Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Some Nasy Trojandownloader Or Trojan.win32


  • This topic is locked This topic is locked
2 replies to this topic

#1 Renny9900

Renny9900

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:03:26 AM

Posted 26 February 2006 - 12:28 PM

Any help you can offer would be so appreciated. This trojan is a dialer, and it replicates win###.tmp files in my C:\Windows\Temp folder. I just deleted 3,595 of them...and that's just 24 hours worth of replication. I get a popup that says: 16 bit MS-DOS Subsystem C:\WINDOWS\TEMP\h91746.exe
C:\PROGRA~1\Symantec\S32EVNT1.DLL An installed Virtual
Device Driver failed Dll initialization.

There's also a popup that says there may be an error running scripts. I can only used the internet on Safe Mode now as well. Thank you all


Logfile of HijackThis v1.99.1
Scan saved at 9:18:56 AM, on 2/26/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\TEMP\winC78.tmp.exe
C:\WINDOWS\TEMP\winC72.tmp.exe
C:\WINDOWS\TEMP\hlpmeomd.exe
C:\HIjackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll (file missing)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\RunServices: [Veritas Patch] veritas.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\RunServices: [msconfig41] svccms.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1140634907328
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/Tra...ransferCtrl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: winmmt32 - C:\WINDOWS\SYSTEM32\winmmt32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iTunes MusicService - Unknown owner - C:\WINDOWS\USBBay.exe (file missing)
O23 - Service: Sophos Session Manager (LMSessn) - TODO: <Company name> - C:\Program Files\Sophos\Control Center\LMSessn.exe
O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe (file missing)
O23 - Service: Norton Protection Center Service (NSCService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec AVScan (SAVScan) - Unknown owner - C:\Program Files\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: Sophos Database Notification Service (sdbnsrvc) - Sophos Plc - C:\Program Files\Sophos\Control Center\Sdbnsrvc.exe
O23 - Service: Sophos Enterprise Manager Scheduler (SEMScheduler) - Sophos Plc - C:\Program Files\Sophos\Control Center\Library\bin\SchdSrvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Sophos Agent - Unknown owner - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent (file missing)
O23 - Service: Sophos AutoUpdate Agent - Unknown owner - C:\Program Files\Sophos\Remote Management System\ALCAgent.exe" -service -name ALC (file missing)
O23 - Service: Sophos Message Router - Unknown owner - C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 (file missing)
O23 - Service: Sophos SBE Certification Manager - Unknown owner - C:\Program Files\Sophos\Control Center\CertificationManagerServiceNT.exe" -background -ORBSvcConf "C:\Program Files\Sophos\Control Center\svc.conf (file missing)
O23 - Service: Sophos SBE ManagementService - Sophos Plc - C:\Program Files\Sophos\Control Center\SbeMss.exe
O23 - Service: SPBBCSvc - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

BC AdBot (Login to Remove)

 


#2 sUBs

sUBs

    sUBs


  • Malware Response Team
  • 2,489 posts
  • OFFLINE
  •  
  • Local time:07:26 PM

Posted 27 February 2006 - 03:33 PM

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.


* * * * * *


Something that requires your immediate intervention. I notice that you have more than one anti-virus programs on your machine (AVG & Symantec). That's not a good idea!! Posted Image

This messes up the machine pretty badly. Alike firewalls, anti-virus programs have conflicts co-existing with each other & may produce undesirable results. Please uninstall ALL leaving only one of them.

ALL the antivirus programs must be removed via add/remove program.
For any program that doesn't have an add/remove entry, you will have to do this:

re-install the program -> reboot -> uninstall

## Do NOT proceed with the rest of the fix until you have resolved the dual antivirus programs ##


* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Download & install CleanUp.exe (not recommended for WinXP64)

Download & extract to it's own folder - rdrivRem.zip

You will need to update Ewido to the latest definition files.
Launch Ewido & click Update from the left pane
Then click on Start Update.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.


* * * * * * DISABLING SERVICES * * * * * * * * * * * * * * * * *


Click Start -> Run - type SERVICES.MSC & then click on the OK button
  • Locate the service - Windows lsass Service (lsass)
  • Double-click on it to open the Properties dialog.
    - Change the Startup type to Disabled & then click on the Apply button
    - Stop the service by using the Stop button.
  • Then start HiJackThis & go to Config... -> Misc.Tools -> Delete an NT service
  • In the popup box that appears, copy/paste lsass
  • Click on the OK button & answer No if prompted to reboot
Repeat steps 1-5 for these other services :-
  • SpywareCleanerService
* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O4 - HKLM\..\RunServices: [Veritas Patch] veritas.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\RunServices: [msconfig41] svccms.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O20 - Winlogon Notify: winmmt32 - C:\WINDOWS\SYSTEM32\winmmt32.dll



* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * UN-INSTALLING PROGRAMS * * * * * * * * * * * * * *


Go to Start -> Control Panel -> Add or Remove Programs and uninstall the following programs:
  • Spyware Cleaner
Please note any other programs that you dont recognize in that list in your next response


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folder'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\WINDOWS\tct101.dll
    C:\WINDOWS\SYSTEM32\winmmt32.dll
    C:\WINDOWS\lsass.exe
    C:\Program Files\Spyware Cleaner\


    Search for these files
    veritas.exe
    msconfig32.exe
    svccms.exe
* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!


* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *


From within the rdrivRem folder, double-click on rdrivRem.bat & follow the instructions on the screen.


* * * * * *


Run Ewido with it's updated definitions:(...it's important that all windows must be closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • .Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis log
  • Online Scan
  • Ewido
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

#3 sUBs

sUBs

    sUBs


  • Malware Response Team
  • 2,489 posts
  • OFFLINE
  •  
  • Local time:07:26 PM

Posted 10 March 2006 - 09:19 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users