Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
  
• Double click combofix.exe & follow the prompts.
• Choose Yes to accept the Disclaimers.[

• When finished, it will produce a log for you.
• Post that log in your next reply.

Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall

• If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
  
• Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.

If needed, see this  Combofix tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) with screenshots that will detail the downloading and running of combofix more thoroughly.

----------

Next post add
Combofix log

Title: Re: Computer infected with Trojan.Win32.Blackbird (among others!) - logs attache
Post by: katheryne on May 07, 2008, 08:45:20 PM

Attached with this reply is the combofix log.

Also, now the computer is v e r y slow to start up... meaning the desktop comes up, but I can't really click on anything for a few minutes. The SuperAntiSpyware seems to be the culprit since its logo hangs on the computer... possibly not though.  Causality vs correlation and all that.  It could just be the complete FUBARedness (inventing a word here) of the computer.

Thank you, thank you, thank you, for your help.

- katheryne




[recovering space - attachment deleted by admin]

Title: Re: Computer infected with Trojan.Win32.Blackbird (among others!) - logs attache
Post by: evilfantasy on May 07, 2008, 09:37:30 PM

After we get all of the malware gone lets see if things get back to normal.


Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.

• Click Start , then Run
  
• Type notepad.exe in the Run Box.
  

2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]

KillAll::

Folder::
C:\Documents and Settings\All Users\Application Data\wrefyhov

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{BB324F49-82D8-4778-9E25-267724F65061}"=-
[HKEY_CLASSES_ROOT\clsid\{bb324f49-82d8-4778-9e25-267724f65061}]
[HKEY_CLASSES_ROOT\mkrndofl.1]
[HKEY_CLASSES_ROOT\TypeLib\{F0F2A7EE-1699-40E7-934F-03C3A3F8F42D}]
[HKEY_CLASSES_ROOT\mkrndofl]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"mbJotgwLG7"=-
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript.gif)

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to freeze

----------

Download and install CleanUp!.exe (http://stevengould.org/downloads/cleanup/CleanUp452.exe)

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:

• Click Options...
  
• Move the arrow to Standard CleanUp!
  
• Uncheck the following: (if checked)
  • Delete Newsgroup cache
    
  • Delete Newsgroup Subscriptions
• Click OK

Click the CleanUp! button to start the program. Reboot/logoff when prompted.

Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!
If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility

----------

Next post add
Combofix log

Let me know how everything is now.

Title: Re: Computer infected with Trojan.Win32.Blackbird (among others!) - logs attache
Post by: katheryne on May 08, 2008, 08:51:46 PM

Hi there,
Attached is the most recent ComboFix log.
- katheryne


[recovering space - attachment deleted by admin]

Title: Re: Computer infected with Trojan.Win32.Blackbird (among others!) - logs attache
Post by: evilfantasy on May 08, 2008, 11:52:19 PM

Looks much better as far as the malware is concerned. Now lets work on the performance issues.

I see indications of 3 antivirus software installed. Do you primarily use AVG?

Create An Uninstall List

• Start HijackThis
  
• Click on the Open the Misc Tools section
  
• Click on the Open Uninstall Manager button.
  
• Click on the Save list button and specify where you would like to save this file and click Save.
  • When you press Save button a notepad will open with the contents of that file.
• Copy and paste that list in your reply.

.
Also let me know how things are now.

Title: Re: Computer infected with Trojan.Win32.Blackbird (among others!) - logs attached
Post by: Jackimo on May 09, 2008, 08:08:25 PM

To be almost certain that youve nuked the Virus you should create a restore point first then back up your data and do a complete Reinsall of your whole Operating System by firstly Re formatting your whole hardrive...this is just so that you dont leave any backdoor connections open to this Trojan/Virus. This is a security must seeing that any data or passwords typed via the interent can still possibly be logged and sent to the hacker. :)

Title: Re: Computer infected with Trojan.Win32.Blackbird (among others!) - logs attache
Post by: evilfantasy on May 09, 2008, 08:15:13 PM

Are you saying we don't know what we are doing?

Quote

If you receive advice from someone other than the approved Malware Removal Specialists, you do so at your own risk.  We are not responsible if you take potentially inaccurate/harmful advice from someone who is not a designated helper.

 Guidlines (http://www.computerhope.com/forum/index.php/topic,46313.0.html)

Jackimo, while a clean install is always the only way to be 100% sure no infection is left, we use tools that analyze every file on a PC to determine if it is clean. Users can be confident in the advice we give. A reinstall isn't necessary in 99.99% of the infected PCs we see. Nor is it as practical as it sounds.

Title: Re: Computer infected with Trojan.Win32.Blackbird (among others!) - logs attached
Post by: Erik the Red on May 10, 2008, 11:16:47 AM

excuse me, but I also have fallen victim to this same situation.

and though I have searched the forums and followed advice given to others on the blackbird thing, I don't think my laptop is completely clean and was wondering if you could help me?

I downloaded everything that katheryne was advised to use and can post the logs for any of them if you'd like me too.

right now though, my laptop cannot access the internet, and I know for a fact that it is my laptop and not the internet connection itself. also, I have recently downloaded AVG but cannot update it because of that. neither my laptop's wired nor wireless internet work and simply end up as limited or no connection.

I'd really appreciate the help and thank you in advanced.

also, I cannot access system restore at all.

Title: Re: Computer infected with Trojan.Win32.Blackbird (among others!) - logs attached
Post by: evilfantasy on May 10, 2008, 11:21:41 AM

Please start a new topic and post the logs there.

Title: Re: Computer infected with Trojan.Win32.Blackbird (among others!) - logs attache
Post by: katheryne on May 10, 2008, 03:57:33 PM

Hi again,

  Here is the uninstall list from HijackThis.  I'm really wondering if the problem with the EXTREMELY slow initial response time of the computer is SuperAntiSpyware.  It seems like the program is trying to update.  But when I click on "install new updates", it does not find any.  When I exit the program, the computer seems to snap out of its lethargy.

  Possibly a re-install of SuperAntiSpyware would work?  Do I really need to run SuperAntiSpyware in the background anyway if I have AVG installed?    (Would either of those programs, btw, have found this trojan and warned me?)

  I'd be perfectly happy to run just one anti-virus program.  Whatever you'd recommend would be fine with me.

- katheryne


Adobe Flash Player ActiveX
Adobe Reader 7.0.8
AOLIcon
Apple Mobile Device Support
Apple Software Update
AVG Free 8.0
Blue's 123 Time Activities
CCleaner (remove only)
CleanUp!
Conexant D850 56K V.9x DFVc Modem
Corel Photo Album 6
Dell CinePlayer
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Game Console
Dell Support 3.1
Digital Content Portal
Digital Line Detect
DivX Content Uploader
DivX Web Player
Documentation & Support Launcher
EarthLink setup files
EducateU
ELIcon
Games, Music, & Photos Launcher
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Format SDK (KB910998)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Care Pack Core
HP LaserJet P2015 Series 1.0
HP Update
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
iTunes
J2SE Runtime Environment 5.0 Update 6
Java DB 10.3.1.4
Java(TM) 6 Update 6
Java(TM) SE Development Kit 6 Update 6
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Malwarebytes' Anti-Malware
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Outlook 2003 with Business Contact Manager Update
Microsoft Office Professional Edition 2003
Microsoft Office Small Business Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Modem Helper
Mozilla Firefox (2.0.0.14)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
My Sirius Studio
NetWaiting
NetZeroInstallers
Norton Ghost 10.0
PCFriendly
QuickTime
RealPlayer
Roxio DLA
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Safari
SearchAssist
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Sonic Activation Module
Sonic Update Manager
Spybot - Search & Destroy 1.4
SUPERAntiSpyware Free Edition
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
URGE
URL Assistant
Viewpoint Media Player
WebCyberCoach 3.2 Dell
Windows Driver Package - SIRIUS (zsi_fw) SIRIUS  (07/28/2006 1.00.0003)
Windows Driver Package - SIRIUS (zsi_zap) SIRIUS  (07/28/2006 1.02.0006)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
WinRAR archiver
Yahoo! Music Jukebox
Yahoo! Widgets

Title: Re: Computer infected with Trojan.Win32.Blackbird (among others!) - logs attache
Post by: evilfantasy on May 10, 2008, 04:16:00 PM

Uninstall Super... and the reinstall the new  SUPERAntiSpyware 4.1.1040 Prerelease (http://www.majorgeeks.com/SUPERAntiSpyware_d5116.html). It has some speed enhancements. You can turn off any monitoring with it. The free version doesn't have any real time protection anyway so it needs to be set to off.

Go to add/remove programs and uninstall:
J2SE Runtime Environment 5.0 Update 6
Java DB 10.3.1.4 <unless you use it.
Java(TM) SE Development Kit 6 Update 6
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
SearchAssist
URL Assistant
Viewpoint Media Player

Now run CCleaner.

----------

Use  StartUpLite (http://www.majorgeeks.com/StartUpLite_d5583.html) to get rid of any un-necessary startups. You can uninstall startuplite when it is finished if you choose, or keep it. Your choice.

----------

Use the  Secunia Software Inspector (http://secunia.com/software_inspector)

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

.
----------

Suggestion:

Defrag the drive with a third party defrag program. This will give improved performance. Pick only one. I have used both of these and am now using IOBit because it has an automatic defrag feature.

Iobit SmartDefrag (http://www.majorgeeks.com/IObit_SmartDefrag_d5318.html) 
Defraggler (http://www.majorgeeks.com/Defraggler_d5777.html)

----------

Let me know how things are now.

Title: Re: Computer infected with Trojan.Win32.Blackbird (among others!) - logs attache
Post by: katheryne on May 10, 2008, 05:52:26 PM

I'll do what you recommend later tonight.  In the meantime, I just got a "Resident Shield alert" saying:
Accessed file is infected.
Threat detected!
File name: C:\System Volume Information _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP534\A0033727.dll
Threat name: Trojan horse Downloader.Zlob.SE
Detected on open

Is that from a Restore Point?  I wouldn't mind deleting all my previous Restore Points.  The data on this computer is all backed up.

Title: Re: Computer infected with Trojan.Win32.Blackbird (among others!) - logs attache
Post by: evilfantasy on May 10, 2008, 05:58:47 PM

Yes it is a restore point. We would clear the restore points in the final steps, but we can do it now in order to keep any warnings from coming up.

• Go to Start > All Programs > Accessories > System Tools > System Restore
  
• Select Create a restore point, and click Next.
  
• Next, go to Start > Run and type in cleanmgr
  
• Select the More options tab
  
• Next to System Restore click Clean up...

This will remove all restore points except the new one you just created.

Title: Re: Computer infected with Trojan.Win32.Blackbird (among others!) - logs attache
Post by: katheryne on May 11, 2008, 05:02:28 PM

Hello again,

  Uninstalling the version of SuperAntiSpyware, installing the new version, and then setting it to NOT run at startup fixed much of the delay when starting up the computer.  It does take AVG a little bit to get its *censored* in gear, but my husband calls the wait "not a problem".  I'm just thinking he wants his computer back after my kicking him off it for almost a week.  ;)  But he's right, the little bit of extra wait for the virus scan to start up isn't that bad.

  Thanks again for all of your help.  Hopefully this thread can help others who have experienced the same problem, or at least help point them to some of the best tools to use out there.

- katheryne

Title: Re: Computer infected with Trojan.Win32.Blackbird (among others!) - logs attache
Post by: evilfantasy on May 11, 2008, 05:18:33 PM

Hehe, your not getting away that easy ;D Still need to do final steps and suggestions ;)

Let's clear out the programs we've been using to clean up your computer, they are not suitable for
general malware removal and could cause damage if launched accidentally. These steps will also help secure the work you have done.
.

• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.

.

(http://i154.photobucket.com/albums/s258/evilfantasy69/combofixu-1.jpg)

.
The above procedure will:

• Delete:
• ComboFix and its associated files and folders.
• VundoFix backups, if present
• The C:\Deckard folder, if present
• The C:_OtMoveIt folder, if present

• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.

.
----------

Here are some great tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

To prevent unknown applications from being installed on your computer install WinPatrol 2008 (http://www.winpatrol.com/winpatrol.html)

Another thing I would suggest installing SiteAdvisor (http://www.siteadvisor.com/). SiteAdvisor rates sites on business practices and spam.

 SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
*  (http://www.bleepingcomputer.com/tutorials/tutorial49.html)Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)

UPDATE!!! UPDATE!!! UPDATE!!! - If you do not have automatic updates enabled then visit http://www.windowsupdate.com[/b]]http://www.windowsupdate.com (http://[b) regularly. This will ensure your computer has always the latest security updates available installed on your computer.
*  Help with Windows updates (http://support.microsoft.com/?scid=ph;en-us;6527)

Learn more about how to protect yourself while on the internet read this article by Tony Klien:  So how did I get infected in the first place? (http://www.castlecops.com/postlite7736-.html)

Let us know if you have any questions or if anything else comes up.