Some Virii Trojan.OnlineGames and Trojan.Dropper etc


19 replies to this topic

#1 gah

Posted 08 December 2008 - 04:18 AM

Seems I have some nasty viruses on my machine (WinXP SP2).

I have run ClamWinPortable and it has generated a log of what it has found. Can I post that here?

In short I see:

Trojan.Dropper
Trojan.OnlineGames
Trojan.Agent
Trojan.Banker
Adware.Agent
Adware.WhenU

I think that's about it. I tried running HijackThis! but it closes within seconds of running. All the other stuff others have posted about AV websites not working etc apply here too. I immediately pulled the network cable, so it can't see the web. Every so often it runs an error complaint from "GoogleInstaller" but I suspect it's not google installer at all.

I have a thumbdrive it tried to infect with an autorun.inf and a file called m.exe which I have since removed from the thumbdrive.

Suggestions and help appreciated.

Thanks!

EDIT: I am currently running McAfee Stinger on the data drive, but don't hold out much hope as it found nothing on C:

Edited by gah, 08 December 2008 - 04:46 AM.



#2 gah

Posted 08 December 2008 - 02:56 PM

As expected Stinger found nothing on the second drive.

#3 DaChew

Posted 08 December 2008 - 04:56 PM

Stinger is an older tool. The banker trojan (if that's what it is) is very advanced and dangerous malware; I would suggest you consider a "clean install":

http://technet.microsoft.com/en-us/library/cc512587.aspx

If you decide to try and fight this, I would suggest using another computer, downloading MBAM and the manual definitions, and transferring them to the infected computer:

http://www.bleepingcomputer.com/forums/ind...mp;#entry944365
Chewy

No. Try not. Do... or do not. There is no try.

#4 gah

Posted 08 December 2008 - 05:42 PM

Thanks for the info. I pulled the machine off the network pretty much within a second of installing the malware. I feel so stupid. Like testing a landmine with my toe.

As the machine is off the network, I might have a go at removing the virus, but it is probably time for a rebuild to be safe.

I have a large secondary disk with most of my data and some apps installed on it. Would it be necessary to format that as well?

#5 gah

Posted 08 December 2008 - 06:05 PM

> If you decide to try and fight this, I would suggest using another computer, downloading MBAM and the manual definitions, and transferring them to the infected computer:
>
> http://www.bleepingcomputer.com/forums/ind...mp;#entry944365


Sorry for the double post. Where do I get the manual definitions file?

My strategy looks like this:

1. Remove whatever I can of the trojans on the infected system without putting it on the internet.
2. Transfer data and internet favourites, email boxes, etc to a large external HDD.
3. Format BOTH drives on the infected PC.
4. Install OS from scratch, drivers, etc.
5. Install all security patches.
6. Install AV and Anti-Malware software.
7. Reinstall Apps
8. Restore data from external drive.
9. Malware scan PC.
10. Reformat external HDD.

Please let me know if I've forgotten anything; recommendations for good free AV/anti-malware software are appreciated.
What a way to spend time leading up to Xmas!

Edited by gah, 08 December 2008 - 06:06 PM.


#6 DaChew

Posted 08 December 2008 - 06:11 PM

If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.


http://www.malwarebytes.org/mbam/database/mbam-rules.exe

let's take this one step at a time

who knows maybe we'll get lucky

#7 gah

Posted 08 December 2008 - 06:17 PM

Cheers. I'm at work atm, and the infected machine is at home. Will give it a go in about 9 hours.

Thanks for your help. Once I've got something this insidious installed, I don't want any risk. Will things like HijackThis! 100% prove its removal? I don't want even 0.01% chance of transferring any funds to some Russian Mafia bank account :thumbsup:

#8 DaChew

Posted 08 December 2008 - 06:37 PM

> I don't want even 0.01% chance of transferring any funds to some Russian Mafia bank account

stay off the internet and never do any online transactions

never use a credit card

#9 gah

Posted 08 December 2008 - 07:15 PM

> stay off the internet and never do any online transactions
>
> never use a credit card


My credit card doesn't charge me for fraudulent transactions. What I'm worried about is a trojan performing transactions on my online banking site and pinching funds. Using an untrusted site is one thing, having a notorious exploit installed is quite another.

Still kicking my own butt for running an exe from within a rar without scanning it first... stupid stupid stupid.

#10 gah

Posted 09 December 2008 - 04:53 AM

MBAM is now running in safe mode. Will post log when it completes.
I assume I should remove all problems found, then reboot to user mode and re-run?

#11 gah

Posted 09 December 2008 - 05:01 AM

OK, here's the log. *gulp*

Malwarebytes' Anti-Malware 1.31
Database version: 1475
Windows 5.1.2600 Service Pack 2

9/12/2008 8:57:38 PM
mbam-log-2008-12-09 (20-57-23).txt

Scan type: Full Scan (C:\|G:\|)
Objects scanned: 277005
Time elapsed: 1 hour(s), 1 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 6
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\jsdf8j3dgf.dll (Trojan.Clicker) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.Zlob.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.Clicker) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.Clicker) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fci (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fci (Rootkit.ADS) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.Zlob.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsjfn83jkemfofght (Trojan.Clicker) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsjfn83jkemfofght (Trojan.Clicker) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rs32net (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rs32net (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jnskdfmf9eldfd (Trojan.Downloader) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\jsdf8j3dgf.dll (Trojan.Zlob.H) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temp\winlogin.exe (Trojan.Clicker) -> No action taken.
C:\efwgtw.exe (Trojan.TinyDownloader705) -> No action taken.
C:\kidssr.exe (Trojan.TinyDownloader705) -> No action taken.
C:\mxqfds.exe (Trojan.TinyDownloader705) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temp\BNF48.tmp (Rootkit.Agent) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\547CGZUL\aasuper3[1].htm (Trojan.TinyDownloader705) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\547CGZUL\eyeessftq[1].htm (Trojan.TinyDownloader705) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\E7FKLTZM\czvsjkk[1].htm (Trojan.TinyDownloader705) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\IK3PEVWH\aasuper0[1].htm (Trojan.TinyDownloader705) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\IK3PEVWH\mss32[1].exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\IK3PEVWH\tpmmnnbo[1].htm (Trojan.Agent) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\L6CYQ9G4\aasuper2[1].htm (Trojan.TinyDownloader705) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\L6CYQ9G4\jdwtth[1].htm (Trojan.Agent) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\L6CYQ9G4\tpmmnnbo[1].htm (Trojan.Agent) -> No action taken.
C:\WINDOWS\Temp\BNF4A.tmp (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\rs32net.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\svchost.exe:ext.exe (Rootkit.ADS) -> No action taken.

#12 DaChew

Posted 09 December 2008 - 05:02 AM

MBAM is most effective in, and designed for, normal mode scans; however, several have reported that safe mode scans help with certain infections when normal mode scans failed to work.


http://www.bleepingcomputer.com/forums/ind...mp;#entry913381

I recommend ATFCleaner and SAS for safe mode scans; SAS's method for applying manual definitions has been improved.

#13 gah

Posted 09 December 2008 - 05:15 AM

Hey there Chewy. Glad you're online.
I had to switch to Safe Mode as HJT was being killed when run in normal mode. Couldn't scan anything.
So I should remove the items MBAM found, reboot to normal mode then try HJT? Can I just start a thread in the HJT forum with a log?

#14 DaChew

Posted 09 December 2008 - 05:59 AM

There can be a rather long wait in the HJT forum; if a week or more is OK, then by all means post there.

If you want to continue with this forum then I would run MBAM from normal mode

#15 gah

Posted 09 December 2008 - 06:52 AM

Here's the log from normal mode.
Note, whatever is there still infected my thumb drive with m.exe and an autorun.inf. Makes me nervous deleting them on this machine in case I double click instead of single click to delete!

Malwarebytes' Anti-Malware 1.31
Database version: 1475
Windows 5.1.2600 Service Pack 2

9/12/2008 10:46:58 PM
mbam-log-2008-12-09 (22-46-53).txt

Scan type: Full Scan (C:\|G:\|)
Objects scanned: 265714
Time elapsed: 1 hour(s), 10 minute(s), 30 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 11
Registry Values Infected: 6
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 29

Memory Processes Infected:
C:\Documents and Settings\user\Local Settings\Temp\winlogin.exe (Trojan.Clicker) -> No action taken.

Memory Modules Infected:
C:\WINDOWS\system32\jsdf8j3dgf.dll (Trojan.Clicker) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.Zlob.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.Clicker) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.Clicker) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati4wbxx (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ati4wbxx (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati4wbxx (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fci (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fci (Rootkit.ADS) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\fci (Rootkit.ADS) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.Zlob.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsjfn83jkemfofght (Trojan.Clicker) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsjfn83jkemfofght (Trojan.Clicker) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rs32net (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rs32net (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jnskdfmf9eldfd (Trojan.Downloader) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\jsdf8j3dgf.dll (Trojan.Zlob.H) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temp\winlogin.exe (Trojan.Clicker) -> No action taken.
C:\efwgtw.exe (Trojan.TinyDownloader705) -> No action taken.
C:\kidssr.exe (Trojan.TinyDownloader705) -> No action taken.
C:\mxqfds.exe (Trojan.TinyDownloader705) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temp\BNF48.tmp (Rootkit.Agent) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temp\TDSS43e4.tmp (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\547CGZUL\aasuper3[1].htm (Trojan.TinyDownloader705) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\547CGZUL\eyeessftq[1].htm (Trojan.TinyDownloader705) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\E7FKLTZM\czvsjkk[1].htm (Trojan.TinyDownloader705) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\IK3PEVWH\aasuper0[1].htm (Trojan.TinyDownloader705) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\IK3PEVWH\mss32[1].exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\IK3PEVWH\tpmmnnbo[1].htm (Trojan.Agent) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\L6CYQ9G4\aasuper2[1].htm (Trojan.TinyDownloader705) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\L6CYQ9G4\jdwtth[1].htm (Trojan.Agent) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\L6CYQ9G4\tpmmnnbo[1].htm (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\38b9ed63c9b1b6212281b1b9bab5164a.sys (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\TDSSacpc.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\TDSShrtj.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\TDSSiden.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\TDSSiekj.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\drivers\ati4wbxx.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\Temp\BNF4A.tmp (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\rs32net.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\svchost.exe:ext.exe (Rootkit.ADS) -> No action taken.
C:\WINDOWS\system32\TDSSeskv.log (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\TDSSqxna.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\TDSSwagp.sys (Rootkit.Agent) -> No action taken.


System is now rebooting after selecting "remove selected". Next? Another run?
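The two MBAM logs in posts #11 and #15 share one plain-text layout: a header, then a "... Infected:" heading per category, then one line per item of the form `<location> (<family>) -> <action>.` (the NoFolderOptions line carries an extra `Bad: (1) Good: (0)` field). The Python below is an added example, not part of the thread and not Malwarebytes' own tooling: it parses that layout, tags each finding by the persistence or hiding mechanism its location implies (Run keys, service/driver registrations, policy tampering, a `.sys` driver, an alternate data stream such as `svchost.exe:ext.exe`), and lists what the normal-mode scan surfaced that the safe-mode scan did not, which is the difference DaChew describes in post #12. The section headings and item syntax come from the logs themselves; the mechanism names are the example's own, and the two embedded logs are abridged excerpts of the posted ones, not complete scans.

```python
"""Parse MBAM 1.x text logs, tag findings by mechanism, and diff two scans."""
import re
from collections import Counter
from dataclasses import dataclass

# Abridged excerpt of the safe-mode scan (post #11); not a complete log.
SAFE_MODE_LOG = r"""
Malwarebytes' Anti-Malware 1.31
Database version: 1475
Memory Processes Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fci (Rootkit.Agent) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rs32net (Trojan.Agent) -> No action taken.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> No action taken.
Files Infected:
C:\Documents and Settings\user\Local Settings\Temp\winlogin.exe (Trojan.Clicker) -> No action taken.
C:\WINDOWS\system32\rs32net.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\svchost.exe:ext.exe (Rootkit.ADS) -> No action taken.
"""

# Abridged excerpt of the normal-mode scan (post #15); the TDSS and ati4wbxx
# entries only appeared in this run.
NORMAL_MODE_LOG = r"""
Malwarebytes' Anti-Malware 1.31
Database version: 1475
Memory Processes Infected:
C:\Documents and Settings\user\Local Settings\Temp\winlogin.exe (Trojan.Clicker) -> No action taken.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati4wbxx (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fci (Rootkit.Agent) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rs32net (Trojan.Agent) -> No action taken.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> No action taken.
Files Infected:
C:\Documents and Settings\user\Local Settings\Temp\winlogin.exe (Trojan.Clicker) -> No action taken.
C:\WINDOWS\system32\rs32net.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\TDSSacpc.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\drivers\ati4wbxx.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\svchost.exe:ext.exe (Rootkit.ADS) -> No action taken.
"""

SECTION_RE = re.compile(r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
                        r"Registry Data Items|Folders|Files) Infected:$")
# "<location> (<family>) [-> Bad: (n) Good: (m)] -> <action>."
ITEM_RE = re.compile(r"^(?P<loc>.+?) \((?P<family>[^()]+)\)"
                     r"(?: -> Bad: \(\d+\) Good: \(\d+\))? -> (?P<action>.+?)\.$")


@dataclass(frozen=True)
class Finding:
    section: str
    location: str
    family: str
    action: str


def parse_log(text):
    """Return (header dict, list of Finding) for one MBAM 1.x log."""
    header, findings, section = {}, [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
        elif section is None:  # header lines look like "Database version: 1475"
            key, sep, value = line.partition(": ")
            if sep:
                header[key] = value
        elif line != "(No malicious items detected)":
            m = ITEM_RE.match(line)
            if m:  # lines the format does not define are skipped
                findings.append(Finding(section, m["loc"], m["family"], m["action"]))
    return header, findings


def classify(f):
    """Map a finding to the persistence or hiding mechanism its location implies."""
    loc, leaf = f.location, f.location.rsplit("\\", 1)[-1]
    if f.section == "Files" and ":" in leaf:
        return "alternate data stream"  # e.g. svchost.exe:ext.exe
    if "\\CurrentVersion\\Run\\" in loc:
        return "autostart (Run key)"
    if any(s in loc for s in ("Browser Helper Objects", "SharedTaskScheduler", "\\CLSID\\")):
        return "browser/shell extension"
    if "\\Services\\" in loc:
        return "service or driver registration"
    if "\\Policies\\" in loc:
        return "policy tamper"  # e.g. NoFolderOptions hides the Folder Options menu
    if f.section == "Files" and leaf.lower().endswith(".sys"):
        return "kernel driver"
    return "running code" if f.section.startswith("Memory") else f.section.lower()


def new_in_second(first_text, second_text):
    """(section, location) pairs present in the second scan but not the first."""
    seen = {(f.section, f.location) for f in parse_log(first_text)[1]}
    return sorted({(f.section, f.location) for f in parse_log(second_text)[1]} - seen)


if __name__ == "__main__":
    print(Counter(classify(f) for f in parse_log(NORMAL_MODE_LOG)[1]))
    for section, location in new_in_second(SAFE_MODE_LOG, NORMAL_MODE_LOG):
        print(f"new in normal-mode scan [{section}]: {location}")
```

Run against the full logs, the diff is what makes the second scan worth the hour: the normal-mode run adds a process actually resident in memory, a rootkit service registration with its driver file, and the TDSS components, none of which the safe-mode scan listed. The mechanism tags are a quick way to see that removal has to cover autostart entries, service registrations and the policy tamper together, not just the files.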
