I Need The Name Of My Infection


9 replies to this topic

#1 CreamSoda (Members)

Posted 16 October 2007 - 12:55 AM

Last month I got a "trojan downloader" infection after going to a certain website. It installed a bunch of spyware and viruses onto my computer (including WinAntiSpyware & cmdService). I was able to remove MOST of them, but there's still one left that I can't seem to get rid of.

I'm going to describe this worm as best as I can, and I need you guys to give me the name of it so I can search on Google for a manual removal.

1. It consists of a bunch of (8 random letters).dll files and just one (8 random letters).exe.
2. The .dll files are 32 KB in size each, while the .exe file is only 4 KB.
3. The worm can run in Safe Mode. (I tried to delete it in Safe Mode and it didn't let me.)
4. The worm creates this entry in the HijackThis log: reg:win.ini load=(8 random letters).exe
5. In Safe Mode, I can rename the infection files, then restart in Safe Mode again to delete them. BUT, as soon as I start up in Normal Mode, the files respawn.
6. Each time the worm respawns, the 8 random letters change.
7. NO ANTIVIRUS SOFTWARE CAN DETECT/REMOVE IT.
8. I've tried a dozen already, including McAfee 2007 and Norton AntiVirus 2007. I also used SuperAntiSpyware and Spysweeper. I've also used online scanners, like Kaspersky and Panda. I've used the LATEST versions of these scanners. None of them were able to remove this.

Please, don't tell me to run virus scanners or post HJT logs. Those won't help me at all. I just need the name of this infection. With the name, I can search for a manual removal process EASILY.

#2 quietman7 (Global Moderator, Bleepin' Janitor)

Posted 16 October 2007 - 08:26 AM

Follow the instructions for using VundoFix in BC's self-help tutorial "How To Remove Vundo/Winfixer Infection".

Please download SDFix by AndyManchesta and save it to your desktop (an alternate download link is also available).
  • Double-click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next reply.
Note: If this error message is displayed when running SDFix:
The command prompt has been disabled by your administrator.
Press any key to continue...

Please go to Start Menu > Run > and type (copy/paste) the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press OK and then run SDFix again.

--
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 CreamSoda (Topic Starter)

Posted 16 October 2007 - 08:54 AM

hello ^_^

I've already done a scan with SDFix last month and it did not remove this infection. I don't see how VundoFix will do me any good, considering I already removed WinAntiSpyware with another antivirus program last month.

But just for the sake of HOPE, I'm going to try this one more time, although I highly doubt any of this would help.

#4 quietman7 (Global Moderator, Bleepin' Janitor)

Posted 16 October 2007 - 09:10 AM

SDFix is frequently updated so remove your old copy, redownload it and scan again.

Even though you may have removed WinAntiSpyware with other tools, you probably did not get all the related files which sometimes accompany this infection. Further, some variants of Vundo may not be detected by VundoFix, so the "Add More Files" option is another way of ridding this malware. These files need to be identified, and posting a HijackThis log will enable an expert to advise you which files to add if you continue to have problems. If the infection remains after following the steps in the self-help guide, then we will advise you how and where to post a HijackThis log.

#5 CreamSoda (Topic Starter)

Posted 16 October 2007 - 09:32 AM

The infection is still there. SDFix, VundoFix and VundoBeGone did not detect ANYTHING at all.


SDFix: Version 1.109

Run by Tony on Tue 10/16/2007 at 07:24 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:ęTorrent"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:


Finished!

#6 quietman7 (Global Moderator, Bleepin' Janitor)

Posted 16 October 2007 - 10:03 AM

Please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. If you can't perform a step, then skip and continue with the next. In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install HJT in the proper location.)

If HijackThis will not run, try renaming it. Open the HijackThis Folder, right-click on the HijackThis.exe file and rename it Scanner.exe. Double-click on Scanner.exe (which is still HijackThis) and then run your scan. If needed, change the .exe to something else such as .bat, .com, .pif, or .scr. Example: Scanner.bat or Scanner.com

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

#7 CreamSoda (Topic Starter)

Posted 17 October 2007 - 09:16 AM

Once again I find myself to be the only person able to fix stubborn viruses without reformatting. After going to various forums to seek help, no one was able to help me. Everyone just tells me to run a bunch of antivirus applications, which proved to be useless.

So I decided to fix the problem myself. My idea was genius. NO ONE could have thought of it except for me. The infection is gone now, it no longer respawns, and the original worm that was causing it to respawn is also gone.

#8 quietman7 (Global Moderator, Bleepin' Janitor)

Posted 17 October 2007 - 10:03 AM

We are glad to hear the issue has been resolved.

Would you care to share your solution so others may benefit?

#9 CreamSoda (Topic Starter)

Posted 17 October 2007 - 11:36 AM

The secret trick I can't tell, because it can be used to remove ANY virus infection easily. I don't want anyone to know the trick. I WILL hint that it has to do with Notepad (Microsoft Word and WordPad work too).

But I WILL tell you what was causing the problem. The infection was held together by an infected file named hpztsb06.exe.

After using my secret trick, I realized hpztsb06.exe was loading up those random 8-letter .dll and .exe files. So I did a search on my computer (using Microsoft's Search Companion) to look for hpztsb06.exe.

I found 2 of them, in 2 different directories:
  • C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\hpztsb\hpztsb06.exe (size: 188 KB, original file)
  • C:\Documents and Settings\Tony\Local Settings\Temp\hpztsb06.exe (size: 512 KB, infected file)

I checked the file sizes for each of them and found out they were different. So basically, the virus duplicated the original program, infected the duplicate, then placed it in a different location. The infected file carried the same filename and the same icon, but the file size and directory were different.

The original non-infected file is printer software by Hewlett-Packard.

So I uninstalled my printer and deleted the infected file. I restarted my computer in Safe Mode, deleted the 8-random-letter files in my System32 folder, then restarted into Normal Mode. This time NONE of the files respawned.

Then I reinstalled my printer drivers (of course), and restarted to see if any infections respawned, and none of them did, so now I'm happy ^_^. I'm surprised no antivirus programs were able to detect/recognize the infected hpztsb06.exe in the Temp folder though.
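As an added illustration (not part of CreamSoda's post or of any tool mentioned in this thread), the two clues in this thread, the win.ini load= entry from post #1 and the same filename turning up in two directories with different sizes in post #9, can be checked with a short script. The function names (parse_win_ini_autostarts, looks_random, find_duplicate_names, triage) and the win.ini text and file records are constructed for this example; a real tree can be fed to find_duplicate_names() as (path, size) pairs from os.walk.

```python
"""Added example, not from the thread: two triage checks for the clues above.
(1) win.ini load=/run= values that name an 8-random-letter .exe or .dll;
(2) one filename present in several directories with differing sizes, like
the hpztsb06.exe copy in Temp. Sample data below is constructed."""
import ntpath  # handles backslash paths on any host OS
import re
from collections import defaultdict

# [windows] load=/run= start a program at logon; on a clean XP box both are empty.
AUTOSTART_RE = re.compile(r"^(load|run)\s*=\s*(.+)$", re.IGNORECASE)
# Heuristic from post #1: stem of exactly 8 letters, extension .exe or .dll.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(exe|dll)$", re.IGNORECASE)


def parse_win_ini_autostarts(text):
    """Return (key, value) pairs for non-empty load=/run= lines in [windows]."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        m = AUTOSTART_RE.match(line)
        if section == "windows" and m:
            found.append((m.group(1).lower(), m.group(2).strip()))
    return found


def looks_random(path):
    """True when the basename fits the 8-random-letters pattern."""
    return RANDOM_NAME_RE.match(ntpath.basename(path)) is not None


def find_duplicate_names(records):
    """records: iterable of (path, size_bytes). Return {basename: [(path, size)]}
    for names found in 2+ places with differing sizes; same-size copies are not reported."""
    by_name = defaultdict(list)
    for path, size in records:
        by_name[ntpath.basename(path).lower()].append((path, size))
    return {n: e for n, e in by_name.items()
            if len(e) > 1 and len({s for _, s in e}) > 1}


def triage(win_ini_text, records):
    """Run both checks and return the findings in one dict."""
    autostarts = parse_win_ini_autostarts(win_ini_text)
    return {
        "suspicious_autostarts": [v for _, v in autostarts if looks_random(v)],
        "duplicate_names": find_duplicate_names(records),
    }


# Constructed sample input modelled on the thread; sizes are approximate.
SAMPLE_WIN_INI = r"""[windows]
load=C:\WINDOWS\system32\qwlkjzhd.exe
run=
[Extensions]
txt=notepad.exe ^.txt
"""
SAMPLE_RECORDS = [
    (r"C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\hpztsb\hpztsb06.exe", 188 * 1024),
    (r"C:\Documents and Settings\Tony\Local Settings\Temp\hpztsb06.exe", 512 * 1024),
    (r"C:\WINDOWS\system32\notepad.exe", 69632),
    (r"C:\WINDOWS\notepad.exe", 69632),  # same size twice: not flagged
]
```

Running triage(SAMPLE_WIN_INI, SAMPLE_RECORDS) reports the load= target and the two hpztsb06.exe copies, which is exactly the pair of facts CreamSoda had to dig out by hand; the size check alone would not catch a trojanised copy padded to the original size, so a hash comparison against the vendor file is the next step.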

#10 quietman7 (Global Moderator, Bleepin' Janitor)

Posted 17 October 2007 - 12:07 PM

CreamSoda wrote: "I don't want anyone to know the trick."

I'm sorry that you feel that way. That's a selfish attitude to take. Our forums (and others) are open to the public where folks come to ask questions and/or share common solutions to resolve problems affecting others.

Isn't that why you came here and sought assistance elsewhere? You were expecting others to share their knowledge with you in expectation of a resolution.

CreamSoda wrote: "after going to various forums to seek help, no one was able to help me. ...everyone just tells me to run a bunch of antivirus applications, which proved to be useless."

That's generally where you start and then proceed from there. In some cases, it takes considerable time to investigate the issue at hand and develop a solution. Your comments indicate that you have little appreciation for those who have attempted to assist you. Staff members are all volunteers and they try to be as helpful as possible, but there is not always an immediate fix.
