BleepingComputer.com: Virus Trigger to Trojan.Downloader

Hey there...this is the best computer board I've seen. I first found this wonderful place in 2007 when I had a trojan. Conventional wisdom was to clean everything off and reload. That's WAY too much time! Thanks to y'all, I discovered the instructions I needed to clean off the trojan and get on with my life!

And now I have a new one...er, had.

Wanted to show the family the SNL parody with Beyonce and Timberlake. Downloaded a video codex, and well, you know.

Thanks to fine posts here, I found out about Malwarebyte's Anti-malware. I followed the instructions. First time around, it cleaned off 36. Second time around (immediately following) it cleaned off 38. Then 7, then 1, then 1, and then 1 that just keeps replicating! Those scans from 38 and down all required reboots for removal.

I used Msconfig to boot to safe mode (F8 doesn't work, I think because I have multiple user setup). Last night I ran ATFCleaner (it found nothing); and then SuperAnti-spyware. Still nothing. Still in Safe Mode I started to run Malwarebyte's program. After 5 hours it had only check 53k files, and it would have to check 350k. I turned it off and registered here.

After using MsConfig to return to normal boot, I did try to run F-Secure. It did not like something, and stopped shortly after starting.

So here it are some of the logs. I use XP pro, ver 3; IE 7, and McAfee. I don't use HiJack This because it messed up my computer when I installed it years ago (although I loved TrendMicro's housecall!).

~~~~~~~
Malwarebyte's first one:

Malwarebytes' Anti-Malware 1.30
Database version: 1406
Windows 5.1.2600 Service Pack 3

11/17/2008 8:54:01 PM
mbam-log-2008-11-17 (20-54-01).txt

Scan type: Full Scan (C:\|)
Objects scanned: 68102
Time elapsed: 56 minute(s), 21 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 4
Registry Keys Infected: 18
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
C:\Program Files\WebMediaViewer\hpmon.exe (Trojan.Zlob) -> Unloaded process successfully.
C:\Program Files\WebMediaViewer\hpmom.exe (Trojan.Zlob) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\WebMediaViewer\browseul.dll (Trojan.Zlob) -> Delete on reboot.
C:\Program Files\VirusTriggerBin\VirusTriggerBinWarning.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Program Files\WebMediaViewer\hpmun.dll (Trojan.Zlob) -> Delete on reboot.
C:\WINDOWS\system32\gowqug.dll (Trojan.Zlob) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{1f3dd9bf-1472-4a8b-b295-b596a597149b} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2eef94df-75f6-42e9-b7fb-af5a170a6e2e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2eef94df-75f6-42e9-b7fb-af5a170a6e2e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{a8954909-1f0f-41a5-a7fa-3b376d69e226} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{967a494a-6aec-4555-9caf-fa6eb00acf91} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9692be2f-eb8f-49d9-a11c-c24c1ef734d5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{096cba44-4a4c-49f7-8903-1e75550abcb7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{096cba44-4a4c-49f7-8903-1e75550abcb7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{096cba44-4a4c-49f7-8903-1e75550abcb7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{64466b8e-20a7-4a4a-aff4-aad9ca68b52c} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{64466b8e-20a7-4a4a-aff4-aad9ca68b52c} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64466b8e-20a7-4a4a-aff4-aad9ca68b52c} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\virustriggerbinwarning.warningbho (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\virustriggerbinwarning.warningbho.1 (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{EE8A3F7B-E4AB-5C41-4926-3FAED82759F5} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3b8fb116-d358-48a3-a5c7-db84f15cbb04} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0b385ee3-ee18-4c69-bf55-6b6b406ef591} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3b8fb116-d358-48a3-a5c7-db84f15cbb04} (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{1f3dd9bf-1472-4a8b-b295-b596a597149b} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vmware hptray (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{2eef94df-75f6-42e9-b7fb-af5a170a6e2e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{2eef94df-75f6-42e9-b7fb-af5a170a6e2e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\virustriggerbin (Rogue.VirusHeat) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

**
Files Infected:
C:\WINDOWS\system32\gowqug.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\Program Files\WebMediaViewer\hpmon.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\hpmom.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\browseul.dll (Trojan.Zlob) -> Delete on reboot.
C:\Program Files\VirusTriggerBin\VirusTriggerBinWarning.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Program Files\WebMediaViewer\hpmun.dll (Trojan.Zlob) -> Delete on reboot.
C:\Program Files\VirusTriggerBin\VirusTriggerBin.exe (Rogue.VirusHeat) -> Quarantined and deleted successfully.

~~~~~~~

Here's Malwarebyte's last one

Malwarebytes' Anti-Malware 1.30
Database version: 1411
Windows 5.1.2600 Service Pack 3

11/19/2008 4:27:45 PM
mbam-log-2008-11-19 (16-27-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 217966
Time elapsed: 2 hour(s), 34 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{E3005BAF-8D8E-496D-9B3E-9A3EDC3B6FFB}\RP6\A0002152.sys (Trojan.Downloader) -> Quarantined and deleted successfully.

DON'T BELIEVE IT...EVERY LOG WITH "1" FOUND SAYS IT IS SUCCESSULLY DELETED. YET UPON SUBSEQUENT SCANS I FIND IT REPLICATED INTO ANOTHER FILE!"
~~~~~
SUPERAnti-Spyware's Log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/20/2008 at 04:33 AM

Application Version : 4.22.1014

Core Rules Database Version : 3644
Trace Rules Database Version: 1627

Scan type : Complete Scan
Total Scan Time : 04:37:24

Memory items scanned : 256
Memory threats detected : 0
Registry items scanned : 8107
Registry threats detected : 0
File items scanned : 43535
File threats detected : 0

~~~~~
Granted, I have not run Malwarebyte's program to see that it is the trojan.downloader has replicated and is still there. After days of the repeated exercise, I didn't see much good in it.

Advise away...I'm listening!

MotherLode

The trojan is in the System Restore folder so it can't be touched by anything except System Restore, not even Malwarebytes Anti-Malware.

Try this:

1. On the desktop, right-click on My Computer.
2. Click Properties on the menu that appears.
3. On the window that appears, click on the System Restore tab.
4. Select Turn off System Restore on all drives.
5. Click on Apply. Then, click on Yes on the window that appears.
6. When the box with the list of drives turns gray, select Turn off System Restore on all drives again to remove the checkmark.
7. Click on Apply.
8. Click on OK to close the window.
9. Run Malwarebytes Anti-Malware again. Post the log back here.

Does the file still appear on scans?

Please do not use System Restore until the log file shows no infections.

Feel free to post if you don't understand my instructions.

Hi Lloyd. Thanks for the prompt reply.

When I right-click the My Computer icon, I have a two tabs, General and Shortcut.

Neither tab has an option for System Restore on it, even under 'advanced' settings.

What's another way to trap the mouse?

I did btw, run Spybot after I posted. It found one hijacker, and removed it.

Sys Restore is not something I use unless absolutely necessary. I know using it will set off this cheeky bugger. I promise I won't!

ML

New thought...as you probably know, that was a shortcut for "my computer" that I examined for properties.

So I opened it, when "up" to My Desktop, and right clicked the real 'My Computer.' Inside were 7 tabs, one of which was called "system restore" and had the ability to turn it off.

Applied and okayed. I'll run Malwarebyte's and let you know!

ML

You're not going to believe this...or maybe you will.

Malwarebytes's just finished running (in just over two hours...got to love it!). It found one bad boy, with a new name, and it wasn't in the SysRes file. It was...wait for it...in a shortcut link on my desktop! And of course, the name was Virus Trigger! I DO have a subdirector in my 'computers & tech' directory of 'my docs' called 'virus trigger.' It holds a copy of the logs with the naming sequence I use for files, as well as PDFs I've made from this site on how to get rid of it.

I first saw the link after rebooted from Safe Mode. I didn't use it, kind of wondered why it was there, but didn't think much of it. As soon as it cleaned it off, the link was gone.

Here's the log, and I'm re-running Malwarebyte 'thorough scan' again.

ML

~~~~

Malwarebytes' Anti-Malware 1.30
Database version: 1411
Windows 5.1.2600 Service Pack 3

11/20/2008 9:43:03 PM
mbam-log-2008-11-20 (21-43-03).txt

Scan type: Full Scan (C:\|)
Objects scanned: 189043
Time elapsed: 2 hour(s), 19 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\The McClintock's\Desktop\Virus Trigger.lnk (Rogue.VirusTrigger) -> Quarantined and deleted successfully.

The last scan came up clean.

I'll only post it if you want.

Thank you Lloyd!!!!

ML

Glad to help!