
Solved: Difficult Trojan

Discussion in 'Virus & Other Malware Removal' started by recall383, Oct 1, 2008.

Thread Status:
Not open for further replies.
  1. recall383

    recall383 Thread Starter

    Joined:
    Oct 1, 2008
    Messages:
    2
    Hi there,

    First, my apologies for a wall of text up front... Hopefully it's all useful information.

    I've currently got some virus on my machine that creates other Trojans. The ultimate (noticeable) effect is that IExplorer.exe will randomly start up and go to an advertisement. More often than not, the process name is kBrp0553.exe, if that's of any use. At this point, I've disabled the IE application through Control Panel -> Add/Remove Programs -> Windows Components. However, I still see the process pop up, in the process tree emanating from "services.exe". Additionally, it's opening TCP connections to many IP addresses, which I'd be happy to share if it would provide any use. Most seem fairly random, though, spanning from "unknown.nscnap.net" to Yahoo IPs, and they're fairly dynamic, changing relatively quickly. I'm using Process Explorer to determine this.

    After noticing this effect, I've begun trying to clean my system. I started using Trend Micro's Housecall, which found a Trojan and supposedly cleaned it. This had no effect; the popups continued. Next I moved to AdAware and a full (legal) installation of Symantec Antivirus. Symantec periodically finds new Win32.Agent.ahdb and Win32.BHO.pe (I've used the Kaspersky names; the Symantec equivalent to Agent.ahdb is Trojan.Flush.G) viruses that didn't exist during the last scan, even while the computer's idle, i.e. I leave the machine on overnight with nothing but background processes and then run a scan the next morning, and boom, new Trojan. Recently I've tried Kaspersky Online Scan, which found my quarantined files from Symantec, but nothing else.

    I've tried using HJT, and haven't noticed anything outstanding in the log, but I'm not an expert by any means. I've also used SDFix, Microsoft Windows Malicious Software Removal Tool, Look2Me-Destroyer, XoftSpySE, ComboFix, and SpyZooka, all to no avail. I also ran Malwarebytes, which found some Weatherbug registry keys in addition to another set of Trojan.BHO and Trojan.Agent, which were probably just new instances of what Symantec AV has been removing periodically. At this point, I'm still getting the popup processes.

    I'm pretty frustrated and about to throw in the towel and just re-install Windows, but I was hoping maybe someone had an idea that might help save me that pain.

    I've attached my HJT, ComboFix, and SDFix logs, since those are the ones I'm not sure I fully understand.

    Sorry for the essay, but I figured most of this information might be useful.

    Thanks in advance for any help you can render!
  2. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    36,048
    Hiya and welcome to Tech Support Guy :)

    Are you still having this problem? If so, can you post a fresh HijackThis log, as it's been a few days :)

    Regards

    eddie
  3. recall383

    recall383 Thread Starter

    Joined:
    Oct 1, 2008
    Messages:
    2
    Hi Eddie, and thanks for your response. Fortunately I did manage to get it figured out. Turns out it was a TrojanDownloader.Firu which all of the tests mentioned in my first post somehow missed.

    I got it using http://www.eset.com/onlinescan/ which I found recommended to another user over on bleepingcomputer.com who was having similar issues.

    I was quite surprised to find that none of the other Malware/Virus scanners found it.

    Anyway, I'll mark this as solved. Thanks!
  4. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    36,048
    Oki doki, glad it's all working for you :)

    Any problems in the future, just post.

    eddie
Short URL to this thread: https://techguy.org/755052