Help


11 replies to this topic

#1 toopay (Members, 13 posts, Charenton, La.)

Posted 26 January 2008 - 01:22 PM

Please help, I have been infected with this trojandownloader.xs.
I have run Spybot, but when I click on Fix Problems it says (failed to load C:\Program\spybot-search_destroy\ZIPDLL.DLL).
I have also run Aware, AVG and Kaspersky and still cannot rid myself of this problem.
HP-Pavilion
Windows Vista Ultimate Service Pack 2 (build 6002)
2.10 gigahertz AMD Phenom 8400 Triple-Core
128 kilobyte primary memory cache
512 kilobyte secondary memory cache
2942 Megabytes Installed Memory

#2 boopme (Global Moderator, 72,934 posts, NJ USA)

Posted 26 January 2008 - 09:14 PM

Welcome to Bleeping Computer toopay.
Please follow the instructions in this BC Tutorial: How to remove the Smitfraud. Scroll down to the removal instructions and start there. You may want to print those and the next instructions beforehand.

Now download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program.
DO NOT run yet.

Now reboot into Safe Mode: How to start Windows in Safe Mode

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox or the Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions, post the log and let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 toopay, Topic Starter (Members, 13 posts, Charenton, La.)

Posted 27 January 2008 - 11:02 AM

I have run ATF-Cleaner and SUPERAntiSpyware but I see no log. But there is a system and repair item list.

#4 toopay, Topic Starter (Members, 13 posts, Charenton, La.)

Posted 27 January 2008 - 11:49 AM

I went back into Safe Mode and found the Log so here it is.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/26/2008 at 11:23 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 00:59:22

Memory items scanned : 188
Memory threats detected : 0
Registry items scanned : 6050
Registry threats detected : 10
File items scanned : 34580
File threats detected : 3

Adware.AdBreak
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}

411Ferret Toolbar
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{12F02779-6D88-4958-8AD3-83C12D86ADC7}

Adware.AdBlaster
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}

AdBars BHO
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}

Adware.404Search
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}

Adware.Accoona
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}

Trojan.PBar
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}

Unclassified.Unknown Origin/System
C:\WINDOWS\SYSTEM32\ESHOPEE.EXE

Trojan.Fakespy-B
C:\WINDOWS\SYSTEM32\MSOLE32.EXE

Trojan.FakeDrop-764
C:\WINDOWS\764.EXE
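The scan log above is plain text with a fixed shape: a header of "key : value" lines, then one block per threat name listing the registry keys or file paths it was found at. The following parser is an added example written for this thread, not a tool from SUPERAntiSpyware or from either poster; the sample log embedded in it is constructed from the entries posted above (blank lines in the header are compressed), and the block-splitting rules are assumptions based on that one log. It groups detections by name, separates registry hits from file hits, cross-checks the parsed counts against the totals the tool printed, and pulls out the Browser Helper Object CLSIDs so a responder has a clean list to review.

```python
"""Parse a SUPERAntiSpyware scan log into a header dict plus detections grouped by threat name."""
import re

# Constructed sample (added for this example, not a file from the thread): same format as the
# scan log posted above, with all 13 entries so the header counts can be cross-checked.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/26/2008 at 11:23 PM

Application Version : 3.9.1008
Core Rules Database Version : 3259
Trace Rules Database Version: 1270
Scan type : Complete Scan
Total Scan Time : 00:59:22
Memory items scanned : 188
Memory threats detected : 0
Registry items scanned : 6050
Registry threats detected : 10
File items scanned : 34580
File threats detected : 3

Adware.AdBreak
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}

411Ferret Toolbar
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{12F02779-6D88-4958-8AD3-83C12D86ADC7}

Adware.AdBlaster
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}

AdBars BHO
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}

Adware.404Search
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}

Adware.Accoona
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}

Trojan.PBar
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}

Unclassified.Unknown Origin/System
C:\WINDOWS\SYSTEM32\ESHOPEE.EXE

Trojan.Fakespy-B
C:\WINDOWS\SYSTEM32\MSOLE32.EXE

Trojan.FakeDrop-764
C:\WINDOWS\764.EXE
"""

# Header keys are always at least two words, which keeps "http://..." and times out of the dict.
HEADER_RE = re.compile(r"^([A-Za-z]+(?: [A-Za-z]+)+)\s*:\s*(.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
HIVES = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\", "HKEY_")


def _is_location(line):
    """A detection location is either a registry key or a drive-letter file path."""
    return line.upper().startswith(HIVES) or DRIVE_RE.match(line) is not None


def parse_sas_log(text):
    """Return (header, detections): header maps e.g. 'Registry threats detected' -> '10';
    detections maps threat name -> list of ('registry' | 'file', location)."""
    header, detections = {}, {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        # A detection block is a name line followed only by location lines.
        if len(lines) > 1 and not _is_location(lines[0]) and all(map(_is_location, lines[1:])):
            entries = detections.setdefault(lines[0], [])
            for loc in lines[1:]:
                entries.append(("file" if DRIVE_RE.match(loc) else "registry", loc))
        else:
            for ln in lines:
                m = HEADER_RE.match(ln)
                if m:
                    header[m.group(1)] = m.group(2)
    return header, detections


def summarize(text):
    """Cross-check parsed entries against the counts the tool reported and list the
    BHO CLSIDs and file paths a responder would review next."""
    header, detections = parse_sas_log(text)
    entries = [e for lst in detections.values() for e in lst]
    clsids = set()
    for kind, loc in entries:
        m = CLSID_RE.search(loc)
        if kind == "registry" and "Browser Helper Objects" in loc and m:
            clsids.add(m.group(0).lower())
    found_reg = sum(1 for k, _ in entries if k == "registry")
    found_file = sum(1 for k, _ in entries if k == "file")
    rep_reg = int(header.get("Registry threats detected", "0"))
    rep_file = int(header.get("File threats detected", "0"))
    return {
        "registry_found": found_reg, "registry_reported": rep_reg,
        "file_found": found_file, "file_reported": rep_file,
        "counts_match": found_reg == rep_reg and found_file == rep_file,
        "bho_clsids": sorted(clsids),
        "files": sorted(loc for k, loc in entries if k == "file"),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"registry {s['registry_found']}/{s['registry_reported']}, files {s['file_found']}/{s['file_reported']}")
    for c in s["bho_clsids"]:
        print("BHO", c)
```

A count mismatch between the header and the parsed blocks means the log was truncated or pasted incompletely, which is worth knowing before anyone acts on it; the CLSID list is what you would look up under HKCR\CLSID to find the DLL each helper object actually loads.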

#5 boopme (Global Moderator, 72,934 posts, NJ USA)

Posted 27 January 2008 - 02:04 PM

And now how is the PC running?

#6 toopay, Topic Starter (Members, 13 posts, Charenton, La.)

Posted 27 January 2008 - 02:30 PM

I still have the same problem, trojandownloader.xs; nothing has changed!

#7 boopme (Global Moderator, 72,934 posts, NJ USA)

Posted 27 January 2008 - 03:01 PM

Hello, please run SDFix, by Andy Manchesta.
Double-click SDFix.exe and choose Install. Save it to the Desktop.
Next, reboot your computer in Safe Mode.
Select your usual account.
Open the SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Upon the reboot, the Fixtool will run again and complete the removal process, then display Finished.
SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Please copy and paste the contents of that results file into your next reply.
Also tell us how the PC is doing now.

#8 toopay, Topic Starter (Members, 13 posts, Charenton, La.)

Posted 27 January 2008 - 04:27 PM

Here is the latest log of SDFix.

SDFix: Version 1.131

Run by Administrator on Sun 01/27/2008 at 03:10 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\COMBOFIX.EXE - Deleted
C:\WINDOWS\hotporn.exe - Deleted
C:\WINDOWS\ie_32.exe - Deleted





Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\explorer.exe
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 15:21:54
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"="C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe:*:Disabled:Kaspersky Anti-Virus"
"C:\\Program Files\\Common Files\\Pure Networks Shared\\Platform\\NMSRVC.EXE"="C:\\Program Files\\Common Files\\Pure Networks Shared\\Platform\\NMSRVC.EXE:LocalSubNet:Enabled:Pure Networks Platform Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------
C:\WINDOWS\hotporn.exe Found
C:\WINDOWS\ie_32.exe Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 1 May 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BITBE.tmp"
Mon 28 May 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"

Finished!
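The SDFix report above contains a detail that is easy to miss when reading it by hand: hotporn.exe and ie_32.exe are listed as "Deleted" under Trojan Files Found in Normal Mode, then listed as "Found" again under Remaining Files at the final check. A file that comes back minutes after deletion is a sign that something still running (a service, driver or other autostart) is re-creating it, which is the kind of observation that prompts the rootkit check suggested next in the thread. The script below is an added example for this thread, not SDFix's own code or anything posted here; the embedded report is a constructed, abridged copy of the format above, and the section rules (a header line ends with a colon; deleted entries end in "- Deleted"; remaining entries end in "Found") are assumptions based on that one report. It cross-references the two sections and also parses the Windows Firewall authorized-application export into fields so each exception's scope and Enabled/Disabled flag can be reviewed.

```python
"""Cross-check an SDFix Report.txt: files it deleted versus files still present at the final check."""
import re

# Constructed sample (added for this example): an abridged copy of the SDFix report format posted above.
SAMPLE_REPORT = r"""SDFix: Version 1.131

Run by Administrator on Sun 01/27/2008 at 03:10 PM

Normal Mode:
Checking Files:

Trojan Files Found:

C:\COMBOFIX.EXE - Deleted
C:\WINDOWS\hotporn.exe - Deleted
C:\WINDOWS\ie_32.exe - Deleted

Removing Temp Files...

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"="C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe:*:Disabled:Kaspersky Anti-Virus"
"C:\\Program Files\\Common Files\\Pure Networks Shared\\Platform\\NMSRVC.EXE"="C:\\Program Files\\Common Files\\Pure Networks Shared\\Platform\\NMSRVC.EXE:LocalSubNet:Enabled:Pure Networks Platform Service"

Remaining Files:
---------------
C:\WINDOWS\hotporn.exe Found
C:\WINDOWS\ie_32.exe Found

File Backups: - C:\SDFix\backups\backups.zip

Finished!
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+):$")          # e.g. "Trojan Files Found:"
DELETED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+-\s+Deleted$")
FOUND_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+Found$")
# Firewall list value format: "<path>:<scope>:<Enabled|Disabled>:<display name>"
FW_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>[^"]*)"$')


def parse_sdfix_report(text):
    """Split the report into {section name: [non-empty lines]}; dashed rules are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def deleted_files(sections):
    """Paths SDFix reported as removed during the Normal Mode file check."""
    return [m.group("path") for ln in sections.get("Trojan Files Found", [])
            for m in [DELETED_RE.match(ln)] if m]


def remaining_files(sections):
    """Paths still present when SDFix ran its final check."""
    return [m.group("path") for ln in sections.get("Remaining Files", [])
            for m in [FOUND_RE.match(ln)] if m]


def reappeared_files(text):
    """Files deleted earlier in the run that were back by the final check (case-insensitive match)."""
    sections = parse_sdfix_report(text)
    remaining = {p.lower() for p in remaining_files(sections)}
    return sorted(p for p in deleted_files(sections) if p.lower() in remaining)


def firewall_exceptions(text):
    """Parse the exported authorized-applications list into path/scope/state/name dicts."""
    out = []
    for ln in parse_sdfix_report(text).get("Authorized Application Key Export", []):
        m = FW_RE.match(ln)
        if m:
            out.append({"path": m.group("path").replace("\\\\", "\\"), "scope": m.group("scope"),
                        "state": m.group("state"), "name": m.group("name")})
    return out


if __name__ == "__main__":
    for p in reappeared_files(SAMPLE_REPORT):
        print("deleted but present again at final check:", p)
    for fw in firewall_exceptions(SAMPLE_REPORT):
        print(f"firewall exception {fw['state']:8} scope={fw['scope']:12} {fw['name']} ({fw['path']})")
```

On the report above this prints both WINDOWS executables as re-created, which is the concrete evidence behind "nothing has changed" even though the tool said Deleted. The firewall lines are shown as parsed fields only; the Enabled/Disabled flag is the state of the exception entry itself and should be read alongside the rest of the host's configuration rather than on its own.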

#9 boopme (Global Moderator, 72,934 posts, NJ USA)

Posted 27 January 2008 - 04:49 PM

It looks as if the SAS scan was run from Normal Mode. How is the PC running?
But I think you have some rootkits.
Run this rootkit scanner:
Panda Anti-Rootkit

#10 toopay, Topic Starter (Members, 13 posts, Charenton, La.)

Posted 27 January 2008 - 05:11 PM

No, SAS was run from Safe Mode.

#11 toopay, Topic Starter (Members, 13 posts, Charenton, La.)

Posted 27 January 2008 - 06:21 PM

I have run the scanner but am still infected with trojandownloader.xs.

#12 boopme (Global Moderator, 72,934 posts, NJ USA)

Posted 27 January 2008 - 10:59 PM

Well, sorry, it seems you'll have to have the HJT Team get inside and clean it up.
Please follow these instructions. You can now just go to the section on Installing and posting HijackThis:
Preparation Guide for use before posting a HijackThis Log. Post that log in this forum, HijackThis Logs and Malware Removal. Click on New Topic and give it a Title.



