Author Topic: Win32-Pakes-AKM [trj] need help to remove (combofix+hijackthis attached)


soaringorion

  • Guest
Hello,

Avast has found a trojan on my daughter's laptop but it cannot remove it.

The file name is : c:\windows\system\narrhoo.dll
the malware name is: Win32-Pakes-AKM [trj]

I have attached the combofix log and the hijackthis log
Please help!!!
thank you

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
I suggest:

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on.
4. Use SUPERantispyware and/or Spyware Terminator to scan for spywares and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89055
  • No support PMs thanks
Why can't it remove it? What errors: file in use, etc.?

If that is the case, you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, Menu, 'Schedule boot-time scan...' Or see http://www.digitalred.com/avast-boot-time.php.

You don't appear to have an active firewall (one that provides outbound protection). What is your firewall?

Your version of JAVA is out of date. Ensure you have the latest version of JRE (JAVA Runtime Environment) because older versions can be vulnerable to malware. First remove All Older Versions From Add/Remove Programs.
Then get the latest update from here http://java.sun.com/javase/downloads/index.jsp
Or JRE version 6 update 4 http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html

You aren't using the latest HJT version either, so it might be best to get that and run it again before doing anything. FileHippo Download - HiJackThis
You are also running HJT from your desktop and really it should be in its own folder.

Fix:
O2 - BHO: (no name) - {DE6EA56B-BA31-42D3-ACCE-ADE27BB3F52C} - C:\WINDOWS\system32\narrhoo.dll
See http://www.prevx.com/filenames/3259908506949444273-0/NARRHOO.DLL.html, which comes from a google of narrhoo.dll.

Suspect:
Unknown
O2 - BHO: (no name) - {FED19B2F-B80F-4785-996B-9E4644A895A6} - \
No hits on a google search for the clsid {FED19B2F-B80F-4785-996B-9E4644A895A6} which if valid should really have some hits.

I don't see anything else that is obvious in your HJT log. 
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
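Added example, not code from this thread or from any of its posters: a small Python triage of HijackThis "O2 - BHO" lines that encodes the two signs DavidR points at, a BHO registered with "(no name)" and a BHO whose file path is blank, plus the "(file missing)" marker HJT itself prints for an entry whose DLL is gone. The sample log is constructed from the two entries quoted in this thread plus a made-up benign entry with an obviously fake CLSID; the scoring rules and the optional on-disk check are my own assumptions, not HijackThis behaviour.

```python
import re
from typing import Callable, Optional

# Constructed sample in the HijackThis "O2 - BHO" line format. The first two lines are the
# entries quoted in this thread; the third is a made-up benign entry for contrast.
SAMPLE_HJT_LOG = """\
O2 - BHO: (no name) - {DE6EA56B-BA31-42D3-ACCE-ADE27BB3F52C} - C:\\WINDOWS\\system32\\narrhoo.dll
O2 - BHO: (no name) - {FED19B2F-B80F-4785-996B-9E4644A895A6} - \\
O2 - BHO: Example Toolbar Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
"""

# name - {CLSID} - path, as HJT prints it; the CLSID is a standard 8-4-4-4-12 GUID.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\} - "
    r"(?P<path>.*)$"
)


def triage_bho(log_text: str,
               file_exists: Optional[Callable[[str], bool]] = None) -> list:
    """Return one record per O2 line with the reasons it deserves a second look.

    file_exists is an optional callable (e.g. os.path.exists when run on the machine
    that produced the log) used to confirm the DLL is really on disk.  It is left
    off by default so the function works on a log copied from another computer.
    """
    findings = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if not m:
            continue
        name = m.group("name")
        clsid = m.group("clsid").upper()
        path = m.group("path").strip()
        reasons = []
        # Legitimate BHOs almost always register a display name.
        if name == "(no name)":
            reasons.append("no name")
        bare = path.replace("(file missing)", "").strip()
        if bare in ("", "\\"):
            # A registered CLSID with no InprocServer32 path: the entry is an orphan
            # or the loader value was tampered with; either way it cannot be trusted.
            reasons.append("no file path")
        elif "(file missing)" in path:
            reasons.append("file missing")
        elif file_exists is not None and not file_exists(bare):
            reasons.append("file not on disk")
        findings.append({"clsid": clsid, "name": name, "path": bare, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for rec in triage_bho(SAMPLE_HJT_LOG):
        status = ", ".join(rec["reasons"]) or "nothing unusual"
        print(f'{rec["clsid"]}  {rec["path"] or "<no path>"}  ->  {status}')
```

The check is deliberately conservative: it flags what is structurally odd about an entry (missing name, missing path, missing file) and leaves the decision to whoever reads the log, which matches how the CLSID with no hits was handled in the post above.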

soaringorion

Thanks for your help and I'll try these steps right away.

I meant that Avast could not move the file to the chest or delete it during the scan at start-up. I was getting the following error message at start-up: error 0xc0000022 {access denied}

Offline Lisandro

Follow step 3 I've posted before...

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Looking at your combofix log, you have a bit of a rootkit happening.

Copy the first part of these instructions into a note so you can refer to them while in safe mode.

Step #1

Start in Safe Mode using the F8 method:

Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
Use the arrow keys to select the Safe Mode menu item.
Press the Enter key.

Step #2

Now we will need to disable the driver for this thing. Please do the following:

Click Start, click Control Panel, click Performance and Maintenance, and then click System.

(Please note that depending on how you have your computer set up, the path to the System icon may be Start, Control Panel, System.)

On the Hardware tab, click Device Manager.

Click the View menu and if there is no checkmark in front of Show hidden devices then click on it to activate it.

Scroll down the list of devices and double-click Non-Plug and Play Drivers.

Locate nepsqzaq and right click it and then click the Properties option.

Click the Driver tab.

In the Startup section select Disable from the drop-down list.

Click General tab.

In the Device Usage drop-down list select Do not use this device (disable).

Click the Ok button and you should be prompted to reboot. You can reboot normally.


Back in normal windows.

Please download The Avenger by Swandog46 to your Desktop.


1.
  • Click on Avenger.zip to open the file
  • Extract avenger2.exe to your desktop
Quote
Drivers to delete:
nepsqzaq
 
Files to delete:
C:\WINDOWS\system32\drivers\qlsduxqj.dat
C:\WINDOWS\system32\narrhoo.dll
C:\WINDOWS\system32\ppkifeml.ini2


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Copy/Paste all the text  in the above quote box into the main window
  • MAKE SURE THE TEXT MATCHES EXACTLY
  • Click Execute

    The Avenger will automatically do the following:
    • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions.  This log file will be located at  C:\avenger.txt

Run combofix again

    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    -----------------------------------------------------------
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you. 
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

soaringorion

Thank you very much for these steps.
I was wondering how did you notice this particular driver?

Anyway, I followed the steps and I have attached the new files from Avenger, ComboFix and HJT.
thanks again

Offline oldman

It was in the combofix log in the driver/services section. Weird names always make me suspicious.

Open HJT, run a system scan only, check mark these lines if present

O2 - BHO: (no name) - {DE6EA56B-BA31-42D3-ACCE-ADE27BB3F52C} - C:\WINDOWS\system32\narrhoo.dll (file missing) 

Close all other browsers/windows, click fix, close HJT.

I notice you have some open ports, any reason? Just curious.

"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020


Just to make sure that reg key is gone and the one file, I'd like you to run combofix one time. It will be started a bit differently this time.

Please follow all previous instructions regarding security programs.


Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt". Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.


Quote
File::
C:\WINDOWS\system32\drivers\qlsduxqj.dat


Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\nepsqzaq]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DE6EA56B-BA31-42D3-ACCE-ADE27BB3F52C}]


This will start ComboFix again. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


Note when doing the combofix fix:

A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes Notepad will open with your results log open. Click File, click Exit and answer 'Yes' to save changes.

Thanks
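Added example, not oldman's own method: a Python heuristic for the "weird names" he describes spotting in the driver/services section. It scores a service or driver name on rare letters (q, x, z, j), a low vowel ratio and long consonant runs, and adds to the score when the image file carries an extension other than .sys, .exe or .dll, as with the .dat file named in this thread. The sample list is constructed: the first pair is the name and path from this thread, the rest are standard Windows XP driver names added for contrast. The weights and threshold are assumptions; short acronym names such as HTTP still collect a point or two, so the output is a shortlist for a person to look at, not a verdict.

```python
import re

# Constructed sample of (service name, image path) pairs in the shape of a driver/services
# listing. The first pair is quoted in this thread; the rest are stock Windows XP drivers.
SAMPLE_SERVICES = [
    ("nepsqzaq", r"C:\WINDOWS\system32\drivers\qlsduxqj.dat"),
    ("Tcpip", r"C:\WINDOWS\system32\drivers\tcpip.sys"),
    ("Kbdclass", r"C:\WINDOWS\system32\drivers\kbdclass.sys"),
    ("HTTP", r"C:\WINDOWS\system32\drivers\http.sys"),
    ("MRxSmb", r"C:\WINDOWS\system32\drivers\mrxsmb.sys"),
]

VOWELS = set("aeiouy")
RARE_LETTERS = set("qxzj")          # common in random names, rare in English-derived ones
NORMAL_IMAGE_EXTENSIONS = {"sys", "exe", "dll"}


def name_score(name: str) -> int:
    """Score how random-looking a service/driver name is (assumed weights, 0..4)."""
    letters = [c for c in name.lower() if c.isalpha()]
    if not letters:
        return 0
    score = 0
    # Two or more of q/x/z/j in one short word is unusual for a real product name.
    if sum(c in RARE_LETTERS for c in letters) >= 2:
        score += 2
    # Pronounceable names have roughly a third vowels; generated ones often do not.
    if sum(c in VOWELS for c in letters) / len(letters) < 0.2:
        score += 1
    # A run of four or more consonants is another sign of a generated string.
    runs = re.findall(r"[^aeiouy]+", "".join(letters))
    if runs and max(len(r) for r in runs) >= 4:
        score += 1
    return score


def path_score(path: str) -> int:
    """A driver whose image is not a .sys/.exe/.dll (here a .dat) is worth two points."""
    m = re.search(r"\.([A-Za-z0-9]+)$", path)
    ext = m.group(1).lower() if m else ""
    return 0 if ext in NORMAL_IMAGE_EXTENSIONS else 2


def triage_services(entries, threshold: int = 3) -> list:
    """Return (name, path, score) for every entry at or above the threshold."""
    flagged = []
    for name, path in entries:
        score = name_score(name) + path_score(path)
        if score >= threshold:
            flagged.append((name, path, score))
    return flagged


if __name__ == "__main__":
    for name, path, score in triage_services(SAMPLE_SERVICES):
        print(f"score {score}: {name} -> {path}")
```

The extension rule does most of the work for the entry from this thread; the letter rules exist so that a generated name loading a properly named .sys file still surfaces, while common acronym drivers stay under the threshold.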

Trojanhater666

  • Guest
I HAVE THIS SAME TROJAN!

Offline oldman

If you would have followed the instructions in your thread, it would probably be gone like soaringorion's problem.  ;)

soaringorion

Sorry for the delay, but my daughter did not want to leave her computer alone.
Here is the last file from ComboFix.

Regarding the TCP/IP ports, I don't know why they are open. How do I close them?

Thanks again for your help. In the future, do I need to install other software on top of Avast to stop such malware, or is Avast sufficient?


Offline oldman

Glad to hear your daughter is enjoying her computer. She should give you a big   :-*  for your time and effort. Didn't mean to alarm you about the ports, I was just curious. I did some research and they seem legitimate, either network or program related. I will check it out more.

If everything seems to be fine, we'll clean up the tools we used.

* Click start button, run, then copy and paste the following line into the box and click ok.

ComboFix /u


* Please download OTMoveIt2 by OldTimer.



Open OTMoveIt2, then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet; allow this. A cleanup.txt will be downloaded, and a message dialog will ask you if you want to proceed with the cleanup process; click Yes. This will delete all the tools you have downloaded plus itself.

* Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, then click Create.

* Remove old restore points

- Go to Start - All Programs - Accessories - System Tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear; select the More Options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.


* Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to "Java Runtime Environment (JRE) 6 Update 5...allows end-users to run Java applications".

Click the download button on the right.

> If the Information Bar pops up, right-click on it and say it's OK to display the blocked content.

You do not have to install the Java Web Start ActiveX Control.


Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and Save the file jre-6u5-windows-i586-p.exe to your desktop; do not Run it. Do not install it yet.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure  and reboot if not prompted to do so.

* Clear the java cache

http://www.java.com/en/download/help/5000020300.xml

* Download and run this clean up utility. You can use it regularly. When it's first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp by Steven Gould

http://www.stevengould.org/downloads/cleanup/


* If you are using windows firewall, please note that it doesn't provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

or

http://forum.avast.com/index.php?topic=33530.0


Thanks for your perseverance and great work on your end.

Take care and keep safe.


edit: I almost forgot your other questions. You should have a resident antispyware program, such as spywareblaster. It won't remove anything but can prevent malware from entering. Also a good on demand antispyware program like superantispyware.

Both are free

http://www.javacoolsoftware.com/spywareblaster.html

Just get the home version, unless you want to trial the paid version.

http://www.superantispyware.com/

my recommended setting for on demand scans:

First update SAS Then boot into safe mode and set SAS up like this.

Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.

Under Scanner Options make sure the following are checked
- CHECK ALL BOXES

Return to the main page by clicking Close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive (and other fixed drives).
Under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan.


« Last Edit: March 11, 2008, 08:54:35 AM by oldman »

Offline DavidR

Quote from: oldman
<snip>
I notice you have some open ports, any reason? Just curious.

"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

<snip>

I find it strange that any legitimate application would open a port and leave it open, rather than simply use it and close it in the normal way.

The 135 port is associated with DCOM and has been exploited in the past.

http://www.grc.com/port_135.htm
Quote from: GRC.com
Port 135 is certainly not a port that needs to be, or should be, exposed to the Internet. Hacker tools such as "epdump" (Endpoint Dump) are able to immediately identify every DCOM-related server/service running on the user's hosting computer and match them up with known exploits against those services.

Any machines placed behind a NAT router (any typical residential or small business broadband IP-sharing router) will be inherently safe. And any good personal software firewall should also be able to easily block port 135 from external exposure. That's what you want.

In addition, many security conscious ISPs are now blocking port 135 along with the notorious "NetBIOS Trio" of ports (137-139). So even without any of your own proactive security, you may find that port 135 has been blocked and stealthed on your behalf by your ISP.

The same is true for ports in the 5000 range; I find it strange too that they would specifically be opened.

http://www.grc.com/port_5000.htm
Quote from: GRC.com
The Universal Plug N' Play (UPnP) system operates over two ports: UDP/1900 and TCP/5000.
Most users don't even require the UPnP service running, but as Alan constantly reminds me, some users do require it (though I can't recall the exact reason). But again, they would use it and close it; there are a number of exploits associated with UPnP.

Checking some of the other 5000+ ports at GRC indicates trojan use for back doors, etc., so I feel it is suspicious to have these ports open as it leaves you exposed to the internet and not stealthed.

Perhaps alanrf (if he sees this) could comment on UPnP and the need to open the ports.
« Last Edit: March 11, 2008, 03:55:35 PM by DavidR »
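Added example, mine rather than DavidR's or GRC's: Python that parses firewall open-port lines in the shape quoted above, flags the ports the GRC text names (135, the NetBIOS trio 137-139, UPnP on 1900/UDP and 5000/TCP; 445/SMB is added from general knowledge), reports contiguous blocks of opened ports such as the 5000-5020 run so they can be traced back to whichever program created them, and, in answer to the "How do I close them?" question earlier in the thread, builds the XP SP2-era netsh commands that remove each exception for an administrator to review before running. The sample input is constructed from a subset of the lines quoted in the thread plus a made-up 1900/UDP entry; the risk table and the block rule are my own assumptions.

```python
import re

# Constructed sample in the shape of the firewall open-port lines quoted in this thread
# (a subset of them), plus one made-up UDP entry for the UPnP discovery port.
SAMPLE_OPEN_PORTS = """\
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"1900:UDP"= 1900:UDP:UDP Port 1900
"""

# "port:proto"= port:proto:label, exactly as the lines above are laid out.
LINE_RE = re.compile(r'^"(\d{1,5}):(TCP|UDP)"=\s*(\d{1,5}):(TCP|UDP):(.*)$')

# (port, proto) -> why an inbound exception for it deserves attention. 135, 137-139, 1900
# and 5000 follow the GRC text quoted in the thread; 445/SMB is added from general knowledge.
KNOWN_RISKY = {
    (135, "TCP"): "DCOM/RPC endpoint mapper; should not be reachable from the Internet",
    (137, "UDP"): "NetBIOS name service",
    (138, "UDP"): "NetBIOS datagram service",
    (139, "TCP"): "NetBIOS session service",
    (445, "TCP"): "SMB over TCP",
    (1900, "UDP"): "UPnP discovery (SSDP)",
    (5000, "TCP"): "UPnP control port",
}


def parse_open_ports(text: str) -> list:
    """Return (port, proto, label) for every line that matches the format."""
    ports = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ports.append((int(m.group(3)), m.group(4), m.group(5).strip()))
    return ports


def contiguous_blocks(ports: list, min_len: int = 3) -> list:
    """Group consecutive port numbers of the same protocol into (proto, low, high) blocks."""
    blocks = []
    for proto in ("TCP", "UDP"):
        nums = sorted({p for p, pr, _ in ports if pr == proto})
        start = prev = None
        for n in nums:
            if prev is not None and n == prev + 1:
                prev = n
                continue
            if start is not None and prev - start + 1 >= min_len:
                blocks.append((proto, start, prev))
            start = prev = n
        if start is not None and prev - start + 1 >= min_len:
            blocks.append((proto, start, prev))
    return blocks


def triage_open_ports(text: str) -> list:
    """Known-risky ports first, then any block of consecutive ports opened together."""
    ports = parse_open_ports(text)
    findings = []
    for port, proto, label in ports:
        reason = KNOWN_RISKY.get((port, proto))
        if reason:
            findings.append({"port": port, "proto": proto, "label": label, "reason": reason})
    for proto, lo, hi in contiguous_blocks(ports):
        findings.append({
            "port": lo, "proto": proto, "label": f"{lo}-{hi}",
            "reason": f"{hi - lo + 1} consecutive {proto} ports opened as a block; "
                      "verify which program needs them",
        })
    return findings


def netsh_close_commands(text: str) -> list:
    """One XP SP2 Windows Firewall command per parsed exception; review before running."""
    return [f"netsh firewall delete portopening protocol={proto} port={port}"
            for port, proto, _ in parse_open_ports(text)]


if __name__ == "__main__":
    for f in triage_open_ports(SAMPLE_OPEN_PORTS):
        print(f'{f["proto"]} {f["label"]}: {f["reason"]}')
    print("\n".join(netsh_close_commands(SAMPLE_OPEN_PORTS)))
```

Removing an exception only closes the hole in the host firewall; the program that asked for the port is still there, which is why the block finding asks to identify it rather than just delete the entries.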

Offline oldman

Thanks DavidR. I spent over an hour last night looking for why these ports would be open. This is the first log I've seen this in. Searching the internet shows this is quite common, but alas no reason could be found. In this one I found, on a highly reputable site, nothing was done to close them during the cleaning of the machine.

http://aumha.net/viewtopic.php?t=32058&start=0&postdays=0&postorder=asc&highlight=

I shared your thoughts also about it being part of the infection. I tried to find similarities in the programs on these two systems; nothing jumps out. Elsewhere I did come across vague references to game playing and network access, but again no clear reason or which program would account for it.

You're right, perhaps alanrf could shed some light on this.  ???

Offline DavidR

Now you mention it, I think gaming might possibly be what alanrf mentioned using UPnP for. Even if that is correct, I see no reason to leave a port open, when the connection should be established in the normal way and closed when the gaming session is over.