Suspected Swizzor, Obfuscated Or Other Lop.com Trojan


This topic is locked. 2 replies to this topic.

#1 Leviathan666

  • Members
  • 4 posts

Posted 01 January 2008 - 02:40 AM

My Windows XP SP2 laptop has been infected with a trojan and I'm using my desktop to post this right now. My laptop stops responding after 30 seconds into startup and when I try to run HijackThis it gets locked up after 30 seconds as well. Basically I think it locks up every application that I run. I can't even update my numerous virus and spyware scanners and I can't install any new scanners.

It all started when I downloaded a torrent for the movie Hitman. When I tried to play the exactly 700mb .avi file, none of my players (Windows Media, DivX, Media Player Classic etc.) could recognize the file. However the torrent contained a readme that said the movies were encoded with a new codec and I had to visit this website to download either 3wPlayer or Divocodec in order to play the movie. I should have done a search on these two suspicious programs first, but it was too late. I installed Divocodec first, but I could not play the movie. Then the website told me to download 3wPlayer if Divocodec did not work, so I installed it as well. When I still could not play the movie, it was only then that I realized these two programs were malware when I searched their names on Yahoo!.

I immediately did a scan using my five or six spyware scanners at once, and Spybot S&D picked up 3wPlayer but was unable to remove it without a reboot. I think it picked up Divocodec as well. After that I went on holiday for a week and when I came back that was when the damage really started. I started getting CiD help ad popups at regular intervals even when I was using Firefox instead of IE. I updated all my spyware scanners and did another scan and removed some stuff, after which the CiD help popups seem to have disappeared.

However, that was not the end of the trouble. My laptop started locking up at certain intervals while I was running some programs, and would start responding again a few minutes later. I ran all my spyware scanners again and picked up more unwanted stuff, but this time not as many as the last scan. Therefore I did not think much about it and continued using my laptop, until my whole laptop suddenly stopped responding and every program I tried to run got locked up.

That was when I cut off the internet connection and did a search on how to remove 3wPlayer manually. I found that some of the listed files were already deleted, so I deleted the rest of the files and the registry keys in the command prompt of safe mode. I also searched for any keys with '3wplayer' in their name and deleted them.

It still did not solve the problem. I suspected Adware.Lop next, as Symantec.com said that 3wPlayer may download the adware. I did not try to remove the files or registry keys as they were randomly named and were too hard to find. However, in safe mode I did find some strangely named folders in C:\Program Files, C:\Documents and Settings\Administrator\Application Data and C:\Documents, in particular one folder called 'WEB DUMP CAMP' in Program Files with a couple of adware programs inside. I deleted the folder, cleaned up any other suspicious files I could find and rebooted my laptop in normal mode. Still no improvement, every program I tried to run locked up and only resumed about 10 minutes later. When I tried using these programs they locked up again. HijackThis locked up after about 10 seconds of scanning.

After that I suspected one of the Swizzor Trojan variants, in particular Swizzor.FG, which was the most recent version (27 Dec 2007), or Trojan.Win32.Obfuscated.en. This time I downloaded SysInternals Autoruns and it listed many suspicious drivers that said 'file not found'. I deleted all the drivers and their associated registry keys, except for one whose name started with an 'a' followed by random numbers and letters. I was able to delete the registry key but not the driver, which gave an error message saying 'Error deleting start entry: The specified device does not exist as an installed service'. On the next reboot a new driver with the same naming method appeared. The latest example is 'aab8tyl3'. My guess is that this is the root cause of all the trouble and it is the last thing I have to remove.

I have disabled System Restore ever since I discovered that manually removing 3wPlayer did not solve the problem. Currently I have Avast! Antivirus, Avira Antivirus, AVG Antivirus, AVG Antispyware, PC Tools Antivirus, Lavasoft Ad-Aware, Spybot S&D, Super Antispyware and Spyware Terminator. It is hard to get a HijackThis log and takes time but if anyone needs it I will post it in my second post.
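The "file not found" driver entries the poster describes seeing in Autoruns are service registry keys under HKLM\SYSTEM\CurrentControlSet\Services whose ImagePath no longer points at a file on disk. The following read-only script is an added example, not code from this thread or from Sysinternals, that enumerates those entries the same way a triage tool would, so they can be reviewed before anyone decides what to remove. It assumes an elevated PowerShell session on the affected machine (PowerShell was a separate download on XP SP2), that unquoted image paths contain no spaces, and that relative paths are relative to %SystemRoot%.

```powershell
# Added example, not code from the thread. Read-only enumeration of
# HKLM\SYSTEM\CurrentControlSet\Services entries whose ImagePath does not
# resolve to an existing file: the "file not found" rows the poster saw in
# Autoruns. Run from an elevated PowerShell prompt on the affected machine.

function Resolve-ServiceImagePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim()
    # Keep only the executable: strip surrounding quotes or trailing arguments.
    # (Assumption: unquoted paths contain no spaces; an unquoted
    # C:\Program Files\x.exe would be cut at the first space and reported missing.)
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        $p = if ($end -gt 1) { $p.Substring(1, $end - 1) } else { $p.TrimStart('"') }
    } else {
        $p = ($p -split '\s+')[0]
    }
    # Expand %SystemRoot% and friends, then the NT-style prefixes driver entries use.
    $p = [Environment]::ExpandEnvironmentVariables($p)
    $p = $p -replace '^\\\?\?\\', ''                        # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\... -> C:\WINDOWS\...
    if (-not [IO.Path]::IsPathRooted($p)) {
        # Entries such as system32\DRIVERS\foo.sys are relative to %SystemRoot% (assumption)
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-OrphanedServiceEntry {
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # Service groups and some legacy keys carry no ImagePath; skip them.
        if (-not $props -or -not $props.ImagePath) { return }
        $resolved = Resolve-ServiceImagePath $props.ImagePath
        if ($resolved -and -not (Test-Path -LiteralPath $resolved)) {
            [PSCustomObject]@{
                Name      = $_.PSChildName
                Type      = $props.Type    # 1/2 = kernel / file-system driver, 16/32 = user-mode service
                Start     = $props.Start   # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
                ImagePath = $props.ImagePath
                Resolved  = $resolved
            }
        }
    }
}

# Entries with no file on disk, earliest-loading (lowest Start value) first.
Get-OrphanedServiceEntry | Sort-Object Start, Name | Format-Table -AutoSize
```

Entries that load at boot or system start (Start 0 or 1) and have a short, random-looking name are the ones worth comparing against a second machine or a vendor driver list before any removal; the script only reports, it changes nothing, so running it does not conflict with the forum's request to leave the system untouched while a log is under review.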

#2 Ltangelic

    Angel Annihilator of Malware

  • Members
  • 348 posts
  • Gender:Female
  • Location:Somewhere

Posted 01 January 2008 - 02:57 AM

Please post your HijackThis Log in HijackThis Logs and Malware Removal and wait for a HJT member to help you.

Good luck.

Bleepingcomputer Malware Response Team

Please do NOT PM anyone with HJT logs, read this and post your logs here.


#3 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,271 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 01 January 2008 - 10:04 AM

I have disabled System Restore

That was a mistake. See "System Restore and malware removal - what is best practice?".

Your hijackthis log is posted here.

There were some things we could have done to resolve this but after posting a log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic until you are cleared by the HJT Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Thanks for your cooperation and good luck with your log.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators