
Trojan_downloader I Think. Can You Help Me?


This topic is locked
15 replies to this topic

#1 vitaminb

vitaminb

  • Members
  • 15 posts

Posted 15 April 2008 - 07:43 PM

Hi, one day I logged onto my account cause I share this computer, I am the administrator though. I run Windows XP. So I have Kaspersky Anti-Virus 6.0, and I got a message saying I have some kinda trojan. I scanned my computer and I got this Trojan-Downloader.Win32.VB.axa, but then I "neutralized" it, and Kaspersky says it was gone. I googled Trojan-Downloader.Win32.VB.axa and it seems to me that it's a really bad thing. For the past couple days my computer got slower, and I have been getting more trojan alerts but they do not say Trojan-Downloader.Win32.VB.axa, they are other ones with various names. I don't recall what they are, I only know 100% sure that Kaspersky says I have a Trojan Downloader but Trojan-Downloader.Win32.VB.axa is just an example of what it said I have. There are others, but I don't write them all down in my notebook or anything.
My operating system is Windows XP Home Edition, Service Pack 2. Sorry if that's not enough info, I do not know enough about computers. But hey, that's why I am here :D.


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,114 posts
  • Gender:Male
  • Location:NJ USA

Posted 15 April 2008 - 09:08 PM

Hello vitaminb
Please run these tools and post back 2 logs and see if we get it all.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
NEXT:

Download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions, post 2 logs and let us know how the PC is running now.

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,564 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 16 April 2008 - 08:53 AM

Did the Kaspersky scan provide specific file names associated with this malware threat and if so, where are they located (full file path) on your system? If the scan saved a log file, it should show exactly what and where the malware was found, so post that instead.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 vitaminb

vitaminb
  • Topic Starter

  • Members
  • 15 posts

Posted 16 April 2008 - 09:11 PM

First off I wanna say thank you for helping me.
With my problem,
Malwarebytes' Anti-Malware was a complete failure for me. I launched mbam-setup and got this error "Invalid floating point", so I could not do anything in the first part of the steps you gave me, sorry.
After "NEXT" I did get to run ATF Cleaner and SUPERAntiSpyware just as you said. The only problem is after the program asked me to reboot, and when I clicked "Yes", my computer was restarting but all of a sudden my screen turned completely black. I let it go for 20 minutes, and my computer was frozen, I had to use emergency shut down. After that the most peculiar thing happened. I turned on my computer, but I kept getting some blue screen that I could not read because it came real quick but vanished quickly, and it transferred me to a screen as if I clicked F8, but I didn't. So I kept selecting "run normally", but the same thing kept repeating. So when it happened for the third time, I selected the option where it said something like this "restart back to when the last time your computer worked". So that's what happened, exactly. Also, it seems to me that when I installed the SUPERAntiSpyware, it takes forever for my computer to start up, even slower than when I first reported.
I did get the report though:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/16/2008 at 09:23 PM

Application Version : 4.0.1154

Core Rules Database Version : 3439
Trace Rules Database Version: 1431

Scan type : Complete Scan
Total Scan Time : 02:25:08

Memory items scanned : 180
Memory threats detected : 2
Registry items scanned : 4950
Registry threats detected : 12
File items scanned : 66496
File threats detected : 6

Trojan.Vundo-Variant/F
C:\WINDOWS\SYSTEM32\PMNMJKHH.DLL
C:\WINDOWS\SYSTEM32\PMNMJKHH.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\pmnmjkhh
C:\WINDOWS\SYSTEM32\ESNSQBSB.DLL

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\MLJJIIJG.DLL
C:\WINDOWS\SYSTEM32\MLJJIIJG.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}
HKCR\CLSID\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}
HKCR\CLSID\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}\InprocServer32
HKCR\CLSID\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}
HKCR\CLSID\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}

Trojan.Vundo-Variant/G
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6CC6A045-8301-4819-B88D-CE5FCE3B368D}
HKCR\CLSID\{6CC6A045-8301-4819-B88D-CE5FCE3B368D}
HKCR\CLSID\{6CC6A045-8301-4819-B88D-CE5FCE3B368D}\InprocServer32
HKCR\CLSID\{6CC6A045-8301-4819-B88D-CE5FCE3B368D}\InprocServer32#ThreadingModel

Trojan.Unclassified/RasesNet
C:\DOCUMENTS AND SETTINGS\BART KIELCZEWSKI\LOCAL SETTINGS\TEMP\RASESNET.EXE

Trojan.Downloader-Gen/XRun-A
C:\DOCUMENTS AND SETTINGS\BART KIELCZEWSKI\LOCAL SETTINGS\TEMP\XPRE.EXE

Adware.Yazzle-Installer
C:\DOCUMENTS AND SETTINGS\BART KIELCZEWSKI\LOCAL SETTINGS\TEMP\YAZZSNET.EXE


And to answer quietman7:
I didn't save the scan, but I do have these in my memory

Infected: Trojan program Trojan-Downloader.Win32.Homles.bg C:\WINDOWS\mrofinu572.exe 37.5 KB
Infected: adware not-a-virus:AdWare.Win32.PurityScan.gp c:\system volume information\_restore{136f7703-21ad-4ebd-91a2-9827e5eda306}\rp359\a0073455.exe 40.7 KB
Possibly infected: riskware Hidden data sending C:\WINDOWS\Explorer.EXE 1009 KB 4/15/2008 9:41:55 PM
deleted: Trojan program Trojan-Downloader.Win32.VB.axa File: C:\System Volume Information\_restore{136F7703-21AD-4EBD-91A2-9827E5EDA306}\RP254\A0030998.exe//CryptFF//Shrinker
deleted: Trojan program Backdoor.Win32.Rbot.euu File: C:\WINDOWS\system32\MineSweep.exe
deleted: Trojan program Backdoor.Win32.Rbot.euu File: C:\System Volume Information\_restore{136F7703-21AD-4EBD-91A2-9827E5EDA306}\RP261\A0035608.exe
detected: Trojan program Trojan-Downloader.Win32.Zlob.ehr URL: http://ndcperformance.com/download.php?id=4154//data0007
detected: Trojan program Trojan-Clicker.HTML.IFrame.ab URL: http://www.klinika-kregoslupa.pl/
deleted: Trojan program Trojan-Clicker.HTML.IFrame.ab File: C:\Documents and Settings\Wesley Kielczewski\Local Settings\Temporary Internet Files\Content.IE5\43TREEBT\klinika-kregoslupa[1].htm
detected: Trojan program Trojan-Downloader.Win32.VB.bvj URL: http://erostyzz.com/src/winshow.exe//Shrinker
detected: riskware Hidden install Running process: C:\Documents and Settings\Bart Kielczewski\Local Settings\Temp\k11u88.exe
detected: adware not-a-virus:AdWare.Win32.Virtumonde.azt URL: http://fuzestats.com/src/is68525.exe
detected: Trojan program Trojan-Downloader.Win32.Small.gzs URL: http://gridlouch.com/src/wr-1-77.exe//PE_P..._Patch.UPX//UPX
detected: Trojan program Trojan-Dropper.Win32.Agent.chq URL: http://erostyzz.com/src/stany.exe
detected: riskware Hidden install Running process: C:\Documents and Settings\Bart Kielczewski\Local Settings\Temp\YazzleBundle-1549.exe
not found: virus Worm.Win32.Huhk.c Running module: explorer.exe\Explorer.EXE
detected: riskware Hidden data sending Running process: C:\Program Files\Internet Explorer\iexplore.exe
detected: malware Exploit.HTML.IESlice.bz URL: http://www.chaai.org/amoria/bosgu.js
deleted: Trojan program Trojan-Downloader.Win32.VB.cho File: C:\System Volume Information\_restore{136F7703-21AD-4EBD-91A2-9827E5EDA306}\RP308\A0045628.exe
deleted: adware not-a-virus:AdWare.Win32.PurityScan.gp File: C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe//data0001
deleted: adware not-a-virus:AdWare.Win32.PurityScan.gp File: C:\System Volume Information\_restore{136F7703-21AD-4EBD-91A2-9827E5EDA306}\RP359\A0073455.exe//data0001
detected: Trojan program Trojan-Downloader.Win32.VB.axa URL: http://adxanet.net/xpre.exe//Execryptor//P...ndle//PECompact
detected: Trojan program Trojan-Downloader.Win32.VB.dsf URL: http://adxanet.net/snapsnet.exe//data0006
detected: Trojan program Trojan.Win32.Scapur.k URL: http://adxanet.net/yazzsnet.exe//data0003/...ndle//PECompact
detected: riskware Invader Running process: C:\Documents and Settings\Bart Kielczewski\Local Settings\Temp\rasesnet.exe
detected: riskware Invader Running process: C:\WINDOWS\system32\rundll32.exe
detected: Trojan program Trojan.Win32.KillAV.rf URL: http://82.98.235.78/mmtt/zrt20080408.dll?u...6&rid=mmph1
detected: riskware Hidden data sending Running process: C:\WINDOWS\Explorer.EXE
deleted: Trojan program Trojan-Downloader.Win32.Homles.bg File: C:\WINDOWS\mrofinu572.exe//PE_Patch.Upolyx//PE_Patch.UPX//UPX
detected: riskware Hidden data sending Running process: C:\WINDOWS\explorer.exe

I hope this helps, sorry if my computer is beyond fixable.
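As an added example, not part of the thread and not Kaspersky's or BleepingComputer's own tooling: a small parser for report lines in the layout quoted above, which sorts each hit by where it lives (URL only, running process, restore-point copy, temp file, or system location) and lists what the scanner did not delete, which is the "full file path" view quietman7 asked for. The sample lines are constructed from the post; the URL is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the layout of the Kaspersky lines quoted in the post
# above. File paths are those from the post; the URL is a placeholder.
SAMPLE_LOG = """\
Infected: Trojan program Trojan-Downloader.Win32.Homles.bg C:\\WINDOWS\\mrofinu572.exe 37.5 KB
Possibly infected: riskware Hidden data sending C:\\WINDOWS\\Explorer.EXE 1009 KB 4/15/2008 9:41:55 PM
deleted: Trojan program Backdoor.Win32.Rbot.euu File: C:\\WINDOWS\\system32\\MineSweep.exe
deleted: Trojan program Trojan-Downloader.Win32.VB.axa File: C:\\System Volume Information\\_restore{GUID}\\RP254\\A0030998.exe//CryptFF//Shrinker
detected: Trojan program Trojan-Downloader.Win32.Zlob.ehr URL: http://downloader.example.invalid/download.php?id=1
detected: riskware Hidden install Running process: C:\\Documents and Settings\\User\\Local Settings\\Temp\\k11u88.exe
not found: virus Worm.Win32.Huhk.c Running module: explorer.exe\\Explorer.EXE
"""

CATEGORIES = ("Trojan program", "adware", "riskware", "virus", "malware")
KIND_MARKERS = ("File:", "URL:", "Running process:", "Running module:")
# A bare "name path size" line: drive-letter path, optional "NN KB ..." tail.
PATH_TAIL = re.compile(r"([A-Za-z]:\\.+?)(?:\s+\d+(?:\.\d+)?\s+KB\b.*)?$")

@dataclass
class Entry:
    status: str      # Infected / deleted / detected / not found ...
    category: str    # Trojan program / adware / riskware ...
    name: str        # detection name, e.g. Trojan-Downloader.Win32.VB.axa
    kind: str        # File / URL / Running process / Running module
    target: str      # path, URL or module

def parse_line(line: str) -> Entry:
    status, rest = (s.strip() for s in line.split(":", 1))
    category = next(c for c in CATEGORIES if rest.startswith(c))
    rest = rest[len(category):].strip()
    for marker in KIND_MARKERS:               # explicit "File:" style lines
        idx = rest.find(marker)
        if idx != -1:
            return Entry(status, category, rest[:idx].strip(),
                         marker[:-1], rest[idx + len(marker):].strip())
    m = PATH_TAIL.search(rest)                # "name path size" lines
    if m is None:
        raise ValueError(f"unrecognised line: {line!r}")
    return Entry(status, category, rest[:m.start()].strip(), "File", m.group(1))

def location(e: Entry) -> str:
    """Where the item lives, which decides how much it matters after the scan."""
    t = e.target.lower()
    if e.kind == "URL":
        return "network"        # download source only; nothing on disk by itself
    if e.kind.startswith("Running"):
        return "active"         # was executing when scanned
    if "\\system volume information\\_restore" in t:
        return "restore-point"  # inert unless that restore point is applied
    if "\\local settings\\temp\\" in t or "\\temporary internet files\\" in t:
        return "temp"
    return "system"

def parse_log(text: str) -> List[Entry]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def outstanding(entries: List[Entry]) -> List[Entry]:
    """Items the scanner did not delete that sit outside restore points/URLs."""
    return [e for e in entries
            if e.status != "deleted" and location(e) in ("active", "system", "temp")]
```

Running `outstanding(parse_log(SAMPLE_LOG))` on the sample leaves four items: the two files in C:\WINDOWS, the Temp process and the explorer module, while the restore-point copy and the URL drop out.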

#5 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 16 April 2008 - 09:24 PM

I hope this helps, sorry if my computer is beyond fixable.


With a case like this it's best to have some last resort measures to fall back on if you can't boot, last known saved you this time.

What type of windows disk do you have?
Chewy

No. Try not. Do... or do not. There is no try.

#6 vitaminb

vitaminb
  • Topic Starter

  • Members
  • 15 posts

Posted 16 April 2008 - 09:31 PM

How do I find out?

#7 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 16 April 2008 - 09:37 PM

Are you sure you were in safe mode and ran atf cleaner and then SAS?

disks are usually labeled? Some say recovery?

#8 vitaminb

vitaminb
  • Topic Starter

  • Members
  • 15 posts

Posted 16 April 2008 - 09:41 PM

Are you sure you were in safe mode and ran atf cleaner and then SAS?

disks are usually labeled? Some say recovery?

100% sure, I didn't have my usual background and it said Safe Mode everywhere. I still don't understand what you are asking about the disk though, sorry.

#9 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 16 April 2008 - 09:53 PM

If worse comes to worse (regarding your statement about unfixable) some windows disks allow you to run as a repair by booting to the cd, if a fix goes so bad the malware takes the OS down with it, then running the repair disk will reinstall the broken part and enable you to keep up the fight

Access to another working computer is essential as well as keeping the infected one off the internet

#10 vitaminb

vitaminb
  • Topic Starter

  • Members
  • 15 posts

Posted 17 April 2008 - 05:16 AM

Do you mean the reinstallation cd? I have one for service pack 2. What should I do?

#11 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 17 April 2008 - 05:19 AM

did you ever get the issue with MBAM not installing fixed?

#12 vitaminb

vitaminb
  • Topic Starter

  • Members
  • 15 posts

Posted 17 April 2008 - 05:22 AM

did you ever get the issue with MBAM not installing fixed?

No, I don't know how to fix it. I keep getting "Error: Invalid floating point"
Also, whenever I put on my computer I always have to select the "last known working" option just so windows starts. I always get that blue screen and my computer doesn't boot normally after I did the spyware and atf scans.

#13 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 17 April 2008 - 05:54 AM

I had a similar problem a few weeks back, I couldn't even hardly install anything in normal mode, the computer would even lock up after a few minutes. I had to run windows as a repair disk, without the windows install disk I couldn't have even started to fix it. I don't think a sp2 disk will help, but if it's a full xp with sp2, does it say pro/home/oem/retail/upgrade?

#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,564 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 17 April 2008 - 06:54 AM

I think at this point your issues will require further investigation. Before that can be done you will need to create and post a hijackthis log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log" and complete all the steps. There are instructions for downloading and running Deckard's System Scanner (DSS) which will create a hijackthis log for you, or automatically download and install the most current version of HijackThis if it's not already installed on your computer.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

#15 vitaminb

vitaminb
  • Topic Starter

  • Members
  • 15 posts

Posted 17 April 2008 - 08:04 PM

Hey quietman7, DaChew, boopme thanks a lot. Hopefully I will get some answers there, thanks.
