Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Help Needed Getting Rid Of Win32.tiny.abk

  • Please log in to reply
5 replies to this topic

#1 Dafunk


  • Members
  • 4 posts
  • Local time:06:20 AM

Posted 11 March 2008 - 04:24 PM

A big thank you up front to anyone that can walk me through getting rid of what seems to be the last of a whole pile malware and trojans. (I HOPE) I've always thought I'd be able to get my computer clean on my own but I this Win32.tiny.abk seems to have some deep or well hidden root. I got blasted with a whole pile of infections from some software from a third party and now I think this is all that is left. I'm running XP home and use several programs for maintenace and cleaning. CCleaner, AVG anitrootkit, Spybot S&D, Superanitspyware, Hijackthis and have downloaded combofix ready to use. I used to use Clamwin for a Virus scan but have since deleted it. Any help with anylising log files and finishing the job is much appreciated!

BC AdBot (Login to Remove)


#2 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:07:20 AM

Posted 11 March 2008 - 05:05 PM

Welcome to Bleeping Computer.

Win32.tiny.abk is a trojan downloader; it will try, without your consent, to download more malware onto your computer. It most likely runs under services.exe.

To confirm this, please open up HJT. Select Misc Tools>Process manager. Select Services.exe. Check the show .dlls. Click the suitcase thing to copy the list onto clipboard. Paste the list of processes, and the dlls running under services.exe back here.

Do not post a log or use other functions of HJT without being instructed by a mod.

Edited by PropagandaPanda, 11 March 2008 - 05:06 PM.

#3 Dafunk

  • Topic Starter

  • Members
  • 4 posts
  • Local time:06:20 AM

Posted 11 March 2008 - 09:32 PM

This is the list here:
Process list saved on 9:26:44 PM, on 3/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
524 C:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
616 C:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
660 C:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
672 C:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
824 C:\WINDOWS\system32\Ati2evxx.exe ATI Technologies Inc.
836 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1012 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1212 C:\WINDOWS\system32\Ati2evxx.exe ATI Technologies Inc.
1468 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.2180 Microsoft Corporation
1652 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe 7.0.9064.9150 Microsoft Corporation
1680 C:\WINDOWS\system32\HPZipm12.exe HP
1732 C:\WINDOWS\system32\PnkBstrA.exe
1744 C:\WINDOWS\system32\PnkBstrB.exe
1792 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1860 C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe Ulead Systems, Inc.
1124 C:\WINDOWS\Explorer.EXE 6.0.2900.2180 Microsoft Corporation
1392 C:\Program Files\Analog Devices\Core\smax4pnp.exe Analog Devices, Inc.
1344 C:\Program Files\Analog Devices\SoundMAX\Smax4.exe Analog Devices, Inc.
1712 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe Cyberlink Corp.
1768 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe Hewlett-Packard Co.
1804 C:\Program Files\Common Files\Real\Update_OB\realsched.exe RealNetworks, Inc.
1824 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe Sun Microsystems, Inc.
1580 C:\WINDOWS\system32\ctfmon.exe 5.1.2600.2180 Microsoft Corporation
248 C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE ATI Technologies Inc.
2284 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe ATI Technologies Inc.
4092 C:\WINDOWS\system32\wuauclt.exe 7.0.6000.381 Microsoft Corporation
3372 C:\Program Files\Mozilla Firefox\firefox.exe 1.8.20080.20121 Mozilla Corporation
3604 C:\Documents and Settings\Admin\Desktop\HiJackThis_v2.exe Trend Micro Inc.

DLLs loaded by process C:\WINDOWS\system32\services.exe:

[full path to filename] [file version] [company name]
C:\WINDOWS\system32\ntdll.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\kernel32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\msvcrt.dll 7.0.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\USER32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\GDI32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\USERENV.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\SCESRV.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\AUTHZ.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\umpnpmgr.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WINSTA.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\NCObjAPI.DLL 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\MSVCP60.dll 6.2.3104.0 Microsoft Corporation
C:\WINDOWS\system32\ShimEng.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WINMM.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\ole32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\MSACM32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\VERSION.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\SHELL32.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\SHLWAPI.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\UxTheme.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\IMM32.DLL 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll 6.0.2900.2982 Microsoft Corporation
C:\WINDOWS\system32\comctl32.dll 5.82.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\secur32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\Apphelp.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\eventlog.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WS2_32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\PSAPI.DLL 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\wtsapi32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\URLMON.DLL 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\IMAGEHLP.DLL 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\cryptdll.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\dnsapi.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll 5.1.3102.2180 Microsoft Corporation
C:\WINDOWS\system32\mswsock.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\hnetcfg.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\System32\winrnr.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\rasadhlp.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\MPRAPI.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\ACTIVEDS.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\adsldpc.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\ATL.DLL 3.5.2284.0 Microsoft Corporation
C:\WINDOWS\system32\rtutils.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.2180 Microsoft Corporation

What will looking at the .dll list help you in this instance? don't worry about answering that...more or less just thinking out loud. You may not find what you looking for...I just cleaned it out for the moment with Sbybot s&d. Thanks again for the help!!

#4 Dafunk

  • Topic Starter

  • Members
  • 4 posts
  • Local time:06:20 AM

Posted 11 March 2008 - 09:40 PM

I noticed that the win32.tiny.abk doesn't seem to get reseeded in the temp folder until I start browsing the web or at least not until I make the internet connection if that helps any. I use Firefox and not explorer ever.

#5 Dafunk

  • Topic Starter

  • Members
  • 4 posts
  • Local time:06:20 AM

Posted 12 March 2008 - 08:47 PM

I think the trojan downloader win32.tiny.abk is the only thing left infecting my computer, but I can't find its true source. Any help is greatly appreciated! I'm not sure what info you might need so just ask... Internet takes forever every time it shows up in the temp folder. Spybot gets it for a moment but it comes back again and again!

Edited by Orange Blossom, 12 March 2008 - 10:50 PM.
Merged topics removed redundant material ~ OB

#6 Orange Blossom

Orange Blossom

    OBleepin Investigator

  • Moderator
  • 37,011 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:07:20 AM

Posted 15 March 2008 - 10:12 PM

Hello DaFunk,

I would like you to run a scan with SUPERAntiSpyare in Safe Mode. Please be sure it is updated.

Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
Reboot into Safe Mode
On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.
Reboot into Normal Mode
To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
Click close and close again to exit the program.

Please post the log in your next reply.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users