[Resolved] rootkit trojan (maybe cybernetic?)
PC Help Forum » Security & Safety » [Fixed] Hijackthis! Logs
#1  04-14-2006  sorcerer (Bronze Member, Join Date: Apr 2006, Posts: 3)

I have a problem. I think I have a trojan/backdoor on my computer, but I still don't know how to eliminate them. This is a cybernetic one, but I am not sure.

Here are reports from Ewido, HJT, TrojanHunter (it reports some processes that are not reported by HJT!), and UnHackMe.

Please help.
Attached Files
File Type: log hijackthis.log (9.0 KB, 1 views)
File Type: txt ewido Scan report_20060414.txt (15.4 KB, 1 views)
File Type: txt TrojanHunter process viewer.txt (366 Bytes, 2 views)
File Type: txt UnHackMe.txt (359 Bytes, 2 views)


#2  04-14-2006  joe5 (Elite Member, Netherlands, Join Date: Jun 2005, Posts: 9,036)

Hya Sorcerer, welcome to PCHF.

You indeed have some pretty nasty unwanted guests on there, let's see if we can get rid of them.

Please download RKFiles.zip
Create a new folder C:\Antispyware\RKFiles
Extract the contents of RKFiles.zip into the new folder you just created.

Next, create a new folder on the Desktop. Name that folder QOOLOGIC
Please download Findqoologic into the new folder, and then unzip it into the new folder.

Download Pocket Killbox:
http://www.atribune.org/downloads/KillBox.exe

Restart to safe mode. (Tap the F8 key during bootup.)

Click Start > Run and type in: services.msc
Click OK
In the Services window find: ALV
Select/highlight and right-click the entry, and choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK
Open HJT and click Config > Misc Tools > "Delete an NT service"
Copy and paste: ALV
Click OK.

Then fix these entries with HJT:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ixuen.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ssbixxc.exe
O2 - BHO: (no name) - {1BB11EDE-D73E-449D-B72A-DA2EB9EB76F0} - (no file)
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O23 - Service: ALV - Unknown owner - C:\DOCUME~1\Boris\LOCALS~1\Temp\ALV.exe (file missing)

Run ATF-Cleaner again, and manually search for this file and delete all you find:

ssbixxc.exe

Start Killbox and place a tick next to [x] Delete on reboot.
And press the "All Files" button. (just above the yellow triangle)

Copy this list into the Windows clipboard:

C:\WINDOWS\system32\dmonwv.dll
C\WINDOWS\SYSTEM32\IXUEN.EXE
C\WINDOWS\SYSTEM32\RNDANR.EXE
C:\Documents and Settings\Boris\Local Settings\Temp\ALV.exe
C:\windows\system32\crss.exe

Back in Killbox go > File > Paste from clipboard,
Click the red highlighted X button and say yes to the prompt, then click OK.
Exit Killbox and restart your PC. (In safe mode immediately again.)

Open the C:\Antispyware\RKFiles folder
Double-click on RKFILES.BAT
Give it time to run. This may take a while.
Save the text file it creates.

It should save by default to C:\Log.txt

Next, open the QOOLOGIC folder and locate and double-click the Find-Qoologic.bat file to run it.
Wait until a text file opens, post it in a reply to your thread when done here.

It'll take a while to run a full scan so please be patient.

Restart into regular Windows mode and post the contents of C:\log.txt, and the Find-Qoologic results. Also please post a new HJT log and a new UnHackMe log.

Also it seems you have no firewall, have a look in our download section for several free ones.

__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -
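The F2 and O23 entries in the post above are where this infection persists. HijackThis reports the Winlogon Shell and Userinit registry values as F2 lines, and every program appended to those values is started at each logon; fixing the line in HJT only rewrites the value, so as long as the binary itself survives the entry can come back, which is why the thread keeps returning to ixuen.exe and ssbixxc.exe. The Python script below is an added example for this page; it is not part of the thread and not HijackThis code. It parses a constructed sample made from the log lines quoted in the post, flags every non-stock entry in Shell and Userinit, and flags any O23 service whose binary is reported missing or lives under a Temp folder. The stock Windows XP baseline values, the extra clean service line, and the function names are my own assumptions.

```python
"""Triage HijackThis F2 (Winlogon Shell/Userinit) and O23 (service) log lines.

Added example, not HijackThis code and not something the posters ran.
The sample log is constructed from the entries quoted in the post; the
baseline values are the stock Windows XP Winlogon settings (assumption).
"""
import re

# Constructed sample input: the F2 and O23 lines joe5 told the poster to fix,
# plus one benign service line (made up here) to show what is not flagged.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ixuen.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ssbixxc.exe
O23 - Service: ALV - Unknown owner - C:\DOCUME~1\Boris\LOCALS~1\Temp\ALV.exe (file missing)
O23 - Service: Bluetooth Support - Unknown owner - C:\WINDOWS\system32\svchost.exe
"""

# Stock Windows XP values (assumed baseline). Any extra comma-separated entry
# is a program Winlogon launches at every logon, which is how the
# ixuen.exe / ssbixxc.exe pair in this thread survives a reboot.
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.IGNORECASE)
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.*)$")


def split_programs(value):
    """Split a comma-separated Winlogon value into its individual program entries."""
    return [part.strip() for part in value.split(",") if part.strip()]


def find_extra_programs(log_text):
    """Map each hijacked Winlogon setting (shell/userinit) to its non-stock entries."""
    extras = {}
    for line in log_text.splitlines():
        match = F2_RE.match(line.strip())
        if not match:
            continue
        setting = match.group(1).lower()
        programs = split_programs(match.group(2))
        unexpected = [p for p in programs if p.lower() not in EXPECTED[setting]]
        if unexpected:
            extras[setting] = unexpected
    return extras


def find_suspicious_services(log_text):
    """Return O23 service names whose binary is missing or lives under a Temp folder."""
    names = []
    for line in log_text.splitlines():
        match = O23_RE.match(line.strip())
        if not match:
            continue
        name, _owner, binary = match.groups()
        file_missing = "(file missing)" in binary.lower()
        in_temp_dir = re.search(r"\\temp\\", binary, re.IGNORECASE) is not None
        if file_missing or in_temp_dir:
            names.append(name)
    return names


if __name__ == "__main__":
    for setting, programs in find_extra_programs(SAMPLE_LOG).items():
        print(f"Winlogon {setting} carries extra program(s): {programs}")
    for name in find_suspicious_services(SAMPLE_LOG):
        print(f"Service {name!r}: stop it, set it to Disabled, then remove its binary")
```

The two checks mirror the order of the instructions above: the service is handled first (stop, disable, delete the service entry), then the Winlogon values are repaired, and the binaries they point at are deleted on reboot. Running the F2 check on the later logs in this thread would show the same two entries until the files are actually gone.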

#3  04-15-2006  sorcerer (Bronze Member, Join Date: Apr 2006, Posts: 3)

Thanks for that.

I started Services and did what you said, but ALV was not running, and I could not click the Stop button. I did the rest.

Note that after deleting the NT service in HJT, it prompted me to restart the machine. I restarted in safe mode.

Next, in HJT I did not find O23 - Service: ALV ... \ALV.exe (file missing)
I fixed the others. I ran the HJT report again, ixuen.exe and ssbixxc.exe appear again.

I ran ATF, but I could not find any ssbxxc.exe. What did you mean with this?

I did as you said, but Killbox deleted only IXUEN.EXE and RNDANR.EXE.

Attached are the logs of RKFiles, Qoologic and HJT. In UnHackMe nothing changed. There are rndanr.exe and 3x ixuen.exe.

I have BitDefender, but I am not satisfied with this one. I'll look for another.

And sorry for my English.
Attached Files
File Type: txt log.txt (726 Bytes, 2 views)
File Type: txt file.txt (1.6 KB, 2 views)
File Type: log hijackthis.log (8.3 KB, 2 views)


#4  04-15-2006  joe5 (Elite Member, Netherlands, Join Date: Jun 2005, Posts: 9,036)

Originally Posted by sorcerer:

Quote:
Thanks for that.

I started Services and did what you said, but ALV was not running, and I could not click the Stop button. I did the rest.

That's ok, that only made it easier.

Quote:
Note that after deleting the NT service in HJT, it prompted me to restart the machine. I restarted in safe mode.

Next, in HJT I did not find O23 - Service: ALV ... \ALV.exe (file missing)

That's also ok, it has been removed by the previous steps and it's gone now.
So it went alright.

Quote:
I fixed the others. I ran the HJT report again, ixuen.exe and ssbixxc.exe appear again.

I'm afraid that will happen several more times, that is normal with a Qoologic infection. But we'll get it.

Quote:
I ran ATF, but I could not find any ssbxxc.exe. What did you mean with this?

Those were two separate instructions: after running ATF, manually search for that file on your PC with the Windows search, and delete it when found.

Quote:
I did as you said, but Killbox deleted only IXUEN.EXE and RNDANR.EXE.

Attached are the logs of RKFiles, Qoologic and HJT. In UnHackMe nothing changed. There are rndanr.exe and 3x ixuen.exe.

Those files are part of Qoologic and pretty stubborn but we'll get them in the end.

Quote:
I have BitDefender, but I am not satisfied with this one. I'll look for another.

And sorry for my English.

No need for that, it looks very good to me.


Boot into safe mode again and fix these with HJT:

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ixuen.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,ssbixxc.exe

Then manually search for and delete ssbixxc.exe.

Start Killbox and place a tick next to [x] Delete on reboot.
And press the "All Files" button. (just above the yellow triangle)

Copy this list into the Windows clipboard:

C:\WINDOWS\System32\ACRYPT32.OCX
C:\Documents and Settings\All Users\Start Menu\programs\startup\KVPBT.EXE
C:\WINDOWS\SYSTEM32\XPSP3RES.DLL
C\WINDOWS\SYSTEM32\RNDANR.EXE
C:\WINDOWS\system32\ixuen.exe

Back in Killbox go > File > Paste from clipboard,
Click the red highlighted X button and say yes to the prompt, then click OK.
Exit Killbox and restart your PC.

Then re-run Find-Qoologic and HijackThis, and post a new log from both of them please.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -


Last edited by joe5; 04-15-2006 at 04:45 PM.
#5  04-17-2006  sorcerer (Bronze Member, Join Date: Apr 2006, Posts: 3)

Quote:
Boot into safe mode again and fix these with HJT:

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ixuen.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,ssbixxc.exe

It's done, but they appeared again.

Quote:
Then manually search for and delete ssbixxc.exe.

I found only a file "ssbixxc.exe [some numbers].pf". I deleted it.

Now I hope you made a mistake, because I wrote C:\ instead of your C\

Quote:
C\WINDOWS\SYSTEM32\RNDANR.EXE

Killbox deleted all the files you specified.

And here are the logs.
Attached Files
File Type: txt file.txt (1.6 KB, 1 views)
File Type: log hijackthis.log (7.9 KB, 1 views)


#6  04-17-2006  joe5 (Elite Member, Netherlands, Join Date: Jun 2005, Posts: 9,036)

Originally Posted by sorcerer:

Quote:
Now I hope you made a mistake, because I wrote C:\ instead of your C\

Yup, I made a mistake there. Good spot.


Boot into safe mode again and fix these with HJT:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1:8082;http://www.neobee.net;;neobee.net;;*...microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;localhost
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ixuen.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ssbixxc.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/webma...rtload185a.exe

Then manually search for and delete ssbixxc.exe. Delete the file from the Prefetch folder, but there should be another one as well; make sure to also search in hidden files and system files.

Start Killbox and place a tick next to [x] Delete on reboot.
And press the "All Files" button. (just above the yellow triangle)

Copy this list into the Windows clipboard:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kvpbt.exe
C:\WINDOWS\SYSTEM32\RNDANR.EXE
C:\WINDOWS\SYSTEM32\IXUEN.EXE

Back in Killbox go > File > Paste from clipboard,
Click the red highlighted X button and say yes to the prompt, then click OK.
Exit Killbox and restart your PC.

Then re-run Find-Qoologic, RKFiles and HijackThis, and post a new log from them again please.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -


All Graphics & Content Copyright © 2004-2008 - PC Help Forum.com