
Help Needed Getting Rid Of Win32.tiny.abk


5 replies to this topic

#1 Dafunk

Dafunk

  • Members
  • 4 posts
  • OFFLINE
  • Local time:03:31 PM

Posted 11 March 2008 - 04:24 PM

A big thank you up front to anyone that can walk me through getting rid of what seems to be the last of a whole pile of malware and trojans. (I HOPE) I've always thought I'd be able to get my computer clean on my own, but this Win32.tiny.abk seems to have some deep or well hidden root. I got blasted with a whole pile of infections from some software from a third party and now I think this is all that is left. I'm running XP Home and use several programs for maintenance and cleaning: CCleaner, AVG Anti-Rootkit, Spybot S&D, SUPERAntiSpyware, HijackThis, and I have downloaded ComboFix ready to use. I used to use ClamWin for a virus scan but have since deleted it. Any help with analyzing log files and finishing the job is much appreciated!



#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:31 PM

Posted 11 March 2008 - 05:05 PM

Welcome to Bleeping Computer.

Win32.tiny.abk is a trojan downloader; it will try, without your consent, to download more malware onto your computer. It most likely runs under services.exe.

To confirm this, please open up HJT. Select Misc Tools>Process manager. Select Services.exe. Check the show .dlls. Click the suitcase thing to copy the list onto clipboard. Paste the list of processes, and the dlls running under services.exe back here.

Do not post a log or use other functions of HJT without being instructed by a mod.

Edited by PropagandaPanda, 11 March 2008 - 05:06 PM.


#3 Dafunk

Dafunk
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:03:31 PM

Posted 11 March 2008 - 09:32 PM

This is the list here:
Process list saved on 9:26:44 PM, on 3/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
524 C:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
616 C:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
660 C:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
672 C:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
824 C:\WINDOWS\system32\Ati2evxx.exe 6.14.10.4142 ATI Technologies Inc.
836 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1012 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1212 C:\WINDOWS\system32\Ati2evxx.exe 6.14.10.4142 ATI Technologies Inc.
1468 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.2180 Microsoft Corporation
1592 C:\WINDOWS\ATKKBService.exe 1.0.0.0 ASUSTeK COMPUTER INC.
1652 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe 7.0.9064.9150 Microsoft Corporation
1680 C:\WINDOWS\system32\HPZipm12.exe 10.1.1.6 HP
1732 C:\WINDOWS\system32\PnkBstrA.exe
1744 C:\WINDOWS\system32\PnkBstrB.exe
1792 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1860 C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe 1.0.0.5 Ulead Systems, Inc.
1124 C:\WINDOWS\Explorer.EXE 6.0.2900.2180 Microsoft Corporation
1392 C:\Program Files\Analog Devices\Core\smax4pnp.exe 6.0.0.20 Analog Devices, Inc.
1344 C:\Program Files\Analog Devices\SoundMAX\Smax4.exe 5.2.0.12 Analog Devices, Inc.
1712 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe 5.0.0.0 Cyberlink Corp.
1768 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe 53.0.13.0 Hewlett-Packard Co.
1804 C:\Program Files\Common Files\Real\Update_OB\realsched.exe 0.1.0.3510 RealNetworks, Inc.
1824 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe 6.0.50.13 Sun Microsystems, Inc.
1580 C:\WINDOWS\system32\ctfmon.exe 5.1.2600.2180 Microsoft Corporation
248 C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE 1.11.0.0 ATI Technologies Inc.
2284 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe 1.11.0.0 ATI Technologies Inc.
4092 C:\WINDOWS\system32\wuauclt.exe 7.0.6000.381 Microsoft Corporation
3372 C:\Program Files\Mozilla Firefox\firefox.exe 1.8.20080.20121 Mozilla Corporation
3604 C:\Documents and Settings\Admin\Desktop\HiJackThis_v2.exe 2.0.0.0 Trend Micro Inc.


DLLs loaded by process C:\WINDOWS\system32\services.exe:

[full path to filename] [file version] [company name]
C:\WINDOWS\system32\ntdll.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\kernel32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\msvcrt.dll 7.0.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\USER32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\GDI32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\USERENV.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\SCESRV.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\AUTHZ.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\umpnpmgr.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WINSTA.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\NCObjAPI.DLL 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\MSVCP60.dll 6.2.3104.0 Microsoft Corporation
C:\WINDOWS\system32\ShimEng.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WINMM.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\ole32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\MSACM32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\VERSION.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\SHELL32.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\SHLWAPI.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\UxTheme.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\IMM32.DLL 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll 6.0.2900.2982 Microsoft Corporation
C:\WINDOWS\system32\comctl32.dll 5.82.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\secur32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\Apphelp.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\eventlog.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WS2_32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\PSAPI.DLL 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\wtsapi32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\URLMON.DLL 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\IMAGEHLP.DLL 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\cryptdll.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\dnsapi.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll 5.1.3102.2180 Microsoft Corporation
C:\WINDOWS\system32\mswsock.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\hnetcfg.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\System32\winrnr.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\rasadhlp.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\MPRAPI.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\ACTIVEDS.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\adsldpc.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\ATL.DLL 3.5.2284.0 Microsoft Corporation
C:\WINDOWS\system32\rtutils.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.2180 Microsoft Corporation


How will looking at the .dll list help you in this instance? Don't worry about answering that... more or less just thinking out loud. You may not find what you're looking for... I just cleaned it out for the moment with Spybot S&D. Thanks again for the help!!
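The reason a helper asks for the modules loaded inside services.exe is that a downloader which injects into, or registers itself as, a service shows up there as a DLL that does not belong: loaded from a temp or profile directory, or carrying no version resource at all. The script below is an added example written for this thread, not something the original posters or the HijackThis project supplied. It parses the process-manager export format shown above (pid, path, optional version, optional company, with paths that may contain spaces) and flags modules worth a second look. The sample export is constructed: the first lines are copied from the posted list, and the final DLL line is a made-up placeholder to show what a hit looks like. Note that a legitimate file can also lack version info (PnkBstrA.exe in the posted list does), so each finding is a prompt for a closer look, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format of the HijackThis process-manager export
# posted in this thread. The placeholder_suspect.dll line is made up.
SAMPLE_EXPORT = r"""Process list saved on 9:26:44 PM, on 3/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
660 C:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
1732 C:\WINDOWS\system32\PnkBstrA.exe
1652 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe 7.0.9064.9150 Microsoft Corporation

DLLs loaded by process C:\WINDOWS\system32\services.exe:

[full path to filename] [file version] [company name]
C:\WINDOWS\system32\ntdll.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll 5.1.3102.2180 Microsoft Corporation
C:\DOCUME~1\Admin\LOCALS~1\Temp\placeholder_suspect.dll
"""

# One line of either section: optional pid, a path ending in .exe/.dll (paths
# contain spaces, so the extension is the delimiter), then an optional version
# and an optional company name.
_LINE = re.compile(
    r"^(?:(?P<pid>\d+) )?(?P<path>\S.*?\.(?:exe|dll))"
    r"(?: (?P<version>\d+(?:\.\d+)+))?(?: (?P<company>.+))?$",
    re.IGNORECASE,
)


@dataclass
class Module:
    section: str            # "process", or the host process a DLL is loaded in
    path: str
    pid: Optional[int]
    version: Optional[str]
    company: Optional[str]


def parse_export(text: str) -> List[Module]:
    """Walk the export line by line, tracking which section we are in."""
    modules: List[Module] = []
    section = "process"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("[", "Process list", "Platform:")):
            continue
        if line.startswith("DLLs loaded by process "):
            section = line[len("DLLs loaded by process "):].rstrip(":")
            continue
        m = _LINE.match(line)
        if not m:
            continue  # unrecognised line: keep going rather than abort triage
        modules.append(Module(
            section=section,
            path=m["path"],
            pid=int(m["pid"]) if m["pid"] else None,
            version=m["version"],
            company=m["company"],
        ))
    return modules


# Directories from which a DLL inside services.exe is ordinarily loaded on XP
# (assumption for this example; adjust for a non-default %WINDIR%).
_EXPECTED_DLL_DIRS = ("c:\\windows\\system32\\",
                      "c:\\windows\\winsxs\\",
                      "c:\\windows\\apppatch\\")


def triage(text: str) -> List[str]:
    """Return one human-readable finding per module that deserves a closer look."""
    findings: List[str] = []
    for mod in parse_export(text):
        lower = mod.path.lower()
        if "\\temp\\" in lower:
            findings.append(f"TEMP-PATH {mod.path} (loaded in {mod.section})")
        if mod.section != "process" and not lower.startswith(_EXPECTED_DLL_DIRS):
            findings.append(f"UNUSUAL-DIR {mod.path} (loaded in {mod.section})")
        if mod.version is None and mod.company is None:
            findings.append(f"NO-VERSION-INFO {mod.path} (pid {mod.pid})")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EXPORT):
        print(finding)
```

Run against a real export pasted into `SAMPLE_EXPORT`, the script lists only the entries that break the expected pattern, which is the same thing the helper scans for by eye: a DLL under services.exe that lives in a temp folder, and files with no publisher information.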

#4 Dafunk

Dafunk
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:03:31 PM

Posted 11 March 2008 - 09:40 PM

I noticed that the win32.tiny.abk doesn't seem to get reseeded in the temp folder until I start browsing the web or at least not until I make the internet connection if that helps any. I use Firefox and not explorer ever.

#5 Dafunk

Dafunk
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:03:31 PM

Posted 12 March 2008 - 08:47 PM

I think the trojan downloader win32.tiny.abk is the only thing left infecting my computer, but I can't find its true source. Any help is greatly appreciated! I'm not sure what info you might need so just ask... Internet takes forever every time it shows up in the temp folder. Spybot gets it for a moment but it comes back again and again!

Edited by Orange Blossom, 12 March 2008 - 10:50 PM.
Merged topics removed redundant material ~ OB


#6 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,958 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:04:31 PM

Posted 15 March 2008 - 10:12 PM

Hello DaFunk,

I would like you to run a scan with SUPERAntiSpyware in Safe Mode. Please be sure it is updated.

  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
      • Close browsers before scanning
      • Scan for tracking cookies
      • Terminate memory threats before quarantining.
    Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
  • Reboot into Safe Mode.
  • On the main screen, under Scan for Harmful Software, click Scan your computer.
  • On the left, check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • Reboot into Normal Mode.

To retrieve the removal information for me please do the following:
  • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (such as Notepad/WordPad).
  • Please highlight everything in the notepad, then right-click and choose Copy.
  • Click Close and Close again to exit the program.

Please post the log in your next reply.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
