MBAM FOUND Trojan.Dropper please help


  • This topic is locked This topic is locked
6 replies to this topic

#1 DEATHlLINK

DEATHlLINK

  • Members
  • 110 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:10 PM

Posted 09 June 2010 - 03:35 PM

OK, so a couple of months ago I had a nasty virus, so I re-installed my OS, except it took me 3 times to be able to get the OS to install; it seemed the Windows updates were always failing during installation. On the third attempt at re-installing my OS it worked. Everything was working OK until I noticed my CPU usage spiking in my Task Manager to 100%, and when I had a couple of tabs opened up at the same time the pages would not look right. So I decided to start looking further into my CPU and downloaded Avast to run a boot scan, and also a couple of other things.
On my PC I use BitDefender Total Security 2010, MBAM as a stand-alone scanner, and Avast for additional scans.

I have run BitDefender scans, SAS online scanner scans, Avast multiple scans, and MBAM quick and full scans. I am curious if there is an issue with my router, as on my other laptop Kaspersky just found a keylogger and I don't even use that CPU for anything but secure sites, so I have no idea how it got infected. Here is my MBAM scan:


MBAM scan:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4182

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

6/8/2010 8:53:51 PM
mbam-log-2010-06-08 (20-53-51).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 206559
Time elapsed: 53 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.0.6002.18005_lt-lt_bf12ba06fdc0c65b_msimsg.dll.mui_72e8994f (Trojan.Dropper) -> Quarantined and deleted successfully.



Any help would be appreciated. Well, since I ran ComboFix and didn't follow directions, lol, please delete this post; I will seek assistance elsewhere.

Edited by DEATHlLINK, 09 June 2010 - 06:22 PM.
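The MBAM log above follows a fixed layout: a header with the database version, a summary block of "<section> Infected: N" counts, then one detail section per category listing "<path> (<threat>) -> <action>." lines. The parser below is an added example written for this thread, not a Malwarebytes tool; it reads that layout and checks that the summary counts agree with the items actually listed, which is how a helper can tell whether a posted log was trimmed or edited. The embedded log is a constructed, shortened excerpt of the one posted above.

```python
import re

# Constructed excerpt in the layout of the MBAM 1.46 log quoted in the post above.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
Database version: 4182
Scan type: Full scan (C:\|D:\|)
Objects scanned: 206559

Memory Processes Infected: 0
Registry Keys Infected: 0
Folders Infected: 0
Files Infected: 1

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.0.6002.18005_lt-lt_bf12ba06fdc0c65b_msimsg.dll.mui_72e8994f (Trojan.Dropper) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # "Files Infected: 1"
HEADER_RE = re.compile(r"^([A-Za-z ]+ Infected):$")           # "Files Infected:"
ITEM_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")      # "<path> (<threat>) -> <action>."

def parse_mbam_log(text):
    """Return (database version, per-section summary counts, per-section detections)."""
    db_version, summary, detections, section = None, {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Database version:"):
            db_version = int(line.split(":", 1)[1])
        elif (m := SUMMARY_RE.match(line)):          # summary block, before the details
            summary[m[1]] = int(m[2])
        elif (m := HEADER_RE.match(line)):           # start of a detail section
            section = m[1]
            detections[section] = []
        elif section and line and line != "(No malicious items detected)":
            if (m := ITEM_RE.match(line)):
                detections[section].append({"path": m[1], "threat": m[2], "action": m[3]})
    return db_version, summary, detections

def count_mismatches(summary, detections):
    """Sections whose summary count differs from the number of items listed (edited/truncated log)."""
    return {s: (n, len(detections.get(s, []))) for s, n in summary.items()
            if n != len(detections.get(s, []))}

if __name__ == "__main__":
    db, summary, found = parse_mbam_log(SAMPLE_LOG)
    print("database", db, "detections", found, "mismatches", count_mismatches(summary, found))
```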



#2 boopme (Global Moderator)
Posted 09 June 2010 - 07:10 PM

It looks like the Windows Installer is infected. Can you post the SAS log?

Let's see part 1 of S!Ri's SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#3 DEATHlLINK (Topic Starter)
Posted 09 June 2010 - 10:00 PM

After downloading, when I try to run SmitfraudFix it comes up with this error:

C:\Users\DEATH-ZZ\Desktop\Smitfraudfix.exe

File System error (-1073741819).

In the box it shows "access is denied" over and over.


I also noticed now my Notepad won't open.

I don't have the SAS logfile, I don't think, as it was an online scan and it only found 4 cookies and 4 Flash cookies. But I will re-run it and post the results.

Edited by DEATHlLINK, 09 June 2010 - 10:01 PM.


#4 boopme (Global Moderator)
Posted 09 June 2010 - 10:18 PM

OK, we have either of 2 things happening. Either your hard drive is failing or we have very buried malware.
I don't know how old it is, but you can run the HD manufacturer's Hard Drive Diagnostic utility.


For the malware end, we need a deeper look. Please go here:
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run, skip it and move on.
Let me know if that went well.

#5 DEATHlLINK (Topic Starter)
Posted 10 June 2010 - 12:42 AM

I will prepare the DDS and GMER and post them in the appropriate topic as directed. It was interesting: after running SmitfraudFix and replying, my internet stopped working and none of my programs would open; then I had to reboot into Safe Mode, and then I could run MBAM and other programs again. I ran diagnostics on all my CPU when I had issues when I was re-installing my OS. It took three tries for my OS to install and the Windows updates to install without failing. Since then my CPU was doing OK till like a week ago. I noticed the 100% usage and since then it's been all downhill: webpages not opening and different issues.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/09/2010 at 10:27 PM

Application Version : 4.33.1000

Core Rules Database Version : 5055
Trace Rules Database Version: 0

Scan type : Complete Scan
Total Scan Time : 00:30:45

Memory items scanned : 818
Memory threats detected : 0
Registry items scanned : 5743
Registry threats detected : 0
File items scanned : 21829
File threats detected : 12

Adware.Tracking Cookie
C:\Users\DEATH-ZZ\AppData\Roaming\Microsoft\Windows\Cookies\death-zz@ad.yieldmanager[1].txt
C:\Users\DEATH-ZZ\AppData\Roaming\Microsoft\Windows\Cookies\death-zz@content.yieldmanager[2].txt
C:\Users\DEATH-ZZ\AppData\Roaming\Microsoft\Windows\Cookies\death-zz@content.yieldmanager[3].txt
C:\Users\DEATH-ZZ\AppData\Roaming\Microsoft\Windows\Cookies\Low\death-zz@atdmt[1].txt
C:\Users\DEATH-ZZ\AppData\Roaming\Microsoft\Windows\Cookies\Low\death-zz@msnportal.112.2o7[1].txt
C:\Users\DEATH-ZZ\AppData\Roaming\Microsoft\Windows\Cookies\Low\death-zz@collective-media[2].txt
C:\Users\DEATH-ZZ\AppData\Roaming\Microsoft\Windows\Cookies\Low\death-zz@ad.wsod[2].txt
C:\Users\DEATH-ZZ\AppData\Roaming\Microsoft\Windows\Cookies\Low\death-zz@doubleclick[2].txt
C:\Users\DEATH-ZZ\AppData\Roaming\Microsoft\Windows\Cookies\Low\death-zz@ad.yieldmanager[1].txt
C:\Users\DEATH-ZZ\AppData\Roaming\Microsoft\Windows\Cookies\Low\death-zz@ads.owasp[1].txt
C:\Users\DEATH-ZZ\AppData\Roaming\Microsoft\Windows\Cookies\Low\death-zz@content.yieldmanager[1].txt
C:\Users\DEATH-ZZ\AppData\Roaming\Microsoft\Windows\Cookies\Low\death-zz@imrworldwide[2].txt

Edited by DEATHlLINK, 10 June 2010 - 12:43 AM.


#6 DEATHlLINK (Topic Starter)
Posted 10 June 2010 - 02:11 AM

Okay,
I ran the scans and posted the logs in a new topic in the appropriate forum. I appreciate all your help. I also have screenshots of my netstat info I ran. Also my clock is wrong; I just noticed this as well. Thanks again for all your help.

#7 boopme (Global Moderator)
Posted 10 June 2010 - 09:38 AM

Hi, we will get this sorted.
To fix the clock display:

Go to Start >> Control Panel.
Select Regional and Language Options.
In the Standards and Formats section, next to the language you are using, click the Customize... button.
Press the Time... tab.
In the Time Format... box, for 12 hour time display, change the format to:

h mm ss tt
or
hh mm ss tt


Select the other display options you want: separator, AM, PM...
When done, click Apply and OK as needed.


Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.