Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93105 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Stubborn Trojan


  • This topic is locked This topic is locked
4 replies to this topic

#1 Leonard Joosten

Leonard Joosten

    New Member

  • New Member
  • Pip
  • 2 posts

Posted 13 September 2007 - 05:26 PM

One of my customers has a trojan on her machine.
Etrust identified it as vmalum.jpg
AVG says its Trojan horse Downloader.small.

they both seem like generic names for an unknown trojan.
neither program was successful in killing it
Spybot S&D was also unsuccessful

the trojan has the feature of persistantly creating c:\windows\explore.exe and c:\windows\system32\systems.txt

The AV programs see it when I startup IE
windows update does not appear under tools in IE and when I manually go to the page I get "Network policy settings prevent you from using this website to get updates for your computer" and there is no such policy on any other computer on this domain.

Here is the hijack this log.

Logfile of HijackThis v1.99.1
Scan saved at 6:12:25 PM, on 9/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://www.isqft.com...ptX/ScriptX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://inotes.crman...com/iNotes6.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185473023130
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1185472977160
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/...tz.cab58570.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://sympatico.zon...ploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = agc-gm.org
O17 - HKLM\Software\..\Telephony: DomainName = agc-gm.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = agc-gm.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = agc-gm.org
O20 - AppInit_DLLs: C:\WINDOWS\system32\systems.txt
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OPHE DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHELDCS.EXE
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)

    Advertisements

Register to Remove


#2 ourwilly

ourwilly

    Authentic Member

  • Authentic Member
  • PipPip
  • 96 posts

Posted 15 September 2007 - 05:46 PM

Hello Leonard Joosten

Copy and Paste this post into a new text document or print it for reference

1. Can you please disable your Real-time when doing this or any fix on your system, to Disable Tea-Timer

Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose Yes at the Warning prompt.
Expand the Tools menu.
Click Resident.
Uncheck the Resident "TeaTimer" (Protection of overall system settings) active. box.
In the File menu click Exit to exit Spybot Search & Destroy.


2. Re-open HijackThis and select "Do a System Scan only" and place a checkmark in the boxes before the following entries:

O20 - AppInit_DLLs: C:\WINDOWS\system32\systems.txt
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\

Close any Explorer windows which may be open and click the "Fix Checked" button.


3. Please download the OTMoveIt from here:
http://download.blee...er/OTMoveIt.exe
Save it to your desktop.
Do not run it yet!

Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\systems.txt


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


4. Please download and install SUPERAntiSpyware Home Edition (free)
  • Once installed, update the program definitions when prompted.
  • Click the "Preferences" button and then the "Scanning Control" tab.
  • Under "Scanner Options" make sure the following are checked/selected:
  • 1>> Close browsers before scanning.
  • 2>> Scan for tracking cookies.
  • 3>> Terminate memory threats before quarantining.
  • 4>> Ignore System Restore/Volume Information on ME and XP.
  • Deselect all other scanning options.
  • Close SUPERAntiSpyware for use later.
Please Reboot your System into Safe Mode
Shut down your system, then Restart your computer as soon as it starts booting up again continuously tap F8. from the menu select the option to enter Safe Mode

Open SUPERAntiSpyware and click the "Scan your computer" button.
  • On the left, select "C:\Fixed Drive".
  • On the right, under "Complete Scan", choose "Perform Complete Scan".
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click "OK".
  • Make sure everything in the white box has a check next to it, then click "Next".
  • After quarantining anything found, you may be prompted to reboot, click "Yes".
Reboot back into Normal Mode.

In your next reply please post a new HijackThis log, the SUPERAntiSpyware Scan Log and the OTMoveIt log

Thank you.
A Cooperative Effort with WhatTheTech

Please do not PM me asking for support. Post on the forums instead
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 Leonard Joosten

Leonard Joosten

    New Member

  • New Member
  • Pip
  • 2 posts

Posted 17 September 2007 - 12:32 PM

Ok I had also submitted the infested explore.exe and systems.txt to CA and they have updated their definitions to include Win32/SillyDl.DFS as of today. I updated etrust and ran a scan to remove it. I then followed the instructions you wrote.

Hijack this still saw those 2 entries so I fixed those.

otmoveit did not see that file again

Superantispyware found and fixed a number of problems

Logfile of HijackThis v1.99.1
Scan saved at 1:09:23 PM, on 9/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\CA\SHARED~1\SCANEN~1\InoDist.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://www.isqft.com...ptX/ScriptX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185473023130
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = agc-gm.org
O17 - HKLM\Software\..\Telephony: DomainName = agc-gm.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = agc-gm.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = agc-gm.org
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OPHE DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHELDCS.EXE
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/17/2007 at 01:02 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 01:19:58

Memory items scanned : 167
Memory threats detected : 0
Registry items scanned : 5915
Registry threats detected : 3
File items scanned : 39661
File threats detected : 13

Adware.MediaMotor
C:\WINDOWS\mm06y.ini

Adware.DeluxeCommunications
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DeluxeCommunications
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DeluxeCommunications#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DeluxeCommunications#UninstallString

Adware.Tracking Cookie
C:\Documents and Settings\Administrator.PRIMARY\Cookies\administrator@2o7[1].txt
C:\Documents and Settings\Administrator.PRIMARY\Cookies\administrator@atdmt[2].txt
C:\Documents and Settings\Administrator.PRIMARY\Cookies\administrator@tribalfusion[1].txt
C:\Documents and Settings\cwoychik.PRIMARY\Cookies\cwoychik@2o7[2].txt
C:\Documents and Settings\cwoychik.PRIMARY\Cookies\cwoychik@ads.pointroll[1].txt
C:\Documents and Settings\cwoychik.PRIMARY\Cookies\cwoychik@anat.tacoda[2].txt
C:\Documents and Settings\cwoychik.PRIMARY\Cookies\cwoychik@atdmt[2].txt
C:\Documents and Settings\cwoychik.PRIMARY\Cookies\cwoychik@hearstmagazines.112.2o7[1].txt
C:\Documents and Settings\cwoychik.PRIMARY\Cookies\cwoychik@imrworldwide[2].txt
C:\Documents and Settings\cwoychik.PRIMARY\Cookies\cwoychik@msnportal.112.2o7[1].txt
C:\Documents and Settings\cwoychik.PRIMARY\Cookies\cwoychik@tacoda[2].txt
C:\Documents and Settings\cwoychik.PRIMARY\Cookies\cwoychik@www.googleadservices[1].txt

#4 ourwilly

ourwilly

    Authentic Member

  • Authentic Member
  • PipPip
  • 96 posts

Posted 17 September 2007 - 12:56 PM

Hello Leonard Joosten

"Ok" Thank you for doing that for me

Copy and Paste this post into a new text document or print it for reference

1. Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


2. Please now use Internet Explorer and run this online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:

Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases


Click OK
Now under select a target to scan: Select My Computer

This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.

Copy and paste that information in your next post along with a new HijackThis log.

Thank you
A Cooperative Effort with WhatTheTech

Please do not PM me asking for support. Post on the forums instead
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#5 ourwilly

ourwilly

    Authentic Member

  • Authentic Member
  • PipPip
  • 96 posts

Posted 29 September 2007 - 01:36 AM

Due to lack of feedback, this topic has been closed. If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
A Cooperative Effort with WhatTheTech

Please do not PM me asking for support. Post on the forums instead
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users