Post #1 - Nov 20 2008, 05:11 PM
New Member | Group: Members | Posts: 5 | Joined: 20-November 08 | Member No.: 258,861
And now I have a new one...er, had. Wanted to show the family the SNL parody with Beyonce and Timberlake. Downloaded a video codec, and well, you know. Thanks to fine posts here, I found out about Malwarebytes' Anti-Malware. I followed the instructions. First time around, it cleaned off 36. Second time around (immediately following) it cleaned off 38. Then 7, then 1, then 1, and then 1 that just keeps replicating! Those scans from 38 and down all required reboots for removal. I used Msconfig to boot to safe mode (F8 doesn't work, I think because I have a multiple-user setup). Last night I ran ATF Cleaner (it found nothing); and then SUPERAntiSpyware. Still nothing. Still in Safe Mode I started to run Malwarebytes' program. After 5 hours it had only checked 53k files, and it would have to check 350k. I turned it off and registered here. After using Msconfig to return to normal boot, I did try to run F-Secure. It did not like something, and stopped shortly after starting. So here are some of the logs. I use XP Pro, ver 3; IE 7, and McAfee. I don't use HijackThis because it messed up my computer when I installed it years ago (although I loved Trend Micro's HouseCall!).

~~~~~~~ Malwarebytes' first one:

Malwarebytes' Anti-Malware 1.30
Database version: 1406
Windows 5.1.2600 Service Pack 3

11/17/2008 8:54:01 PM
mbam-log-2008-11-17 (20-54-01).txt

Scan type: Full Scan (C:\|)
Objects scanned: 68102
Time elapsed: 56 minute(s), 21 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 4
Registry Keys Infected: 18
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
C:\Program Files\WebMediaViewer\hpmon.exe (Trojan.Zlob) -> Unloaded process successfully.
C:\Program Files\WebMediaViewer\hpmom.exe (Trojan.Zlob) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\WebMediaViewer\browseul.dll (Trojan.Zlob) -> Delete on reboot.
C:\Program Files\VirusTriggerBin\VirusTriggerBinWarning.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Program Files\WebMediaViewer\hpmun.dll (Trojan.Zlob) -> Delete on reboot.
C:\WINDOWS\system32\gowqug.dll (Trojan.Zlob) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{1f3dd9bf-1472-4a8b-b295-b596a597149b} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2eef94df-75f6-42e9-b7fb-af5a170a6e2e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2eef94df-75f6-42e9-b7fb-af5a170a6e2e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{a8954909-1f0f-41a5-a7fa-3b376d69e226} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{967a494a-6aec-4555-9caf-fa6eb00acf91} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9692be2f-eb8f-49d9-a11c-c24c1ef734d5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{096cba44-4a4c-49f7-8903-1e75550abcb7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{096cba44-4a4c-49f7-8903-1e75550abcb7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{096cba44-4a4c-49f7-8903-1e75550abcb7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{64466b8e-20a7-4a4a-aff4-aad9ca68b52c} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{64466b8e-20a7-4a4a-aff4-aad9ca68b52c} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64466b8e-20a7-4a4a-aff4-aad9ca68b52c} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\virustriggerbinwarning.warningbho (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\virustriggerbinwarning.warningbho.1 (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{EE8A3F7B-E4AB-5C41-4926-3FAED82759F5} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3b8fb116-d358-48a3-a5c7-db84f15cbb04} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0b385ee3-ee18-4c69-bf55-6b6b406ef591} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3b8fb116-d358-48a3-a5c7-db84f15cbb04} (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{1f3dd9bf-1472-4a8b-b295-b596a597149b} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vmware hptray (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{2eef94df-75f6-42e9-b7fb-af5a170a6e2e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{2eef94df-75f6-42e9-b7fb-af5a170a6e2e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\virustriggerbin (Rogue.VirusHeat) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gowqug.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\Program Files\WebMediaViewer\hpmon.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\hpmom.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\browseul.dll (Trojan.Zlob) -> Delete on reboot.
C:\Program Files\VirusTriggerBin\VirusTriggerBinWarning.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Program Files\WebMediaViewer\hpmun.dll (Trojan.Zlob) -> Delete on reboot.
C:\Program Files\VirusTriggerBin\VirusTriggerBin.exe (Rogue.VirusHeat) -> Quarantined and deleted successfully.

~~~~~~~ Here's Malwarebytes' last one

Malwarebytes' Anti-Malware 1.30
Database version: 1411
Windows 5.1.2600 Service Pack 3

11/19/2008 4:27:45 PM
mbam-log-2008-11-19 (16-27-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 217966
Time elapsed: 2 hour(s), 34 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{E3005BAF-8D8E-496D-9B3E-9A3EDC3B6FFB}\RP6\A0002152.sys (Trojan.Downloader) -> Quarantined and deleted successfully.

DON'T BELIEVE IT...EVERY LOG WITH "1" FOUND SAYS IT IS SUCCESSFULLY DELETED. YET UPON SUBSEQUENT SCANS I FIND IT REPLICATED INTO ANOTHER FILE!

~~~~~ SUPERAntiSpyware's Log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/20/2008 at 04:33 AM

Application Version : 4.22.1014

Core Rules Database Version : 3644
Trace Rules Database Version: 1627

Scan type : Complete Scan
Total Scan Time : 04:37:24

Memory items scanned : 256
Memory threats detected : 0
Registry items scanned : 8107
Registry threats detected : 0
File items scanned : 43535
File threats detected : 0

~~~~~

Granted, I have not run Malwarebytes' program to see that it is the Trojan.Downloader that has replicated and is still there. After days of the repeated exercise, I didn't see much good in it. Advise away...I'm listening!

MotherLode
Post #2 - Nov 20 2008, 05:47 PM
Distinguished Member | Group: Members | Posts: 848 | Joined: 6-August 08 | From: Canada | Member No.: 228,067
The trojan is in the System Restore folder so it can't be touched by anything except System Restore, not even Malwarebytes Anti-Malware.
Try this:

1. On the desktop, right-click on My Computer.
2. Click Properties on the menu that appears.
3. On the window that appears, click on the System Restore tab.
4. Select Turn off System Restore on all drives.
5. Click on Apply. Then, click on Yes on the window that appears.
6. When the box with the list of drives turns gray, select Turn off System Restore on all drives again to remove the checkmark.
7. Click on Apply.
8. Click on OK to close the window.
9. Run Malwarebytes Anti-Malware again.

Post the log back here. Does the file still appear on scans?

Please do not use System Restore until the log file shows no infections.

Feel free to post if you don't understand my instructions.

This post has been edited by Lloyd T: Nov 20 2008, 05:49 PM

--------------------
Avira AntiVir Personal | COMODO Firewall | Malwarebytes' Anti-Malware | SpywareBlaster | WOT
"There is a saying: yesterday is history, tomorrow is a mystery, but today is a gift. That is why it is called present."
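An added illustration of the point Lloyd makes above (this is editor-supplied example code, not from the thread, from Malwarebytes or from BleepingComputer): a small Python parser for the Malwarebytes' Anti-Malware 1.30 log layout posted in this thread. It pulls each detection out of its section and separates the ones that sit inside a System Restore point (a path under `System Volume Information\_restore{...}\RPn\`) from detections on the live system, and also lists items still marked "Delete on reboot". A detection in the restore-point bucket is a backed-up copy that a scan will keep reporting as "quarantined" while System Restore is on, which is why Lloyd's advice is to turn System Restore off and rescan rather than treat that "1 found" as a live infection. The sample log is a constructed excerpt built from paths that appear in the thread; the regular expressions and the bucket names are this example's own assumptions about the log format.

```python
import re
from dataclasses import dataclass

# Constructed sample: a trimmed log in the layout of the MBAM 1.30 logs posted
# in this thread. The paths are taken from the thread; the excerpt itself is
# assembled here for the example and is not one of the poster's full logs.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.30
Database version: 1411
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|)
Objects scanned: 217966

Memory Modules Infected: 1
Registry Values Infected: 1
Files Infected: 2

Memory Modules Infected:
C:\Program Files\WebMediaViewer\browseul.dll (Trojan.Zlob) -> Delete on reboot.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\virustriggerbin (Rogue.VirusHeat) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{E3005BAF-8D8E-496D-9B3E-9A3EDC3B6FFB}\RP6\A0002152.sys (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\The McClintock's\Desktop\Virus Trigger.lnk (Rogue.VirusTrigger) -> Quarantined and deleted successfully.
"""

# Section headers end with a colon and nothing else; the summary block at the
# top ("Files Infected: 2") has a count after the colon and so does not match.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*$")
# One detection line: <path> (<family>) -> <action>.
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# XP System Restore keeps restore-point copies under this folder layout.
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.IGNORECASE
)


@dataclass
class Detection:
    section: str
    path: str
    family: str
    action: str

    @property
    def in_restore_point(self) -> bool:
        """True when the hit is a restore-point copy, not a file on the live system."""
        return bool(RESTORE_POINT_RE.search(self.path))

    @property
    def pending_reboot(self) -> bool:
        """True when MBAM could not remove the item yet and scheduled it for reboot."""
        return self.action.lower().startswith("delete on reboot")


def parse_mbam_log(text: str) -> list[Detection]:
    """Walk the log line by line, tracking the current section header."""
    detections: list[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        if section is None or line.startswith("(No malicious items detected)"):
            continue
        hit = DETECTION_RE.match(line)
        if hit:
            detections.append(
                Detection(section, hit.group("path"), hit.group("family"), hit.group("action"))
            )
    return detections


def triage(detections: list[Detection]) -> dict[str, list[Detection]]:
    """Split detections into restore-point copies, live-system hits and reboot-pending items."""
    return {
        "restore_point": [d for d in detections if d.in_restore_point],
        "live": [d for d in detections if not d.in_restore_point],
        "pending_reboot": [d for d in detections if d.pending_reboot],
    }


if __name__ == "__main__":
    buckets = triage(parse_mbam_log(SAMPLE_LOG))
    for name, hits in buckets.items():
        print(f"{name}: {len(hits)}")
        for d in hits:
            print(f"  [{d.section}] {d.family}: {d.path} -> {d.action}")
```

Run it on a saved `mbam-log-*.txt` by reading the file into `parse_mbam_log`; anything that lands in `restore_point` is the case this thread is about, and `pending_reboot` tells you a reboot is still owed before the next scan means anything.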
Post #3 - Nov 20 2008, 10:04 PM
New Member | Group: Members | Posts: 5 | Joined: 20-November 08 | Member No.: 258,861
Hi Lloyd. Thanks for the prompt reply.
When I right-click the My Computer icon, I have two tabs, General and Shortcut. Neither tab has an option for System Restore on it, even under 'advanced' settings. What's another way to trap the mouse? I did, btw, run Spybot after I posted. It found one hijacker, and removed it. Sys Restore is not something I use unless absolutely necessary. I know using it will set off this cheeky bugger. I promise I won't!

ML
Post #4 - Nov 20 2008, 10:08 PM
New Member | Group: Members | Posts: 5 | Joined: 20-November 08 | Member No.: 258,861
New thought...as you probably know, that was a shortcut for "my computer" that I examined for properties.
So I opened it, went "up" to My Desktop, and right-clicked the real 'My Computer.' Inside were 7 tabs, one of which was called "System Restore" and had the ability to turn it off. Applied and okayed. I'll run Malwarebytes' and let you know!

ML
Post #5 - Nov 21 2008, 12:54 AM
New Member | Group: Members | Posts: 5 | Joined: 20-November 08 | Member No.: 258,861
You're not going to believe this...or maybe you will.
Malwarebytes just finished running (in just over two hours...got to love it!). It found one bad boy, with a new name, and it wasn't in the SysRes file. It was...wait for it...in a shortcut link on my desktop! And of course, the name was Virus Trigger! I DO have a subdirectory in my 'computers & tech' directory of 'my docs' called 'virus trigger.' It holds a copy of the logs with the naming sequence I use for files, as well as PDFs I've made from this site on how to get rid of it. I first saw the link after I rebooted from Safe Mode. I didn't use it, kind of wondered why it was there, but didn't think much of it. As soon as it cleaned it off, the link was gone. Here's the log, and I'm re-running Malwarebytes' 'thorough scan' again.

ML

~~~~

Malwarebytes' Anti-Malware 1.30
Database version: 1411
Windows 5.1.2600 Service Pack 3

11/20/2008 9:43:03 PM
mbam-log-2008-11-20 (21-43-03).txt

Scan type: Full Scan (C:\|)
Objects scanned: 189043
Time elapsed: 2 hour(s), 19 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\The McClintock's\Desktop\Virus Trigger.lnk (Rogue.VirusTrigger) -> Quarantined and deleted successfully.
Post #6 - Nov 21 2008, 03:11 AM
New Member | Group: Members | Posts: 5 | Joined: 20-November 08 | Member No.: 258,861
The last scan came up clean.
I'll only post it if you want. Thank you Lloyd!!!!

ML
Post #7 - Nov 21 2008, 03:36 PM
Distinguished Member | Group: Members | Posts: 848 | Joined: 6-August 08 | From: Canada | Member No.: 228,067
Glad to help!
--------------------
Avira AntiVir Personal | COMODO Firewall | Malwarebytes' Anti-Malware | SpywareBlaster | WOT
"There is a saying: yesterday is history, tomorrow is a mystery, but today is a gift. That is why it is called present."