
Notebook infected by trojan ? Getting massive popup actions

Discussion in 'Malware and Virus Removal Archive' started by Eledris, 2008/07/12.

  1. 2008/07/12, Eledris (Thread Starter)
    Hello everyone,

    I got a new laptop approx. 2 months ago. I was using it often in connection with my subwoofer to do some party music and unfortunately a lot of people that I trusted had access to the laptop. I guess someone will have clicked a simple "yes" or something within one of the thousands of internet traps and I got infected.

    I'm experiencing popups the whole day. Most of the commercials that "popup" are German - but this may depend on my location ;)
    I'm using Firefox with the NoScript addon but these popups seem to be started from somewhere else..

    Since it's a company notebook we're not using the Windows internal firewall, and I noticed that Black Death is installed as well as the Trend Micro OfficeScan virus scan engine.

    I'll post the HijackThis and DSS logfiles.

    Thanks for any help folks!

    EDIT: The firewall's name is BlackICE, not Black Death.. sorry!

    HiJackThis
     
    Last edited: 2008/07/12
  2. 2008/07/12, Eledris (Thread Starter)
    continued..

    DSS

    and here is the log from DSS
     


  4. 2008/07/13, noahdfear
    Welcome to WindowsBBS Eledris :)

    First, I recommend that since this is a company machine, you have the company IT department check and clean this PC. They will be better equipped to handle any configuration changes if needed.

    That said, we'll see if we can at least stop the popups and positively identify any malware. Scan again with HijackThis and place a check next to the following entry.

    O4 - HKCU\..\Run: [aowoacy] c:\documents and settings\spoe2303\local settings\application data\aowoacy.exe aowoacy
    Click Fix Checked and close HijackThis when done.


    Now open the Task Manager, select the Processes tab and locate the aowoacy.exe process. Select it then click End Process.


    Now highlight and copy the bolded line of text below.

    "%userprofile%\Local Settings\Application Data "


    Click Start>Run and paste the text into the Run dialog, then hit Enter.
    On the Menu, click Tools>Folder Options.
    Select the View tab.
    Locate Hide extensions for known file types and make sure the checkbox is cleared, then OK out.
    Locate the file aowoacy.exe, right click it and select Rename.
    Add an .old extension, making it aowoacy.exe.old
    If you don't see the file, go back to the View tab in Folder Options and select Show hidden files, then click OK
    Once renamed, please right click the file and select Copy
    Open My Computer, then Local Disk C: and right click>Paste to place a copy of the file there.


    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All ".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit.
    Reboot


    Now, please upload the c:\aowoacy.exe.old file to my submission channel for analysis. Leave a link back to this topic.


    Let me know if the popups have stopped.
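    The manual procedure in the reply above (spot the O4 Run entry that starts a randomly named executable from the user's profile, take the file out of play, keep a copy for analysis) as an added script. This is not code from the thread, from HijackThis or from Navilog. It parses HijackThis O4 lines, flags entries whose executable lives in a user-writable profile folder, and quarantines the file the way the reply does (rename to .old, copy aside), adding a SHA-256 so the submitted sample can be matched later. The first log line is the one quoted in the reply; the three benign lines, the scoring weights and the temp-directory stand-in for the real binary are constructed for this example.

```python
"""Triage HijackThis O4 autostart lines and preserve a suspect sample.

Added example, not code from the thread or from HijackThis/Navilog. The
registry layout and the flagged path follow the O4 line quoted in the
reply; the scoring weights, the benign sample lines and the temp-directory
stand-in for the real binary are constructed for this example.
"""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path, PureWindowsPath

# HijackThis O4 format: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run[A-Za-z]*): "
    r"\[(?P<value>[^\]]*)\] (?P<cmd>.+)$"
)

# User-writable profile folders (Windows XP layout, as in the thread).
# Legitimate autostarts almost always live under Program Files or Windows.
USER_WRITABLE = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\application data\\",
)
TRUSTED_ROOTS = ("\\program files", "\\windows\\")

SAMPLE_LOG = [
    # The entry quoted in the reply above.
    r"O4 - HKCU\..\Run: [aowoacy] c:\documents and settings\spoe2303\local settings\application data\aowoacy.exe aowoacy",
    # Constructed benign entries for contrast (not from the poster's log).
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r'O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow',
    r'O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background',
]


def parse_o4(line):
    """Split one O4 line into hive, key, value name, executable and arguments."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    cmd = entry["cmd"]
    # HJT prints the path unquoted unless it was quoted in the registry, so
    # cut at the first ".exe" and drop any quote around it.
    idx = cmd.lower().find(".exe")
    exe = cmd[: idx + 4] if idx != -1 else cmd.split()[0]
    entry["exe"] = exe.strip('"')
    entry["args"] = cmd[len(exe):].strip(' "')
    return entry


def triage(entry):
    """Score an O4 entry; a location reason alone is enough to flag it."""
    exe = entry["exe"].lower()
    stem = PureWindowsPath(exe).stem
    score, reasons = 0, []
    if any(marker in exe for marker in USER_WRITABLE):
        score += 2
        reasons.append("executable lives in a user-writable profile folder")
    elif not any(root in exe for root in TRUSTED_ROOTS):
        score += 2
        reasons.append("executable outside Program Files / Windows")
    if entry["value"].lower() == stem:
        score += 1
        reasons.append("Run value name equals the executable stem")
    if entry["args"].lower() == stem:
        score += 1
        reasons.append("executable is started with its own name as argument")
    return {"score": score, "suspicious": score >= 2, "reasons": reasons}


def find_suspicious(lines):
    """Return (entry, verdict) pairs for the O4 lines that score as suspicious."""
    hits = []
    for line in lines:
        entry = parse_o4(line)
        if entry is not None:
            verdict = triage(entry)
            if verdict["suspicious"]:
                hits.append((entry, verdict))
    return hits


def quarantine(exe_path, drop_dir):
    """Rename the file to .old so no Run entry can start it, then keep a hashed copy."""
    src = Path(exe_path)
    disarmed = src.with_name(src.name + ".old")
    # On Windows this raises PermissionError while the process is still
    # running, which is why the reply ends the process first.
    src.rename(disarmed)
    copy = Path(drop_dir) / disarmed.name
    shutil.copy2(disarmed, copy)
    digest = hashlib.sha256(copy.read_bytes()).hexdigest()
    copy.with_name(copy.name + ".sha256").write_text(f"{digest}  {copy.name}\n")
    return disarmed, copy, digest


def demo():
    """Triage SAMPLE_LOG, then quarantine a dummy stand-in for the flagged file."""
    hits = find_suspicious(SAMPLE_LOG)
    with tempfile.TemporaryDirectory() as tmp:
        fake = Path(tmp) / "aowoacy.exe"  # placeholder bytes, not the real sample
        fake.write_bytes(b"MZ placeholder")
        drop = Path(tmp) / "drive_root"
        drop.mkdir()
        disarmed, copy, digest = quarantine(fake, drop)
        quarantined = not fake.exists() and disarmed.exists() and copy.exists()
    return {
        "flagged": [entry["exe"] for entry, _ in hits],
        "reasons": hits[0][1]["reasons"] if hits else [],
        "quarantined": quarantined,
        "sha256": digest,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

    On a real log, feed `find_suspicious(open(path).read().splitlines())` the saved HijackThis output and call `quarantine()` on the flagged path with the drive root as `drop_dir`. The rename failing with PermissionError on Windows is itself a signal: it means the executable is still running, which matches the poster's later observation that a rename that succeeds implies the process was not active.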
     
  5. 2008/07/14, Eledris (Thread Starter)
    Hi noahdfear,

    first of all thanks for the quick reply.

    I followed your instructions and here are my results :

    1. I could not stop the running process "aowoacy.exe" - because it seems that it was not running at this time.
    2. Although I could not terminate the process, I was able to rename the file - which tells me that the process could not have been running at that moment?
    3. I cleaned up all the mentioned files with the ATF cleaner
    4. I rebooted.
    5. I Uploaded the aowoacy.exe.old to your channel and linked to this topic.

    This is what I can report right now:

    1. The boot sequence was much quicker than before
    2. I visited sites where the popups normally showed up very often - and had no popup action right now.

    Seems this was the crappy file? :D
    I'll keep an eye on the popups and if they are still there I will let you know.

    One additional question / remark :

    Within my Application Data folder there are also the following files:

    • aowoacy.dat
    • aowoacy_nav.dat
    • aowoacy_navps.dat

    And now- the aowoacy.exe.old.

    May I remove all of them, or should I rather keep waiting? Should I upload them anywhere else, as they may help your investigation?

    Again - thanks a lot !!!

    Eledris
     
  6. 2008/07/14, noahdfear
    Thanks for the upload! Yes, please do upload those dat files.

    Sit on them for now .... jury's still out. ;)
     
  7. 2008/07/15, Eledris (Thread Starter)
    Heyho..,

    Uploaded them just now.

    Would be glad to hear if you figured something out with those files..

    And lots of thanks again - no popups anymore so far!!!

    Eledris
     
  8. 2008/07/15, noahdfear
    Are you saying you're getting popups again? If so, post a fresh dss log.

    Thanks for the uploads!

    Please download Navilog1 by IL-MAFIOSO:
    • Double click on navilog1.exe to install it on your computer.
    • When the installation is complete, the tool will start automatically.
    • If it doesn't start automatically, please double click on Navilog1 shortcut on your desktop to run it.
    • Press E for English from the language Menu.
    • Type 1 in the next Menu to select Search and press Enter.
    • Wait for the Scan to finish (It may take a reasonable amount of time)
    • Press any key when requested.
    • A new document will be produced: fixnavi.txt.
    • Please copy/paste the contents of this report in your next reply.
    The report is also saved in the root of the system drive, "%SystemDrive%\fixnavi.txt" (usually C:\fixnavi.txt).
     
  9. 2008/07/16, hawk22 (Geek Member)
    Hi Dave, I have just had a read of this post and, not that I understand much of it, but I can read German, and as Eledris was concerned about German stuff popping up I had a read of it, and it appears to me that this laptop has German networking stuff on it.
    S3 Cwbrxd refers to IBM Remote Control, and then the other part further down mentions that the domain controller name could not be established, and then it says that further attempts to establish it will not be granted for 30 minutes.
    Just thought I'd mention it as it is a company computer.
    cheers
    hawk22
     
  10. 2008/07/16, Eledris (Thread Starter)
    Hi Hawk,

    thanks for your concerns - but the popups always opened German advertising pages..

    Now that the problem seems to be fixed.. there are no popups anymore! Not even German ones *lol*

    Noahdfear - should I still go ahead with your Navilog request?

    Thanks again folks !

    Eledris
     
  11. 2008/07/16, noahdfear
    Thanks hawk :)

    Yes, please proceed with Navilog. Those files belong to an infection known for rootkit-like behavior, and there may be more (certainly some registry stuff left too). ;)
     
  12. 2008/07/16, Eledris (Thread Starter)
    Trend Micro OfficeScan reported a virus/malware finding while I was installing.

    It also raised an alarm while the scan proceeded.

    Here's the logfile that was created:

    Rgds,

    Eledris
     
  13. 2008/07/16, noahdfear
    First, delete all 4 of those aowoacy files, then empty the Recycle Bin.

    Double click on Navilog1 shortcut icon on your desktop to run it.
    • Press E for English from the language Menu.
    • Type 2 in the next Menu and press Enter.
    • The tool will then advise you that it will restart your computer.
    • Close all open windows and save personal documents, if open, too.
    • If your computer doesn't restart automatically, restart it manually.
    • Choose your usual session.
    • Wait for the *** Clean finished the ... *** message (It may take a reasonable amount of time)
    • A new document will be produced.
    • Your desktop will now appear.
    Please copy/paste the contents of this report in your next reply.

    Note : In the event your desktop does not appear after the tool completes, press CTRL+ALT+Delete and run Explorer.exe as a new task.

    The report is also saved in the root of the system drive, %SystemDrive%\cleannavi.txt (usually C:\cleannavi.txt).
     
