ipsec.dll, btkrnl.dll "Trojans"?


ipsec.dll, btkrnl.dll "Trojans"?

Post by moreyag on 19th April 2012, 11:53 am

good morning all.
I appear to have picked up a few backdoor trojans that keep popping up every time in spite of being quarantined and removed by AVG and removed by Malwarebytes Pro.
My laptop is running Win XP Pro SP3, AVG free a/v, Malwarebytes (paid version), Spybot S&D.
I keep getting the message "move to vault"; I click on "move to vault", and it keeps popping up again. My WiFi & wired LAN connections just keep seeking a network address and I have no network connectivity.
These are the 3 files indicated as viruses:
ipsec.dll
btkrnl.dll
mssql$microsoftbcm.dll

Thanks in advance for any and all help.
Best regards as always,
Morey G
Regards
Morey

moreyag
Intermediate
Intermediate

Posts Posts : 95
Joined Joined : 2009-12-05
OS OS : windows xp & xp pro
Points Points : 26889
# Likes # Likes : 0

View user profile

Back to top Go down

Re: ipsec.dll, btkrnl.dll "Trojans"?

Post by Dr Jay on 19th April 2012, 1:21 pm

Let's do some diagnostics...

Save these instructions so you can have access to them while in Safe Mode.

Please click [You must be registered and logged in to see this link.] to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Double click the setup file to run it.
  • Click Next to continue.
  • Accept the License agreement and click on Next.
  • It will, by default, install it to your desktop folder. Click Next.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked:
      • Hidden Startup Objects
      • System Memory
      • Disk Boot Sectors
      • My Computer
      • Also any other drives (removable) that you may have
Leave the rest of the settings as they appear by default.
  • Then click on Scan at the top right hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all.
  • If it says it cannot be neutralized then choose the delete option when prompted.
  • After that is done click on the Reports button at the bottom and save it to a file; name it Kas.
  • Save it somewhere convenient like your desktop, and post only the detected virus/malware section of the report (it will be at the very top under Detected) in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13757
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Protection Protection : Bitdefender Total Security
Points Points : 302262
# Likes # Likes : 10

View user profile

Back to top Go down

Re: ipsec.dll, btkrnl.dll "Trojans"?

Post by moreyag on 19th April 2012, 9:44 pm

Status: Will be deleted when the computer is restarted (events: 2)
4/19/2012 4:37:17 PM Will be deleted when the computer is restarted Trojan program Backdoor.Win32.ZAccess.fln c:\WINDOWS\system32\pinnaclesys.mediaserver.dll High
4/19/2012 4:37:37 PM Will be deleted when the computer is restarted virus Virus.Win32.ZAccess.k c:\WINDOWS\system32\drivers\mrxsmb.sys High
Status: Deleted (events: 14)
4/19/2012 5:23:25 PM Deleted virus Virus.Win32.ZAccess.k C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP290\A0088566.sys High
4/19/2012 5:23:33 PM Deleted Trojan program Trojan.Win32.Scar.gfef C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP290\A0088573.exe High
4/19/2012 5:23:45 PM Deleted virus Virus.Win32.ZAccess.k C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP290\A0088593.sys High
4/19/2012 5:23:46 PM Deleted Trojan program Trojan.Win32.Scar.gfef C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP290\A0088601.exe High
4/19/2012 5:24:21 PM Deleted Trojan program Trojan.Win32.Scar.gfef C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP291\A0088609.exe High
4/19/2012 5:25:22 PM Deleted virus Virus.Win32.ZAccess.k C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP291\A0088720.sys High
4/19/2012 5:25:29 PM Deleted virus Virus.Win32.ZAccess.k C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP291\A0088778.sys High
4/19/2012 5:25:28 PM Deleted virus Virus.Win32.ZAccess.k C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP291\A0088806.sys High
4/19/2012 5:25:31 PM Deleted virus Virus.Win32.ZAccess.k C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP291\A0088861.sys High
4/19/2012 5:25:39 PM Deleted virus Virus.Win32.ZAccess.k C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP291\A0088907.sys High
4/19/2012 5:25:40 PM Deleted virus Virus.Win32.ZAccess.k C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP291\A0088932.sys High
4/19/2012 5:25:40 PM Deleted virus Virus.Win32.ZAccess.k C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP291\A0088982.sys High
4/19/2012 5:25:46 PM Deleted virus Virus.Win32.ZAccess.k C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP291\A0089010.sys High
4/19/2012 5:36:37 PM Deleted Trojan program Backdoor.Win32.ZAccess.fln C:\WINDOWS\system32\pinnaclesys.mediaserver.dll High

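The report above lists each detection as one line (timestamp, status, type, name, path, severity). As an added example, not part of this thread or of Kaspersky's tool, the following Python script parses lines in that layout and summarizes what a helper would look for: how many hits are merely copies inside System Restore points (the reason the restore points get purged later in the thread), which files are still pending deletion until a reboot, and which paths are live system files. The sample text is an excerpt of the report posted above; the field regex, the `Detection` class and the `summarize()` helper are my assumptions about the layout, not a documented format.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Excerpt of the AVP Tool report posted above (the "Deleted" header still
# says 14 events; only three of its lines are excerpted here). The script
# assumes this one-line-per-event layout: timestamp, status, type, name,
# path, severity.
SAMPLE_REPORT = r"""
Status: Will be deleted when the computer is restarted (events: 2)
4/19/2012 4:37:17 PM Will be deleted when the computer is restarted Trojan program Backdoor.Win32.ZAccess.fln c:\WINDOWS\system32\pinnaclesys.mediaserver.dll High
4/19/2012 4:37:37 PM Will be deleted when the computer is restarted virus Virus.Win32.ZAccess.k c:\WINDOWS\system32\drivers\mrxsmb.sys High
Status: Deleted (events: 14)
4/19/2012 5:23:25 PM Deleted virus Virus.Win32.ZAccess.k C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP290\A0088566.sys High
4/19/2012 5:23:33 PM Deleted Trojan program Trojan.Win32.Scar.gfef C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP290\A0088573.exe High
4/19/2012 5:36:37 PM Deleted Trojan program Backdoor.Win32.ZAccess.fln C:\WINDOWS\system32\pinnaclesys.mediaserver.dll High
"""

# Assumed field layout of an event line (status and type vocab taken from the
# report above; Medium/Low severities are assumed to exist).
LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<status>Will be deleted when the computer is restarted|Deleted) "
    r"(?P<kind>Trojan program|virus) "
    r"(?P<name>\S+) "
    r"(?P<path>.+?) "
    r"(?P<severity>High|Medium|Low)$"
)


@dataclass
class Detection:
    time: str
    status: str
    kind: str
    name: str
    path: str
    severity: str

    @property
    def in_restore_point(self) -> bool:
        # System Restore keeps copies of replaced files under
        # \System Volume Information\_restore{...}\RPnnn\; hits there are
        # snapshots, not the live file, but would come back on a restore.
        return "\\system volume information\\_restore" in self.path.lower()

    @property
    def pending_reboot(self) -> bool:
        # Files in use are only deleted at the next restart.
        return self.status != "Deleted"


def parse_report(text: str) -> list[Detection]:
    """Return one Detection per event line; 'Status:' header lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Detection(**m.groupdict()))
    return events


def summarize(events: list[Detection]) -> dict:
    """Counts and lists a helper would want before deciding the next step."""
    return {
        "total": len(events),
        "by_name": dict(Counter(e.name for e in events)),
        "pending_reboot": [e.path for e in events if e.pending_reboot],
        "restore_point_hits": sum(e.in_restore_point for e in events),
        # live paths, lower-cased and de-duplicated (the report mixes c:\ and C:\)
        "live_system_hits": sorted({e.path.lower() for e in events if not e.in_restore_point}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Run against the full report, the summary shows that most of the 14 "Deleted" events are restore-point snapshots of the same infected driver, while only two live paths were touched and both were still pending deletion until the reboot, which is the kind of reading that decides whether a machine is clean or merely quarantined.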

Re: ipsec.dll, btkrnl.dll "Trojans"?

Post by Dr Jay on 19th April 2012, 9:51 pm

ESET Online Scan

Please run a free online scan with the [You must be registered and logged in to see this link.]
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Dr. Jay (DJ)



Re: ipsec.dll, btkrnl.dll "Trojans"?

Post by moreyag on 19th April 2012, 11:03 pm

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=5a8085470497fc479b9854b61708a2b6
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-04-19 11:00:01
# local_time=2012-04-19 07:00:01 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 73924260 73924260 0 0
# compatibility_mode=1024 16777175 100 0 16561397 16561397 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=81082
# found=2
# cleaned=2
# scan_time=1961
C:\Documents and Settings\Morey G\Local Settings\Temporary Internet Files\Content.IE5\4W4X3OOV\mx_mainxu[1].htm HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

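The ESET log above reports C:\WINDOWS\system32\drivers\etc\hosts as Win32/Qhost, that is, a hosts file that had been edited to block or redirect name lookups. As an added example, not part of this thread or of ESET's scanner, the Python script below audits a hosts file the way a helper would check it by hand: every mapping other than the stock localhost entries is reported, distinguishing names sunk to a loopback or 0.0.0.0 address (which silently blocks a site, for instance an update server) from names pinned to a fixed remote address (a possible redirect). The hosts content is constructed for the example, using reserved example/test names and a TEST-NET address; nothing in it comes from the poster's machine, and the `audit_hosts()` function and its reason strings are my own.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample hosts file. The first three lines are the stock layout;
# the entries after the marker illustrate what a tampered file can look like.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
# --- constructed entries below ---
127.0.0.1       update.example-av.test
0.0.0.0         download.example-vendor.test
198.51.100.7    www.example-bank.test   # constructed, TEST-NET-2 address
"""

# Names that legitimately map to loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


@dataclass
class HostsFinding:
    line_no: int
    address: str
    hostname: str
    reason: str


def audit_hosts(text: str) -> list[HostsFinding]:
    """Report every hosts mapping that is not a stock localhost entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            findings.append(HostsFinding(line_no, parts[0], " ".join(parts[1:]), "unparseable address"))
            continue
        for name in parts[1:]:
            if name.lower() in LOCAL_NAMES:
                continue
            if addr.is_loopback or addr.is_unspecified:
                reason = "public name sunk to loopback/unspecified (blocks the host)"
            else:
                reason = "public name pinned to a fixed address (possible redirect)"
            findings.append(HostsFinding(line_no, str(addr), name, reason))
    return findings


def audit_hosts_file(path: str) -> list[HostsFinding]:
    """Convenience wrapper: on Windows pass %SystemRoot%\\system32\\drivers\\etc\\hosts."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.address} -> {f.hostname}: {f.reason}")
```

Ad-blocking hosts lists legitimately produce hundreds of "sunk" findings by design, so treat the output as a review list rather than a verdict; what matters is whether names the owner did not add (security vendors, update servers, banks) appear in it.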

Re: ipsec.dll, btkrnl.dll "Trojans"?

Post by Dr Jay on 20th April 2012, 10:45 am

Your logs appear to be clean. If there are no more issues, then we shall clean up!

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE

You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do some calculation and then display a dialogue box with TABS.
  • Select the More Options Tab.
  • At the bottom will be a System Restore box with a CLEANUP button; click this.
  • Accept the Warning and select OK again; the program will close and you are done.


Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download [You must be registered and logged in to see this link.] by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Please download [You must be registered and logged in to see this link.] to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


Security Check

Please download Security Check by screen317 from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Tell me in your next reply, if you have completed these tasks:
  • Cleaned System Restore
  • Ran OTC
  • Ran TFC
  • Ran Security Check

Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.


Dr. Jay (DJ)



Re: ipsec.dll, btkrnl.dll "Trojans"?

Post by moreyag on 20th April 2012, 11:28 am

OK, here goes:
1 - CLEANED SYS RESTORE
2 - RAN OTC
3 - COULD NOT RUN TFC - kept hanging for a long time and froze PC
4 - RAN SECURITY CHECK:
Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
AVG 2012
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

SpywareBlaster 4.6
Spybot - Search & Destroy
Windows Defender
HijackThis 2.0.2
Java(TM) 6 Update 24
Java version out of date!
Adobe Flash Player 11.2.202.233
Adobe Reader X (10.1.3)
Mozilla Firefox (3.6.23) Firefox out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````


Re: ipsec.dll, btkrnl.dll "Trojans"?

Post by Dr Jay on 21st April 2012, 3:12 pm

Update Firefox

Firefox is out of date. Firefox is a very popular web browser, and if it is out of date, it is very vulnerable to security bugs, and other holes. To update it now, click Help > Check for Updates.

Update Java

Please download the newest version of Java from [You must be registered and logged in to see this link.].

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.


See [You must be registered and logged in to see this link.] for more info about malware and prevention.

Please feel free to get a good review of antivirus software here: [You must be registered and logged in to see this link.]


Dr. Jay (DJ)



Re: ipsec.dll, btkrnl.dll "Trojans"?

Post by moreyag on 22nd April 2012, 12:26 pm

Thanks so much for all the assistance. I updated Mozilla and Java as instructed.
I would like to get TFC to work if possible... I'm wondering why it freezes, any thoughts?
Thanks
MG


Re: ipsec.dll, btkrnl.dll "Trojans"?

Post by Dr Jay on 22nd April 2012, 6:40 pm

It can do that on some PCs. Try this tool if you want to clean up, it works well:

Download [You must be registered and logged in to see this link.] and save it to your Desktop - [You must be registered and logged in to see this link.]

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

* Double-click the CCleaner shortcut on the desktop to start the program.
* Click on the Options block on the left, then choose Cookies.
* Under Cookies to Delete, highlight any cookies you would like to retain permanently
* Click the right arrow > to move them to the Cookies to Keep window.
* Go into Options > Advanced uncheck Only delete files in Windows Temp folders older than 48 hours
* Click Cleaner on the left then Run Cleaner on the right to run the program.
* Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed its process.


Dr. Jay (DJ)


