Author Topic: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updating, Sad But True  (Read 55127 times)


St.Anger_561_

  • Guest
Error - 4/25/2009 8:38:07 AM | Computer Name = D3Z3PF41 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
 arguments ""  in order to run the server:  {A1F4E726-8CF1-11D1-BF92-0060081ED811}
 
Error - 4/25/2009 8:39:04 AM | Computer Name = D3Z3PF41 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
 arguments ""  in order to run the server:  {A1F4E726-8CF1-11D1-BF92-0060081ED811}
 
Error - 4/25/2009 8:41:38 AM | Computer Name = D3Z3PF41 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
 arguments ""  in order to run the server:  {A1F4E726-8CF1-11D1-BF92-0060081ED811}
 
Error - 4/25/2009 8:46:10 AM | Computer Name = D3Z3PF41 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
 arguments ""  in order to run the server:  {BA126AE5-2166-11D1-B1D0-00805FC1270E}
 
Error - 4/25/2009 9:10:11 AM | Computer Name = D3Z3PF41 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
 arguments ""  in order to run the server:  {A1F4E726-8CF1-11D1-BF92-0060081ED811}
 
Error - 4/25/2009 9:11:12 AM | Computer Name = D3Z3PF41 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
 arguments ""  in order to run the server:  {A1F4E726-8CF1-11D1-BF92-0060081ED811}
 
 < End of report >

Wow, what a lot of information... I am going to attempt to run the rescue disk next on the infected cpu.
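The "DCOM ... ID = 10005" entries pasted above are the kind of noise that is easy to mistake for infection. The `%1084` placeholder is the Win32 error code ERROR_NOT_SAFEBOOT_SERVICE ("this service cannot be started in Safe Mode"), which is exactly what you get when a scanner is run in Safe Mode and DCOM tries to start services that are not on the safe-boot list. The script below is an added example for this thread, not something either poster ran: it parses a report in that layout, decodes the error code, and counts failures per service and CLSID so a reviewer can tell repeated safe-mode noise from a genuinely broken service. `SAMPLE_REPORT` is constructed from two of the records quoted above.

```python
import re
from collections import Counter

# Constructed sample: two records copied in the layout of the report pasted in the post above.
SAMPLE_REPORT = """\
Error - 4/25/2009 8:38:07 AM | Computer Name = D3Z3PF41 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
 arguments ""  in order to run the server:  {A1F4E726-8CF1-11D1-BF92-0060081ED811}
 
Error - 4/25/2009 8:46:10 AM | Computer Name = D3Z3PF41 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
 arguments ""  in order to run the server:  {BA126AE5-2166-11D1-B1D0-00805FC1270E}
 
 < End of report >
"""

# Win32 error codes commonly seen in the "%NNNN" placeholder of DCOM event 10005.
# Only codes whose meaning is certain are listed; anything else is reported as "unknown".
WIN32_ERRORS = {
    1053: "ERROR_SERVICE_REQUEST_TIMEOUT (service did not respond in time)",
    1058: "ERROR_SERVICE_DISABLED (service is disabled)",
    1068: "ERROR_SERVICE_DEPENDENCY_FAIL (a dependency service failed to start)",
    1084: "ERROR_NOT_SAFEBOOT_SERVICE (service cannot be started in Safe Mode)",
}

HEADER_RE = re.compile(
    r"^Error - (?P<when>[\d/]+ [\d:]+ [AP]M) \| Computer Name = (?P<host>\S+) "
    r"\| Source = (?P<source>\S+) \| ID = (?P<event_id>\d+)$"
)
DESC_RE = re.compile(
    r'DCOM got error "%(?P<code>\d+)" attempting to start the service (?P<service>\S+) with'
    r'\s+arguments "(?P<args>[^"]*)"\s+in order to run the server:\s+(?P<clsid>\{[0-9A-Fa-f-]+\})'
)


def parse_dcom_events(report):
    """Split the report into records (one per 'Error - ...' header) and extract the fields."""
    events = []
    header = None
    body = []

    def flush():
        if header is None:
            return
        rec = dict(header)
        rec["event_id"] = int(rec["event_id"])
        m = DESC_RE.search(" ".join(body))  # description wraps onto a second line
        if m:
            rec.update(m.groupdict())
            rec["code"] = int(rec["code"])
            rec["meaning"] = WIN32_ERRORS.get(rec["code"], "unknown")
        events.append(rec)

    for line in report.splitlines():
        hm = HEADER_RE.match(line.strip())
        if hm:
            flush()
            header, body = hm.groupdict(), []
        elif header is not None:
            body.append(line.strip())
    flush()
    return events


def summarize(events):
    """Count DCOM 10005 failures per (service, error code) so repeats stand out."""
    return Counter(
        (e.get("service"), e.get("code"))
        for e in events
        if e["source"] == "DCOM" and e["event_id"] == 10005
    )


def safe_mode_artifacts(events):
    """Return the records explained by Safe Mode alone (error 1084); these are not infection evidence."""
    return [e for e in events if e.get("code") == 1084]


if __name__ == "__main__":
    evs = parse_dcom_events(SAMPLE_REPORT)
    for (svc, code), n in summarize(evs).items():
        print(f"{svc:10} code {code} x{n}: {WIN32_ERRORS.get(code, 'unknown')}")
    print(f"{len(safe_mode_artifacts(evs))} of {len(evs)} records are Safe Mode artifacts")
```

Run it against a saved copy of the report; if every 10005 entry decodes to 1084 and the timestamps line up with the Safe Mode scan, the block can be set aside and attention goes back to the file findings.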



micky77

  • Guest
It appears you ran the OT scan in safe mode. This is the first time I've examined a log in detail, so hopefully some others may help. I would do another scan in normal mode. Only this time do not copy/paste the log, but post it as an attachment.

Can you go to C:\WINDOWS\System32\sys_dll.dll and copy/paste sys_dll.dll to desktop, then send to virustotal

http://www.virustotal.com/

and RMAgentOutput.dll in C:\WINDOWS\RMAgentOutput.dll
and twain_16.dll in C:\WINDOWS\twain_16.dll
and qt-mt331.dll in C:\WINDOWS\System32\qt-mt331.dll
and Welsof32.dll in C:\WINDOWS\System32\Welsof32.dll
and zwpshex.dll in C:\WINDOWS\zwpshex.dll
« Last Edit: April 25, 2009, 05:35:41 PM by micky77 »
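Copying each DLL to the desktop and uploading it works, but hashing the files in place is quicker and also covers the case that turns up later in the thread: a 0-byte file cannot be uploaded or scanned, and a file that is already known can be looked up by its hash instead of re-uploaded. The script below is an added example for this thread, not something either poster ran. `SUSPECT_PATHS` are the paths micky77 listed; `demo()` runs the same triage over a constructed temporary directory (one empty file, one with made-up content, one missing) so the behaviour can be checked on any system.

```python
import hashlib
import tempfile
from pathlib import Path

# Paths named in the post above (32-bit Windows XP layout).
SUSPECT_PATHS = [
    r"C:\WINDOWS\System32\sys_dll.dll",
    r"C:\WINDOWS\RMAgentOutput.dll",
    r"C:\WINDOWS\twain_16.dll",
    r"C:\WINDOWS\System32\qt-mt331.dll",
    r"C:\WINDOWS\System32\Welsof32.dll",
    r"C:\WINDOWS\zwpshex.dll",
]


def triage(paths, chunk=1 << 20):
    """Report size and SHA-256/MD5 for each path; empty and missing files are flagged, not hashed."""
    results = []
    for p in map(Path, paths):
        rec = {"path": str(p), "status": None, "size": None, "sha256": None, "md5": None}
        if not p.is_file():
            rec["status"] = "missing"
        else:
            size = p.stat().st_size
            rec["size"] = size
            if size == 0:
                # Nothing to scan. A 0-byte file with a suspicious name is still worth noting
                # because its hash would match every other empty file and tells you nothing.
                rec["status"] = "empty"
            else:
                sha, md5 = hashlib.sha256(), hashlib.md5()
                with p.open("rb") as fh:
                    for block in iter(lambda: fh.read(chunk), b""):
                        sha.update(block)
                        md5.update(block)
                rec.update(status="hashed", sha256=sha.hexdigest(), md5=md5.hexdigest())
        results.append(rec)
    return results


def demo():
    """Constructed test bed: an empty file, a 64-byte file, and a path that does not exist."""
    with tempfile.TemporaryDirectory() as d:
        empty = Path(d, "sys_dll.dll")
        empty.touch()
        real = Path(d, "twain_16.dll")
        real.write_bytes(b"MZ" + b"\x00" * 62)  # made-up content, not a real DLL
        missing = Path(d, "zwpshex.dll")
        return triage([empty, real, missing])


if __name__ == "__main__":
    for rec in triage(SUSPECT_PATHS):
        print(f"{rec['status']:8} {rec['size']!s:>10} {rec['sha256'] or '-':64} {rec['path']}")
```

The SHA-256 column is what you search for on VirusTotal when the site reports a file as "already analysed" but will not show the report; if the hash is unknown, upload the file itself.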

St.Anger_561_

  • Guest
Thanks for the tip Micky77, I am on the case again and running the scan now.  I will post as an attachment this time, also good news, in a sense.  The silly spyhunt program that I d/l from that shady website was on the infected cpu, not my clean one!! So hopefully my 2nd cpu is still clean.  Thanks again for the advice and help.

micky77

  • Guest
Have you made any progress ?
What happened with DrWeb, that was finding lots of things ?
Did you run the Avira disc ?
Did you analyse those 6 files at Virustotal ?

St.Anger_561_

  • Guest
Update time again.  Here is what I have found thus far:

I tried sending the 6 files to virus total but here is what I get:

sys_dll.dll - 0 byte file, apparently there is no data in this file?  I double checked in my system32 folder for properties and it tells me this file is 0 bytes and it has a size on the disk of 4 kb, so this was not scanned by the website.

RMAAgentoutput.dll  - esafe = suspicious, VBA32 = Trojan.win32.Agent.avfi - is this my trojan?

Qt-mt331.dll = 3.22 mb file = I tried to upload this with both ie8.0 and firefox.  The website told me at first that it was already analyzed, but then it would not let me click on analyze again or show last report.  Instead both of these options were grayed out and the bottom of my web browser says done, but with error on page.   I could try to put this file on a jump drive and try to upload from my clean cpu, but I am worried about infecting that one.

Welsof32.dll = clear 0/40

zwpshex.dll = clear 0/40

twain_16.dll = clear 0/40

dr. web somehow seems to have disappeared from my infected cpu, which is rather odd b/c I do not remember uninstalling it.

I will run the avira disc next after I try drweb once again.  Thanks again for all your help!

St.Anger_561_

  • Guest
I ran Dr. Web under "express scan", which I did under normal windows operation, however this did not turn up anything yet, so I am running a complete scan now, will update you on that asap.

I am going to give the rescue disk a shot next, but I will upload my ot2list scan firstly, which I have done.

Thanks again for all of your help.  I think I am seeing the light near the end of the tunnel.

St.Anger_561_

  • Guest
OK I ran a thorough scan w/the most recent Dr. web updated program and here is what it told me:

inst.#xe  in a folder for aoldownloads/triton_suite_instal6.0.28.3, probable back door trojan - was renamed

sdcmon.#ll in a folder for C:programfiles/support.com/bin, probable Dloader.trojan - was renamed.

I am running the rescue disc now *fingers crossed*  will update again very soon.

St.Anger_561_

  • Guest
I tried several times, but apparently I cannot boot from the Avira rescue cd, arrgh!!   Maybe I am missing something?

I went into my system BIOS, as below, but here is what happened:

I tried going into the boot sequence by hitting f12 and I hit 4 for the IDE Cd-rom device, but it booted into windows.

I then tried to reboot and hit f2 for the system setup, then I went into the boot sequence and moved the IDE - CD rom Device into spot 1, but it booted into windows.

I then rebooted, hit f2 for system setup, this time I moved the hard disk to slot 3, and it booted into  windows again.

I rebooted again, f2 for system setup, then I chose to disable the diskette drive and the hard disk drive C, so I only had the IDE Cd-Rom device chosen for the boot.

this time I just kept getting the following message : strike f1 to retry boot, F2 for setup utility

I hit f1 a few times, but I just got the same message.  I then tried putting the rescue cd into my 2nd cd drive, but I got the same message about striking F1 to retry boot, F2 for setup utility

eh should I try to mess around with the boot sequence option 7 : boot to Utility Partition? 

I tried the IDE Drive Diagnostics under the boot device menu and it says the following info:

My primary IDE: Drive 0 : ste with some numbers - Pass, drive 1: no IDE device
My secondary IDE : Drive 0 - Lite-on combo - diagnostics not supported, drive 1: no IDE device

I don't know what else to try....I was thinking a different rescue disk but I fear it will have the same outcome. 

I am certainly willing to try a different rescue disk and open to any other suggestions, I feel like I hit a brick wall at this point.

Thanks for all your time and suggestions and expertise thus far. 

micky77

  • Guest
I don't think you should mess too much with your settings. Try another disc (different batch), try a dvd, and try a different download link
http://www.free-av.com/en/products/12/avira_antivir_rescue_system.html

micky77

  • Guest
Ok, I have looked at the log again (and again and again  ;D ). There are two more files I would like you to send to virustotal. They are

 npf.sys in C:\WINDOWS\system32\drivers\npf.sys  and

 winsusrm.dll in C:\WINDOWS\System32\winsusrm.dll

http://www.virustotal.com/
If it says they have already been analysed, re-analyse them please.
If you cannot get the rescue disc to work, and scans from MBAM, SAS, and Avast are clean, there are only two more options I can think of, one is SDfix and Combofix. We will wait to see what progress you have made first, with the disc and file results. If you have to run Combofix, I will need to ask someone more experienced to help you (if I can find someone willing  ;D )

I take it you are still being redirected, and Avast still not updating, browser crashing, no online scanners work?

I won't look at the log again, so if you could report back with

1 Progress with Rescue disc
2 Results of file analysis
3 Current problems with pc
Thanks
 
« Last Edit: April 27, 2009, 07:30:16 PM by micky77 »

micky77

  • Guest
Hi St.Anger_561_, as we are not making as much progress as I hoped, I have asked for any advice. Thankfully a very senior member offered some (many thanks).

Update Java

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 13.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u13-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u13-windows-i586-p.exe and select "Run as an Administrator.")
Clean FF with Goored

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click GooredFix.exe to run it.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

Run OTLI
Run OTList2.exe

 Under the Custom Scans/Fixes box at the bottom, paste in the following (not the word quote)

Quote
:OTLI
[2009/04/19 23:03:00 | 00,356,352 | ---- | C] (eSellerate Inc.) -- C:\WINDOWS\eSellerateEngine.dll
[2009/04/19 23:03:00 | 00,081,920 | ---- | C] (eSellerate Inc.) -- C:\WINDOWS\eSellerateControl350.dll

:Commands
[purity]
[emptytemp]
[Reboot]

# Then click the Run Fix button at the top
# Let the program run unhindered, reboot when it is done
#  Then post a new OTL2 log

Also reset the trusted domains

Right-Click Here and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Finally remove Adobe, and replace with Foxit

http://filehippo.com/download_foxit/

« Last Edit: April 28, 2009, 06:37:30 PM by micky77 »
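The two eSellerateEngine/eSellerateControl350 lines in the `:OTLI` fix above were picked out of the OTListIt2 log by hand: recently created files dropped straight into C:\WINDOWS rather than into a program's own folder. The script below is an added example for this thread, not part of OTL or anything the helpers ran. It parses log lines in the `[date | size | attrs | flag] (company) -- path` layout shown above, selects entries created after a cut-off date that sit directly in a system directory and do not carry a trusted publisher name, and prints them in the same `:OTLI` layout for review. The company string comes from the file's version information, which malware can fill in with anything, so an empty or unknown publisher is a triage hint, not a verdict; check each hit (for instance by hash) before it goes into a fix. `SAMPLE_LOG` is constructed: the two eSellerate lines are the ones quoted above, the other three are made up with names borrowed from the thread.

```python
import re
from datetime import datetime
from pathlib import PureWindowsPath

# One OTL/OTListIt2 file line: [YYYY/MM/DD HH:MM:SS | 00,356,352 | ---- | C] (Company) -- C:\path
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]+) \| (?P<flag>[A-Z])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

# Constructed sample log (first two lines are quoted from the post; the rest are invented).
SAMPLE_LOG = r"""
[2009/04/19 23:03:00 | 00,356,352 | ---- | C] (eSellerate Inc.) -- C:\WINDOWS\eSellerateEngine.dll
[2009/04/19 23:03:00 | 00,081,920 | ---- | C] (eSellerate Inc.) -- C:\WINDOWS\eSellerateControl350.dll
[2009/04/19 22:58:31 | 00,024,576 | ---- | C] () -- C:\WINDOWS\zwpshex.dll
[2009/04/20 09:12:44 | 01,383,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msxml6.dll
[2004/08/04 12:00:00 | 00,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\svchost.exe
"""

SYSTEM_DIRS = (PureWindowsPath(r"C:\WINDOWS"), PureWindowsPath(r"C:\WINDOWS\System32"))


def parse_otl(text):
    """Turn file lines into dicts; section headers and other non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append({
            "ts": datetime.strptime(d["ts"], "%Y/%m/%d %H:%M:%S"),
            "size": int(d["size"].replace(",", "")),
            "attrs": d["attrs"],
            "flag": d["flag"],            # C / M as printed in the log
            "company": d["company"],      # from version info; can be spoofed
            "path": PureWindowsPath(d["path"]),
        })
    return entries


def suspicious(entries, since, trusted=frozenset({"Microsoft Corporation"}), roots=SYSTEM_DIRS):
    """Entries created on/after `since`, placed directly in a system directory, publisher not trusted."""
    hits = []
    for e in entries:
        if e["ts"] < since:
            continue
        if e["path"].parent not in roots:   # PureWindowsPath compares case-insensitively
            continue
        if e["company"] in trusted:
            continue
        hits.append(e)
    return hits


def build_fix(entries):
    """Render hits in the same :OTLI layout as the fix quoted in the thread."""
    lines = [":OTLI"]
    for e in entries:
        lines.append(
            f"[{e['ts']:%Y/%m/%d %H:%M:%S} | {e['size']:010,} | {e['attrs']} | {e['flag']}] "
            f"({e['company']}) -- {e['path']}"
        )
    lines += ["", ":Commands", "[purity]", "[emptytemp]", "[Reboot]"]
    return "\n".join(lines)


def demo():
    """Run the pipeline over SAMPLE_LOG with a cut-off of 1 April 2009."""
    hits = suspicious(parse_otl(SAMPLE_LOG), datetime(2009, 4, 1))
    return [str(e["path"]) for e in hits], build_fix(hits)


if __name__ == "__main__":
    paths, fix = demo()
    print(f"{len(paths)} candidate(s):")
    print(fix)
```

The trusted-publisher set is deliberately tiny; widen it with publishers you have verified on that machine, and treat anything with an empty `()` company field as the first thing to hash and look up.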

St.Anger_561_

  • Guest
Hello Micky, I wanted to post here in regards to a status update.  Unfortunately my job has me working like a slave, again, and I am not one of the employees privileged enough to work from home.  Therefore I have not been able to put much work into my cpu at home over the past several days.  However I do plan on performing what I can that you have advised me to during my lunch break, particularly the downloading of the programs which I can do and then transfer via a jump drive to my monster of a cpu at home.  I truly appreciate all of your help!  I am confident that this can be solved and I will not give up easily.  I am a soldier, like my father before me was.  Thank you for your direction and expertise and time.

St.Anger_561_

  • Guest
ok I finally have a status update!  Thanks for your patience Micky.   here it goes: 

Firstly I downloaded a second copy of the Avira rescue disk from the new link.  This time the disc seems to be working, however the problem that I am having is with the display.  When it loads I cannot see the entire screen, therefore I cannot click on the flag to change it to English and I cannot click on the option to run the virus scanner.  I have attempted to reboot my cpu after changing the graphic properties, specifically the screen area, hoping one would allow me to see the entire screen, but this is not working the way I had hoped.

Secondly I sent those 2 files to virus total, they both came back with 0/40 hits.

Thirdly I ran the Java as you instructed and removed all of the previous Javas from my system, then I ran the gooredfix program, then I reset the trusted domains and removed adobe and installed Foxit.

Finally I have run the otlist and the fix as you instructed, I am attaching the logs now.  Thank you again for your time, expertise, and assistance.


St.Anger_561_

  • Guest
I wasn't sure which log to post, that last log showed the removed files.   I am now posting the log for the scan that I ran immediately after the fix. 

I will wait to hear from you regarding using a different rescue disk or if you can advise about what to do with the Avira rescue disk. 

Thanks again for your time and patience and expertise.

micky77

  • Guest
Hi St.Anger_561_, can you state exactly what problems you still have, eg redirections, avast not updating etc

The logs you posted are all scrambled, can you still see eSellerateEngine.dll in C:\WINDOWS\eSellerateEngine.dll ?
« Last Edit: May 09, 2009, 08:05:32 PM by micky77 »