Topic: Trojan activity


Felix123

  • Guest
Trojan activity
« on: February 08, 2008, 07:54:27 PM »
Like many others, I got this virus yesterday evening; it spreads infected files here and there. I have tried to follow some of the indications found on this matter, but no help. I have disabled the restore configuration and rebooted, but avast screens again.
My system is Win XP Pro SP2, up to date. What I notice is IE7 popping up with some phishing site and then a pop-up inviting me to install some sort of software to clean infections (I just close the pop-up). I notice also that the volume slider is not smooth anymore.
Tried also the Avast Cleaner tool, nothing detected.

I have installed only the "avast! v.4.7 Home Edition" for protection.
Attached are the warning log to see the infected files and the cleaner log.

It seems the virus regenerates after booting, but avast can find only the files the virus creates.
Please any help will be appreciated.

Thank you

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Trojan activity
« Reply #1 on: February 08, 2008, 08:16:51 PM »
Hi there, first I will need to see the current state of play.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt  -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Felix123

  • Guest
Re: Trojan activity
« Reply #2 on: February 08, 2008, 08:36:21 PM »
Attached are the main and extra files.

Offline essexboy

Re: Trojan activity
« Reply #3 on: February 08, 2008, 08:42:11 PM »
OK, lots of nasty critters there:

First tool

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Attach the replies as it is easier for me to play with them

Offline essexboy

Re: Trojan activity
« Reply #4 on: February 08, 2008, 08:45:39 PM »
I will be offline for a few hours but should be back before the end of the day  :D

Felix123

  • Guest
Re: Trojan activity
« Reply #5 on: February 08, 2008, 09:33:39 PM »
There was some problem with ComboFix: the first download was corrupted, the other one was ok but it showed some sort of error before starting. Anyway, it seems it quarantined a few files (I had a suspicion already about the first two) but the problem is still there.

Attached are the requested files

Felix123

  • Guest
Re: Trojan activity
« Reply #6 on: February 08, 2008, 10:40:32 PM »
In the meantime I have done some investigation myself on the system: after ComboFix removed the BHO files, it creates a new one after reboot in system32 with the name mllmk.dll (which I can't remove manually). I have noticed that looking at the IE7 add-ons; if I try to disable it, it will be enabled again after booting.

Offline essexboy

Re: Trojan activity
« Reply #7 on: February 08, 2008, 11:01:43 PM »
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
C:\WINDOWS\system32\WinPrint.exe
C:\WINDOWS\system32\tuvwttu.dll
C:\WINDOWS\system32\NTSpool.exe
C:\Documents and Settings\All Users\Dati applicazioni\ezsid.dat

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvwttu]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"Windows Printing Driver"=-
"NTSpool"=-
[-hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks\{E0EA1F31-B58F-47E8-A185-20C52DF9F168}]

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
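The CFScript above deletes files and removes autostart entries at three well-known locations: a Winlogon Notify package, a per-user Policies\Explorer\Run value, and a ShellExecuteHook CLSID. As an added example that is not part of the thread, here is a read-only PowerShell audit of those same three locations on a current Windows host (PowerShell was not shipped with XP SP2), flagging any loaded image that is missing, unsigned, or created within the last 30 days; the registry paths are those used in the script, the flag thresholds are assumptions.

```powershell
# Added example, not from the thread: read-only audit of the three persistence
# locations the CFScript above cleans. It reports only; it deletes nothing.
$sys32    = Join-Path $env:SystemRoot 'System32'
$findings = @()

# 1. Winlogon Notify: each subkey's DLLName is loaded into winlogon.exe at logon
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    foreach ($k in Get-ChildItem $notify) {
        $dll = [string](Get-ItemProperty $k.PSPath).DLLName
        if (-not $dll) { continue }
        if (-not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $sys32 $dll }  # bare names resolve to System32
        $findings += [pscustomobject]@{ Location = "Winlogon\Notify\$($k.PSChildName)"; Image = $dll }
    }
}

# 2. Per-user policy Run key: each value is a command line started by the shell at logon
$polRun = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
if (Test-Path $polRun) {
    foreach ($p in (Get-ItemProperty $polRun).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }                  # skip PowerShell's own provider properties
        $findings += [pscustomobject]@{ Location = "Policies\Explorer\Run\$($p.Name)"; Image = [string]$p.Value }
    }
}

# 3. ShellExecuteHooks: each CLSID value maps, via InprocServer32, to a DLL loaded into explorer.exe
$hooks = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path $hooks) {
    foreach ($p in (Get-ItemProperty $hooks).PSObject.Properties) {
        if ($p.Name -notlike '{*}') { continue }
        $srv = "HKLM:\SOFTWARE\Classes\CLSID\$($p.Name)\InprocServer32"
        $dll = if (Test-Path $srv) { [string](Get-ItemProperty $srv).'(default)' } else { '' }
        $findings += [pscustomobject]@{ Location = "ShellExecuteHooks\$($p.Name)"; Image = $dll }
    }
}

# Flag images that are missing, unsigned, or created within the last 30 days (assumed threshold)
foreach ($f in $findings) {
    $img = [Environment]::ExpandEnvironmentVariables([string]$f.Image).Trim('"')   # arguments, if any, are not stripped
    if (-not $img -or -not (Test-Path -LiteralPath $img)) { $flag = 'MISSING' }
    else {
        $signed = (Get-AuthenticodeSignature -FilePath $img).Status -eq 'Valid'
        $recent = (Get-Item -LiteralPath $img).CreationTime -gt (Get-Date).AddDays(-30)
        $flag = if (-not $signed) { 'UNSIGNED' } elseif ($recent) { 'RECENT' } else { 'ok' }
    }
    '{0,-8} {1,-50} {2}' -f $flag, $f.Location, $img
}
```

A MISSING entry whose registry value still points at a deleted DLL is the pattern left behind when a file is removed but its autostart entry is not, which is why the CFScript removes both.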

Felix123

  • Guest
Re: Trojan activity
« Reply #8 on: February 08, 2008, 11:39:41 PM »
Files attached

Offline essexboy

Re: Trojan activity
« Reply #9 on: February 08, 2008, 11:45:56 PM »
OK there is one that does not want to play - Yet -

Download WinPFind35u.exe  to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
      Reg - BotCheck
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and attach the log. I will review it when it comes in.

Felix123

  • Guest
Re: Trojan activity
« Reply #10 on: February 09, 2008, 12:05:32 AM »
Here it is

Offline essexboy

Re: Trojan activity
« Reply #11 on: February 09, 2008, 12:16:49 AM »
Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Quote
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YY -> {E0EA1F31-B58F-47E8-A185-20C52DF9F168} [HKEY_LOCAL_MACHINE] -> %System32%\tuvwttu.dll []
[Files/Folders - Created Within 30 days]
YY -> sed.exe -> %System32%\sed.exe
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new Hijackthis log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Felix123

  • Guest
Re: Trojan activity
« Reply #12 on: February 09, 2008, 12:46:00 AM »
Well, at the moment everything looks quiet and I see the volume slider working smoothly again. Please tell me if all the malware was removed. I think you have done a great job.

Spiritsongs

  • Guest
Re: Trojan activity
« Reply #13 on: February 09, 2008, 08:11:39 AM »
:) Hi:

It appears your ONLY security is Avast; not a wise decision. You complain of trojan activity, yet you do NOT have any antiSPYWARE/antiTROJAN programs. At a minimum, you should use the FREE version of "SUPERAntiSpyware" from www.superantispyware.com.

And the "built-in" firewall that comes with the Win XP SP2 Operating System is not that good. You should seriously consider installing a firewall, and I recommend choosing between Zone Alarm, Sunbelt Kerio, or Sygate, all FREE and available at www.filehippo.com/software/firewalls.

Offline essexboy

Re: Trojan activity
« Reply #14 on: February 09, 2008, 12:11:32 PM »
Looks good - now for a bit of housekeeping - I would concur on SAS and a firewall.

Now the best part of the day ----- Your log now appears clean  :thumbsup:

Double click Winpfind35 once again and you should see a CleanUp! button; press that button. You may get prompted by your firewall that OTMoveIt wants to contact the internet; allow this. A cleanup.txt will be downloaded, and a message dialog will ask you if you want to proceed with the cleanup process; click Yes. This will delete all the tools you have downloaded plus itself.

Now to get you off to a good start we will reset your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore point but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and then display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again; the program will close and you are done.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free program:
  • SpywareBlaster to help prevent spyware from installing in the first place.
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?


Keep safe  :wave: