
The Mudcat Café TM
https://mudcat.org/thread.cfm?threadid=117375
37 messages

Tech: Trojan infection

30 Dec 08 - 12:41 PM (#2527539)
Subject: Tech: Trojan infection
From: Bernard

Two of my PCs have been hit by an as yet unidentified trojan infection, which seems to be similar to Zlob, but not as intense. So far I've not lost any Start Menu icons or suchlike...!

So far the only symptoms are denial of some network connectivity, and odd Internet behaviour, part of which was down to the cookie setup being messed up.

The main inconvenience is denial of access to my Network Attached Storage - the drives can be seen, but report as 'not formatted' if I try to access them. They are fine, because my other machines can still access them normally.

One infected machine is running XP Home SP3, the other XP Pro SP3, and both have AVG v8 and Windows Defender installed. Since the trojan arrived, neither can connect to its server to update, and Windows Update diverts to the MSN homepage. Google behaves strangely, too - if I click on a search link it goes anywhere but where the link says it should, but if I copy and paste the link into the address bar it takes me to the correct page...!

Occasional pop-up adverts are appearing, but not to nuisance level yet.

If I reboot into Safe Mode and try to use System Restore, everything seems normal until I press the 'next' button to initiate the chosen restore point. The button simply does not do anything!

There do not seem to be any abnormal services running, and HiJackThis v1.99 hasn't found anything out of the ordinary.

Clearly this trojan is quite cleverly cloaked, and I've turned off all other PCs on my network until I can get to the bottom of it, as this thing may propagate itself through the rest of my system.

I do have Webroot's SpySweeper (up-to-date licence), which I'd had trouble with and uninstalled a few months back. If I try to install that on the XP Home machine it causes a cold reboot about 90% into the install, and on the XP Pro machine it gives a fatal error message after about 60%, but doesn't cause a reboot.

This happens whether I install normally or in Safe Mode...

A few web searches come up with little or no information, other than the usual registry fixes for some of the symptoms - which are all very well, but not applicable in this instance.

Sooooo... has anyone any suggestions I may not have already tried?


30 Dec 08 - 12:43 PM (#2527541)
Subject: RE: Tech: Trojan infection
From: Bernard

Incidentally, Mudcat seems to work normally... I couldn't mention that in my opening post because I hadn't been able to test it...!


30 Dec 08 - 01:42 PM (#2527593)
Subject: RE: Tech: Trojan infection
From: Nick

Have a look at the Spybot forums and perhaps post a HijackThis log.

I have twice used them to sort out problems I was struggling with and both times they were fantastic. The first time my son had managed to install a rootkit onto the machine amongst other things, the second my wife managed to break it rather badly.


30 Dec 08 - 02:08 PM (#2527626)
Subject: RE: Tech: Trojan infection
From: Bernard

The HiJackThis log will do no good... I'm experienced in these matters, and puzzled as to why nothing is showing... I know what to look for, and there's nothing unusual at all. Likewise there are no services running that look abnormal.

Worse still, a third machine (Studio Control Room) has now gone down with it, which suggests it's creeping through the network.

There's only my laptop and the Studio Live Room PC to go - so they're staying switched off for now.

I'm having difficulty accessing the tech forums, as the browser is being hijacked somehow. Mudcat is, oddly enough, behaving almost normally, though I tried to reply to a PM and it didn't happen.


30 Dec 08 - 02:15 PM (#2527635)
Subject: RE: Tech: Trojan infection
From: Acorn4

Have you just recently installed Service Pack 3? I've had to stop my son's PC from downloading it, because when it does it stops being able to connect to the internet and reverts to the MSN page you've described - that machine is actually running the multimedia edition of XP and we've assumed it's a problem with the service pack - it might be worth restoring to pre-SP3 and seeing if the problem persists.


30 Dec 08 - 02:35 PM (#2527658)
Subject: RE: Tech: Trojan infection
From: Bernard

Nope - SP3 has been running happily for many months. This is definitely some sort of trojan activity.

Hate to say this, but maybe you're seeing this trojan too... I'm not running the multimedia edition on any of mine, either.


30 Dec 08 - 02:38 PM (#2527666)
Subject: RE: Tech: Trojan infection
From: Bernard

SP3 wouldn't cause the adware popups, either...


30 Dec 08 - 02:49 PM (#2527676)
Subject: RE: Tech: Trojan infection
From: Acorn4

Odd that it's only happening on one machine on our network - admittedly we don't use it for internet that much - if it's a trojan, why doesn't our Kaspersky pick it up, as we do regularly update that?


30 Dec 08 - 03:17 PM (#2527690)
Subject: RE: Tech: Trojan infection
From: JohnInKansas

The only thing receiving a lot of notice recently was the Internet Explorer vulnerability that Microsoft supposedly patched, out of sequence, last week. Of course any vulnerability that can be exploited can deliver just about any trojan, but I believe that "Zlob variants" were mentioned in some of the reports.

Even if it's not the browser you use, IE needs to be patched because IE and Windows Explorer are one and the same so you do use it locally.

I haven't seen much on whether the AV makers had the details to develop detections, or if Microsoft kept some of it quiet until their patch was delivered. Countermeasures might be included in the Microsoft Malware Remover that haven't gotten into distribution by all the regular Anti-malware programs as yet, although usually the sharing of problem details is pretty rapid.

The Malware Remover should download and run every time you get an automatic update, unless you've turned it off; but you can update it separately and do a "forced run" from the Windows update site.

No AV picks up everything, so remote scans by other providers might pick up something your regular protection missed, especially if it's something new.

John


30 Dec 08 - 03:29 PM (#2527695)
Subject: RE: Tech: Trojan infection
From: Bernard

I knew about that one, John, and all my updates were up to date. I'm pretty vigilant about updates...

I'm fairly sure that the infection came in a piece of software masquerading as an MP3 add-in for an old version of SoundForge. Okay, I know... I know...!

What is really worrying is the way it seems to be spreading through my network. Fortunately, my laptop (not yet infected) only has a small C: drive, so is fairly quick to restore from a backup. The desktops all have big C: drives, so I'd rather fix them if I can.


01 Jan 09 - 06:32 AM (#2528904)
Subject: RE: Tech: Trojan infection
From: Bernard

Refresh...


01 Jan 09 - 08:36 AM (#2528945)
Subject: RE: Tech: Trojan infection
From: Nick

I'm loath to make another suggestion as you seem to have tried everything anyone has tried to suggest, but I presume you've tried Malwarebytes Anti-Malware?


01 Jan 09 - 08:42 AM (#2528949)
Subject: RE: Tech: Trojan infection
From: Nick

The other one is ComboFix - but I wouldn't have a clue how to use it or interpret its results. I just know it was a tool that was used before in helping me resolve some problems - but I would beware of using it unless you know what you are doing.


01 Jan 09 - 08:58 AM (#2528955)
Subject: RE: Tech: Trojan infection
From: JohnInKansas

A web page/site that an automated "problem solver" sent me to some time ago might be more helpful to you than it was to me on that occasion:

http://blogs.technet.com/swi/default.aspx Microsoft Security Vulnerability Research and Defense.

This page is a "Microsoft Blog" but differs from most other blog pages where Mickey sends you to look for help in that only "official" posts/posters participate. It's thus free from the "self-proclaimed genius" comments that you have to wade through and ignore on the more public ones, but it is addressed to "developers" and professional IT managers so it's probably "too tech" for most of us.

Note that it's a very long page, so you have to scroll way down to see all of the subjects currently posted. There also are archive links in the right sidebar.

I don't see anything at the current page that I recognize as helpful for the problem you've described, but you may be able to make a better connection to your problem.

***

You mentioned that Windows Update is redirected to MSN and that Google links are redirected but you can type them in the addy bar and get to the site. In my Vista, update opens as a Control Panel section, so I can't easily tell what the connection is, but it might be of help that on Lin's WinXP pro SP3 machine, her WinXP Microsoft Update is at:

http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us

If you can get to the update site and get Guardian up to date it might help. (Would the Trojan have disabled the link if it wasn't helpful?) If clicking the link here doesn't work, you can copy the "display string" and paste it into the URL space, or type it in manually. One or the other may get you to a usable connection, or you may be able to read the URL you've been using from RtClick Properties for the link. If you can't read it from the Start Menu, right click and send a shortcut to desktop and try reading the URL from the shortcut properties(?).

***

The very intimate connection between Windows Explorer and Internet Explorer is visible in the ability to open a location on your own computer or on an internal network in Internet Explorer. At Start | Programs | Accessories | System Tools there's a "maintenance link" to open "Internet Explorer (no add ins)." If you use this link to open IE, it should open a blank page without even a home page showing, and the IE instance will have NO ADD-INS loaded. If you put a drive letter ( e.g. X: or X:\ ) in the address box, it will (or should) display the drive in Windows Explorer. You should get a warning that it will connect in "unprotected mode," but this mainly means, in this case, that the target drive doesn't show a "security certificate" and/or isn't a "normal page."

You should be able to use whatever "identity" you normally use for a network drive, but it may be more convenient to map one (Windows Explorer | Tools | Map Network Drive) to give it a drive letter on your local machine. If (????) the network drive opens and is visible using the "no add-in" IE route, it would strongly suggest that your problem is embedded (or is executing through) an IE add-in.

***

Perhaps a last resort is to ask for help from Microsoft. At microsoft.com, on some support link or another (it moves around) you should find a "support using web chat" link, sometimes on a "contact us" page. In most cases, they'll refer you to "phone support" if you present your case as a problem that appeared with a Microsoft Update. (Asking for help with an update at web chat is the simplest way I've found to get the current phone support number for your location, but if you find a direct link to the number you can use the one it gives you.)

Support is free for problems with updates; but the vmail choices at the phone support numbers don't let you tell them that's why you called. The key to getting in is that when they ask if the software was installed on your computer by a manufacturer you must say NO. (You are calling about the patch software installed by Microsoft, and not about the OS installed by your OEM.)

If you can get past the recorded choices, you should reach an actual person, where you can complain that "since the update on (date) my machine is all crappy." If/when they decide it's not a patch problem they'll probably ask for a credit card number, at which time you can just say no and hang up, but sometimes you'll glean quite a bit of helpful assistance without having to yield to the extortion. (A good tech support person really hates to quit without a solution; but they're not all that dedicated.)

***

I don't really know if any of this will help, and I don't know if you know that I know that you probably already know about all of it. Just some thinking out loud.

John


01 Jan 09 - 10:26 AM (#2528991)
Subject: RE: Tech: Trojan infection
From: Simon G

From a search, does this help?

Run hijackthis and click on "scan system only" button and put checks next to these:


O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdkis.exe] C:\WINDOWS\system32\kdkis.exe
O4 - HKCU\..\Run: [LDM] \Program\
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B57B443-2B41-4966-83A1-B156011CCAA3}: NameServer = 85.255.112.126;85.255.112.131
O17 - HKLM\System\CCS\Services\Tcpip\..\{D852A8A8-3D49-42FF-B36C-649B808A2D30}: NameServer = 85.255.112.126;85.255.112.131


Please close ALL browser windows (including this one).

Everything closed out but HijackThis, and click on "fix checked".

Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select safe mode and press enter.

Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):


DELETE FILES:

C:\WINDOWS\system32\kdkis.exe


Reboot and...


Please download and install the latest version of HijackThis v2.0.2: delete the old version you have.

CLICK HERE to download the HijackThis Installer: TrendSecure | Download TrendMicro HijackThis

1. Save HJTInstall.exe to your desktop.
2. Double-click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
8. Come back here to this thread and paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
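The post above boils down to two checks a reader of a HijackThis log would make by hand: are the O17 NameServer entries pointing at resolvers the machine should not be using, and do any O4 Run entries look like a dropper rather than an installed product. The following Python is an added example, not code from the thread or from the HijackThis project: it parses a few constructed log lines (the O4/O17 lines are modelled on those quoted above, including the 85.255.112.126/131 resolvers; the 192.168.1.1 "expected" resolver and the AVG tray entry are constructed) and flags entries that warrant a look before anything is ticked for fixing.

```python
import ipaddress
import re

# Constructed sample HijackThis log lines, modelled on the O4/O17 entries
# quoted in the post. The 85.255.112.x resolvers come from the post; the
# 192.168.1.1 LAN resolver and the AVG tray entry are constructed.
SAMPLE_HJT_LOG = """\
O4 - HKLM\\..\\Run: [AVG8_TRAY] C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe
O4 - HKLM\\..\\Run: [C:\\WINDOWS\\system32\\kdkis.exe] C:\\WINDOWS\\system32\\kdkis.exe
O4 - HKCU\\..\\Run: [LDM] \\Program\\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{0B57B443-2B41-4966-83A1-B156011CCAA3}: NameServer = 85.255.112.126;85.255.112.131
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{D852A8A8-3D49-42FF-B36C-649B808A2D30}: NameServer = 192.168.1.1
"""

# Resolvers this machine is expected to use (constructed; on a real LAN take
# these from the router or DHCP configuration). Private ranges always pass.
EXPECTED_RESOLVERS = {"192.168.1.1"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def _is_private(ip: str) -> bool:
    """True for RFC 1918 / link-local style addresses, False for public or junk."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def check_nameservers(line):
    """Return (server, reason) pairs for O17 resolvers that are neither
    private-range nor on the expected list."""
    m = O17_RE.match(line)
    if not m:
        return []
    findings = []
    for server in re.split(r"[;,]", m.group("servers")):
        server = server.strip()
        if not server or server in EXPECTED_RESOLVERS or _is_private(server):
            continue
        findings.append((server, "public resolver not in expected set"))
    return findings


def check_run_entry(line):
    """Return a reason string if an O4 Run entry looks suspicious, else None."""
    m = O4_RE.match(line)
    if not m:
        return None
    name, cmd = m.group("name"), m.group("cmd").strip()
    # A value name that is itself a full path: installed products use a label.
    if re.match(r"^[A-Za-z]:\\", name):
        return "value name is a file path"
    # A command that is a bare directory with no executable to run.
    if cmd.endswith("\\"):
        return "command has no executable"
    return None


def triage(log_text):
    """Walk a HijackThis log and collect the entries worth reviewing."""
    report = {"nameservers": [], "run_entries": []}
    for line in log_text.splitlines():
        for server, reason in check_nameservers(line):
            report["nameservers"].append({"line": line, "server": server, "reason": reason})
        reason = check_run_entry(line)
        if reason:
            report["run_entries"].append({"line": line, "reason": reason})
    return report


if __name__ == "__main__":
    for section, found in triage(SAMPLE_HJT_LOG).items():
        print(section)
        for f in found:
            print("  ", f.get("server", ""), f["reason"])
```

The resolver check is the more reliable of the two: a Run entry can be odd for innocent reasons, but a workstation whose TCP/IP interfaces have been pointed at public resolvers nobody configured is the classic DNS-changer symptom behind the redirected Google links and failing update sites described earlier in the thread.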


02 Jan 09 - 04:48 PM (#2529965)
Subject: RE: Tech: Trojan infection
From: Bernard

Thanks for everyone's attempts at pinpointing the culprit... I'm still getting nowhere, mainly because of the specific blocking of update sites.

Malwarebytes Anti-Malware cannot update, so isn't finding anything.

Copy-and-pasting the link to Microsoft Updates just brings up a 404 server error, which is probably erroneous.

I've run the SmitFraudFix, which has only served to eliminate that as a possibility.

I'm convinced that getting to the bottom of the site blocking will allow me to sort the other problems, but I haven't found anything so far.

There may be a spyware equivalent of a firewall installed... nothing I do with the Windows firewall (including switching it off) makes any difference.

I've already left an HJT log and details of the problem on the TechGuy forum, but that's been there for a few days and nobody has come up with an answer - though there are increasing numbers of similar posts appearing.

I've not had a reply back from Webroot to explain why SpySweeper isn't installing (this problem dates back months) and I'm running out of patience...

The popups are not so much of a nuisance (yet), but whatever is causing them may well be what is interfering with links on websites (I can only get them to work by using copy-and-paste).

Unfortunately I don't have a lot of time to spend sorting this out, so I may well resort to reinstalling this machine from scratch on a new drive on Sunday, leaving the other two until I've more time. The new drive is simply so I don't lose anything I may need and haven't backed up... but will also ensure there are no hidden partitions or boot sector infections.

Alternatively, I've a spare machine I could use for the time being - though I'm concerned at not being able to identify the problem... I've always been able to sort out my customers' machines, but can't seem to track down the problem on my own system!!

Back later...


02 Jan 09 - 07:04 PM (#2530070)
Subject: RE: Tech: Trojan infection
From: Mick Pearce (MCP)

Bernard - in addition to HJT, you might like to try a scan with ComboFix - here's a link to the documentation with details of download/install: ComboFix. It also includes installation of the MS Recovery Console. You might post the ComboFix log along with the HJT one.

Best of luck!

Mick


02 Jan 09 - 08:28 PM (#2530122)
Subject: RE: Tech: Trojan infection
From: JohnInKansas

As a last resort, it should be possible to download and save Microsoft patches and the current Guardian version (which should include the current definitions) on one machine, for transfer and use on another. This capability has been available for IT masters who want to control when the runs happen on machines on their networks and so that they could deploy via "scripts" on a network. I would expect that you could do the same for AV definitions updates from most providers, but haven't looked at how many offer that capability accessibly.

Just another generic thought, in lieu of one that might really be useful. ...

John


02 Jan 09 - 09:35 PM (#2530156)
Subject: RE: Tech: Trojan infection
From: Nick

If it's any help it would be easy to email - or put on a bit of webspace - the installer and latest rules.ref file for Malwarebytes, which you could then just copy into C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware, which would update it I believe. The files are only about 4 MB.


03 Jan 09 - 06:23 AM (#2530316)
Subject: RE: Tech: Trojan infection
From: Bernard

Okay, I'm about to give ComboFix a try - had to download it on this laptop, though, because the links all came up error 404 on an infected machine...

The Malwarebytes files could be useful - mudcat_at_bernardcromarty.co.uk - thanks, Nick.

John - I'll have a go at the downloadable updates if the above two fail to find anything, thanks. It's possible everything I need will already be in the WSUS folder on the server at work, with any luck.

Off to try ComboFix now...


03 Jan 09 - 06:49 AM (#2530324)
Subject: RE: Tech: Trojan infection
From: Nick

Other thing that crossed my mind - you haven't got anything weird in your HOSTS file that is stopping you doing anything?


03 Jan 09 - 08:51 AM (#2530381)
Subject: RE: Tech: Trojan infection
From: Bernard

Whoopee!

Thanks, Mick, ComboFix sorted it! It took a while to get everything ready (including finding a download of the XP boot file to allow installation of the Recovery Console as this machine came with recovery CDs instead of XP), and a while for it to run... it will take even longer wading through the logfile to see what the problem actually was, but everything seems back to normal on this machine.

It found a couple of 'robust processes' running, and I'll let you know what they were when I find out.

No, there wasn't anything abnormal in the hosts file...

Now to try and sort the other two... back later!

For the record, Mudcat got there before the Tech Forums and Webroot's helpdesk... I'm eternally indebted to you lot!


03 Jan 09 - 09:26 AM (#2530393)
Subject: RE: Tech: Trojan infection
From: Midchuck

This may constitute intentional thread creep, but has anyone noticed the change in the language?

When I was young, the idea of Trojans was to PREVENT infection.

Peter


03 Jan 09 - 12:56 PM (#2530553)
Subject: RE: Tech: Trojan infection
From: Bernard

They call it 'progress'!!

For the record, it was a rootkit that invaded my space...!

Everything is now back to what passes for 'normal', and I'm feeling a little hungry!


03 Jan 09 - 05:02 PM (#2530747)
Subject: RE: Tech: Trojan infection
From: Mick Pearce (MCP)

Bernard - glad it's getting sorted. These things are a real nuisance - I think over the last few years I've had to clean about 3 machines a year of serious problems (not my machine thankfully, and never a rootkit problem). HJT has been my faithful friend!

Mick


03 Jan 09 - 06:48 PM (#2530831)
Subject: RE: Tech: Trojan infection
From: John J

Thanks for helping Bernard folks - I know how brassed off he was feeling with this problem. Well done all!

JJ


02 Mar 09 - 09:48 AM (#2579235)
Subject: RE: Tech: Trojan infection - update
From: Bernard

Just thought I'd better share this in case anyone is tearing their hair out over a similar problem!

I've recently cleaned up a laptop (mercifully not my own) with a similar rootkit infection...

Problem...

ComboFix would not run on this machine, which made me wonder if rootkits are becoming 'aware' of it and blocking its use.

Well... renaming COMBOFIX.EXE to FRED.EXE did the trick, and all's well. Practically any 8.3 name will work, I'd guess, as long as .EXE or .COM is the extension.


02 Mar 09 - 01:46 PM (#2579459)
Subject: RE: Tech: Trojan infection
From: Sawzaw

It is hard to tell which of those "free" virus removal programs are legit and which just install more viruses.

Malwarebytes is legit and free.

The last time I got a Trojan, it blocked access to http://malwarebytes.org with DNSchanger but it did not block access to http://www.malwarebytes.org

Once I got Malwarebytes installed, it cleared up the infection.

Malwarebytes' Anti-Malware 1.31
Database version: 1571
Windows 5.1.2600 Service Pack 3

12/29/2008 11:19:30 PM
mbam-log-2008-12-29 (23-19-30).txt

Scan type: Quick Scan
Objects scanned: 51526
Time elapsed: 2 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Rapid Antivirus (Rogue.RapidAntivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiexec.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\msqpdxehtabdur.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\msqpdxxjnrwblt.sys (Trojan.Agent) -> Quarantined and deleted successfully.


The problem is that the infected keys and files are sometimes hidden and you can't find them to rename or delete.
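A scan log like the one quoted above is only useful if you read it carefully: the summary counts at the top should match the items actually listed, and anything marked "Delete on reboot" was not removed while the scanner ran and has to be re-checked after the restart. The Python below is an added example, not Malwarebytes' own code or output format guarantee; it parses a trimmed copy of the log from the post (the lines are the post's, with the empty categories shortened) into per-category items and applies those two checks.

```python
import re

# Trimmed copy of the Malwarebytes log quoted in the post (constructed sample;
# the empty categories have been reduced to one to keep it short).
SAMPLE_MBAM_LOG = """\
Malwarebytes' Anti-Malware 1.31
Database version: 1571
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 51526

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Rapid Antivirus (Rogue.RapidAntivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\msiexec.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\\WINDOWS\\system32\\msqpdxehtabdur.dll (Trojan.TDSS) -> Delete on reboot.
C:\\WINDOWS\\system32\\drivers\\msqpdxxjnrwblt.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "<Category> Infected: N" is a summary line; "<Category> Infected:" opens a
# section; an item is "<path> (<family>) -> <action>."
SUMMARY_RE = re.compile(r"^(?P<category>.+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<category>.+ Infected):$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (summary_counts, items_by_category) for a Malwarebytes log."""
    summary, items, current = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("category")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("category")
            items.setdefault(current, [])
            continue
        if current is None or line == "(No malicious items detected)":
            continue
        m = ITEM_RE.match(line)
        if m:
            items[current].append(
                {"path": m.group("path"), "family": m.group("family"), "action": m.group("action")}
            )
    return summary, items


def summary_mismatches(summary, items):
    """Categories whose summary count differs from the items actually listed."""
    return {
        cat: (summary.get(cat), len(found))
        for cat, found in items.items()
        if summary.get(cat) != len(found)
    }


def pending_on_reboot(items):
    """Paths the scanner could not remove live; confirm they are gone after rebooting."""
    return [
        it["path"]
        for found in items.values()
        for it in found
        if it["action"].lower().startswith("delete on reboot")
    ]


def families(items):
    """Distinct detection names, handy for a second opinion from another vendor."""
    return sorted({it["family"] for found in items.values() for it in found})


if __name__ == "__main__":
    summary, items = parse_mbam_log(SAMPLE_MBAM_LOG)
    print("mismatches:", summary_mismatches(summary, items))
    print("verify after reboot:", pending_on_reboot(items))
    print("families:", families(items))
```

On the post's log the counts agree and one file is left for reboot: the TDSS DLL in system32. That is exactly the item to look for again once the machine is back up, since a rootkit component that survives the reboot will be the reason a "clean" scan still leaves the DNS hijack in place.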


02 Mar 09 - 01:54 PM (#2579469)
Subject: RE: Tech: Trojan infection
From: olddude

Microsoft's free online scanner will normally do the trick, then buy McAfee (I find it to be the best to fully protect the machine). You can get a free scan and repair by visiting Microsoft's OneCare:

microsoft onecare


02 Mar 09 - 04:56 PM (#2579663)
Subject: RE: Tech: Trojan infection
From: Bernard

Rootkit infections are far more difficult to shift than simple trojans... they block all access to any software solutions (including Microsoft's free online scanner), and prevent access to update websites - even in Safe Mode.

The great thing about ComboFix is it uses the Windows Recovery Console where necessary, which means it can fix problems you can't get at through Safe Mode...


03 Mar 09 - 12:31 AM (#2579998)
Subject: RE: Tech: Trojan infection
From: Sawzaw

The rootkit scanner did nothing for me. Only Malwarebytes fixed anything.

I even tried a bootable cd named BART. Nothing resulted.


04 Mar 09 - 12:30 AM (#2580820)
Subject: RE: Tech: Trojan infection
From: Gurney

Glad you are sorted, Bernard. I suspect that you had something similar to what I was fighting a couple of weeks ago (Thread [Another Another Problem]) but the contrast in your obvious experience to mine made the difference. Mick Pearce made several suggestions in PMs to me (thanks, Mick) but wisely didn't suggest ComboFix because it needs more experience than I can muster, judging from the warnings on the website.
I used a hardware solution; this is the same computer but I'm running a different harddrive, with the power plug pulled on the original. I'll format-and-load the original HD when I get around to it. There's nothing on there now that I can't afford to lose.
Maybe try ComboFix first?
Both HDs are jumpered 'master' so they can't cross-pollinate each other. Well, I THINK not.
And my business records and software are on an old Gateway that works perfectly well and is NEVER going on the web!


04 Mar 09 - 06:26 AM (#2580928)
Subject: RE: Tech: Trojan infection
From: GUEST,.gargoyle

Gurney - Just a quick - "heads up"

NEVER going on the web might not keep your old Gateway records intact. A music CD, a floppy, a kid's game, even a shared printer could be enough avenue for a malicious program to infect.

This thread has been very informative... and Gurney's. Thank you all.

Sincerely,
Gargoyle


04 Mar 09 - 05:10 PM (#2581346)
Subject: RE: Tech: Trojan infection
From: Gurney

Shared printer. Ah. Ah.
Time to see if I can find my old parallel switch.
Thank you, Gargoyle.
I put the speakers away, and kids are unlikely to want the small VDU...

The Amigas that NASA used had a power-switch on the front with a lock on them! I remember reading about that.


04 Mar 09 - 07:31 PM (#2581441)
Subject: RE: Tech: Trojan infection
From: Peace

I thought that Trojans were meant to prevent infections . . . .


04 Mar 09 - 11:52 PM (#2581546)
Subject: RE: Tech: Trojan infection
From: Gurney

Yes, Peace, and according to Wikipedia they used to. LOTS of suggestions there, but it seems to be a reversal of the old adage about gamekeepers and poachers, in that the virus writers are using the techniques of the virus killers to escape detection.

The inference on Wiki seems to be that if you aren't VERY experienced or have an IT man who is, use my solution!

Wouldn't it be nice if someone published information about virus writers on the web. You know, like name, address, photo.....


05 Mar 09 - 01:10 AM (#2581567)
Subject: RE: Tech: Trojan infection
From: Peace

Indeed, Gurney, indeed.